Configuring pfSense and IPv6 on a Telus connection

This is how I've configured my pfSense firewall to support IPv6 on the Telus network.

Telus is the major fibre optic and vDSL internet provider in my province. Telus started offering IPv6 sometime around May, 2015 to eligible subscribers on Telus's converged edge network (provided their local Central Office (CO) was upgraded to supported IPv6). Telus's IPv6 rollout was completed around mid-2016. Currently, Telus assigns subscribers a /56 prefix (which is equivalent 256 /64 networks, more than enough for the average home user).

Telus's modems only use IA_PD (Identity Association for Prefix Delegation) and do not use IA_NA (Identity Association for Non-Temporary Addresses). Thus, pfSense must be configured to only request IA_PD.

Modem Configuration

If you have one of Telus's "advanced" modems, you must configure the modem to use Port 1 Bridge mode and connect the WAN interface of pfSense to LAN #1 on the modem. However, if you're lucky enough to obtain a T2200M bridged modem, a Nokia G-010S-A SFP ONT module, or have a Nokia (formerly Alcatel-Lucent) G-240G-A ONT, you can connect directly to the WAN port of those modems/ONTs. The Nokia SFP ONT module has limited support in switching/router hardware.

Modem/ONT Port Network Notes
V1000H, V2000H, T1200H, T2200H, T3200M LAN 1 DSL Must use Port 1 Bridge mode
T2200M GigE DSL Plug-and-Play
Nokia ONT Data 1 GPON Plug-and-Play
Nokia SFP ONT GPON Residential only; limited vendor support

pfSense Configuration

I've successfully tested this configuration on Telus's GPON and DSL networks.

Enable IPv6

If you haven't already, pfSense must have IPv6 support turned on. Under System > Advanced > Networking > IPv6 Options, enable Allow IPv6.

Next, configure your WAN interface:

  • Interfaces > WAN > General Configuration:
  • IPv6 Configuration Type: DHCP6
  • Interfaces > WAN > DHCP6 Client Configuration:
  • Request only an IPv6 prefix: Enabled
  • DHCPv6 Prefix Delegation size: 56
  • Send IPv6 prefix hint: Enabled
  • Do not wait for a RA: Enabled (request a prefix from the Telus router immediately)
  • Do not allow PD release: Enabled

LAN Interface(s)

You can configure multiple LAN interfaces to support IPv6, all you have to do is assign a different IPv6 Prefix ID to each LAN interface that should be IPv6 capable. E.g. A prefix ID for your private LAN, another for your guest network, but none for your IPv4-only VoIP network.

Configure the LAN interface to tack the WAN interface:

  • Interfaces > LAN > General Configuration:
  • IPv6 Configuration Type: Track Interface
  • Interfaces > LAN > Track IPv6 Interface:
  • IPv6 Interface: WAN
  • IPv6 Prefix ID: 0 (or something else, depending on how many other interfaces are tracking the WAN interface)
DHCP & Router Advertisements

There are a few ways for hosts to obtain IPv6 addresses: SLAAC (StateLess Address AutoConfiguration), DHCPv6, or a combination of both. In each case, Router Advertisements are required. Which method to use depends on your network's requirements and potential hosts. For example: Android does not (and will not) support DHCPv6, Windows 10 supports DHCPv6 and SLAAC (although SLAAC + RDNSS support was missing until version 1703).

SLAAC

Since I don't need the extra features of stateful DHCPv6, I'll use SLAAC to obtain addresses and the RDNSS RA option (RFC 8106) to provide DNS configuration. In pfSense, this is the Unmanaged RA mode. If the Stateless DHCP RA mode was used, the DHCPv6 server would have to be enabled in order to provide additional information, like which DNS servers to use.

To configure Router Advertisements for the LAN interface:

  • Services > DHCPv6 Server & RA > LAN > DHCPv6 Server:
  • DHCPv6 Server: Disable
  • Services > DHCPv6 Server & RA > LAN > Router Advertisements:
  • Router mode: Unmanaged

In this configuration, pfSense (CPE) will request a prefix from Telus (BNG). Once a network prefix is delegated, Telus will route traffic for that prefix to the customer's router (pfSense), which will then advertise itself as the DNS server and direct hosts to obtain addresses using SLAAC and the obtained prefix. Clients that support SLAAC will assign their own IPv6 addresses (avoiding address collisions with the Duplicate Address Detection extension of the Neighbour Discovery Protocol) and use pfSense as the DNS server (from the RDNSS option). This configuration is compatible with pfSense's DNS resolver (unbound).

Stateless DHCPv6

This approach still uses SLAAC to obtain addresses but introduces DHCPv6 for obtaining other configuration (like DNS, NTP, etc) after the SLAAC process is finished. Enable the DHCPv6 Server for the interface and set the router advertisement mode to Stateless DHCP. This configuration is called stateless because pfSense does not keep track of any client leases.

Stateful DHCPv6

This approach does not use SLAAC (although some clients will still use SLAAC to generate a "privacy" address) and all configuration is done with DHCPv6. Enable the DHCPv6 Server for the interface and set the router advertisement mode to Managed.

Note: The Assisted mode in pfSense is almost identical to the Managed mode, except the A flag is also set, which allows hosts to use SLAAC and/or DHCPv6 for address configuration and DNS information.

More on RA Flags

When a host sends a Router Solicitation (RS) message and a router replies with an RA message, it contains flags that tell the host how to obtain an IPv6 address:

Flag Meaning
L On-Link Addresses with the same prefix are on the same L2 subnet
M Managed Use DHCPv6 for IPv6 address assignment
O Other Other configuration is available through DHCPv6. E.g. DNS servers
A Autonomous Use the advertised prefix for SLAAC (RFC 4862)

In pfSense, these flags are controlled by the Router Mode setting for the interface:

Router Mode Flags
Disabled
Router Only
Unmanaged A
Managed M+O
Assisted M+O+A
Stateless DHCP A+O

In all modes except Disabled and Router Only, the On-Link (L) flag will also be present.

More information on the different router modes in pfSense.