Is putting IPv4 and IPv6 on separate interfaces a good idea?
-
Hello!
I am using a PC Engines APU2 for my pfSense firewall and I am currently moving to set up IPv6 in my network. The APU2 has 3 network interfaces which I am using for WAN, LAN and OPT - the 3rd is currently unused.
My WAN interface has IPv4 and IPv6 addresses from my ISP. I was thinking it would make sense to separate IPv4 and IPv6 onto the two internal interfaces on my LAN, like this:

                              ---> LAN4 (IPv4) <---
Modem <---> WAN (IPv4/IPv6) pfsense                        Network Switch
                              ---> LAN6 (IPv6) <---

In this way I could configure IPv4 and IPv6 on different interfaces and monitor each interface.
Does this make sense or am I generating any problems I am not aware of?
-
I have no idea why you would want or need to do that. Just set up IPv4 and IPv6 on the LAN and be done with it. KISS principle.
-
Hmm, maybe I should have explained in a bit more detail why I want to do this.
First of all, it's for monitoring. If I have two interfaces I can see exactly in the traffic graphs how much IPv4 vs IPv6 traffic is going through my firewall. I can also see several other metrics on a per-interface basis, which in this configuration means per IP protocol.
Second, it's configuration. A lot of pfSense services are interface-based. For example Squid proxy. Since Squid doesn't support IPv6 it would be clearer to just set up Squid to listen on the IPv4 (LAN4) interface but not the IPv6 (LAN6) one. Similarly for other services like the DHCP vs DHCPv6 server etc.
Is this still not good enough reason to configure it this way? Any potential problems?
Thanks!
-
If you have separate interfaces for IPv4 & IPv6, you'll also need separate interfaces on each computer that you want to have both protocols. Also, monitoring is easy enough by filtering what you want to measure. For example, the pfSense packet capture can be configured for whatever protocol you want. You can do the same with Wireshark.
-
The traffic graphs already separate out IPv4 and IPv6 pass/block counters.
There is no scenario I can think of where it makes more sense to separate the interfaces in this way, especially if both are connected to the same layer 2.
-
Okay got it, not really any advantage doing it this way and might be more complex as well to manage.
I'll go back to have IPv4+IPv6 on my LAN and use the spare OPT port for a DMZ.
Thanks everyone for their inputs on this!
-
Unless you want to test how devices behave (better said, how much broken they are) on an IPv6-only network, then no, absolutely NOT.