<p>Router - PFSense (AAISP Support Site, https://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5685), revision of 2014-04-28T18:55:18Z by Camlin: /* Fix the Gateway monitoring problems */</p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have set up my system, and should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and that they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can be created by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48, each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them.<br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it is still a good idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous versions of pfSense (before 2.1.2) also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via SSH and run "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember, in [[IPv6]] there is no NAT and the like: all your devices are directly routable, which is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. It also means that the firewall rules, not address translation, are what keep inbound traffic away from your devices. This is also why your PPPoE interface gets its address from a completely different range: it is just a "hop" to your network.<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
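A check of the address plan described above, as an added example that is not part of the original wiki page: it splits a LAN /64 into a leading static /80 and the remaining DHCPv6 pool, then flags a pool that overlaps the static block or contains the router's LAN address. The prefix 2001:db8:1234:5678::/64 is a constructed documentation prefix and the function names are hypothetical.<br />

```python
import ipaddress


def plan_lan(prefix, static_len=80):
    """Split a LAN /64 into a leading static block and a DHCPv6 pool.

    Returns (static_block, pool_start, pool_end).
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix, got /%d" % net.prefixlen)
    if not 64 < static_len < 128:
        raise ValueError("static block must be longer than /64")
    # First sub-block of the /64, e.g. <prefix>:0000::/80 (2**48 addresses).
    static = next(net.subnets(new_prefix=static_len))
    # broadcast_address is simply the last address of a network in this API.
    pool_start = static.broadcast_address + 1
    pool_end = net.broadcast_address
    return static, pool_start, pool_end


def check_pool(prefix, router, pool_start, pool_end, static_len=80):
    """Return a list of problems with a DHCPv6 pool as typed into the GUI."""
    net = ipaddress.IPv6Network(prefix)
    static, _, _ = plan_lan(prefix, static_len)
    router = ipaddress.IPv6Address(router)
    start = ipaddress.IPv6Address(pool_start)
    end = ipaddress.IPv6Address(pool_end)

    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    if start not in net or end not in net:
        problems.append("pool is not contained in the LAN prefix")
    if start <= router <= end:
        problems.append("router LAN address is inside the DHCPv6 pool")
    if start <= static.broadcast_address and end >= static.network_address:
        problems.append("pool overlaps the static block %s" % static)
    return problems


if __name__ == "__main__":
    PREFIX = "2001:db8:1234:5678::/64"   # constructed documentation prefix
    ROUTER = "2001:db8:1234:5678::1"     # router LAN address, as in the guide

    static, start, end = plan_lan(PREFIX)
    print("static block :", static, "(%d addresses)" % static.num_addresses)
    print("DHCPv6 pool  :", start, "to", end)
    print("planned pool :", check_pool(PREFIX, ROUTER, start, end) or "ok")

    # A pool start written as ::1:0000 expands to :0:0:1:0, inside the /80.
    written = "2001:db8:1234:5678::1:0000"
    print("::1:0000 pool:", check_pool(PREFIX, ROUTER, written, end))
```

A pool start written as <code>::1:0000</code> expands to <code>:0000:0000:0001:0000</code>, which still lies inside the /80; the first address after a /80 static block is <code>:1::</code>.<br />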
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to the http://ip4.me or http://ip6.me websites.<br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Although you can now go on the internet fine, if you look at the RRD graphs or consult the gateway status page you will notice the status is either marked as offline or unknown.<br />
<br />
This is the case because the script currently configuring apinger (the process that monitors the gateways) is buggy and currently does not cope very well with PPPoE (when it used to be perfectly fine in pfSense 2.0.x).<br />
<br />
Another problem is that for [[IPv6]] the AAISP gateway will currently not reply to pings on its link-local address (and it is the one used for routing the traffic, so it is reachable!). So you have to manually set the monitor address to be 2001:8b0:0:81::51bb:51bb (which is the [[IPv6]] address of clueless.aa.net.uk). But even that won't initially work because even if you set the routable address, apinger is told to use the link-local address as the source, meaning you will never get the response...<br />
<br />
So it is necessary to change /etc/inc/gwlb.inc with these two fixes and then it will work. These fixes have been added to pfSense (See https://github.com/pfsense/pfsense/pull/1098) so they will make it into a future version but in the meantime they are described here: https://forum.pfsense.org/index.php?topic=69533.msg411732#msg411732<br />
<br />
Once this is done, you will just have to go to "System->Routing" and then edit the WAN_DHCP6 gateway settings to make them as follows:<br />
<br />
[[File: WAN_DHCP6_Gateway_settings.png|800px]]<br />
<br />
If the script and settings changes are successful, you will then get a Gateway Status screen similar to this:<br />
<br />
[[File: Status_-_Gateways.png|800px]]<br />
<br />
Note: Sometimes, after link failure, the script will still fail to set up apinger properly (especially for [[IPv6]]; IPv4 will typically be ok). This seems to be caused by some timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5684Router - PFSense2014-04-28T18:53:03Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have setup my system, and should be used only as guidance) . <br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot a very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regards, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictates you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modem as long as you can push PPoE to it (and that it, in turns, pushes it over its own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As, indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to check which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically works just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to setup the modem in bridge mode so that it receives the PPoE on the NIC port and then pushes that over the ADSL connection (via PPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be taking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be setup in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPoE passthrough option over PPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous version of pfSense 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPoE interface assignment. So you often had to manually define the PPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again in the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPoE interface get its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the address for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000:://80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shinny new routable [[IPv6]] address. In fact, it will often acquire more than one depending of the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire your browser and try to go somewhere when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPoE DNS problem ===<br />
<br />
The problem is that the PPoE stuff is still a bit flaky in 2.1.2, and although the PPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappear!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire a browser and check your public IPv4 and [[IPv6]] address by going to the http://ip4.me or http://ip6.me websites.<br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Although you can now go on the internet fine, If you look at the RRD graphs or consult the gateway status page you will notice the status is either marked as offline or unknown.<br />
<br />
This is a case because the script currently configuring apinger (the process that monitors the gateways) is buggy and currently does not cope very well with PPoE (when it used to be perfectly fine in pfSense 2.0.x).<br />
<br />
Another problem is that for [[IPv6]] the AAISP gateway will currently not reply to pings on its local link address (and it is the one used for routing the traffic, so it is reachable!). So you have to manually set the monitor address to be 2001:8b0:0:81::51bb:51bb (which is the [[IPv6]] address of clueless.aa.net.uk). But even that won't initially work because even if you set apinger the routable address it will use the local link address as the source, meaning you will never get the response... <br />
<br />
So it is necessary to change /etc/inc/gwlb.inc with these two fixes and then it will work. These fixes have been added to pfSense (See https://github.com/pfsense/pfsense/pull/1098) so they will make it in a future version but in the meantime they are described here: https://forum.pfsense.org/index.php?topic=69533.msg411732#msg411732<br />
<br />
Once this is done, you will just have to go in "System->Routing" and then edit the WAN_DHCP6 gateway settings to make them as follow:<br />
<br />
[[File: WAN_DHCP6_Gateway_settings.png|800px]]<br />
<br />
If successful in the script and settings changes you will then get a Gateway Status screen similar to this:<br />
<br />
[[File: Status_-_Gateways.png|800px]]<br />
<br />
Note: Sometimes, after link failure, the script will still fail to setup apinger properly (especially for [[IPv6]]. IPv4 will typically be ok). This seems to be caused by some timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5678Router - PFSense2014-04-26T13:37:07Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have setup my system, and should be used only as guidance) . <br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot a very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regards, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictates you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modem as long as you can push PPoE to it (and that it, in turns, pushes it over its own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48, each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them.<br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. In that case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or whatever. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL.<br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is ticked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go to the "Interfaces" top menu again, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks you can just use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston, we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to the http://ip4.me or http://ip6.me websites.<br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Although you can now go on the internet fine, if you look at the RRD graphs or consult the gateway status page you will notice the status is marked as either offline or unknown.<br />
<br />
This is the case because the script that configures apinger (the process that monitors the gateways) is buggy and currently does not cope very well with PPPoE (whereas it used to be perfectly fine in pfSense 2.0.x).<br />
<br />
Another problem is that for [[IPv6]] the AAISP gateway will currently not reply to pings on its link-local address (and it is the one used for routing the traffic, so it is reachable!). So you have to manually set the monitor address to be 2001:8b0:0:81::51bb:51bb (which is the [[IPv6]] address of clueless.aa.net.uk). But even that won't initially work, because even if you give apinger the routable address it will use the link-local address as the source, meaning you will never get the response...<br />
<br />
So it is necessary to change /etc/inc/gwlb.inc with these two fixes and then it will work. These fixes have been submitted to the pfSense team but in the meantime they are described here: https://forum.pfsense.org/index.php?topic=69533.msg411732#msg411732<br />
<br />
Once this is done, you will just have to go to "System->Routing" and then edit the WAN_DHCP6 gateway settings to make them as follows:<br />
<br />
[[File: WAN_DHCP6_Gateway_settings.png|800px]]<br />
<br />
If the script and settings changes were successful, you will then get a Gateway Status screen similar to this:<br />
<br />
[[File: Status_-_Gateways.png|800px]]<br />
<br />
Note: Sometimes, after a link failure, the script will still fail to set up apinger properly (especially for [[IPv6]]; IPv4 will typically be ok). This seems to be caused by some timing issues whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5677Router - PFSense2014-04-26T13:35:33Z<p>Camlin: /* Fix the Gateway monitoring problems */</p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=File:Status_-_Gateways.png&diff=5676File:Status - Gateways.png2014-04-26T13:29:41Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=File:WAN_DHCP6_Gateway_settings.png&diff=5675File:WAN DHCP6 Gateway settings.png2014-04-26T13:28:58Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5674Router - PFSense2014-04-26T13:10:30Z<p>Camlin: /* Testing internet access */</p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can be created by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48, each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them.<br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. In that case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be setup in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPoE passthrough option over PPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is checked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
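A way to sanity-check the static/DHCPv6 split before entering it in pfSense, as an added example that is not part of the original guide. It uses the documentation prefix 2001:db8:1234:5678::/64 as a constructed stand-in for your own AAISP /64, and the function names are hypothetical; it also shows that a pool starting at ::1:0000 still falls inside a ::/80 static block, and which pool start clears it.

```python
import ipaddress


def check_split(lan_prefix, router_addr, static_block, pool_start, pool_end):
    """Validate a static/DHCPv6 split of one LAN /64.

    Returns a list of problems; an empty list means the plan is consistent.
    """
    lan = ipaddress.IPv6Network(lan_prefix)
    router = ipaddress.IPv6Address(router_addr)
    static = ipaddress.IPv6Network(static_block)
    start = ipaddress.IPv6Address(pool_start)
    end = ipaddress.IPv6Address(pool_end)

    problems = []
    if lan.prefixlen != 64:
        problems.append(f"LAN prefix is /{lan.prefixlen}, expected /64")
    if not static.subnet_of(lan):
        problems.append("static block is not inside the LAN prefix")
    if router not in lan:
        problems.append("router LAN address is not inside the LAN prefix")
    if start > end:
        problems.append("DHCPv6 pool start is above pool end")
    if start not in lan or end not in lan:
        problems.append("DHCPv6 pool leaves the LAN prefix")
    if start <= router <= end:
        problems.append("router LAN address is inside the DHCPv6 pool")

    # Overlap of the pool [start, end] with the static block.
    s_first, s_last = static.network_address, static.broadcast_address
    if start <= s_last and end >= s_first:
        overlap = int(min(end, s_last)) - int(max(start, s_first)) + 1
        problems.append(f"DHCPv6 pool overlaps static block by {overlap} addresses")
    return problems


def first_pool_start(static_block):
    """Lowest address after the static block, i.e. the first safe pool start."""
    static = ipaddress.IPv6Network(static_block)
    return static.broadcast_address + 1


# Constructed sample values (documentation prefix, not a real AAISP allocation).
LAN = "2001:db8:1234:5678::/64"
ROUTER = "2001:db8:1234:5678::1"
STATIC = "2001:db8:1234:5678::/80"
POOL_END = "2001:db8:1234:5678:ffff:ffff:ffff:ffff"

if __name__ == "__main__":
    # Pool start written as ::1:0000, which sits inside the /80.
    for problem in check_split(LAN, ROUTER, STATIC, "2001:db8:1234:5678::1:0", POOL_END):
        print("problem:", problem)

    # Pool start taken from the end of the static block instead.
    safe_start = first_pool_start(STATIC)
    print("first safe pool start:", safe_start)
    print("problems with safe start:", check_split(LAN, ROUTER, STATIC, str(safe_start), POOL_END))
```
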
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] address by going to the http://ip4.me or http://ip6.me websites.<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5673Router - PFSense2014-04-26T13:08:23Z<p>Camlin: /* Testing internet access */</p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to it (and that it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is checked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] address by going to the http://ipv4.me or http://ipv6.me websites.<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5672Router - PFSense2014-04-26T13:07:44Z<p>Camlin: /* Testing internet access */</p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to it (and that it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is checked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to the http://ipv6.me or http://ipv4.me websites.<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5671Router - PFSense2014-04-26T10:08:58Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note however that this is just the way I have set up my system, and should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to it (and that it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense prior to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer the case and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always so after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to the [[IPv6|ipv6]].me or ipv4.me website (Note: for some reason I am getting saving errors when I try to save the wiki page with the real links to these sites).<br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5670Router - PFSense2014-04-26T10:08:18Z<p>Camlin: </p>
<hr />
<div>
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to the [[IPv6|ipv6]].me or ipv4.me website (for some reason I am getting saving errors when I try to save the wiki page with the real links to these sites).<br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5669Router - PFSense2014-04-26T10:07:11Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have setup my system, and should be used only as guidance) . <br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot a very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regards, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictates you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modem as long as you can push PPoE to it (and that it, in turns, pushes it over its own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As, indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to check which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPPoE).<br />
<br />
Now, it is still a good idea to check the settings and change the default password. To do so, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it shows SHOWTIME for ADSL (otherwise you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA). <br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or whatever. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. The default login is username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is ticked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
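<br />
A check of the static reservation against the DHCPv6 pool, as an added example that is not part of the original guide; it uses the constructed documentation prefix 2001:db8:1234:5678::/64 in place of 2001:8b0:XXXX:YYYY::/64, and the function names are hypothetical. It shows that a pool starting at ::1:0000 begins inside the ::/80 block (which only ends at :0:ffff:ffff:ffff), while the router address ::1 stays outside the pool either way.<br />

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the documentation prefix,
# standing in for the 2001:8b0:XXXX:YYYY::/64 block used in the guide.
LAN = "2001:db8:1234:5678::/64"
ROUTER = "2001:db8:1234:5678::1"
STATIC_BLOCK = "2001:db8:1234:5678::/80"
POOL_START_AS_WRITTEN = "2001:db8:1234:5678::1:0000"
POOL_END = "2001:db8:1234:5678:ffff:ffff:ffff:ffff"


def first_address_after(block: str) -> ipaddress.IPv6Address:
    """Return the first address just past the end of `block`."""
    net = ipaddress.IPv6Network(block)
    # For IPv6 networks, broadcast_address is simply the last address.
    return net.broadcast_address + 1


def audit_pool(lan: str, router: str, static_block: str,
               pool_start: str, pool_end: str) -> dict:
    """Compare a DHCPv6 pool with the LAN prefix, router address and static block."""
    lan_net = ipaddress.IPv6Network(lan)
    static_net = ipaddress.IPv6Network(static_block)
    router_ip = ipaddress.IPv6Address(router)
    start = ipaddress.IPv6Address(pool_start)
    end = ipaddress.IPv6Address(pool_end)
    if start > end:
        raise ValueError("pool start is above pool end")

    # Intersection of [start, end] with the static block, counted in addresses.
    lo = max(start, static_net.network_address)
    hi = min(end, static_net.broadcast_address)
    overlap = int(hi) - int(lo) + 1 if lo <= hi else 0

    return {
        "static_in_lan": static_net.subnet_of(lan_net),
        "pool_in_lan": start in lan_net and end in lan_net,
        "router_in_static": router_ip in static_net,
        "router_in_pool": start <= router_ip <= end,
        "static_pool_overlap": overlap,
    }


if __name__ == "__main__":
    as_written = audit_pool(LAN, ROUTER, STATIC_BLOCK,
                            POOL_START_AS_WRITTEN, POOL_END)
    print("pool as written:", as_written)

    # Start the pool at the first address after the static /80 instead.
    clean_start = str(first_address_after(STATIC_BLOCK))
    print("first address after the /80:", clean_start)
    print("pool after the /80:",
          audit_pool(LAN, ROUTER, STATIC_BLOCK, clean_start, POOL_END))
```

<br />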
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to <br />
<br />
* http://ip4.me/<br />
* http://ip6.me/<br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5668Router - PFSense2014-04-26T10:06:48Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have setup my system, and should be used only as guidance) . <br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5667Router - PFSense2014-04-26T10:06:28Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have setup my system, and should be used only as guidance) . <br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot a very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regards, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictates you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modem as long as you can push PPoE to it (and that it, in turns, pushes it over its own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As, indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to check which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically works just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to setup the modem in bridge mode so that it receives the PPoE on the NIC port and then pushes that over the ADSL connection (via PPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be taking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be setup in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPoE passthrough option over PPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous version of pfSense 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPoE interface assignment. So you often had to manually define the PPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again in the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPoE interface get its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the address for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000:://80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
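<br />
The split between static addresses and the DHCPv6 pool can be checked before it is typed into the DHCPv6 page. The following is an added example, not part of the original guide: it uses the documentation prefix 2001:db8:1234:5678::/64 as a constructed stand-in for 2001:8b0:XXXX:YYYY::/64, and the function names are illustrative. It also shows that a pool starting at ::1:0000 sits directly after a /112 static block, whereas keeping the whole /80 static means starting the pool at :1::.<br />
<br />
```python
import ipaddress


def plan_lan(prefix, static_len=80):
    """Split the LAN /64 into a static block and the DHCPv6 pool that follows it."""
    lan = ipaddress.IPv6Network(prefix)
    if lan.prefixlen != 64:
        raise ValueError("expected the /64 used on the LAN")
    if not 64 < static_len < 128:
        raise ValueError("the static block must be smaller than the /64")
    # The static block is the first /static_len of the LAN prefix.
    static = ipaddress.IPv6Network((int(lan.network_address), static_len))
    return {
        "lan": lan,
        "static": static,
        "router": static.network_address + 1,        # the ::1 LAN address
        "pool_start": static.broadcast_address + 1,  # first address after the static block
        "pool_end": lan.broadcast_address,           # last address of the /64
    }


def audit(lan, static, router, pool_start, pool_end):
    """Return a list of problems with a static block / DHCPv6 pool layout."""
    lan = ipaddress.IPv6Network(lan)
    static = ipaddress.IPv6Network(static)
    router = ipaddress.IPv6Address(router)
    pool_start = ipaddress.IPv6Address(pool_start)
    pool_end = ipaddress.IPv6Address(pool_end)

    problems = []
    if router not in lan:
        problems.append("router address is outside the LAN prefix")
    if pool_start not in lan or pool_end not in lan:
        problems.append("DHCPv6 pool is outside the LAN prefix")
    if pool_start > pool_end:
        problems.append("DHCPv6 pool start is after its end")
    if pool_start <= router <= pool_end:
        problems.append("router address is inside the DHCPv6 pool")
    # Two ranges overlap when each one starts before the other ends.
    if pool_start <= static.broadcast_address and pool_end >= static.network_address:
        problems.append("DHCPv6 pool overlaps the static block %s" % static)
    return problems


if __name__ == "__main__":
    # Constructed sample prefix (documentation range), not a real assignment.
    prefix = "2001:db8:1234:5678::/64"

    plan = plan_lan(prefix, static_len=80)
    print("static block :", plan["static"], "(%d addresses)" % plan["static"].num_addresses)
    print("router       :", plan["router"])
    print("DHCPv6 pool  :", plan["pool_start"], "to", plan["pool_end"])
    print("problems     :", audit(**plan))

    # The pool start as written in the guide, checked against the /80 static block.
    as_written = dict(plan, pool_start="2001:db8:1234:5678::1:0000")
    print("pool from ::1:0000 with /80 static :", audit(**as_written))

    # The same pool start is exactly what a /112 static block leaves free.
    small = plan_lan(prefix, static_len=112)
    print("pool start with /112 static        :", small["pool_start"])
```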
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] address by going to <br />
<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5666Router - PFSense v2.1.2+2014-04-26T10:01:50Z<p>Camlin: Redirected page to Router - PFSense</p>
<hr />
<div>#REDIRECT [[Router_-_PFSense]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5665Router - PFSense2014-04-26T09:59:03Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have set up my system, and should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to the modem (and that it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous versions of pfSense (before 2.1.2) also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember, in [[IPv6]] there is no NAT and the like: all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network.<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] address by going to <br />
<br />
* http://ip4.me/<br />
* http://ip6.me/<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_(beta_2.1)&diff=5664Router - PFSense (beta 2.1)2014-04-26T09:58:17Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.0-[[IPv6]] and the 2.1 beta to connect to AAISP as a dual stack router and firewall. If you want more detail, pretty pictures and a full step by step guide, then post on the Discussion page and I'll consider it.<br />
<br />
Also, there is now a guide for more recent versions of pfSense (2.1.2+) that is also available here: [[Router_-_PFSense]]<br />
<br />
= pfSense with IPv4 and IPv6 =<br />
I recently persuaded [http://www.pfsense.org/ pfSense] running on an ALIX based system with a Draytek Vigor 140 [[ADSL Modem|ADSL modem]] to connect up with IPv4 and [[IPv6]] to AAISP. Here are some notes on how. There are some minor faults with it but for the use case presented here it works fine and 2.1 is due for release fairly soon. They have a Redmine bug tracker that you can follow and the forums are excellent for support. The developers are on the ball.<br />
<br />
= Hardware =<br />
The [http://www.applianceshop.eu/index.php/firewalls/opnsense-pfsense-appliance.html example ALIX system] I have is a bit pricey but it comes with pfSense already installed and three 100Mb interfaces. You can get just the board and do it yourself quite easily for a lot less. Make sure you have some way to access the RS232 based console in some way in case it all goes wrong if you use this box.<br />
<br />
A very good alternative is an old PC. Either put several network cards in it or get a switch such as a Netgear 108 and learn about 802.1Q VLANs to make one NIC into several.<br />
<br />
'''You need at least two interfaces, one for LAN and one for WAN'''<br />
<br />
= Software =<br />
At the time of writing (20 May 2012) you need a development snapshot from the 2.1 series. Make sure it is post the date of this write up.<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
Plug the Vigor into a PC and point a browser at it. Check the output of "netstat -r"/"ipconfig /all"/"ip r" to find out its address (probably 192.168.2.1/24). There is no username and password by default. Now give it a new address and admin password. Make sure that it gets SHOWTIME for ADSL. It won't be able to log in yet but at least you can verify the ADSL bit.<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IP address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you move the web GUI port to another port and enable SSL. There's a built in certificate generator so there is no excuse.<br />
<br />
Start with IPv4 and then move on to [[IPv6]].<br />
<br />
The default firewall set up is no inbound access at all and just IPv4 out from the LAN subnet.<br />
<br />
=== IPv4 ===<br />
Set a static IPv4 address on WAN that is in the same range as the Vigor. Create an outbound NAT rule from the LAN subnet to the WAN subnet. The Vigor has no routing table as such but pf can NAT you to it.<br />
<br />
Create a PPPoE connection in Interfaces -> (assign) -> PPPs. Set your username and password.<br />
<br />
Go to Interfaces -> (assign), add a new interface and assign the PPP to it. Call it something like AAISP. <br />
<br />
If you prefer, you could rename your WAN to WANBASE and the PPPoE interface to WAN to avoid confusion when reading docs. However, if you use multiple ISPs then I suggest naming the base interface ISPBASE or ISPNIC and the PPPoE one ISP. It makes life a lot easier when you are managing it (my work one has six WANs on it!).<br />
<br />
At this point you should be able to browse the internet and connect to the Vigor. The PPPoE interface should have the /32 address assigned to you by AAISP - check it in Status -> Interfaces.<br />
<br />
Get some firewall rules set up (make sure that you set them to IPv4) and generally get the hang of the system.<br />
<br />
=== IPv6 ===<br />
* Set the [[IPv6 Configuration|IPv6 configuration]] type on your PPPoE interface to DHCPv6<br />
* Set the [[IPv6]] on LAN to <your /64 range>::1 (it doesn't have to be 1) and the mask to 64. eg 2001:8b0:fc5c:6a01::1.<br />
* Services -> DHCPv6 Server/RA. Set Router Advertisements to Unmanaged<br />
<br />
Have a look at the addresses on your PC ("ip a"/"ifconfig"/"ipconfig /all") and you should find that you now have a global [[IPv6]] address assigned. It will start with the /64 prefix from above.<br />
<br />
If you have additional interfaces then simply add another /64 on your AAISP control page and then set the [[IPv6]] address to <another one of your /64s>::1. Then set RA to unmanaged as above for that interface.<br />
<br />
Unmanaged really means use "radvd" ie auto addressing based on subnet and MAC address. There are several other options and these are described nicely on the page but unmanaged gets you up and running quickly.<br />
<br />
Add some [[IPv6]] rules - eg on the LAN interface: "allow from LAN subnet to any".<br />
<br />
Test with something like "ping6 -n www.google.com" (adjust for OS)<br />
<br />
Check http://test-ipv6.com/ for a full dual stack test.<br />
<br />
= Notes =<br />
*Do not be tempted by the Widescreen package until it has been ported - it removes the web GUI [[IPv6]] related stuff.<br />
<br />
A customer noted that Setting 'Request a [[IPv6]] prefix/information through the IPv4 connectivity link' helped him:<br />
<br />
[[File:Pfsensev6config.png]]<br />
<br />
This causes pfSense to change the interface in /var/etc/dhcpv6_wan.conf from em0 to pppoe0 (obviously dependent on hardware), although the 'IPv4 connectivity link' description is a bit misleading. The following bug reports sent me in the right direction:<br />
*[http://forum.pfsense.org/index.php?topic=65832.0 forum.pfsense.org/index.php?topic=65832.0]<br />
*[https://redmine.pfsense.org/issues/3097 redmine.pfsense.org/issues/3097]<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense&diff=5663Router - PFSense2014-04-26T09:57:18Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (Note however this is just the way I have set up my system, and should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to the modem (and that it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA). <br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous versions of pfSense (before 2.1.2) also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember, in [[IPv6]] there is no NAT and the like: all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network.<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
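<br />
The static/DHCPv6 split described above can be sanity-checked before it is typed into the DHCPv6 Server page. The following is an added example (not part of the original guide): the documentation prefix 2001:db8:1234:5678::/64 stands in for your own 2001:8b0:XXXX:YYYY::/64, and the function names are illustrative. Run on the values quoted above, it reports that a pool starting at ::1:0000 still sits inside a /80 static block: ::1:0000 is the first address after a /112, while the first address after a /80 is :1::.<br />

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the documentation prefix and
# stands in for the 2001:8b0:XXXX:YYYY::/64 block assigned by the ISP.
LAN = "2001:db8:1234:5678::/64"
ROUTER = "2001:db8:1234:5678::1"
# DHCPv6 pool as written in the guide (start, end).
PAGE_POOL = ("2001:db8:1234:5678::1:0000",
             "2001:db8:1234:5678:ffff:ffff:ffff:ffff")


def check_plan(lan_prefix, router, static_block, pool_first, pool_last):
    """Return a list of problems with a LAN addressing plan (empty = OK)."""
    net = ipaddress.IPv6Network(lan_prefix)
    rtr = ipaddress.IPv6Address(router)
    static = ipaddress.IPv6Network(static_block)
    first = ipaddress.IPv6Address(pool_first)
    last = ipaddress.IPv6Address(pool_last)
    problems = []

    if not static.subnet_of(net):
        problems.append("static block is not inside the LAN prefix")
    if rtr not in net:
        problems.append("router address is not inside the LAN prefix")
    if first not in net or last not in net:
        problems.append("DHCPv6 pool is not inside the LAN prefix")
    if first > last:
        problems.append("DHCPv6 pool start is above its end")
        return problems
    if first <= rtr <= last:
        problems.append("router address is inside the DHCPv6 pool")

    # Overlap between the pool and the block reserved for static hosts:
    # any address in both ranges could be handed out by DHCPv6 while a
    # statically configured host is already using it.
    lo = max(first, static.network_address)
    hi = min(last, static.broadcast_address)
    if lo <= hi:
        count = int(hi) - int(lo) + 1
        problems.append(
            f"DHCPv6 pool overlaps the static block ({lo} - {hi}, {count} addresses)"
        )
    return problems


def first_address_after(block):
    """Lowest address above a block, i.e. the lowest safe DHCPv6 pool start."""
    net = ipaddress.IPv6Network(block)
    return ipaddress.IPv6Address(int(net.broadcast_address) + 1)


if __name__ == "__main__":
    for static in ("2001:db8:1234:5678::/80", "2001:db8:1234:5678::/112"):
        print(f"static block {static}")
        print(f"  lowest safe pool start: {first_address_after(static)}")
        issues = check_plan(LAN, ROUTER, static, *PAGE_POOL)
        for issue in issues or ["no problems found"]:
            print(f"  {issue}")
```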
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE support is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to:<br />
<br />
* http://ip4.me/<br />
* http://ip6.me/<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
Section still to be done.<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_(beta_2.1)&diff=5662Router - PFSense (beta 2.1)2014-04-26T09:52:04Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.0-[[IPv6]] and the 2.1 beta to connect to AAISP as a dual stack router and firewall. If you want more detail, pretty pictures and a full step by step guide, then post on the Discussion page and I'll consider it.<br />
<br />
Also, there is now a guide for more recent versions of pfSense (2.1.2+) that is also available here: [[Router_-_PFSense_v2.1.2%2B]]<br />
<br />
= pfSense with IPv4 and IPv6 =<br />
I recently persuaded [http://www.pfsense.org/ pfSense] running on an ALIX based system with a Draytek Vigor 140 [[ADSL Modem|ADSL modem]] to connect up with IPv4 and [[IPv6]] to AAISP. Here are some notes on how. There are some minor faults with it, but for the use case presented here it works fine and 2.1 is due for release fairly soon. They have a Redmine bug tracker that you can follow and the forums are excellent for support. The developers are on the ball.<br />
<br />
= Hardware =<br />
The [http://www.applianceshop.eu/index.php/firewalls/opnsense-pfsense-appliance.html example ALIX system] I have is a bit pricey but it comes with pfSense already installed and three 100Mb interfaces. You can get just the board and do it yourself quite easily for a lot less. Make sure you have some way to access the RS232 based console in case it all goes wrong if you use this box.<br />
<br />
A very good alternative is an old PC. Either put several network cards in it or get a switch such as a Netgear 108 and learn about 802.1Q VLANs to make one NIC into several.<br />
<br />
'''You need at least two interfaces, one for LAN and one for WAN'''<br />
<br />
= Software =<br />
At the time of writing (20 May 2012) you need a development snapshot from the 2.1 series. Make sure it is post the date of this write up.<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
Plug the Vigor into a PC and point a browser at it. Check the output of "netstat -r"/"ipconfig /all"/"ip r" to find out its address (probably 192.168.2.1/24). There is no username and password by default. Now give it a new address and admin password. Make sure that it gets SHOWTIME for ADSL. It won't be able to log in yet but at least you can verify the ADSL bit.<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IP address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you move the web GUI port to another port and enable SSL. There's a built in certificate generator so there is no excuse.<br />
<br />
Start with IPv4 and then move on to [[IPv6]].<br />
<br />
The default firewall set up is no inbound access at all and just IPv4 out from the LAN subnet.<br />
<br />
=== IPv4 ===<br />
Set a static IPv4 address on WAN that is in the same range as the Vigor. Create an outbound NAT rule from the LAN subnet to the WAN subnet. The Vigor has no routing table as such but pf can NAT you to it.<br />
<br />
Create a PPPoE connection in Interfaces -> (assign) -> PPPs. Set your username and password.<br />
<br />
Go to Interfaces -> (assign), add a new interface and assign the PPP to it. Call it something like AAISP. <br />
<br />
If you prefer, you could rename your WAN to WANBASE and the PPPoE interface to WAN to avoid confusion when reading docs. However, if you use multiple ISPs then I suggest naming the base interface ISPBASE or ISPNIC and the PPPoE interface ISP. It makes life a lot easier when you are managing it (my work one has six WANs on it!).<br />
<br />
At this point you should be able to browse the internet and connect to the Vigor. The PPPoE interface should have the /32 address assigned to you by AAISP - check it in Status -> Interfaces.<br />
<br />
Get some firewall rules set up (make sure that you set them to IPv4) and generally get the hang of the system.<br />
<br />
=== IPv6 ===<br />
* Set the [[IPv6 Configuration|IPv6 configuration]] type on your PPPoE interface to DHCPv6<br />
* Set the [[IPv6]] on LAN to <your /64 range>::1 (it doesn't have to be 1) and the mask to 64. eg 2001:8b0:fc5c:6a01::1.<br />
* Services -> DHCPv6 Server/RA. Set Router Advertisements to Unmanaged<br />
<br />
Have a look at the addresses on your PC ("ip a"/"ifconfig"/"ipconfig /all") and you should find that you now have a global [[IPv6]] address assigned. It will start with the /64 prefix from above.<br />
<br />
If you have additional interfaces then simply add another /64 on your AAISP control page and then set the [[IPv6]] address to <another one of your /64s>::1. Then set RA to unmanaged as above for that interface<br />
<br />
Unmanaged really means use "radvd" ie auto addressing based on subnet and MAC address. There are several other options and these are described nicely on the page but unmanaged gets you up and running quickly.<br />
<br />
Add some [[IPv6]] rules - eg on the LAN interface: "allow from LAN subnet to any".<br />
<br />
Test with something like "ping6 -n www.google.com" (adjust for OS)<br />
<br />
Check http://test-ipv6.com/ for a full dual stack test.<br />
<br />
= Notes =<br />
*Do not be tempted by the Widescreen package until it has been ported - it removes the web GUI [[IPv6]] related stuff.<br />
<br />
A customer noted that Setting 'Request a [[IPv6]] prefix/information through the IPv4 connectivity link' helped him:<br />
<br />
[[File:Pfsensev6config.png]]<br />
<br />
This causes pfSense to change the interface in /var/etc/dhcpv6_wan.conf from em0 to pppoe0 (obviously dependent on hardware), although the 'IPv4 connectivity link' description is a bit misleading. The following bug reports sent me in the right direction:<br />
*[http://forum.pfsense.org/index.php?topic=65832.0 forum.pfsense.org/index.php?topic=65832.0]<br />
*[https://redmine.pfsense.org/issues/3097 redmine.pfsense.org/issues/3097]<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_(beta_2.1)&diff=5661Router - PFSense (beta 2.1)2014-04-26T09:50:00Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.0-[[IPv6]] and the 2.1 beta to connect to AAISP as a dual stack router and firewall. If you want more detail, pretty pictures and a full step by step guide, then post on the Discussion page and I'll consider it.<br />
<br />
There is now a guide for more recent versions of pfSense (2.1.2+) that is also available here: [[Router_-_PFSense_v2.1.2%2B]]<br />
<br />
= pfSense with IPv4 and IPv6 =<br />
I recently persuaded [http://www.pfsense.org/ pfSense] running on an ALIX based system with a Draytek Vigor 140 [[ADSL Modem|ADSL modem]] to connect up with IPv4 and [[IPv6]] to AAISP. Here are some notes on how. There are some minor faults with it, but for the use case presented here it works fine and 2.1 is due for release fairly soon. They have a Redmine bug tracker that you can follow and the forums are excellent for support. The developers are on the ball.<br />
<br />
= Hardware =<br />
The [http://www.applianceshop.eu/index.php/firewalls/opnsense-pfsense-appliance.html example ALIX system] I have is a bit pricey but it comes with pfSense already installed and three 100Mb interfaces. You can get just the board and do it yourself quite easily for a lot less. Make sure you have some way to access the RS232 based console in case it all goes wrong if you use this box.<br />
<br />
A very good alternative is an old PC. Either put several network cards in it or get a switch such as a Netgear 108 and learn about 802.1Q VLANs to make one NIC into several.<br />
<br />
'''You need at least two interfaces, one for LAN and one for WAN'''<br />
<br />
= Software =<br />
At the time of writing (20 May 2012) you need a development snapshot from the 2.1 series. Make sure it is post the date of this write up.<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
Plug the Vigor into a PC and point a browser at it. Check the output of "netstat -r"/"ipconfig /all"/"ip r" to find out its address (probably 192.168.2.1/24). There is no username and password by default. Now give it a new address and admin password. Make sure that it gets SHOWTIME for ADSL. It won't be able to log in yet but at least you can verify the ADSL bit.<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IP address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you move the web GUI port to another port and enable SSL. There's a built in certificate generator so there is no excuse.<br />
<br />
Start with IPv4 and then move on to [[IPv6]].<br />
<br />
The default firewall set up is no inbound access at all and just IPv4 out from the LAN subnet.<br />
<br />
=== IPv4 ===<br />
Set a static IPv4 address on WAN that is in the same range as the Vigor. Create an outbound NAT rule from the LAN subnet to the WAN subnet. The Vigor has no routing table as such but pf can NAT you to it.<br />
<br />
Create a PPPoE connection in Interfaces -> (assign) -> PPPs. Set your username and password.<br />
<br />
Go to Interfaces -> (assign), add a new interface and assign the PPP to it. Call it something like AAISP. <br />
<br />
If you prefer, you could rename your WAN to WANBASE and the PPPoE interface to WAN to avoid confusion when reading docs. However, if you use multiple ISPs then I suggest naming the base interface ISPBASE or ISPNIC and the PPPoE interface ISP. It makes life a lot easier when you are managing it (my work one has six WANs on it!).<br />
<br />
At this point you should be able to browse the internet and connect to the Vigor. The PPPoE interface should have the /32 address assigned to you by AAISP - check it in Status -> Interfaces.<br />
<br />
Get some firewall rules set up (make sure that you set them to IPv4) and generally get the hang of the system.<br />
<br />
=== IPv6 ===<br />
* Set the [[IPv6 Configuration|IPv6 configuration]] type on your PPPoE interface to DHCPv6<br />
* Set the [[IPv6]] on LAN to <your /64 range>::1 (it doesn't have to be 1) and the mask to 64. eg 2001:8b0:fc5c:6a01::1.<br />
* Services -> DHCPv6 Server/RA. Set Router Advertisements to Unmanaged<br />
<br />
Have a look at the addresses on your PC ("ip a"/"ifconfig"/"ipconfig /all") and you should find that you now have a global [[IPv6]] address assigned. It will start with the /64 prefix from above.<br />
<br />
If you have additional interfaces then simply add another /64 on your AAISP control page and then set the [[IPv6]] address to <another one of your /64s>::1. Then set RA to unmanaged as above for that interface<br />
<br />
Unmanaged really means use "radvd" ie auto addressing based on subnet and MAC address. There are several other options and these are described nicely on the page but unmanaged gets you up and running quickly.<br />
<br />
Add some [[IPv6]] rules - eg on the LAN interface: "allow from LAN subnet to any".<br />
<br />
Test with something like "ping6 -n www.google.com" (adjust for OS)<br />
<br />
Check http://test-ipv6.com/ for a full dual stack test.<br />
<br />
= Notes =<br />
*Do not be tempted by the Widescreen package until it has been ported - it removes the web GUI [[IPv6]] related stuff.<br />
<br />
A customer noted that Setting 'Request a [[IPv6]] prefix/information through the IPv4 connectivity link' helped him:<br />
<br />
[[File:Pfsensev6config.png]]<br />
<br />
This causes pfSense to change the interface in /var/etc/dhcpv6_wan.conf from em0 to pppoe0 (obviously dependent on hardware), although the 'IPv4 connectivity link' description is a bit misleading. The following bug reports sent me in the right direction:<br />
*[http://forum.pfsense.org/index.php?topic=65832.0 forum.pfsense.org/index.php?topic=65832.0]<br />
*[https://redmine.pfsense.org/issues/3097 redmine.pfsense.org/issues/3097]<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5660Router - PFSense v2.1.2+2014-04-26T09:43:28Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to it (and that it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is ticked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Pick one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address must be outside the range you will allocate to DHCPv6 on the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and run "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember, in [[IPv6]] there is no NAT and the like: all your devices are directly routable, which is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network.<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCPv6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE support is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to:<br />
<br />
* http://ip4.me/<br />
* http://ip6.me/<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5659Router - PFSense v2.1.2+2014-04-26T09:42:08Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with another ADSL/VDSL modem as long as you can push PPPoE to it (and it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
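The static/DHCPv6 split described above, as an added example (not part of the original wiki page): it derives the static ::/80 block and the remaining DHCPv6 pool from a LAN /64, then checks that a pool neither overlaps that block nor contains the router's LAN address. The 2001:db8:1234:5678::/64 documentation prefix and the function names are assumptions made up for the example.<br />

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the IPv6 documentation range,
# standing in for the 2001:8b0:XXXX:YYYY::/64 prefix issued by the ISP.
LAN_PREFIX = "2001:db8:1234:5678::/64"
ROUTER_LAN = "2001:db8:1234:5678::1"


def split_lan_prefix(prefix64, static_len=80):
    """Split a LAN /64 into a static block and a DHCPv6 pool.

    The static block is the first /static_len of the /64; the pool is
    everything from the address after that block to the end of the /64.
    Returns (static_network, pool_first, pool_last).
    """
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 LAN prefix, got /%d" % net.prefixlen)
    if not 64 < static_len <= 128:
        raise ValueError("static block must be longer than /64")
    static = next(net.subnets(new_prefix=static_len))
    pool_first = static.broadcast_address + 1   # first address past the block
    pool_last = net.broadcast_address           # last address of the /64
    return static, pool_first, pool_last


def check_pool(prefix64, router, pool_first, pool_last, static_len=80):
    """Return a list of problems with a proposed DHCPv6 pool (empty if none)."""
    net = ipaddress.IPv6Network(prefix64)
    static = next(net.subnets(new_prefix=static_len))
    router = ipaddress.IPv6Address(str(router))
    first = ipaddress.IPv6Address(str(pool_first))
    last = ipaddress.IPv6Address(str(pool_last))

    problems = []
    if router not in net:
        problems.append("router LAN address %s is outside %s" % (router, net))
    if first not in net or last not in net:
        problems.append("pool bounds are outside %s" % net)
    if first > last:
        problems.append("pool start is after pool end")
    if first <= router <= last:
        problems.append("router LAN address %s is inside the DHCPv6 pool" % router)
    # Two ranges overlap when each one starts before the other one ends.
    if first <= static.broadcast_address and last >= static.network_address:
        problems.append("pool overlaps the static block %s" % static)
    return problems


if __name__ == "__main__":
    static, first, last = split_lan_prefix(LAN_PREFIX)
    print("static block :", static, "(%d addresses)" % static.num_addresses)
    print("DHCPv6 pool  :", first, "to", last)
    print("problems     :", check_pool(LAN_PREFIX, ROUTER_LAN, first, last) or "none")
    # A pool that starts at <prefix>::1:0000 is still inside the ::/80 block.
    early = "2001:db8:1234:5678::1:0000"
    print("start", early, ":", check_pool(LAN_PREFIX, ROUTER_LAN, early, last))
```

A pool start of the form <code>prefix::1:0000</code> is reported as overlapping the ::/80 block; the first address past that block is <code>prefix:1::</code>.<br />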
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
You can now fire up a browser and check your public IPv4 and [[IPv6]] addresses by going to http://ip4.me/ and http://ip6.me/<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5658Router - PFSense v2.1.2+2014-04-26T09:37:31Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with another ADSL/VDSL modem as long as you can push PPPoE to it (and it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range, as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS it is not impossible you could have to unplug/plug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5657Router - PFSense v2.1.2+2014-04-26T09:35:30Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with another ADSL/VDSL modem as long as you can push PPPoE to it (and it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Pick one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, which is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
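<br />
A quick way to sanity-check such a plan before entering it, as an added example that is not part of the original guide: the Python below uses the documentation prefix 2001:db8:1234:5678::/64 as a constructed stand-in for 2001:8b0:XXXX:YYYY::/64, and the function names are hypothetical helpers. It checks that the router's LAN address is outside the DHCPv6 pool and reports how much of a reserved static block the pool leaves untouched.<br />

```python
import ipaddress

# Constructed sample values: 2001:db8::/32 is the documentation prefix and
# stands in for the 2001:8b0:XXXX:YYYY::/64 block assigned by the ISP.
LAN = "2001:db8:1234:5678::/64"
ROUTER = "2001:db8:1234:5678::1"
POOL_START = "2001:db8:1234:5678::1:0000"
POOL_END = "2001:db8:1234:5678:ffff:ffff:ffff:ffff"
STATIC_RESERVE = "2001:db8:1234:5678::/80"


def check_lan_plan(lan_prefix, router_addr, pool_start, pool_end):
    """Return a list of problems with a LAN IPv6 plan (empty list means OK)."""
    net = ipaddress.IPv6Network(lan_prefix)
    router = ipaddress.IPv6Address(router_addr)
    start = ipaddress.IPv6Address(pool_start)
    end = ipaddress.IPv6Address(pool_end)
    problems = []
    if start > end:
        problems.append("pool start is after pool end")
    for label, addr in (("router address", router),
                        ("pool start", start),
                        ("pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    # The router's static address must never be handed out by DHCPv6.
    if start <= router <= end:
        problems.append(f"router address {router} is inside the DHCPv6 pool")
    return problems


def reserve_overlap(static_reserve, pool_start, pool_end):
    """Count addresses of the reserved static block that the pool also covers."""
    res = ipaddress.IPv6Network(static_reserve)
    lo = max(int(res.network_address), int(ipaddress.IPv6Address(pool_start)))
    hi = min(int(res.broadcast_address), int(ipaddress.IPv6Address(pool_end)))
    return max(0, hi - lo + 1)


def largest_free_static_block(lan_prefix, pool_start):
    """Largest block at the bottom of the LAN prefix lying wholly below the pool."""
    net = ipaddress.IPv6Network(lan_prefix)
    base = int(net.network_address)
    gap = int(ipaddress.IPv6Address(pool_start)) - base
    if gap <= 0:
        return None  # the pool starts at the very first address
    bits = gap.bit_length() - 1  # largest power of two that fits in the gap
    return ipaddress.IPv6Network((base, 128 - bits))


if __name__ == "__main__":
    print("problems:", check_lan_plan(LAN, ROUTER, POOL_START, POOL_END))
    print("reserve/pool overlap:",
          reserve_overlap(STATIC_RESERVE, POOL_START, POOL_END))
    print("pool-free static block:", largest_free_static_block(LAN, POOL_START))
```

With the pool written above, the router's ::1 address is clear of the pool, but only the bottom /112 of the /80 stays out of it; a pool starting at 2001:8b0:XXXX:YYYY:1:: leaves the whole /80 static.<br />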
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range: if you need to create fancy subnetworks, you can just use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS, you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5656Router - PFSense v2.1.2+2014-04-26T09:34:18Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest version).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. To do so, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it reports SHOWTIME for ADSL (otherwise you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type, select "PPPoE", and for the [[IPv6 Configuration]] type, select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is ticked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Pick one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, which is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range: if you need to create fancy subnetworks, you can just use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
Yeaahhh!! Victory!<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS, you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
=== Check the firewall rules for outgoing from LAN ===<br />
<br />
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go into the "Firewall -> Rules" page and check that you have at least the following entries:<br />
<br />
[[File: Default_LAN_Rules.png]]<br />
<br />
Happy with your new [[IPv6]] address and firewall rules, you then fire up your browser and try to go somewhere, when it suddenly becomes a "Houston we have a problem" moment...<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
The problem is that the PPPoE stuff is still a bit flaky in 2.1.2, and although the PPPoE negotiation itself is fine, it seems pfSense will often lose the ISP DNS settings (this seems to be a timing-related issue of some kind, so sometimes it works and sometimes it does not. You can even get into situations where the DNS setting is there and then it suddenly disappears!).<br />
<br />
Arghhhh!!!!!<br />
<br />
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP DNS server in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).<br />
<br />
[[File:System_-_General_setup.png|800px]]<br />
<br />
<br />
=== Testing internet access ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=File:System_-_General_setup.png&diff=5655File:System - General setup.png2014-04-26T09:33:44Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=File:Default_LAN_Rules.png&diff=5654File:Default LAN Rules.png2014-04-26T09:32:00Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5653Router - PFSense v2.1.2+2014-04-26T08:45:51Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest version).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. To do so, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it reports SHOWTIME for ADSL (otherwise you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to setup the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type, select "PPPoE", and for the [[IPv6 Configuration]] type, select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is ticked and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Pick one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like; all your devices are directly routable, which is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range: if you need to create fancy subnetworks, you can just use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
[[File: Client_Computer.png]]<br />
<br />
''Note: On some old hardware/OS, you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5652Router - PFSense v2.1.2+2014-04-26T08:45:13Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest version).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there, as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. In that case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it reports SHOWTIME for ADSL (otherwise you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or whatever. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL.<br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type, select "PPPoE", and for the [[IPv6 Configuration]] Type, select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment. So you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and do an "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember, in [[IPv6]] there is no NAT and the like: all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range. It is just a "hop" to your network.<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest approach is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
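<br />
As an added example (not part of the original guide), the Python below checks an address plan like the one above: that the router's LAN address lies outside the DHCPv6 pool, and how many addresses of the static /80 also fall inside the pool. The function names and the documentation prefix 2001:db8:1234:5678::/64 (a constructed stand-in for your AAISP /64) are assumptions; note that ::1:0000 still has a zero fifth group, so a pool starting there begins inside the /80, while a pool starting at :1:: begins just after it.<br />
<br />
```python
import ipaddress


def host(net, suffix):
    """Combine the LAN prefix with a suffix written as on the page, e.g. '::1'."""
    s = int(ipaddress.IPv6Address(suffix))
    if s & int(net.netmask):
        raise ValueError("suffix %s does not fit in the host bits of %s" % (suffix, net))
    return ipaddress.IPv6Address(int(net.network_address) | s)


def static_block(net, static_len=80):
    """First /static_len block of the LAN /64, reserved for manual addresses."""
    if net.prefixlen != 64:
        raise ValueError("expected the LAN /64, got /%d" % net.prefixlen)
    return next(net.subnets(new_prefix=static_len))


def check_plan(lan_prefix, router_suffix, pool_first_suffix,
               pool_last_suffix="::ffff:ffff:ffff:ffff", static_len=80):
    """Report where the router address, static block and DHCPv6 pool sit."""
    net = ipaddress.IPv6Network(lan_prefix)
    router = host(net, router_suffix)
    first = host(net, pool_first_suffix)
    last = host(net, pool_last_suffix)
    if first > last:
        raise ValueError("pool start is above pool end")
    static = static_block(net, static_len)

    # Size of the intersection between the static block and the pool.
    lo = max(int(first), int(static.network_address))
    hi = min(int(last), int(static.broadcast_address))
    overlap = max(0, hi - lo + 1)

    return {
        "router": str(router),
        "router_in_static_block": router in static,
        "router_outside_pool": not (first <= router <= last),
        "static_block": str(static),
        "pool": (str(first), str(last)),
        "static_addresses_also_in_pool": overlap,
    }


# Constructed sample input: documentation prefix, not a real AAISP allocation.
LAN = "2001:db8:1234:5678::/64"

if __name__ == "__main__":
    # Pool written as on the page (::1:0000), then a pool that starts
    # at the first address after the static /80 (:1::).
    for start in ("::1:0000", "::1:0:0:0"):
        report = check_plan(LAN, "::1", start)
        print("pool start", start)
        for key, value in report.items():
            print("   %-32s %s" % (key, value))
```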
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range: if you need to create fancy subnetworks, you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!). But in any case, pfSense allows you to subdivide the block further if you need to (see the "subnets" options).<br />
<br />
Once this is done, it is then necessary to activate the router advertisements (RA), so select the "Router Advertisements" tab and then use the "Unmanaged" or "Assisted" mode. I tend to use "Assisted" because it allows me to do static DHCP assignment for some of my machines (although this is quite a pain at present as it is based on DUID and not MAC addresses).<br />
<br />
The configuration screen will be similar to this (don't forget to save!):<br />
<br />
[[File: Services_-_DHCPv6-RA.png|800px]]<br />
<br />
Once this is done, you should see that your machine has now acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you have selected and the privacy modes activated by the client machine.<br />
<br />
[[File: Client_Computer.png|800px]]<br />
<br />
''Note: On some old hardware/OS, you may have to unplug and replug the network cable for the machine to pick up the change.''<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=File:Client_Computer.png&diff=5651File:Client Computer.png2014-04-26T08:44:50Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5650Router - PFSense v2.1.2+2014-04-26T08:34:58Z<p>Camlin: </p>
<hr />
<div>
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5649Router - PFSense v2.1.2+2014-04-26T08:33:33Z<p>Camlin: </p>
<hr />
<div>
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=File:Services_-_DHCPv6-RA.png&diff=5648File:Services - DHCPv6-RA.png2014-04-26T08:32:50Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5647Router - PFSense v2.1.2+2014-04-26T08:18:51Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall. (Note, however, that this is just the way I have set up my system, and it should be used only as guidance.)<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPoE to them (and that they, in turn, push it over their own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPoE on the NIC port and then pushes that over the ADSL connection (via PPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPoE passthrough option over PPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous versions of pfSense (before 2.1.2) also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPoE interface assignment. So you often had to manually define the PPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again in the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6. So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
I suspect there will be no real need to reserve a part of this range as if you need to create fancy subnetworks then you just need to use another one of your /64 blocks (and you have been given 65536 of them, that should be enough!).<br />
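
The address plan from this section can be checked with Python's ipaddress module; this is an added example, not part of the original page, and it assumes the documentation prefix 2001:db8:1234:5678::/64 as a stand-in for your own /64 (the function names are hypothetical). With the values as written, a pool starting at ::1:0000 begins inside the /80 static block, so only the first 2^16 addresses are kept out of DHCPv6, whereas a pool starting at :1:: leaves the whole /80 alone.

```python
import ipaddress


def check_plan(lan_prefix, router, static_block, pool_start, pool_end):
    """Check a LAN IPv6 plan: router address, static block and DHCPv6 pool."""
    net = ipaddress.IPv6Network(lan_prefix)
    static = ipaddress.IPv6Network(static_block)
    rtr = ipaddress.IPv6Address(router)
    lo = ipaddress.IPv6Address(pool_start)
    hi = ipaddress.IPv6Address(pool_end)

    problems = []
    if not static.subnet_of(net):
        problems.append("static block is outside the LAN prefix")
    for label, addr in (("router", rtr), ("pool start", lo), ("pool end", hi)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside the LAN prefix")
    if lo > hi:
        problems.append("pool start is above pool end")
    if lo <= rtr <= hi:
        problems.append("router address is inside the DHCPv6 pool")

    # Addresses that are both in the static block and in the DHCPv6 pool.
    first = max(static.network_address, lo)
    last = min(static.broadcast_address, hi)
    overlap = int(last) - int(first) + 1 if first <= last else 0
    if overlap:
        problems.append(f"{overlap} static addresses can also be leased by DHCPv6")

    return {
        "problems": problems,
        "overlap": overlap,
        # Addresses below the pool that DHCPv6 will never hand out.
        "never_leased": int(lo) - int(net.network_address),
        # First pool address that leaves the whole static block alone.
        "safe_pool_start": str(static.broadcast_address + 1),
    }


# Constructed sample prefix (documentation range), standing in for
# 2001:8b0:XXXX:YYYY from the text above.
PREFIX = "2001:db8:1234:5678"


def page_plan():
    """The plan with the values as written in this section."""
    return check_plan(
        f"{PREFIX}::/64",
        f"{PREFIX}::1",
        f"{PREFIX}::/80",
        f"{PREFIX}::1:0000",
        f"{PREFIX}:ffff:ffff:ffff:ffff",
    )


def adjusted_plan():
    """Same plan, with the pool starting just above the /80 static block."""
    return check_plan(
        f"{PREFIX}::/64",
        f"{PREFIX}::1",
        f"{PREFIX}::/80",
        f"{PREFIX}:1::",
        f"{PREFIX}:ffff:ffff:ffff:ffff",
    )


if __name__ == "__main__":
    for name, plan in (("as written", page_plan()), ("adjusted", adjusted_plan())):
        print(name, plan)
```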
<br />
=== Fix the PPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5646Router - PFSense v2.1.2+2014-04-26T08:14:26Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPoE to them (and that they, in turn, push it over their own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPoE on the NIC port and then pushes that over the ADSL connection (via PPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPoE passthrough option over PPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous versions of pfSense (before 2.1.2) also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPoE interface assignment. So you often had to manually define the PPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again in the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6 (although it could be an idea to restrict the range if you later want to create fancy subnets with their own router in your LAN). So the following range will be given to DHCPv6:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff</code><br />
<br />
So, select "Services -> DHCPv6 Server/RA" and then enter the appropriate information. Once done and saved, the screen should look like this:<br />
<br />
[[File: Services_-_DHCPv6.png|800px]]<br />
<br />
=== Fix the PPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=File:Services_-_DHCPv6.png&diff=5645File:Services - DHCPv6.png2014-04-26T08:14:01Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5644Router - PFSense v2.1.2+2014-04-26T08:09:45Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPoE to them (and that they, in turn, push it over their own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not, just check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it quickly ready could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting PPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPoE on the NIC port and then pushes that over the ADSL connection (via PPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPoE passthrough option over PPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Previous versions of pfSense (before 2.1.2) also used to just discard [[IPv6]] traffic whatever its direction, but this is not true anymore and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case when doing an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPoE". And for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPoE interface assignment. So you often had to manually define the PPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go again in the "Interfaces" top menu, and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXXX:YYYY::/64<br />
<br />
Use one address of that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXXX:YYYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64 but it is not visible unless you connect to the router via ssh and do an "ifconfig"). <br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP (remember, in [[IPv6]] there is no NAT and the like, all your devices are directly routable and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPoE interface gets its address from a completely different range. It is just a "hop" to your network).<br />
<br />
Now we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXXX:YYYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXXX:YYYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
<br />
We can then assign the rest of your block to DHCPv6 (although it could be an idea to restrict the range if you later want to create fancy subnets with their own router in your LAN). So the following range will be given to DHCPv6:<br />
<br />
2001:8b0:XXXX:YYYY::1:0000 to 2001:8b0:XXXX:YYYY:ffff:ffff:ffff:ffff<br />
<br />
=== Fix the PPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5643Router - PFSense v2.1.2+2014-04-26T08:04:14Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by heartbleed and some PPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable, however it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (See [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPoE to them (and that they, in turn, push it over their own PPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset it).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
At this stage your PPPoE WAN interface will have obtained an [[IPv6]] address from AAISP (something in the range of 2001:8b0:1111:1111::/64, but it is not visible unless you connect to the router via ssh and run "ifconfig").<br />
<br />
Your LAN network will in turn use the [[IPv6]] range you have been assigned by AAISP. Remember, in [[IPv6]] there is no NAT and the like: all your devices are directly routable, and this is why the [[IPv6]] range you have been given applies inside the LAN, and not outside. This is also why your PPPoE interface gets its address from a completely different range; it is just a "hop" to your network.<br />
<br />
Now, we had to use a bit of that range for the LAN address of the router itself (the 2001:8b0:XXX:YYY::1 address set previously). So whilst we are at it, let's reserve some of the addresses for static use (i.e. not DHCP6). The easiest is to say that all addresses in the 2001:8b0:XXX:YYY:0000::/80 range are statically assigned. This means the static range has 2^48 addresses available, which could seem a bit excessive, but who cares, with [[IPv6]] we have more addresses than atoms in the universe :-)<br />
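The address plan described above can be sanity-checked before it is typed into the GUI. The following is an added example, not part of the original guide or of pfSense: it uses the IPv6 documentation prefix 2001:db8::/32 as a constructed stand-in for the 2001:8b0:XXX::/48 allocation, and the DHCPv6 pool bounds are assumed values chosen for illustration.

```python
import ipaddress

# Constructed sample plan (documentation prefix, not a real AAISP allocation).
SITE = ipaddress.ip_network("2001:db8:1234::/48")       # the /48 allocation
LAN = ipaddress.ip_network("2001:db8:1234:1::/64")      # one /64 picked for the LAN
ROUTER = ipaddress.ip_address("2001:db8:1234:1::1")     # LAN address of the router
STATIC = ipaddress.ip_network("2001:db8:1234:1:0::/80") # reserved for static hosts
# Assumed DHCPv6 pool, placed just above the static /80.
POOL_START = ipaddress.ip_address("2001:db8:1234:1:1::")
POOL_END = ipaddress.ip_address("2001:db8:1234:1:1::ffff")


def count_subnets(site, new_prefix=64):
    """Number of /new_prefix subnets that fit in the site allocation."""
    return 2 ** (new_prefix - site.prefixlen)


def check_plan(site, lan, router, static, pool_start, pool_end):
    """Return a list of problems in the LAN plan; an empty list means it is sane."""
    problems = []
    if not lan.subnet_of(site):
        problems.append(f"LAN {lan} is not inside the allocation {site}")
    if router not in lan:
        problems.append(f"router address {router} is not inside LAN {lan}")
    if not static.subnet_of(lan):
        problems.append(f"static range {static} is not inside LAN {lan}")
    if router not in static:
        problems.append(f"router address {router} is not in static range {static}")
    if pool_start > pool_end:
        problems.append("DHCPv6 pool start is after its end")
    for edge in (pool_start, pool_end):
        if edge not in lan:
            problems.append(f"DHCPv6 pool bound {edge} is not inside LAN {lan}")
    # The pool is a contiguous range and the static range a CIDR block: they
    # overlap unless the pool lies wholly below or wholly above the block.
    if pool_start <= static.broadcast_address and pool_end >= static.network_address:
        problems.append(f"DHCPv6 pool overlaps static range {static}")
    return problems


def classify(addr, lan, static, pool_start, pool_end):
    """Say which part of the plan an address belongs to."""
    if addr not in lan:
        return "outside LAN"
    if addr in static:
        return "static"
    if pool_start <= addr <= pool_end:
        return "dhcp6"
    return "unallocated"


if __name__ == "__main__":
    print("/64 subnets in the /48:", count_subnets(SITE))
    print("addresses in the static /80:", STATIC.num_addresses)
    issues = check_plan(SITE, LAN, ROUTER, STATIC, POOL_START, POOL_END)
    print("plan problems:", issues or "none")
```

Since every LAN host is directly routable, knowing exactly which addresses are static and which are leased also makes it easier to write per-host firewall rules on the WAN side.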
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5642Router - PFSense v2.1.2+2014-04-26T07:30:32Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest version).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with another ADSL/VDSL modem as long as you can push PPPoE to it (and it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset it).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.1) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5641Router - PFSense v2.1.2+2014-04-25T19:33:13Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest version).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with another ADSL/VDSL modem as long as you can push PPPoE to it (and it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset it).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
Finally, click the save button.<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5640Router - PFSense v2.1.2+2014-04-25T19:29:29Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest version).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with another ADSL/VDSL modem as long as you can push PPPoE to it (and it, in turn, pushes it over its own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. This can be physical interfaces (easiest option) or can also be done by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset it).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense previous to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5639Router - PFSense v2.1.2+2014-04-25T19:23:29Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK, as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can be created by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there, as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type, select "PPPoE", and for the [[IPv6 Configuration]] type, select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
Then update the bitmask to match your [[IPv6]] assignment (typically 64, but could be 48 if you are trying to route your full allocation).<br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5638Router - PFSense v2.1.2+2014-04-25T19:20:52Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK, as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can be created by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there, as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type, select "PPPoE", and for the [[IPv6 Configuration]] type, select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6 for the LAN side. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
You should end up with a configuration screen similar to this one:<br />
<br />
[[File: Interface_Setup_-_LAN.png|800px]]<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=File:Interface_Setup_-_LAN.png&diff=5637File:Interface Setup - LAN.png2014-04-25T19:20:35Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5636Router - PFSense v2.1.2+2014-04-25T19:18:03Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK, as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can be created by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there, as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember correctly, it should be there by default; if not, just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type, select "PPPoE", and for the [[IPv6 Configuration]] type, select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section, enter your username and password (as given by A&A) and ensure that "dial on demand" is validated and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.1.0 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
=== Updating the LAN settings ===<br />
<br />
Go back to the "Interfaces" top menu and select "LAN".<br />
<br />
Once there, ensure that the [[IPv6 Configuration|IPv6 configuration]] type is set to "Static [[IPv6]]".<br />
<br />
AAISP will have given you an [[IPv6]] prefix, i.e. something like: 2001:8b0:XXX:YYY::/64<br />
<br />
Use one address from that prefix and assign it as the [[IPv6]] address of the LAN port. This address will have to be outside of the range you will allocate to DHCP6. A suggestion could be something like:<br />
<br />
<code>2001:8b0:XXX:YYY::1</code><br />
<br />
<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5635Router - PFSense v2.1.2+2014-04-25T18:44:10Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK, as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (easiest option) or can be created by using 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there, as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be an idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (typically will be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it gets SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it will still be an idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you change the password, move the web GUI port to another port and enable SSL. <br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc.). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.10 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
=== Updating the LAN settings ===<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5634Router - PFSense v2.1.2+2014-04-25T18:43:27Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it shows SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or whatever. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. The default credentials are username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL.<br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense prior to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.10 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
=== Updating the LAN settings ===<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5633Router - PFSense v2.1.2+2014-04-25T18:41:49Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it shows SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or whatever. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. The default credentials are username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL.<br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense prior to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
In the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
[[File: Interface_Setup_-_WAN.png|800px]]<br />
<br />
Finally, click on the save button.<br />
<br />
''Note: In previous versions of pfSense (2.10 and 2.1.2) this was a bit buggy and pfSense was getting mixed up in the PPPoE interface assignment, so you often had to manually define the PPPoE interface by creating it in the PPP tab of the "Interfaces -> (assign)" page. But this seems to work reasonably well now.''<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlinhttps://support.aa.net.uk/index.php?title=File:Interface_Setup_-_WAN.png&diff=5632File:Interface Setup - WAN.png2014-04-25T18:37:34Z<p>Camlin: </p>
<hr />
<div></div>Camlinhttps://support.aa.net.uk/index.php?title=Router_-_PFSense_v2.1.2%2B&diff=5631Router - PFSense v2.1.2+2014-04-25T18:36:15Z<p>Camlin: </p>
<hr />
<div>This is a short guide on getting a pfSense 2.1.2+ system to connect to AAISP as a dual-stack router and firewall (note, however, that this is just the way I have set up my system, and it should be used only as guidance).<br />
<br />
= Introduction =<br />
At the time of writing this wiki page, the pfSense version used was 2.1.2 and it is recommended that you use that version (or a later one) as 2.1.0 and 2.1.1 are affected by Heartbleed and some PPPoE config bugs.<br />
<br />
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK as it is quite common). In that regard, the old 2.0-[[IPv6]] beta range was a lot more stable; however, it was its [[IPv6]] support that was in turn rather flaky. This is why the old wiki page (see [[Router_-_PFSense_(beta_2.1)]]) could still be a valid option (unless your security rules dictate that you must be on the latest).<br />
<br />
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.<br />
<br />
= Hardware =<br />
As described in the previous version of this document (See [[Router_-_PFSense_(beta_2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).<br />
<br />
It should also work similarly well with other ADSL/VDSL modems as long as you can push PPPoE to them (and they, in turn, push it over their own PPPoA connection).<br />
<br />
On the PC side, you need at least two interfaces, one for LAN and one for WAN. These can be physical interfaces (the easiest option), or you can use 802.1Q VLANs to make one NIC into several.<br />
<br />
= Software =<br />
As indicated, at the time of writing (23rd of April 2014), you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option will suit you best).<br />
<br />
= Addressing =<br />
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them. <br />
<br />
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.<br />
<br />
= Configuration =<br />
== Vigor ==<br />
The good thing is that a UK variant of the [[Vigor 120]] modem will typically work just fine with its factory settings (so an easy way to get it ready quickly could be to just hard reset the thing).<br />
<br />
You don't need to enter your A&A username and password there as this will be done in pfSense (when setting up PPPoE).<br />
<br />
Now, it could still be a good idea to check the settings and change the default password. In which case, just plug the Vigor into a PC, point a browser at it (it will typically be listening on 192.168.1.1) and follow the user docs. If you check the web front end, make sure that it shows SHOWTIME for ADSL (otherwise it means you have a problem with the ADSL connection to start with).<br />
<br />
Typically you will be trying to set up the modem in bridge mode so that it receives the PPPoE on the NIC port and then pushes that over the ADSL connection (via PPPoA, using the usual VC Mux 0/38). In the case of the [[Vigor 120]], the configuration will look like this:<br />
<br />
<br />
[[File:Vigor_120_Setup.png|800px]]<br />
<br />
''Note: Interestingly, I tried the RFC1483 mode and it seems to work OK too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''<br />
<br />
== Dlink DSL-320B ==<br />
<br />
I also tried with a Dlink DSL-320B modem and it worked fine too, although it had to be set up in RFC1483 IP LLC bridge mode and the default VCI number had to be changed to 38 (there did not seem to be any PPPoE passthrough option over PPPoA).<br />
<br />
Now, even in bridge mode, it is still a good idea to change the default admin password and disable management services on the WAN side.<br />
<br />
[[File:Dlink_DSL-320B_Setup.png|800px]]<br />
<br />
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''<br />
<br />
== pfSense ==<br />
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or whatever. If it doesn't work, move the LAN cable to another NIC and see if that works. Once the LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. The default credentials are username: admin, password: pfsense. I recommend you change the password, move the web GUI to another port and enable SSL.<br />
<br />
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense prior to 2.1.2 also used to just discard [[IPv6]] traffic whatever its direction, but this is no longer true and it should now be processed similarly to IPv4 (firewall rules, etc). However, this is not always the case after an upgrade, so it is worthwhile to check that setting.<br />
<br />
That setting is available in the page "System: Advanced: Networking":<br />
<br />
[[File:IPv6_Enabled.png|800px]]<br />
<br />
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].<br />
<br />
=== Setting up the WAN ===<br />
<br />
Go to Interfaces -> (assign), then look for the WAN interface (if I remember it should be there by default. If not just click on the "+" button).<br />
<br />
Select the network port you want the WAN interface to really use and click save.<br />
<br />
Then click on the WAN interface name (i.e. click on "WAN" if you have called it like that) and enable it.<br />
<br />
For the IPv4 configuration type select "PPPoE", and for the [[IPv6 Configuration]] Type select "DHCP6".<br />
<br />
Then ensure that "Use IPv4 connectivity as parent interface" is selected.<br />
<br />
Finally, in the PPPoE configuration section enter your username and password (as given by A&A) and ensure that "dial on demand" is selected and that the idle timeout is set to 0.<br />
<br />
You should get a configuration screen similar to this:<br />
<br />
<br />
<br />
=== Updating the LAN settings ===<br />
<br />
=== Enable DHCPv6 ===<br />
<br />
=== Fix the PPPoE DNS problem ===<br />
<br />
=== Fix the Gateway monitoring problems ===<br />
<br />
<br />
[[Category:IPv6]] [[Category:Router]]</div>Camlin