Telstra IPv6 on pfSense®

Here are the steps to configure pfSense for IPv6 on Telstra NBN and ADSL products.

Telstra has supported dual stack IPv4 and IPv6 on their ADSL and NBN products for some time. Chances are your existing connection will "just work".

(FTTP) Plug pfSense® WAN port in to UNI-D port

How to remove the cover and access the NBN NTD is well documented, so it won't be covered here in detail.

You should first ensure that your service is working using the Telstra provided modem. Typically this will be on UNI-D port 1 or 2. If you have a fault, Telstra will want you to plug their modem in - so once you're sure your service is working unplug this modem and store it somewhere safe.

Now plug the WAN port of your pfSense firewall in to the UNI-D port on your NBN NTD (the "NBN box"). You should get a connection LED for that UNI-D port when your pfSense firewall is powered on.

VDSL services (aka FTTN and FTTB)

You will need to put an NBN approved VDSL modem in to bridge mode and attach your pfSense WAN to its Ethernet port.

The Netgear DM200 is the cheapest 1 port VDSL modem we have found.

For configuration steps please see our FTTN NBN guide as this is not specific to Telstra.

NBN-HFC services

Plug the WAN port of your pfSense firewall in to the single Ethernet port of the NBN Cable modem (NBN like to call it an NTD... it's a Cable modem).

Unplug the power on the Cable modem, and plug it in again - this will clear the MAC address from your Telstra modem.

What hardware should I run pfSense® on ?

For home, check out the A10 Dual Core or A10 Quad Core appliances in Desktop profile.

For business, check out the A10 Quad Core or the Xeon Quad Core Gen4 as Rackmount appliances.

Or anything that works for you.

Settings for Telstra IPv6

As Telstra use DHCP for IPv4, plugging in a pfSense firewall with default settings should "Just work". IPv6 is far from the same scenario.

Notice Regarding Phone Services

Warning: If you have a phone service with your Telstra NBN connection, with your analog handset connected to the phone port of your Telstra provided modem, replacing your modem with pfSense will break your phone service.

Is your phone service on an FTTP UNI-V port? Yes, it will continue to work.

If you have a Digital Office Technology (DOT) phone service running off a Telstra provided VoIP handset - this may work but may require additional changes to your pfSense firewall rules.

For analog phones attached to your Telstra modem, people have reported that their services can be made to work by plugging the WAN port of the Telstra modem in to a port on the LAN network off of their pfSense. YMMV.

In either case, any problems you have will be up to you to solve. Telstra will blame pfSense for everything.

Telstra do not provide SIP details for BYO VoIP devices.

If you would like an ISP which allows BYO VoIP - we heartily recommend Exetel - please use dealer code BA1372

Advanced Network Settings

Log in to your pfSense firewall, click the "System" drop down menu and click "Advanced".

Advanced Network Settings for Telstra IPv6

When the page loads, click the "Networking" tab. Ensure the check box next to "Allow IPv6" is checked.

Scroll to the bottom of the page and click "Save".

System Tunables for Telstra IPv6

Click the "System Tunables" tab, then click "+Add"

At the "Edit Table" screen, enter the following values (as displayed above).

  • Tunable: net.inet6.icmp6.nd6_onlink_ns_rfc4861
  • Value: 1
  • Description: <anything you like>

Click "Save" and you will be returned to the listing of "System Tunables".

Click "+Add" again.

At the "Edit Table" screen, enter the following values (as displayed above).

  • Tunable: net.inet6.ip6.accept_rtadv
  • Value: 0
  • Description: <anything you like>

Click "Save" and you will be returned to the listing of "System Tunables".

These new settings should be visible in the list. Now click "Apply Changes".

Although it may not strictly be needed, you should now reboot the firewall by clicking the "Diagnostics" drop down, and selecting "Reboot", then confirm by clicking the final "Reboot" button.

Enable IPv6 on WAN Interface

Log in to your pfSense firewall, then click the "Interfaces" drop down menu, and select your "WAN" interface.

Our convention is to rename WAN interfaces to include their ISP. So in this case WAN becomes TELSTRAWAN.

WAN settings for Telstra IPv6

Ensure that the interface is "Enabled" (why wouldn't it be?).

Then select from the "IPv6 Configuration Type" the "DHCP6" option.

Scroll down to "DHCP6 Client Configurations".

As pictured above, select the following settings:

  • Options: untick "Advanced Configuration", untick "Configuration Override"
  • Use IPv4 connectivity as parent interface: untick
  • Request only an IPv6 prefix: tick
  • DHCPv6 Prefix Delegation size: 56
  • Send IPv6 prefix hint: tick
  • Debug: tick (optional, helps in the dhcp log though)
  • Do not wait for a RA: untick
  • Do not allow PD/Address release: untick

Scroll down and click "Save". Then "Apply Changes".

Note: On the Telstra Business connections that we have tried, "Request only an IPv6 prefix" needs to be ticked. We have reports that residential services are okay with this unticked.

Configure DHCPv6 on LAN interface

Log in to your pfSense firewall, then click the "Interfaces" drop down menu, and select your "LAN" interface.

LAN settings for Telstra IPv6

From the "IPv6 Configuration Type" select "Track Interface".

Scroll down to "Track IPv6 Interface".

From the "IPv6 Interface" select your "WAN" interface.

For the "IPv6 Prefix ID" enter "0".

Scroll down and click "Save", then "Apply Config".

You can repeat the above for each LAN type interface you have, incrementing the "IPv6 Prefix ID" each time.
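How the "IPv6 Prefix ID" selects a /64 out of the delegated /56, as an added example that is not part of the original article. The 2001:db8:1200::/56 documentation prefix, the interface names and the observed addresses are constructed, and the code assumes the Prefix ID is entered in hexadecimal, as the pfSense field expects.

```python
import ipaddress

def lan_subnets(delegated, prefix_ids):
    """Map each interface's Prefix ID (hex string, as typed in the GUI) to its /64."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot be split into /64s")
    max_id = (1 << (64 - pd.prefixlen)) - 1        # 0xff for a /56
    used, result = {}, {}
    for ifname, pid_hex in prefix_ids.items():
        pid = int(pid_hex, 16)
        if not 0 <= pid <= max_id:
            raise ValueError(f"{ifname}: Prefix ID {pid_hex} outside 0..{max_id:x}")
        if pid in used:
            # Two interfaces tracking the same ID would share one /64.
            raise ValueError(f"{ifname}: Prefix ID {pid_hex} already used by {used[pid]}")
        used[pid] = ifname
        # The Prefix ID fills the bits between the delegation and the /64 boundary.
        base = int(pd.network_address) + (pid << 64)
        result[ifname] = ipaddress.IPv6Network((base, 64))
    return result

def misplaced(observed, subnets):
    """Return interfaces whose observed address is outside the expected /64."""
    return [ifname for ifname, addr in observed.items()
            if ipaddress.IPv6Address(addr) not in subnets[ifname]]

if __name__ == "__main__":
    # Constructed sample: a /56 delegation and three tracking interfaces.
    subnets = lan_subnets("2001:db8:1200::/56",
                          {"LAN": "0", "OPT1": "1", "GUEST": "ff"})
    for ifname, net in subnets.items():
        print(f"{ifname:6} {net}")
    # Constructed sample of addresses read off the Status > Interfaces page.
    observed = {"LAN": "2001:db8:1200::1", "OPT1": "2001:db8:1200:2::1"}
    print("outside expected /64:", misplaced(observed, subnets))
```

An interface reported by `misplaced` usually means its Prefix ID was changed without the interface being re-applied, or that the ISP has delegated a different prefix since the addresses were read.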

Configure Router Advertisements

Note: You may wish to configure this differently, depending on how you wish to assign IP addresses.

Log in to your pfSense firewall, then click the "Services" drop down menu, and select the "DHCPv6 Server & RA" option.

RA Settings for Telstra IPv6

Select the "Router Advertisements" tab.

For the "Router mode" select "Assisted".

For "Router priority" select "Normal".

Scroll down and click "Save".

Set the Default Gateway

In general, it's a good idea to set the "Default gateway" explicitly in pfSense as "auto" tends to have problems.

Click the "System" drop down menu and select "Routing".

Setting Default Gateway

You can safely select the "TELSTRAWAN_DHCP" and "TELSTRAWAN_DHCP6" gateways. Then click "Save".

Firewall Rules

You should now configure firewall rules for IPv6 on your LAN and WAN interfaces as per your preference.

According to RFC 4890 you should always allow the following ICMP types:

  • Destination Unreachable
  • Packet Too Big
  • Time Exceeded
  • Parameter Problem

...and optionally...

  • Echo Request & Echo Response

You're Done!

Validate your configuration at http://test-ipv6.com/ and/or http://ipv6-test.com/

Is there a WAN IPv6 Address?

With Telstra Business, we have found that a ::/56 subnet is delegated via DHCPv6 but not a WAN IPv6 address.

How does this work?

IPv6 has the concept of "Link Local" addresses. This address is auto-configured, and ICMPv6 is used to discover neighbors and routers.

In Telstra's router, your ::/56 is routed to your home router/firewall via its "Link Local" address. Your router/firewall has its default route set to Telstra's router which is connected on the other end of your NBN connection.

In this way, your ::/56 is routable to the world, however the IPv6 address on your WAN interface is not internet routable.

If your pfSense firewall accesses the internet, it must do so using its LAN IPv6 address.

Disclaimer: We have no affiliation with Telstra. The above is provided without warranty.

Stuck?

We offer commercial support, why not contact us





  • Aaron Brooks on

    The DHCPv6 gateway address provided by Telstra is a link-local address. Users should take care to ensure “Block private networks and loopback addresses” is not enabled on their WAN interface, otherwise this rule will block connectivity with the IPv6 gateway. This gave me a bit of trouble until I realised my PEBKAC.

