Need some instructions for getting started with IPv6
-
Followed some instructions on the internet to get started with IPv6 but haven't got much luck so far. Starting all over now, with a freshly installed pfsense. WAN interface has received both IPv4 and IPv6 IPs. Ubuntu is correctly configured to work with IPv6 (works with site https://test-ipv6.com/ if connected directly through a modem/router). Now how do we add pfsense in the middle?
-
Hi,
One of the first questions back to you:
How do you obtain your "IPv6 stuff" from your ISP?
Normally .... as in the IPv4 world, a page/paper/other doc states how to set up your IPv6.
Related to that: what's in front of pfSense? Another router? A modem?
-
All pfsense defaults are used. The WAN interface gets IPs by DHCP and DHCPv6. It gets them from an ADSL modem/router. The LAN interface has a static IP and the DHCP server is running, giving ubuntu on the LAN side an IPv4 IP.
-
If your ISP is only providing you with a single /64 and isn't providing you with (or a way to get) a prefix, like a /56, it's not going to work.
Documentation on how to set it up can be found here: https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv6-wan-types.html
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
It gets them from an ADSL modem/router.
So pfsense wan IP is rfc1918? Your device in front of pfsense is doing nat?
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
All pfsense defaults are used. The WAN interface gets IPs by DHCP and DHCPv6. It gets them from an ADSL modem/router. The LAN interface has a static IP and the DHCP server is running, giving ubuntu on the LAN side an IPv4 IP.
The usual way to provide IPv6 for residential, small business customers is through DHCPv6-PD. The PD stands for prefix delegation. They will also, by default, have the modem in gateway mode. You want it in bridge or bypass mode. In gateway mode, you will likely have only a single /64 prefix. In bridge mode, you can have as large a prefix as the ISP will provide. I have a /56, which gives me 256 /64s. So, if you're getting RFC 1918 addresses, as mentioned above, your modem is in gateway mode. Once you're in bridge mode, we can provide further advice.
-
@johnpoz said in Need some instructions for getting started with IPv6:
So pfsense wan IP is rfc1918? Your device in front of pfsense is doing nat?
This is what pfsense gets:
This is what ubuntu gets connected directly to the ADSL modem/router:
This is what https://test-ipv6.com/ sees:
Your IPv6 address on the public Internet appears to be 2a02:587:220d:8b00:bafb:6402:b954:9ae5
Can pfsense work around this situation if someone does not want to mess with their ADSL modem/router because the support for it by the ISP is not as good as pfsense's? In other words, how do I do IPv4-style NAT with IPv6?
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
So pfsense wan IP is rfc1918? Your device in front of pfsense is doing nat?
This is what pfsense gets:
You're definitely in gateway mode, which is why you have the RFC 1918 address for IPv4. In gateway mode, only devices that are connected directly to the modem will get an IPv6 address. So, while pfSense gets one, no device on the LAN side will.
-
Can't pfsense give devices on the LAN some different IPv6 addresses and translate them to its own, ie do NAT in IPv6?
-
Yes, it can, but that's an incredibly dumb thing to do. NAT was created to get around the IPv4 address shortage, but breaks some things in the process. There is absolutely no need for it, with the unbelievably huge IPv6 address space. A single /64 contains as many addresses as the entire IPv4 address space squared!
Why don't you want to use bridge mode?
-
Because the support for that modem/router by the ISP is not as good as pfsense's here and if anything goes wrong I will be stuck offline and unable to ask you guys or research, even the telephone might not work to call the ISP. What problems would NAT create in our context?
-
Well, on IPv4, you just get another layer of it, so either way you have the same problems. For example, with NAT, VoIP and some games require use of a STUN server, just so that the app knows the real world IP address. With IPSec, NAT breaks authentication headers, which are used to verify the packet hasn't been tampered with. There are other issues. On IPv6, with that modem in gateway mode, you are guaranteeing pfSense cannot properly provide IPv6 to your LAN.
Also, pfSense is likely a much better firewall than what's in your modem. You don't need the one in the modem. As for your modem, call your ISP to ask how to enable bridge or pass through mode for the modem. Lots of other people have a similar setup and the ISP should be able to advise you. Also, the configuration for the Internet connection should have no effect on that modem providing phone or TV service. They are completely independent services that simply happen to share the same box.
People's minds have been poisoned by NAT, so they now no longer know how to properly do things with the Internet. This is just one example.
-
Once in bridged mode, can ordinary devices still connect to the modem directly without too much configuration?
