Netgate Discussion Forum

    IPv6 hosting website

    22 Posts 5 Posters 2.4k Views
    Exocomp

      So it appears my ISP does provide IPv6 and I made some progress where I was able to enable IPv6 on pfSense and got an IPv6 address on my WAN on pfSense - yay!

      Ok, what I'm having a hard time understanding now is how do I use pfSense as a firewall in front of my web server?  What would I set the LAN IPv6 interface to on pfSense? And on my web server what would I enter for the address and default gateway?

    JKnott

        Most ISPs use DHCPv6-PD to assign a block of addresses.  The smallest prefix or block is a /64, which is 18.4 billion, billion addresses.  With this you should have an IPv6 address on the WAN side as well as addresses within your prefix on your LAN.  The address prefix, along with router and DNS addresses are sent by pfSense to the devices on your network.  Each device will create its own address, using the prefix and the MAC address or a random number.

        Also, an ISP may provide more than one /64 prefix.  Mine gives me a /56, which is 256 /64s.  I can assign these to other interfaces, VLANs etc.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

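As an added worked example (not code from the thread), the Python below does what JKnott describes: it forms a modified EUI-64 interface identifier from a MAC address, forms a random identifier of the kind privacy addresses use, joins either one to an advertised /64, and carves a /56 delegation into /64s for additional interfaces or VLANs. The MAC `00:11:22:33:44:55` and the prefix `2001:db8:ab00::/56` are constructed sample values.

```python
"""SLAAC address formation from a DHCPv6-PD delegation (added example, not from the thread).

A host takes the /64 that pfSense advertises and appends a 64-bit interface
identifier (IID): either the modified EUI-64 of its MAC (RFC 4291) or a
random value as used for privacy addresses (RFC 4941).  A larger delegation
such as a /56 is simply 256 consecutive /64s, one per LAN or VLAN.
The MAC address and prefixes used here are constructed sample values.
"""
import ipaddress
import secrets


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 IID: flip the universal/local bit (0x02) of the first
    octet and splice ff:fe between the OUI and the device part."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def random_iid() -> int:
    """Privacy-style IID: 64 random bits with the u/l bit (bit 6 of the first
    octet, i.e. bit 57 of the 64-bit value) cleared so it can never collide
    with a globally unique EUI-64."""
    return int.from_bytes(secrets.token_bytes(8), "big") & ~(1 << 57)


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine an advertised /64 with an IID the way a host does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64, got /{net.prefixlen}")
    if iid >> 64:
        raise ValueError("IID wider than 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def lan_subnets(delegation: str, count: int) -> list:
    """The first `count` /64s of a delegated prefix (a /56 yields up to 256)."""
    net = ipaddress.IPv6Network(delegation, strict=False)
    if net.prefixlen > 64:
        raise ValueError("delegation must be a /64 or shorter to carve /64s from it")
    available = 2 ** (64 - net.prefixlen)
    gen = net.subnets(new_prefix=64)
    return [next(gen) for _ in range(min(count, available))]


if __name__ == "__main__":
    pd = "2001:db8:ab00::/56"            # constructed /56 from the ISP
    mac = "00:11:22:33:44:55"            # constructed server MAC
    lan = lan_subnets(pd, 1)[0]          # first /64 goes to the LAN
    print("LAN prefix:      ", lan)
    print("EUI-64 address:  ", slaac_address(str(lan), eui64_iid(mac)))
    print("privacy address: ", slaac_address(str(lan), random_iid()))
    print("spare /64s:      ", ", ".join(map(str, lan_subnets(pd, 4)[1:])))
```

The EUI-64 address is the one to publish in DNS and to target in a firewall rule, since it only changes when the NIC does; a random IID is what the privacy addresses discussed later in the thread carry, so that is the one not to publish.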
          Exocomp

          Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

            JKnott

            @Exocomp:

            Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

            Don't forget to update the DNS with the IPv6 address.  Also, one thing to be careful of.  IPv6 has something called "privacy addresses", which change regularly.  After a while, you'll see several of these.  You do not want to have the DNS pointing to one of those.  You need to use the MAC based address or, on Windows, the permanent random number.  Windows can also be configured to use the MAC address.


              Exocomp

              IPv6 has something called "privacy addresses", which change regularly.

              I saw those and disabled them, :)

                bigtfromaz

                I have a similar situation. I want to allow inbound traffic to a specific IPv6 host on my LAN.  I read this post and it all made sense to me but there are some things I don't understand.

                Here is some background:

                • My ISP does not provide a static delegated prefix, I receive it dynamically by "Tracking" the WAN from the LAN.  At least one of my target hosts will only use auto configuration and I can't change it.

                • For dynamic DNS, I wrote a PowerShell script that runs on the hosts. It updates my web-facing DNS server whenever the host's addresses change.  That was the easy part for me.

                • The pfSense firewall is configured to block all inbound IPv6 connections by default.

                Is there a way to write a firewall rule allowing inbound connections to pass through to a specific host when dynamic prefix delegation is in play?  What happens when my ISP changes the prefix for whatever reason?  Will pfSense alter the rules accordingly when the prefix changes?

                As a Gold supporter, I have access to The pfSense Book.  Hopefully this isn't a RTFM question but please feel free to point me to the right pages in book.

                  JKnott

                  ISPs generally don't provide static prefixes, but with DHCPv6-PD and DUID, you will likely always get the same prefix.  It's similar to what happens on IPv4, where you can request a previous address and get it if it's available.  With an almost static prefix, you don't need a dynamic DNS, as a regular one will work fine.


                    bigtfromaz

                    Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

                    Are you saying that pfSense has no way to do this without manual intervention?

                      JKnott

                      @bigtfromaz:

                      Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

                      Are you saying that pfSense has no way to do this without manual intervention?

                      When I first started using pfSense, my prefix would change for something as little as disconnecting & reconnecting the Ethernet cable.  Then an option "Do not allow PD/Address release", on the WAN tab, was added.  With that selected, my prefix does not change.


                        bigtfromaz

                        Already did that but still got a new prefix on a reboot.  No idea why but it's their address and they can do what they want.

                        Note that I am not looking for ways to avoid the change.  I am looking for ways to manage or accommodate the change without manual intervention.  This way any outage, no matter how rare, could be managed without manual intervention.

                        I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

                        I would like to avoid writing a dynamic prefix change detection script.  I am not a UNIX expert, nor do I have any experience managing firewall rules from a script.  The learning curve would be substantial.

                          JKnott

                          I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.


                            bigtfromaz

                            @JKnott:

                            I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                            It would be a nice feature though wouldn't it?

                              bimmerdriver

                              @Exocomp:

                              IPv6 has something called "privacy addresses", which change regularly.

                              I saw those and disabled them, :)

                              Why disable privacy addresses?

                                bimmerdriver

                                @bigtfromaz:

                                @JKnott:

                                I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                                It would be a nice feature though wouldn't it?

                                This feature has been requested numerous times.

                                  JKnott

                                  Why disable privacy addresses?

                                  No need for them on a server, where you'd normally use the MAC based address.  However, I also don't see the need to delete them.  They're not hurting anything.


                                    bigtfromaz

                                    OK.  If the feature has been requested numerous times, can anyone tell me if there are facilities for managing the firewall from script?  If so, I guess I would need documentation.  This would appear to be a simple matter of detecting a change to the prefix from a given interface, then changing and applying rules having the old prefix to refer to the new prefix.  It is not a fix, but a work around.

                                    For now I am going to turn IPv6 off on my WAN interface and set up an opt/gif tunnel using Hurricane Electric.  I have one running in a sandbox and I must be really close to the Phoenix entry point.  It seems to be adding only about 10 ms to my ping times.  It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.


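The rule target bigtfromaz asks for (a fixed host part behind whatever prefix the ISP currently delegates) can be approximated with a small script rather than a pfSense feature. The Python below is an added example, neither from the thread nor part of pfSense: it reads the current /64 off the LAN interface, derives the host addresses from fixed interface identifiers, and swaps them into the pf table that backs a pfSense host alias. The interface name `igb1`, the alias `v6_web_hosts`, the two IIDs and the `ifconfig` text are assumptions and constructed sample data.

```python
"""Recompute fixed-host IPv6 rule targets after a delegated-prefix change.

Added example, not pfSense code.  The thread wants a rule destination written
as "PD::aaaa:bbbb:cccc:dddd" (current prefix + static 64-bit host part).
pfSense has no such syntax, but a host-type alias is realised as a pf table
of the same name, so a script can read the LAN interface's current /64,
rebuild the addresses and swap them into the table with
`pfctl -t ALIAS -T replace ...`.  Interface name, alias name, host IIDs and
the ifconfig text below are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from typing import Optional

LAN_IF = "igb1"                 # assumed pfSense LAN interface (tracks the WAN PD)
ALIAS = "v6_web_hosts"          # assumed host alias referenced by the inbound pass rule
HOST_IIDS = {                   # constructed fixed IIDs (EUI-64 or stable-private)
    "www": "211:22ff:fe33:4455",
    "mail": "aaaa:bbbb:cccc:dddd",
}
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
INET6_RE = re.compile(r"^\s*inet6\s+(\S+)\s+prefixlen\s+(\d+)(.*)$", re.M)


def tracked_prefix(ifconfig_text: str) -> Optional[ipaddress.IPv6Network]:
    """The global /64 currently on the LAN interface, parsed from
    `ifconfig IF inet6` output.  Link-local, deprecated (old prefix) and
    temporary (privacy) addresses are skipped."""
    for addr, plen, flags in INET6_RE.findall(ifconfig_text):
        ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop the %scope suffix
        if ip not in GLOBAL_UNICAST or "deprecated" in flags or "temporary" in flags:
            continue
        if int(plen) == 64:
            return ipaddress.IPv6Network(f"{ip}/64", strict=False)
    return None


def host_addresses(prefix: ipaddress.IPv6Network) -> dict:
    """Prefix OR fixed IID for every host: the 'PD::host' the thread asks for."""
    base = int(prefix.network_address)
    result = {}
    for name, iid in HOST_IIDS.items():
        iid_int = int(ipaddress.IPv6Address("::" + iid))
        if iid_int >> 64:
            raise ValueError(f"{name}: IID {iid} is wider than 64 bits")
        result[name] = ipaddress.IPv6Address(base | iid_int)
    return result


def replace_command(alias: str, prefix: ipaddress.IPv6Network) -> list:
    """pfctl invocation that atomically replaces the table with the new targets."""
    targets = sorted(str(a) for a in host_addresses(prefix).values())
    return ["pfctl", "-t", alias, "-T", "replace", *targets]


def read_ifconfig(ifname: str = LAN_IF) -> str:
    """Live ifconfig output; only meaningful on the pfSense box itself."""
    return subprocess.run(["ifconfig", ifname, "inet6"],
                          capture_output=True, text=True, check=True).stdout


def refresh(ifconfig_text: str, apply: bool = False) -> Optional[list]:
    """Build (and optionally run) the replace command; None if no prefix is up."""
    prefix = tracked_prefix(ifconfig_text)
    if prefix is None:
        return None
    cmd = replace_command(ALIAS, prefix)
    if apply:
        subprocess.run(cmd, check=True)
    return cmd


# Constructed FreeBSD-style ifconfig output: a stale deprecated address from the
# previous delegation, the link-local, and the address from the current prefix.
SAMPLE_IFCONFIG = """\
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 2001:db8:1234::1 prefixlen 64 deprecated
\tinet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:ab00::1 prefixlen 64
"""

if __name__ == "__main__":
    # Dry run on the sample; on pfSense call refresh(read_ifconfig(), apply=True)
    # from cron, which is safe to repeat because `replace` is idempotent.
    print(" ".join(refresh(SAMPLE_IFCONFIG)))
```

To use it, create a host-type alias with that name (any placeholder addresses), reference the alias as the destination of the inbound pass rule, and run the script from cron. Two caveats: pfSense regenerates alias tables from the saved configuration whenever the filter is reloaded, so the runtime `pfctl` replacement has to be re-applied after a reload; and the host part is only a stable target if the host uses EUI-64 or stable-private identifiers rather than temporary addresses, which is the same point JKnott makes about DNS.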
                                      MikeV7896

                                      @bigtfromaz:

                                      I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

                                      Funny you mention this… I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address

                                      The S in IOT stands for Security

                                        bimmerdriver

                                        @bigtfromaz:

                                        It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

                                        Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.