CenturyLink & IPv6 with pfSense 2.4+

Over the years, IPv6 has been on the up and up in terms of implementation and usage. pfSense has had native IPv6 support since the 2.x series. Unfortunately, CenturyLink’s IPv6 implementation has been riddled with ‘fun road bumps’ along the way: downtime, slowness, and other fun routing issues.

CenturyLink (as of early 2020) still does not provide static IPv6 allocations to Fiber or DSL customers – it still remains as DHCP (of sorts).

Before you continue onward with this article, please keep in mind the following…

  1. Your DSL Modem is in ‘bridge mode’ and NOT ‘routing mode’.
  2. Your pfSense install is 2.4.x or newer.
  3. You are aware of the CenturyLink region that you’re in, as some regions do not require the VLAN 201 tag on the WAN port!
  4. I’ll be using the IPv6 DNS variant of 1.1.1.1 and 1.0.0.1.
  5. On pfSense, you have not gone to Advanced -> Networking Tab and modified the IPv6 Options. Below is what I have set…
    • Allow IPv6: Checked
    • IPv6 over IPv4: Unchecked
    • Prefer IPv4 over IPv6: Checked
    • IPv6 DNS Entry: Unchecked.
    • DHCPv6 DUID: DUID-LLT
    • DUID-LLT:
      • Time in seconds since Jan 1, 2000: 637075522.
      • Link-Layer Address: Your pfSense WAN MAC.

CenturyLink IPv6 configuration settings…

  1. IPv6 Mode/Type: 6rd Tunnel
  2. 6RD Config:
    • Prefix: 2602::/24
    • Border Relay: 205.171.2.64
    • Prefix Length: 0

Prerequisites out of the way, let’s begin work on pfSense!

1. Login to pfSense if you’ve not already done so.

2. Add a gateway

  1. Go to System-> Routing -> Gateways Tab
  2. Click “+ Add”
  3. Disabled: Unchecked.
  4. Interface: Your WAN IPv4 port.
  5. Address Family: IPv6 (this is rather crucial) 🙂
  6. Name: SomethingIPv6 – Give it a name that won’t be confusing. 🙂
  7. Gateway: Leave blank – it’s auto-filled as dynamic later on.
  8. Gateway Monitoring: Unchecked (for now).
  9. Gateway Action: Checked (we’re tying the IPv6 to the IPv4 gateway in a way. If IPv4 goes down, IPv6 goes with it!)
  10. Monitor IP: Leave blank (for now).
  11. Force State: Unchecked.
  12. Description: CenturyLag’s IPv6 (or something descriptive)
  13. The ‘Advanced’ section is not used in this context.
  14. Save.

3. Enable IPv6 on WAN first

  1. Select your WAN port for CenturyLink (Interfaces -> WAN (or whatever your WAN interface is named)).
  2. General Configuration panel, under IPv6 Configuration Type, set to “6rd Tunnel”.
  3. 6RD Configuration panel…
    • 6rd Prefix: 2602::/24
    • 6rd Border Relay: 205.171.2.64
    • IPv4 Prefix Length: 0
  4. Save.
  5. Apply Changes.

4. Enable IPv6 on LAN next

  1. Select your LAN port for your network under the Interfaces section.
  2. General Configuration panel, under IPv6 Configuration Type, set to “Static IPv6”.
    NOTE: We will be revisiting this later due to a bug with pfSense!
    • While you can enable Static IPv6 with forcing the interface to use DHCPv6, it will have routing issues.
  3. IPv6 Address: 2001:470:4312:: with the subnet set to /48.
  4. Use IPv4 connectivity and Upstream gateway: Unchecked.
  5. Save & Apply.

5. Enable DHCPv6 for our LAN… with some configurations.

  1. Go to Services -> DHCPv6 Server & RA.
  2. Select your LAN tab, if it wasn’t selected already.
  3. Under DHCPv6 Options…
    • DHCPv6 Server: Checked.
    • Range: 2001:470:4312:: to 2001:470:4312:ffff::
    • Prefix Delegation Range: Blank
    • Prefix Delegation Size: 48
    • DNS Server: Blank – we’ll be using the global settings for that.
    • Domain name: Blank – it’ll inherit from the global DNS LAN naming convention.
    • Domain search list: Blank
    • Default lease time: Blank
    • Max lease time: Blank
    • Time format change: Checked.
    • DDNS, NTP, LDAP, Network Booting, Additional Options – all of these are not used.
  4. Save.
  5. Go to the “Router Advertisements” tab.
  6. Router Mode: Stateless DHCP.
  7. Router Priority: High.
  8. The rest are intentionally left blank.
  9. Save (and Apply if that pops up again).

6. Back to Interfaces -> LAN

  1. Set IPv6 Configuration type to Track Interface.
  2. Set Track IPv6 Interface to the WAN interface in the dropdown.
  3. Set IPv6 Prefix ID to 0.
  4. Save.
  5. Apply.
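
How the 6rd settings and the Track Interface step determine the LAN's addresses, as an added example (not from the original article): the delegated prefix is the 6rd prefix followed by the WAN IPv4 bits (RFC 5969), and the IPv6 Prefix ID picks one /64 out of it. The WAN address 192.0.2.33 is a constructed documentation value, and the function names are made up for this sketch.

```python
import ipaddress

# 6rd values from the article's CenturyLink settings.
SIXRD_PREFIX = ipaddress.IPv6Network("2602::/24")
IPV4_MASK_LEN = 0  # "IPv4 Prefix Length: 0": all 32 IPv4 bits are embedded


def delegated_prefix(wan_ipv4, sixrd_prefix=SIXRD_PREFIX, v4_mask_len=IPV4_MASK_LEN):
    """Return the 6rd delegated prefix for a WAN IPv4 address (RFC 5969)."""
    v4_bits = 32 - v4_mask_len
    # Keep only the IPv4 bits that are not shared across the 6rd domain.
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    plen = sixrd_prefix.prefixlen + v4_bits
    if plen > 64:
        raise ValueError("no room left for a /64 LAN subnet")
    base = int(sixrd_prefix.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def lan_subnet(delegated, prefix_id):
    """Return the /64 that Track Interface selects for this IPv6 Prefix ID."""
    id_bits = 64 - delegated.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID must be below {1 << id_bits}")
    base = int(delegated.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def embedded_ipv4(addr, sixrd_prefix=SIXRD_PREFIX):
    """Recover the WAN IPv4 from a 6rd address (IPv4 mask length 0 only)."""
    a = ipaddress.IPv6Address(addr)
    if a not in sixrd_prefix:
        return None  # not an address from this 6rd domain
    shift = 128 - sixrd_prefix.prefixlen - 32
    return ipaddress.IPv4Address((int(a) >> shift) & 0xFFFFFFFF)


if __name__ == "__main__":
    wan = "192.0.2.33"  # constructed sample WAN IPv4 (documentation range)
    dp = delegated_prefix(wan)
    print("delegated prefix:", dp)
    print("LAN with Prefix ID 0:", lan_subnet(dp, 0))
    print("IPv4 seen in a LAN host address:", embedded_ipv4(str(dp.network_address + 1)))
```

Because the prefix is derived from the WAN IPv4 address, it changes whenever that address changes, so firewall rules or allowlists that hard-code the LAN prefix need updating when it does.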

If you’re still reading… you’re almost done!

7. The DNS (it’s always the DNS).

  1. Go to System -> General Setup.
  2. In the DNS Server Settings, we need to add two new DNS servers to the mix.
  3. Click “+ Add DNS Server” twice.
  4. Add IPv6 host 2606:4700:4700::1111 to the first DNS address blank.
  5. Set gateway to the v6 gateway that was added above. For me, I aptly named it DSLv6.
  6. Add IPv6 host 2606:4700:4700::1001 to the second DNS address blank.
  7. Do the same as step five for the second IPv6 DNS provider.
  8. Save.

8. Firewall rules

What fun is IPv6 without allowing traffic?
  1. Go to Firewall -> Rules.
  2. Go to the WAN rules tab.
  3. Add a new firewall rule. The bottom of the list is fine.
    • Action: Pass
    • Disabled: Unchecked
    • Interface: WAN
    • Address Family: IPv6 (don’t select IPv4+6 with ICMP – weird things happen)
    • Protocol: ICMP
    • ICMP Subtypes: any
  4. Source: any.
  5. Destination: LAN interface aka “LAN net”.
  6. You can tick log if you desire, only useful in terms of debugging.
  7. Save.
  8. Apply.
Now for the LAN tab… this is effectively “allow everything”
  1. Action: Pass
  2. Disabled: Unchecked
  3. Interface: LAN
  4. Address Family: IPv6
  5. Protocol: Any
  6. Source: Any
  7. Destination: Any
  8. Log: Unchecked.
  9. Save.
And the final LAN rule: ICMP – all of it.
  1. Action: Pass
  2. Disabled: Unchecked
  3. Interface: LAN
  4. Address Family: IPv6
  5. Protocol: ICMP
  6. ICMP Subtypes: any
  7. Source: Any
  8. Destination: Any
  9. Log: Unchecked.
  10. Save.
  11. Apply.

With all of the above completed at this point, let’s give it a test…

9. Go to a machine/device with IPv6 support.

10. Disable then enable the networking on the device (be sure that the interface even has it enabled in the first place!). See if you get an IPv6 address – it might take a moment or two.

11. Test out your IPv6 and IPv4 stack and see if everything is working!

If all goes well, you will see something similar to this… and don’t worry about the reverse DNS ‘issue’. Not many providers even have DNS assigned to their entire IPv6 block(s).

ipv6-test.com site test