
Exetel IPv6 on pfSense®


Here are the steps to configure pfSense for IPv6 on Exetel NBN and ADSL products.

Exetel has recently started supporting dual stack IPv4 and IPv6 on their ADSL and NBN products. Chances are your existing connection will "just work".

Exetel Business Internet products on Telstra Fibre, Optus Fibre or EFM, AAPT/TPG/PIPE Fibre or EFM/MBE, or Other, support IPv6 through static address assignment. These products are not covered in this document.

(FTTP) Plug pfSense® WAN port in to UNI-D port

How to remove the cover and access the NBN NTD is well documented, so it won't be covered here in detail.

You should first ensure that your service is working using the Exetel provided modem. Typically this will be on UNI-D port 1 or 2. If you have a fault, Exetel will want you to plug their modem in - so once you're sure your service is working unplug this modem and store it somewhere safe.

Now plug the WAN port of your pfSense firewall in to the UNI-D port on your NBN NTD (the "NBN box"). You should get a connection LED for that UNI-D port when your pfSense firewall is powered on.

VDSL services (aka FTTN and FTTB)

You will need to put an NBN approved VDSL modem in to bridge mode and attach your pfSense WAN to its ethernet port.

The Netgear DM200 is the cheapest 1 port VDSL modem we have found.

For configuration steps please see our FTTN NBN guide as this is not specific to Exetel.

NBN-HFC services

Plug the WAN port of your pfSense firewall in to the single ethernet port of the NBN Cable modem (NBN like to call it an NTD... it's a Cable modem).

Unplug the power on the Cable modem, and plug it in again - this will clear the MAC address from your Exetel modem.

What hardware should I run pfSense on?

For home, check out the A10 Dual Core or A10 Quad Core appliances in Desktop profile.

For business, check out the A10 Quad Core or the Xeon Quad Core Gen4 as Rackmount appliances.

Or anything that works for you.

Settings for Exetel IPv6

Exetel use PPPoE for IPv4 on NBN and ADSL products. For IPv6 they use DHCPv6 "over" that PPPoE connection. They delegate a single /60 for your LAN (which you can split up). The WAN address is simply the link local address and it is not internet routable.

Notice Regarding Phone Services

Warning: If you have a phone service with your Exetel NBN connection with your analog handset connecting to the phone port of your Exetel provided modem -  replacing your modem with pfSense will break your phone service.

Is your phone service on an FTTP UNI-V port? If so, it will continue to work. We are not aware of Exetel selling phone services via the UNI-V port though.

If you use your Exetel phone service via an ATA device or stand alone VoIP handset - it should work well with pfSense. You may need to adjust the NAT settings for VoIP to ensure its proper functionality (not covered in this document).

Exetel do provide SIP details for BYO voip devices. They are perhaps the only ISP to do so. This is one reason we heartily recommend Exetel - please use dealer code BA1372 if you purchase a service.

Advanced Network Settings

Log in to your pfSense firewall, click the "System" drop down menu and click "Advanced".


This page will load, then click the "Networking" tab. Ensure the check box next to "Allow IPv6" is checked.

Scroll to the bottom of the page and click "Save".

Enable DHCPv6 on WAN Interface

Log in to your pfSense firewall, then click the "Interfaces" drop down menu, and select your "WAN" interface.

Our convention is to rename WAN interfaces to include their ISP. So in this case WAN becomes EXETELWAN.

Configure DHCPv6 for Exetel IPv6

Ensure that the interface is "Enabled" (why wouldn't it be?).

Then select from the "IPv6 Configuration Type" the "DHCP6" option.

Scroll down to "DHCP6 Client Configurations".

Exetel DHCPv6 Settings

 As pictured above, select the following settings:

  • Options: untick "Advanced Configuration", untick "Configuration Override"
  • Use IPv4 connectivity as parent interface: tick
  • Request only an IPv6 prefix: optional. Exetel behavior has changed recently and will now give out WAN addresses.
  • DHCPv6 Prefix Delegation size: 60 (Note: or less, as pictured, for fewer addresses)
  • Send IPv6 prefix hint: tick
  • Debug: tick (optional, helps in the dhcp log though)
  • Do not wait for a RA: untick
  • Do not allow PD/Address release: untick

Scroll down and click "Save". Then "Apply Changes".

Configure IPv6 on LAN interface

Log in to your pfSense firewall, then click the "Interfaces" drop down menu, and select your "LAN" interface.


From the "IPv6 Configuration Type" select "Track Interface".

Scroll down to "Track IPv6 Interface".


From the "IPv6 Interface" select your "WAN" interface.

For the "IPv6 Prefix ID" enter "0".

Scroll down and click "Save", then "Apply Changes".

You can repeat the above for each LAN type interface you have, incrementing the "IPv6 Prefix ID" each time.
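How the "IPv6 Prefix ID" selects a /64 out of the delegated prefix, as an added example that is not part of the original guide. The documentation prefix 2001:db8::/32, the function names and the interface names are constructed for illustration, and the code assumes the Prefix ID is the index of the /64 inside the delegation (pfSense takes it as a hexadecimal value).

```python
import ipaddress

def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking LAN receives for a given Prefix ID."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("delegation is smaller than a single /64")
    count = 2 ** (64 - net.prefixlen)  # /60 -> 16 LANs, /56 -> 256 LANs
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"Prefix ID {prefix_id:x} is outside 0..{count - 1:x} "
            f"for a /{net.prefixlen}"
        )
    # The Prefix ID fills the bits between the delegated length and /64.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))

def plan(delegated: str, lans: dict) -> dict:
    """Map {interface name: Prefix ID} to /64s, rejecting a reused ID."""
    used = {}
    result = {}
    for name, pid in lans.items():
        if pid in used:
            raise ValueError(f"{name} and {used[pid]} share Prefix ID {pid:x}")
        used[pid] = name
        result[name] = str(lan_prefix(delegated, pid))
    return result

if __name__ == "__main__":
    # Constructed /60 delegation with three LAN type interfaces.
    for name, subnet in plan(
        "2001:db8:0:10::/60", {"LAN": 0x0, "GUEST": 0x1, "IOT": 0xF}
    ).items():
        print(f"{name:6} {subnet}")
    # A /56 has room for Prefix IDs up to ff.
    print(lan_prefix("2001:db8:0:100::/56", 0x10))
```

A Prefix ID above f is rejected for a /60 but fits once the delegation is a /56.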

Configure Router Advertisements

Note: You may wish to configure this differently, depending on how you wish to assign IP addresses.

Log in to your pfSense firewall, then click the "Services" drop down menu, and select the "DHCPv6 Server & RA" option.


Select the "Router Advertisements" tab.

For the "Router mode" select "Assisted".

For "Router priority" select "Normal".

Scroll down and click "Save".

Set the Default Gateway

In general, it's a good idea to set the "Default gateway" explicitly in pfSense as "auto" tends to have problems.

Click the "System" drop down menu and select "Routing".

Exetel Default Gateway

You can safely select the "EXETELWAN_PPPOE" and "EXETELWAN_DHCP6" gateways. Then click "Save".

Firewall Rules

You should now configure firewall rules for IPv6 on your LAN and WAN interfaces as per your preference.

According to RFC 4890 you should always allow the following ICMP types:

  • Destination Unreachable
  • Packet Too Big
  • Time Exceeded
  • Parameter Problem

...and optionally...

  • Echo Request & Echo Response

You're Done!

Validate your configuration at http://test-ipv6.com/ and/or http://ipv6-test.com/

Is there a WAN IPv6 Address?

If you request a WAN address, Exetel will now give you one. However it is not required. In either case you then request an IPv6 subnet which can be used on your LAN networks.

How does this work without a WAN address?

IPv6 has the concept of "Link Local" addresses. This address is auto-configured, and ICMPv6 is used to discover neighbors and routers.

In Exetel's router your ::/60 is routed to your home router/firewall via its "Link Local" address. Your router/firewall has its default route set to Exetel's router which is connected on the other end of your NBN connection.

In this way, your ::/60 is routable to the world, however the IPv6 address on your WAN interface is not internet routable.

If your pfSense firewall accesses the internet, it must do so using its LAN IPv6 address.

Can I get more addresses?

Recently Exetel updated their customer portal with IP address management options. You can request a /56 if you would like more addresses.

Request more IPv6 Addresses

Log in to the portal. Click "Services & Usage" from the top menu. Click the "Manage" button next to the service in question. Then click the "Manage IP" tab. You can request a /56 as well as a proper IPv4 address if you are being NAT'd.

Disclaimer

Although we are a dealer for Exetel - all the above information is provided without warranty.

Please sign up using our dealer code BA1372

Stuck?

We offer commercial support, why not contact us?


