Configuring pfSense and IPv6 on a Telus connection

This is how I've configured my pfSense firewall to support IPv6 on the Telus network.

Telus is the major fibre optic and vDSL internet provider in my province. Telus started offering IPv6 sometime around May 2015 to eligible subscribers on Telus's converged edge network (provided their local Central Office (CO) was upgraded to support IPv6). Telus's IPv6 rollout was completed around mid-2016. Currently, Telus assigns subscribers a /56 prefix (which is equivalent to 256 /64 networks, more than enough for the average home user).

Telus's modems only use IA_PD (Identity Association for Prefix Delegation) and do not use IA_NA (Identity Association for Non-Temporary Addresses). Thus, pfSense must be configured to only request IA_PD.

Modem Configuration

If you have one of Telus's "advanced" modems, you must configure the modem to use Port 1 Bridge mode and connect the WAN interface of pfSense to LAN #1 on the modem. However, if you're lucky enough to obtain a T2200M bridged modem, a Nokia G-010S-A SFP ONT module, or have a Nokia (formerly Alcatel-Lucent) G-240G-A ONT, you can connect directly to the WAN port of those modems/ONTs. The Nokia SFP ONT module has limited support in switching/router hardware.

| Modem/ONT | Port | Network | Notes |
| --- | --- | --- | --- |
| V1000H, V2000H, T1200H, T2200H, T3200M | LAN 1 | DSL | Must use Port 1 Bridge mode |
| T2200M | GigE | DSL | Plug-and-Play |
| Nokia ONT | Data 1 | GPON | Plug-and-Play |
| Nokia SFP ONT | | GPON | Residential only; limited vendor support |

pfSense Configuration

I've successfully tested this configuration on Telus's GPON and DSL networks.

Enable IPv6

If you haven't already, pfSense must have IPv6 support turned on. Under System > Advanced > Networking > IPv6 Options, enable Allow IPv6.

Next, configure your WAN interface:

  • Interfaces > WAN > General Configuration:
      • IPv6 Configuration Type: DHCP6
  • Interfaces > WAN > DHCP6 Client Configuration:
      • Request only an IPv6 prefix: Enabled
      • DHCPv6 Prefix Delegation size: 56
      • Send IPv6 prefix hint: Enabled
      • Do not wait for a RA: Enabled (request a prefix from the Telus router immediately)
      • Do not allow PD release: Enabled

LAN Interface(s)

You can configure multiple LAN interfaces to support IPv6. All you have to do is assign a different IPv6 Prefix ID to each LAN interface that should be IPv6 capable. For example, use one prefix ID for your private LAN and another for your guest network, but none for your IPv4-only VoIP network.

Configure the LAN interface to track the WAN interface:

  • Interfaces > LAN > General Configuration:
      • IPv6 Configuration Type: Track Interface
  • Interfaces > LAN > Track IPv6 Interface:
      • IPv6 Interface: WAN
      • IPv6 Prefix ID: 0 (or something else, depending on how many other interfaces are tracking the WAN interface)

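
An added example (not part of the original post) showing which /64 each tracking interface ends up with, which is the network that firewall rules and logs for that interface will refer to. The delegated prefix 2001:db8:1200::/56 is a documentation placeholder, the interface names are hypothetical, and the code assumes Prefix IDs are written in hexadecimal.

```python
import ipaddress

def lan_subnets(delegated: str, prefix_ids: dict) -> dict:
    """Map each tracking interface to the /64 selected by its Prefix ID."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("delegation is longer than /64")
    id_bits = 64 - pd.prefixlen  # 8 bits for a /56, so 256 possible IDs
    seen, result = {}, {}
    for iface, pid in prefix_ids.items():
        pid_int = int(pid, 16)  # assumption: IDs are given in hexadecimal
        if not 0 <= pid_int < 2 ** id_bits:
            raise ValueError(f"{iface}: prefix ID {pid} does not fit in a /{pd.prefixlen}")
        if pid_int in seen:
            raise ValueError(f"{iface} and {seen[pid_int]} share prefix ID {pid}")
        seen[pid_int] = iface
        # The ID fills the bits between the delegated prefix and the /64 boundary.
        base = int(pd.network_address) + (pid_int << 64)
        result[iface] = str(ipaddress.IPv6Network((base, 64)))
    return result

if __name__ == "__main__":
    # Constructed input: documentation prefix and hypothetical interface names.
    plan = lan_subnets("2001:db8:1200::/56", {"LAN": "0", "GUEST": "1", "LAB": "ff"})
    for iface, net in plan.items():
        print(f"{iface:6} {net}")
```
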
DHCP & Router Advertisements

There are a few ways for hosts to obtain IPv6 addresses: SLAAC (StateLess Address AutoConfiguration), DHCPv6, or a combination of both. In each case, Router Advertisements are required. Which method to use depends on your network's requirements and potential hosts. For example, Android does not (and will not) support DHCPv6, while Windows 10 supports both DHCPv6 and SLAAC (although SLAAC + RDNSS support was missing until version 1703).

SLAAC

Since I don't need the extra features of stateful DHCPv6, I'll use SLAAC to obtain addresses and the RDNSS RA option (RFC 8106) to provide DNS configuration. In pfSense, this is the Unmanaged RA mode. If the Stateless DHCP RA mode were used, the DHCPv6 server would have to be enabled in order to provide additional information, like which DNS servers to use.

To configure Router Advertisements for the LAN interface:

  • Services > DHCPv6 Server & RA > LAN > DHCPv6 Server:
      • DHCPv6 Server: Disable
  • Services > DHCPv6 Server & RA > LAN > Router Advertisements:
      • Router mode: Unmanaged

In this configuration, pfSense (CPE) will request a prefix from Telus (BNG). Once a network prefix is delegated, Telus will route traffic for that prefix to the customer's router (pfSense), which will then advertise itself as the DNS server and direct hosts to obtain addresses using SLAAC and the obtained prefix. Clients that support SLAAC will assign their own IPv6 addresses (avoiding address collisions with the Duplicate Address Detection extension of the Neighbour Discovery Protocol) and use pfSense as the DNS server (from the RDNSS option). This configuration is compatible with pfSense's DNS resolver (unbound).

Stateless DHCPv6

This approach still uses SLAAC to obtain addresses but introduces DHCPv6 for obtaining other configuration (like DNS, NTP, etc) after the SLAAC process is finished. Enable the DHCPv6 Server for the interface and set the router advertisement mode to Stateless DHCP. This configuration is called stateless because pfSense does not keep track of any client leases.

Stateful DHCPv6

This approach does not use SLAAC (although some clients will still use SLAAC to generate a "privacy" address) and all configuration is done with DHCPv6. Enable the DHCPv6 Server for the interface and set the router advertisement mode to Managed.

Note: The Assisted mode in pfSense is almost identical to the Managed mode, except the A flag is also set, which allows hosts to use SLAAC and/or DHCPv6 for address configuration and DNS information.

More on RA Flags

When a host sends a Router Solicitation (RS) message and a router replies with an RA message, it contains flags that tell the host how to obtain an IPv6 address:

| Flag | Name | Meaning |
| --- | --- | --- |
| L | On-Link | Addresses with the same prefix are on the same L2 subnet |
| M | Managed | Use DHCPv6 for IPv6 address assignment |
| O | Other | Other configuration is available through DHCPv6, e.g. DNS servers |
| A | Autonomous | Use the advertised prefix for SLAAC (RFC 4862) |

In pfSense, these flags are controlled by the Router Mode setting for the interface:

| Router Mode | Flags |
| --- | --- |
| Disabled | |
| Router Only | |
| Unmanaged | A |
| Managed | M+O |
| Assisted | M+O+A |
| Stateless DHCP | A+O |

In all modes except Disabled and Router Only, the On-Link (L) flag will also be present.
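
To confirm that the RA a LAN host actually receives matches the Router Mode you selected, the flags can be read straight from the packet. The following added example (not from the original post or from pfSense) parses a Router Advertisement per RFC 4861 and maps its M, O and A flags onto the table above; the sample packet, its 2001:db8:1200::/64 prefix and the function names are constructed for illustration.

```python
import ipaddress
import struct

MODES = {  # (M, O, A) -> pfSense Router Mode, from the table above
    (False, False, False): "Router Only",
    (False, False, True): "Unmanaged",
    (True, True, False): "Managed",
    (True, True, True): "Assisted",
    (False, True, True): "Stateless DHCP",
}

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 header."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(msg[5] & 0x80), "O": bool(msg[5] & 0x40), "prefixes": [], "rdnss": []}
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8  # option length is in 8-byte units
        if olen == 0 or off + olen > len(msg):
            raise ValueError("malformed option")
        body = msg[off:off + olen]
        if otype == 3 and olen == 32:  # Prefix Information: carries the L and A flags
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append({"prefix": str(net), "L": bool(body[3] & 0x80),
                                   "A": bool(body[3] & 0x40)})
        elif otype == 25 and olen >= 24:  # RDNSS (RFC 8106): 8-byte header, then addresses
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(8, olen, 16)]
        off += olen
    return ra

def router_mode(ra: dict) -> str:
    """Name the Router Mode whose flag set matches what was advertised."""
    a = any(p["A"] for p in ra["prefixes"])
    return MODES.get((ra["M"], ra["O"], a), "no matching pfSense mode")

def build_sample_ra(ra_flags: int, pio_flags: int) -> bytes:
    """Constructed RA for 2001:db8:1200::/64 (documentation prefix); checksum left as 0."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, pio_flags, 86400, 14400, 0)
    pio += ipaddress.IPv6Address("2001:db8:1200::").packed
    rdnss = struct.pack("!BBHI", 25, 3, 0, 1800)
    rdnss += ipaddress.IPv6Address("2001:db8:1200::1").packed
    return hdr + pio + rdnss

if __name__ == "__main__":
    ra = parse_ra(build_sample_ra(0x00, 0xC0))  # M=0, O=0; L=1, A=1
    print(router_mode(ra), ra["prefixes"], ra["rdnss"])
```

An RA on the LAN whose flags or prefix do not match what the firewall is configured to send is worth investigating as a misconfigured or unexpected router.
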

More information on the different router modes in pfSense.

A Note on DSL

A somewhat annoying issue I've faced with a DSL connection and pfSense is that the modem sometimes takes a while to sync again after a power failure. pfSense will sometimes hang during boot or it will never get an IP address, completely preventing remote access. This appears to happen because the physical link is up between the firewall and the modem, but there is no response from the modem until it is ready. A solution that has worked so far is delaying the boot time so that the modem has a chance to sync with the DSLAM before pfSense tries to request a lease.

There are two options available for delaying the boot process:

###  Loader settings  ########################################
#loader_delay="3"		# Delay in seconds before loading anything.
				# Default is unset and disabled (no delay).
#autoboot_delay="10"		# Delay in seconds before autobooting,
				# -1 for no user interrupts, NO to disable
/boot/loader.conf.local

These are added to /boot/loader.conf.local so that they are preserved across reboots and upgrades. I've been successful in using loader_delay="60".