OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?
-
Thanks everyone for your help - it seems that a little background reading would be a good idea sometime soon. This may well change the settings in the firewall rules, then?
-
That depends on what the rules do. If filtering on protocol, then you can often create a single rule that handles both. If filtering on address, then you'd need separate rules.
-
So here it is, best I can remember it. All the things I changed to get this working:
System - Advanced - Networking
Interfaces - WAN
Interfaces - LAN:
The PFSense WAN IPv6 address is then in the Dashboard.
Finally I meant to link to beechy.de above but got the wrong link pasted in.
-
That link @Bob-Dig provided says 6rd is going to be shut down, which means you should be configuring for DHCPv6 instead. My ISP did the same thing. They provided both 6rd and 6to4 tunnels, until they provided native IPv6 via DHCPv6-PD. This is what you should be configuring for, as that link describes.
-
@Bob-Dig said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:
this
Feeling brave I tried DHCPv6 like suggested instead of 6rd and from a quick late-night hack it broke the IPv6 connectivity for me. This is one for more experimentation.
For the moment my pressing requirement is to fix my OpenVPN authentication issue rather than future-proofing the IPv6 connection.
-
My authentication problems seem to be documented as a PFSense bug here so I have downgraded the login to SSL/TLS only and it works. Will keep researching the correct settings for DHCPv6. Cue small celebration here...
One further question - is there any way I can access my home network over IPv4? This would be very handy, for one thing my employer only allows IPv4 traffic through their network, and I am sure to travel to corners of the world where the mobile network is not quite so modern as here. I have no idea what options there may be for this.
-
If you mean connecting to your home network over an IPv4 tunnel, with IPv4 endpoints, probably not.
-
Not with that CGNAT address. Perhaps you could get an IPv6 tunnel from he.net. It will send IPv6 in IPv4 UDP packets, similar to that 6rd tunnel you were using. Then you'd use IPv6 to access your network.
It sure will be nice when the world moves fully to IPv6, so that we can put all this NAT nonsense behind us.
-
I think he was asking about accessing his network from an IPv4 source. Seems he has IPv6 worked out.
-
Exactly that - I am able to reach my home network when the remote device is on an IPv6 capable network but I am willing to bet that much of the world is still IPv4 only. From these networks I apparently have no possibility to establish a link home, which seems a bit of a problem.
-
That is why I suggested he.net. They will provide IPv6 over IPv4, so that you can access IPv6 from an IPv4 only network. I haven't used he.net myself, but I used to use a 6in4 tunnel from another provider. With it, I could arrange for a /56 for a network a single IPv6 address for a device. I'd get a single address for my notebook computer, in addition to the /56 for my home network. I used a 6in4 tunnel for almost 6 years. Your ISP provided a 6rd tunnel, but I doubt it could be used off their network.
-
@JKnott HE probably will not work, because the topic-creator has no reachable and pingable IPv4-address, which is a demand from HE.
-
The tunnel was for use at the other end, so that he can use it to get to his IPv6 address. This is exactly what I used to do, when I set up my notebook computer with a single IPv6 address via tunnel. He wants to reach an IPv6 address from work, which supports IPv4 only. So, he configures a computer at work to get an IPv6 address from he.net and he can then reach his home IPv6 address.
-
Doesn't he have at least a firewall address at work? I recall the restriction on the static address, but I thought that had been dropped. I haven't worked with he.net, so I don't know the details of working with them. If not them, what about another tunnel provider?
-
OK - thanks very much everyone, I will have a look at he.net and see what they can do. There seems to be a free service so a good place to start.
-
As I mentioned, I don't have experience with he.net, so perhaps someone else here can help you with it.
