• IP Address

    2
    0 Votes
    2 Posts
    778 Views
    M

    @rodrigocamargo said in IP Address:

    1 Let's say someone is going to create a network at their company and will use the IPs 192.168.0 to 192.168.0.255, that is, they will put a total of 256 hosts in the company. Is this IP address exclusive to the company, that is, can nobody else who creates another network for the same purpose use this IP address?

    It's not 256 hosts; the first and the last can't be used, because the first, 192.168.0.0, is the network, and the last, 192.168.0.255, is the broadcast.
    There are 8 bits for hosts, 2 to the power of n, minus 2, where n is the number of bits, that is, 256 - 2 = 254 hosts.

    2 I looked at some routers and modems I have at home, for example from Tp-link, whose IP address is 192.168.68.102. Is this address only for Tp-link? And if I were to use the network address from item 1, would I have to use only hosts of the same brand, or can I have different brands?

    That's not how it works; look up RFC1918.
    These addresses can be used in all internal networks.
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16

    And that is what NAT is for, because NAT translates your public IP, which is unique, into the private IP you have in there.

  • Lossy Tunnelbroker, is it normal?

    2
    0 Votes
    2 Posts
    746 Views
    GertjanG

    @skilledinept

    If you know the issue isn't local, always check this page: https://www.tunnelbroker.net/status.php. The he.net.ipv6 POPs can have issues.
    For example, right now, the UK-LONDON POP has been moved to Dusseldorf, Germany.
    While we can't see the 'load' of these servers, it will be a factor.

    All my IPv6 traffic goes out over the he.net.ipv6 link, and it's pretty stable. I've been using their services for many years now.

    edit : also check out the he.net support forum.

  • External access point ipv6 mystery

    13
    0 Votes
    13 Posts
    1k Views
    johnpozJ

    Using it as just an AP behind pfsense will be fine - and then sure be able to look into sure.

    As to sniffing - on pfsense, do a packet capture on your opt interface you were using for wireless. In promiscuous mode.. set it for just arp on the protocol

    Do you see arp traffic from the internet? For example.. This is my actual wan interface - I tried to run some wireless network here it would be directly connected to the internet no matter what "ip" Layer 3 range I ran on it..

    arp.jpg

    This interface is connected to the internet.. Running some AP on your isp device that you put into bridge mode and tried to run wireless on - "could" very well just be bridging that wifi to the internet.. Be it you running as some rfc1918 network or not.

    That sniff ran for 5 seconds - that is just a small portion of what it saw, none of those IPs are my pfsense wan IP.. Those are just other isp clients on the same L2 as my wan.

  • LAN interface static IPv6 trouble

    7
    0 Votes
    7 Posts
    2k Views
    A

    @andicniko

    EDIT: After a factory reset and trying again, it seems it will work if 1) I state the DHCPv6 range in full (including the prefix), and 2) I state the subnet in the router advertisements settings.

    For anyone else struggling to make this work, the specific settings are:

    Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
    Range = [your desired IPv6 range in full, e.g. 1000:1000:1000:1000::2000 to 1000:1000:1000:1000::3000]

    Note: DO NOT omit the prefix when stating the range. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default, the range is stated excluding the prefix, e.g. ::2000 to ::3000. I'm not sure why this should matter, if the subnet field is already populated and aware of 1000:1000:1000:1000::, and omitting the prefix does no harm when the LAN interface is set to IPv6 Configuration Type = Track interface. Also note: I also had some trouble keeping the "Provide DNS servers to DHCPv6 clients" checkbox ticked. It is ticked by default, but seemed to untick by itself when changing and saving settings on this page. When ticking it again and saving, it would just disappear. However, it was ticked after navigating to another page and coming back. So I didn't have an issue in the end.

    Services / DHCPv6 Server & RA / LAN / Router Advertisements
    Subnets = [your IPv6 prefix 1000:1000:1000:1000::/64]

    Note: DO NOT leave this blank. This is one of the issues that seemed to prevent my DHCPv6 server working properly (if the LAN interface is set to IPv6 Configuration Type = Static IPv6). By default this is blank, and it does no harm leaving it blank when the LAN interface is set to IPv6 Configuration Type = Track interface. I'm not sure why this should matter.

