How to use IPv6 on Quickline/WWZ and pfSense firewall

Here’s how to configure your pfSense firewall for IPv6 on Quickline/WWZ. The settings may work with other ISPs too but YMMV. I’m assuming your modem is already in bridge mode and pfSense is up and running for IPv4 DHCP on the WAN interface.

Activate IPv6 and DHCP6 in the router

We’re configuring pfSense to use DHCP6 on the WAN interface to get an IPv6 prefix from the ISP.

In System → Advanced → Networking:

  • Activate Allow IPv6

In Interfaces → WAN → General Configuration:

  • IPv6 Configuration Type: DHCP6

In Interfaces → WAN → DHCP6 Client Configuration:

  • Activate Request only an IPv6 prefix
  • DHCPv6 Prefix Delegation size (according to Quickline, ask your ISP when in doubt):
    • 56 for cable modems (HF)
    • 64 for FTTH
  • Optional but helps if something doesn’t work: Start DHCP6 client in debug mode
  • Activate Do not wait for RA
  • Optional: Activate Do not allow PD/Address release
    • May help you keep your assigned IPv6 prefix if you want it to stay the same

In Interfaces → LAN → General Configuration:

  • IPv6 Configuration Type: Track Interface

In Interfaces → LAN → Track IPv6 Interface:

  • IPv6 Interface: WAN

In Services → DHCPv6 Server & RA → Router Advertisements:

  • Router mode: Unmanaged
  • Router priority: High

You could opt to activate pfSense’s DHCPv6 server on the LAN interface and hand out a range of addresses from your prefix, but I have no need for a DHCPv6 server on the LAN interface. Instead, I’m advertising the IPv6 prefix to the LAN clients so they autoconfigure themselves (SLAAC). Watch out for blocked DHCPv6 connections if you enable pfSense’s DHCPv6 server and assisted/managed RA in combination with Bogon filtering.

Very important final step: reboot pfSense. I was getting error messages like “transmit failed: Can’t assign requested address” which were gone after a reboot.

Is it working?

Go to Status → Gateways. If pfSense was able to get an IPv6 prefix from your ISP, the WAN_DHCP6 gateway (or whatever name you chose for the WAN interface) should show status Online. If it stays in state Pending then something went wrong (see Debugging below).

On a LAN client (check that it was assigned an IPv6 address; reboot when in doubt), open https://ipv6test.google.com in a web browser to check whether IPv6 is available.

Optimization

While IPv6 has been around for quite a while, most ISPs and network providers still optimize routing for IPv4 (i.e. they have more IPv4 than IPv6 BGP peers). That’s why you might get better/faster connections when giving IPv4 precedence over IPv6 (the default is to always prefer IPv6).

So I’m instructing pfSense to prefer IPv4 over IPv6 when a DNS response contains both, in System → Advanced → Networking → IPv6 Options: Activate Prefer IPv4 over IPv6.

Obviously, this setting needs to be configured on every client in your LAN (if the device supports it), since it depends on how each client interprets a DNS response. For Linux-based clients have a look at /etc/gai.conf.
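To show what that client-side preference actually does, here is an added example (not from the original post) that reads gai.conf precedence lines the way glibc is documented to, modelling only the precedence rule of RFC 6724, and orders candidate addresses with and without the IPv4-preferring line. The conf body and the addresses (RFC 3849/5737 documentation ranges) are constructed; the baseline table is the one listed in glibc’s commented default gai.conf, assumed here to be the effective default.

```python
import ipaddress

# Baseline table as listed (commented out) in glibc's /etc/gai.conf.
# Assumption: used as the effective table when the file sets no precedence.
DEFAULT_PRECEDENCE = [
    ("::1/128", 50),
    ("::/0", 40),
    ("2002::/16", 30),
    ("::/96", 20),
    ("::ffff:0:0/96", 10),
]

# Constructed sample gai.conf: glibc's default rows with the IPv4-mapped row
# raised to 100, which is the documented way to prefer IPv4 connections.
PREFER_IPV4_CONF = """\
precedence  ::1/128       50
precedence  ::/0          40
precedence  2002::/16     30
precedence  ::/96         20
precedence  ::ffff:0:0/96 100
"""


def parse_gai_conf(text):
    """Effective precedence table for a gai.conf body.

    glibc drops the whole default table as soon as any 'precedence' line is
    present, so a file with only the ::ffff:0:0/96 line loses the other rows.
    """
    table = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "precedence":
            table.append((parts[1], int(parts[2])))
    return table or list(DEFAULT_PRECEDENCE)


def precedence_of(addr, table):
    """Longest-prefix lookup; IPv4 literals are mapped to ::ffff:a.b.c.d first."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + str(ip))
    best_len, best_val = -1, 0
    for prefix, value in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def sort_destinations(addrs, table):
    """Order candidates by precedence (RFC 6724 rule 6 only), highest first."""
    return sorted(addrs, key=lambda a: precedence_of(a, table), reverse=True)
```

Real resolvers apply further rules (scope, source address matching, and so on) before and after this one, so this models the preference switch only.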

Debugging

If debug logging is enabled for the DHCP6 client you might find helpful debugging information in Status → System Logs → DHCP. You can use the Advanced Log Filter to search for dhcp6 messages in the log.

Do LAN clients get a public IPv6 but the IPv6 browser check still fails? Check the firewall rules for blocked IPv6 traffic.

Ubuntu release upgrade says ‘no new release found’ on IPv6-only server

I’m running some sort of an experimental KVM guest with IPv6 connectivity only. Since it still had Ubuntu Server 13.10 installed I tried to run a do-release-upgrade on it to upgrade it to the latest Ubuntu Server release – which at the time of this writing is 14.10. However, the do-release-upgrade command kept saying that no new release could be found:

root@ipv6lab:~# do-release-upgrade
Checking for a new Ubuntu release
No new release found

I verified the /etc/update-manager/release-upgrades configuration file, but it already contained the Prompt=normal line. After doing some digging I found out that do-release-upgrade tries to connect to http://changelogs.ubuntu.com, but there is no AAAA DNS record for this host. Essentially, this means that an Ubuntu server can’t be upgraded to a newer release over IPv6 because it can’t reach the update info site over IPv6.

root@ipv6lab:~# dig +short changelogs.ubuntu.com A
91.189.95.36
root@ipv6lab:~# dig +short changelogs.ubuntu.com AAAA
root@ipv6lab:~#

Interestingly, the Ubuntu APT repository update site is accessible over IPv6, which is why something like apt-get update runs fine on IPv6-only Ubuntu servers.

I solved the problem by creating an IPv6 to IPv4 HTTP proxy using HAProxy on an IPv4/IPv6 dual stack server. The proxy listens on an IPv6 address and “tunnels” all requests to changelogs.ubuntu.com using the IPv4 address of the changelogs server. I was able to upgrade to a newer Ubuntu release this way on an IPv6-only Ubuntu server.