    Secure Wireless Hotspot rule with IPv6

    • johnpozJ
      johnpoz LAYER 8 Global Moderator @slu
      last edited by johnpoz

      @slu you're saying you get no IPv4 address, not even a rfc1918 or cgnat range 100.64/10.. I find that a very odd deployment for a normal ISP, i.e. is your isp cellular? For that to work your isp would have to be doing like the phone companies do and translate all your IPv6 traffic to IPv4.. Since a vast majority of the internet is not on IPv6 yet..

      If you want to provide IPv6 - you were on the right track, just that 2001::/16 is not correct.. And you would want to allow whatever traffic you might want to the pfsense IPv6 address, dns, ntp, etc.. Then block your local prefix, then either use any for the "internet" for ipv6 or use the 2000::/3 cidr.. They wouldn't be able to get to a shit ton of stuff if you only allowed 2001::/16

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • S
        slu @johnpoz
        last edited by

        @johnpoz said in Secure Wireless Hotspot rule with IPv6:

        @slu you're saying you get no IPv4 address, not even a rfc1918 or cgnat range 100.64/10.. I find that a very odd deployment for a normal ISP, i.e. is your isp cellular?

        I check this, must be some rfc1918 or cgnat address because I can access IPv4 services in the internet.

        pfSense Gold subscription

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @slu
          last edited by johnpoz

          @slu said in Secure Wireless Hotspot rule with IPv6:

          because I can access IPv4 services in the internet.

          They could be doing 464XLAT like the phone companies do.. My phone gets no IPv4 address, not even rfc1918 or cgnat space.. It makes sense with stuff like phones - there are billions of them on the planet.. Even using all of rfc1918 space would not provide for enough address space.. So they would have to overlap and use the same IPs in different regions, etc.. How many phones are on t-mobile for example ;)

          But that would seem odd for your typical local isp to do such a thing.. It would be simpler for them to just use cgnat to provide IPv4 if they do not have enough public IPv4 to use.. And then sure assign you a ipv6 prefix

          Look on your pfsense wan - are you saying it has no ipv4 address?

          As to your clients.. There are no major player services on the planet that you can not get to via IPv4.. So are you talking that they can get to their home plex server or something that is on some other isp that doesn't provide IPv4 so they need to get to their home network from your network via IPv6? That would make sense - but why should you care if they can do that from your hotspot?

          Sure if they said hey I can not get to amazon or facebook, or their bank or medical page, etc. But that they can not talk to some service that is only on IPv6.. This is not going to be a major player.. Sure they might not be able to vpn to their home network if their isp doesn't give them ipv4..

          • S
            slu @johnpoz
            last edited by

            @johnpoz said in Secure Wireless Hotspot rule with IPv6:

            @slu you're saying you get no IPv4 address, not even a rfc1918 or cgnat

            The ipv4 is CGNAT and I have a new "ipv6 problem",
            my ISP changes the ipv6 subnet prefix /56 with every new dial in. 😠

            How do I add a firewall rule with a changing /56 subnet without cutting out
            my complete ISP subnet/destinations?

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @slu
              last edited by

              @slu said in Secure Wireless Hotspot rule with IPv6:

              my ISP changes the ipv6 subnet prefix /56 with every new dial in.

              No you don't say ;) It is so unlike an ISP to have some shit IPv6 deployment.. hahahaah

              Did you try setting pfsense not to release the prefix?

              ipv6.jpg

              You can use the variables lan net, lan address, So vs using a cidr, just create specific blocks to your other networks lan net, opt net, optX net, etc..

              So my "simple" solution is looking better isn't it - why exactly do these clients need IPv6 again? They can't get to their home hosted plex servers or something that only have IPv6 for unsolicited inbound traffic.. What major resource on the internet can they not get to exactly with IPv4?

              If working with your isp ipv6 deployment methods is painful - you could always just setup a HE tunnel, free /48 that never changes.. And you can setup the PTRs on it as well.. Highly doubt your isp lets you do that with the prefixes they give you that change any time the wind blows..

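The rule order described in the posts above (pass DNS/NTP to the firewall, block the local networks, then pass 2000::/3), as an added example that is not part of the thread and not pfSense code: a small first-match evaluator showing why 2001::/16 is too narrow and why a hard-coded /56 block stops protecting the LAN once the ISP changes the prefix. The prefixes come from the documentation range, and the subnet IDs and function names are assumptions.

```python
import ipaddress as ip

GUA = ip.ip_network("2000::/3")      # all IPv6 global unicast space
NARROW = ip.ip_network("2001::/16")  # the range the thread calls incorrect
# Constructed sample values: documentation prefix, hypothetical subnet IDs.
OLD, NEW = "2001:db8:aa00::/56", "2001:db8:bb00::/56"
LAN_ID, GUEST_ID = 1, 0x10

def build_rules(fw_addr, local_nets, internet):
    """First-match list: pass DNS/NTP to the firewall, block local, pass internet."""
    fw = ip.ip_network(f"{fw_addr}/128")
    rules = [("pass", fw, "udp", 53), ("pass", fw, "tcp", 53), ("pass", fw, "udp", 123)]
    rules += [("block", ip.ip_network(n), None, None) for n in local_nets]
    rules.append(("pass", internet, None, None))
    return rules

def evaluate(rules, dst, proto, port):
    """Action of the first matching rule; anything unmatched is blocked."""
    addr = ip.ip_address(dst)
    for action, net, r_proto, r_port in rules:
        if addr in net and r_proto in (None, proto) and r_port in (None, port):
            return action
    return "block"

def interface_nets(delegated, subnet_ids):
    """Model of 'lan net' / 'optX net': the /64s carved from the current /56."""
    subnets = list(ip.ip_network(delegated).subnets(new_prefix=64))
    return [str(subnets[i]) for i in subnet_ids]

def demo():
    # State after the ISP has handed out NEW in place of OLD.
    lan_new, guest_new = interface_nets(NEW, [LAN_ID, GUEST_ID])
    fw = str(ip.ip_network(guest_new)[1])         # firewall's guest-side address
    lan_host = str(ip.ip_network(lan_new)[0x50])  # a host on the renumbered LAN
    resolver = "2606:4700:4700::1111"             # public resolver outside 2001::/16
    stale = build_rules(fw, [OLD], GUA)           # block rule hard-codes the old /56
    dynamic = build_rules(fw, [lan_new], GUA)     # block rule follows 'lan net'
    narrow = build_rules(fw, [NEW], NARROW)
    return {
        "dns_to_firewall": evaluate(dynamic, fw, "udp", 53),
        "resolver_via_2000_3": evaluate(dynamic, resolver, "tcp", 443),
        "resolver_via_2001_16": evaluate(narrow, resolver, "tcp", 443),
        "lan_with_stale_cidr": evaluate(stale, lan_host, "tcp", 443),
        "lan_with_lan_net": evaluate(dynamic, lan_host, "tcp", 443),
    }

if __name__ == "__main__":
    for check, action in demo().items():
        print(f"{check}: {action}")
```

The `lan_with_stale_cidr` result is the failure mode to watch for: once the prefix changes, the old block rule matches nothing and the guest network reaches the LAN through the internet pass rule.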
              • S
                slu @johnpoz
                last edited by

                @johnpoz said in Secure Wireless Hotspot rule with IPv6:

                No you don't say ;)

                Yes we have two locations, one with static /56 (no problem) and one with dynamic /56...

                @johnpoz said in Secure Wireless Hotspot rule with IPv6:

                It is so unlike an ISP to have some shit IPv6 deployment..

                You say it, this makes the good IPv6 technology wrongly bad...

                @johnpoz said in Secure Wireless Hotspot rule with IPv6:

                Did you try setting pfsense not to release the prefix?

                Didn't know that, thanks for the hint!
                I try...

                • GertjanG
                  Gertjan @slu
                  last edited by

                  @slu

                  Something, related to the captive portal, is missing in this thread :
                  See here : Captive Portal

                  Currently, Captive Portal does not support IPv6.

                  IPv6 over Wifi, protected using whatever AP method you use, works just fine with IPv6.
                  But when you activate a "captive portal" on a pfSense interface, you have only IPv4 to worry about.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  • S
                    slu @Gertjan
                    last edited by

                    @Gertjan
                    thanks for the hint, I didn't see that.

                    • S
                      slu @johnpoz
                      last edited by

                      @johnpoz said in Secure Wireless Hotspot rule with IPv6:

                      haha - they should update that.. That for sure isn't correct.. If you wanted to create a cidr that included all IPv6 GUA space it would be 2000::/3

                      How can we trigger this change in the docs?

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @slu
                        last edited by

                        @slu said in Secure Wireless Hotspot rule with IPv6:

                        How can we trigger this change in the docs?

                        You could put in a redmine..

                        https://redmine.pfsense.org/projects/pfsense-docs

                        • S
                          slu @johnpoz
                          last edited by slu

                          @johnpoz said in Secure Wireless Hotspot rule with IPv6:

                          You could put in a redmine..

                          https://redmine.pfsense.org/issues/14948

                          Hope I did it right.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.