IPv6 with two or more LAN-side interfaces
-
To capture with Wireshark, you need some way to insert a computer running it between the modem and the pfSense computer. This can be done with a managed switch, configured for port mirroring. Failing that, you can use the Packet Capture that's built into pfSense. You can then capture the packets when you disconnect/reconnect the WAN port. You can then download the capture to view in Wireshark. If you use a managed switch, you can capture everything from power up, instead of just disconnecting the WAN port. You want to filter on DHCPv6, which is port 546 or 547. You can use either. That should leave you with the XID packets, which you can then open and find the info.
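As an added example (not code from the thread or from pfSense), the script below does by hand what you would do by clicking through the DHCPv6 Reply in Wireshark: it walks the option TLVs, pulls the transaction ID and the IA_PD/IA_PREFIX that carries the delegated prefix, and works out how many /64 networks that prefix can be split into. The packet bytes are constructed here with documentation-range addresses, not taken from a real capture, and the option layout follows RFC 8415.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes used here (RFC 8415)
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_PD, OPT_IAPREFIX = 1, 2, 25, 26


def iter_options(data):
    """Yield (code, payload) for each option in a TLV-encoded DHCPv6 blob."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated DHCPv6 option %d" % code)
        yield code, data[off:off + length]
        off += length


def delegated_prefixes(message):
    """Return one dict per IA_PREFIX found inside an IA_PD option of a
    DHCPv6 message (the UDP payload on port 546/547)."""
    if len(message) < 4:
        raise ValueError("too short for a DHCPv6 header")
    msg_type = MSG_TYPES.get(message[0], "type-%d" % message[0])
    xid = int.from_bytes(message[1:4], "big")      # the XID Wireshark shows
    found = []
    for code, payload in iter_options(message[4:]):
        if code != OPT_IA_PD:
            continue
        # IA_PD body: IAID(4) T1(4) T2(4) followed by its own options
        for sub_code, sub in iter_options(payload[12:]):
            if sub_code != OPT_IAPREFIX:
                continue
            # IA_PREFIX body: preferred(4) valid(4) prefix-length(1) prefix(16)
            preferred, valid, plen = struct.unpack_from("!IIB", sub, 0)
            prefix = ipaddress.IPv6Network((bytes(sub[9:25]), plen), strict=False)
            found.append({"msg_type": msg_type, "xid": xid,
                          "prefix": prefix, "preferred": preferred, "valid": valid})
    return found


def usable_64s(prefix):
    """How many /64 subnets a delegated prefix contains (0 if it is longer than /64)."""
    if prefix.prefixlen > 64:
        return 0
    return 2 ** (64 - prefix.prefixlen)


def _opt(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload


def build_sample_reply(prefix_str, iaid=1):
    """Constructed DHCPv6 REPLY carrying one IA_PD/IA_PREFIX; not a real ISP packet."""
    net = ipaddress.IPv6Network(prefix_str)
    ia_prefix = struct.pack("!IIB", 3600, 7200, net.prefixlen) + net.network_address.packed
    ia_pd = struct.pack("!III", iaid, 1800, 2880) + _opt(OPT_IAPREFIX, ia_prefix)
    body = (_opt(OPT_CLIENTID, b"\x00\x01\x00\x01" + b"\x11" * 10)   # dummy DUIDs
            + _opt(OPT_SERVERID, b"\x00\x01\x00\x01" + b"\x22" * 10)
            + _opt(OPT_IA_PD, ia_pd))
    return bytes([7]) + b"\xab\xcd\xef" + body   # msg-type REPLY, xid 0xabcdef


if __name__ == "__main__":
    for entry in delegated_prefixes(build_sample_reply("2001:db8:abcd:1200::/56")):
        print("%s xid=%06x %s valid=%ds -> %d /64 networks"
              % (entry["msg_type"], entry["xid"], entry["prefix"],
                 entry["valid"], usable_64s(entry["prefix"])))
```

To run it on your own capture, export the Reply packet's UDP payload from Wireshark (or strip the Ethernet/IPv6/UDP headers yourself) and pass those bytes to delegated_prefixes; the prefix length it reports is what the ISP actually delegated, independent of what pfSense asked for.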
-
@JKnott So is that it? Or is it not?
-
@JKnott Just to be sure, this is what my ISP is giving out or what I asked for? I want to be absolute sure about this once and for all.
-
I see your prefix length is 64, which means you get a single /64. My length is 56, which leaves room for 256 /64s.
Can your ISP provide a better prefix? As I mentioned, I have a /56, but other ISPs provide a /60 for 16 /64s or a /48, for 65536.
-
@JKnott Thank you.
No, as far as I can tell, my ISP is not changing that. Could you call Comcast and ask for a larger prefix? Sure you could, but it would take ages to get someone on the phone who is even capable of understanding it. I am almost not. Thanks again and I replaced the picture.
-
@Bob-Dig said in IPv6 with two or more LAN-side interfaces:
No, as far I can tell, my ISP is not changing that.
Have you even tried? Handing out a single /64 has to be the ultimate in stingy. There are enough /48s to give well over 4000 of them to every single person on earth, and that's with only 1/8 of the IPv6 address space allocated to Global Unique Addresses.
BTW, he.net will give, for free, a /48. Prior to my ISP (Rogers) offering IPv6, I used a tunnel broker who gave me a /56 for free.
-
@JKnott Most home users will not notice it anyway. I can live with it but I wanted to know it for sure.
-
Still, it wouldn't hurt to ask.
-
@JKnott It would hurt me. Had enough problems with my ISP in the last years and know a thing or two about how they operate.
-
Maybe you should get a different ISP then.
-
You understand it would take you all of a couple of minutes to get everything you want to do up and running with a FREE /48 from HE.. You can do your statics on it and not have to worry about any changes in the prefix... You can even take the same /48 with you if you change ISPs
You also can set PTRs on this /48 space if you have any need for that, etc.
There really is little reason to have to "deal" with lackluster and shitty ISPs when it comes to doing IPv6.. Giving out 1 /64 is just plain stupid.. But when the vast majority of their users are using their device, and only have 1 flat network behind it - why not just do it that way, etc..
So find an isp that does what you want, or just run a tunnel.. It really is a couple of minutes to setup.
-
@johnpoz Is there a noob-friendly tutorial for HE around here?
For my noob e-mail server it would be nice to have PTR.
Can I have two or more IPs, each with their own PTR, for one machine/host? So that every service gets its own IP/PTR, even when it is on the same machine as another service?
-
You can setup PTRs for any of your IPv6 addresses.. I have a few setup
here is the pfsense docs
https://docs.netgate.com/pfsense/en/latest/interfaces/using-ipv6-with-a-tunnel-broker.html
Haven't run through it in years... But I would assume it's current and ready to go; from a quick look over it, it looks fine..
I don't run SMTP on it. I know a few years back they had some issues with abuse of users sending spam, etc. etc. And you had to enable it if you were Sage, and now that is even gone - and you might have to contact them to enable 25.. Guess I could do a simple test to see if 25 is open in and out over the IPv6, etc.. But just be aware that might be something you will have to contact them about.
edit: did a simple test of outbound and that is open
telnet -6 2607:f8b0:4001:c03::1a 25
Trying 2607:f8b0:4001:c03::1a...
Connected to 2607:f8b0:4001:c03::1a.
Escape character is '^]'.
220 mx.google.com ESMTP e24si5820214ioh.159 - gsmtp
So I don't see why outbound would be open without inbound.. I haven't kept up with all the stuff on their forums and such for years and years since it's just rock solid and no need.. Only time I was on there frequently was years ago, like early 2011 or something, when I got Sage via their free certification test.. You can get a FREE t-shirt ;) I still sport mine now and then..
-
@johnpoz said in IPv6 with two or more LAN-side interfaces:
You can setup PTRs for any of your IPv6 addresses.. I have a few setup
Where can I do that? I got a he tunnel just now but can't find that option.
-
I got it.
-
@johnpoz Regarding PTR and the HE tunnel, I created some PTR records, or to be more precise I guess, HE created them after I made the AAAA records. But my DNS provider is Cloudflare, so my question is this: do I have to "glue" something together for PTR to be "better", or is this not important, because it works anyway?
-
No there is nothing to glue together... Cloudflare becomes the authoritative NS for the forward records.. HE will always be the authoritative NS for the IP space... Unless they delegated that to Cloudflare.. Which they currently do not allow you to do..
But works just fine this way.. Does your PTR resolve - then you're fine.
-
@johnpoz Thank you, John.
Regarding policy routing, in another thread you showed me the use of an Alias RFC1918 for an IPv4-rule.
Now I want to route everything IPv6 from VSERVER out to the HE tunnel. Is it therefore advised to have a rule for every other IPv6-enabled interface, in my example LAN? And if yes, I have to do it for every interface I guess, especially as I also use my ISP IPv6, which is to some degree dynamic.
-
does your wan have its own IPv6? HE prefixes wouldn't work out your wan if it has its own IPv6..
HE would just be your default gateway for IPv6 - there would be no reason to policy route it.. It would just happen on its own with the default * gateway.. Via normal routing..
Not getting the use case to why you would want/need to policy route ipv6..
-
@johnpoz I use both. The ISP one is only /64, it is on LAN and probably has better "ping-times" for gaming etc and is my default. And for the other Interfaces I will use those provided by HE or none.
In this regard, did my post from before make sense?