IPv6 readiness of packages…
-
I think it would be useful to indicate not only which packages are installing in 2.1, but also which are IPv6 ready, since the biggest reason to upgrade to 2.1 is official IPv6 support, so it would be important to see which of the packages are up to par with the base system.
Most packages I look at have no clue about IPv6: vhosts, ipguard, Dansguardian, etc. only have IPv4 address support from all I can tell. I haven't gone through all of them, yet, still…
...it would be easier if that were part of the package description, and one could have a picture of what's going on before upgrading the system, and opening a can of worms. -
squid and snort have IPv6 support but no pfSense GUI yet. Options work when manually added to their advance option
Dansguardian doesn't natively support IPv6. There's a patch but I couldn't make it work a couple of months ago when i tried to compile it. http://tech.groups.yahoo.com/group/dansguardian/message/24827
-
I hoped that some of the package maintainers would have a bit more active stance with regards to Ipv6.
I do see good work, but most of it is targeted to IPv4 features, not even basic interface support for HAproxy for example is there. Nor varnish, squid and others.
I sent a email to the developers list last year pleading for developers to get a tunnel and work from there. I did not get much response at the time. Now a year later there is still almost nothing there.
So unless they step up the packages will ship as they are.
-
jimp posted here a list with information about IPv6. It would be worth a look:
http://forum.pfsense.org/index.php/topic,50603.0.htmlFreeRADIUS2 has IPv6 support ;) - would be great if someone has time to do a test on it.
-
I have a column in the spreadsheet for IPv6, and some comments. I used to have that in the main IPv6 status spreadsheet but moved it to the packages one.
Some things may work as-is, others may need some work. We're at the mercy of both the underlying software, and the package maintainers there.
If someone has tried IPv6 on a package and it works, I'll update the sheet. If it's known not to work, same deal.
Some, like OSPF and BGP, will need some heavy lifting to make it work. Not impossible, but just not there yet.
-
I have a column in the spreadsheet for IPv6, and some comments. I used to have that in the main IPv6 status spreadsheet but moved it to the packages one.
Ah, thanks for the pointer. Just noted that the vhosts package isn't even listed in that spreadsheet, though.
-
There's more than one tab/sheet… :-)
FYI- I was pleasantly surprised to find out darkstat not only started with no extra changes needed, but fully supports and graphs/tracks IPv6.
-
There's more than one tab/sheet… :-)
FYI- I was pleasantly surprised to find out darkstat not only started with no extra changes needed, but fully supports and graphs/tracks IPv6.
on an only slightly related note: how can we get ntop to show tunnelbroker/GIF tunnel traffic? It seems to support IPv6 just fine, but it doesn't show the tunnel as an interface, it only shows the actual physical interfaces, not the logical ones.
-
Not sure there I haven't tried that one yet on my box that has a gif tunnel. I fired it up on a VM and it was happy but I didn't leave it running.
I may toss it on my edge firewall and see how it goes later.
I thought it would listen on any interface it was configured to run on, no matter what type it was.
-
Well, the interface shows up when I reselected it in pfsense's ntop settings tab, it somehow was disabled when I was playing around with the snort-related IPv6 blocking and I recreated the interface assignments.
However, it doesn't show the IPv6 address, it lists gif0 as a loopback device with an IPv4 address of 0.0.0.0 and the IPv6 address shows as empty, when it should have no IPv4 address, and a real IPv6 address instead.
And in ntop's Admin > Switch NIC list, gif0 doesn't show up, either.
-
However, it doesn't show the IPv6 address, it lists gif0 as a loopback device with an IPv4 address of 0.0.0.0 and the IPv6 address shows as empty, when it should have no IPv4 address, and a real IPv6 address instead.
And in ntop's Admin > Switch NIC list, gif0 doesn't show up, either.
I've noticed the same thing with my gif0 interface.. been like that for a while now… wondering if ntop doesn't know what to do with it
-
Have you tried darkstat? It might be able to catch that traffic.
EDIT: darkstat does seem to happily graph data for one of my gif interfaces, but I didn't try it extensively.
-
Have you tried darkstat? It might be able to catch that traffic.
EDIT: darkstat does seem to happily graph data for one of my gif interfaces, but I didn't try it extensively.
Well, darkstat doesn't start up here (from syslog):
Jun 26 19:51:26 php: /status_services.php: The command '/usr/local/etc/rc.d/darkstat.sh stop' returned exit code '1', the output was 'No matching processes were found'
Jun 26 19:50:34 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/darkstat.sh stop' returned exit code '1', the output was 'No matching processes were found'
Jun 26 19:50:34 check_reload_status: Syncing firewall
Jun 26 19:50:31 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/darkstat.sh stop' returned exit code '1', the output was 'No matching processes were found'
Jun 26 19:48:39 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/darkstat.sh stop' returned exit code '1', the output was 'No matching processes were found'
Jun 26 19:48:39 check_reload_status: Syncing firewall
Jun 26 19:48:36 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/darkstat.sh stop' returned exit code '1', the output was 'No matching processes were found'Also, a way that these packages, e.g. darkstat, NTOP, etc. can use things like WAN6 (the name I gave the interface) instead of OPT2 or gif0?
-
select only 1 interface and try again… IIRC darkstat only works with one interface. The GUI shouldn't allow you to select more then one IMHO.. I think that's the reason why I stop using it a while ago..
-
select only 1 interface and try again… IIRC darkstat only works with one interface. The GUI shouldn't allow you to select more then one IMHO.. I think that's the reason why I stop using it a while ago..
Indeed. Bummer. I guess the package could launch multiple instances on different interfaces. And then one would have to access the various web pages for the different interfaces in some way…
-
Yes, you are correct about the one interface limitation. Saw this also.
Saw that the service was "Stopped" and tried to start it manually in CLI to see the result and got the following:I checked the "darkstat.sh" and it includes (for my setting) the following:
"/usr/local/sbin/darkstat -i gif0 -i re0 -p 666"But if I try to do a "./darkstat.sh start" manually it gives the following error:
[2.1-BETA0][admin@pfsense.mrzaz.com]/usr/local/etc/rc.d(25): ./darkstat.sh start
error: already specified argument "-i"
darkstat 3.0.715 (using libpcap version 1.0.0)usage: darkstat [ -i interface ]
[ -r file ]
[ -p port ]
.
.I checked a "man darkstat" on internet and found a one for the linux version and it specifies -i as in singular, not plural.
-i interface
Capture traffic on the specified network interface. This is the only mandatory commandline argument.I don't know if it is possible to run darkstat on multiple interfaces at the same time in one darkstat instance !?
//Danne
-
I don't know if it is possible to run darkstat on multiple interfaces at the same time in one darkstat instance !?
I doubt it. But one might be able to launch several instances, each running on one interface.
-
I don't know if it is possible to run darkstat on multiple interfaces at the same time in one darkstat instance !?
I doubt it. But one might be able to launch several instances, each running on one interface.
However, then it will start separate WEB-instances as well. You could not have it combined.
(eg. <ip>:666, <ip>:667 and so on.) And this is not prepared today in the current package./Dan</ip></ip>
