IPv6 over NAT
-
Hello,
We are using pfSense as a firewall for a couple of webservers. This is the current setup:
WAN -- pfSense -- Switch -- Webserver1
                         -- Webserver2
                         -- Etc.
The pfSense firewall has multiple public IPv4 addresses connected to its primary interface.
All the webservers have a local IPv4 address (192.168.1.0/24) and the pfSense machine's second interface has an address in the same range.
If we add a webserver to this setup, we add an extra IPv4 address to the firewall, create a local IP for the webserver and create a 1:1 link between the two addresses. This works without any problems.
The problems started when we wanted to add an IPv6 address to one of the webservers. To get this working, I added an IPv6 address to pfSense, added a second IPv6 address for the webserver and created another 1:1 link. I used the IPv6 address as External subnet IP and used the webserver internal IPv4 address as Internal IP.
For the first couple of minutes this seems not to do anything. After some time, the firewall starts to drop all connections. :o
I needed to reboot the firewall to get my connections back up. Can anyone tell me what I did wrong and how I should set this up?
Thanks!
-
How are the IPv6s routed to you? Ideally you should get a small subnet for the WAN side, and a large subnet for the DMZ (server) side. You set up the small subnet on pfsense's WAN, then set up a /64 from the large subnet on your DMZ. Then each server gets an address in that /64. There is no need for 1:1 since all (yes not all, for argument's sake agree to that statement) IPv6s are publicly routable.
-
The problems started when we wanted to add an IPv6 address to one of the webservers. To get this working, I added an IPv6 address to pfSense, added a second IPv6 address for the webserver and created another 1:1 link. I used the IPv6 address as External subnet IP and used the webserver internal IPv4 address as Internal IP.
For the first couple of minutes this seems not to do anything. After some time, the firewall starts to drop all connections. :o
I needed to reboot the firewall to get my connections back up. Can anyone tell me what I did wrong and how I should set this up?
Thanks!
IPv6 is designed to work without NAT.
If you add IPv6 static addresses yourself, this works possibly against required prefix-delegation.
What is your ISP's method of handing you a global IPv6 prefix?
-
Actually, IPv4 is designed to work without NAT too. ;)
With IPv6 there should be no reason to use NAT. 18 billion billion addresses per segment ought to be enough for anybody.
If IPv6 is all working, just add a firewall rule to WAN allowing traffic to the web server's IPv6 address on the proper ports. Forget about NAT.
-
Thank you for all your reactions.
I got a /48 routed to the VPS with the firewall installed.
So if I understand it correctly, I can just add an IP from that /48 to my webserver, create a rule and it should work? :o
-
Yes and no.
Take the /48 and split it up into /64s. /64 is the smallest that should be allocated per network (for pfsense's sake it's per interface). Assign one /64 to the WAN side. Assign a different /64 to the DMZ (server side). Then take an address from the /64 (obviously other than the one you use on pfsense) and assign it to the server. Create appropriate rules and you are done.
EDIT: Too early in the morning. What do you mean directly routed to the VPS? Does pfsense already have any IPv6 assigned to it on the WAN side? (In other words, is the /48 routed to you over a smaller net?) If yes, ignore my /64 on WAN above, and just split the /48 into /64s and start assigning to servers (not a whole /64 to a server obviously :p)
-
So if I understand it correctly, I can just add an IP from that /48 to my webserver, create a rule and it should work? :o
Basically it works with prefix delegation of a /64 to your LAN side. Then you decide the method to assign a box a number. That is by SLAAC or by DHCPd or static. Focus is on the last 64 bits which you must manage locally.
-
That sounds easy enough :) The problem is that is not working the way I expected. :-[
I added the IPv6 address to the LAN interface on the webserver.
[code]
root@webshoptest:~# ifconfig
eth1      Link encap:Ethernet  HWaddr 52:54:00:58:79:49
          inet addr:192.168.7.2  Bcast:192.168.7.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe58:7949/64 Scope:Link
          inet6 addr: 2a01:7c8:aab5:2b7::2/48 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:438 (438.0 B)  TX bytes:606 (606.0 B)
root@webshoptest:~#
[/code]
I added a (external) IPv6 address to the WAN port on the firewall and added an internal IPv6 address to the LAN port.
And I created two rules for this setup:
The ping rule is working, the http rule is not. What am I missing?
Thanks!
-
The ifconfig interface address is wrong. It should say /64 Scope:Global in the end.
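To make the /48-into-/64s plan from the earlier reply and the "/64 Scope:Global" correction above concrete, here is an added Python example (not pfSense's or the poster's code). It carves /64s out of the thread's routed /48, derives the modified-EUI-64 address SLAAC forms from the server's MAC (which is exactly the fe80:: link-local address in the ifconfig output), and flags a host address configured with the wrong prefix length. The subnet ids (0 for WAN, 0x2b7 for the DMZ) are an assumed layout taken from the address shown in the ifconfig output.

```python
"""Plan /64s from the routed /48, derive a SLAAC address, check a host config."""
import ipaddress

# Taken from the thread: the routed /48 and the server's MAC address.
SITE_PREFIX = "2a01:7c8:aab5::/48"
SERVER_MAC = "52:54:00:58:79:49"
# Assumed layout: a 16-bit subnet id per network (0x2b7 matches the ifconfig output).
LAYOUT = {"wan": 0x0, "dmz": 0x2b7}

def plan_64s(site, layout):
    """Map each network name to its own /64 inside the /48 (one /64 per interface)."""
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    base = int(net.network_address)
    plan = {}
    for name, sid in layout.items():
        if not 0 <= sid < 2 ** 16:
            raise ValueError(f"subnet id {sid:#x} does not fit in a /48")
        plan[name] = ipaddress.IPv6Network((base + (sid << 64), 64))
    return plan

def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    octets = bytearray(int(x, 16) for x in mac.split(":"))
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")

def slaac_address(prefix64, mac):
    """Address SLAAC forms: the 64-bit prefix followed by the 64-bit interface id."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:  # this is why autoconfiguration breaks on anything but a /64
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) + eui64_interface_id(mac))

def check_host_config(configured, plan):
    """Return (ok, detail): the planned /64 the address sits in, or what is wrong."""
    iface = ipaddress.IPv6Interface(configured)
    if iface.network.prefixlen != 64:
        return False, f"prefix length /{iface.network.prefixlen} should be /64"
    for name, net in plan.items():
        if iface.ip in net:
            return True, name
    return False, "address is not inside any planned /64"

if __name__ == "__main__":
    plan = plan_64s(SITE_PREFIX, LAYOUT)
    print({k: str(v) for k, v in plan.items()})
    print(slaac_address(str(plan["dmz"]), SERVER_MAC))
    print(check_host_config("2a01:7c8:aab5:2b7::2/48", plan))
```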
-
The rule says the source port should be 80, I'm assuming it's applied to the DMZ interface, which means that outside connections to your server should work (ie server has port 80 open), but server > internet site shouldn't. Is that what you are seeing?
-
What am I missing?
My understanding of IPv6: don't route other or larger (i.e. /48) than a /64. And static IPs are a /128.
-
@hda:
My understanding of IPv6: don't route other or larger (i.e. /48) than a /64. And static IPs are a /128.
Nope. Being static has nothing to do with how large a subnet is.
IPv6 must be assigned in /64s per interface. So a /64 for LAN, a /64 for DMZ, a /64 for WIFI. You can assign smaller subnets than that, but it's not recommended (auto configuration breaks, since it expects to be able to fit the mac address in the IP address). And with the large number of /64s in a /48 you'll run out of rack space before you can allocate all the /64s, trust me ;)