Netgate Discussion Forum
    Very Basic IPv6 security question.

    79 Posts 9 Posters 20.9k Views 12 Watching
guardian Rebel Alliance @johnpoz

      @johnpoz said in Very Basic IPv6 security question.:

      @guardian what did you not understand about you can not ping a gua from link local?

      You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.

      @johnpoz I understand you can not ping a gua from link local - what I don't understand is what pfSense is actually doing, and how the gateway monitor gets set up or what address the pings get sent from. Ping/traceroute work from the menu, (but the actual address used isn't shown), but the pinger isn't working and I had no idea why. There was a point (when I didn't have a working system), that I had a working pinger - I believe it was before I set up prefix delegation - I think the router was being issued a single /64 - but I can't remember.

      @JKnott said in Very Basic IPv6 security question.:

      @johnpoz said in Very Basic IPv6 security question.:

      @guardian what did you not understand about you can not ping a gua from link local?

      You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.

      Since he's on Rogers, he should have a WAN GUA. In my own testing, I've determined that a link local monitor address won't work, as the gateway address doesn't respond to pings. It's been so long since I set up my own system that I forgot that was why I couldn't use a link local address. However, a monitor address is not necessary for a working system. There's also the IPv4 one that should work.

@JKnott, @johnpoz is there a way forward, or should I just disable the monitor and hide it from the dashboard?

      I notice the same thing with IPv4, that the monitor is using internal addresses. Is there some way to display my public IP on the dashboard? (if not, no big deal, but it would be "nice" to have.).

      If you find my post useful, please give it a thumbs up!
      pfSense 2.8.0-RELEASE

johnpoz LAYER 8 Global Moderator @guardian

        @guardian said in Very Basic IPv6 security question.:

        Is there some way to display my public IP on the dashboard?

        Does your wan have a public IPv4 address? Or are you behind a nat?

For your IPv6 - not getting a GUA, do you have this set?

[screenshot: ipv6.jpg]

        If you actually have public IPv4 and IPv6 address - they would be shown on what your gateway is and the actual interfaces

[screenshot: display.jpg]

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

JKnott @guardian

          @guardian said in Very Basic IPv6 security question.:

          @JKnott, @johnpoz is there a way forward, or should I just disable the montior and hide it from the dashbord?

          I notice the same thing with IPv4, that the monitor is using internal addresses. Is there some way to display my public IP on the dashboard? (if not, no big deal, but it would be "nice" to have.).

          You can add the interfaces widget to the dashboard. As for your monitor, as I mentioned you don't need it. Normally pfSense will use the gateway as the monitor address. That works for IPv4, but with Rogers, on IPv6, it doesn't work, because the Rogers gateway doesn't respond to ping. As I mentioned earlier, I just ran a traceroute to Google and picked the first GUA that turned up.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

guardian Rebel Alliance @johnpoz
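As an added example (not from this thread, pfSense or Netgate), the script below does in code what JKnott describes: read traceroute6 output, skip the link-local gateway hop and hops that never answer, take the first global unicast (2000::/3) hop as the monitor candidate, and then check the point johnpoz makes, that a WAN holding only a link-local address has no source address to ping a GUA from. The traceroute text and every address in it are constructed (2001:db8::/32 documentation space); the scope rule is a simplified RFC 6724 source selection written for illustration, not pfSense's implementation.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Address ranges used for scope decisions (RFC 4291). GUA is matched against
# 2000::/3 rather than IPv6Address.is_global so that the 2001:db8::/32
# documentation prefix used in the constructed sample below counts as global.
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GUA = ipaddress.ip_network("2000::/3")

# Constructed traceroute6 output (hypothetical addresses). Hop 1 is the ISP
# gateway, seen only by its link-local address; hop 2 answers no probes.
SAMPLE_TRACEROUTE6 = """\
traceroute6 to example.net (2001:db8:ffff::80), 64 hops max, 28 byte packets
 1  fe80::1  1.042 ms  0.981 ms  0.990 ms
 2  * * *
 3  2001:db8:f00:1::1  9.812 ms  8.417 ms  9.003 ms
 4  2001:db8:f00:2::1  11.023 ms  10.551 ms  10.990 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(.*)$")


@dataclass
class Hop:
    number: int
    addr: Optional[ipaddress.IPv6Address]  # None when every probe was lost
    answered: bool


@dataclass
class MonitorChoice:
    monitor: Optional[str]  # GUA to put in the gateway's Monitor IP field
    source: Optional[str]   # WAN address the monitor pings would be sent from
    hop: Optional[int]
    reason: str


def scope(addr) -> str:
    """Classify an address as link-local, global, loopback or other (ULA etc.)."""
    addr = ipaddress.IPv6Address(addr)
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in GUA:
        return "global"
    if addr.is_loopback:
        return "loopback"
    return "other"


def parse_hops(text: str) -> List[Hop]:
    """Parse numeric hop lines; the header line and unparsable lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        number, addr_field, rest = int(m.group(1)), m.group(2), m.group(3)
        addr = None
        if addr_field != "*":
            try:
                addr = ipaddress.IPv6Address(addr_field)
            except ValueError:
                continue  # name-resolved output is not handled in this example
        hops.append(Hop(number, addr, "ms" in rest))
    return hops


def pick_source(dest, wan_addresses) -> Optional[ipaddress.IPv6Address]:
    """Simplified RFC 6724 source selection: require a WAN address of the
    destination's scope. A link-local-only WAN has no source for a GUA target,
    which is why monitor pings to a GUA go nowhere in that configuration."""
    for a in wan_addresses:
        if scope(a) == scope(dest):
            return a
    return None


def choose_monitor(traceroute_text: str, wan_addresses) -> MonitorChoice:
    """Return the first answering GUA hop as the monitor candidate, or explain
    why none can be used with the given WAN addresses."""
    wan = [ipaddress.IPv6Address(a) for a in wan_addresses]
    for hop in parse_hops(traceroute_text):
        if hop.addr is None or not hop.answered or scope(hop.addr) != "global":
            continue  # skip lost probes and the link-local gateway hop
        src = pick_source(hop.addr, wan)
        if src is None:
            return MonitorChoice(None, None, hop.number,
                                 f"first GUA hop {hop.addr} cannot be monitored: "
                                 "WAN has no GUA to send from (link-local only)")
        return MonitorChoice(str(hop.addr), str(src), hop.number,
                             "first answering GUA hop on the path")
    return MonitorChoice(None, None, None, "no answering GUA hop in the trace")


if __name__ == "__main__":
    print(choose_monitor(SAMPLE_TRACEROUTE6, ["fe80::a:b:c:d", "2001:db8:a:2::1"]))
    print(choose_monitor(SAMPLE_TRACEROUTE6, ["fe80::a:b:c:d"]))
```

Against a real system, feed it the output of `traceroute6 -n <host>` and the addresses shown by `ifconfig` on the WAN interface; the candidate it returns is what would go in the gateway's Monitor IP field. If the ISP later renumbers that hop, the consequence is the one JKnott points out below: the monitor shows the gateway as down and nothing else breaks.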

            @johnpoz said in Very Basic IPv6 security question.:

            @guardian said in Very Basic IPv6 security question.:

            Is there some way to display my public IP on the dashboard?

            Does your wan have a public IPv4 address? Or are you behind a nat?

            For you IPv6 - not getting a gua, do you have this set?

[screenshot]

            If you actually have public IPv4 and IPv6 address - they would be shown on what your gateway is and the actual interfaces

            @johnpoz, @JKnott - TLDR; Pinger working now thanks--and IPv6 still OK!

I have a public IPv4 address, but the pinger widget displays the gateway (x.x.x.1) address even though the pinger is working.

I turned off the setting you suggested. I had it set because it was part of the settings recommended earlier that got my IPv6 connectivity working. It turns out that this setting wasn't a necessary part of the changes, so turning it off got the pinger working again without causing problems. I guess that the link-local address and the x.x.x.1 address are technically the gateway -- but with multiple L3 addresses on an interface showing through, it still shows a link-local address in the widget.

            @JKnott said in Very Basic IPv6 security question.:

            You can add the interfaces widget to the dashboard. As for your monitor, as I mentioned you don't need it. Normally pfSense will use the gateway as the monitor address. That works for IPv4, but with Rogers, on IPv6, it doesn't work, because the Rogers gateway doesn't respond to ping.

            @JKnott thanks for the suggestion about the Interfaces widget, that gives me what I want.

            As I mentioned earlier, I just ran a traceroute to Google and picked the first GUA that turned up.

            Isn't that a bit risky in this day of infrastructure as code? I don't think the public IP is going to change anytime soon, but what about the path to it?

JKnott @guardian

              @guardian said in Very Basic IPv6 security question.:

              Isn't that a bit risky in this day of infrastructure as code? I don't think the public IP is going to change anytime soon, but what about the path to it?

That address is still on my ISP's network, so it likely won't change. As long as it's there, along the path or not, it will work. Regardless, the worst that could happen is the monitor stops working. Big deal.

              I have a public IPv4 address, but the pinger widget displays the gateway (x.x.x.1) address even though the pinger is working.

              By default, the gateway address is used. However, as I mentioned, that didn't work on IPv6 with Rogers, as the IPv6 gateway doesn't respond to pings. If it did, the link local address would have worked, with or without a WAN GUA.

You're discovering some of the ways IPv6 differs from IPv4. With IPv4, you don't have the link local address to use for routing etc. You also don't need a WAN GUA, something you couldn't get away with on IPv4.

johnpoz LAYER 8 Global Moderator @JKnott

                @JKnott said in Very Basic IPv6 security question.:

                You also don't need a WAN GUA, something you couldn't get away with on IPv4.

Says who? You can for sure do the same thing with IPv4. You can use 169.254 as a transit, you can use any RFC1918 as transit - the transit network doesn't have to route to use it as a transit network. See it all the time actually.

Where it makes less sense to do this is IPv6 - where you have a bajillion, pretty much unlimited IP space. Unlike with IPv4. Not putting a GUA on the transit in IPv6 is pretty stupid to be honest. Why should you not make it routable when you don't have to worry about running out of IP space to use ;)

JKnott @johnpoz

                  @johnpoz said in Very Basic IPv6 security question.:

You can use 169.254 as a transit, you can use any rfc1918 as transit - the transit network doesn't have to route to use it as transit network.. See it all the time actually..

                  I was referring to WAN addresses. My ISP used to use some RFC1918 addresses internally. I saw them when I did a traceroute.

                  @johnpoz said in Very Basic IPv6 security question.:

                  Not putting a gua on the transist in IPv6 is pretty stupid to be honest..

Maybe the ISP doesn't want to "waste" a whole /65 to support it. 😉

                  I don't have a problem with using the link local addresses for routing. In fact, you don't even need any address, with a point to point link. All you need is the interface.

MoonKnight @JKnott

Hi, sorry for opening this topic after 1 year :/
I have disabled all IPv6 on my system, and also added
[screenshot]

Have been running like this for a long time. Until I noticed when I do a "DNS Lookup"
it takes almost 20 seconds before you get any answer. And why?
[screenshot]
As you can see, the name server that does not respond is ::1 (IPv6 localhost)

So when I change this to YES.
[screenshot]

And do another DNS Lookup it answers right away.
[screenshot]
And now ::1 responds also
I don't know if this is a bug or not. But it is quite annoying when you have to wait almost 20 seconds for every DNS lookup. :)

                    --- 25.07.1 ---
                    Intel(R) Xeon(R) CPU D-1518 @ 2.20GHz
                    Kingston DDR4 2666MHz 16GB ECC
                    2 x HyperX Fury SSD 120GB (ZFS-mirror)
                    2 x Intel i210 (ports)
                    4 x Intel i350 (ports)

RobbieTT @MoonKnight
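An added example, not the thread's own content: MoonKnight's screenshots are not reproduced on this page and the post does not say which pfSense setting was toggled, so the script below only shows the mechanism behind the stall. It parses a constructed resolv.conf, flags every IPv6 nameserver (::1 included) as unreachable when IPv6 is meant to be disabled, bounds the time a query can lose on dead servers using the resolver(5) defaults of a 5-second timeout and 2 attempts (an `options` line overrides them), and emits a cleaned file. The bound is a simple upper bound for illustration, not a reproduction of the 20-second figure reported above.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed resolv.conf (not copied from any real system). The ::1 entry
# stands in for the IPv6 loopback nameserver the post above describes.
SAMPLE_RESOLV_CONF = """\
# constructed sample
nameserver 127.0.0.1
nameserver ::1
nameserver 2001:db8::53
nameserver 192.0.2.53
search example.internal
"""

# resolver(5) defaults, applied when no options line overrides them:
# RES_TIMEOUT is 5 seconds per try, RES_DFLRETRY is 2 tries per server.
DEFAULT_TIMEOUT = 5
DEFAULT_ATTEMPTS = 2


@dataclass
class Audit:
    reachable: List[str] = field(default_factory=list)
    unreachable: List[str] = field(default_factory=list)
    timeout: int = DEFAULT_TIMEOUT
    attempts: int = DEFAULT_ATTEMPTS

    def worst_case_stall(self) -> int:
        """Upper bound on seconds a single query can lose waiting on dead
        servers: each may be tried `attempts` times with `timeout` each."""
        return len(self.unreachable) * self.timeout * self.attempts


def parse_options(text: str) -> Tuple[int, int]:
    """Read timeout:N and attempts:N from an options line, else the defaults."""
    timeout, attempts = DEFAULT_TIMEOUT, DEFAULT_ATTEMPTS
    for line in text.splitlines():
        if not line.startswith("options"):
            continue
        m = re.search(r"\btimeout:(\d+)", line)
        if m:
            timeout = int(m.group(1))
        m = re.search(r"\battempts:(\d+)", line)
        if m:
            attempts = int(m.group(1))
    return timeout, attempts


def audit_resolv_conf(text: str, ipv6_enabled: bool) -> Audit:
    """Split nameserver entries into ones the host can reach and ones it
    cannot. With IPv6 disabled every IPv6 server, loopback or not, is dead
    weight that the resolver still waits on before moving to the next one."""
    result = Audit()
    result.timeout, result.attempts = parse_options(text)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            result.unreachable.append(parts[1])  # malformed entry never answers
            continue
        if addr.version == 6 and not ipv6_enabled:
            result.unreachable.append(str(addr))
        else:
            result.reachable.append(str(addr))
    return result


def rewrite_resolv_conf(text: str, ipv6_enabled: bool) -> str:
    """Return the file with unreachable nameserver lines dropped; search,
    options and comment lines are kept verbatim."""
    dead = set(audit_resolv_conf(text, ipv6_enabled).unreachable)
    kept = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            key = parts[1]
            try:
                key = str(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass
            if key in dead:
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_resolv_conf(SAMPLE_RESOLV_CONF, ipv6_enabled=False)
    print("unreachable:", report.unreachable, "stall <=", report.worst_case_stall(), "s")
    print(rewrite_resolv_conf(SAMPLE_RESOLV_CONF, ipv6_enabled=False))
```

The useful direction is the one RobbieTT gives below: either leave IPv6 on, or remove every IPv6 consumer, resolver entries included, rather than disabling the stack underneath them.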

                      @MoonKnight

                      If you have anything, including DNS, that points to an IPv6 address (such as a name server) and you disable bits of IPv6 then yes, you will have a problem. To stop using IPv6 you have to be meticulous in removing all uses of it.

                      I've no idea why anyone wants to remove the more modern IP system that is IPv6 from their network - it is clearly beyond my brain. I guess there must be a reason somewhere but the future that is IPv6 will get you at some point... .

                      Almost all my traffic is IPv6 these days, what little IPv4 there is seems to be confined to some servers and services in the US. Weird.

☕️

MoonKnight @RobbieTT

                        @RobbieTT
Hi, yeah I know IPv6 is the future, but right now my system has only been using IPv4 for many years. And after upgrading to 24.03 or something, something new appeared
[screenshot]
And I don't know how to get rid of it :) Even though I'm sure I have disabled all IPv6 settings.

the other @MoonKnight

                          @MoonKnight
                          no sweat!
Just ignore that...it's just IPv6's way of saying: Home is where 127.0.0.1 AND ::1 are...
                          :)

                          the other

                          pure amateur home user, no business or professional background
                          please excuse poor english skills and typpoz :)

MoonKnight @the other

                            @the-other

hehe :) I know, but I believe this is a bug. Not that ::1 is there, but that DNS Lookup is so slow if you disable all IPv6. And because of that, DNS Lookup still uses IPv6 for DNS lookups. :/
                            I was hoping maybe some others have found the same "issue" :)

JonathanLee @johnpoz

                              @johnpoz said in Very Basic IPv6 security question.:

@JKnott I think it is at the root of the question. Trying to lock down IPv6 is much harder than just IPv4 because of temp IPv6 addresses. With IPv4 if a device has address 1.2.3.4 it can't just randomly use 1.2.3.5 to make a connection..

You could still do static IPv6 assignments. I did that and there were no longer temps showing up.

                              Make sure to upvote

JonathanLee @MoonKnight

                                @MoonKnight that is just a loopback

JonathanLee @guardian

                                  @guardian said in Very Basic IPv6 security question.:

                                  Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.

                                  I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.)

                                  IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network.

                                  Am I correct, or do I need to take measures to protect my network?

                                  My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN.

                                  P.S.: Any suggestions as to helpful learning resources would be much appreciated.

You can access the web GUI over IPv6. So make sure you secure that, FYI.

Example: every interface can access the firewall GUI unless you block it...

[screenshot, 2024-07-28]

                                  Test it and see..

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.