How to configure dhcp6 service?
-
Good morning,
I have been a private and French user of Pfsense for almost three years.Unfortunately on the French part of the forum, I did not get the long-awaited help, I hope you will be able to help me.
I decided there little, to install at home a mail server running under Ubuntu server (latest version).
The mail server works via mailinabox.I have a router provided by my internet provider, I created a DMZ to the PFsense IP (latest stable version) (192.168.0.27)
I created my port forwardings to the mail server for ports (22,53,80,443) and many others to the server ip (19.21.27.86)
But mailinabox wants the same in ipv6.For the moment the dhcp6 service is not activated, and I won't even know how to configure it, that's where I need help.
How do you configure the dhcp service under Pfsense so that it assigns ip v6?
In the router interface of my internet provider, I have an ip v6 local link of the type:
fe80::3I have the public ip address
2a01:eand style prefixes
2a01:e0a:85f:
with each prefix a Next HOP fieldI hope you can help me.
Thanks in advanceGreat night
Manu
-
@arobase13 Can your first router delegate the prefix to pfSense? Name the router and your ISP, maybe someone can tell for sure. And email doesn't need IPv6, it should work without it.
-
My internet provider is Free, I use a Freebox Delta.
The mail server works well with ipv4.But, I think that if I could master ipv6 it will be beneficial for me.
-
@arobase13 said in How to configure dhcp6 service?:
My internet provider is Free, I use a Freebox Delta.
I wish my internet would be free.
But serious, many cheap routers can't delegate, so you have a problem right there. But let's see, maybe someone knows for sure.
-
If you have any Android devices, you do not want to use DHCPv6. Thanks to some genius at Google, Android does not support DHCPv6.
-
Here is the configuration in pfsense
Here is the info in the router
Sorry, that's a lot of pictures.
-
Salut
I'm not using 'Free', but 'Orange' (Livebox). My ISP has a somewhat workable these days.
IPv6 in France isn't easy - or, also possible, I didn't understand everything yet.
Look here, that me posting on a french forum : Livebox 6 mais pas trĂšs 'pro'.
https://lafibre.info has a lot of info about all ISPs.What you probably should do, is using DHCP (v6, client !) for IPv6 on your WAN interface, not a static setup.
pfSense will ask for a prefix or delegation, which is most often a /64 'block' that you can use by "Tracking" that block on the LAN interface. Activate also the DHCPv6 server on your LAN, create a pool, etc.
If the /64 you got from the Freebox (for your LAN) is always the same, you could, as you've shown, ad a static IPv6 on your LAN interface.
The first xxxxx::1 will be the LAN IPv6 of pfSEnse, and, for example, xxxx:2 to xxxxx:100 as a IPv6 pool on your LAN. That's what I'm doing right now.Btw, as @bob above, IPv6 is advised, as IPv4 is old (stupid, and a burden to support and we love it) but not mandatory.
Far more important is : is your reverse of your IP identical to the host (domain) name you use mail server ? Can Free offer you that ?
Exampe :
If have a mail server with the domain : "test-domaine.fr" :root@ns311465:~# host test-domaine.fr test-domaine.fr has address 5.196.43.182 test-domaine.fr has IPv6 address 2001:41d0:2:927b::15 test-domaine.fr mail is handled by 10 mail.test-domaine.fr.Now, the other way around :
root@ns311465:~# host 5.196.43.182 182.43.196.5.in-addr.arpa domain name pointer mail.test-domaine.fr. root@ns311465:~# host 2001:41d0:2:927b::15 5.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.7.2.9.2.0.0.0.0.d.1.4.1.0.0.2.ip6.arpa domain name pointer mail.test-domaine.fr.I doubt if Free can do 'reverse' for you (I doubt it)
If you want to receive - or send mail to - from gmail, or the others, like hotmail, yahoo, this is not an option.
You'll find out that a mail server doesn't belong on a ISP 'home' IPv4 or IPv6 connection. -
Hi,
actually ipv6 addresses seem not very well managed even by Free.After much testing, Pfsense finally assigns an ipv6.
So, question, how do you do a nat redirect? -
@arobase13 said in How to configure dhcp6 service?:
actually ipv6 addresses seem not very well managed even by Free.
What all ISPs (in France) manage these days, is that their box has a /64 or bigger for the LAN of the box.