-
I assume you're referring to computers and such. Yes, you can connect one device directly to the modem (with mine, I can connect 2) and it will work. For more, on a LAN, you'd use pfSense in place of the router in the modem. It will still provide NAT for IPv4, nothing you can do about that, but on IPv6, you can have one or more (V)LANs, each providing a /64. Devices connected will then have one or more global addresses. With SLAAC and privacy addresses, each device will have 9 after a week.
-
The wifi will not work, will it? I would miss accessing the internet from my smartphone using that. Also pfsense is used in a VM in my main computer, so to use several devices at the same time some more hardware would be needed (NICs). STUN doesn't sound like I'd ever need it.
-
The modem's WiFi probably won't work. If it did, it would be entirely outside of pfSense. However, there's nothing to stop you from having your own access point. You can get dedicated APs or just use an old router as an AP. I have a separate AP, which uses power over Ethernet. This means I can place it in the best place, rather than what's handy for installing the modem. As for the VM, you could use separate NICs or VLANs & a managed switch to separate things.
-
Anyway, I know it's a bad practice and strongly discouraged everywhere, but let's pretend I need the wifi and don't have the $5 to buy NICs, how is NAT done? It is just a line or two of iptables rules in linux for IPv4, can't be too hard in pfsense and IPv6.
-
I have never set up NAT on IPv6, so no help there. However, other than WiFi, there should be no difference between using the modem in gateway and bridge modes. You'd still connect the LAN side exactly the same way. Do you not have an old router kicking around that you can use as an AP?
-
No, but I have a wifi usb adapter that probably can act like an AP. Alternatively, how do we do the following in pfsense:
https://serverfault.com/questions/929044/ip6tables-is-not-masquerading-source-address
-
I don't know how well that USB adapter would work. FreeBSD, which pfSense is built on, is not that great with WiFi. As for that link, that's about iptables, not ipfilter, which FreeBSD uses.
-
It boils down to the following rules, is the equivalent functionality available in the web interface somewhere? In a package somewhere? In ipfilter?
-A PREROUTING -d 2001:470:4a71:f170::/64 -i eth0 -j DNAT --to-destination fdde:ad00:beef:0:91f5:6dd4:e66f:cf5b
-A POSTROUTING -s fdde:ad00:beef::/64 -o eth0 -j MASQUERADE
-A POSTROUTING -s fd11:22::/64 -o eth0 -p udp -j MASQUERADE
-A POSTROUTING -s fd11:22::/64 -o eth0 -p tcp -j MASQUERADE
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-
@JKnott said in Need some instructions for getting started with IPv6:
As for that link, that's about iptables, not ipfilter, which FreeBSD uses.
It's also not for pf, which pfSense uses.
OP- I'd expect you could use NPT, which is covered in the Netgate docs.
What exactly is the reason for needing ipv6? Your setup seems complicated enough, what with the virtualized firewall on the workstation and the double nat.
-
@dotdash said in Need some instructions for getting started with IPv6:
As for that link, that's about iptables, not ipfilter, which FreeBSD uses.
It's also not for pf, which pfSense uses.
Sorry my mistake. Either way, it doesn't use iptables. I used to use iptables, when I had a Linux based firewall and ipchains before that. However, I never really got into the rules for iptables, as the firewall configuration in SUSE Linux handled most of my needs.
-
What exactly is the reason for needing ipv6? Your setup seems complicated enough, what with the virtualized firewall on the workstation and the double nat.
So far it is just that a Windows VM that had to be worked with a while ago required access to something by Microsoft that was IPv6-only, but sooner or later there will be more and more instances of such in ordinary use of a browser, so better get this sorted once and for all.
Actually it would be nicer if IPv6 was completely missing in all devices except the pfsense VM. And the modem. IPv6 in them is an unnecessary human-unfriendly complexity if STUN is not needed, NAT could be from IPv4 to IPv6 and should be one of the jobs of the pfsense firewall to keep the user's life simpler and a little more private. You'd visit ipv6.google.com and your browser would think it is an IPv4 site.
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
IPv6 in them is an unnecessary human-unfriendly complexity
Strange.
That was very valid for IPv4, a couple of decades ago.
Stuff like NAT was invented, people are still having huge problems with that, just check out this forum alone. Anyway.
There are no more IPv4 left. It's done.
-
If IP's have run out it means support for more IP's is needed, it does not mean everyone with a browser needs them.
-
@dotdash said in Need some instructions for getting started with IPv6:
What exactly is the reason for needing ipv6?
