Just a tiny post about my home Internet connection. I use a Vodafone (former Unitymedia) CableMax 1000 home connection. That's a Gbit coax line with 50 Mbit upstream. The problem: at the beginning of the new 1G tariff there were several problems regarding IPv4 / IPv6 – either you got an IPv4-only connection or something like DS-Lite or a SLAAC IPv6. I quickly figured out there is a way to change your contract and let them enable "Dual Stack".
Dual what?
It simply means you are running a full IPv6 and IPv4 config at the same time (dual), allowing you to use the Internet natively in IPv6 AND IPv4 without any tunneling or "translation" involved. This is how it should be. Especially IPv6-compatible P2P games I found much less hassle to run, because all those troubling NAT modes are only an IPv4 thing. In the IPv6 universe each device receives its own "Internet IP", so a NAT (Network Address Translation), where all your devices at home are merged into one public IP, isn't required any more. As said, especially in P2P applications this gives a big benefit. No NAT, no UPnP, less trouble.
</gp_replace>
<gr_replace lines="4-6" cat="clarify" orig="Your connected Device">
Your connected device at port 4 will receive a public IP, or a public IPv6 address via DHCP / RA. Otherwise it would do a double NAT, once at your Fritzbox and again in the pfSense; even with a DMZ (Exposed Host) set up, this is something you really want to avoid. Especially in "gaming homes" with consoles and computers this will cause trouble. So if a bridge mode is available it should be used.
The pfSense setup then is simple: you define a WAN interface. For IPv4 you just let it be handled by the DHCP client; for IPv6 on the WAN you choose DHCP6, and in the advanced config it is now important to set a DHCPv6 Prefix Delegation size.
For my Vodafone CableMax this is a /59 – big enough to use it for my several VLANs. If you do not separate your network, e.g. only having one LAN, it doesn't really matter for you. But if you have, like me, a setup with e.g. LAN, WIFI, IOT, GUEST, that's 4 VLANs. In IPv4 this is easy, you would specify an own /24 for each. E.g.
My home Setup
Your connected Device at Port 4 will receive a Public IP or Public IPv6 DHCP / RA. Else it would do a double NAT, one time at your Fritzbox and another time in the pfSense, even with a Setup DMZ (Exposed Host) this you really want to avoid. Especially in “Gaming Homes” with Consoles and Computers this will cause trouble. So if a bridge mode is available it should be used.
The pfSense Setup then is simple, you define a WAN Interface; For IPv4 you just let it handled by DHCPC, for IPv6 on the WAN you choose DHCP6 and in Advanced config now it is important to set a DHCPv6 Prefix Delegation size.
For my Vodafone CableMax this is a /59 – big enough to use it for my several Vlans. If you do not separate your Network, e.g. only having one LAN it doesn’t really matter for you. But if you have like me a Setup with e.g.: LAN, WIFI, IOT, GUEST that are 4 VLANs. In IPv4 this is easy, you would specify a own /24 for each. E.g.
VLAN 20 WIFI = 10.20.0.0/24
VLAN 30 IOT = 10.30.0.0/24
You get the point. But in IPv6 you definitely do not want to use local-only addresses and NAT them. This is a NO-GO, never ever do that. Unlike IPv4, you do not simply receive one single public IP; as written, in my case I received a /59, which can be split into 32 single networks of /64 size. Which in theory would give me 590.295.810.358.705.651.712 addresses – that is a lot – I don't even know how to read that number ^^
My WAN interface settings look like this:
So you take that one large /59 and break it down so each VLAN can have its own /32. You can do that by configuring the pfSense interface and setting it to "Track" your WAN interface in IPv6:
The IPv6 Prefix ID is important when you use several VLANs; it's used to assign a consecutive subnet to each interface, e.g. LAN is 0, WIFI is 1, IOT is 2. You can go from 0 to 1F (hex), which is 0 to 31, so 32 subnets in theory.
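As an added illustration (my own code, not from the original post) of how the /59 splits into the 32 tracked /64s by Prefix ID: the prefix is a constructed documentation value, the VLAN-to-ID mapping follows the post, and the assumption that the Prefix ID fills the bits between the delegated length and the /64 boundary is mine.

```python
import ipaddress

# Constructed example: a documentation prefix standing in for the /59 the
# provider delegates; the real prefix is different and can change with the lease.
DELEGATED_PREFIX = "2001:db8:1234:1220::/59"

# Prefix IDs as in the post: one per tracking interface / VLAN (hex in the GUI)
VLANS = {"LAN": 0x0, "WIFI": 0x1, "IOT": 0x2, "GUEST": 0x3}


def subnet_count(delegated: str, subnet_len: int = 64) -> int:
    """Number of /64 networks a delegated prefix contains (32 for a /59)."""
    pd = ipaddress.IPv6Network(delegated, strict=False)
    if subnet_len < pd.prefixlen:
        raise ValueError("subnet cannot be larger than the delegated prefix")
    return 1 << (subnet_len - pd.prefixlen)


def track6_subnet(delegated: str, prefix_id: int, subnet_len: int = 64) -> ipaddress.IPv6Network:
    """Return the /64 a tracking interface gets for a given Prefix ID.

    Assumption (not stated on the page): the Prefix ID fills the bits between
    the delegated prefix length and the /64 boundary, which is where the
    0..0x1F range for a /59 comes from.
    """
    pd = ipaddress.IPv6Network(delegated, strict=False)
    max_id = subnet_count(delegated, subnet_len) - 1   # 0x1F for a /59
    if not 0 <= prefix_id <= max_id:
        raise ValueError(f"Prefix ID {prefix_id:#x} outside 0..{max_id:#x}")
    # shift the ID into place just above the /64 boundary, keep the delegated bits
    net_int = int(pd.network_address) | (prefix_id << (128 - subnet_len))
    return ipaddress.IPv6Network((net_int, subnet_len))


def vlan_plan(delegated: str, vlans: dict) -> dict:
    """Map every VLAN name to the /64 it will be tracked onto."""
    return {name: str(track6_subnet(delegated, pid)) for name, pid in vlans.items()}


if __name__ == "__main__":
    for name, net in vlan_plan(DELEGATED_PREFIX, VLANS).items():
        print(f"{name:6} {net}")
```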
For the LAN interfaces / VLANs you now need to make sure that RA (Router Advertisement) is active. Instead of DHCPv6, use the RA protocol to distribute available addresses. In pfSense you can configure it under Services > DHCPv6 Server & RA. Select the LAN or VLAN you want to configure and make sure DHCPv6 is OFF! This is a mistake often made. Instead go to the Router Advertisements tab and set it up like this:
(1) Unmanaged is fine because we do not need to change/rewrite or enrich the RA information. (2) should be set to high, but it actually doesn't matter if you only have one RA in your subnet. (3) The values in the three options here shouldn't be too high. In current pfSense releases those numbers are the defaults; I had some trouble with the much higher numbers of older releases. The lifetime is what you know from IPv4 DHCP as the "lease time": the RA announcement becomes invalid after that time. So be sure that this value is much higher than the maximum RA interval. For DNS (4) just leave this one empty.
Last but not least, an option many people forget is in the pfSense advanced config. pfSense has an option to generally "disable" IPv6 functionality – this needs to be off. You find it under System > Advanced > Networking. Be sure the Allow IPv6 box is ticked:
And finally make sure in your LAN / VLAN firewall rules you allow IPv6 ICMP (ICMPv6). The RA protocol uses ICMPv6 to communicate; if this is rejected or blocked by default you won't get an IPv6 address on your clients.
If everything is correct, your Dashboard Interfaces should show up with different address blocks like this:
You can use the test at test-ipv6.com to check your connection.
I hope this brief recap can help others not fall into the same pitfalls as I did.
Happy Networking :)