@JKnott said in Services / Router Advertisement - DHCPv6 server - strange behavior:

Thanks to some genius at Google, Android does not support DHCPv6

Same genius at Google for its Chrome OS ;-)
Does also not fully support RFC 3315

See: https://en.wikipedia.org/wiki/Comparison_of_IPv6_support_in_operating_systems

@NickyDoes yeah a /56 is lot of /64s for testing and playing with ;)

Best practice is /64 for any segment you want to break out.. Even if it only has a couple of devices on it.. It seems insane when you first start playing with Ipv6 to be honest.. Since a /64 is so freaking huge when it comes to how many IPs..

Following the info on the link provided worked so i'm all good to go. Thanks again

@ChrisJenk

Well, I you'll have to see what the flags are when whatever fails.

@the-other

Success! This issue was a layer 2 issue: I hadn't configured one VLAN switch port's VLAN ID, a simple oversight. Return traffic wasn't reaching the pfSense interface.

Whittling away the unknowns.

@guardian said in Very Basic IPv6 security question.:

Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.

I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.)

IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network.

Am I correct, or do I need to take measures to protect my network?

My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN.

P.S.: Any suggestions as to helpful learning resources would be much appreciated.

You can access the web gui over IPv6. So make sure you sure that fyi

Example every interface can access the firewall gui unless you block it...

Screenshot 2024-07-28 at 20.40.46.png

Test it and see..

@johnpoz I have no idea, it only does it with iMac in safari browser with IPv6 enabled. That port 149 is not a standard port used often also. It makes no sense why it would be showing up so much.. thanks for verifying this with me.

Hi,
Since you are using IP passthrough for IP4 why not do the same with IP6. I do not have static IP and do it this way. I guested at the settings having looked all over for configuration settings with AT&T. Comcast was much easier. I am definitely not an expert with this.

WAN has DHCP for both IP4 and IP6
I have the following DHCP6 Client configuration boxes checked
Send IPv6 prefix hint
Do not wait for a RA.

I get a /128 IP for the WAN.

On the lan side.
I know of 2 settings that work for a LAN network with no VLANS
IPV6 Configuration Track Interface or Type Static IPV6 (Will probably break if IP6 changes on WAN)

With tack interface:
You select the IPV6 Interface (WAN)
You should get an IP6 for the LAN and mine was a /64
At this point I get IP6 addresses for all the devices on the LAN interface.
Problem with this setting is that I have VLANs setup and those VLANs don't get a IP6 address.

This works but probably isn't correct.
You can also change the LAN to static. I did this using the prefix address and selected an IP6 address with a /64 address. I used an IP6 calculator to guess at a correct IP6 address to choose.
Routing and everything works for the LAN.
The IPv6 upstream gateway is None.
I was able to setup DHCP6 on the LAN with a range.
Devices on the LAN can reach the internet via IP6
I have not been successful figuring out how to get IP6 on the VLANs yet.

Hope this helps.

@NickyDoes

If enabled, it uses RDNSS to provide the IPv6 server address. If not enabled, then you have to rely on DHCPv6 to provide is. If you don't have DHCPv6, then you have to rely on DHCPv4 DNS to provide an IPv4 DNS server address. However, whichever DNS server you use, you will get back the exact same info.

@br8bruno said in So close on IPv6 yet so far away - Can't get to internet over IPv6 despite everything seeming to be in place.:

Not really sure, but I will as the ISP

They will ask you to execute a traceroute to, for example, 8.8.8.8
The second, third, maybe fourth IP listed is theirs - on of their equipment. Pick any of these, as long as they answer to ping.
Further on, you'll will find the main 'highway Internet core routers'.

@johnpoz thanks for the recommendations again!!

I know the basics of IPv6. I can configure an ipv6 webserver that is behind a secure firewall inside of a IPv6 tunnel broker that tunnels inside of a IPv4 only ISP provider. I can manage and parse out AAAA records for streaming services that do not support tunnel brokers. I understand glue-records and have my website mirroredanalytics.com working (just the basics I have not spent any time really designing it. Right now, my web server is still under construction) YEAHHHH Buddy!