That's where the world is heading. There are nowhere near enough IPv4 addresses to meet the need. I recently posted a link to an article that tells about how there are no longer any IPv4 addresses available in Europe & Middle East, unless someone sells some surplus. Anyone who thinks we shouldn't be moving to IPv6 is head in sand stupid.
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
If IP's have run out it means support for more IP's is needed, it does not mean everyone with a browser needs them.
No, the world has to move to IPv6 and that means everyone. Otherwise we'll wind up in a situation where some people are on IPv4 and others on IPv6, with some means to translate between them. Sticking with IPv4 means sticking with NAT, STUN servers, trying to stretch IPv4 addresses more and more, with more things breaking. Even Vint Cerf, one of the developers of TCP/IP, said 32 bits was only used for proof of concept and the plan was to go with much longer addresses. IPv4 is a dead end and it's long past time to move to IPv6. I've been using it for almost 10 years.
-
It wouldn't be half the world sticking with IPv4 and NAT or NAT46, it would be guys in particular situations, such as wanting to keep that old wifi up and running while using pfsense as a firewall. If pfsense's job is to act in the middle, NAT or NAT46 or NAT64 or DNS46 or DNS64 are all legitimate pfsense functionalities for particular scenarios. And quoting someone from a link given above:
"And for the "IPv6 doesn't need NAT!" brigade - sometimes you DO need it, for example if you want to run Docker containers on AWS. It doesn't support DHCP PD so you're stuck with NAT."
-
WiFi should be transparent to the protocol. You should be able to run IPv4, IPv6, Appletalk, IPX and DECNet without issue, as WiFi is a layer 2 transport, not layer 3 where IPv4 & 6 are.
Why is NAT needed with Docker on AWS? What would you do if NAT wasn't available?
-
@JKnott said in Need some instructions for getting started with IPv6:
WiFi should be transparent to the protocol. You should be able to run IPv4, IPv6, Appletalk, IPX and DECNet without issue, as WiFi is a layer 2 transport, not layer 3 where IPv4 & 6 are
Exact.
My close-to-a-decade-old Wifi AP's transport just fine IPv4 and IPv6 used by iPhone and other devices.
-
@JKnott said in Need some instructions for getting started with IPv6:
That's where the world is heading. There are nowhere near enough IPv4 addresses to meet the need. I recently posted a link to an article that tells about how there are no longer any IPv4 addresses available in Europe & Middle East, unless someone sells some surplus. Anyone who thinks we shouldn't be moving to IPv6 is head in sand stupid.
Putting that aside for the moment, I was asking why a home user, running pfSense in a VM, already double natting and unwilling to change that, needs to bother with ipv6. Maybe if he had a firewall that the whole network was using, not just him and his vms, or if it wasn't behind the isp's nat box...
-
My close-to-a-decade-old Wifi AP's transport just fine IPv4 and IPv6 used by iPhone and other devices.
I think you may have missed the point. The wifi AP here fully supports IPv6. But we are asked to remove the router function from the modem/router which I believe will stop wifi working but I may be wrong, maybe the modem can be used simultaneously by 4 ethernet devices and lots of wifi ones without a router function.
-
@dotdash said in Need some instructions for getting started with IPv6:
already double natting and unwilling to change that,
Perhaps we should be asking why they're unwilling to change. NAT is a curse on networks, caused by the inadequate IPv4 address space.
In my own network, I get a single IPv4 address, which I have to NAT to handle all my devices. I have no choice in the matter. On IPv6, I have a block of 4.72236648287 x 10²¹ addresses, so no NAT needed. Every IPv6 capable device gets global unique addresses. This means I can directly access any of those devices from elsewhere, without having to worry about port forwarding, etc..
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
But we are asked to remove the router function from the modem/router
We are here because we use pfSense. Most people running pfSense will put their modem into bridge mode and let pfSense handle everything for routing and firewall. The WiFi is a secondary issue and you're likely better off with a proper AP anyway. It is not IPv6 that's causing this issue, it's your sticking with the modem in gateway mode.
BTW, I live in a condo. If I relied on the modem WiFi, I would have a great signal at one end, but poor at the other. By using a PoE AP, I was able to put it roughly in the middle of my unit and so get a good signal throughout. My AP is high up on the wall in my laundry room. Very often, sticking with the WiFi on the modem results in a poorer signal. Also, the firewall that's built into my modem is crap that's nowhere near as capable as pfSense. So, considering WiFi signal, IPv6 and firewall, I'm far better off with the modem in bridge mode.
