Netgate Discussion Forum

    Very Basic IPv6 security question.

    IPv6 forum category. 79 Posts, 9 Posters, 16.5k Views
      RobbieTT @Gertjan
      last edited by

      @Gertjan

      My guess is that as you only have 1 subnet / LAN defined, there is no need for a choice of prefix ID (I have 3 local networks defined).

      Any leases showing here:

       2023-07-21 at 12.44.54.png

      An example client shows the following addresses:

      en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
      	options=6463<RXCSUM,TXCSUM,TSO4,TSO6,CHANNEL_IO,PARTIAL_CSUM,ZEROINVERT_CSUM>
      	ether f8:4d:xx:xx:26:88 
      	inet6 fe80::xx:80c4:xxxx:7eef%en0 prefixlen 64 secured scopeid 0xf 
      	inet6 2a02:xxxx:xxxx:1:1808:6752:xxxx:a287 prefixlen 64 autoconf secured 
      	inet6 2a02:xxxx:xxxx:1:7c15:c736:xxxx:7732 prefixlen 64 deprecated autoconf temporary 
      	inet 10.0.1.10 netmask 0xffffff00 broadcast 10.0.1.255
      	inet6 2a02:xxxx:xxxx:1::1b06 prefixlen 64 dynamic 
      	inet6 fd83:xxxx:239c:4fb4:8cd:5e06:xxxx:def8 prefixlen 64 autoconf secured 
      	inet6 fd8d:xxxx:3a57:4f07:142f:f915:xxxx:4cef prefixlen 64 deprecated autoconf secured 
      	inet6 2a02:xxxx:xxxx:1:b5b2:5b0a:xxxx:6e82 prefixlen 64 deprecated autoconf temporary 
      	inet6 2a02:xxxx:xxxx:1:f186:b1b0:xxxx:3a5b prefixlen 64 autoconf temporary 
      	nd6 options=201<PERFORMNUD,DAD>
      	media: autoselect
      	status: active
      
      

      You would probably benefit from your own thread as we are distracting from this one. Apologies to @guardian.

      ☕️

        JKnott @guardian
        last edited by

        @guardian said in Very Basic IPv6 security question.:

        Have I configured pfSense IPv6 Correctly? I am attempting to configure a VLAN6 which I am connecting over a trunk to an SG300 switch, and ultimately to an access port on GE2. The IPv4 is working fine, I get an IP assignment, and a DHCP server, but the IPv6 isn't working. I have a linux laptop connected to GE2 with DHCP configuration for both IPv4/v6. I have no IPv6 connectivity - a ping6 to 2607:f8b0:400b:804::2003 from the laptop results in Destination unreachable: Beyond scope of source address, but is successful if executed from the pfSense WebGUI.

        The laptop has an fe80::/64, and the Default Route has an fe80:: address as well. There are no other entries, and if I attempt to run ping6 against the Default route, I get invalid argument. For some reason ping6 does not like fe80 addresses--even when I fully expanded :: with the appropriate number of 0000 to make 8 complete hextets.

        I need to determine if the problem is with pfSense, the SG300, or the laptop, so any guidance would be much appreciated.

        You have to configure the VLAN on every device that uses it or it passes through. For example, my guest WiFi is on VLAN3. I configured VLAN3 on the same interface as my main LAN, on the access point for the 2nd SSID and also both ports on my switch that it had to pass through.

        Link local addresses are often used for routing. On Rogers, your default route will be a link local address and you will also have a global address on your WAN interface, but it's not used for routing.

        BTW, I see you have a prefix delegation size of 64. That will get you only a single /64 prefix. You want to use 56, which will get you 256 /64s.

        Also, why are you using DHCPv6 on your LAN? Unless you have a specific need for it, I'd recommend you stick with SLAAC. Also, thanks to some genius at Google, Android devices don't support DHCPv6.

        I'd recommend you start simple and then work out what else you want, after you get pfSense working. For example, configure your VLAN after the main LAN is working.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

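The address listing in RobbieTT's post above and the link-local-only laptop discussed in JKnott's reply both come down to which IPv6 addresses a host holds and what scope they have. The following Python is an added example, not code from the thread, from pfSense or from any of the posters: it parses ifconfig-style inet6 lines, classifies each address by scope and SLAAC flags, reports which global addresses are currently usable as a source for off-link traffic (a host holding only fe80:: addresses has none, which is what produces the "Beyond scope of source address" error when it pings a global destination), and computes how many /64s a prefix delegation yields (the /56 versus /64 point). The sample output is constructed from the 2001:db8::/32 documentation prefix and an invented ULA; it is not the poster's masked addresses.

```python
import ipaddress
import re

# Constructed sample in the macOS ifconfig format used in the thread.  Addresses use
# the 2001:db8::/32 documentation prefix and an invented fd83:: ULA; they are NOT the
# poster's (masked) addresses.  It holds one stable GUA, one DHCPv6 GUA, two temporary
# GUAs (one already deprecated), one ULA and the mandatory link-local address.
IFCONFIG_SAMPLE = """\
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tether f8:4d:00:00:26:88
\tinet6 fe80::1c2b:80c4:9f1e:7eef%en0 prefixlen 64 secured scopeid 0xf
\tinet6 2001:db8:abcd:1:1808:6752:55aa:a287 prefixlen 64 autoconf secured
\tinet6 2001:db8:abcd:1:7c15:c736:aa55:7732 prefixlen 64 deprecated autoconf temporary
\tinet 10.0.1.10 netmask 0xffffff00 broadcast 10.0.1.255
\tinet6 2001:db8:abcd:1::1b06 prefixlen 64 dynamic
\tinet6 fd83:1234:239c:4fb4:8cd:5e06:77ee:def8 prefixlen 64 autoconf secured
\tinet6 2001:db8:abcd:1:f186:b1b0:1234:3a5b prefixlen 64 autoconf temporary
"""

# Constructed Linux-style sample for a host that only ever got a link-local address
# (no RA prefix reached it): the laptop situation described in the thread.
LINK_LOCAL_ONLY_SAMPLE = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
\tinet6 fe80::5054:ff:fe12:3456 prefixlen 64 scopeid 0x20<link>
"""

INET6_LINE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$")

# ifconfig flag words of interest.  'dynamic' is how macOS marks a DHCPv6-assigned
# address; 'secured' marks a stable privacy-style interface identifier; 'temporary'
# is an RFC 4941 privacy address; 'deprecated' means the preferred lifetime has
# expired, so the address must not be chosen as a source for new connections.
KNOWN_FLAGS = {"autoconf", "dynamic", "secured", "temporary", "deprecated", "tentative"}

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def scope_of(addr: ipaddress.IPv6Address) -> str:
    """Classify by the well-known prefixes rather than ipaddress.is_global, which
    treats the 2001:db8::/32 documentation prefix as non-global."""
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "ula"
    if addr in GLOBAL_UNICAST:
        return "global"
    return "other"


def parse_inet6(text: str) -> list[dict]:
    """Extract every inet6 line as {address, prefixlen, scope, flags}."""
    records = []
    for line in text.splitlines():
        m = INET6_LINE.match(line)
        if not m:
            continue
        raw, plen, rest = m.groups()
        addr = ipaddress.IPv6Address(raw.split("%", 1)[0])  # strip the %en0 zone id
        flags = {tok for tok in rest.split() if tok in KNOWN_FLAGS}
        records.append({"address": addr, "prefixlen": int(plen),
                        "scope": scope_of(addr), "flags": flags})
    return records


def usable_global_sources(records: list[dict]) -> list[ipaddress.IPv6Address]:
    """Global addresses the host may use as source for off-link destinations; deprecated
    and tentative ones are excluded (RFC 6724 source selection).  An empty result is
    exactly the 'Beyond scope of source address' failure of a link-local-only host."""
    return [r["address"] for r in records
            if r["scope"] == "global" and not (r["flags"] & {"deprecated", "tentative"})]


def count_by_scope(records: list[dict]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for r in records:
        counts[r["scope"]] = counts.get(r["scope"], 0) + 1
    return counts


def subnets_from_pd(pd_len: int, subnet_len: int = 64) -> int:
    """Number of /subnet_len networks a /pd_len delegation yields: /56 -> 256, /64 -> 1."""
    if not 0 < pd_len <= subnet_len <= 128:
        raise ValueError("delegation must be no longer than the subnet size")
    return 2 ** (subnet_len - pd_len)


if __name__ == "__main__":
    for name, sample in (("macOS client", IFCONFIG_SAMPLE), ("link-local only", LINK_LOCAL_ONLY_SAMPLE)):
        recs = parse_inet6(sample)
        print(name, count_by_scope(recs), "usable global sources:",
              [str(a) for a in usable_global_sources(recs)])
    print("/56 delegation ->", subnets_from_pd(56), "/64s")
```

Run against the first sample it reports four global addresses of which three are usable sources (the deprecated temporary address is dropped); against the second it reports none, which is the state guardian's laptop was in.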
          JKnott @Gertjan
          last edited by

          @Gertjan said in Very Basic IPv6 security question.:

          Because I know that I will receive "2a01:cb19:xO7:a6dc" as a prefix, I "hard coded" it.

          Is that address from Rogers? If not, you shouldn't be using it. My addresses from Rogers start with 2607.


            JKnott @Gertjan
            last edited by

            @Gertjan said in Very Basic IPv6 security question.:

            Again: I know, treating the prefix as a static value is plain wrong / can bite you back in the future (== break your IPv6 networking).

            This is one area where Rogers is really good. I've had the same prefix for a few years. Even my IPv4 address is virtually static and my IPv4 host name changes only when I change hardware.


              RobbieTT @JKnott
              last edited by RobbieTT

              @JKnott said in Very Basic IPv6 security question.:

              Also, why are you using DHCPv6 on your LAN? Unless you have a specific need for it, I'd recommend you stick with SLAAC. Also, thanks to some genius at Google, Android devices don't support DHCPv6.

              Just so we are all on the same page with the applicable pfSense options:

              • Managed
                The firewall will send out RA packets and addresses will only be assigned to clients using DHCPv6.

              • Assisted
                The firewall will send out RA packets and addresses can be assigned to clients by DHCPv6 or SLAAC.

              • Stateless DHCP
                The firewall will send out RA packets and addresses can be assigned to clients by SLAAC while providing additional information such as DNS and NTP from DHCPv6.

              Coming from a different router environment I originally selected "Stateless DHCP," given that I used SLAAC previously on a different OS. A Netgate developer suggested "Assisted" instead and it solved a brace of annoying issues and is friendly enough for 'droid clients too.

              ☕️

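The three pfSense options quoted above differ in which Router Advertisement flags the firewall sets: the M (managed) and O (other configuration) flags in the RA header and the A (autonomous) flag in the Prefix Information option. The following Python is an added example, not pfSense's or radvd's code: it constructs an RA for each flag combination and decodes it back, naming the mode from the option descriptions in the post (Managed: M set, A clear; Assisted: M and A set; Stateless DHCP: M clear, O and A set; Unmanaged, the fourth pfSense option, SLAAC only: only A set). The mapping from flags to pfSense menu names is my reading of those descriptions and RFC 4861 semantics, not something the post states; the packet bytes are constructed, the documentation prefix 2001:db8:abcd:1::/64 is used, and no checksum is computed.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3          # RFC 4861 Prefix Information option
RA_FLAG_MANAGED = 0x80       # M: addresses via DHCPv6
RA_FLAG_OTHER = 0x40         # O: other configuration (DNS etc.) via DHCPv6
PIO_FLAG_ONLINK = 0x80       # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40   # A: prefix usable for SLAAC


def build_ra(managed: bool, other: bool, autonomous: bool,
             prefix: str = "2001:db8:abcd:1::", plen: int = 64) -> bytes:
    """Construct the ICMPv6 payload of a Router Advertisement carrying one Prefix
    Information option.  The checksum is left zero: this is a parsing example, not a
    packet that is sent anywhere.  The default prefix is documentation space."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pio_flags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    # type, length (units of 8 bytes), prefix length, L/A flags, valid, preferred, reserved
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pio_flags, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    return header + pio


def parse_ra(pkt: bytes) -> dict:
    """Decode the RA header flags and every Prefix Information option.  Malformed
    option lengths are rejected rather than skipped: RFC 4861 requires a receiver to
    discard an ND packet that contains a zero-length option."""
    if len(pkt) < 16:
        raise ValueError("RA shorter than its fixed header")
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != ICMPV6_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & RA_FLAG_MANAGED),
            "other": bool(flags & RA_FLAG_OTHER),
            "router_lifetime": lifetime,
            "prefixes": []}
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = pkt[off + 2], pkt[off + 3]
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            info["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                     "on_link": bool(pflags & PIO_FLAG_ONLINK),
                                     "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS)})
        off = end  # unknown options are skipped by their declared length
    return info


def pfsense_mode(info: dict) -> str:
    """Name the pfSense RA mode implied by the decoded flags (assumed mapping, see lead-in)."""
    slaac = any(p["autonomous"] for p in info["prefixes"])
    if info["managed"] and not slaac:
        return "Managed"
    if info["managed"] and slaac:
        return "Assisted"
    if slaac and info["other"]:
        return "Stateless DHCP"
    if slaac:
        return "Unmanaged"
    return "no usable configuration"  # neither DHCPv6 nor SLAAC is offered


if __name__ == "__main__":
    for m, o, a in ((True, True, False), (True, True, True), (False, True, True), (False, False, True)):
        decoded = parse_ra(build_ra(m, o, a))
        print(f"M={int(m)} O={int(o)} A={int(a)} -> {pfsense_mode(decoded)} {decoded['prefixes'][0]['prefix']}")
```

The same parser is what a rogue-RA detector would run on captured type 134 packets: the M/O/A flags and the advertised prefix tell you whether an RA on the segment is offering a configuration your firewall was never set to advertise.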
                JKnott @RobbieTT
                last edited by

                @RobbieTT said in Very Basic IPv6 security question.:

                Coming from a different router environment I originally selected "Stateless DHCP," given that I used SLAAC previously on a different OS. A Netgate developer suggested "Assisted" instead and it solved a brace of annoying issues and is friendly enough for 'droid clients too.

                I use unmanaged. Between SLAAC and RDNSS, you generally have all you need.

                As has been mentioned, start simple and go from there, as you get things working.


                  RobbieTT @JKnott
                  last edited by

                  @JKnott said in Very Basic IPv6 security question.:

                  As has been mentioned, start simple and go from there, as you get things working.

                  Cannot argue with that. 👍

                  ☕️

                    Gertjan @JKnott
                    last edited by

                    @JKnott said in Very Basic IPv6 security question.:

                    Because I know that I will receive "2a01:cb19:xO7:a6dc" as a prefix, I "hard coded" it.
                    

                    Is that address from Rogers?

                    No. I'm living in the original, old world, not the recent one ;)
                    To be exact: 2a01:cb19:907:a6dc
                    ISP Orange, France.

                    @RobbieTT said in Very Basic IPv6 security question.:

                    Just so we are all on the same page

                    Managed, for myself.
                    I'm doing my best to give Android devices a hard time on my networks.
                    I'm joking of course, I don't have any Android devices so I'm not in need of the SLAAC thing.
                    ( or am I saying the same thing differently ? )

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                      JKnott @Gertjan
                      last edited by

                      @Gertjan said in Very Basic IPv6 security question.:

                      No. I'm living in the original, old world, not the recent one ;)
                      To be exact: 2a01:cb19:907:a6dc
                      ISP Orange, France.

                      Sorry, I was getting posters mixed up. I thought I was replying to @guardian, who is on Rogers.


                        guardian @RobbieTT
                        last edited by guardian

                        @RobbieTT said in Very Basic IPv6 security question.:

                        @guardian

                        You are not configured for it to work just yet. For the Interfaces / WAN I would start by checking the boxes below and you will also have to determine what the prefix delegation size is from your ISP. A nice fat /48 is typical (as I have in the example below), with some ISPs trimming this down to a /56 (as it is still massive). Hopefully you don't just have a /64 but I understand that there are some ISPs that are that dumb/restrictive (particularly in the US it seems).

                         2023-07-21 at 10.01.42.png

                        More to do after that on your LAN(s)/VLANs, DHCPv6 Server and Router Advertisements but the above is as good as any starting point. That and reading the section in the pfSense manual.

                        ☕️

                        @RobbieTT - Thanks very much - when I made these changes I now have IPv6 Connectivity being passed through to the VLAN, and hence the laptop. For some reason the connection monitor isn't working - it was working before, but then everything else wasn't working, so it didn't matter. Is there a way to fix it? FYI I can ping this address successfully from the Diagnostics menu and also from the shell, so I'm wondering if the process got hung somehow (how do I restart it?).

                        4e47b59e-c662-41d2-8fce-8afb2b315e23-image.png

                        For the benefit of anyone who comes after me, (for Rogers Canada in July 2023) the delegation is "only" 56, and here is how I am set up now on the WAN:

                        af11579b-b56d-414b-b743-82b144ee0e20-image.png

                        If you find my post useful, please give it a thumbs up!
                        pfSense 2.7.2-RELEASE

                          JKnott @guardian
                          last edited by

                          @guardian said in Very Basic IPv6 security question.:

                          For some reason the connection monitor isn't working - it was working before, but then everything else wasn't working, so it didn't matter. Is there a way to fix it?

                          What address are you using? It has to be a global address, not link local.


                            RobbieTT @JKnott
                            last edited by

                            @JKnott

                            If it is the first hop to the ISP's node then link local (fe80) would be fine or even expected. Beyond that it would need a global target to ping against.

                             2023-07-22 at 13.59.38.png

                              JKnott @RobbieTT
                              last edited by

                              @RobbieTT

                              In my experience, it didn't work with the link local address. I did a traceroute to Google and used the first global address that turned up.


                                JKnott @JKnott
                                last edited by

                                @JKnott

                                I just tried again, using the default route fe80::217:10ff:fe9. While it is accepted, the dashboard shows packet loss.


                                  RobbieTT @JKnott
                                  last edited by

                                  @JKnott
                                  Understood - just clarifying that a global address is not always needed for a gateway to node hop. 👍

                                  ☕️

                                    johnpoz (Global Moderator) @RobbieTT
                                    last edited by

                                    @RobbieTT said in Very Basic IPv6 security question.:

                                    global address is not always needed for a gateway to node hop.

                                    Very true.. But what would be needed to be able to ping something you're monitoring that has a GUA is a GUA to send the answer back to.

                                    Also possible the link local address might not even answer ping, etc.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      JKnott @johnpoz
                                      last edited by

                                      @johnpoz said in Very Basic IPv6 security question.:

                                      Also possible the link local address might not even answer ping, etc.

                                      That appears to be the case here.


                                        RobbieTT @johnpoz
                                        last edited by RobbieTT

                                        @johnpoz said in Very Basic IPv6 security question.:

                                        Very true.. But what would be needed to be able to ping something you're monitoring that has a GUA is a GUA to send the answer back to.

                                        Also possible the link local address might not even answer ping, etc.

                                        Clearly it should respond to ICMP6 (it is an IPv6 requirement) but ISPs...

                                        In my example above I didn't set anything manually as the link-local for the gateway comes via the RA and pfSense adopts it:

                                        Jul 20 18:43:40	rtsold	67156	Received RA specifying route fe80::xxx:xxxx:xxxx:x100 for interface wan(pppoe0)
                                        

                                        I'm a bit of a purist, keeping the gateway monitor limited to the gateway, rather than the wider internet. One of my servers runs a GUA ping graph via PingPlotter 24/7, to monitor the broader upstream connectivity.

                                        ☕️

                                          johnpoz (Global Moderator) @RobbieTT
                                          last edited by johnpoz

                                          @RobbieTT said in Very Basic IPv6 security question.:

                                          Clearly it should respond to ICMP6

                                          ICMP sure - but not the "ping" echo request of ICMP.. that is not actually "required" for IPv6 to function... But I believe the RFC says to allow them.. And pfSense does..

                                          # IPv6 ICMP is not auxiliary, it is required for operation
                                          # See man icmp6(4)
                                          # 1    unreach         Destination unreachable
                                          # 2    toobig          Packet too big
                                          # 128  echoreq         Echo service request
                                          # 129  echorep         Echo service reply
                                          # 133  routersol       Router solicitation
                                          # 134  routeradv       Router advertisement
                                          # 135  neighbrsol      Neighbor solicitation
                                          # 136  neighbradv      Neighbor advertisement
                                          pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
                                          
                                          # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
                                          pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
                                          pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
                                          pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
                                          pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
                                          pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
                                          pass in  quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state
                                          

                                          https://www.rfc-editor.org/rfc/rfc4890#section-4.3.1

                                          4.3.1.  Traffic That Must Not Be Dropped
                                          
                                             Error messages that are essential to the establishment and
                                             maintenance of communications:
                                          
                                             o  Destination Unreachable (Type 1) - All codes
                                             o  Packet Too Big (Type 2)
                                             o  Time Exceeded (Type 3) - Code 0 only
                                             o  Parameter Problem (Type 4) - Codes 1 and 2 only
                                          
                                             Appendix A.4 suggests some more specific checks that could be
                                             performed on Parameter Problem messages if a firewall has the
                                             necessary packet inspection capabilities.
                                          
                                             Connectivity checking messages:
                                          
                                             o  Echo Request (Type 128)
                                             o  Echo Response (Type 129)
                                          
                                             For Teredo tunneling [RFC4380] to IPv6 nodes on the site to be
                                             possible, it is essential that the connectivity checking messages are
                                             allowed through the firewall.  It has been common practice in IPv4
                                             networks to drop Echo Request messages in firewalls to minimize the
                                             risk of scanning attacks on the protected network.  As discussed in
                                             Section 3.2, the risks from port scanning in an IPv6 network are much
                                             less severe, and it is not necessary to filter IPv6 Echo Request
                                             messages.
                                          

                                          But as you stated - not all ISPs follow the RFCs ;) and they could have some rate limiting on it, etc.

                                          If you read this part of the RFC

                                          A.5.  ICMPv6 Echo Request and Echo Response
                                          
                                             Echo Request (Type 128) uses unicast addresses as source addresses,
                                             but may be sent to any legal IPv6 address, including multicast and
                                             anycast addresses [RFC4443].  Echo Requests travel end-to-end.
                                             Similarly, Echo Responses (Type 129) travel end-to-end and would have
                                             a unicast address as destination and either a unicast or anycast
                                             address as source.  They are mainly used in combination for
                                             monitoring and debugging connectivity.  Their only role in
                                             establishing communication is that they are required when verifying
                                             connectivity through Teredo tunnels [RFC4380]: Teredo tunneling to
                                             IPv6 nodes on the site will not be possible if these messages are
                                             blocked.  It is not thought that there is a significant risk from
                                             scanning attacks on a well-designed IPv6 network (see Section 3.2),
                                             and so connectivity checks should be allowed by default.
                                          

                                          So ok you won't be able to do teredo if you block them.. But that is pretty much dead..

                                          But I read

                                          It is not thought that there is a significant risk from scanning attacks on a well-designed IPv6 network (see Section 3.2), and so connectivity checks should be allowed by default.

                                          But does that mean it's required to allow - I don't think so, other than Teredo..


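The pf rules johnpoz quotes pass echo request (128) and echo reply (129) only between link-local and multicast addresses, while the any-to-any rule covers types 1, 2, 135 and 136; setting that against the RFC 4890 section 4.3.1 list is the substance of the discussion. The following Python is an added example, not pfSense code: it parses exactly the rule lines quoted in the post into a tiny first-match ("quick") evaluator, asks which quoted rule a given ICMPv6 packet would hit, and lists the RFC 4890 must-not-drop types that none of the quoted rules pass for inbound global-to-global traffic. The quoted rules are an excerpt of a generated ruleset, so a type that matches nothing here says only that these particular lines do not pass it, not what the rest of the pfSense rules do. The ridentifier values come from the post; the addresses used in the checks are constructed from documentation space.

```python
import ipaddress
import re
from typing import Optional

# The ICMPv6 rules exactly as quoted in the post (an excerpt of pfSense's generated pf rules).
QUOTED_RULES = """\
pass  quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} ridentifier 1000000107 keep state
pass out  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} ridentifier 1000000108 keep state
pass out  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} ridentifier 1000000109 keep state
pass in  quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000110 keep state
pass in  quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} ridentifier 1000000111 keep state
pass in  quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000112 keep state
pass in  quick inet6 proto ipv6-icmp from :: to ff02::/16 icmp6-type {128,133,134,135,136} ridentifier 1000000113 keep state
"""

# RFC 4890 section 4.3.1, "Traffic That Must Not Be Dropped", as quoted in the post.
RFC4890_MUST_NOT_DROP = {1: "Destination Unreachable", 2: "Packet Too Big",
                         3: "Time Exceeded", 4: "Parameter Problem",
                         128: "Echo Request", 129: "Echo Response"}

RULE_RE = re.compile(
    r"^pass\s+(?:(in|out)\s+)?quick\s+inet6\s+proto\s+ipv6-icmp\s+"
    r"from\s+(\S+)\s+to\s+(\S+)\s+icmp6-type\s+\{([\d,]+)\}\s+ridentifier\s+(\d+)")


def _net(token: str):
    """'any' matches everything; a bare address such as '::' is treated as a /128."""
    return None if token == "any" else ipaddress.ip_network(token, strict=False)


def parse_rules(text: str) -> list[dict]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        direction, src, dst, types, rid = m.groups()
        rules.append({"direction": direction,  # None = rule applies in both directions
                      "src": _net(src), "dst": _net(dst),
                      "types": {int(t) for t in types.split(",")},
                      "ridentifier": rid})
    return rules


def first_match(rules: list[dict], direction: str, src: str, dst: str, icmp_type: int) -> Optional[str]:
    """Return the ridentifier of the first 'quick' rule that passes the packet, or None
    when none of the quoted rules match (pf then falls through to the remaining ruleset)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for r in rules:
        if r["direction"] not in (None, direction):
            continue
        if r["src"] is not None and s not in r["src"]:
            continue
        if r["dst"] is not None and d not in r["dst"]:
            continue
        if icmp_type in r["types"]:
            return r["ridentifier"]
    return None


def rfc4890_uncovered(rules: list[dict]) -> set[int]:
    """Must-not-drop types that none of the quoted rules pass for inbound global-to-global
    traffic (constructed documentation addresses).  Types 128/129 appear only in the
    link-local/multicast scoped rules, which is the observation made in the thread."""
    return {t for t in RFC4890_MUST_NOT_DROP
            if first_match(rules, "in", "2001:db8:1::1", "2001:db8:2::1", t) is None}


if __name__ == "__main__":
    rules = parse_rules(QUOTED_RULES)
    checks = [("in", "2001:db8:1::1", "2001:db8:2::1", 1),    # unreachable, GUA -> GUA
              ("in", "2001:db8:1::1", "2001:db8:2::1", 128),  # echo request, GUA -> GUA
              ("in", "fe80::1", "fe80::2", 128),              # echo request on the link
              ("in", "::", "ff02::1:ff00:1", 135)]            # DAD neighbor solicitation
    for c in checks:
        print(c, "->", first_match(rules, *c))
    print("RFC 4890 types not covered by the quoted rules:", sorted(rfc4890_uncovered(rules)))
```

Against these seven lines a global-to-global echo request matches nothing, a link-local echo request matches rule 1000000110, and the uncovered must-not-drop set is types 3, 4, 128 and 129; whether pfSense passes those elsewhere in its ruleset is exactly what a reader would go and check in the full /tmp/rules.debug rather than infer from the excerpt.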
                                            RobbieTT @johnpoz
                                            last edited by

                                            @johnpoz

                                            RFC6919 clarifies the hierarchy of language used for the required standards. Essential reading for networking engineers at ISPs:

                                            https://datatracker.ietf.org/doc/html/rfc6919

                                            ☕️

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.