Dynamic IPv6 Prefix assignment issue in xDSL users
-
I really don't understand... You could solve this problem and use it for marketing purpose...
Something like "Yep, we know some ISPs give you a dynamic prefix but don't worry, pfSense has a solution for that!"
Instead, you completely ignore the users and tell them to complain to the ISP (who doesn't care because it's their business model)
Anyway, it's not important anymore. I switched to OPNsense. They have a ticket for this problem and are working on it.
https://github.com/opnsense/core/issues/2544
-
@chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:
Instead, you completely ignore the users and tell them to complain to the ISP (who doesn't care because it's their business model)
How is pfSense supposed to fix something that's been broken by the ISP? If they change your prefix, you can't keep using the old one. This means any existing connections will break. As for more than one address, the normal operation with SLAAC is to use privacy addresses for outgoing connections. These will change daily, but remain within the prefix. There is also a fixed address that does not change daily and can be used for incoming connections. It does not matter if the privacy address changes daily, as a new connection will always use the newest. Older ones remain for a week, to support any existing connection. So, the problem is not that you have multiple addresses, but that the addresses are in different prefixes. That is entirely the ISP's doing. They are the ones that are breaking how IPv6 is supposed to work.
-
And to be honest - any sort of work around on the part of pfsense or any router distro doesn't do anyone any favors at all.. Since it just allows the ISP to remain broken..
Broken or half-assed deployments don't help promote the movement to IPv6... it just slows it down even more..
-
It's kind of funny seeing comments such as "the ISP has a broken implementation of IPv6" or "you should change your ISP". I wonder what world you guys who suggest these things are living in. Most people have few choices for ISP. For example, my ISP is Telus, which has a somewhat interesting implementation of IPv6. I have a contact in the engineering department who is surprisingly candid about their design decisions. He doesn't necessarily agree with them, but at least he is open to discuss things such as prefixes. If I don't like Telus, there is Shaw which doesn't support IPv6 at all.
As was said, many ISPs force prefix changes, in order to extract extra $$ from the customers who want stable prefixes. Most ISPs have no f*cks to give if you say you will switch unless they "fix" things that their subscribers consider to be broken. For most people, the first and only point of contact is telephone support, which might be outsourced to a third-world country. Does anyone seriously think complaining to Rajinder will change anything?
As for using a tunnel, Hurricane Electric is maybe the only ISP in the world that listens to feedback. I wish they offered full internet service. If they did, I would pay more to use them. A tunnel is a good way to get IPv6 if you have no other choice, but it has limitations. For one, Netflix doesn't work over it. For another, unless HE's server is in the same city where you live, it tends to mess up location specific websites.
ISPs are widely known for providing terrible service and that's not going to change because they are listening to their subscribers. This is why people ask for pfSense to help "fix" things that the ISP got wrong.
-
Nobody would tolerate that sort of change with routable IPv4 addresses for all of the same reasons it sucks for IPv6. Why should IPv6 be any different? IPv6 is supposed to be "better."
ISPs need to get a clue. The only thing that will change their mind is or .
If you use a broken ISP you are probably limited to using their (probably crappy) residential gateways.
I guess if you want IPv6 you could always pay the tax to get it for real if your ISP sucks.
sonic.net also seems to listen, but has a limited footprint (Bay area mostly)
-
@derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:
Nobody would tolerate that sort of change with routable IPv4 addresses for all of the same reasons it sucks for IPv6. Why should IPv6 be any different? IPv6 is supposed to be "better."
ISPs need to get a clue. The only thing that will change their mind is or .
If you use a broken ISP you are probably limited to using their (probably crappy) residential gateways.
I guess if you want IPv6 you could always pay the tax to get it for real if your ISP sucks.
sonic.net also seems to listen, but has a limited footprint (Bay area mostly)
I don't think it's a matter of people tolerating bad behaviour from clueless ISPs. For many, there simply is no choice. ISPs behave badly because they know many people have no choice.
My ISP has native dual-stack IPv4/IPv6. That's more than some other ISPs offer. Also, fortunately, they chose to allow subscribers to bridge the port on the modem/router so they can use their own router. I have a main pfsense router, plus other routers that I run just to keep on top of them working as they are developed. I haven't encountered any limits such as the number of leases or prefixes. It could be better but it could also be worse.
The benefit that pfsense can offer is a way to help subscribers with broken IPv6 implementations. I think that's why there are repeated requests for some help with dynamic prefixes. Some of the ideas are unworkable, but that's not to say improvements could not be made.
-
@bimmerdriver said in Dynamic IPv6 Prefix assignment issue in xDSL users:
Netflix doesn't work over it.
So what - use IPv4 for that... While I am all for IPv6 and would love to see it move more mainstream... In the BIG picture it's not here yet.. There is ZERO reason for you to have to use it, especially as a home user. Sure if you are hosting services to the public you should make sure your services are available on IPv6..
I have been playing with IPv6 for years and years and years.. Way before the root servers for dns were even on IPv6.. Was one of the first few hundred to get my sage cert from HE..
Sorry but there are ZERO reasons to deal with nonsense ISPs that don't get it... Use a freaking tunnel if you are forced to use the ISP you have.. My current isp doesn't even provide IPv6 - I don't give 2 shits because I have 5X the speed for 1/2 the price of comcast..
Multiple threads around here about blocking AAAA for netflix if that is your only concern.. Here is the thing I have IPv6 on my network, I even host to the public ntp on IPv6... Through a tunnel - my devices that I use to watch netflix.. I just don't enable IPv6 on them it's that freaking easy.
It's great that you want to learn and play and participate in the future, which for sure is IPv6.. But there is nothing forcing you to use it... Please name 1 actual public resource that you HAVE to have IPv6 to access... Just 1... Other than some odd ball p0rn fetish site (which there are 100,000 others to choose from)... Or maybe a few sites on the darkweb. How fast you think ISP would get their shit in order if users actually complained about IPv6 issues. Problem is the only ones that give 2 shits about it are people like you.. 1 in 1000, maybe 10000 of their users..
I would love nothing more to just use IPv6.. Sorry not here yet - I am pretty freaking sure I will be retired from the biz well before that happens.. So while I understand your grief - you're ranting to the wrong place... It's not the router distro you're using's problem to fix a BORKED deployment from your ISP..
And to be honest, the few developers have way more important things to worry about than some odd ball ipv6 hack to help some users on some borked isp setup ;) As already mentioned if you want a fix or hack or whatever you want to call it to handle your isp nonsense... Then submit your pull request :)
Or just do the simple thing and use a HE tunnel to get your IPv6 fix...
Or get your own IPv6 space from your local RIR, and get an ISP that will route it to you.. Expecting your typical residential ISP that has billy wanting to download porn and stream internet really doesn't give 2 shits about proper IPv6 deployment nor do they hire the appropriate skilled level engineers to deploy it correctly..
-
@derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:
@chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:
"Yeah, just use a tunnel broker and add 10-15ms of latency for each ipv6 connexion, it's fine"
No, it's not. I really don't understand your attitude... Pfsense is already capable of doing static NPT, you know it's a thing and there is a feature request for dynamic NPT... You can implement it and solve this stupid issue...
Your ISP can deploy IPv6 correctly and solve this stupid issue.
@Derelict I personally find your attitude stinks. In Australia, we have the same issue. Instead of showing service or caring, you are basically telling everyone who has it to get rid of pfsense, that it's not for them.
Way to go and alienate the people who support the product. Good one.
There is an alternative you know. That is to actually listen to the real world, rather than the world of fiction you seem to want to live in. That is, support the feature. Show customers you care.
Or is it easier to tell them to get stuffed?
-
@bimmerdriver said in Dynamic IPv6 Prefix assignment issue in xDSL users:
@derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:
Nobody would tolerate that sort of change with routable IPv4 addresses for all of the same reasons it sucks for IPv6. Why should IPv6 be any different? IPv6 is supposed to be "better."
ISPs need to get a clue. The only thing that will change their mind is or .
If you use a broken ISP you are probably limited to using their (probably crappy) residential gateways.
I guess if you want IPv6 you could always pay the tax to get it for real if your ISP sucks.
sonic.net also seems to listen, but has a limited footprint (Bay area mostly)
I don't think it's a matter of people tolerating bad behaviour from clueless ISPs. For many, there simply is no choice. ISPs behave badly because they know many people have no choice.
My ISP has native dual-stack IPv4/IPv6. That's more than some other ISPs offer. Also, fortunately, they chose to allow subscribers to bridge the port on the modem/router so they can use their own router. I have a main pfsense router, plus other routers that I run just to keep on top of them working as they are developed. I haven't encountered any limits such as the number of leases or prefixes. It could be better but it could also be worse.
The benefit that pfsense can offer is a way to help subscribers with broken IPv6 implementations. I think that's why there are repeated requests for some help with dynamic prefixes. Some of the ideas are unworkable, but that's not to say improvements could not be made.
100% agree and well said. I do not understand the attitude by Netgate here. It's arrogant and blatant. It would be nice for them to get off their moral high horse and actually see the world for what it is. The world isn't going to change for pfsense - ISPs won't either.
If Netgate really doesn't understand that, then let's see what happens to pfsense over the next 5 years...
-
@johnpoz said in Dynamic IPv6 Prefix assignment issue in xDSL users:
@bimmerdriver said in Dynamic IPv6 Prefix assignment issue in xDSL users:
Netflix doesn't work over it.
So what - use IPv4 for that... While I am all for IPv6 and would love to see it move more mainstream... In the BIG picture it's not here yet.. There is ZERO reason for you to have to use it, especially as a home user. Sure if you are hosting services to the public you should make sure your services are available on IPv6..
I have been playing with IPv6 for years and years and years.. Way before the root servers for dns were even on IPv6.. Was one of the first few hundred to get my sage cert from HE..
Sorry but there are ZERO reasons to deal with nonsense ISPs that don't get it... Use a freaking tunnel if you are forced to use the ISP you have.. My current isp doesn't even provide IPv6 - I don't give 2 shits because I have 5X the speed for 1/2 the price of comcast..
Multiple threads around here about blocking AAAA for netflix if that is your only concern.. Here is the thing I have IPv6 on my network, I even host to the public ntp on IPv6... Through a tunnel - my devices that I use to watch netflix.. I just don't enable IPv6 on them it's that freaking easy.
It's great that you want to learn and play and participate in the future, which for sure is IPv6.. But there is nothing forcing you to use it... Please name 1 actual public resource that you HAVE to have IPv6 to access... Just 1... Other than some odd ball p0rn fetish site (which there are 100,000 others to choose from)... Or maybe a few sites on the darkweb. How fast you think ISP would get their shit in order if users actually complained about IPv6 issues. Problem is the only ones that give 2 shits about it are people like you.. 1 in 1000, maybe 10000 of their users..
I would love nothing more to just use IPv6.. Sorry not here yet - I am pretty freaking sure I will be retired from the biz well before that happens.. So while I understand your grief - you're ranting to the wrong place... It's not the router distro you're using's problem to fix a BORKED deployment from your ISP..
And to be honest, the few developers have way more important things to worry about than some odd ball ipv6 hack to help some users on some borked isp setup ;) As already mentioned if you want a fix or hack or whatever you want to call it to handle your isp nonsense... Then submit your pull request :)
Or just do the simple thing and use a HE tunnel to get your IPv6 fix...
Or get your own IPv6 space from your local RIR, and get an ISP that will route it to you.. Expecting your typical residential ISP that has billy wanting to download porn and stream internet really doesn't give 2 shits about proper IPv6 deployment nor do they hire the appropriate skilled level engineers to deploy it correctly..
When did Netgate get so arrogant? Same issue as I said to Derelict. Get over yourselves and realise you can't dictate to the world how IPv6 is going to be implemented. The ISPs have way more power than you guys do. So get out of your world of fiction, and live in the world your customers do.
Stop abusing us, and start helping us. Or is that just too hard?
-
See if using a scheme like this using both ULA and GUA-PD on the inside interfaces helps with that sort of problem. That is the recommended way to operate when an ISP insists on changing the PD.
https://forum.netgate.com/post/825770
If that doesn't help you'll need to post specific details as to exactly what the ISP is doing and exactly what is causing your problems.
Not a description, but screen shots and real, actual troubleshooting output.
https://www.ripe.net/publications/docs/ripe-690#5--end-user-ipv6-prefix-assignment--persistent-vs-non-persistent
Note that's RIPE - as in Europe. So it's their own RIR telling them they're doing it wrong, too.
RFC7368 is about as close as we have to a controlling document here.
https://tools.ietf.org/html/rfc7368
ULAs should be used within the scope of a homenet to support stable routing and connectivity between subnets and hosts regardless of whether a globally unique ISP-provided prefix is available. In the case of a prolonged external connectivity outage, ULAs allow internal operations across routed subnets to continue. ULA addresses also allow constrained devices to create permanent relationships between IPv6 addresses, e.g., from a wall controller to a lamp, where symbolic host names would require additional non-volatile memory, and updating global prefixes in sleeping devices might also be problematic.
-
Hi guys,
I've followed this conversation quite a while and run into the same issue.
For everyone who would like to have dynamic NPT address to solve this issue please find my repo here: https://github.com/gewuerzgurke84/pfSense-dynamicNptAddress
I've tested it with 1 NPT mapping and 1 "Tracking" Interface with pfSense 2.5.0 and it solves my issue so far. Nevertheless I'd prefer to have this feature as part of the distribution itself as it is a requirement to get IPv6 running in a reasonable way (at least in Germany)...
Best Regards,
Alex
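-
An added example, not part of any post above and not code from pfSense or the linked repository: the address arithmetic of prefix translation as specified in RFC 6296 (NPTv6), showing internal ULA addresses staying fixed while the externally visible addresses follow whichever prefix is currently delegated. The prefixes, host names and function names are constructed for illustration.

```python
import ipaddress

def words16(n):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def add1c(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def sum1c(n):
    """One's-complement sum of the eight words of a 128-bit integer."""
    total = 0
    for w in words16(n):
        total = add1c(total, w)
    return total

def npt_translate(addr, src, dst):
    """Move addr from prefix src to prefix dst without changing its checksum."""
    addr = ipaddress.IPv6Address(addr)
    src, dst = ipaddress.IPv6Network(src), ipaddress.IPv6Network(dst)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must have the same length, at most /64")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    # adjustment = sum(src prefix) - sum(dst prefix), in one's-complement arithmetic
    adj = add1c(sum1c(int(src.network_address)),
                0xFFFF ^ sum1c(int(dst.network_address)))
    out = words16(int(dst.network_address) | (int(addr) & int(src.hostmask)))
    # /48 or shorter: adjust the subnet word; longer: first IID word that is not 0xFFFF
    slots = [3] if src.prefixlen <= 48 else [4, 5, 6, 7]
    idx = next((i for i in slots if out[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError(f"{addr} has no word that can absorb the adjustment")
    out[idx] = add1c(out[idx], adj) % 0xFFFF  # a result of 0xFFFF is stored as 0
    return ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(out)))

# Constructed sample data: a ULA /48 inside, documentation prefixes outside.
ULA = "fd01:203:405::/48"
HOSTS = {"nas": "fd01:203:405:1::1234", "cam": "fd01:203:405:20::a"}

def external_view(delegated):
    """External addresses of HOSTS under the currently delegated prefix."""
    return {name: str(npt_translate(a, ULA, delegated)) for name, a in HOSTS.items()}

if __name__ == "__main__":
    # The ISP changes the delegation; HOSTS and internal rules stay as they are.
    for pd in ("2001:db8:1::/48", "2001:db8:77::/48"):
        print(pd, external_view(pd))
```

The mapping is stateless and one-to-one, so it does no filtering of its own: inbound firewall rules still decide which translated addresses are reachable.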