How to use IPv6 on Quickline/WWZ and pfSense firewall

Here’s how to configure your pfSense firewall for IPv6 on Quickline/WWZ. The settings may work with other ISPs too but YMMV. I’m assuming your modem is already in bridge mode and pfSense is up and running for IPv4 DHCP on the WAN interface.

Activate IPv6 and DHCP6 in the router

We’re configuring pfSense to use DHCP6 on the WAN interface to get an IPv6 prefix from the ISP.

In System → Advanced → Networking:

  • Activate Allow IPv6

In Interfaces → WAN → General Configuration:

  • IPv6 Configuration Type: DHCP6

In Interfaces → WAN → DHCP6 Client Configuration:

  • Activate Request only an IPv6 prefix
  • DHCPv6 Prefix Delegation size (according to Quickline, ask your ISP when in doubt):
    • 56 for cable modems (HF + FTTH)
    • 64 for FTTH
  • Optional but helps if something doesn’t work: Start DHCP6 client in debug mode
  • Activate Do not wait for RA
  • Optional: Activate Do not allow PD/Address release
    • May help keep your assigned IPv6 prefix if you prefer it to be static

In Interfaces → LAN → General Configuration:

  • IPv6 Configuration Type: Track Interface

In Interfaces → LAN → Track IPv6 Interface:

  • IPv6 Interface: WAN

In Services → DHCPv6 Server & RA → Router Advertisements:

  • Router mode: Unmanaged
  • Router priority: High

You could opt to activate pfSense’s DHCPv6 server on the LAN interface and hand out a range of available IPv6 addresses from your prefix but I have no need for a DHCPv6 server on the LAN interface. Instead, I’m making the IPv6 prefix available to the LAN clients to autoconfigure themselves for IPv6. Watch out for blocked DHCPv6 connections if you enable pfSense’s DHCPv6 server and assisted/managed RA in combination with Bogon filtering.

Very important final step: reboot pfSense. I was getting error messages like “transmit failed: Can’t assign requested address”, which were gone after a reboot.

Is it working?

Go to Status → Gateways. If pfSense was able to get an IPv6 prefix from your ISP, the WAN_DHCP6 gateway (or whatever name you chose for the WAN interface) should show status Online. If it’s always in state Pending then something went wrong (see Debugging below).

Use a web browser on a LAN client (check that it was assigned an IPv6 address, reboot when in doubt) and go to https://ipv6test.google.com to check if IPv6 is available.
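
To check the address assignment on a Linux LAN client without a browser, the following added example (not part of the original post) classifies the addresses listed by `ip -6 -o addr show` and reports whether the client has a globally routable address or only a link-local fe80:: one. The function names and the sample addresses (from the 2001:db8::/32 documentation range) are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this client have a routable IPv6 address?
# On a real client: ip -6 -o addr show | ipv6_status

classify_ipv6() {
    # $1 = IPv6 address without the /prefix-length suffix
    case "$1" in
        ::1)         echo loopback ;;
        fe[89ab]?:*) echo link-local ;;  # fe80::/10, never routed
        f[cd]??:*)   echo ula ;;         # fc00::/7, private
        [23]???:*)   echo global ;;      # 2000::/3, public unicast
        *)           echo other ;;
    esac
}

ipv6_status() {
    # Reads `ip -6 -o addr show` output on stdin.
    # Prints ok, link-local-only or none.
    result=none
    while read -r _idx _ifname family addr _rest; do
        [ "$family" = inet6 ] || continue
        case "$(classify_ipv6 "${addr%/*}")" in
            global)     result=ok; break ;;
            link-local) result=link-local-only ;;
        esac
    done
    echo "$result"
}

# Constructed sample: SLAAC worked, the client has a public address.
SAMPLE_OK='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 2001:db8:1234:5600:a1b2:c3ff:fed4:e5f6/64 scope global dynamic
2: eth0    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link'

# Constructed sample: no prefix was advertised on the LAN.
SAMPLE_LL='1: lo    inet6 ::1/128 scope host
2: eth0    inet6 fe80::a1b2:c3ff:fed4:e5f6/64 scope link'

printf '%s\n' "$SAMPLE_OK" | ipv6_status
printf '%s\n' "$SAMPLE_LL" | ipv6_status
```

A result of ok means the client is reachable from the internet by its own address, so the pfSense rules are the only thing filtering inbound IPv6 traffic to it.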

Optimization

While IPv6 has been around for quite a while, most ISPs and network providers still optimize routing for IPv4 (that is, they have more IPv4 BGP peers than IPv6 BGP peers). That’s why you might get better/faster connections when giving IPv4 precedence over IPv6 (the default is to always prefer IPv6).

So I’m instructing pfSense to prefer IPv4 over IPv6 if both are available in a DNS response in System → Advanced → Networking → IPv6 Options: Activate Prefer IPv4 over IPv6.

Obviously, this setting needs to be configured in every client on your LAN (if the device supports it) since it’s based on how a DNS response is interpreted. For Linux-based clients, have a look at /etc/gai.conf.
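
As an added example (not from the original post), this shell function reads a glibc gai.conf and reports which address family the resolver will rank first. It assumes the glibc default precedence values of 10 for ::ffff:0:0/96 (IPv4-mapped) and 40 for ::/0, and that IPv4 is preferred by activating the line `precedence ::ffff:0:0/96  100`; the function name and the sample files are constructed.

```shell
#!/bin/sh
# Added example: which address family does this gai.conf prefer?
# On a real client: gai_preference < /etc/gai.conf

gai_preference() {
    v4=10   # assumed glibc default for ::ffff:0:0/96 (IPv4-mapped)
    v6=40   # assumed glibc default for ::/0 (native IPv6)
    while read -r keyword prefix value _rest; do
        # Commented-out lines start with "#precedence" and are skipped.
        [ "$keyword" = precedence ] || continue
        # Ignore entries whose value is missing or not a number.
        case "$value" in
            ''|*[!0-9]*) continue ;;
        esac
        case "$prefix" in
            ::ffff:0:0/96) v4=$value ;;
            ::/0)          v6=$value ;;
        esac
    done
    if [ "$v4" -gt "$v6" ]; then
        echo prefers-ipv4
    else
        echo prefers-ipv6
    fi
}

# Constructed sample: stock file, the IPv4 line is still commented out.
GAI_STOCK='# Configuration for getaddrinfo(3).
#precedence ::ffff:0:0/96  100'

# Constructed sample: the IPv4 line has been activated.
GAI_V4='# Configuration for getaddrinfo(3).
precedence ::ffff:0:0/96  100'

printf '%s\n' "$GAI_STOCK" | gai_preference
printf '%s\n' "$GAI_V4" | gai_preference
```

The setting only changes the order in which getaddrinfo() returns addresses, so IPv6 stays enabled and reachable on the client either way.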

Debugging

If debug logging is enabled for the DHCP6 client you might find helpful debugging information in Status → System Logs → DHCP. You can use the Advanced Log Filter to search for dhcp6 messages in the log.

Do LAN clients get a public IPv6 but the IPv6 browser check still fails? Check the firewall rules for blocked IPv6 traffic.

7 Comments

  1. Hi Jan

    WWZ just changed the system to their own with FTTH, which is now independent from Quickline. Before, I got an IPv6 address on the WAN interface. With the new setup (they changed around two weeks ago), I no longer get an IPv6 address with this configuration. Do you know what needs to change for IPv6 to work with the new setup of WWZ?

    Thanks Michael

    1. Hello guys
      Please excuse me I have only now seen the comments.
      Apparently it caused too many problems during the introduction, so it was switched off again. Today I noticed that since yesterday WWZ has switched back FTTH to IPv6.
      I have successfully configured IPv6 this evening. According to the instructions of Jan. Thanks again for sharing! ;-) @Boris, I would have to search again for the adaptation for FTTH from Quickline. It was a Linux kernel option, which had to be set. If this is still up to date I will gladly share this.
      Simon

      1. Hi Simon
        Today, I got the message from WWZ that it should now be working again. So I tried again to get it back to work by following the above Howto of Jan. Unfortunately, I only get a pending Gateway. When I deactivate “Do not wait for RA”, then I get an IP and also the IP of the gateway (Gateway Online), but both are still fe80:… addresses. Did you do something different?
        Thanks for any hint.
        Michael

        1. Hi Michael,
          What you need to do is add this tunable:
          net.inet6.icmp6.nd6_onlink_ns_rfc4861 = 1
          This was the solution to the 6 min timeout with WWZ FTTH and IPv6.

          My WAN config looks like:
          IPv6 Configuration Type = DHCPv6
          Request only an IPv6 prefix = disabled
          Prefix delegation size = 56
          Send IPv6 prefix hint = disabled

          If this does not help, send me a PM on reddit.com: OverrideCH

          BR,
          Simon

  2. Hi

    I’ve got the same setup as Simon and exactly the same problem with these 5 minutes. On other forums, users with FritzBoxes had the same problem; the WWZ support said that this has something to do with ARP requests.

    Were you or Simon already able to solve this problem?

    Regards,
    Boris

    1. I have noticed that it is only when I reply to your comment that you will probably receive an email. Simon

  3. Hi Jan,

    Thank you very much for your blog post. So far it has worked for me too (I’m also a WWZ customer with FTTH). The only problem I have is that my IPv6 connection gets disconnected after 5 minutes. I’m working on troubleshooting.

    Which connection do you have, FTTH or HF? Just a small correction for your blog. As you can see here: https://community.quickline.ch/d/314-wie-bekomme-ich-eine-ipv6-pr-fix-id/24
    the FTTH connections also have a /56 prefix and not /64.

    BR,
    Simon