Bug #8435
openDHCPv6 unusable in certain circumstances (US AT&T Fiber, etc.)
Description
pfSense's implementation of DHCPv6 prefix delegation is unusable in edge ISP configurations. AT&T Fiber in the United States, for example, commits the entire /60 to the customer's on-premises gateway, even if the gateway is bypassed (as it can be). The pfSense appliance behind the gateway can only request delegation for one /64 at a time, even if multiple /64s are to be delegated. In other words, if I have four LAN subnets, I would need to request four separate /64s from the gateway, rather than a single /62 to then be doled out by the pfSense firewall.
Unfortunately, pfSense only allows for a single delegated prefix over the WAN. If a /63, /62, /61, etc. is configured, it is ignored by the gateway. The problem is that setting a prefix length of /64 for DHCPv6 on WAN means that only a single LAN interface can be given that delegated prefix. There is no configuration structure within pfSense (that I have found) that allows one to individually request a /64 prefix for EACH so-configured LAN interface.
Updated by Nathan Ollerenshaw over 2 years ago
Can confirm; there is a workaround that was documented in the forums.
interface igb3 {
    send ia-na 0;
    send ia-pd 0;
    send ia-pd 1;
    request domain-name-servers;
    request domain-name;
    script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
    prefix-interface igb1 {
        sla-id 0;
        sla-len 0;
    };
};
id-assoc pd 1 {
    prefix-interface igb2 {
        sla-id 0;
        sla-len 0;
    };
};
A "send ia-pd" stanza for each delegation you want, and an equivalent "id-assoc" entry.
Note that if you want this to work with NPt you need to remove the prefix-interface sections for each id-assoc. That will claim the PD but not assign it to an interface, so you can do NPt as normal.
I suggest adding a tickbox to the ui that says "Enable for AT&T Fiber" with some kind of snarky comment as the helptext about how AT&T doesn't know what they're doing.
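To make the workaround in the comment above mechanical for any number of LAN interfaces, here is an added example (not code from pfSense or from the forum post) that renders a dhcp6c.conf of that shape, with an NPt mode that drops the prefix-interface blocks, and checks that every send ia-pd has a matching id-assoc pd. The interface names igb3/igb1/igb2 and the script path are taken from the comment; the function names are the example's own.

```python
import re
from typing import List, Set, Tuple

def render_dhcp6c_conf(wan: str, lans: List[str],
                       script: str = "/var/etc/dhcp6c_wan_script.sh",
                       npt: bool = False) -> str:
    """Render a dhcp6c.conf that requests one IA_PD per LAN interface.

    wan:  WAN interface name (igb3 in the comment above)
    lans: LAN interfaces that should each get their own delegated /64
    npt:  when True, emit empty id-assoc pd blocks (no prefix-interface),
          so the prefixes are claimed but left unassigned for NPt rules
    """
    lines = [f"interface {wan} {{", "\tsend ia-na 0;"]
    # one send ia-pd per requested delegation, numbered from 0
    lines += [f"\tsend ia-pd {i};" for i in range(len(lans))]
    lines += ["\trequest domain-name-servers;", "\trequest domain-name;",
              f'\tscript "{script}";', "};", "id-assoc na 0 { };"]
    for i, lan in enumerate(lans):
        if npt:
            lines.append(f"id-assoc pd {i} {{ }};")
        else:
            # sla-id 0 / sla-len 0: hand the whole delegated /64 to this interface
            lines += [f"id-assoc pd {i} {{", f"\tprefix-interface {lan} {{",
                      "\t\tsla-id 0;", "\t\tsla-len 0;", "\t};", "};"]
    return "\n".join(lines) + "\n"

def ia_pd_ids(conf: str) -> Tuple[Set[int], Set[int]]:
    """Return (IDs requested via send ia-pd, IDs defined via id-assoc pd)."""
    sent = {int(n) for n in re.findall(r"send\s+ia-pd\s+(\d+)\s*;", conf)}
    defined = {int(n) for n in re.findall(r"id-assoc\s+pd\s+(\d+)\s*\{", conf)}
    return sent, defined

def check_ia_pd_pairing(conf: str) -> bool:
    """True when the send ia-pd IDs and the id-assoc pd IDs match exactly."""
    sent, defined = ia_pd_ids(conf)
    return bool(sent) and sent == defined

if __name__ == "__main__":
    # constructed sample matching the forum workaround: WAN igb3, LANs igb1/igb2
    print(render_dhcp6c_conf("igb3", ["igb1", "igb2"]))
```

Run the pairing check against a hand-edited /var/etc/dhcp6c_wan.conf as well; a send ia-pd without its id-assoc pd is the usual reason a second delegation never shows up.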