So, every Freebox LAN device can get a Ipv6 out of a /64 pool. Somewhat comparable with how DHCPv4 works.When you place a router (pfSEnse) after your ISP router (the Freebox), pfSEne will askan IPv6 like any other Freebox router LAN device.
That's the IPv6 starting with "2" on your WAN :
But another thing happens : pfSEnse also asks for a /64 prefix.
This prefiux is used for your pfSense LAN :In my case, Orange, my Liebox has - in theory - a /56 for me.
2a01:cb19:907:a6dc
The livebox gave prefix "dc" or number 220 decimal is used for my LAN usage.
My LAN is static hardcoded to 2a01:cb19:907:a6dc::1My DHCPv6 server LAN pool is :
The isssue with Orange / Livebox, is :
If I had another LAN interface, I should be able to ask another prefix, not neing "sc" but for example "a0". Anytrhing from :00 to :ff or 256 prefexes.
Because that the difference between a /56 and a /64 : there are 256 ($ff) blocks or prefixes of /64 in a /56.
The issue is : it "works" , but "nothing" works when I do that.My Livebox tells me it allocated the "dc" prefix top my pfSEnse :
You can see that :
2a01:cb19:907:a600::/56 is for me to use. All these are routed to me.
2a01:cb19:907:a600:92ec:77ff:fe29:392a is an IPv6 out of the first /64, that's the LAN of my Livebox, the IPv6 is attributed to the device called pfSense, and is the WAN IP of my pfSense.
pfSense, as it is a router, also asked for a /64, and got number "dc". Why not "01" or some other number : I don't know.I can "ping6" my IPv6 WAN pfSense :
C:\Users\gwkro>ping -6 2a01:cb19:907:a600:92ec:77ff:fe29:392a Envoi dâune requĂȘte 'Ping' 2a01:cb19:907:a600:92ec:77ff:fe29:392a avec 32 octets de donnĂ©es : RĂ©ponse de 2a01:cb19:907:a600:92ec:77ff:fe29:392a : temps=28 ms RĂ©ponse de 2a01:cb19:907:a600:92ec:77ff:fe29:392a : temps=17 ms RĂ©ponse de 2a01:cb19:907:a600:92ec:77ff:fe29:392a : temps=17 ms RĂ©ponse de 2a01:cb19:907:a600:92ec:77ff:fe29:392a : temps=17 msThis works because I have this rule on pfSense WAN :
For SSH TCP traffic to go to my pfSense WAN, I create also "firewall rules" in my Livebox :
Now I can access SSH of pfSense
When I add a https firewall rule :
I can access the https GUI of pfSense using it's WAN IPv6.
The issue with Orange (Liebox) : no way to make rules on the Livebox that make me pass traffic to the "dc" prefix, so no way to access my IPv6 LAN IPv6 on pfSense.
My Livebox rules only operate in prefix "00".
@arobase13 said in How to configure dhcp6 service?:
So, question, how do you do a nat redirect?
That's the easy part.
Write it on the wall : NAT isn't needed with IPv6.
The IPv6s used are all routable.For example, I have a diskstation Synology NAS on my pfSense, it has a IPv6 using the "dc" prefix : 2a01:cb19:907:a6dc::c2
My pass all IPv6 on my pfSense passes all IPv6 traffic.
But impossible to inform my Livebox it should accept traffic with that destination = 2a01:cb19:907:a6dc::c2 .With a NAT hack, I can access my diskskation :
I IPv6 NAT traffic coming into my pfSEnse WAN = 2a01:cb19:907:a600:92ec:77ff:fe29:392a port 22 TCP to 2a01:cb19:907:a6dc::c2
Take note : this is a NAT pass rule :
A special, non default NAT option is used :
So when I access the IPv6 of my pfSEnse WAN, port 22 TCP, it gets redirected on my LAN to 2a01:cb19:907:a6dc::c2
This is a hack. Good Ipv6 only needs firewall rules. No IPv6 address rewriting. -
Only Android devices, don't seem to have ipv6.
I put a capture of my NAT redirects, but in ipv6 does not work. -
@arobase13 said in How to configure dhcp6 service?:
Only Android devices, don't seem to have ipv6.
Yep, as I mentioned above, some genius at Google decided Android users don't want to use DHCPv6. Use SLAAC on your LAN