IPv6 LAN to WAN Difficulties
-
i was think that it wouldn't work if you had the same subnets on both sides of pfsense …
Right. So first your ISP should supply, native IPv6, at least prefix /63 or lower size-value.
I think a /64 prefix won't work for creating a LAN. -
i got a /64 network all to my self, the last 64 bit's of an ipv6 address is for interfaces, so the way it should work is the pfsense just works as an firewall and don't route.. the ipv6 world is an nat free world :)
-
i got a /64 network all to my self, the last 64 bit's of an ipv6 address is for interfaces, so the way it should work is the pfsense just works as an firewall and don't route.. the ipv6 world is an nat free world :)
Well, WAN - LAN on pfSense needs routing. WAN subnetvalue is not equal to LAN subnetvalue.
-
@hda:
i got a /64 network all to my self, the last 64 bit's of an ipv6 address is for interfaces, so the way it should work is the pfsense just works as an firewall and don't route.. the ipv6 world is an nat free world :)
Well, WAN - LAN on pfSense needs routing. WAN subnetvalue is not LAN subnetvalue.
the "routing" is that not what the track interface is for??
-
the "routing" is that not what the track interface is for??
I think Track Interface is in case of renewal of WAN.
Now, suppose you want more than one LAN routed & firewalled, what do you think is needed in such case ?
-
@hda:
the "routing" is that not what the track interface is for??
I think tracking is case renewal of WAN.
Now, suppose you want more than one LAN routed & firewalled, what do you think is needed in such case ?
i am not sure… the way i understand ipv6 is that everyone device get and ipv6 address and the way you limit the access from the wan to your lan and the other way is by firewall.
but if you have a case where you have 1 wan and 2 lan interfaces (to lan1 and lan2) and you wanner control what addresses go to lan1 and lan2 that would be done by some sort of static route but i am not sure i..
-
i am not sure…
but if you have a case where you have 1 wan and 2 lan interfaces (to lan1 and lan2) and you wanner control what addresses go to lan1 and lan2 that would be done by some sort of static route but i am not sure i..
I recommend to study IPv6 RFC's for how IPv6 is supposed to work, before activating pfSense-IPv6 parallel to IPv4.
You want to be secure to control IPv6 streams by understanding what is going on, don't you ?See also http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm case subnetvalue. You are a site-administrator :)
Reference to my thread-reply #18
-
@hda:
i am not sure…
but if you have a case where you have 1 wan and 2 lan interfaces (to lan1 and lan2) and you wanner control what addresses go to lan1 and lan2 that would be done by some sort of static route but i am not sure i..
I recommend to study IPv6 RFC's for how IPv6 is supposed to work, before activating pfSense-IPv6 parallel to IPv4.
You want to be secure to control IPv6 streams by understanding what is going on, don't you ?See also http://www.tcpipguide.com/free/t_IPv6GlobalUnicastAddressFormat-2.htm case subnetvalue. You are a site-administrator :)
Reference to my thread-reply #18
that one is on me i gave you the wrong addresses i got from my isp it is more like 2001:878:989::xxx/64 my isp is only giving me the interface addresses to play with the prefix and subnet is chosen for me so what i get from my isp is only one subnet it might not be possible to do what i wanner do… as you say having the same subnet on the wan as the lan site should be a problem.. but i was hoping there was a way
-
.. but i was hoping there was a way
There is. :) Demand at least a prefix /63 (or smaller like /62 or /60).
That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1:/64 so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN-prefix.
-
@hda:
There is. :) Demand at least a prefix /63 (or smaller like /62 or /60).
That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1:/64 so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN-prefix.
i tried that and it just don't do what it should… i can ping google from the wan and local host on pfsense but any thing on the other side of pfsense just don't work.... what ever is wrong is beyond me
-
@hda:
There is. :) Demand at least a prefix /63 (or smaller like /62 or /60).
That way pfSense-WAN can occupy subnet 'xxx0' and enable your pfSense-LAN to take subnet 'xxx1'. Then your LAN has address prefix 2001:878:989:xxx1:/64 so a host on that LAN can make a public (no NAT) /128 number by adding its 64-bit ID to that LAN-prefix.
i tried that and it just don't do what it should… i can ping google from the wan and local host on pfsense but any thing on the other side of pfsense just don't work.... what ever is wrong is beyond me
"Demand prefix /63" I mean your specification towards your ISP.
Then your ISP should supply at least a /63 to you/pfSense, when you do WAN-DHCP6(PD) to them.And your pfSense-box is the direct outbound to your ISP, right ? (Not behind a MoDem/router OK ?)
-
@hda:
"Demand prefix /63" I mean your specification towards your ISP.
Then your ISP should supply at least a /63 to you/pfSense, when you do WAN-DHCP6(PD) to them.And your pfSense-box is the direct outbound to your ISP, right ? (Not behind a MoDem/router OK ?)
tried that and it dont work i set up wan interface as dhcp6 and DHCPv6 Prefix Delegation size as 62 and 63, lan interface set to track interface and all that crap but still no ip's a given to my equipment on the lan side.
but if i set up static ip on the lan and dhcpv6 router advertisements to unmanaged i get ip's that look right but still i can't ping google….
and if you think it could be the firewall it's not that, i set an any any rule so that should not be the problem -
I too just had this issue. Had to allow IPv6 ICMP responses in to the local LAN in order to pass ipv6-test.com. Does anyone have any additional information on this? Seems like allowing this outright might have some security implications?
Thanks!
-
IPv6 needs ICMP to function properly.
Here's one: http://blogs.cisco.com/security/icmp-and-security-in-ipv6