    I don't know if the above are supposed to be necessary or not - apologies if I'm posting something that should be obvious. But I hope that helps someone!

  • ISP provided IPv6 prefix and NPt

    10
    0 Votes
    10 Posts
    1k Views
    JKnottJ

    @csoban

    A big part of the problem are those who think an inadequate address space + hacks is a good idea, even though it's holding back many things. One thing I was reading about recently was how China plans to be single stack IPv6 only by 2030. This means if you want to reach sites there, you will need IPv6. There are other parts of the world, where they won't hand out IPv4 addresses to anyone who's not also running IPv6. I don't know how things are in Eastern Europe, but in North America it's still possible to get by with only IPv4 because we have so many of the addresses here. In Canada, some of the major IPs are providing IPv6, but Bell Canada, which used to be a world leader in telecom, is falling behind.

  • 0 Votes
    8 Posts
    1k Views
    johnpozJ

    @sts-134 did you actually get /56? Maybe they only allow you to ask for specific sizes, and when it doesn't give you what you ask for it confuses pfsense? Which I agree is not ideal.

  • IPv6 configuration for LAN only when no IPv6 from ISP?

    12
    0 Votes
    12 Posts
    1k Views
    JKnottJ

    @johnpoz said in IPv6 configuration for LAN only when no IPv6 from ISP?:

    name 1 resource just 1, that your typical user would need ipv6 to access?

    As I mentioned, there are many who are stuck behind CGNAT. They cannot connect to their networks from outside.

  • fe80::/16 not included in interface networks?

    31
    0 Votes
    31 Posts
    4k Views
    O

    @johnpoz

    I originally used fe80::/16, which you told me was incorrect (which is true... it should be fe80::/10 like you mentioned). But then you said this:

    An alias for any specific "net" using the space of /16 wouldn't be a specific net, it would be a huge chunk of the whole space FE80::/10, where did you come up with using /16 anyway?

    The way I interpreted that, was that using /10 also wasn't ideal, and using a /64 would use less space (and would be closer to a * net). Both /64 and /10 both work, so I can update the Redmine ticket if you think /10 should be the correct default.

    224.0.0.0/3 is the multicast address space. Originally I created individual rules for each specific address, but decided to "simplify" doing that and instead creating an alias that included the entire multicast address space. My alias is called MULTICAST_SUBNET, and includes the network of 224.0.0.0/3 which is technically correct, right? I use more than just mDNS requests fall into that subnet. But you are 100% correct that I should update that ticket and make it 224.0.0.251, since that is unique to mDNS and is the only destination required for Avahi.

    Something else related to this thread... some of my devices on some VLANS make requests for SSDP. They have an IPv4 destination of 239.255.255.250. However, IPv6 traffic is blocked by default unless this rule is created:

    source: fe80::/10
    destination: ff02::c
    Port: 1900

    Another example would be the same source and destination above, but for port 3702 which is WSDD (used by a Windows 10 device).

    These are examples of traffic where I would assume (incorrectly based on your feedback) the * net source rule to cover when IPv6 is enabled on a network.

    And no offense taken. I'm far from an expert here. I've already solved this myself, although you may see the way I've done it is less than ideal. I created this post to hopefully help others.

  • WAN_DHCP6 Pending - Pfsense 2.5.2

    14
    0 Votes
    14 Posts
    2k Views
    GertjanG

    @thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:

    but the dpinger command uses -B "Gateway Address" as an option

    Not a gateway.

    type

    dpinger

    without any options, and you see what it wants : the local address to bind to :

    bind (source) address

    Like "192.168.1.1" if you want to "dpinger" to a device on your LAN (seems absurd, but I do just that).
    So it knows from what address ( and interface) to start pinging from.

    @thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:

    for the Hurricane Electric Tunnel -B address is different to the final ping target at the end..

    he.net gives us static IPv6's for "our side" and their side
    2001:470:1f12:5cx::1/64 == their side
    2001:470:1f12:5cx::2/64 == pfSense side.

    Thus "2001:470:1f12:5cx::2" is the address used for dpinger == the address to bind to.

