IPv6 Configuration Types
Similar to IPv4, the IPv6 Configuration Type controls if and how an IPv6 address is assigned to an interface. There are several different ways to configure IPv6 and the exact method depends on the network to which this firewall is connected and how the ISP has deployed IPv6.
Warning
Every ISP is different and large providers can even vary by region.
The ISP determines IPv6 settings for a circuit, and they are the only valid source for that information. As such, this documentation does not include examples for specific providers. Contact the ISP for information about their IPv6 client settings and requirements.
The ISP should provide instructions and specific values for configuring IPv6 on their service. For example, on a circuit with a static IPv6 configuration the ISP should supply the subnet addresses and prefix values for the WAN itself, as well as for routed prefixes. Providers who require DHCPv6 should supply values for settings such as the prefix delegation size, along with any requirements they have for client behavior.
See also
For more information on IPv6, including a basic introduction, see IPv6.
None
When IPv6 Configuration Type is set to None, IPv6 is disabled on the interface. This is useful if the interface has no IPv6 connectivity or if the IPv6 address on the interface is being managed in some other way, such as for a VPN or tunnel interface.
Static IPv6
The Static IPv6 controls work identically to the Static IPv4 settings. See Static IPv4 for details.
With Static IPv6, the interface contains a manually configured IPv6 address. When chosen, three additional fields are available on the interface configuration screen: IPv6 Address, a prefix length selector, and the IPv6 Upstream Gateway field.
Note
Do not set a gateway for internal interfaces such as a LAN or DMZ. Only select a gateway on externally-connected interfaces such as a WAN or a private site-to-site link which the firewall should consider a WAN.
Gateways may still be used on internal interfaces for the purpose of static routes without selecting an IPv6 Upstream Gateway here.
See WAN vs LAN Interfaces for more information.
The default IPv4 and IPv6 gateways work independently of one another. The two need not be on the same interface. Changing the default IPv4 gateway has no effect on the IPv6 gateway, and vice versa.
DHCP6
DHCP6 enables automatic IPv6 configuration of this interface via DHCPv6. DHCPv6 will configure the interface with an IPv6 address, prefix length, DNS servers, etc., but not a gateway. The gateway is obtained via router advertisements, so this interface will be set to accept router advertisements. This is a design choice as part of the IPv6 specification, not a limitation of this implementation. For more information on router advertisements, see Router Advertisements.
Several additional fields are available for IPv6 DHCP that do not exist for IPv4 DHCP:
- Use IPv4 Connectivity as Parent Interface:
When set, the IPv6 DHCP request is sent using IPv4 on this interface, rather than using native IPv6. This is only required in special cases when the ISP requires this type of configuration.
- Request only an IPv6 Prefix:
When set, the DHCPv6 client does not request an address for the interface itself; it only requests a delegated prefix.
- DHCPv6 Prefix Delegation Size:
If the ISP supplies a routed IPv6 network via prefix delegation, they will publish the delegation size, which can be selected here. It is typically a value somewhere between 48 and 64. For more information on how DHCPv6 prefix delegation works, see DHCP6 Prefix Delegation.
Note
To use this delegation, another internal interface must be set to an IPv6 Configuration Type of Track Interface (see Track Interface) so that it can use the addresses delegated by the upstream DHCPv6 server.
- Send IPv6 Prefix Hint:
When set, the DHCPv6 Prefix Delegation Size is sent along with the request to inform the upstream server how large of a delegation is desired by this firewall. If an ISP allows the choice, and the chosen size is within their allowed range, the requested size will be given instead of the default size.
- Debug:
When set, the DHCPv6 client is started in debug mode.
- Do not wait for a RA:
Informs the operating system not to wait for a router advertisement when configuring the interface. This is required by some ISPs.
- Do not allow PD/Address release:
Prevents the operating system from sending a DHCPv6 release message on exit.
Some ISPs will release the allocated address or prefix when a client sends this message. With this option set, the client is more likely to receive the same allocation with subsequent requests.
- DHCPv6 VLAN Priority:
Optionally sets a VLAN Priority tag (802.1p) on DHCPv6 client traffic. Should only be enabled when required by an ISP and with the settings they provide.
- Advanced Configuration:
Enables a wide array of advanced tuning parameters for the DHCPv6 client. These options are rarely used, and when they are required, the values are dictated by the ISP or network administrator. See the dhcp6c.conf man page for details.
- Configuration Override:
Enables a field to use a custom configuration file. The full path must be given. Using a custom file is rarely needed, but some ISPs require DHCP fields or options that are not supported in the pfSense GUI.
SLAAC
Stateless address autoconfiguration (SLAAC) as the IPv6 type makes the operating system attempt to configure the IPv6 address for the interface from router advertisements (RA) that advertise the prefix and related information.
Note
DNS is not typically provided via RA, so the firewall will still attempt to get DNS servers via DHCPv6 when using SLAAC. The RDNSS extensions to the RA process may allow DNS servers to be obtained from RA in some cases. For more information on router advertisements, see Router Advertisements.
This selection has one additional option:
- Use IPv4 connectivity as parent interface:
When set, IPv6 requests are sent over the IPv4 connectivity layer used by this interface (e.g. PPPoE) rather than the parent interface directly. May be required by certain ISPs.
6RD Tunnel
6RD is an IPv6 tunneling technology employed by ISPs to quickly enable IPv6 support for their networks, passing IPv6 traffic inside specially crafted IPv4 packets between an end user router and the ISP relay. It is related to 6to4 but is intended to be used within the ISP network, using the IPv6 addresses from the ISP for client traffic. To use 6RD, the ISP must supply three pieces of information: the 6RD prefix, the 6RD Border Relay, and the 6RD IPv4 Prefix length.
- 6RD Prefix:
The 6RD IPv6 prefix assigned by the ISP, such as 2001:db8::/32.
- 6RD Border Relay:
The IPv4 address of the ISP 6RD relay.
- 6RD IPv4 Prefix Length:
Controls how much of the end user IPv4 address is encoded inside of the 6RD prefix. This is normally supplied by the ISP. A value of 0 means the entire IPv4 address will be embedded inside the 6RD prefix. This value allows ISPs to effectively route more IPv6 addresses to customers by removing redundant IPv4 information if an ISP allocation is entirely within the same larger subnet.
6to4 Tunnel
Similar to 6RD, 6to4 is another method of tunneling IPv6 traffic inside IPv4. Unlike 6RD, however, 6to4 uses constant prefixes and relays. As such there are no user-adjustable settings for using the 6to4 option. The 6to4 prefix is always 2002::/16. Any address inside of the 2002::/16 prefix is considered a 6to4 address rather than a native IPv6 address. Also unlike 6RD, a 6to4 tunnel can be terminated anywhere on the Internet, not only at the end user ISP, so the quality of the connection between the user and the 6to4 relay can vary widely.
6to4 tunnels are always terminated at the IPv4 address of 192.88.99.1. This IPv4 address is anycasted, meaning that although the IPv4 address is the same everywhere, it can be routed regionally toward a node close to the user.
Another deficiency of 6to4 is that it relies upon other routers to relay traffic between the 6to4 network and the remainder of the IPv6 network. There is a possibility that some IPv6 peers may not have connectivity to the 6to4 network, and thus these would be unreachable by clients connecting to 6to4 relays, and this could also vary depending upon the 6to4 node to which the user is actually connected.
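As an added example (not code from pfSense or its documentation), the following Python function shows how the ISP-supplied 6RD Prefix and 6RD IPv4 Prefix Length combine with the WAN IPv4 address into the client's IPv6 prefix, following the 6rd addressing rule in RFC 5969. It goes slightly beyond the text by also treating 6to4 as the fixed case of prefix 2002::/16 with an IPv4 prefix length of 0; the function name and the sample addresses are assumptions.

```python
import ipaddress


def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_prefix_len):
    """Return the IPv6 prefix a 6RD client derives for itself.

    sixrd_prefix    -- "6RD Prefix" from the ISP, e.g. "2001:db8::/32"
    wan_ipv4        -- the IPv4 address on the WAN
    ipv4_prefix_len -- "6RD IPv4 Prefix Length": leading IPv4 bits shared by
                       all customers and therefore NOT embedded
    """
    prefix = ipaddress.IPv6Network(sixrd_prefix)
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    if not 0 <= ipv4_prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")

    # Only the low-order (32 - ipv4_prefix_len) IPv4 bits are appended.
    embedded_bits = 32 - ipv4_prefix_len
    delegated_len = prefix.prefixlen + embedded_bits
    if delegated_len > 64:
        raise ValueError("6RD prefix plus embedded IPv4 bits exceeds /64")

    suffix = v4 & ((1 << embedded_bits) - 1)
    value = int(prefix.network_address) | (suffix << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len))


if __name__ == "__main__":
    # Constructed sample values using documentation address ranges.
    # Length 0: the whole IPv4 address is embedded, leaving a single /64.
    print(sixrd_delegated_prefix("2001:db8::/32", "192.0.2.1", 0))
    # Length 8: the shared first octet is dropped, leaving a /56.
    print(sixrd_delegated_prefix("2001:db8::/32", "10.1.2.3", 8))
    # 6to4: fixed prefix 2002::/16 with the full IPv4 address embedded.
    print(sixrd_delegated_prefix("2002::/16", "192.0.2.1", 0))
```

Knowing the resulting prefix in advance makes it possible to check that firewall rules and aliases written for the internal networks actually match the addresses the tunnel will produce.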
Track Interface
The Track Interface choice works in concert with another IPv6 interface using DHCPv6 Prefix Delegation. When a delegation is received from the ISP, this option designates which interface will be assigned the IPv6 addresses delegated by the ISP and in cases where a larger delegation is obtained, which prefix inside the delegation is used.
- IPv6 Interface:
A list of all interfaces on the system currently set for dynamic IPv6 WAN types offering prefix delegation (DHCPv6, PPPoE, 6rd, etc.). Select the interface from the list which will receive the delegated subnet information from the ISP.
- IPv6 Prefix ID:
If the ISP has delegated more than one prefix via DHCPv6, the IPv6 Prefix ID controls which of the delegated /64 subnets will be used on this interface. This value is specified in hexadecimal.
For example, if a /60 delegation is supplied by the ISP that means 16 /64 networks are available, so prefix IDs from 0 through f may be used.
For more information on how prefix delegation works, see DHCP6 Prefix Delegation.
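The Prefix ID arithmetic described above, as an added example that is not part of the pfSense documentation or code: given a delegated prefix and a hexadecimal Prefix ID, it returns the /64 that the tracking interface would use and rejects IDs that do not fit the delegation. The function names and the sample delegation are assumptions.

```python
import ipaddress


def max_prefix_id(delegation):
    """Largest valid Prefix ID (as hex text) for a delegated prefix."""
    net = ipaddress.IPv6Network(delegation)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64")
    return format((1 << (64 - net.prefixlen)) - 1, "x")


def tracked_subnet(delegation, prefix_id):
    """Return the /64 selected by a hexadecimal Prefix ID.

    delegation -- prefix received via DHCPv6 PD, e.g. a /60 or /56
    prefix_id  -- hexadecimal string, as entered in the Prefix ID field
    """
    net = ipaddress.IPv6Network(delegation)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a /64")

    pid = int(prefix_id, 16)
    id_bits = 64 - net.prefixlen          # a /60 leaves 4 bits: 16 subnets
    if pid < 0 or pid >= (1 << id_bits):
        raise ValueError(
            "prefix ID %s out of range 0-%s for %s"
            % (prefix_id, max_prefix_id(delegation), net)
        )

    # The ID occupies the bits between the delegated length and /64.
    value = int(net.network_address) | (pid << 64)
    return ipaddress.IPv6Network((value, 64))


if __name__ == "__main__":
    # Constructed sample delegation from the documentation range.
    pd = "2001:db8:1234:5670::/60"
    print("valid IDs: 0 through", max_prefix_id(pd))
    for pid in ("0", "a", "f"):
        print(pid, "->", tracked_subnet(pd, pid))
```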