Zit Seng's Blog

A Singaporean's technology and lifestyle blog

pfSense Fix for IPv6 on StarHub Broadband

ONT and pfSense RouterI’m quite enthusiastic about supporting IPv6, as may be evident by my occasional posts on this topic in this blog. I have StarHub fibre broadband at home, and they’ve provided IPv6 access for some time. There are occasional glitches, but otherwise seems to work better than some others’ basic broadband access. My IPv6 broke again last week, and this post is about sharing the fix.

This breakage affects pfSense users, i.e. those who use pfSense on their gateway router that connects to the Internet.

Since the last weekend, my pfSense router failed to get a new DHCP lease for an IPv6 address. Interestingly, tcpdump on the WAN interface shows DHCPv6 Solicit messages leaving pfSense, and DHCPv6 Advertise messages returning. But pfSense did not go through to the next phase of acquiring a IPv6 address lease.

I was originally suspecting something amiss with the Advertise that led pfSense to ignore it. However, I could not tell what was wrong with it, even after dissecting the contents with tshark.

Eventually, I discovered that pfSense was dropping the DHCPv6 Advertise replies. Yup, the firewall was blocking the traffic. This is matched by a default rule that drops traffic from bogon networks. This happens when the WAN interface configuration has the “Drop bogon networks” option checked.

pfSense’s bogon list currently contains an entry for 8000::/1. StarHub’s DHCP server is sourcing from an fe80::/16 address, which matches. Now, pfSense’s bogon list is updated monthly by default. I don’t know if 8000::/1 is a new entry just introduced, or StarHub just changed their DHCP server to use an fe80::/16 address.

A quick search on the Internet does find mention of the 8000::/1 entry in the bogon list in 2013. So it appears to have been in there for quite long.

The fix for this is really quite simple. In your WAN interface configuration, under the “Private networks” section at the bottom, uncheck “Block bogon networks.” DHCPv6 should just work fine after this.

3 thoughts on “pfSense Fix for IPv6 on StarHub Broadband

  1. Bro, I’m planning to setup pfSense.

    Do I have to use IPv6 ? Can I just use IPv4 with Starhub connection ?

    My main goal is to replace existing wireless router so that I can have better OpenVPN connection ( pfSense as client ). I’ll buy intel Atom base ( AES NI extension build in ) mini PC box.

    VPN connection would be AES-256-CBC and 4096 bit RSA key size , so it would be quite CPU intensive. Do you have any recommendation on the hardware ?.

    1. Yes, you can certainly run pfSense without IPv6. About performance, I don’t know specifically. These days the Celeron seems to also be used in fanless boxes, like the Bay Trail J1900. You might want to consider them. Again, not sure about performance firsthand though.

    2. Ok, sorry, J1900 doesn’t do AES-NI. I was eyeing the J1900 previously, but didn’t have AES-NI as my requirement. An alternative (unfortunately also no AES-NI) is the N2930 which is lower power and slightly slower. Which Atom did you have in mind?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.