Netgate Discussion Forum

    ipv6 disable on Pfsense

      JKnott @Derelict

      @Derelict said in ipv6 disable on Pfsense:

      Yeah the real barrier to IPv6 adoption is stupid ISP shenanigans.

      Once people have the epiphany that you deal with the address space in /64 interfaces and not all those "wasted" host addresses things start clicking.

      I first noticed the problem back around New Years, when web pages were sluggish to load and my email app would time out, trying to send email. I discovered that IPv6 wasn't working, even though I had a prefix. I tried some testing, including pinging Yahoo, with Wireshark running between my modem and Firewall. I noticed if I pinged from pfSense, it worked, but not from anything behind it. That smelled like a prefix issue to me. I could see the correct prefix going out, but nothing at all coming back. Further, I made a capture when pfSense was booting up and found this little gem:

      Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'

      Even though I had demonstrated to tier 2 support that the problem was at the CMTS, the network guys didn't want to work on the problem, because they don't work on problems on customers' networks!!! I got the office of the president involved, and a bit of testing, on 2 occasions, by the senior tech, before they finally opened a ticket on the CMTS problem.

      One mistake that senior tech made, when I wasn't here, was he tried pinging the ULA (the cable modem provides both GUA and ULA prefixes) on his computer and claimed everything worked. When he was here on the 2nd visit, I had to explain what he was doing wrong. Even when talking to tier 2 support, I had to explain how the WAN address was not used for routing and more.

      What made it more frustrating was I had done some work at 3 of this company's head ends a few months back and I could describe their setup to them and where I thought the problem was, yet those network guys wouldn't budge.

      They need a lot more training and I pointed out some key points, in an email I sent.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        johnpoz LAYER 8 Global Moderator @JKnott

        @JKnott said in ipv6 disable on Pfsense:

        Microsoft HomeGroup networking requires IPv6. It won't work without it.

        You mean the thing that is not even a thing any more and was never actually a thing in the first place... That thing required IPv6 ;)

        Only reason it did was MS said it did.. Sure didn't even transfer files from machine A to B via smb over IPv6, etc..

        https://www.microsoft.com/en-us/windows/Windows-10-specifications#feature-deprecation
        Home Group: HomeGroup is removed starting with the April 2018 Update, but you still have the ability to share printers, files, and folders. When you update to the April 2018 Update from an earlier version of Windows 10, you won’t see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (Settings > Update & Security > Troubleshoot). Any printers, files, and folders you shared using HomeGroup will continue to be shared. Instead of using HomeGroup, you can now share printers, files, and folders by using features that are built into Windows 10:

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          JKnott @johnpoz

          @johnpoz said in ipv6 disable on Pfsense:

          You mean the thing that is not even a thing any more and was never actually a thing in the first place... That thing required IPv6 ;)

          Yep, that's it and I knew it was deprecated. It used IPv6 link local addresses exclusively. I've never used it though. I run Linux here. 😉

            johnpoz LAYER 8 Global Moderator

            And that thing that was never a thing that only worked on the same L2.. That Shit ;) hehehe

            I am all for moving to IPv6... But I am with Derelict, the real thing that is holding us back is ISP nonsense, not really having a clue how to deploy it.

            And I am so all for users wanting to disable something they are not ready to use.. It's a security problem if it's not managed correctly, it's a management nightmare if you're not ready for it.. It's just more noise on the network if you're not going to correctly set it up and configure it.

            It's just another pain/failure point in the network, etc. etc.

            So the correct thing to do until such time as you're ready to embrace it and deploy it correctly is turn it freaking OFF.. Just like turn off any other protocol/service you're not actively using..

            Billy the user having it on not knowing wtf any of it means doesn't help the world migrate to it.. Now when Billy goes to his ISP and says I have to have it, and you better freaking give me a correctly deployed /48 and it doesn't freaking change every other week. Then maybe we can get some real progress..

            The thing driving that is going to be resources that require IPv6... Where is the game that doesn't let you play unless you have IPv6? Why do console games not correctly use IPv6 so we are not having to deal with my Xbox is strict nat, etc. ;)

            Where is the streaming service that says hey if you hit on IPv6 its $X cheaper a month or you can get access extra special library of media, etc.

            My isp doesn't even have it, why - because their user base doesn't care and sure don't need it.. And those that do want to play/use it can just freaking tunnel it.. I just looked as of "Total Subscribers of 800,100 as of June 30, 2018" So while they are not comcast, they are not some ma pop isp either.

              JKnott @johnpoz

              @johnpoz said in ipv6 disable on Pfsense:

              And I am so all for users wanting to disable something they are not ready to use.. It's a security problem if it's not managed correctly, it's a management nightmare if you're not ready for it.. It's just more noise on the network if you're not going to correctly set it up and configure it.

              What could be a problem is stuff like Teredo, which is on by default, yet most people don't know about it. Turning off IPv6 in pfSense would do nothing about that. As I mentioned above, that senior tech didn't know about it and it was causing him confusion, because he didn't know what he was looking at.

              One of the points I made in that email was that Teredo be disabled on the computers techs use.

                johnpoz LAYER 8 Global Moderator

                It's quite possible that his box is using Teredo - sure.. I would hope if he is asking about turning it off in pfSense he looked into turning it off in Windows..

                Simple enough to do with single reg entry or gpo, etc.

                  Derelict LAYER 8 Netgate @JKnott

                  @JKnott said in ipv6 disable on Pfsense:

                  One of the points I made in that email was that Teredo be disabled on the computers techs use.

                  Or give the techs "real" computers to use.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    bimmerdriver

                    I started using IPv6 long before my ISP offered it by using a tunnel from HE. It was quite a few years ago. (I'm a big fan of HE. If I could use them as my ISP, I would.) At the time I was using Sophos UTM as my router/firewall. One thing Sophos UTM does very well is provide usage reports. Using the monthly reports, it was easy to see how much of the traffic on my network was IPv4 or IPv6. Often, there were monthly reports where the IPv6 usage was well over 50%. In some cases, well over 75%. It depends on what the usage is.

                    While it's true that no one "needs" IPv6, many websites and services offer it and if you have it, access will be over IPv6. IPv6 is the preferred protocol for web browsers and for Office 365. Microsoft has invested heavily in IPv6 and it's the preferred protocol for many Windows and Windows Server operating system features.

                    IMO, the more people that use IPv6, the more ISPs will get the message that it's the way to go. I can see no reason whatsoever for anyone to not enable IPv6 if they can. Even if I still had to implement a tunnel, I would do so.

                      Derelict LAYER 8 Netgate

                      Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.

                      Using a workstation that thinks it has IPv6 but doesn't is not a good experience.

                        bimmerdriver @Derelict

                        @Derelict said in ipv6 disable on Pfsense:

                        Right - but if you're not ready to deal with it it breaks stuff. Best thing to do in that case is, often, to turn it off until you're ready to deal with it.

                        Using a workstation that thinks it has IPv6 but doesn't is not a good experience.

                        Maybe this is a sweeping generality, but I would hope that anyone who can set up pfsense (or something similar) and set up a tunnel should be able to determine if IPv6 is working properly or not.

                        Also, I agree that using a computer that thinks it has IPv6, but doesn't, isn't a good experience. I've experienced exactly that, but the other way around. A company I worked for did not "support" IPv6. As far as I know, IPv6 was "disabled" by the IT department using a third party security solution installed on the computer. As long as the computer was on a network that didn't support IPv6, it worked fine. As soon as it was connected to a network that had working IPv6, it got an IPv6 address, and the Office 365 applications (Outlook, Skype, etc.) used it, because that's what they're supposed to do. Of course, since IPv6 on the computer was broken, these applications didn't work properly. Every time they tried to go to the network, the request over IPv6 had to time out, so they basically ground to a halt. The only way this could be "fixed" was by disabling IPv6 in the network adapter. None of this would have happened if IPv6 was just allowed to work out of the box, the way it's supposed to.

                          JKnott @bimmerdriver

                          @bimmerdriver said in ipv6 disable on Pfsense:

                          started using IPv6 long before my ISP offered it by using a tunnel from HE.

                          I also used a 6in4 tunnel, but not from HE.

                          Or give the techs "real" computers to use.

                          He had one of those rugged Panasonic computers, but it was running Windows. I find Linux is much better for working on networking issues.

                            lucas1 @JKnott

                            In the properties of the interfaces IPv6 set in Pfsense "None".

                            I repeat,
                            this is interested in turning off:
                            1. How to disable IPv6 on pfSense, so that ifconfig does not give out an inet6 string?
                            2. And the DNS Resolver in Diagnostics\Tables\Table to Display, so that it does not resolve IPv6 addresses?
                            for example:
                            178.18.231.121
                            178.18.231.122
                            2a02:26f0:d8:394::356e
                            2a02:26f0:d8:3a2::356e

                            how is it most likely done by means FreeBSD 11?
                            Through rc.conf, loader.conf, sysctl I did not find how to do it or in other ways.

                              JeGr LAYER 8 Moderator @lucas1

                              @lucas1 said in ipv6 disable on Pfsense:

                              1. How to disable IPv6 on pfSense, so that ifconfig does not give out an inet6 string?

                              Why do you persist in that, if you are told multiple times now, that it simply isn't necessary?! It doesn't matter if the interface still outputs an inet6 with a fe80 link local address - if the general switch is off OR you didn't configure any IPv6 rules on an interface, all IPv6 traffic is blocked and ignored!

                              2. And the DNS Resolver in Diagnostics\Tables\Table to Display, so that it does not resolve IPv6 addresses?

                              DNS is supposed to answer your request with what is configured in the DNS zone. If the domain has AAAA entries, those are shown. If your client has no IPv6 capable interface, it won't use them. If you're not sure your clients behave correctly you can also set the advanced option to prefer IPv4 over IPv6 when answering.
                              Otherwise I don't see the problem - an interface configured without IPv6 doesn't talk over IPv6.

                              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
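
Added example, not written by any poster in this thread: a Python triage script that sorts the IPv6 addresses found in pasted `ifconfig`, `ipconfig` or `ip addr` output into the kinds discussed above (link-local as in JeGr's reply; ULA, GUA and Teredo as in JKnott's posts) and flags the ones that should not appear on a network where IPv6 is meant to be off. The host names, sample outputs and the flagging policy are constructed assumptions, and all sample addresses come from documentation ranges.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GUA = ipaddress.ip_network("2000::/3")

# Assumed policy: IPv6 is "off" at the firewall, so anything that can reach
# the Internet over IPv6 (natively or through a tunnel) deserves a look.
UNEXPECTED_WHEN_OFF = {"teredo", "6to4", "gua"}

def classify(ip):
    """Return (kind, detail) for an ipaddress.IPv6Address."""
    if ip.is_loopback:
        return "loopback", ""
    if ip in LINK_LOCAL:
        return "link-local", "present on any IPv6-capable stack; never routed"
    if ip in ULA:
        return "ula", "local only; pinging it says nothing about Internet IPv6"
    if ip.teredo is not None:          # 2001::/32, must be tested before GUA
        server, client = ip.teredo
        return "teredo", f"IPv6 inside IPv4 UDP, server {server}, mapped client {client}"
    if ip.sixtofour is not None:       # 2002::/16, must be tested before GUA
        return "6to4", f"IPv6 inside IPv4 protocol 41, embedded IPv4 {ip.sixtofour}"
    if ip in GUA:
        return "gua", "globally routable"
    return "other", ""

def extract_ipv6(text):
    """Pull every valid IPv6 address out of free-form command output."""
    found = []
    for token in text.split():
        # Drop zone id (%em0), prefix length (/64) and suffixes like "(Preferred)".
        candidate = re.split(r"[%/(]", token)[0]
        if candidate.count(":") < 2:
            continue
        try:
            ip = ipaddress.IPv6Address(candidate)
        except ValueError:             # MAC addresses, timestamps, etc.
            continue
        if ip not in found:
            found.append(ip)
    return found

def audit(hosts):
    """hosts: {name: output text}. Returns rows (host, addr, kind, flagged, detail)."""
    rows = []
    for host, text in hosts.items():
        for ip in extract_ipv6(text):
            kind, detail = classify(ip)
            rows.append((host, str(ip), kind, kind in UNEXPECTED_WHEN_OFF, detail))
    return rows

# Constructed sample outputs (not captured from real systems).
SAMPLE_HOSTS = {
    "pfsense": """em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:53:01
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        inet6 fe80::200:5eff:fe00:5301%em0 prefixlen 64 scopeid 0x1""",
    "tech-laptop": """Tunnel adapter Teredo Tunneling Pseudo-Interface:
        IPv6 Address. . . . . . . . . . . : 2001:0:c000:201:0:f227:34ff:8efa
        Link-local IPv6 Address . . . . . : fe80::f227:34ff:8efa%12""",
    "lan-pc": """inet6 fd12:3456:789a:1::10/64 scope global
        inet6 2001:db8:1:1::10/64 scope global
        inet6 fe80::1/64 scope link""",
}

if __name__ == "__main__":
    for host, addr, kind, flagged, detail in audit(SAMPLE_HOSTS):
        mark = "FLAG" if flagged else "ok  "
        print(f"{mark} {host:12} {kind:10} {addr}  {detail}")
```

Only the Teredo address on the laptop and the GUA on the LAN PC are flagged; the firewall's own `fe80::` address is reported as expected, which is the distinction JeGr draws above.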

                                johnpoz LAYER 8 Global Moderator

                                Just turn off get dns from dhcp and those go away.. Out of the box pfsense should be resolving anyway - you have zero need for any dns from your isp be it ipv4 or ipv6.

                                  lucas1

                                  A good answer is just a little nervous start. -> ?!

                                  Yes, I agree about DNS resolution in Diagnostics\Tables\Table, and that IPv6 traffic is blocked, and about the option to prefer IPv4.

                                  But you yourself wrote - an interface configured without IPv6 doesn't talk over IPv6.
                                  This action (interface configured without IPv6) immediately performs and replaces the necessary settings System\Advanced\Networking.
                                  And in general, why should I not learn how to disable IPv6 in FreeBSD and/or PfSense?

                                    Gertjan @johnpoz

                                    @johnpoz said in ipv6 disable on Pfsense:

                                    So only 21% of top 1000 sites are IPv6... Doesn't seem like majority protocol to me..

                                    Ok, very true, if you "isolate" your view to public stats, taken from 'public' routers.

                                    When I wrote "the main network protocol" I was more thinking about all network traffic, thus also what's being used locally, on our LANs - device to device, etc.
                                    Example: when my ISP (Orange, France) starts to deploy 'IPv6', a whopping 30 million users will suddenly be throwing out IPv6 traffic if a point-to-point connection can be made.

                                    No "help me" PM's please. Use the forum, the community will thank you.
                                    Edit : and where are the logs ??

                                      JeGr LAYER 8 Moderator @Gertjan

                                      @Gertjan Additionally, the graph from Google clearly states "among Google users". Not everyone (including border routers, servers, etc.) is a Google user ;) So ~23% from Google is definitely lower than reality.

                                        johnpoz LAYER 8 Global Moderator

                                        Here is the thing I work in the space... I just came out of discussion with up and coming security/sdwan company... 42 Pops globally, etc.. Asked them about their ipv6 support, if on their roadmap, etc..

                                        Nope ;) Their solution arch stated they kind of waiting to see if anyone actually uses it ;) hehehehe

                                        You guys can all dream about it all you want... I work in the biz... While there might be traffic... It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give them IPv4 ;)

                                        But once you move those all to IPv6 - the rest of it's going to be slow to come to the plate..

                                          JKnott @johnpoz

                                          @johnpoz said in ipv6 disable on Pfsense:

                                          It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give them IPv4 ;)

                                          My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.

                                          BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.

                                            bimmerdriver @JKnott

                                            @JKnott said in ipv6 disable on Pfsense:

                                            @johnpoz said in ipv6 disable on Pfsense:

                                            It's not a major player at all unless you count mobile devices... Which really account for most of the traffic to be honest... Yeah when you have a bajillion phones kind of hard to give them IPv4 ;)

                                            My cell phone is IPv6 only. It uses 464XLAT to handle IPv4.

                                            BTW, more fun with my Internet connection (same company). I just found out that the guys who are supposed to fix this closed the ticket, because I have my own router/firewall!!! This is after a senior tech came to my home with another modem, in gateway mode, and it failed too! He also went back to the head end and tried 3 other CMTS, in addition to the one I'm connected to. It failed only on mine. Yet these Bozos are once again trying to blame pfSense, after their own senior tech proved otherwise and tier 2 support verified, back in January, that the problem was on the CMTS.

                                            Some of my colleagues in Germany have an ISP that provides IPv4 over IPv6.

                                            Sorry to hear about your ISP grief. What a PITA. FWIW, Telus has no issues at all with pfSense.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.