I recently decided to improve my home network by purchasing a pfSense box. I wanted to ditch my ISP issued router, a Tilgin HG2381 router which works well for simple networks but fails to offer advanced configuration options, like support for wireguard VPN or VLANs.
HyperOptic
HyperOptic is a UK broadband provider which supports both IPv4 and IPv6 address assignment. For IPv4 addresses they use Carrier-grade NAT (CGN) which doesn’t allow exposing a service using port forwarding.
A static IPv4 option is available which costs an extra £5 per month. But I decided to use IPv6 for all my services instead. This was a nightmare at first, I could not get my new pfSense working correctly with IPv6.
On their website they provide a seemingly useful guide on configuring IPv6 with a third-party router. Link: https://www.hyperoptic.com/faq/posts/static-ip-addresses/
However, these instructions did NOT work for me.
pfSense
I’m using a Netgate SG-1100 as my main firewall and router, but these configuration options should still work on any hardware supported by pfSense software. Before changing anything, now is a good idea to backup your current configuration.
WAN settings
Navigate to Interfaces and select the WAN interface. Change IPv6 Configuration Type to DHCP6 and scroll down until you see the DHCP6 Client Configuration section, supply the following options:
- Request only an IPv6 prefix
- DHCPv6 Prefix Delegation size (
56) - Send IPv6 prefix hint
- Debug
- Do not wait for a RA
- Do not allow PD/Address release
Leave the rest of the options unchecked.
In my case I needed to do an extra step which was to spoof the MAC address of the WAN interface to match my ISP supplied device. To change the Mac address, go to System > Setup Wizard and click through until you get to (step 4), copy the MAC address from your ISP issued device.
Without this step my pfSense device would fail to assign an IPv6 address.
LAN or vLAN settings
For your LAN or VLAN(s) settings, select your Interface and set the IPv6 Configuration Type to Track Interface. And in the Track IPv6 Interface specify:
- IPv6 Interface
WAN - IPv6 Prefix ID
0
I have several VLANs on my network so I need to set a different Prefix ID for each interface. To keep things organsied I set the Prefix ID value to match the VLAN TAG or network subnet e.g.
- VLAN10
- Prefix ID -
10 - IPv4 addresses -
10.1.10.XX - IPv6 addresses –
2a01:4b00:XXXX:XX10:XXXX:XXXX:XXXX:XXXX
- Prefix ID -
- VLAN20
- Prefix ID -
20 - IPv4 addresses -
10.1.20.XX - IPv6 addresses –
2a01:4b00:XXXX:XX20:XXXX:XXXX:XXXX:XXXX
- Prefix ID -
This way I can immediately identify which VLAN an IPv6 address is from.
DHCPv6 settings
Finally, go to Services > DHCPv6 Server & RA. Next, select the interface you want to configure (e.g. LAN).
Each interface has two types of settings, DHCPv6 server and Router Advertisements.
For the DHCPv6 server, I completely disable it and click Save.
For Router Advertisements I set the options:
- Router mode
Assisted - Router priority
Normal
Leave the rest as default and click Save.
Issues and Solutions
We have a better view of what’s happening using the debug mode for the DHCPv6 client. The DHCP log file is located at /var/log/dhcp.log and showed the following:
May 1 10:28:43 dhcp6c 75307 send solicit to ff02::1:2%em1
May 1 10:28:43 dhcp6c 75307 reset a timer on em1, state=SOLICIT, timeo=5, retrans=31928
May 1 10:29:15 dhcp6c 75307 Sending Solicit
May 1 10:29:15 dhcp6c 75307 set client ID (len 14)
May 1 10:29:15 dhcp6c 75307 set elapsed time (len 2)
May 1 10:29:15 dhcp6c 75307 set option request (len 4)
May 1 10:29:15 dhcp6c 75307 set IA_PD prefix
May 1 10:29:15 dhcp6c 75307 set IA_PD
A Netgate forum member experienced the exact same errors. The post IPv6 LAN with Tracking interface problem explains that they couldn’t get IPv6 address on their LAN network.
This issue was likely caused by HyperOptic because they do not respond to RA requests coming from devices that are not issued by them. Spoofing the MAC address solved this.