Simple IPv6 setup for Active Directory Domain Server using Comcast /64 through pfSense firewall/router

    Question

  • Hello, 

    I have a simple homelab with a few VM servers and Active Directory appearing to work correctly using IPv4.  I am tired of having to choose between IPv6 and being able to use the DC - but for now I just have IPv6 turned off completely.

    I am using a pfSense router (not virtualized) and have a Comcast residential gateway which has been provided a native /64 address (the modem actually ONLY gets an IPv6 address and presumably translates it to IPv4 for LAN devices).  

    pfSense is both firewall and used for local routing.  It is set to track the WAN IPv6 address locally (no NAT64).

    I am trying to wrap my head around setting up IPv6 using the domain controller.  IPv6 works great if I take the domain controller out of the equation, but if I add the domain controller using DHCP for IPv6 it doesn't appear to be able to resolve DNS and can't ping names like google.com that try to resolve to IPv6 addresses (although it does get to IPv4 sites - so it's like a mixed working/non-working situation that's very frustrating).  

    DNS root hints are untouched from default install and contain both IPv4 and 6 addresses.

    I have seen warning messages saying I need to set up a static IPv6 address for the DC, but I am not sure if that's possible.  I've tried setting it to a link-local address but I seem to remember it complained saying that wasn't allowed (sorry, it was a while ago).

    Any info would be greatly appreciated!  

    Thanks,

    Avery

    Wednesday, April 04, 2018 2:26 PM

All replies


  • Hi,
    Thank you for your question. 
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.
    Best Regards,

    Frank

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 05, 2018 2:42 AM
  • Hi, 

    Thanks, I appreciate it.  I'll be checking frequently, as it's really bugging me that I can't seem to get it working!  Apparently I need to brush up on my netsh commands ... ;)

    Thursday, April 05, 2018 6:33 PM
  • I think I am making some headway.  I have two AD DCs, with DNS enabled - accessed manually through explicitly setting them for DNS.  DC01 is 192.168.1.2 and DC02 is 192.168.1.3

    DC02 192.168.1.3 can ping -6 ipv6.google.com fine:

    dc02 > netsh int ipv6 dump

    # ----------------------------------
    # IPv6 Configuration
    # ----------------------------------
    pushd interface ipv6

    reset
    set interface interface="Ethernet (Kernel Debugger)" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
    set interface interface="Ethernet0" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
    set interface interface="Teredo Tunneling Pseudo-Interface" forwarding=enabled advertise=enabled mtu=1280 nud=enabled ignoredefaultroutes=disabled

    DC01 192.168.1.2 cannot ping ipv6 destinations:

    dc01 > netsh int ipv6 dump

    # ----------------------------------
    # IPv6 Configuration
    # ----------------------------------
    pushd interface ipv6

    reset

    set global

    set privacy state=disabled
    add route prefix=::/0 interface="Ethernet0" nexthop=2601:603:4d00:32c6:a9:9cff:fe24:ce00 publish=Yes
    set interface interface="Ethernet0" forwarding=enabled advertise=enabled nud=enabled routerdiscovery=dhcp managedaddress=enabled
    set interface interface="Teredo Tunneling Pseudo-Interface" forwarding=enabled advertise=enabled mtu=1280 nud=enabled ignoredefaultroutes=disabled

    Route of DC02 (working):

    dc02 > netsh int ipv6 show route

    Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
    -------  --------  ---  ------------------------  ---  ------------------------
    No       Manual    256  ::/0                        4  fe80::1:1
    No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
    No       Manual    256  2001::/32                   2  Teredo Tunneling Pseudo-Interface
    No       Manual    256  2601:603:4d00:32c6::/64     4  Ethernet0
    No       System    256  2601:603:4d00:32c6:cd9e:d4ff:61e9:f707/128    4  Ethernet0
    No       System    256  fe80::/64                   4  Ethernet0
    No       System    256  fe80::/64                   2  Teredo Tunneling Pseudo-Interface
    No       System    256  fe80::ffff:ffff:fffe/128    2  Teredo Tunneling Pseudo-Interface
    No       System    256  fe80::cd9e:d4ff:61e9:f707/128    4  Ethernet0
    No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
    No       System    256  ff00::/8                    4  Ethernet0
    No       System    256  ff00::/8                    2  Teredo Tunneling Pseudo-Interface

    Route of DC01 (not working): 

    dc01 > netsh int ipv6 show route


    Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
    -------  --------  ---  ------------------------  ---  ------------------------
    Yes      Manual    256  ::/0                        4  2601:603:4d00:32c6:a9:9cff:fe24:ce00
    No       Manual    256  ::/0                        9  Teredo Tunneling Pseudo-Interface
    No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
    No       Manual    256  2001::/32                   9  Teredo Tunneling Pseudo-Interface
    No       System    256  fe80::/64                   4  Ethernet0
    No       System    256  fe80::/64                   9  Teredo Tunneling Pseudo-Interface
    No       System    256  fe80::5efe:192.168.1.2/128    2  Local Area Connection* 2
    No       System    256  fe80::ffff:ffff:fffe/128    9  Teredo Tunneling Pseudo-Interface
    No       System    256  fe80::6085:1d85:e1da:459f/128    4  Ethernet0
    No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
    No       System    256  ff00::/8                    4  Ethernet0
    No       System    256  ff00::/8                    9  Teredo Tunneling Pseudo-Interface

    Any ideas?

    Friday, April 06, 2018 2:17 PM
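An added example, not code from the original poster: a small Python triage script that applies the checks a practitioner makes when reading the two route tables above. It takes the `netsh int ipv6 show route` output posted for DC01 and DC02 (copied in as the sample input) and reports, per host, whether a LAN adapter has an on-link global /64 and a global /128 host route at all, whether the default route's next hop is a link-local router address of the kind Router Advertisements install, whether the ::/0 route is published (Publish=Yes, which together with advertise=enabled on the interface means the host itself includes a default route in the RAs it sends to every neighbor on the segment), and whether a default route goes over the Teredo tunnel. The interface-name heuristics (dropping "Pseudo-Interface" and "Local Area Connection* N" entries) are assumptions about how Windows names its loopback, Teredo and ISATAP interfaces.

```python
"""Triage `netsh interface ipv6 show route` output for host-side IPv6 problems.

Added example, not from the thread's author: the tables are copied from the
route tables posted above so the checks run offline against real netsh output."""
import ipaddress
from dataclasses import dataclass

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
DEFAULT = ipaddress.IPv6Network("::/0")

DC02_ROUTES = """\
No       Manual    256  ::/0                        4  fe80::1:1
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001::/32                   2  Teredo Tunneling Pseudo-Interface
No       Manual    256  2601:603:4d00:32c6::/64     4  Ethernet0
No       System    256  2601:603:4d00:32c6:cd9e:d4ff:61e9:f707/128    4  Ethernet0
No       System    256  fe80::/64                   4  Ethernet0
No       System    256  fe80::/64                   2  Teredo Tunneling Pseudo-Interface
No       System    256  fe80::ffff:ffff:fffe/128    2  Teredo Tunneling Pseudo-Interface
No       System    256  fe80::cd9e:d4ff:61e9:f707/128    4  Ethernet0
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                    4  Ethernet0
No       System    256  ff00::/8                    2  Teredo Tunneling Pseudo-Interface
"""
DC01_ROUTES = """\
Yes      Manual    256  ::/0                        4  2601:603:4d00:32c6:a9:9cff:fe24:ce00
No       Manual    256  ::/0                        9  Teredo Tunneling Pseudo-Interface
No       System    256  ::1/128                     1  Loopback Pseudo-Interface 1
No       Manual    256  2001::/32                   9  Teredo Tunneling Pseudo-Interface
No       System    256  fe80::/64                   4  Ethernet0
No       System    256  fe80::/64                   9  Teredo Tunneling Pseudo-Interface
No       System    256  fe80::5efe:192.168.1.2/128    2  Local Area Connection* 2
No       System    256  fe80::ffff:ffff:fffe/128    9  Teredo Tunneling Pseudo-Interface
No       System    256  fe80::6085:1d85:e1da:459f/128    4  Ethernet0
No       System    256  ff00::/8                    1  Loopback Pseudo-Interface 1
No       System    256  ff00::/8                    4  Ethernet0
No       System    256  ff00::/8                    9  Teredo Tunneling Pseudo-Interface
"""

@dataclass
class Route:
    publish: str
    prefix: ipaddress.IPv6Network
    ifindex: int
    gateway: str  # next-hop address, or the interface name for an on-link route

    @property
    def next_hop(self):
        try:
            return ipaddress.IPv6Address(self.gateway)
        except ValueError:  # an interface name: on-link route
            return None

def parse_routes(text):
    """Parse netsh data rows; header, separator and prompt lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # interface names may contain spaces
        if len(parts) == 6 and parts[0] in ("Yes", "No", "Age"):
            publish, _type, _metric, prefix, idx, gw = parts
            routes.append(Route(publish, ipaddress.IPv6Network(prefix, strict=False), int(idx), gw))
    return routes

def lan_interfaces(routes):
    """ifIndex -> name for real adapters; loopback, Teredo and ISATAP ("...* N") dropped (assumed naming)."""
    names = {r.ifindex: r.gateway for r in routes if r.next_hop is None}
    return {i: n for i, n in names.items() if "Pseudo-Interface" not in n and "*" not in n}

def diagnose(text):
    """Return the facts a practitioner checks first, plus human-readable findings."""
    routes = parse_routes(text)
    lan = lan_interfaces(routes)
    lan_defaults = [r for r in routes if r.prefix == DEFAULT and r.ifindex in lan]
    report = {
        "global_address": any(r.prefix.prefixlen == 128 and r.ifindex in lan
                              and r.prefix.network_address in GLOBAL_UNICAST for r in routes),
        "onlink_global_prefix": any(r.next_hop is None and r.prefix.prefixlen < 128 and r.ifindex in lan
                                    and r.prefix.subnet_of(GLOBAL_UNICAST) for r in routes),
        "default_next_hop_link_local": (all(r.next_hop is not None and r.next_hop.is_link_local
                                            for r in lan_defaults) if lan_defaults else None),
        "published_default": any(r.publish == "Yes" for r in lan_defaults),
        "tunnel_default": any(r.prefix == DEFAULT and r.ifindex not in lan for r in routes),
    }
    checks = [
        (not report["onlink_global_prefix"], "no on-link global /64 on a LAN adapter: no RA prefix learned and none configured"),
        (not report["global_address"], "no global /128 host route: link-local only, so global destinations cannot be reached"),
        (report["default_next_hop_link_local"] is False, "default next hop is not link-local; RA-learned gateways are fe80:: addresses"),
        (report["published_default"], "::/0 is Publish=Yes: with advertise=enabled this host puts a default route in its own RAs"),
        (report["tunnel_default"], "a default route points at a tunnel pseudo-interface (Teredo)"),
    ]
    report["findings"] = [msg for hit, msg in checks if hit]
    return report

if __name__ == "__main__":
    for host, table in (("DC02", DC02_ROUTES), ("DC01", DC01_ROUTES)):
        print(host, diagnose(table)["findings"] or ["no findings"])
```

To run it against a live host, redirect `netsh interface ipv6 show route` to a file and pass its contents to `diagnose()`; the parser only relies on the column order netsh prints, so the header and prompt lines can stay in the file. On the posted data DC02 produces no findings, while DC01 triggers all five.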