help converting from ipv4 to ipv6
-
I have a reasonably successful history of using IPv4 and running a pfSense firewall on this protocol, but the conversion to IPv6 seems a mystery to me.
I'm looking for some practical help making the leap to ipv6.
Any thoughts, tutorials, videos, links, ideas or advice on practical implementation of IPv6 (in pfSense) would be really appreciated.
Background:
I have tried to get my head around IPv6 several times and just can't find the clarity of understanding to link the simple functionality of IPv4 to IPv6; it seems to be a totally different world.
I keep getting lost down the rabbit hole and ultimately have given up wasting more time understanding it, and just firewalled off IPv6 traffic, turned off DHCP6 and ignored its existence.
This has been an oddly effective solution, but I'm starting to get devices that don't like this as an answer (Apple products mostly don't fall back to IPv4 nicely and keep trying to use IPv6, and it seems to be causing problems).

For the most part I have the firewall allowing only specific needed ports to nominated devices, with static IP addresses locking devices where I need them. (Again, perhaps this is overkill, but it has served me well thus far and made my system simple to understand whilst improving my understanding of network traffic.)
Questions:
-
Is there a simple way to make the leap to ipv6?
Is IPv6 really as painful as I think it is? (I thought it was designed to make things quicker and easier)
All my firewall rules are based on allowing specific IP addresses & ports for specific devices and protocols (or occasionally aliased groups of devices).
I find that fixed IP addresses make identifying device problems in the logs quite intuitive, but under IPv6 with the giant strings it can take some time just to identify the device that is causing trouble.
Is there a practical way to alias devices (preferably grouped between IPv4 & IPv6) so they can be identified / used more quickly in logs or firewall rules?
I'm nervous about blanket opening up IPv6 ports without a solid understanding of what it's truly allowing, though, and to where, and how the traffic is being controlled.
What is a practical way to ensure I don't do anything dumb and defeat the purpose of having a reasonable firewall?
-
@nononsense said in help converting from ipv4 to ipv6:
I'm nervous about blanket opening up IPv6 ports without a solid understanding of what it's truly allowing, though
Understandable; however, it's one of those things that one has to jump right into. You can start by allowing IPv6 to WAN. Search the web, there is lots of info, like here: https://docs.netgate.com/pfsense/en/latest/network/ipv6/addresses.html
-
@nononsense said in help converting from ipv4 to ipv6:
Questions:
- Is there a simple way to make the leap to IPv6?
Is IPv6 really as painful as I think it is? (I thought it was designed to make things quicker and easier)
Initially it's as painful as you think, just because it's quite different to IPv4, and you're expecting to be able to use normal firewall rules and rely on DHCP & port forwarding etc. to avoid doing anything too stupid. The good news is the default setup allows you to communicate out and blocks pretty much everything coming in uninvited. Get that working and see if it seems to be working correctly before getting into the port- and device-specific stuff.
- All my firewall rules are based on allowing specific IP addresses & ports for specific devices and protocols (or occasionally aliased groups of devices).
I find that fixed IP addresses make identifying device problems in the logs quite intuitive, but under IPv6 with the giant strings it can take some time just to identify the device that is causing trouble.
That's still possible with IPv6 if the device supports/allows it. The few devices I want to allow stuff inbound to have fixed IPv6 addresses, either through DHCPv6 or more usually by fiddling with config files in a Linux box. Usually a device with a DHCPv6 address will also have an autogenerated address as well, so it's a lot harder to filter based on individual IPv6 addresses, as by preference most devices use autogenerated IPv6 addresses for comms and change them or generate new ones quite regularly. It's the most annoying feature of IPv6 for me.
Is there a practical way to alias devices (preferably grouped between IPv4 & IPv6) so they can be identified / used more quickly in logs or firewall rules?
The thing is that DHCPv6 logs and IPv6 logs don't show MAC addresses, so matching an IPv6 address to a device isn't straightforward. I've not found a solution to that, other than the few devices where I use fixed addresses only and pretty much turn off SLAAC.
- I'm nervous about blanket opening up IPv6 ports without a solid understanding of what it's truly allowing, though, and to where, and how the traffic is being controlled.
What is a practical way to ensure I don't do anything dumb and defeat the purpose of having a reasonable firewall?
The defaults are pretty good to start off with. Just remember that for IPv6, ICMP is a lot more than ping and is critical for general comms, so don't block all ICMP.
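The device-identification problem raised above (IPv6 logs don't show MACs, and SLAAC privacy addresses change) can be partly worked around with a small lookup script. The following is an added example, not code from this thread or from pfSense: it keeps a constructed inventory of device names with their MAC and any fixed IPv4/IPv6 addresses, derives the predictable EUI-64 SLAAC address from each MAC (the one address form that can be computed from a MAC), and names every address found in a log line. The prefix, MACs, addresses and the log line are all constructed placeholders; RFC 4941 temporary addresses are random and will correctly come back as "unknown", which is the caveat the reply above describes.

```python
"""Added example: alias IPv4 and IPv6 addresses back to device names.
Everything in the inventory and the sample log line is constructed."""
import ipaddress
import re

# Constructed LAN prefix (RFC 3849 documentation range), standing in for the /64 pfSense hands out.
LAN_V6_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:1::/64")

# Constructed inventory: friendly name -> MAC plus fixed addresses
# (static IPv4 leases, DHCPv6 reservations or hand-configured IPv6).
DEVICES = {
    "printer": {"mac": "3c:52:82:11:22:33",
                "static": ["192.168.1.20", "2001:db8:abcd:1::20"]},
    "nas":     {"mac": "00:11:32:44:55:66",
                "static": ["192.168.1.30"]},
}


def eui64_address(prefix, mac):
    """Build the modified EUI-64 SLAAC address (RFC 4291 appendix A) for a
    MAC inside a /64. Only addresses formed this way can be predicted from
    the MAC; RFC 4941 temporary (privacy) addresses are random and will not
    match anything in the inventory."""
    octets = [int(x, 16) for x in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(octets[0:3] + [0xFF, 0xFE] + octets[3:6])  # insert ff:fe in the middle
    return ipaddress.IPv6Address(int(prefix.network_address) + int.from_bytes(iid, "big"))


def build_alias_table(prefix=LAN_V6_PREFIX, devices=DEVICES):
    """Address object -> device name, merging IPv4 and IPv6 under one name."""
    table = {}
    for name, info in devices.items():
        for addr in info["static"]:
            table[ipaddress.ip_address(addr)] = name
        table[eui64_address(prefix, info["mac"])] = name
    return table


ALIASES = build_alias_table()


def identify(addr_str):
    """Device name for an address, or 'unknown' (typically a privacy
    address or a host that is not in the inventory)."""
    return ALIASES.get(ipaddress.ip_address(addr_str), "unknown")


# Candidate tokens only; ipaddress decides which ones are real addresses.
_ADDR_TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def devices_in_log_line(line):
    """Return [(canonical address, device name)] for every address in a log line."""
    found = []
    for tok in _ADDR_TOKEN.findall(line):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            continue  # timestamps, ports, hex fragments of words, etc.
        found.append((str(addr), identify(str(addr))))
    return found


if __name__ == "__main__":
    # Constructed log line; the field layout is illustrative, not pfSense's filterlog format.
    line = ("12:34:56 block igc0 src=2001:db8:abcd:1:3e52:82ff:fe11:2233 "
            "dst=2001:db8:abcd:1::1 proto=tcp dport=445")
    for addr, name in devices_in_log_line(line):
        print(f"{addr:40} {name}")
```

Feeding the address column of an exported firewall log through `identify()` gives the same "which device was that" answer for both address families; hosts that keep showing up as "unknown" with a changing interface identifier are almost always privacy addresses, which is the case the reply above says it works around by using fixed addresses and turning SLAAC off for those devices.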
-
@nononsense said in help converting from ipv4 to ipv6:
I have a reasonably successful history of using IPv4 and running a pfSense firewall on this protocol, but the conversion to IPv6 seems a mystery to me.
I'm looking for some practical help making the leap to IPv6.
Any thoughts, tutorials, videos, links, ideas or advice on practical implementation of IPv6 (in pfSense) would be really appreciated.
For the most part, IPv6 works the same as IPv4, but with much larger addresses. Things like ARP are replaced with neighbor solicitation, etc. You also don't have to configure anything on the client, as SLAAC handles all that. You also don't worry about subnet size, as LANs always have a /64 prefix. With SLAAC, router advertisements provide all the info a client needs to work. While DHCPv6 is available, generally SLAAC does all you need. Also, Android doesn't work with DHCPv6. You can thank some genius at Google for that.

You should also have several /64 prefixes available, for multiple networks. For example, I get a /56 prefix from my ISP. This provides 256 /64 prefixes. I use one for my main LAN, another for my guest WiFi, OpenVPN, a test LAN, etc. Also, all devices will normally get public addresses, though you can also configure a network to use Unique Local Addresses, either by themselves or along with public addresses.
You will also have to unlearn some bad habits that you picked up with NAT and the IPv4 address shortage.
If you want to get into the nitty-gritty details of IPv6, I can recommend IPv6 Essentials.
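The prefix arithmetic in the reply above (a /56 from the ISP yields 256 /64s, one per LAN, guest WiFi, OpenVPN, test network, plus optional ULAs) is easy to get wrong by hand with 128-bit addresses. As an added example, not from this thread or from pfSense, the script below carves a delegated prefix into /64s using an explicit subnet ID per network so the numbering stays stable when networks are added, counts how many /64s a delegation really contains, and builds an RFC 4193 Unique Local Address /48 that can be carved the same way. The prefixes, network names, subnet IDs and the ULA global ID are constructed placeholders.

```python
"""Added example: carve a delegated IPv6 prefix into per-network /64s.
All prefixes and names here are constructed placeholders."""
import ipaddress


def count_64s(delegated):
    """How many /64 networks fit in a delegated prefix (256 for a /56)."""
    return sum(1 for _ in ipaddress.IPv6Network(delegated).subnets(new_prefix=64))


def carve_prefix(delegated, subnet_ids):
    """Split a delegated prefix into one /64 per network.

    subnet_ids maps a network name to an explicit subnet ID (the bits between
    the delegated prefix and the 64-bit interface ID). Pinning the ID means
    adding a network later never renumbers the existing ones. Returns
    name -> /64 as a string; raises if an ID does not fit the delegation."""
    block = ipaddress.IPv6Network(delegated)
    if block.prefixlen > 64:
        raise ValueError("need a /64 or shorter prefix to carve /64s")
    available = 2 ** (64 - block.prefixlen)  # 256 for /56, 65536 for /48
    nets = {}
    for name, sid in subnet_ids.items():
        if not 0 <= sid < available:
            raise ValueError(f"{name}: subnet id {sid:#x} exceeds the "
                             f"{available} /64s in {block}")
        # Subnet ID sits directly above the 64-bit interface identifier.
        net = ipaddress.IPv6Network((int(block.network_address) + (sid << 64), 64))
        nets[name] = str(net)
    return nets


def make_ula_prefix(global_id):
    """RFC 4193 ULA prefix: fd00::/8 followed by a 40-bit global ID -> /48.
    The global ID should be generated randomly once per site; it is a
    parameter here so the result is reproducible."""
    if not 0 <= global_id < 2 ** 40:
        raise ValueError("global id must be 40 bits")
    return str(ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48)))


if __name__ == "__main__":
    # Constructed /56 delegation (RFC 3849 documentation range).
    isp_pd = "2001:db8:ab00::/56"
    plan = {"lan": 1, "guest": 2, "openvpn": 3, "test": 4}
    print(f"{isp_pd} contains {count_64s(isp_pd)} /64s")
    for name, net in carve_prefix(isp_pd, plan).items():
        print(f"  {name:8} {net}")
    # Constructed global ID; generate your own randomly per RFC 4193.
    ula = make_ula_prefix(0x0123456789)
    print(f"ULA site prefix {ula}")
    for name, net in carve_prefix(ula, plan).items():
        print(f"  {name:8} {net}")
```

Because the same `carve_prefix()` works for the ISP's global delegation and for the ULA /48, each network can be given the same subnet ID in both, which keeps the "public plus ULA on the same LAN" arrangement mentioned above readable in rules and logs. The range check is the part worth keeping: a plan written for a /48 will silently overflow a /56 unless something refuses subnet IDs above 255.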