Netgate Discussion Forum

    Matureness of IPv6 generally

    19 Posts 5 Posters 1.5k Views
    • GertjanG
      Gertjan @keyser
      last edited by Gertjan

      @keyser said in Matureness of IPv6 generally:

      IPv6 works okay from endpoints if you use Orange’s Livebox as a router.
      But if you want to use pfSense,

      That's how I use them : ISP <fibre> Livebox6 <2.5 Gbit LAN> pfSense <MyLocalPlayGround>

      3 NAT rules in the Livebox :
      An OpenVPN, endpoint is pfSense WAN - so no double NAT.
      A Munin node running on pfSense - so no double NAT.
      And a double NAT to my pfSense LAN based NAS, so I can use my local NAS as a backup device for my dedicated servers, running in a datacentre in Paris.
      I'm not hosting any mail/web/whatever locally.
      All this works fine.

      I don't bother double (or more) NAT, as, once you know how to NAT, it is soooooo easy.

      I'm not trying to not use the Livebox, by injecting the fibre cable into a pfSense WAN NIC (with some kind of adapter).
      I leave the ISP connection up to the Livebox router.
      I do use the phone connection on the ISP router (Livebox), as it is acting as our 'fax', as the line is free (and while the concept fax still exists - it will die very soon now).

      @keyser said in Matureness of IPv6 generally:

      no delegation on IPv6, just a /64

      See the image above : my Livebox delegates a prefix to pfSense, to be used by pfSense on its LAN. It works.

      @keyser said in Matureness of IPv6 generally:

      Orange Fiber with a SFP ONT module which works flawlessly.

      Once, some day, I'll adventure in that direction.

      @keyser said in Matureness of IPv6 generally:

      But then comes all the IPv6 “trickery” and non standard things Orange applies to make life difficult for customers attempting to not use the Livebox.

      From what I know - and you know better, I guess :
      Some specially crafted DHCP options (encoded MAC+fti/xxx login + password) are needed to get an IPv4, gateway, etc.
      Same thing for DHCPv6.

      @keyser said in Matureness of IPv6 generally:

      Orange Fiber with a SFP ONT

      Interesting.
      Do you have details about the SFP ?
      I'm using a 4100
      The two WAN ports are doubled with SFP slots.
      Maybe I'll do some experimenting with them, if I know what SFP to buy.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • keyserK
        keyser Rebel Alliance @Gertjan
        last edited by

        @Gertjan Hi Gertjan. I know it can be done like you do it (Did not know it would delegate a /64 however).
        But I just think it's cumbersome and annoying as he** to have all that translation and workarounds active. Besides, one of my sites is a remote site where there is no staff to help me out if something goes south with the VPN, and it’s just nice to have the Public IP directly in that case.

        I’m using this particular SFP: https://www.fs.com/de-en/products/133619.html
        in two SG-2100’s, but I had one mounted in my SG-6100 briefly (same NICs as the SG-4100), and it works there too.

        It works completely flawlessly, and all you have to do is register your Livebox GPON serial number and Vendor code in an SSH session (see lafibre.org). Then it’s permanently good to go. Both of mine have been working for 2 years without issues now. The only issue is not Fiber/link related but rather Orange’s required DHCP options and lately pfSense’s “quirky” 802.1q tagging of DHCP frames. But it’s no problem getting it to work on IPv4 (and IPv6 on other firewalls). 100% stable in both my cases.

        IPv6 is a different issue on pfSense as Orange requires DHCP options that pfSense does not support. So for now I’ve given up attempting IPv6 on Orange - a while back I had it running for a while using OPNsense’s DHCP6c client ported to pfSense. But I decided against this approach as it required some “hacks” I didn’t care for in upgrade situations and such.

        Love the no fuss of using the official appliances :-)

        • RobbieTTR
          RobbieTT @keyser
          last edited by

          @keyser
          I'm scratching my head a little and not sure why a simple configuration, similar to mine below, would not work for you?

          My ISP provides a static /48 address block but I set it as DHCPv6, using the prefix only and set a unique prefix ID on each LAN/VLAN interface - giving them their own /64 to work with. (I understand you get a /56 but that still leaves plenty for subnetting.)

          WAN Interface:

          [Screenshot: 2023-06-05 at 15.48.01.png]

          LAN Interface:

          [Screenshot: 2023-06-05 at 15.48.58.png]

          [Screenshot: 2023-06-05 at 15.49.16.png]

          ☕️
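
The per-interface /64 arithmetic behind the prefix ID setup described in the post above, as an added example that is not part of the original thread. It assumes the prefix ID is entered as a hex value; the function name, the interface names and the documentation-range prefixes are constructed for illustration.

```python
import ipaddress


def plan_lan_prefixes(delegated, prefix_ids):
    """Map each interface to the /64 its prefix ID selects.

    delegated  -- prefix delegated by the ISP (e.g. a /48 or a /56)
    prefix_ids -- {interface name: prefix ID as a hex string}
    Raises ValueError for an ID that does not fit in the delegation
    or that two interfaces share (both would break routing on the LAN).
    """
    net = ipaddress.IPv6Network(delegated)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64, nothing to subnet")

    # Bits available between the delegated prefix and the /64 boundary:
    # 16 for a /48 (IDs 0..ffff), 8 for a /56 (IDs 0..ff), 0 for a /64.
    max_id = (1 << (64 - net.prefixlen)) - 1

    plan, owner = {}, {}
    for iface, hex_id in prefix_ids.items():
        pid = int(hex_id, 16)
        if not 0 <= pid <= max_id:
            raise ValueError(
                f"{iface}: prefix ID {hex_id} outside 0..{max_id:x} for {net}")
        if pid in owner:
            raise ValueError(
                f"{iface}: prefix ID {hex_id} already used by {owner[pid]}")
        owner[pid] = iface
        # The ID sits directly above the 64-bit interface identifier.
        base = int(net.network_address) | (pid << 64)
        plan[iface] = ipaddress.IPv6Network((base, 64))
    return plan


if __name__ == "__main__":
    # Constructed sample: a /48 delegation and three hypothetical interfaces.
    sample = {"LAN": "0", "IOT": "10", "GUEST": "ffff"}
    for name, subnet in plan_lan_prefixes("2001:db8:1200::/48", sample).items():
        print(f"{name:6} {subnet}")
```
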

          • keyserK
            keyser Rebel Alliance @RobbieTT
            last edited by

            @RobbieTT The issue is not that it does not work in pfSense. The issue is that each ISP (if you elect to skip using their CPE) uses some absurdly finicky DHCPv6 settings that take hours and hours of packet capture analysis to decode and replicate in terms of pfSense DHCPv6 configuration. My point is that DHCPv6 is not “standard” like DHCP4 where it is HIGHLY unusual for it not to work if you just enable it.

            If the ISP then changes some settings, DHCPv6 stops working again, and you have to start over.

            • JKnottJ
              JKnott @keyser
              last edited by

              @keyser said in Matureness of IPv6 generally:

              If the ISP then changes some settings, DHCPv6 stops working again, and you have to start over.

              Then it's not a problem with IPv6. It's a problem with some ISPs. You can't make a direct comparison with IPv4, as IPv6 can do so much more, such as providing a prefix, rather than just a single address. You also don't need NAT with it, to support multiple devices.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              • keyserK
                keyser Rebel Alliance @JKnott
                last edited by keyser

                @JKnott said in Matureness of IPv6 generally:

                Then it's not a problem with IPv6. It's a problem with some ISPs. You can't make a direct comparison with IPv4, as IPv6 can do so much more, such as providing a prefix, rather than just a single address. You also don't need NAT with it, to support multiple devices.

                You are absolutely correct - in principle. But my point is that IPv6 routing - and specifically DHCPv6(-PD) and SLAAC assignments - have been changed and augmented so many times to allow for all manners of quirky needs and demands, that it takes a PhD and complete eye-level communication with the party setting up the other end - otherwise odds are it will not work when we are talking ISP to end customer without CPE setups (not your average LAN IPv6 service).

                • RobbieTTR
                  RobbieTT @keyser
                  last edited by

                  @keyser said in Matureness of IPv6 generally:

                  My point is that DHCPv6 is not “standard” like DHCP4 where it is HIGHLY unusual for it not to work if you just enable it.

                  Perhaps we are just beaten into submission when it comes to the horridness that comes with IPv4. All that messing with DHCP addresses, working with the constraints of NAT, no globally routable addresses for clients, reduced performance due to NAT overhead, DHCP pool allocations for WAN that can change, additional cost of static IPv4 addresses (if available), use of services such as DDNS, reverse proxies, port forwarding, UPNP etc etc.

                  IPv4 is a car crash but we are just used to its many pitfalls.

                  • keyserK
                    keyser Rebel Alliance @JKnott
                    last edited by

                    @JKnott But I’m also referring to the no-man's land of missing Name service registration, missing options for standardized central control of if clients should DNS register, not use private addresses and prioritize their use of which IPv6 address?

                    • JKnottJ
                      JKnott @keyser
                      last edited by

                      @keyser

                      Can you show me those services for IPv4? As for address scope, IPv6 tries to use the best address type to reach the destination. If a destination has both ULA and global addresses, then ULA will be used. Nothing mysterious about that.

                      BTW, every Saturday morning, some friends and I have a video conference (we used to meet in a restaurant before COVID). One of my friends set up a Jitsi server for this. The friend where the server is located is on an ISP that does not provide consistent IPv4 addresses and so we use DDNS to reach it. However, when the address changes, my friend has to go in to make some changes, so Jitsi will work with the new address. Also, since the friend who has the server in his home uses an RFC 1918 address and everyone else is coming in from the Internet, through NAT, the server sometimes causes problems for the guy with the server in his home. Lots of fun.

                      • keyserK
                        keyser Rebel Alliance @JKnott
                        last edited by

                        @JKnott I’m not arguing that IPv4 is nice or better (or even good), because I too hate all the work and issues NAT (sometimes multiple) and limited amount of addresses introduces. I’m a huge fan of IPv6 and would love everything to go greenfield IPv6.
                        I’m just questioning if that will ever happen due to IPv6’s less than stellar maturity and ease of use? Considering it’s 15 years old I think it’s appalling the amount of issues that are still present or not handled with ease.

                        • RobbieTTR
                          RobbieTT @keyser
                          last edited by RobbieTT

                          @keyser

                          I seem to remember that the draft for IPv6 was out before IPv4 NAT became a thing. Even the original author of NAT (Paul Francis?) didn't think much would come of it. Then came PIX hardware and the world changed.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.