Why does this seem like spam to me? Why does someone join a site just to advertise some site, other than just to spam!!!
I wouldn't hit that site with your ____ if you know what I mean!
There is one thing if you have user X that has been here in the community, and then there is a thread that says hey where do you test Y.. suggesting a site, and then there are accounts that join, and at the same instant suggest go to X.. I should just delete and ban this account.. But it's not from IN, so I will give the benefit of the doubt... For now.
Well, it doesn't work. Can't communicate between subnets no matter what I do. I'm 99% sure it is not about firewall rules (not excluding the possibility of course). Maybe it has to do with that link-local address I added for the WAN from the CLI and things are not properly routed because of it. I don't know.
In the worst case, I'll move the WiFi clients in the same subnet as the LAN, for both IPv4 and 6.
@JKnott ok sorry.
Noob more in regard to IPv6 itself. I'm not a networking guy, I have a fair understanding of IPv4, but not so much of IPv6. And to that I must say: still a noob, and looking to learn.
About the HOW, I'm sorry if that wasn't clear and I didn't get the hints to explain that part better, but it's out in the clear now I guess. I may have missed mentioning it was a datacenter; I just said "provider". My bad, and I'm sorry for the confusion.
I have 4 dedis with 2 pfSense routers. WAN is only connected to the pfSenses via vSwitch. All VMs get their connectivity through pfSense and are not host-bound.
@Derelict I didn't mean to offend probably as much as you meant me. I already explained the "noob" part, but consider saying to someone:
You should also probably paste EXACTLY what they are telling you instead of your interpretation of the same.
It's like people (or me in this case) are stupid and can't interpret what we're told. Your comment was specifically about one's ability to understand a message and pass it on. People who can't understand a simple message and repeat it fall into such categories. Maybe you could have phrased it better. Anyway, please note I said it seemed; I am sure that's not what you meant, yet I felt the remark was due. I have been working in IT and with customers for 14 years and I never made such a remark to anyone, despite how dumb I may think they are sometimes.
Anyway I don't want to derail the topic to this, was just a comment.
I'm still insisting with the DC so they give me a bigger prefix.
Especially if the WAN address is on the opposite end of my prefix from where my LAN and other networks are.
My WAN address has absolutely nothing to do with my prefix. However, as you mentioned, you could pick any address within your prefix. For example, with my /56, I use prefix ID ff for OpenVPN. There's no reason it couldn't also be used as a target. However, I haven't tried that.
Keeping in mind that most people have a gateway (modem + router in one) rather than a separate modem and router, they will probably only ever see a /64. That's what needs to be used on a LAN, and those gateways don't usually support more than one LAN. But pfSense connected to a modem (not a gateway, unless it's in bridge mode) should be able to request a prefix that gets you multiple /64's, so you can set up multiple networks, each with their own /64.
Clearly you have a WAN address... so DHCPv6 is working. Requesting a /60 prefix on your WAN will work regardless of your service. If you have business service and need more than 16 /64's, you could request a /56. Your internal networks should be Track Interface > WAN, and each should use a different prefix ID.
@hemachayart It's been like a month... I remember setting it back to regular Unbound mode as a test, then rebooting it and it came back up with my IPV6. I then set it back to Python and restarted Unbound again if memory serves and it came back up OK. That was when version 3 first came out. I've upgraded it with those small incremental updates since and haven't had any other issue like that. I suspect if I were to power cycle the modem or disconnect it I would probably have to restart Unbound again, as I have left it in Python mode. It's like a weird timing thing between the modem and router when it's in python mode.
@databeestje Confirmed working from Helsinki, Finland with operator Telia, but had to edit WAN-interface's DHCP-client to request option-212 and run a packet capture for relay and prefix details.
6RD Prefix:2001: 2003:f400::/38
6RD Border relay: 188.8.131.52
6RD IPv4 Prefix length: 14
From what I've heard, in Finland especially Telia is really behind in native IPv6 deployment and 6RD is extensively in use. Only the first 32 bits of the prefix are static and, to add insult to injury, the border relay IPs sometimes change.
Would it be possible to add a checkbox in the 6RD config GUI for the automatic update of the 6RD parameters via option-212?
So I am running multi-WAN, and I do have NPt set up to translate my /48 with an HE.net /48 on my backup connection, and I see the same behavior you posted a screenshot of. I tried removing the NPt rule and still observed the same behavior on my primary WAN (IPv6 address being reported as the router WAN IP, not my desktop IPv6 address).
Any suggestions on things I could check, or is this just a side effect of using multi-WAN and gateways with fail-over?
@ksdehoff Odd that yours didn't work for the static mapping, maybe because I enumerated the entire interface ID (::7d86:e96:bb0c:fe85 for example). So I don't have to mess with changing anything in the static mapping. I had another issue unrelated to it (caused by Snort of all things) and I had as part of troubleshooting, unchecked the 'do not allow release...' setting and rebooted, and yep the prefix changed and the servers got new IPs with the same interface ID and the new prefix. So I am happy with that small victory.
Hmm... look... another ISP (in Germany this time) with the same issue. I guess Comcast isn't the only one broken. Can this be looked into now to see where the problem lies as far as pfSense's handling of prefix size received being different from prefix size requested?
At the moment, you're using an even number prefix. What happens if you pick an odd one? That /63 moves the boundary between the prefix and suffix over by one to the left. Will a prefix ID 1 now be the same as 0?
Perhaps a touch. However, I have noticed a lot of misunderstanding about IPv6, because people are so used to IPv4. While many things work the same way, some others are quite different. When I had that IPv6 problem, a couple of years ago, I found I had to educate the 2nd level tech support (I wouldn't waste my time with 1st) and senior tech at my ISP on the finer details of how some things worked with IPv6.
As for the WAN address, a public address is entirely optional with IPv6, relying on the link local address for routing. That seems to be quite a leap for many to understand.
LAN (default VLAN): Switches, APs and controller
Home: iPhones, iPads, Macbooks
Media: LG TV, Roku TV, Apple TVs, Sonos Speakers
Server: Synology and QNAP NAS
Printer: HP printers
IoT: Kindles and Bike Computers
I have 3 SSIDs
Freeside: Enterprise Radius assigned VLAN
Chiba: PSK Radius assigned VLAN by MAC address
I put everything I could on Freeside, including one of my printers that supports WPA2 Enterprise EAP-TLS. Lots of fun with Apple Configurator for the others.
Chiba gets the Kindles, bike computers and Roku TV. Before anyone has a fit, no, you can't get on this network by MAC address only. They are only used to do VLAN assignments. You still have to know the pre-shared key. Unifi is kinda misleading with this; they call it "RADIUS MAC AUTHENTICATION". I tested this and found that you have to have a user in RADIUS that matches the MAC address and the PSK. RADIUS shows it as a successful logon if you have no password or the wrong password, but the AP doesn't connect you in that case. Maybe you could do this on an open network or do something in RADIUS to make it a MAC bypass. That is a terrible idea.
Sprawl is the guest network.
Everything that is stationary is on a wired connection with the exception of the Roku TV and one Apple TV.
One printer (an all-in-one) is on a cart and connects to Freeside (didn't know it supported Enterprise EAP-TLS until recently, never bothered to look when I bought it) :)
I violate the F out of the L2 segregation using avahi (mDNS/Bonjour) and udpbroadcastrelay (SSDP, for the Sonos). I'd post up all my firewall rules but that would just serve to make me look dumber than I already do. They get the job done but are not nearly as locked down as they could be.
There is a lot that could be improved. We're probably going to move late spring/early summer and that will be the time to get some gear that is quieter and more energy efficient: a Netgate appliance and new switch(es). Get rid of my Unifi stuff and replace it with Ruckus APs if I can find some for a decent price used. Put bigger drives in my Synology and retire the QNAP. There's always something...
Can't be done through UI, needs to be executed in a shell.
The tunnel will not be visible in the UI.
Doesn't persist. Would need to re-execute every time the WAN comes up and has a global IPv6 assigned.
Need to extract the AFTR name and its IPv6 address. In my case, the name comes through via DHCPv6 from the ISP as option 64. Could extract it via tcpdump. Then resolve it to an IP address and use that when setting up the tunnel.
Breaks again if AFTR name/IP changes.
So, no real DS-Lite support in pfSense currently, but possible to set up manually.
@jknott Honestly, I don't think I ever intentionally set anything up for that (nor knew it was an option to disable it either). It's just something that's always been there on the dashboard. I assumed it was pfsense pinging the gateway address and getting the answer (since the gateway is usually given by dhcp on the WAN).
I just found the checkboxes to disable it - all good :-)
I recently changed the rules for my guest WiFi VLAN to IPv6. In some cases it was only necessary to change from IPv4 to IPv4 & IPv6. I have only one rule that is IPv6 specific and none that are IPv4 specific. That IPv6 one is to block anything within my prefix.
@jknott OK, so I have sussed it; I am on a pure IPv6 connected PC now! So: static IPv6 address on the link, DHCPv6 disabled, but RA set to Assisted with a DNS server with the link's IPv6 address set on the RA tab.
So I think this is SLAAC + RDNSS working properly?
Even managed to use a literal IPv6 address for the pfsense box - https://[ipv6 address] needed in Edge - square brackets eh?
Irony of testing, though: one of the test-IPv6 sites I was using didn't resolve an IPv6 address (test-ipv6.com) whereas ipv-test.com was happy!
@gertjan Thanks for the clarifications. I hadn't thought to look upstream, as I had assumed the functionality was there but not being presented in the UI.
In this case, these are hosts (VMs, actually) that I admin, so I don't expect the MAC to change once brought online, but I have run into the DUID changing in the past due to changes to the DHCPv6 client. I run radvd in managed mode, so clients are not instructed to try to get SLAAC addresses.
The purpose of this is more so to use it as a guardrail in case a host gets brought up on the subnet by mistake or without being "pre-provisioned", where someone makes an explicit effort to document the new host and assign it an address. In other words, if it comes up and has connectivity, I don't want someone, including myself, to mistakenly think they did everything they needed to and have some rogue host sitting out there unaccounted for.
Based on what you're suggesting, it sounds like I can create an alias with LL addresses that should be allowed to multicast for DHCPv6 on that subnet, then put in a rule to allow those to pass through to the firewall interface, and drop solicits from all other hosts.
All the addresses appear automagically. One of each type is consistent, based on the MAC address. The privacy addresses are based on random numbers. The only thing I configure is the DNS entries, which I point to the consistent addresses. I do not ever use a privacy address for DNS, as it would only last for a week. It is also possible to have consistent addresses based on a random number, for those who are worried about someone tracking their MAC address.
While I haven't seen 2 link local addresses in a device with only 1 interface, multiple routeable addresses are common. For example, this computer, once it's been up for a week, will have a total of 16 routeable addresses, 8 global and 8 unique local. Of those, one of each is consistent and MAC based and the others are privacy addresses, of which I get new ones every day, with them expiring after 7 days.
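The address arithmetic behind the posts above, worked as an added example that is not from this thread or from pfSense's own code: how a host derives its consistent, MAC-based SLAAC address (and how to tell it apart from a random privacy address by its ff:fe marker), and how a prefix ID selects one /64 out of a delegated /60, /56 or /63 the way the Track Interface discussion describes. The MACs and 2001:db8:: prefixes are constructed sample values; treating the prefix ID as plain bit arithmetic between the delegation length and /64 is my assumption, not a reading of pfSense's implementation.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291) for a 48-bit MAC:
    split the MAC, insert ff:fe in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The consistent, MAC-based SLAAC address a host forms inside a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on the link")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def looks_eui64_derived(addr: str) -> bool:
    """Heuristic: the interface ID carries the ff:fe marker, so it was derived
    from a MAC rather than drawn at random as a privacy (temporary) address."""
    raw = ipaddress.IPv6Address(addr).packed   # 16 bytes; IID is bytes 8..15
    return raw[11:13] == b"\xff\xfe"

def tracked_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Select one /64 out of a delegated prefix by prefix ID: the ID fills the
    bits between the delegation length and /64. (Assumption: plain arithmetic,
    not a reproduction of pfSense's Track Interface code.)"""
    dp = ipaddress.IPv6Network(delegated, strict=True)
    if dp.prefixlen > 64:
        raise ValueError("a delegation longer than /64 leaves no room for a /64 LAN")
    available = 1 << (64 - dp.prefixlen)          # /60 -> 16 subnets, /56 -> 256, /63 -> 2
    if not 0 <= prefix_id < available:
        raise ValueError(f"prefix ID must be below {available:#x} for a /{dp.prefixlen}")
    return ipaddress.IPv6Network((int(dp.network_address) | (prefix_id << 64), 64))

if __name__ == "__main__":
    # Constructed sample values: documentation prefixes and a made-up MAC.
    print(slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55"))
    print(tracked_subnet("2001:db8:abcd::/56", 0xff))      # prefix ID ff, as in the post above
    print(tracked_subnet("2001:db8:abcd:2::/63", 1))       # the /63 case: ID 1 is not ID 0
```

With a /63 delegation only prefix IDs 0 and 1 exist, and they land on different /64s; asking for ID 2 raises, which is the kind of silent edge the thread is poking at.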
I see. Will tracerouting the ipv4 addresses shown in the registration process be sufficient to tell if a specific tunnel endpoint is a good choice or will it require registration and bringing up the tunnel itself to be sure?
You've probably either figured this out already or just decided to ignore it but I have found that those errors are typically caused by an IPv6 client that doesn't support DHCPv6 and your IPv6 Router Advertisements are configured not to support SLAAC (set to either "Managed" or "Disabled" on that interface).
Under "Services/DHCPv6 Server & RA", change your RA mode to "Assisted" or "Stateless" on the interface those clients are connected to and this error should disappear.