Netgate Discussion Forum

    A verrry basic ipv6 question

      MrPete

      For the first time, I'm exploring ipv6.
      I have a working ipv4 pfSense, even including CARP. For now, I'd just like "basic" ipv6 to work on my primary.

      Context:

      • Centurylink, static ip
      • ipv6 via 6rd
      • I'm getting my v6 ip seemingly correctly

      Issue: outgoing is simply not working... from pfSense

      (Tested with ping6 while monitoring tcpdump)

      My one thought, but can't see a fix:

      • Default v6 gateway is correctly wan_stf... but NOT an fe80:: local address. And wan_stf doesn't have one of those.
      • So, what should this look like?

      Hints MOST welcome! Details below.

      Thanks!
      Pete

      wan_stf: flags=4041<UP,RUNNING,LINK2> metric 0 mtu 1472
              inet6 2602:xx:xxxx:d300:: prefixlen 24
              groups: stf
              v4net x.x.x.x/32 -> tv4br 205.171.2.64
              nd6 options=101<PERFORMNUD,NO_DAD>

      v6 routes (netstat -rn)
      Internet6:
      Destination           Gateway               Flags   Netif     Expire
      default               2602:xx:xxxx:4000::   UGS     wan_stf
      ::1                   link#5                UH      lo0
      2602::/24             link#16               U       wan_stf
      2602:xx:xxxx:d300::   link#16               UHS     lo0
      ....

        MrPete @MrPete

        I forgot to include: I can't even ping6 the gateway address. Seems like I am missing something very basic.

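An added illustration (not part of any post in this thread, and not pfSense code): the RFC 5969 6rd address mapping applied to the values visible in the first post, showing that a default gateway of the form 2602:xx:xxxx:4000:: is what the border relay 205.171.2.64 looks like inside 2602::/24, so it is a global address rather than an fe80:: one. It assumes an IPv4 mask length of 0, uses 198.51.100.211 as a constructed stand-in for the masked WAN address, and all function names are hypothetical.

```python
import ipaddress

def sixrd_prefix_for(sixrd_prefix, ipv4, v4_mask_len=0):
    """RFC 5969 mapping: 6rd prefix followed by the low (32 - v4_mask_len) IPv4 bits."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - v4_mask_len
    plen = net.prefixlen + v4_bits
    if not 0 <= v4_mask_len <= 32 or plen > 64:
        raise ValueError("6rd prefix length plus IPv4 bits must fit in a /64")
    suffix = int(ipaddress.IPv4Address(ipv4)) & ((1 << v4_bits) - 1)
    base = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((base, plen))

def embedded_ipv4(ipv6, sixrd_prefix, v4_mask_len=0, v4_common="0.0.0.0"):
    """Recover the IPv4 address carried inside a 6rd IPv6 address."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside the 6rd prefix {net}")
    v4_bits = 32 - v4_mask_len
    low_mask = (1 << v4_bits) - 1
    low = (int(addr) >> (128 - net.prefixlen - v4_bits)) & low_mask
    # Bits shared by every customer address (v4_mask_len > 0) come from v4_common.
    high = int(ipaddress.IPv4Address(v4_common)) & (0xFFFFFFFF ^ low_mask)
    return ipaddress.IPv4Address(high | low)

def gateway_is_border_relay(gateway, sixrd_prefix, br_ipv4, v4_mask_len=0):
    """True when the IPv6 default gateway is the BR's IPv4 address in 6rd form."""
    try:
        found = embedded_ipv4(gateway, sixrd_prefix, v4_mask_len, br_ipv4)
    except ValueError:
        return False  # e.g. an fe80:: next hop is not inside the 6rd prefix
    return found == ipaddress.IPv4Address(br_ipv4)

if __name__ == "__main__":
    PREFIX, BR = "2602::/24", "205.171.2.64"  # both visible in the first post
    WAN = "198.51.100.211"                    # constructed stand-in for x.x.x.x
    print("delegated prefix:", sixrd_prefix_for(PREFIX, WAN))
    gw = sixrd_prefix_for(PREFIX, BR).network_address
    print("BR in 6rd form:  ", gw)
    print("matches BR:      ", gateway_is_border_relay(str(gw), PREFIX, BR))
```
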
          johnpoz LAYER 8 Global Moderator @MrPete

          @mrpete 6rd is a bit of a hack..

          https://docs.netgate.com/pfsense/en/latest/interfaces/configure-ipv6.html#rd-tunnel

          here is a CL user.. That has a guide up for using that with pfsense
          https://potatoforinter.net/553/centurylink-ipv6-with-pfsense/

          if it was me, and my isp was just going to tunnel IPv6 to me anyway - I would prob just use the Hurricane Electric tunnel. Way more info with people setting that up, and they will give you a /48 that you can use, and allow you to set PTRs for it, etc. And if you happen to move to another isp, you can still keep your /48.. I have had mine for like 11 years or so, and multiple isps during that time. Current one doesn't have any ipv6 support ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            MrPete @johnpoz

            @johnpoz That's a good insight ;)

            I'll check it out...

              johnpoz LAYER 8 Global Moderator @MrPete

              @mrpete if you end up going with HE, and need any help or have questions - just ask. Been using HE with pfsense for years.. It's a pretty easy setup to be honest. And they have pops all over the globe so should be able to find one in your neck of the woods.

                JKnott @johnpoz

                @johnpoz

                Don't they require a static address? That's one thing I noticed when I was considering them.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                  johnpoz LAYER 8 Global Moderator @JKnott

                  @jknott said in A verrry basic ipv6 question:

                  That's one thing I noticed when I was considering them.

                  No.. They need to be able to ping your IP.. if your isp is one that changes your IP every hour or something you might have an issue.. But I have a dynamic IP, and it hasn't changed in years..

                  Normally a dhcp assigned IP would stay the same, it is how dhcp is designed to work, you get an IP, and then renew it at the 50% mark of the lease. In theory your IP could be that same IP forever.. As long as you do not turn off your device for some extended period, or change the device so you get a different mac. But if your new device had the same mac (say clone of previous mac) you would still get the same IP.

                  https://ipv6.he.net/certification/faq.php
                  My IPv4 endpoint address is dynamic. Can I still create a tunnel? If yes, what do I need to do when my IP address changes?

                  Yes, you can still create a tunnel even if you are using a dynamic IPv4 endpoint address. If your IPv4 endpoint address changes, you can either login to the tunnelbroker.net page and update your IPv4 endpoint address or use https://ipv4.tunnelbroker.net/nic/update which is designed to be used to update your IPv4 endpoint address.

                  edit:
                  If your IP is just changing on the fly for no real reason, I would assume you would have some sort of blip in your tunnel.. But if your IP is changing like that I would think you would have all kinds of blips anyway ;)

                    Bob.Dig LAYER 8 @johnpoz

                    @johnpoz There is a Dynamic DNS client for HE.net tunnelbroker in pfSense.

                      johnpoz LAYER 8 Global Moderator @Bob.Dig

                      @bob-dig yeah I do believe so - was just linking to their faq as answer to the question.

                      There are prob multiple ways to update the ddns IP.. they have like an api you use.

                      I believe you use the tunnel ID for the hostname in the HE setup.

                      And then you can generate the api key in the dns setup on HE

                      Here is a link to their forums with info about the ddns setup
                      https://forums.he.net/index.php?topic=1994.0
                      Dyn-compliant Endpoint Updates

                      I have never needed to set it up - because my IP while dynamic hasn't changed in years, over multiple ISPs. Once I got an IP from the isp, it stayed the same unless I changed the mac of the device connected to their modem.

                        JKnott @johnpoz

                        @johnpoz

                        I don't need it for myself, as I get native IPv6 from my ISP, but a friend was wondering about getting IPv6. As I've mentioned before, my IPv4 is virtually static and my host name only changes with hardware MAC addresses. When I was looking at he.net for myself I asked them if a host name was suitable and they said no. Prior to getting IPv6 from my ISP, I used another tunnel broker that required installing client software. They had one for Windows, but Linux, Mac and BSD users had to compile theirs. They also sold a box that acted as a client, but they gave me one for free for all the help I was providing others¹. One other thing they had, which was quite useful was a single address mode. While I got a /56 prefix on my Linux firewall, I also ran the client in single address mode, when I was away from home with my notebook computer.

                        1. They also wanted me to do a presentation at some IPv6 conference in Los Angeles, but I declined.

                          johnpoz LAYER 8 Global Moderator @JKnott

                          @jknott yeah I didn't think you did ;)

                          I was just filling out the blanks for anyone else reading the thread is all.

                            MrPete @johnpoz

                            @johnpoz Thanks. Gonna shut down my ipv6 experiment for the next few days of Christmas and come back to it. ;)

                            FWIW I have static IP, so that is not an issue.
                            I see a lot of bugfixing in this area in OpnS***** ...maybe the two communities have something to learn from one another. ;)

                              JKnott @MrPete

                              @mrpete

                              HEY!!! Get your priorities straight!!! 😉 🎅

                              BTW, isn't OPNsense based on pfsense? A friend of mine runs it and seems to like it.