    Btw :

    here is the "GIF" tunnel info :

    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480
            description: HeNetv6
            options=80000<LINKSTATE>
            tunnel inet 192.168.10.3 --> 216.66.84.42
            inet6 2001:470:1f12:5cx::2 --> 2001:470:1f12:5cx::1 prefixlen 128
            inet6 fe80::215:17ff:fe77:d119%gif0 prefixlen 64 scopeid 0xa
            groups: gif
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

    I do have a "fe80::215:17ff:fe77:d119" but it's not used anywhere..

  • DynDNS IPV6 IP mismatch error

    2
    0 Votes
    2 Posts
    643 Views
    T

    @tarbash

    Results match is as follows:

    good %IP%|nochg %IP%

  • 0 Votes
    2 Posts
    532 Views
    JKnottJ

    @code4food23

    It means you have to assign an address to the interface. With SLAAC, addresses are created automagically.

  • dhcp6c ip renew problem

    5
    0 Votes
    5 Posts
    1k Views
    Bob.DigB

    @lordsandwurm I made a cronjob in pfsense to reboot it every night, that mostly fixed it for me. I wish that wouldn't be necessary...

  • Slow IPv6

    1
    0 Votes
    1 Posts
    515 Views
    No one has replied
  • CISCO ip route to pfsense

    2
    0 Votes
    2 Posts
    581 Views
    johnpozJ

    @chrisjmuk did you create that route via the gui, with gateway setup? or trying to just add the route from the cmd line?

  • IPv6 DHCPv6 Delegation Range

    8
    0 Votes
    8 Posts
    1k Views
    S

    @ethereal said in IPv6 DHCPv6 Delegation Range:

    @bob-dig probably his setup is a bit more complex and using the firewall as firewall - rather than a router for his lan.

    @simple0ne I have a similar setup at home and I was thinking to go ahead and try to implement it.
    Will give it a go next weekend or so.

    @Ethereal sounds good. I will get back to testing this further in the next few days hopefully, so I'll let you know if I discover anything interesting.

    @Bob-Dig, yep, two separate use cases. One is where the firewall is basically already just serving as firewall (+ proxy for some services on IPv4) as @Ethereal mentioned.

    The second scenario is actually a little different and has two flavours (though they are quite similar to each other):

    The pf is serving as the outside firewall of a dual vendor DMZ, but the pf is also providing some services to devices/networks living within the DMZ. Similar to the first, but the pf is the only firewall, but is providing some services to downstream clients. There are a few networks, each with a lot of WAPs (that are actually routing) on them, which are managed separately, but wish to have IPv6 routed to them for allocation to wireless clients.

    Part of the problem here isn't purely technical, it's that the administrative domains for different devices/parts of the network are owned by different parties. This makes for some additional headwinds when it comes to adopting wider changes that could make everything a bit easier to resolve.

  • Block fc00::/7 out WAN just like RFC1918?

    10
    0 Votes
    10 Posts
    1k Views
    O

    @bob-dig said in Block fc00::/7 out WAN just like RFC1918?:

    @jknott said in Block fc00::/7 out WAN just like RFC1918?:

    Yep. My ISP's gateway has a link local address.

    Mine too.

    Mine three.

  • 0 Votes
    10 Posts
    2k Views
    C

    @jimp I believe I had set it to DHCPv6 only but what is the setting I need to disable SLAAC?

  • IPv6 and ICMP

    4
    0 Votes
    4 Posts
    791 Views
    JKnottJ

    @jpvonhemel

    You might want to allow ping. Most of the ICMP6 stuff is used on the local LAN and on the WAN side, pfsense is the "client".

    As for sparse addresses, the standard LAN size is a /64, which has as many addresses as the entire IPv4 address space squared. In that huge space, you might have a few dozen working addresses at any time, most of which are temporary. Bottom line, you're not much of a target.

    Did that test site list which ICMP6 it was testing?

  • Why are the default RA intervals and lifetime values so low?

    6
    0 Votes
    6 Posts
    1k Views
    O

    @viktor_g

    I created a redmine ticket for this here:
    https://redmine.pfsense.org/issues/12280

  • Comcast Metro-Ethernet Fiber w/Static IPv6- can't get to work

    8
    0 Votes
    8 Posts
    1k Views
    JKnottJ

    @jbattermann

    I haven't done load balancing, so I can't help with that. Are you saying you have 2 prefixes on the LAN side of one network? Also, load balancing on the WAN side shouldn't have any effect on the LAN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.