Netgate Discussion Forum

    pfSense as tunnel broker

      b3er

      Hi!
      Is there a way to set up a pfSense machine as an IPv6-to-IPv4 tunnel broker, like in Router OS? I have a server with pfSense installed that has an IPv6 subnet, and I want to use this machine as a tunnel broker for clients.

        JKnott @b3er

        @b3er

        By "tunnel broker", do you mean providing IPv6 over IPv4, using 6in4 or similar? Yes, it is possible. While you can configure something like that, just setting up a VPN and allowing it to pass IPv6 will do the same thing as well as encrypt it. That's what I have with OpenVPN.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          b3er

          Yes, I mean a 6in4 server, but I want to set it up as a SIT tunnel, not as OpenVPN, so it needs to work like the HE tunnel broker server for clients. I just can't find how to create SIT tunnels in pfSense.

            Grimson Banned

            RTFM: https://docs.netgate.com/pfsense/en/latest/book/interfaces/interfacetypes-gif.html You'll need to add appropriate routes too.

              b3er @Grimson

              @Grimson Thanks!
              Forgot about GIF, working like a charm now!
              Maybe the setup is useful for someone!
              Create GIF tunnel:
                Parent Interface: WAN
                GIF remote address: <remote IP of client>
                GIF tunnel local address: <some IPv6 address of owned IPv6 subnet>
                GIF tunnel remote address: <IPv6 owned subnet (need /64 for some clients to work)>
              Firewall:
                Permit IPv6 proto in/out for remote client
              Create OPTX interface from GIF tunnel
              Permit IPv6 traffic from your IPv6 subnet in OPT interface
              Routes are added automatically when creating OPT interface
              Client setup is similar to HE, using the remote IPv4 address of the pfSense router, the same IPv6 subnet, and a free IPv6 address from this IPv6 subnet

              P.S. Found interesting behavior: if no LAN interface/subnet exists in the router setup, then when adding an OPT/LAN interface, pfSense moves the 443/80/22 permit rule of the firewall to the OPT interface, so the router becomes inaccessible. To prevent this behavior, just manually add a rule to allow ports 443/22/80 on the WAN interface before enabling OPT.
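
Added example (not part of b3er's post and not pfSense code): a Python sketch that sanity-checks the addressing used in the setup above, scopes the WAN rule for IP protocol 41 (6in4) to the single client, and renders the Linux client commands for the SIT side. The function name, the `sit1` interface name and all addresses (documentation ranges) are assumptions.

```python
import ipaddress

PROTO_6IN4 = 41  # IP protocol number for IPv6-in-IPv4 encapsulation (SIT/GIF)

def sit_client_plan(server_v4, client_v4, prefix, server_v6, client_v6, ifname="sit1"):
    """Check a 6in4 endpoint pair and return (wan_rule, client_commands).

    Hypothetical helper: names and the sit1 interface are illustrative.
    """
    net = ipaddress.IPv6Network(prefix)
    s4, c4 = ipaddress.IPv4Address(server_v4), ipaddress.IPv4Address(client_v4)
    s6, c6 = ipaddress.IPv6Address(server_v6), ipaddress.IPv6Address(client_v6)

    if net.prefixlen != 64:
        raise ValueError(f"expected a /64 for the tunnel subnet, got /{net.prefixlen}")
    for role, addr in (("server", s6), ("client", c6)):
        if addr not in net:
            raise ValueError(f"{role} tunnel address {addr} is outside {net}")
    if s6 == c6:
        raise ValueError("server and client need different IPv6 addresses")
    if s4 == c4:
        raise ValueError("tunnel endpoints need different IPv4 addresses")

    # WAN rule scoped to the one client instead of "any": only this IPv4
    # source may send encapsulated IPv6 to the router.
    wan_rule = {"interface": "WAN", "ip_protocol": PROTO_6IN4,
                "source": str(c4), "destination": str(s4)}

    # Client side (iproute2), modelled on the usual HE-style SIT setup.
    commands = [
        f"ip tunnel add {ifname} mode sit remote {s4} local {c4} ttl 255",
        f"ip link set {ifname} up",
        f"ip -6 addr add {c6}/{net.prefixlen} dev {ifname}",
        f"ip -6 route add ::/0 dev {ifname}",
    ]
    return wan_rule, commands

if __name__ == "__main__":
    # Constructed sample values from the documentation ranges.
    rule, cmds = sit_client_plan("192.0.2.1", "198.51.100.7",
                                 "2001:db8:1:2::/64",
                                 "2001:db8:1:2::1", "2001:db8:1:2::2")
    print(rule)
    print("\n".join(cmds))
```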

                Gertjan @b3er

                @b3er said in pfSense as tunnel broker:

                if no LAN interface

                You're kidding?
                No LAN on a router/firewall?
                Very strange bird that is.

                Btw: an OPTx interface is just another LAN with some exceptions, like: by default, LAN has a pass rule, OPTx interfaces have none.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  b3er

                  Yep, no LAN, just using pfSense installed on a VPS to provide VPN and tunnels. Maybe this kind of setup is overpowered, but it's a good enough use case for me :)

                    JeGr LAYER 8 Moderator

                    @b3er said in pfSense as tunnel broker:

                    found interesting behavior, if no LAN interface/subnet exists in router setup,

                    Nothing interesting in that. Just read the documentation: if only a single interface exists, pfSense is not in firewalling/NAT mode (it even says so when installing it after adding the WAN). So without a second interface, you are not actually firewalling anything, and adding the OPTx interface from the GIF tunnel then adds the "second" interface and first LAN interface, so it automatically gets the default LAN setup and firewalling is engaged, so WAN will be properly shielded.

                    Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                    If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.