IPv6 pfsense setup
I have a server from @ShockHosting and it comes with a /64 of IPv6 addresses. I'm using Proxmox and I would like to provide the whole range to my pfsense box so that I can give each VM its own IPv6 address. Any tips?
Comments
If you've just got the one /64 you can use one address from the range on the host and have the rest routed to the VM, then use that one address as the gateway - I don't have the config to hand unfortunately and I can't quite remember the exact setup I used.
IIRC it was just a case of turning on IPv6 forwarding, giving the host an address from the /64 as an additional IP on vmbr0 (or your relevant interface) - 2001:a:b:c::1 for example - and then assigning another address on the guest (2001:a:b:c::2) and using the other address as the gateway.
You need ndppd
We, the All Seeing Eye, possessing the knowledge of anything and everything, hereby declare that Our proclaimed pronoun be "We/Our/Ours".
https://lowendspirit.com/discussion/comment/221016/#Comment_221016
Care to explain?
The proper way to offer IPv6 would be a /128 + /64. Your pfsense, acting as a router, will have the /128 configured on the 'wan' interface and one from the /64 configured on the 'lan' interface. Your other VMs will attach to the 'lan' interface and they discover each other using neighbor discovery protocol (NDP).
Your upstream will simply route the /64 via the /128.
For example, if you are assigned 2001:db8:aaaa:bbbb:cccc:dddd:1111:2222/128 and 2001:db8:1111:2222::/64, the upstream will have a route configured in their router this way:
Where ens10 is the ethernet port at the upstream router that shares a {v}switch with your machine.
Sometimes the route is discovered using NDP as well. When the upstream router receives a packet destined to your /64, it will broadcast an NDP discovery packet asking "who has 2001:db8:1111:2222::3?". Your pfsense checks its interfaces, realizes that the address is part of the /64 configured on the 'lan' port, replies "I have that address" to upstream, the upstream then forwards the packet to your pfsense.
But you have only a /64, and one from the /64 is configured on the 'wan' port. Your pfsense will then assume that the /64 is part of the 'wan' network and will not respond to the NDP packet asking "who has 2001:db8:1111:2222::3?". In order to get pfsense to respond to the NDP discovery packet, you'll need an NDP proxy daemon (ndppd).
Since this is not standard, I am not sure if pfsense has it. I would still ask your upstream to assign you a /128.
We, the All Seeing Eye, possessing the knowledge of anything and everything, hereby declare that Our proclaimed pronoun be "We/Our/Ours".
https://lowendspirit.com/discussion/comment/221016/#Comment_221016
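An ndppd configuration for the single-/64 case described in the post above, added here as an example and not part of the thread. The interface names `vmbr0` and `vmbr1` are assumptions for a Linux host such as the Proxmox node, and the prefix is the documentation prefix used in the post.

```conf
# /etc/ndppd.conf (constructed example; interface names are assumptions)
#   vmbr0 = upstream-facing interface holding one address from the /64
#   vmbr1 = internal bridge the VMs attach to

# Listen for Neighbor Solicitations arriving from upstream on vmbr0.
proxy vmbr0 {
    # Set the router flag in the Neighbor Advertisements sent back.
    router yes

    # Milliseconds to wait for an answer from the internal side
    # before treating the address as unused.
    timeout 500

    # Milliseconds to keep a resolved (or failed) lookup cached.
    ttl 30000

    # Addresses in the delegated /64 that live behind vmbr1.
    rule 2001:db8:1111:2222::/64 {
        # Forward the solicitation to vmbr1 and answer upstream only
        # if a VM actually replies. "static" would instead answer for
        # every address in the prefix without checking, so a sweep of
        # the /64 would create a neighbor entry upstream for each
        # probed address.
        iface vmbr1
    }
}
```

IPv6 forwarding must also be enabled on the machine running ndppd, and that machine needs a route for the /64 pointing at the internal interface so replies reach the VMs.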
@ShockHosting care to help?
Please open a support ticket and we will sort that out for you.
Thanks! @ShockHosting
Ticket #993344 - IPv6
A++ Rating