Screenshot 2024-07-24 at 11.25.59.png

Plus they said I get a T-Shirt :)

@NickyDoes IPv6 gets quite tricky when it comes to pfSense. Like with IPv4 there is no support for automatic client DNS nameregistration in IPv6, so either you have to register all clients/servers manually (SLAAC clients and Static IP clients) or in some products the DHCPv6 server can register its clients in DNS - but not on pfSense though (so manually it is….).

Also - IPv6 on most/all clients use something called privacy extensions, so if you use SLAAC you cannot create pr. Client outbound firewall rules. You have to allow og deny everything equally for the intire subnet.
With privacy extensions clients will pick a new random IPv6 address every day for oubound connections.

You could experiment with the new MAC address based firewall rules though…

@rsaanon, looking for an update.

Did you ever get IPv6 working smoothly with Google Fiber?
Do you still have Google Fiber? What is your PD size now?

@jimp said in pfSense host gets IPv6 from ISP (Google Fiber) but not LAN clients:

I just showed you what a working setup looks like and what a working server sends. Your server is not sending that, thus your server is not working properly.

Getting a working WAN address is not the same as getting a working and viable prefix delegation from upstream. One can work while the other is broken.

Looks like I was lacking "rapid commit" under advanced IP options. I tried to post instructions here but it keeps getting flagged as Spam. Check out https://www.reddit.com/r/PFSENSE/comments/1duuc6o/ipv6_troubles_unstable_pppoe_ipv6_address_via/ for the full post.

@JonathanLee said in IPv6 HE tunnel broker and Netflix quick fix idea:

This fixed my issues 100% anyone else parse AAAA and A dns records like this?

That issue is very old.

Hit the search button - its just above :

979fea0f-8b0a-4338-afa4-9be21a3aeefa-image.png

The issue has even a pfBlockerng solution made for it :

99d7ab85-cb14-44e3-958e-e48648d7256f-image.png

Check the check box.
Add all the host names that should not be resolved to AAAA.
Done.

@JonathanLee

Yes, I've been aware of that for coming up on 30 years.

@JonathanLee said in HE tunnel broker questions:

I went the old way of wan only

The old way ?
If your uplink is rather big, like a Gigagbit or way more, it's the dangerous way.

Incoming, Internet originated traffic, is normally dropped without any further actions taken.
If you decide to have that traffic analyzed by, for example, snort, then you expose yourself to a much greater DOS risk : the more traffic comes in, the harder snort is going to "snort" on it.
Now, all it takes it : I, with my bots, send you a loads of 'suspect' traffic and your firewall comes to a crawling halt.
Remember : you can not stop the the traffic coming into your WAN, only your ISP can. If you want to spend a zillion CPU cycles on every bad packet, and lots of these are coming in, your firewall will get overloaded.

@JonathanLee don't use bang rules.. If you don't want lan net to talk to opt net, then put in a block rule for opt net above your allow. Yes the network/subnet aliases would be the ipv4 or ipv6 networks on said interfaces.

@lmat said in Static IPv6 "gateway does not lie within one the chosen interface's subnets":

I ran the packet capture for several minutes: tcpdump -vvv -ttt -i igb0 icmp6; and got the following:

Use the packet capture that's in pfSense. You may have to install it. Then post the capture file here. It's a lot easier to examine the capture with Wireshark that what packet capture displays.

Here's what a router advertisement looks like in Wireshark:

ae550191-613d-491b-bc38-83746130322c-image.png

And when expanded, selecting IPv6 info:

1f6587bd-bae2-4ff2-8f09-66e18495c283-image.png

@Shack

Why not just go with IPv6 and get rid of all the crap that's become necessary to keep IPv4 going? Stuff like NAT break things and CGNAT even more things. Because of NAT we need STUN for VoIP and some games. So, it's hack upon hack just to get around the IPv4 address shortage. On top of this, IPv6 cleans up some of the things in IPv4. For example, ARP predates IPv4 and was used because it was available. With IPv6, the functionality of it has been rolled into ICMPv6 with some other features added. Other things improve security and more. According to Vint Cerf, the guy who created it, IPv4 was intended only as a proof of concept and he expected the final protocol would have a much larger address space.

With my ISP, I have a single IPv4 address which requires NAT to support multiple devices. With IPv6, I get a /56 prefix, which provides 256 /64s, each of which contains 18.4 billion, billion addresses. NAT also breaks the end to end transparency, which the network gods had intended. 😉