Prefer ipv4 over ipv6
-
Ok, I have working ipv6 tunnel with HE - and it works great, etc etc. And yes I have unbound setup so I can query it via IPv6 address, etc. etc. But in general I do not want to use ipv6 unless I am specifically dealing with something on ipv6
by default I want pfsense to use ipv4 before ipv6
Now from googlefu I have found that if I run this command
/etc/rc.d/ip6addrctl prefer_ipv4It likes ipv4 better than ipv6, ie doing a dig +trace for some record does not use ipv6 for the .net tld root servers.
; <<>> DiG 9.8.1-P1 <<>> www.neowin.net +trace
;; global options: +cmd
;; Received 228 bytes from 192.168.1.253#53(192.168.1.253) in 2578 ms
;; Received 489 bytes from 2001:500:2f::f#53(2001:500:2f::f) in 1366 ms
;; Received 134 bytes from 192.5.6.30#53(192.5.6.30) in 188 msBut can not seem to find clear instructions on how I setup a ip6addrctl.conf for other file that maintains this setting after reboot.
I have look over the file /etc/rc.d/ip6addrctl – but not sure if just not enough coffee yet, or just having a brain fart on correct way to set this after reboot other then setting up the command "/etc/rc.d/ip6addrctl prefer_ipv4" to run but that doesn't seem like the correct way to me ;)
If I read it right if I want to use .conf file then I need to setup the whole table and since I want ipv4 used before ipv6 then set ::ffff:0.0.0.0/96 prefix with a higher precedence
Maybe this is something that could be added as simple click in the gui? ;)
-
Install the shellcmd package and just add a shellcmd in there to run the command you want, it will then run at each boot.
-
Thats not really proper way to do it ;)
Look like I just have to configure the preferences I want in the .conf – time to read up on http://www.ietf.org/rfc/rfc3484.txt
I'm really bad on the whole sorting of destination addresses based upon preference, etc. I know higher preference is better than lower so if I want ipv4 before IPv6 I need to set ::ffff:0.0.0.0/96 with higher precendence.
-
Do note that setting this preference on pfSense has absolutely no affect on the address selection of the client nodes.
There is no setting where routers can tell clients which address family to use.
-
Agreed, but I know how to do it windows and in linux as well ;)
So in windows simple as
prefer ipv4 over ipv6
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 32in linux just edit the gai.conf file so ::ffff:0.0.0.0/96 in not commented out
But freebsd/pfsense does not have gai.conf, seems its controlled with ip6addrctl
Just to read up how to setup its .conf file is all
And here's the thing when ipv6 is preferred by default and using unbound looking up from roots, even though you ask unbound using ipv4, and it talks to say root with ipv4, it then talks to tld root using ipv6 which has to go over the ipv6 tunnel, which is slower for me.. Pinging gateway ipv4 is like 9 to 14ms, pinging ipv6 gateway is like 44ms
From my example
;; Received 228 bytes from 192.168.1.253#53(192.168.1.253) in 2578 ms
;; Received 489 bytes from 2001:500:2f::f#53(2001:500:2f::f) in 1366 ms
;; Received 134 bytes from 192.5.6.30#53(192.5.6.30) in 188 msSo don't get me wrong I love my HE tunnel – but I don't want it doing dns over ipv6 unless I am specifically wanting to do dns over ipv6, etc. by default I want all traffic to use ipv4 unless I am using ipv6, etc.
so now with set to prefer ipv4 and I do dig for something it always using ipv4 and doesn't take the ipv6 address just because it gets back a AAAA record, etc.
Just need to figure out syntax of .conf for ip6addctrl is all -- and a check box somewhere in the pfsense gui would be a kewl option ;)
-
It's described here.
http://www.freebsd.org/cgi/man.cgi?query=ip6addrctl&sektion=8 -
yeah yeah I have seen that ;) But is there someowhere where it talks more about the config file?
other than just this?
install configfile
Install policy entries from a configuration file named
configfile. The configuration file should contain a set of pol-
icy entries. Each entry is specified in a single line which con-
tains an IPv6 prefix, a decimal precedence value, and a decimal
label value, separated with white space or tab characters. In
the configuration file, lines beginning with the pound-sign (`#')
are comments and are ignored.Maybe an example conf file?