-
What jknott is trying to tell you is you're not going to get IPv6 to work as it's designed when your isp device in front of pfsense is doing nat.. While it might hand out an IPv6 address to pfsense wan... It's not going to be able to do correct delegation of the prefix(es) that would allow pfsense to put an IPv6 prefix on its lan..
So you can either go the hacky way of doing it and do some sort of nat on the ipv6 address pfsense gets on its wan... This can work sure - but is not how ipv6 is meant to be used.
The correct solution would be to use your isp device as bridge.. So it doesn't do nat, and then hopefully pfsense can get a delegated prefix or prefixes that it can use for network on its lan side. But this would depend again on your ISP - many of them do ipv6 all F'd up and only hand out 1 /64 anyway... It's freaking moronic at best ;)
While this will pretty much break the isp device's use as wifi AP... Normally you would want wifi behind pfsense as well, this would be done with either some wifi router being used as just AP, or an actual AP or multiples... I have 3 myself in my little sub 1500 sq ft house ;) Expecting to get "good" wifi from 1 AP located at the 1 router is problematic to say the least.. Unless you're in some small studio setup or something...
Another work around if you do not want to put your isp device into bridge mode, would be to setup a Hurricane Electric tunnel (FREE BTW) so you could get a /48 and break that up into your /64s to put behind pfsense.
And while jknott doesn't like this point of view - there is also the point well made by Ulysses_ that do you really need IPv6.. It is just plain fact currently that it is not an actual requirement at this time... There is not one actual resource that you would actually need to get to that is not available via IPv4.. So there is no actual "need" for IPv6 for the end user at this time... And to be honest I do not see that changing for many many many years!!! All the devices that were sucking up IPv4 space - ie phones!! are being migrated to IPv6 and then an IPv6 to IPv4 gateway run by the company to allow these IPv6 devices to talk to the IPv4 space..
So my advice is if you do not want to take the time to learn what is required to properly deploy, use, troubleshoot and secure IPv6 - it's quite often a better and easier option to just not enable its use on "YOUR" network... Until such time that you want to put in the work to do it correctly.
I would love nothing more than a massive push to get everyone on ipv6.. It's for sure the future - but that future is not actually now no matter how many people want to believe it is.. I too have been using it for 10 some years... And while I love playing with it, and learning about it, and experimenting with it - just have yet to run into anything be it personal or professional that actually truly requires that it be available to the end user. Now if I worked in, say, the mobile phone business that might be a different story ;)
-
Another issue is privacy. Have you ever thought if the designers of IPv6 are so keen with giving a unique IP to every single device in the world, for reasons other than neatness?
For example, pretty much everyone has plenty of 192.168.0.0/16 and 10.0.0.0/8 IP's for their devices in their LAN. If the designers wanted simplicity they would just leave this alone and ISP's would just give out a single IPv6 IP to each customer. But no, Big Brother wants it all, every single device in the world must be tracked.
-
By the way, why are there two IPv6 IP's here?
-
That second one (fe80...) is link local.. There could also be more actual global addresses as well.. IPv6 users out of the box will have many privacy addresses in the same prefix.. unless that feature is turned off..
If you think IPv6 for each device is for tracking purposes? From Big Brother? Think maybe someone been reading some conspiracy sites ;) Do they also cause autism? ;)
You understand when IPv4 was first started, the idea was every address was to be globally reachable - NAT came later as an afterthought when, hey, there is going to be more devices on this network than we ever imagined ;)
Such questions are clear examples of someone needing to understand IPv6 more before attempting to actually use it ;)
That first one there is owned by OTE, so you're in Greece..
Link-Local addresses are like their IPv4 cousins, the 169.254 range, which is meant as an L2-only address.. They don't route but serve a huge function in IPv6 use.. Every device that uses IPv6 will have a link local address.
-
IPv6 for each device is for tracking purposes? From Big Brother? Think maybe someone been reading some conspiracy sites ;) Do they also cause autism? ;)
What's for sure, 10.0.0.3 is more readable than 2a02:587:220d:8b00:bafb:6402:b954:9ae5.
A sound design would insulate the end user from this, and only the infrastructure people would need to learn IPv6.
By the way, I hope you realise Big Brother is a metaphor, not a literal person. How do you feel about the Russian government dumping Windows 10 from all their public sector and armed forces systems, in favour of a debian derivative of their own build with added strong encryption? I think Microsoft trying to be Big Brother is a major part of it.
https://en.wikipedia.org/wiki/Astra_Linux