IPv6 routing over VPN
-
Hello,
I have a problem to understand the IPv6 routing over a VPN.
The IPv4 configuration works without problems, but the same IPv6 way doesn't.
My setup is as follows:
external VPS (with a /64 IPv6 network and currently one IPv4) (Wireguard, NAT) <-> pfSense (NAT) <-> DMZ serverThe IPv4 way is configured like this:
on the VPS (the Wireguard interface has the 10.56.0.1):
10.56.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wg0on the pfSense on the Wireguard client interface:
10.56.0.0/24 link#13 U tun_wg2 10.56.0.5 link#13 UHS lo0on the pfSense DMZ interface (10.255.254.2) I have configured a static route:
192.168.201.0/24 3c:ec:ef:70:6d:ba US igb2and the route back on the DMZ server:
default 10.255.254.2 0.0.0.0 UG 0 0 0 ens18 10.255.254.2 0.0.0.0 255.255.255.255 UH 0 0 0 ens18Also I have configured a NAT with the source network 192.168.201.0/24 over the VPN interface address.
With IPv4 that works without any problems. But, when I configure it in the same way for the IPv6 connection it seems that the pfSense cannot route over the VPN tunnel.
So, where is my misconception?
-
@waldy327 said in IPv6 routing over VPN:
Also I have configured a NAT with the source network 192.168.201.0/24 over the VPN interface address.
With IPv4 that works without any problems. But, when I configure it in the same way for the IPv6 connection it seems that the pfSense cannot route over the VPN tunnel.
So, where is my misconception?Are you using NAT for IPv6? Do you not have multiple /64s to work with? I use OpenVPN and assign it it's own /64 prefix.
-
@jknott said in IPv6 routing over VPN:
Are you using NAT for IPv6? Do you not have multiple /64s to work with? I use OpenVPN and assign it it's own /64 prefix.
Yes, I tried it with NAT like the IPv4 way, but it does not work. When I ping the pfSense's gateway address directly it works, but other outgoing IPv6 connections to other targets seems not to be routed correctly.
btw.: I have only one /64 for the VPS, so I want to use the network only partial at home.
-
@waldy327 What is on the VPS?
-
-
@waldy327 WireGuard Server is what OS?
-
-
@waldy327 said in IPv6 routing over VPN:
btw.: I have only one /64 for the VPS, so I want to use the network only partial at home
Can you spare another? Also, you can always use Unique Local Addresses for the tunnel.
-
@jknott said in IPv6 routing over VPN:
Can you spare another? Also, you can always use Unique Local Addresses for the tunnel.
No. But the tunnel is not the problem. Here I already use Unique Local Adresses.
Here is my IPv6 configuration, maybe it helps to solve my problem:
Wireguard Server:
[Interface] Address = 10.56.0.1/24, fe00::1/64 PrivateKey = ******************** ListenPort = 51820 [Peer] PublicKey = ******************** AllowedIPs = 10.56.0.5/32, fe00::2/128, 2001:********************::/64At the wireguard client side (the pfSense) I use the fe00::2. This works.
But the routing/NAT between my DMZ server and the pfSense is not working:
On the pfSense DMZ interface (which I gave no IPv6 ip) I have the following static route:
2001:******************** 3c:ec:ef:70:6d:ba UHS igb2On the DMZ server (with the ip 2001:********************:21/128) I configured the route back as the host route:
[::]/0 fe80::3eec:efff:fe70:6dba UGH 1024 3 0 ens18And here comes my problem:
Direct ping to fe80::3eec:efff:fe70:6dba (the pfSense's link local address) works. But no NAT or routing to other targets.