-
I see your dns query times are horrible. I see this happen at the AMS pop from HE frequently too.
They restart the resolver process there frequently but it still bogs down very frequently.
dnsmasq is faster in that it asks all server simultaneously on pfsense. But that will be replaced with unbound soon? which would make this a issue.
I've since switched to the google anycasted IPv6 DNS servers which works pretty well.
My tunnel latency is about +8ms which is hardly a issue, your latency is +30ms which is pretty good. Everything below <100ms is very hard to notice, but clearly the resolver on that end is stuck as well seeing > 2000ms latencies.74.82.42.42 10 msec
2001:4860:4860::8844 22 msec
2001:470:20::2 10 msecThat's more like it.
Google also has the 2001:4860:4860::8888 resolver, to keep in line with their ip4 resolvers.
Everytime I see the latency on their resolvers spike it does not show on their v4 resolver, leading me to believe these are seperate devices.
-
are you talking about this?
;; Received 228 bytes from 192.168.1.253#53(192.168.1.253) in 2578 ms
That is my local pfsense box running unbound on IPv6, but that query was done over ipv4 – not sure why the response was so bad?? I wasn't looking at the response time.
But this
;; Received 489 bytes from 2001:500:2f::f#53(2001:500:2f::f) in 1366 msIs one of the root servers
;; ANSWER SECTION:
f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.2.0.0.0.0.5.0.1.0.0.2.ip6.arpa. 7200 IN PTR f.root-servers.net.Yeah my tunnel response is not very good, which is why I try and not have anything default to using IPv6 through the tunnel, unless I am specifically wanting to play/use the IPv6 address.
That clearly has nothing to do with the he dns resolvers - I am not using them at all.
Must be something with the VM, doing queries from my windows box on the same network to both ipv4 and ipv6 address of my unbound running on pfsense both very low, like 3 to 6 ms.. But on VM it fluctuates quite a bit actually some are like 4, others 121ms, etc.. Seems higher with ipv6 than ipv4 -- but very limited sample of tests ;)
-
ok – got woke up early because of a false node down call so had some time to look at this this morning ;)
So from what I have read, if you create a /etc/ip6addrctrl.conf file with what you want, so I created
::ffff:0.0.0.0/96 50 0 ::1/128 40 1 ::/0 30 2 2002::/16 20 3 ::/96 10 4Which is prefix precedence label and from my understanding sets ipv4 over ipv6, normally ::ffff:0.0.0.0/96 would have prec of 10
So tested it with ip6addrctl install /etc/ip6addrctl.conf and worked – great so added ip6addrctl_enable="YES" to rc.conf and should run at startup see the /etc/ip6addrctrl.conf file and load it
But forgot that pfsense overwrites rc.conf on reboot?? So I just copied ip6addrctl to /usr/local/etc/rc.d/ and added .sh to it and reboot and yeah now have my policy installed
[2.1-DEVELOPMENT][root@pfsense.local.lan]/(17): ip6addrctl Prefix Prec Label Use ::ffff:0.0.0.0/96 50 0 0 ::1/128 40 1 0 ::/0 30 2 126 2002::/16 20 3 0 ::/96 10 4 0Not sure this is the proper way to do it, but from what I have read this is the way to do it.
-
I agree that there should be a better way to prioritize one over the other.
Note this thread is strictly about traffic initiated by the firewall, which in most networks is little to none (only syncing its time, pulling in packages, update checking). For traffic initiated by hosts in your network, you must configure those hosts accordingly, the firewall cannot impact whether they use v4 or v6.
-
exactly.. its only the pfsense traffic. Where I noticed the slow down was it using my ipv6 tunnel when talking to root dns.
I want the ability to use ipv6 for dns when I am testing it, but I don't want that to be the default, etc.
I would be a nice feature to be able to choose this - when running native it might not matter for latency.. But I can tell for sure that my he tunnel is slower than ipv4