Netgate Discussion Forum

PfSense behind a neutered router and DSlite

12 Posts 5 Posters 5.3k Views
  • dr0n3, posted Sep 26, 2014, 5:17 PM (last edited Sep 26, 2014, 5:21 PM)

    Hi,

    I'm playing with the thought of building a pfSense box and using it as a VPN server, firewall, web cache and such.
    My setup is probably the most awful you could imagine.

    .--------------.    .--------------.    .--------------.    .--------------.
    |     ISP      +----+    Router    +----+   pfSense    +----+     LAN      |
    '--------------'    '--------------'    '--------------'    '--------------'

    ISP: KabelBW (Germany)
        It's a cable provider.
        I get public IPv6 with a /56 prefix, the IPv4 is routed through Carrier-grade NAT (DualStack lite).

    Router: Technicolor TC 7200
        Is a branded device.
        Is neutered through the provider.
        No Bridge mode (I would need to switch to a more expensive business plan to get them to unlock it).
        No DMZ, no prefix delegation. BUT it is able to log to a syslog server.
        I can NOT use my own modem.

    pfSense:
        I have NOT bought one yet.
        I want to grab some opinions on how to set it up, if possible at all.
        Should work as a VPN server, SquidCache, Firewall etc.

    LAN:
        The usual.
        Switch, WiFi AP, several devices, VM's, what not.

    Since I cannot put my router into bridge mode, how would you suggest setting this up?

    Double NAT (rather triple NAT, since DSlite) should work for IPv4. But due to the carrier-NAT, it is slower than native IPv6 traffic.
    Since the router does not support prefix delegation, it shouldn't be possible to get public IPv6 behind the pfSense (or should it?).

    Does pfSense support IPv6 NAT? I found this, but no corresponding entry in the wiki.
    I do know that IPv6 is not meant to be NATed, but that would probably solve the issue.

    If I bridged LAN and WAN on pfSense to get it running in a transparent mode like here, would it still be possible to use pfSense as a VPN server, SquidCache etc.? And how would IPv6 behave?

    Thanks.

    • kejianshi, posted Sep 28, 2014, 11:02 AM

      I think you can bypass your NAT problems with IPV6 depending on geography.  Where are you?

      • stefvienna, posted Sep 28, 2014, 5:28 PM

        @dr0n3:

        ISP: KabelBW (Germany)
            It's a cable provider.
            I get public IPv6 with a /56 prefix, the IPv4 is routed through Carrier-grade NAT (DualStack lite).

        Hi,
        I have a similar setup here in Vienna - same Provider, i.e. UPC (same holding company as Unitymedia/KabelBW).
        I also have a modem with DSLite, IPv6.
        I run a mesh network of two PC Engines apu1d4 and a bigger Soekris box, all three on pfSense v2.1.5. Running everything (i.e. three OpenVPN tunnels) on IPv4 works like a charm.
        But just yesterday I tried to switch on IPv6 as well and all hell broke loose …
        As soon as I switched on both v4 and v6 on the WAN interface, all tunnels became unstable and throughput became abysmal .... not sure what I did wrong .... the only IPv6 rules I had inserted were to block everything besides DHCPv6. :-(

        Cheers, Stefan

        • dr0n3, posted Sep 28, 2014, 6:18 PM

          @kejianshi:

          I think you can bypass your NAT problems with IPV6 depending on geography.  Where are you?

          I'm not sure what you are talking about. I'm in Germany.

          @stefvienna:

          Hi,
          I have a similar setup here in Vienna - same Provider, i.e. UPC (same holding company as Unitymedia/KabelBW).
          I also have a modem with DSLite, IPv6.
          I run a mesh network of two PC Engines apu1d4 and a bigger Soekris box, all three on pfSense v2.1.5. Running everything (i.e. three OpenVPN tunnels) on IPv4 works like a charm.
          But just yesterday I tried to switch on IPv6 as well and all hell broke loose …
          As soon as I switched on both v4 and v6 on the WAN interface, all tunnels became unstable and throughput became abysmal .... not sure what I did wrong .... the only IPv6 rules I had inserted were to block everything besides DHCPv6. :-(

          Cheers, Stefan

          Well, I don't own a box yet. So I can't really help you there.

          • kejianshi, posted Sep 29, 2014, 1:43 AM (last edited Sep 29, 2014, 2:25 AM)

            Well, you can have many layers of IPv4 NAT and still use Hurricane Electric IPv6, for example, as long as the first router at the modem allows ICMP.

            Then you don't need to come up with any schemes to NAT IPv6.

            Servers are in Berlin and Frankfurt, so latency and speed should be nice if you did that.

            • dr0n3, posted Sep 29, 2014, 6:56 AM

              The problem would be that I would be routing IPv6 over IPv4.
              And since IPv4 is NATed by the ISP, I am not able to max out my connection and therefore would prefer my native IPv6 connection.

              • kejianshi, posted Sep 29, 2014, 9:01 AM

                I don't think NAT is going to slow down your IPv6 at all.

                I have it both ways, native and Hurricane Electric, and let me tell you, so far native sucks compared to Hurricane Electric.

                • dr0n3, posted Oct 17, 2014, 2:31 PM (last edited Oct 17, 2014, 2:45 PM)

                  I do have pfSense up and running now and am trying to configure it.

                  First of all: a Hurricane Electric tunnel does not work, since my IPv4 is, as I already said, behind DS-Lite and the ISP seems to block ICMP.

                  Other than that, it is mostly as I expected it to be.
                  The WAN interface gets a 192.168.0.x IP, because it's running behind a router.
                  It also gets IPv6 through SLAAC. Judging by the info of the ISP router, it's a /64 subnet (not the /56 I stated previously: the router itself receives a /56 but only hands out a /64 on the LAN ports).
                  Using the ping tool integrated into pfSense shows that there is a valid IPv6 connection on the WAN port.

                  How do I proceed now?

                  pfSense seems to be able to obtain an IPv6 address through DHCPv6. Would setting up a DHCP relay be an option?
                  I tried setting it up, but my computer does not get an IPv6 address at all. Not even if I set up the DHCPv6 service.

                  Any ideas?

                  Edit:

                  Just read this thread.

                  I did set the LAN IPv6 to track WAN and rebooted.
                  -> Computer and pfSense LAN both obtain IPv6 addresses from the /64 subnet.

                  However, tracing ipv6.google.com shows that I am able to reach the pfSense LAN interface and that's it. It's followed by timeouts.

                  • Think-Networks, posted Oct 20, 2014, 8:06 AM
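The symptom in the post above (LAN hosts get addresses from the WAN's /64 via "track interface", yet a traceroute dies one hop past the pfSense LAN interface) is a prefix problem rather than a firewall problem. This is an added example, not code from the thread or from pfSense: it checks whether a router's LAN prefix was actually delegated or merely copied from the WAN's on-link /64, and shows how many /64s a /56 versus a /64 delegation can supply. All addresses are constructed from the 2001:db8::/32 documentation range.

```python
# Added example (not from the thread): IPv6 prefix sanity check modelling the
# "track WAN without prefix delegation" failure. Addresses are constructed.
import ipaddress
from typing import List, Optional, Tuple


def lan_subnets_from_delegation(prefix: str) -> List[ipaddress.IPv6Network]:
    """All /64s a delegated prefix can hand to downstream LANs.
    A /56 yields 256 of them; a bare /64 yields exactly one (itself), which
    is why it matters whether the ISP router passes on a /56 or a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; SLAAC cannot run on it")
    return list(net.subnets(new_prefix=64))


def diagnose(wan_if: str, lan_if: str, delegated: Optional[str]) -> Tuple[str, str]:
    """Classify a router's IPv6 addressing from its WAN and LAN interface
    addresses (ifconfig-style 'addr/len') and the delegated prefix, if any."""
    wan = ipaddress.IPv6Interface(wan_if)
    lan = ipaddress.IPv6Interface(lan_if)
    if delegated is not None:
        pd = ipaddress.IPv6Network(delegated, strict=False)
        if not lan.network.subnet_of(pd):
            return ("misconfigured", f"LAN {lan.network} is outside delegated {pd}")
        if lan.network != wan.network:
            return ("ok", f"LAN {lan.network} carved from delegated {pd}")
    if lan.network == wan.network:
        # The case from the post: LAN "tracks" a WAN that only has an on-link
        # /64. Hosts get addresses, but the upstream router resolves that /64
        # with NDP on its own segment and never forwards replies through
        # pfSense, so traffic stops at the pfSense LAN hop.
        return ("overlap", f"LAN reuses WAN's on-link {wan.network}; "
                           "no delegation, return traffic is black-holed")
    return ("unrouted", f"{lan.network} was never delegated upstream")


if __name__ == "__main__":
    # Constructed: WAN /64 via SLAAC, LAN tracking that same /64.
    print(diagnose("2001:db8:0:1::2/64", "2001:db8:0:1::1/64", None))
    # Constructed: what a working /56 delegation would look like.
    print(diagnose("2001:db8:0:1::2/64", "2001:db8:ff00:1::1/64",
                   "2001:db8:ff00::/56"))
    print(len(lan_subnets_from_delegation("2001:db8:ff00::/56")), "usable /64s")
```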

                    I'm using KD also now and have a Hitron modem in bridge mode, which therefore disables IPv6 >:(. I'm hoping they enable that function soon, as that would be better than double NAT.

                    Speaking of which, though, you should be able to bridge from the customer portal on the website? That's where I did it, but as mentioned IPv6 will be disabled till they figure that out.

                    Didn't know this thing was DS-Lite also, need to go check up on that.

                    Here to learn and offer any help I can!

                    Think Networks, Inc.
                    http://www.think-networks.com

                    • dr0n3, posted Oct 20, 2014, 8:48 AM

                      I'm with Unitymedia/KabelBW, not Kabel Deutschland.

                      And I would be pleased if I could get a bridge mode.

                      The option itself is available through the web interface of the router. But if you enable it, the router restarts, pulls the configuration from the ISP and sets itself back to router mode.
                      If you want them to enable bridge mode, you need to get a business contract.

                      • Guest, posted Oct 20, 2014, 9:00 AM

                        I would not put too much effort into this; hopefully next year they can fu** off with this router stuff.

                        http://www.teltarif.de/wirtschaftsministerium-routerzwang-abschaffen/news/57335.html

                        • kejianshi, posted Oct 20, 2014, 9:25 AM (last edited Oct 20, 2014, 9:29 AM)

                          I wonder why any government would want to control what types of routers its citizens can use?

                          Only one thing comes to mind…

                          The one-size-fits-all solution of forcing a particular (usually crappy) router to be used is bad for many, many people.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.