IPv6 Setup with two chained pfSense Firewalls
-
Hi everybody,
I recently wanted to setup IPv6 with pfSense since we received a true dual stack fiber connection. However my knowledge of how address assignment should work is far too bad to configure this. Our setup consists of a pfSense box providing NAT-ed internet access to four separate internal LANs. An additional pfSense box sits on the 'outside' cable between our main gateway and the ISP for doing some traffic shaping for all LANs together. The traffic shaper also has NAT enabled.
Graphically:
ISP <---> pfSense(TrafficShaper) <---> pfSense(Router) <---> Internal LANs 1-4
Let's say the four internal LANs are 10.1.0.0/16 to 10.4.0.0/16, and the network between Router and TrafficShaper has 10.254.0.0/24. This works perfectly in IPv4.
We do have an external /48 IPv6 subnet. How can I setup IPv6 (without NAT is ok for the moment) over these two levels of firewalls? I think I could figure out how to do it over one firewall, but I can't really come up with a solution for the two stage setup.
Could anybody provide a suggestion? I'm very glad for any answers! I hope I will eventually understand IPv6 routing like I do for v4 right now.
Best regards
Rainer
-
Split your /48 into /64s
Allocate a /64 to each of your lan interfaces.
On the pfSense(TrafficShaper) allocate the first address of an unused /64 to the pfSense(TrafficShaper) to pfSense(Router) interface, and the next free address on the other end of the interlink on the pfSense(Router).
The pfSense(Router) would route all unknown IPv6 traffic out its WAN interface.
The pfSense(TrafficShaper) would need a route added for your IPv6 subnets pointing to the pfSense(Router)
You don't NAT IPv6.
http://www.gestioip.net/cgi-bin/subnet_calculator.cgi
-
Ah, I see. So the intermediate network between Router and TrafficShaper would be a completely separate /64 subnet.
My main problem was that I thought I need some kind of hierarchical network setup where the intermediate network between Router and TrafficShaper is a larger (e.g. /60) network containing the /64 networks of the LANs. This was obviously a misbelief.
Thanks a lot. I'll try that tomorrow.
Btw: could I use a link local or unique local address in this intermediate network or one of the public subnets beside the LAN ones? Does it matter?
-
Btw: could I use a link local or unique local address in this intermediate network or one of the public subnets beside the LAN ones? Does it matter?
IPv6 routers normally use the link local address. You can see this by examining your routes. For example, here is the default IPv6 route on a Linux system:
default via fe80::1:1 dev eth0 proto ra metric 1024 expires 54sec hoplimit 64 pref medium
Notice, the link local address is not MAC based, but created by the router.
However, it may be desirable to have another address for it. It doesn't have to be a global unicast address; it could be a unique local address, which is used in the same manner as RFC1918 addresses in IPv4. That is, they're routable, but not allowed on the public Internet.
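As an added illustration of the point above (my own example code, not from the post): parse the quoted `ip -6 route` line and report what kind of address the gateway is, so that a link-local, RA-learned gateway can be told apart from a unique local or global one. The sample line is the one shown in the post; the parser, the flag list and the scope names are assumptions of this example.

```python
"""Added example, not from the post: parse an `ip -6 route` line and
classify its gateway address (link-local / unique-local / global)."""
from ipaddress import IPv6Address, IPv6Network

# the default route line quoted in the post above
SAMPLE = ("default via fe80::1:1 dev eth0 proto ra metric 1024 "
          "expires 54sec hoplimit 64 pref medium")

# keywords that `ip route` prints without a following value (assumed list)
FLAGS = {"onlink", "linkdown", "dead", "pervasive"}

ULA = IPv6Network("fc00::/7")   # unique local addresses, IPv6's RFC1918 analogue


def parse_route(line: str) -> dict:
    """Split one `ip -6 route` line into {"dst": ..., key: value, ...}."""
    tokens = line.split()
    fields = {"dst": tokens[0]}
    i = 1
    while i < len(tokens):
        if tokens[i] in FLAGS:          # bare flag, no value follows
            fields[tokens[i]] = True
            i += 1
        else:                           # "key value" pair
            fields[tokens[i]] = tokens[i + 1]
            i += 2
    return fields


def address_scope(addr: str) -> str:
    """Name the scope of an IPv6 address the way the post distinguishes them."""
    a = IPv6Address(addr)
    if a.is_link_local:                 # fe80::/10: what router advertisements hand out
        return "link-local"
    if a in ULA:                        # fc00::/7: routable inside the site only
        return "unique-local"
    if a.is_global:
        return "global-unicast"
    return "other"


def describe(line: str) -> dict:
    """Summarise a route line: destination, device, gateway and how it was learned."""
    r = parse_route(line)
    gw = r.get("via")
    return {
        "dst": r["dst"],
        "dev": r.get("dev"),
        "gateway": gw,
        "learned_from_ra": r.get("proto") == "ra",   # "proto ra" = router advertisement
        "gateway_scope": address_scope(gw) if gw else "none",
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(f"{key:16} {value}")
```

Run against the quoted line it reports the gateway `fe80::1:1` as link-local and learned from a router advertisement, which is exactly the case the post describes; feed it a line with `via fd00:...` or a global address and the scope changes accordingly.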
-
Link-local gw address is what you'll get from automatic configuration, SLAAC or DHCPv6. A routable Unicast IPv6 address is perfectly fine as the gw address for manual configuration.
-
Ok, now more questions arose; somehow I don't get it:
Let's say my public v6 range is ac::/48. ac::1 is the ISP's gateway.
I now did the following:
* I gave the TrafficShaper a static address of ac::2/48 on the WAN interface and ac:ffff::1/64 on the LAN side.
* I gave the Router a static address of ac:ffff::2/64 on its WAN interface facing the TrafficShaper and ac:1::1/64 to ac:4::1/64 on the four internal LANs.
Now I have 5 /64 subnets, four (ac:1 to ac:4) for the actual LANs, and another one (ac:ffff) for the intermediate network between Router and TrafficShaper.
Pinging works over single hops only now:
* a client in LAN1 can ping ac:1::1
* the Router can ping ac:ffff::1
* the TrafficShaper can ping ac::1
So basically the upstream direction should work, probably also over all hops. But what do I have to do to make the replies go through?
* Do I have to manually add exceptions to the firewall now because of the missing NAT for IPv6?
* How does TrafficShaper know where to route packets to ac:1::/64 to ac:4::/64? It doesn't know about these networks, and without NAT the requests originate from hosts inside these networks, not the Router WAN IP.
* Is it correct to have the WAN interface of TrafficShaper set to /48, or should this be smaller as well? Because /48 would actually hide the /64 subnet on its LAN side. I'm really at a loss here.
-
Did your ISP give you two blocks of addresses ?
I was given a /64 for the WAN and a /48 for my LANs.
It might be worded ND Prefix & PD prefix.
/64 Neighbour Discovery (ND) Prefix. This is used to automatically address the WAN interface of your Router, or if you are directly connected without a router, the WAN interface of that device.
/48 Delegation Prefix. This is usually provided over DHCPv6, and requires that your router acts as a requesting router for the purpose of IPv6 delegation RFC3633 - (https://tools.ietf.org/html/rfc3633). Subnets of this prefix are used by the CPE to address devices on the LAN. If prefix delegation is not supported on the router, a suggested interface ID and static route is available, which should allow routing to take place.
-
/64 Neighbour Discovery (ND) Prefix. This is used to automatically address the WAN interface of your Router, or if you are directly connected without a router, the WAN interface of that device.
Actually, it's router advertisements that do that. The router advertisements tell the device the network address and the router link local address. If necessary, a device can do a router solicitation to trigger an advertisement. Neighbour discovery is used to find the MAC address for a host's IPv6 address.