PFSense - Deliver IPv6 over OpenVPN Tunnel
-
I have a Gateway router and I am currently trying to set up a PFSense + OpenVPN Tunnel. However, I am having problems with IPv6 connectivity.
The FGW is configured with the DMZ for the PFSense Internal IP.
Below are the PFSense configs:
PFSense in its current configuration has IPv6 connectivity, but tunnel clients in tests give 0/10.
WAN Interface
WAN Firewall
OpenVPN Firewall
OpenVPN Tunnel Config -
I see you have DHCP6 for the configuration type. It's normally track interface, so it can get the prefix from your WAN connection. Also, you mention you have a gateway router. Is it in bridge or gateway mode? You want bridge mode.
-
@JKnott I'm relatively new to IPv6. Do I need to configure my carrier gateway in Bridge mode? Wouldn't pfsense inform my FiberGW that it has the IPv6 block? I think that's what you mean by track mode? The FGW uses DHCPv6 and SLAAC; at least I manage to have external pfsense connectivity with both methods. The FGW has the following IPv6 Prefix: 2001:8a0:ed69:9e00::/56
-
I cannot speak about your ISP specifically, but with consumer level IPv6, the normal method is DHCPv6-PD on the WAN interface. With this, the ISP provides a prefix for all your addresses. My ISP provides a /56 prefix, which can be split into 256 /64 prefixes. Each LAN interface gets its own /64, which contains 18.4 billion billion addresses. On the LAN side, you use track interface to get a prefix. On each interface, you specify the prefix ID. It must be unique for each interface. Does your ISP do things differently?
BTW, get your IPv6 connection going first, then worry about the VPN. It helps if you mention your ISP, as someone here might have experience with them.
-
@JKnott First of all, thanks for the help. I think my ISP does the same. It's a home router. I'm setting this up just in order to get access to my internal network and have IPv6 connectivity even on IPv4-only networks. (Incredible as it may seem, in Portugal only the operators' fixed networks are IPv6. Mobile networks, universities, etc. still only have IPv4.) Currently, PFSense already has connectivity to both IPv4 and IPv6 sites. Unfortunately, today I will not be able to test the track interface, as I am afraid of losing connectivity in both protocols, and currently the only way to access PFSense is via VPN. However, tomorrow around this time I will have these tests performed. I just have a doubt: the PFSense WAN interface receives both IPv4 and IPv6; if I put it as a Track Interface, will I lose IPv4 connectivity? I'll have to do more research on what the track interface is.
-
Yes, you can run IPv6 in a VPN over IPv4. That's the way my VPN is set up. First step is to get IPv6 working on your home network, using what I suggested. Again, please tell us who your ISP is. There may be some unique issues with them. Once you have IPv6 running, then you can use one of your /64 prefixes on your VPN to provide IPv6 elsewhere.
However, start with your modem in bridge mode.
-
@JKnott My ISP is from Portugal, in this case MEO. Within my home network, IPv6 is already working. However, the current scenario is as follows: I have the MEO Gateway in Router mode, and a DMZ configured for the PFSense IP, which is virtualized, so it would not be very useful for me to put the Gateway in Bridge mode, as this server is turned off during the night. As I said above, IPv6 works perfectly at the LAN level; now I just wanted to take it to the tunnel, since PFSense already has IPv6 connectivity as it is indirectly connected to a LAN port on the Gateway. Tomorrow, when I have physical access to that server, I'll test using PFSense with the interface in Track mode to see if I can get something that way. Sorry if I'm making an obvious technical mistake, but I'm completely new to IPv6.
-
If it's in router mode, you will only get a single /64, which you will not be able to use beyond pfSense. It must be in bridge mode for pfSense to do what it has to.
-
@JKnott Therefore, if I have to put the FGW that is currently in routed mode into Bridge mode, this IPv6 implementation phase of the project will be stopped for the time being until I have a physical PFSense device. However, I'm not sure if my ISP assigns a /64 on each LAN port or a larger prefix. What's the best way to see this?
-
I strongly recommend using real hardware for any firewall, not just pfSense. However, with DHCPv6-PD, the ISP provides a prefix, often a /56, which pfSense then splits into multiple /64s for the various interfaces. For example, I use prefix ID 0 for my main LAN and 3 for my guest WiFi VLAN. I also use the same values for the 3rd octet of my IPv4 address block to keep things simple. Also, with IPv6, local LANs are supposed to be /64, which means you don't split off part of it for other networks, VPNs, etc.
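The prefix arithmetic that the two replies above describe (a delegated /56 split into 256 /64s, one per interface, selected by a unique prefix ID; a delegated /64 that cannot be split any further) can be checked offline. The following is an added example written for this thread, not code from pfSense or from any poster; it uses only Python's standard `ipaddress` module, the delegated prefix 2001:8a0:ed69:9e00::/56 quoted earlier in the thread, and the prefix IDs 0 (LAN) and 3 (guest WiFi) from the reply above. The `OPENVPN` interface with prefix ID 4 is an assumed value used to show a tunnel getting its own /64; pfSense's Prefix ID field is taken here to be a hexadecimal value, which is how it is entered in the GUI.

```python
import ipaddress


def count_64s(delegated: str) -> int:
    """How many /64 networks a delegated prefix contains (/56 -> 256, /64 -> 1)."""
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64 and cannot host a LAN")
    return 1 << (64 - pd.prefixlen)


def tracked_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 an interface with the given Prefix ID receives.

    This mirrors what pfSense 'track interface' does: the prefix ID is
    placed in the bits between the delegated prefix length and bit 64,
    so ID 3 under 2001:8a0:ed69:9e00::/56 becomes 2001:8a0:ed69:9e03::/64.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    n = count_64s(delegated)
    if not 0 <= prefix_id < n:
        raise ValueError(
            f"prefix ID {prefix_id:#x} is out of range: {pd} only has {n} /64 network(s)"
        )
    # Shift the ID into the subnet bits (bits 64..127 are the host part).
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def plan_interfaces(delegated: str, prefix_ids: dict) -> dict:
    """Map interface names to /64s, enforcing the rules from the thread:
    every prefix ID must be unique, and every ID must fit in the delegation.
    Returns {interface_name: IPv6Network}."""
    seen = {}
    plan = {}
    for iface, pid in prefix_ids.items():
        if pid in seen:
            raise ValueError(f"prefix ID {pid:#x} used by both {seen[pid]} and {iface}")
        seen[pid] = iface
        plan[iface] = tracked_prefix(delegated, pid)
    return plan


if __name__ == "__main__":
    # Constructed scenario: the /56 from the thread, with the LAN and guest
    # VLAN IDs from the reply above and an assumed ID 4 for the OpenVPN tunnel.
    delegated_56 = "2001:8a0:ed69:9e00::/56"
    for name, net in plan_interfaces(delegated_56, {"LAN": 0, "GUESTWIFI": 3, "OPENVPN": 4}).items():
        print(f"{name:10s} {net}")

    # With the gateway in router mode pfSense only sees one /64, so a
    # second interface (the tunnel) cannot get its own prefix.
    try:
        plan_interfaces("2001:8a0:ed69:9e00::/64", {"LAN": 0, "OPENVPN": 1})
    except ValueError as err:
        print("single /64:", err)
```

Running the script prints the three /64s derived from the /56 and then the error raised when the same plan is attempted against a lone /64; the second case is exactly why the replies insist on getting DHCPv6-PD working on the WAN before assigning a prefix to the tunnel.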