To IPv6 or not to be - that is the question?
-
IPv6 is currently disabled on my pfSense router.
But I am not too sure why, and what the best practices and pros and cons are.
So sending this query to this fine group.
Please tell your opinion for and against using IPv6?
Thx
-
IPv6 is the future of the Internet, as IPv4 has nowhere near enough addresses available. Your next question is how do you get it. For many of us, our ISP provides native IPv6. Others may have to use a tunnel broker, to provide IPv6 via 6in4 tunnel. Either way works.
As for the number of addresses, most people only get 1 or 2 public IPv4 addresses, but many others don't get any and their ISP uses NAT to provide IPv4. With IPv6, the smallest block that an ISP is supposed to provide is a /64 prefix. That means 64 bits of the address point to your network, leaving the other 64 bits for devices on your network. That /64 provides 18.4 billion, billion addresses. Many ISPs provide a larger block. For example, mine gives me a /56 prefix, which is 256 /64s. With pfSense, I can split off each of those for use on any network or VLAN as I choose. Other ISPs may provide a /48, which is 65536 /64s. Just to give you an indication of how big the IPv6 address space is, with only 1/8th of the IPv6 address space allocated to global unicast addresses, there are enough to give each person on earth over 4000 /48s. This compares to IPv4, where most people are lucky to get a single address.
There are other changes in IPv6 that provide a performance improvement over IPv4, better support for mobile IP and multicast, and more.
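The prefix arithmetic in the post above (a /56 holding 256 /64s, a /48 holding 65536 /64s, 18.4 billion billion addresses in one /64, and over 4000 /48s per person out of 2000::/3), worked through with Python's standard ipaddress module. This is an added example, not code from the thread; the delegated prefix and the population figure are constructed, and the "prefix id" mirrors the subnet number pfSense asks for on a tracked interface.

```python
import ipaddress

# Constructed example delegation, not taken from the thread: the ISP hands
# this /56 to the pfSense WAN via DHCPv6 prefix delegation.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:100::/56")

# 2000::/3 is the block IANA has set aside for global unicast (1/8 of the space).
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def count_subnets(delegated: ipaddress.IPv6Network, new_prefix: int = 64) -> int:
    """How many /new_prefix networks fit inside the delegated block."""
    if new_prefix < delegated.prefixlen:
        raise ValueError("new prefix must not be shorter than the delegation")
    return 2 ** (new_prefix - delegated.prefixlen)


def addresses_in(prefixlen: int) -> int:
    """Addresses in one network of the given prefix length."""
    return 2 ** (128 - prefixlen)


def vlan_subnet(delegated: ipaddress.IPv6Network, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 for one LAN or VLAN by its subnet number, the same choice
    pfSense asks for as the "IPv6 Prefix ID" on a tracked interface."""
    if not 0 <= prefix_id < count_subnets(delegated, 64):
        raise ValueError(f"prefix id {prefix_id:#x} does not fit in a /{delegated.prefixlen}")
    base = int(delegated.network_address)
    net = ipaddress.IPv6Network((base + (prefix_id << 64), 64))
    assert net.subnet_of(delegated)  # never hand out space outside the delegation
    return net


def forty_eights_per_person(population: int = 8_000_000_000) -> int:
    """Whole /48 blocks per person if 2000::/3 were shared out evenly
    (population is a constructed round figure)."""
    return count_subnets(GLOBAL_UNICAST, 48) // population


if __name__ == "__main__":
    print(f"/64s in a /56: {count_subnets(DELEGATED_PREFIX)}")
    print(f"/64s in a /48: {count_subnets(ipaddress.IPv6Network('2001:db8::/48'))}")
    print(f"addresses in a /64: {addresses_in(64):,}")
    for vlan_id in (0, 0x10, 0xff):
        print(f"prefix id {vlan_id:#04x} -> {vlan_subnet(DELEGATED_PREFIX, vlan_id)}")
    print(f"/48s per person: {forty_eights_per_person()}")
```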
-
Well, it's a lot of info to digest!
Thx! ;)
My ISP says this: https://wiki.sonic.net/wiki/Fusion_IPv6_Tool
Any suggestions on how to set it up with pfSense to try it out?
-
They appear to be using tunnels to provide IPv6. While I used to use a tunnel, prior to my ISP providing native IPv6, I haven't used pfSense with one. Perhaps someone else here can help. There may even be someone on your ISP.
-
JKnott, I would love it if you translated the above into Executive Summary terms :D So what does this mean (what do we have to do) for the layman user?
Would we still use private LAN addresses?
Will pfSense still perform NAT?
-
JKnott, I would love it if you translated the above into Executive Summary terms :D So what does this mean (what do we have to do) for the layman user?
Would we still use private LAN addresses?
Will pfSense still perform NAT?
No to both questions. With IPv6 everything uses fully routable addresses (except for administrative traffic and, for example, gateway addresses for the next hop upstream), and this greatly simplifies packet filtering on the firewall because you no longer have to take NAT into account when writing firewall rules.
-
All that being said.. Yes IPv6 is the future.. But at this time there really is zero reason for you to use it.
There is not 1 resource on the net, other than maybe some p0rn and darkweb stuff, that is only available via IPv6.
Corp world will not be going to it any time soon no matter how much JKnott wants it to happen. While there are advantages to it sure - there are also huge drawbacks to the migration. For starters $, 2nd management and security. Not only do you have to worry about IPv4, you also now have to contend with IPv6 on the same network since it's almost impossible to do a clean cut and only run IPv6.
There is really zero reason for the corp world to migrate their existing internal networks from the RFC 1918 space - which is not going anywhere..
What I would suggest is if you're interested then sure start playing with it. Hurricane Electric has a certification you can get.. https://ipv6.he.net/certification/ which has some practical parts where you actually have to bring online some IPv6 services.. So it's a great learning tool. It was a fun couple of hours years ago on a Sunday when I got it.. When you get SAGE level they at least used to give you an IPv6 t-shirt that is fun to wear at techy stuff ;) Mine's starting to show its age though.. hehehe
I have been playing with it for years and years. My previous ISP provided it native - but to be honest it was a crap rollout. Many ISPs that provide it native don't actually do it correctly. They might only give you 1 /64 when to be honest all sites should get a /48 at min.. Shoot, many DCs don't even do it right and try and hand off a customer a single /64..
So vs dealing with the ISP BS, I just used a tunnel.. This gives you way more control - not sure what your ISP is using but you can always get a free /48 from Hurricane and set that up with pfSense with a few clicks and then sure leverage IPv6 as little or as much as you want. I use it in a controlled manner.. While I provide some services to the public net via IPv6 (NTP).. And some machines on my network do have it and use it - I also disable it on some segments because there are some huge drawbacks like I said.. One being if you're tunneled, for example, many streamers, Netflix for example, might block you because an IPv6 tunnel is kind of like a VPN and can distort your geolocation, etc.
So yes I would encourage learning about IPv6 and playing with it.. Do not think it's some sort of actual requirement at this time.. Yes there are many places of the world that are low on IPv4.. Doesn't mean the whole world is - shoot, my company just transferred off a /17 of our /16 to 2 different companies ramping up IPv4 space in the public market..
While I would encourage learning about IPv6 for sure - especially if you're in the field or if just a home geek ;) But no matter how much JKnott wants it to be.. Sorry, it's not any sort of thing that will be required for you to have running for years and years and years.
But pfSense does make it really easy to use, that is for sure.. My current ISP does not have support as of yet - nor do I really care if they bring it online anytime in the next 10 or 20 years to be honest. They have way more important things to work on if you ask me.
-
JKnott, I would love it if you translated the above into Executive Summary terms :D So what does this mean (what do we have to do) for the layman user?
Would we still use private LAN addresses?
Will pfSense still perform NAT?
No NAT or private addresses. The reason for NAT on IPv4 was to extend addresses, as there are not anywhere near enough of them. So, NAT was used to make multiple devices appear as one. With IPv6, there are so many addresses available that there's no need to share any. In fact, a single /64 (18.4 billion, billion addresses) could probably suffice for all your devices. ;)
-
There is not 1 resource on the net, other than maybe some p0rn and darkweb stuff, that is only available via IPv6.
Actually, there's plenty in Asia, where they ran out of IPv4 quite some time ago and only IPv6 is available.
Corp world will not be going to it any time soon no matter how much JKnott wants it to happen. While there are advantages to it sure - there are also huge drawbacks to the migration. For starters $, 2nd management and security. Not only do you have to worry about IPv4, you also now have to contend with IPv6 on the same network since it's almost impossible to do a clean cut and only run IPv6.
Well, if we don't start moving, we'll never get there. As for firewalls, in some, such as pfSense, it's possible to use a single filter for both IPv4 and IPv6, though NAT messes that up a bit. Same thing with Cisco. You can set up identical rules for IPv4 and IPv6, again allowing for NAT, if filtering on protocol only. Address-based rules will have to be different though. To not move to IPv6 means being stuck with NAT, with all the problems it brings. Of course, this is before we start considering the performance improvement that, while transparent to users, may be important to ISPs & carriers. Then there are things that were designed into IPv6 that were at best add-ons to IPv4, such as multicast and mobile IP. So, there are a lot of reasons for moving to IPv6 beyond just a larger address space. Of course, we can't forget there are many in this world who are forced to be on NAT, as their ISP doesn't have any IPv4 addresses to hand out to customers. That means you can't remotely access your network without a lot of effort and hacks to get around NAT.
BTW, I believe the OP said his ISP is currently using 6RD, so that may be a place for him to start.
-
Would we still use private LAN addresses?
Just to clarify, there are "private" addresses. There are unique local addresses, which are similar in function to the RFC 1918 addresses in IPv4. However, they are not normally used for NAT. There are also link local addresses, which have no equivalent in IPv4. Every IPv6 capable device has one, usually based on the MAC address. It's what's used for router addresses. It's also used for other things that are confined to the local network. For example, Windows HomeGroup networking uses it. In fact, it won't even work over IPv4.
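How a MAC-based link-local address, as described in the post above, is actually derived (modified EUI-64 per RFC 4291: flip the universal/local bit, insert ff:fe), plus the inverse, which is why such addresses leak the hardware address and why modern hosts default to privacy or stable-random interface ids instead. This is an added example, not code from the thread; the MAC is a constructed sample.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, appendix A):
    flip the universal/local bit (0x02) of the first octet and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the EUI-64 identifier: the link-local address a device gets
    when it derives its interface id from the MAC."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Recover the MAC from any IPv6 address whose interface id is EUI-64 based.
    Returns None when the id lacks the ff:fe marker (a privacy or stable-random
    identifier), which is exactly the exposure those newer schemes avoid."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC, not a real device
    ll = link_local_from_mac(mac)
    print(f"{mac} -> {ll}")
    print(f"{ll} -> {mac_from_address(str(ll))}")
    print(f"fe80::1 -> {mac_from_address('fe80::1')}")  # None: not EUI-64 based
```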