    IPv6 with two or more LAN-side interfaces

    61 Posts 6 Posters 8.7k Views
Bob.Dig @johnpoz:

@johnpoz Regarding PTR and the HE tunnel: I created some PTR records, or, to be more precise, I guess HE created them after I made the AAAA records. But my DNS provider is Cloudflare, so my question is this: do I have to "glue" something together for PTR to be "better", or is this not important, because it works anyway?

johnpoz (Global Moderator):

No, there is nothing to glue together... Cloudflare becomes the authoritative NS for the forward records.. HE will always be the authoritative NS for the IP space.. unless they delegated that to Cloudflare, which they currently do not allow you to do..

But it works just fine this way.. Does your PTR resolve? Then you're fine.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

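The check johnpoz describes ("does your PTR resolve") is only half of what mail and other services look at: the PTR that HE serves from ip6.arpa must name a host whose AAAA record (served by Cloudflare in this setup) points back at the same address. The script below is an added example, not code from the thread or from pfSense; it builds the ip6.arpa name, walks address -> PTR -> AAAA, and reports whether the loop closes. The resolver is pluggable, and the embedded zone data (2001:db8::/32 documentation addresses, example.net names) is constructed so the example runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an IPv6 address.

Added example (not from the original thread). lookup(name, rtype) must return
the rdata strings for that name/type, or [] for NXDOMAIN/NODATA.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str, str], List[str]]


def reverse_name(addr: str) -> str:
    """ip6.arpa name for an IPv6 address: one hex nibble per label, reversed."""
    return ipaddress.IPv6Address(addr).reverse_pointer


def fcrdns(addr: str, lookup: Lookup) -> Dict[str, object]:
    """Resolve addr -> PTR -> AAAA and confirm that at least one name leads back to addr."""
    target = ipaddress.IPv6Address(addr).compressed
    ptr_names = lookup(reverse_name(addr), "PTR")
    confirmed = [
        name
        for name in ptr_names
        if target in {ipaddress.IPv6Address(a).compressed for a in lookup(name, "AAAA")}
    ]
    return {"ptr": ptr_names, "confirmed": confirmed, "ok": bool(confirmed)}


# Constructed stub zone data (assumed names and addresses) so the check runs offline:
# ::25 has a matching PTR/AAAA pair, ::26 has a PTR whose AAAA points elsewhere.
STUB_ZONE: Dict[Tuple[str, str], List[str]] = {
    (reverse_name("2001:db8:1::25"), "PTR"): ["mail.example.net"],
    ("mail.example.net", "AAAA"): ["2001:db8:1::25"],
    (reverse_name("2001:db8:1::26"), "PTR"): ["www.example.net"],
    ("www.example.net", "AAAA"): ["2001:db8:1::80"],
}


def stub_lookup(name: str, rtype: str) -> List[str]:
    """Offline resolver over STUB_ZONE; names are compared case-insensitively, no trailing dot."""
    return STUB_ZONE.get((name.lower().rstrip("."), rtype), [])


if __name__ == "__main__":
    for a in ("2001:db8:1::25", "2001:db8:1::26", "2001:db8:1::27"):
        print(a, reverse_name(a), fcrdns(a, stub_lookup))
```

For a live check, replace `stub_lookup` with a function backed by a real resolver; with dnspython that is a one-liner around `dns.resolver.resolve(name, rtype)` returning each rdata's `to_text().rstrip(".")`. A PTR that exists but does not forward-confirm (the `::26` case) is what receiving MTAs typically log as a mismatch, so test the address your service actually sends from.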
Bob.Dig @johnpoz:

          @johnpoz Thank you, John.

Regarding policy routing, in another thread you showed me the use of an alias RFC1918 for an IPv4 rule.
Now I want to route everything IPv6 from VSERVER out to the HE tunnel. Is it therefore advised to have a rule for every other IPv6-enabled interface, in my example LAN?

[screenshot: dgfsr.PNG]

And if yes, I have to do it for every interface I guess, especially as I also use my ISP IPv6, which is to some degree dynamic.

johnpoz (Global Moderator):

Does your WAN have its own IPv6? HE prefixes wouldn't work out your WAN if it has its own IPv6..

HE would just be your default gateway for IPv6 - there would be no reason to policy route it.. It would just happen on its own with the default * gateway.. via normal routing..

Not getting the use case for why you would want/need to policy route IPv6..


Bob.Dig @johnpoz:

@johnpoz I use both. The ISP one is only a /64, it is on LAN and probably has better "ping times" for gaming etc. and is my default. And for the other interfaces I will use those provided by HE, or none.
In this regard, does my post from before make sense?

johnpoz (Global Moderator):

Ah - ok..

Then yeah, you would policy route it just like IPv4 - you send traffic from the networks using HE out the HE gateway.


Bob.Dig @johnpoz:

@johnpoz But do I need the rule in the middle?

Also, you are right about making the HE tunnel the default; if the middle rule makes sense, it would be much easier then to only do it on LAN instead of on all the others.

johnpoz (Global Moderator):

Yeah, that way works too ;)

I personally would just use HE.. Have you done any testing to see how much latency difference you're seeing to different things? Or are you just assuming that your ISP should be faster? It all comes down to the peering ;) And whether you have an HE PoP in your local area.. If the only HE PoP you have is really far away, then yeah, ok, that could add some latency... if where you're wanting to go is in the wrong direction.

You have a shared last mile, which is your ISP... But after that it comes down to peering and location - for all you know HE is in the same PoP, etc. I would be curious about the difference in performance.. Sure, HE is in a GRE tunnel and a bit of added overhead, but really, in the big picture you're talking insignificant stuff here..


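The question about "the rule in the middle" comes down to how pfSense evaluates interface rules: top-down, first match wins, and a rule with a gateway set sends the matched traffic to that gateway regardless of the routing table. Without a pass rule for the other local IPv6 networks sitting above the HE rule, VSERVER-to-LAN traffic would also be forced out the tunnel. The model below is an added example, not pfSense's own code or rules from the thread; the prefixes are constructed from the 2001:db8::/32 documentation range, and the gateway name and interface layout are assumptions.

```python
"""First-match rule evaluation as pfSense (pf) applies it to an interface tab.

Added example (not from the thread or from pfSense). Shows why a pass rule for
local IPv6 destinations with the default gateway must precede a rule that
policy-routes "any" out the HE tunnel gateway.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv6Network


@dataclass
class Rule:
    """One pass rule: source net, destination net, optional policy-routing gateway."""
    src: Net
    dst: Net
    gateway: Optional[str] = None  # None = "default": let the routing table decide


def evaluate(rules: List[Rule], src: str, dst: str) -> Optional[str]:
    """Top-down, first match wins.

    Returns the gateway name the packet is handed to, "default" when the
    matching rule has no gateway set, or None when no rule matches (implicit deny).
    """
    s = ipaddress.IPv6Address(src)
    d = ipaddress.IPv6Address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.gateway or "default"
    return None


# Constructed prefixes (documentation range), standing in for the poster's real ones.
VSERVER_NET = Net("2001:db8:a:1::/64")  # HE-routed /64 on VSERVER
LAN_NET = Net("2001:db8:b:2::/64")      # the ISP /64 on LAN
OTHER_NET = Net("2001:db8:a:3::/64")    # another HE-routed /64 on a third interface
LOCAL_V6 = [VSERVER_NET, LAN_NET, OTHER_NET]
ANY = Net("::/0")
HE_GW = "HE_TUNNELV6"  # assumed gateway name


def vserver_rules(with_local_exception: bool) -> List[Rule]:
    """The VSERVER tab, with or without the 'middle' rule for local destinations."""
    rules: List[Rule] = []
    if with_local_exception:
        # Pass to every local IPv6 network with NO gateway -> normal routing.
        rules += [Rule(VSERVER_NET, net) for net in LOCAL_V6]
    # Everything else from VSERVER is forced out the HE tunnel.
    rules.append(Rule(VSERVER_NET, ANY, gateway=HE_GW))
    return rules


def where_does_it_go(with_local_exception: bool, dst: str) -> Optional[str]:
    """Path taken by a packet from a VSERVER host to dst under each ruleset."""
    return evaluate(vserver_rules(with_local_exception), "2001:db8:a:1::10", dst)


if __name__ == "__main__":
    for exc in (False, True):
        print("middle rule:", exc,
              "| to LAN ->", where_does_it_go(exc, "2001:db8:b:2::20"),
              "| to internet ->", where_does_it_go(exc, "2001:db8:ffff::1"))
```

In pfSense the same effect can be had with a single rule by building an alias of all local IPv6 networks and using it as the HE rule's destination with "invert match" ticked (destination "not local"), which is the IPv6 equivalent of the RFC1918 alias trick mentioned earlier in the thread. Either way the exception has to be above the policy-routing rule, because nothing after the first matching rule is consulted.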
Bob.Dig @johnpoz:

@johnpoz I did some very few ping tests and my ISP came ahead by one ms, which is nothing. 😉
But now I am thinking of getting rid of the /48 and instead opening four other tunnels... 😈

johnpoz (Global Moderator):

                        Huh... They won't let you open 4 tunnels.. You have to have multiple IPv4s to do multiple tunnels.


Bob.Dig @johnpoz:

                          @johnpoz Ah ok, sounds fair.

taz3146 @johnpoz:

he.net tunnelbroker went to default blocking of "IRC" and "SMTP" traffic long ago due to spammers/flooders.
To have it unblocked, they generally require you to pass their "IPv6 Certification" testing to level "Sage", then email them, and if they choose to, they'll enable a button on the tunnelbroker advanced config page to "unblock" SMTP & IRC traffic.

**Obviously, don't use it for devious purposes like spamming/trolling/flooding or you'll very likely get your whole tunnel removed in a hurry.

Bob.Dig @taz3146:

@taz3146 Yep. I somehow managed to get Sage. ☺

Bob.Dig:

For getting a PTR for every service that I run, I tried adding a second NIC to my VMs for another IPv6 address by DHCP. But then I found out that the DUID was the same for every NIC, it seems to be machine specific, so I couldn't use the DHCPv6 server anymore, because it is not using the MAC addresses, only the DUID. So I finally switched to giving those machines the IPv6 manually. For that I also didn't need a second NIC in the first place.
Because the prefixes from HE never change, that worked out well. But some time in the future, I would like to see that all this managing is doable in pfSense. 😉

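The behaviour Bob.Dig ran into is by design: a DHCPv6 client has one DUID for the whole machine (RFC 8415 defines four formats, all derived from a single link-layer address, UUID or vendor identifier), and the server tells that client's interfaces apart only by the IAID inside the request. pfSense static mappings are keyed on the DUID, so a second NIC in the same VM looks like the same client. The parser below is an added example, not pfSense or ISC code; the DUID strings are constructed from the IANA documentation MAC range (00:00:5e:00:53:xx) and an arbitrary generation time.

```python
"""Decode the DUID formats from RFC 8415 section 11.

Added example (not from the thread or from pfSense). Accepts the colon-, dash-
or space-separated hex that pfSense, dhcpcd and `ip` tools print.
"""
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict

# DUID-LLT time field: seconds since 2000-01-01 00:00:00 UTC, modulo 2**32.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)
HW_TYPES = {1: "ethernet"}  # IANA hardware type 1 = Ethernet


def normalize(duid: str) -> bytes:
    """Strip separators and return the raw DUID bytes."""
    return bytes.fromhex(duid.replace(":", "").replace("-", "").replace(" ", ""))


def parse_duid(duid: str) -> Dict[str, object]:
    """Return the decoded fields for DUID-LLT (1), DUID-EN (2), DUID-LL (3), DUID-UUID (4)."""
    data = normalize(duid)
    if len(data) < 2:
        raise ValueError("DUID needs at least a 2-byte type field")
    (dtype,) = struct.unpack("!H", data[:2])
    body = data[2:]
    if dtype == 1:  # hardware type (2) + time (4) + link-layer address
        if len(body) < 6:
            raise ValueError("DUID-LLT too short")
        hw, t = struct.unpack("!HI", body[:6])
        return {"type": "DUID-LLT", "hw_type": HW_TYPES.get(hw, hw), "time": t,
                "generated": DUID_EPOCH + timedelta(seconds=t), "lladdr": body[6:].hex(":")}
    if dtype == 2:  # IANA enterprise number (4) + opaque identifier
        if len(body) < 4:
            raise ValueError("DUID-EN too short")
        (ent,) = struct.unpack("!I", body[:4])
        return {"type": "DUID-EN", "enterprise": ent, "identifier": body[4:].hex()}
    if dtype == 3:  # hardware type (2) + link-layer address
        if len(body) < 2:
            raise ValueError("DUID-LL too short")
        (hw,) = struct.unpack("!H", body[:2])
        return {"type": "DUID-LL", "hw_type": HW_TYPES.get(hw, hw), "lladdr": body[2:].hex(":")}
    if dtype == 4:  # 128-bit UUID
        if len(body) != 16:
            raise ValueError("DUID-UUID must carry exactly 16 bytes")
        return {"type": "DUID-UUID", "uuid": str(uuid.UUID(bytes=body))}
    return {"type": f"unknown({dtype})", "raw": body.hex()}


def same_client(duid_a: str, duid_b: str) -> bool:
    """DHCPv6 identity is the DUID alone; per-interface leases differ only by IAID."""
    return normalize(duid_a) == normalize(duid_b)


# Constructed sample DUIDs (assumed values, documentation MAC range).
VM_DUID_LLT = "00:01:00:01:2a:1b:3c:4d:00:00:5e:00:53:01"
VM_DUID_LL = "00:03:00:01:00:00:5e:00:53:02"

if __name__ == "__main__":
    print(parse_duid(VM_DUID_LLT))
    print(parse_duid(VM_DUID_LL))
    # The DUID embeds the MAC of whichever NIC existed when it was generated;
    # adding a second NIC later does not change it.
    print(same_client(VM_DUID_LLT, "0001000 12a1b3c4d00005e005301".replace(" ", "")))
```

Decoding the DUID is useful when a static mapping does not take effect: a DUID-LLT or DUID-LL that embeds a MAC from a NIC that no longer exists is still valid and still the client's identity, so matching on the MAC you see in the packet capture will not work. If you need separate addresses per NIC from DHCPv6, the lease is keyed by (DUID, IAID); pfSense's static mapping form only takes the DUID, which is why the manual-address route was the workable one here.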
Bob.Dig:

With PTR in general there seems to be the problem that, if your machine has two or more addresses, you have to tell the server/service/program which of them to use for outgoing connections, right?

johnpoz (Global Moderator):

Huh? Ya lost me... What does a DNS record have to do with your machine having more than 1 address? And what does that have to do with what an application uses as its source IP?


Bob.Dig @johnpoz:

@johnpoz PTR is nice to have, but it seems to me that in many server programs you can't define which of the IPs your machine has to use for unsolicited outgoing connections (hope I got the term right).

johnpoz (Global Moderator):

Not if you're using privacy IPv6, no - but anything that would be used as a service that would normally require a PTR would only have the 1 global address it uses..


Bob.Dig @johnpoz:

@johnpoz So you mean like the machine, yeah, so I did that wrong in the first place. ☺
I run two different services on the same machine, which seems to be not a good idea for PTR because it is hard or impossible to bind.

johnpoz (Global Moderator):

                                            Privacy IPs not meant to be used by say your MTA sending mail ;) hehehe


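The last few posts circle one practical issue: a host with SLAAC privacy (temporary) addresses will, by default, pick one of them as the source for unsolicited outbound connections, and that address has no PTR and rotates. For an MTA or any service that peers check via FCrDNS, the fix is to give the host one stable global address and pin outbound sockets to it. The script below is an added example, not code from the thread; it parses constructed `ip -6 addr show` output (Linux format, documentation prefix 2001:db8:1::/64, documentation MAC range) to find the stable candidates, and shows the bind-before-connect that pins the source.

```python
"""Pick a stable global IPv6 source address and pin outbound connections to it.

Added example (not from the thread). The sample output is constructed to
mimic `ip -6 addr show` on Linux; addresses and MAC are documentation values.
"""
import re
import socket
from typing import List, Tuple

# inet6 <addr>/<plen> scope <scope> [flags...]
ADDR_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)/(\d+)\s+scope\s+(\w+)(.*)$")

SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:0:b1d3:7a11:9c2e:4f5a/64 scope global temporary dynamic
       valid_lft 86215sec preferred_lft 14215sec
    inet6 2001:db8:1:0:200:5eff:fe00:5301/64 scope global dynamic mngtmpaddr
       valid_lft 86215sec preferred_lft 14215sec
    inet6 2001:db8:1::25/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2001:db8:1::26/64 scope global deprecated
       valid_lft forever preferred_lft 0sec
    inet6 fe80::200:5eff:fe00:5301/64 scope link
       valid_lft forever preferred_lft forever
"""


def parse_ip_addr(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (address, scope, flags) for every inet6 line in `ip -6 addr` output."""
    out = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            out.append((m.group(1), m.group(3), m.group(4).split()))
    return out


def stable_global_addrs(text: str) -> List[str]:
    """Global-scope addresses that are neither privacy (temporary) nor deprecated.

    These are the only ones worth publishing a PTR for and binding a service to;
    a temporary address is what the kernel would otherwise prefer as source.
    """
    return [
        addr
        for addr, scope, flags in parse_ip_addr(text)
        if scope == "global" and "temporary" not in flags and "deprecated" not in flags
    ]


def connect_from(src: str, dst: str, port: int, timeout: float = 5.0) -> socket.socket:
    """Open a TCP connection to dst:port with the source address pinned to src."""
    s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    s.settimeout(timeout)
    s.bind((src, 0))  # bind before connect(); port 0 lets the kernel pick the source port
    s.connect((dst, port))
    return s


if __name__ == "__main__":
    print("all:", [a for a, _, _ in parse_ip_addr(SAMPLE_IP_ADDR)])
    print("stable global:", stable_global_addrs(SAMPLE_IP_ADDR))
    # Live use (network required): connect_from(stable_global_addrs(...)[0], "mx.example.net", 25)
```

Most daemons expose the same bind in their configuration rather than requiring code: Postfix has `smtp_bind_address6` for outbound SMTP, and on Linux `net.ipv6.conf.<ifname>.use_tempaddr = 0` stops the kernel from generating temporary addresses on a server at all, which removes the problem at the source. Which of the two remaining stable addresses you choose should match the one whose PTR forward-confirms.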
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.