ipv6 disable on Pfsense
-
@johnpoz
Sure. I can imagine that IPv6 doesn't play well for everybody. After all, there are many out there that still have to discover (... understand) IPv4.
"The day" I was talking about is the day a major company that allows you to host 'things' just doesn't have any dedicated IPv4 any more to 'offer' you. Or, at a huge monthly $$$$. So, your content will be using multi-homing (many 'sites' using one and the same IPv4, this is what most hosting companies use today). This somewhat works, but once you discover that 'another site' using the same IPv4 as you does 'ugly' things, the IPv4 gets listed somewhere, taking 'down' your site with it.
A typical dedicated server, or VPS, or whatever cloud wants - needs - to have its own IPv4. The day an IPv4 'just for you' becomes more expensive than the product behind it is, is the day IPv4 collapses.
I ordered 16 IPv4 a decade ago, I still have them today, most of them are in use. Last January, I was asked to pay a € per month for them. I'm sure this will go up very soon.
-
@johnpoz what about this custom dns resolver setting. . .
server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
dns64-ignore-aaaa: * . *
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
Back in my day Professors said,
"IPv6 is just around the corner, it was researched and developed as an experimental solution in the 90s," the Professors said this in 2002, 2005, and in 2019. It's the year 2023 and my ISP still only gives me an IPv4 address. Yes, well smartphones are what runs primarily IPv6 now, so it did come. Leading to, once higher tertiary educational institutions only teach IPv6 and when IPv4 becomes twilighted like BISYNC, Ring topology, AppleSoft, or the older 10base cables from the 90s, that's when smartphone technology will matter the most. The thing is IPv6 has started its emergence, we see the smartphones with TB local storage, they even have built in hotspots. We see the home cell based AP wifi systems that come with no RJ45 plugs. I future cast that home networks and office networks with plugs will disappear very soon, and that is when it will put IPv4 into a death spiral. It has been occurring slowly by way of upgrades. Soon you will just plug your smartphone onto an official hub or KVM and all your virtual software and operating systems like Windows or Mac will boot up and become a desktop, your office software will connect and it will work like it does normally. This is happening, do a Google search for "Windows VM runs on Smartphones," we might not even need a connection it will just beam to the screen next to you. Look at the Cisco Meraki systems, they are helping push this too. Sure the data centers will have plugs however it will be the monster Ciena internet backbone systems with products like Veritas Cloud Access systems with huge PB storage in a single rack. Tintri was a total solid state SAN system that when developed shocked and amazed, now Nutanix has monster SSD SAN products that only run instances of VMs. Let's face it, it's here already and your ISP knows it.
The future for the public and office networks is Smartphones/tablets running on IPv6. Try to leave your smartphone at home and notice what happens, the truth is you can't function without it. What's sad is this field outdated itself, that's Moore's law for you and you can see it's at its finest hour now. I was glad Moore lived long enough to see it start to occur. Sure it will have the hotspots here and there and official work equipment, but the major consumer base will use their smartphones. I am just waiting to see what KVM or keyboard video mouse smartphone adapter/docking product comes out first. Will companies want to adopt it quickly is the question. Look at Raspberry pi it's the size of a credit card. It's the technology that blends both worlds that will be a major winner, like Cisco's Meraki AP/Cellphone based systems they had a model that was licenced to intercept cell frequencies for cyber security/firewalling use years ago for offices.
IPv6 won't outclass IPv4, the smartphone running IPv6 will.
Me I love my IPv4.
-
@JonathanLee I think you have some redundant settings..
Not sure what the point of do-ipv4 to yes, that is default, setting do-ipv6 no should be enough..
same with the prefer-ipv4, you shouldn't really need prefer-ipv6 no.
if you have do-ipv6 set to no, not sure if these matter
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
not sure what the point of this is
dns64-ignore-aaaa: .
If unbound is told to not do IPv6, not sure why you would want/need to set that?
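An added example, not part of any post in this thread and not pfSense or unbound code: a small Python lint that takes the custom options posted above and separates the lines that change resolver behaviour from the ones that do not. It assumes the defaults documented in unbound.conf(5) and that the dns64 module is not enabled elsewhere in the configuration; `parse`, `review` and `render` are names made up for this example.

```python
# Added example, not from the thread: lint unbound custom options for an IPv4-only resolver.
# Defaults as documented in unbound.conf(5).
DEFAULTS = {"do-ip4": "yes", "do-ip6": "yes", "prefer-ip4": "no", "prefer-ip6": "no"}

# The options as posted in the thread (copied as they appear, including the dns64 value).
POSTED = """\
server:
do-ip4: yes
prefer-ip4: yes
do-ip6: no
prefer-ip6: no
dns64-ignore-aaaa: * . *
do-not-query-address: ::
do-not-query-address: ::1
do-not-query-address: ::/0
"""

def parse(text):
    """Return (key, value) pairs; skip comments, blanks and clause headers like 'server:'."""
    pairs = []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if key and value:  # 'server:' has no value; '::' survives as a value
            pairs.append((key, value))
    return pairs

def review(text):
    """Split options into (keep, drop); each drop entry carries the reason."""
    pairs = parse(text)
    opts = dict(pairs)
    ip6_off = opts.get("do-ip6") == "no"
    dns64_loaded = "dns64" in opts.get("module-config", "")
    keep, drop = [], []
    for key, value in pairs:
        if DEFAULTS.get(key) == value:
            drop.append((key, value, "same as the unbound default"))
        elif ip6_off and key == "prefer-ip4":
            drop.append((key, value, "moot: IPv4 is the only transport left"))
        elif ip6_off and key == "do-not-query-address" and ":" in value:
            drop.append((key, value, "moot: no queries go to IPv6 addresses"))
        elif key == "dns64-ignore-aaaa" and not dns64_loaded:
            drop.append((key, value, "only read by the dns64 module, not loaded here"))
        else:
            keep.append((key, value))
    return keep, drop

def render(keep):
    """Emit the reduced fragment in unbound.conf syntax."""
    return "server:\n" + "".join(f"    {k}: {v}\n" for k, v in keep)
```

Run against the posted options, `render(review(POSTED)[0])` leaves a single `do-ip6: no` line under `server:`; an IPv4 `do-not-query-address` entry would be kept.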
-
I am afraid to use the tunnel I have to own this and admit it to you. I want IPv6 I just want it direct from my ISP.
Check out this topic I was reading.
https://forums.he.net/index.php?topic=4253.0
Have you seen this in the HE forum? It is stating that Google now blocks ipv6 queries from HE tunnels?
". . . Google now seems to block ipv6 queries to search from HE tunnelbroker ASN"
HE also has really bad ratings on yelp I was reading.
https://www.yelp.com/biz/hurricane-electric-fremont
HE is in need of some good reviews from pfSense people that use this service on yelp. I am sure there are a lot of happy Netgate community users that have not posted a review.
Is this service really free? I pay big bucks every month to my ISP. What do they get out of handing out free IPv6? There has got to be some catch for using it, maybe testing and development of the IPv6 network?
-
@JonathanLee said in ipv6 disable on Pfsense:
I am afraid to use the tunnel I have to own this and admit it to you
I have been using their tunnels for like 13+ years, have never had any issues with it. I am not really a big IPv6 user, normally I have it turned off on my machine.
But just enabled it, tried google via ipv6.google.com and not having any issues.. Not sure who brought up google was blocking HE?
Not having any issues from quick test..
As to yelp - yup where all the network engineers go to see who they should use as ISP for their company ;) heheheh
-
@JonathanLee said in ipv6 disable on Pfsense:
https://forums.he.net/index.php?topic=4253.0
Have you seen this in the HE forum? It is stating that Google now blocks ipv6 queries from HE tunnels?
". . . Google now seems to block ipv6 queries to search from HE tunnelbroker ASN"
I realize this issue has nothing to do with pfSense or its functionality but sounds like I'm not by myself.
This now explains why I might be blocked from accessing google.com via ipv6 or ipv4. The error message says something to the effect that I don't have proper permissions to access "google.com". They are being very cryptic as to why I no longer have access to their site. It's mainly their search engine that I'm blocked from. I get various error codes like this "403. That’s an error. Your client does not have permission to get URL / from this server. That’s all we know." At first I thought it was a Firefox issue since it started right after I upgraded Firefox to latest version but now I'm not sure.
There were some other error codes last week before they pulled the plug on me.
I'll have to turn off my he.net and see if this clears up. I do know that he.net is flagged on several spam websites as being a haven for spammers.
-
@jdeloach said in ipv6 disable on Pfsense:
several spam websites as being a haven for spammers.
They didn't even use to allow smtp over the IPv6 unless you cleared it with them.. But I just checked and I could unblock smtp with just a click.
Any "tunnel" method is a haven for lots of bad people.. Just like every single vpn service on the planet to be honest. How many vpn services get blocked for the same sort of thing.
Not my problem that bad people ruin a good thing for the rest of us..
HE is a free way for you to get IPv6 when your isp doesn't provide it - or their "providing" of it is just shit.. Which is many of the ipv6 deployments I have seen. They will give you a /48 that doesn't change, and even allow you to set PTRs for the range of IPs.
To be honest not sure why anyone should care if they have IPv6 or not.. Name one resource that you want to access that is only via IPv6.. Until that day comes there is little use for it for your typical home user.
I use it because it interests me, I used to host an ntp server over it - because that was really the only thing I could do to actually make use of it. Now I have it setup to pretty much just play with - my isp doesn't provide any ipv6, and have not seen them even hint at a roadmap or any sort of date when they would.
You know where IPv6 makes sense - when you have billions of devices, like mobile phones. Guess who uses IPv6 - mobile carriers ;) My phone doesn't even get an IPv4 address when it's on cell - only IPv6, they use 464XLAT to get you to the IPv4s you want to get to..
I applaud you for wanting to learn about IPv6, I do believe it is the future - but at this current time, there is nothing saying you have to use it. If you don't want to use HE, and your isp doesn't provide IPv6 or its shit deployment. Your only real recourse is either change your ISP.. Or get an ISP that allows you to run your own IPv6.. You could prob get your own space.. It's not free.. But not all that hard, I got my last company their /32 from Arin, just some paperwork to fill out - have to show you're going to use it, etc.. And then pay the bill.
I handled setting up all the routing objects for them, etc. They had some project they are working on for connecting cars - again something there are billions of on the planet.
While as mentioned I would hope the kid has been born already that will see IPv4 turned off and IPv6 be the only game in town - or something might actually replace IPv6 who knows.
The problem is IPv4 isn't going away, at least not any time soon. The IP apocalypse has gone away because all the players that Need millions and or billions of IP addresses for their devices/projects can use IPv6.. The IPv4 space now sells on the gray market to who is willing to pay for them.. We sold off in my last company a big chunk of our /16 for quite tidy sum.. Because they wanted influx of cash to make that year's books look better. And really had no use for the all those IPs.. If the Registries like Arin would actually take back some of the space that companies are hoarding back.. They could most likely allocate those to isp that could actually use them..
But you have nothing to lose with trying to use a HE tunnel, use it to learn IPv6 that is for sure - I would recommend you run through their IPv6 sage program.. You get a free tshirt when you reach sage level ;) You have to setup Ipv6 glue on a domain, and run a smtp server over IPv6, etc.. I don't think it has changed much in the 12 some years ago when I did it.. I still have the tshirt btw ;) But it is a good learning tool for sure.
-
@jdeloach said in ipv6 disable on Pfsense:
@JonathanLee said in ipv6 disable on Pfsense:
https://forums.he.net/index.php?topic=4253.0
Have you seen this in the HE forum? It is stating that Google now blocks ipv6 queries from HE tunnels?
". . . Google now seems to block ipv6 queries to search from HE tunnelbroker ASN"
I realize this issue has nothing to do with pfSense or its functionality but sounds like I'm not by myself.
This now explains why I might be blocked from accessing google.com via ipv6 or ipv4. The error message says something to the effect that I don't have proper permissions to access "google.com". They are being very cryptic as to why I no longer have access to their site. It's mainly their search engine that I'm blocked from. I get various error codes like this "403. That’s an error. Your client does not have permission to get URL / from this server. That’s all we know." At first I thought it was a Firefox issue since it started right after I upgraded Firefox to latest version but now I'm not sure.
There were some other error codes last week before they pulled the plug on me.
I'll have to turn off my he.net and see if this clears up. I do know that he.net is flagged on several spam websites as being a haven for spammers.
Well those sorry Google SOB(s) that blocked me from Google Search. I disabled ipv6 on my pfSense and temporarily disabled my HE.net account so that I don't have ipv6 on my home network anymore and guess what? I now have access to Google Search engine again. This is pure Bullshit. How can those folks take over my network and tell me what I can use and not use to access their website. Glad I stumbled on to this thread because I was pulling my hair out trying to fix this issue. I don't have a need to use ipv6 but it was nice to be able to play with it, but I would never have thought Google would F..K things up like this.
-
@jdeloach said in ipv6 disable on Pfsense:
Google would F..K things up like this.
Not sure why you think it's google? From what I have seen looks like they are blocking some /64s that are part of larger /32? that small sites use, or the tunnel network they hand out, but if you're on a routed /48 like I am that is not blocked.. So that could explain why not seeing any issues when I test it..
Sites can and do block netblocks that cause them grief - lots of networks are blocked from the forums here even, because all those networks do is post spam..
What is the prefix you're coming from? The one on your account? You're saying that is blocked?
I disabled ipv6 on my pfSense
I don't show you coming from any IPv4 addresses - thought you said you disabled IPv6?
-
@johnpoz Before my ISP offered IPV6, I used a tunnel from HE. It worked very well. Admittedly it's been a while since I have used HE, but I agree that you can't go wrong with them.