Netgate Discussion Forum

    OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?

      charry2014

      Thanks everyone for your help - it seems that a little background reading would be a good idea sometime soon. This may well change the settings in the firewall rules, then?

        JKnott @charry2014

        @charry2014

        That depends on what the rules do. If filtering on protocol, then you can often create a single rule that handles both. If filtering on address, then you'd need separate rules.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          charry2014

          So here it is, best I can remember it. All the things I changed to get this working:

          System - Advanced - Networking
          [screenshot]

          Interfaces - WAN
          [screenshots]

          Interfaces - LAN:
          [screenshots]

          The pfSense WAN IPv6 address is then in the Dashboard.

          Finally I meant to link to beechy.de above but got the wrong link pasted in.

            JKnott @charry2014

            @charry2014

            That link @Bob-Dig provided says 6rd is going to be shut down, which means you should be configuring for DHCPv6 instead. My ISP did the same thing. They provided both 6rd and 6to4 tunnels, until they provided native IPv6 via DHCPv6-PD. This is what you should be configuring for, as that link describes.

              charry2014

              @Bob-Dig said in OpenVPN and Deutsche Glasfaser - IPV6 and CGNAT blocking connection?:

              this

              Feeling brave I tried DHCPv6 like suggested instead of 6rd and from a quick late-night hack it broke the IPv6 connectivity for me. This is one for more experimentation.

              For the moment my pressing requirement is to fix my OpenVPN authentication issue rather than future-proofing the IPv6 connection.

                charry2014

                My authentication problems seem to be documented as a pfSense bug here so I have downgraded the login to SSL/TLS only and it works. Will keep researching the correct settings for DHCPv6. Cue small celebration here...

                One further question - is there any way I can access my home network over IPv4? This would be very handy, for one thing my employer only allows IPv4 traffic through their network, and I am sure to travel to corners of the world where the mobile network is not quite so modern as here. I have no idea what options there may be for this.

                  Derelict LAYER 8 Netgate

                  If you mean connecting to your home network over an IPv4 tunnel, with IPv4 endpoints, probably not.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                    JKnott @charry2014

                    @charry2014

                    Not with that CGNAT address. Perhaps you could get an IPv6 tunnel from he.net. It will send IPv6 in IPv4 UDP packets, similar to that 6rd tunnel you were using. Then you'd use IPv6 to access your network.

                    It sure will be nice when the world moves fully to IPv6, so that we can put all this NAT nonsense behind us.

                      Derelict LAYER 8 Netgate

                      I think he was asking about accessing his network from an IPv4 source. Seems he has IPv6 worked out.

                        charry2014

                        Exactly that - I am able to reach my home network when the remote device is on an IPv6 capable network but I am willing to bet that much of the world is still IPv4 only. From these networks I apparently have no possibility to establish a link home, which seems a bit of a problem.

                          JKnott @charry2014

                          @charry2014

                          That is why I suggested he.net. They will provide IPv6 over IPv4, so that you can access IPv6 from an IPv4 only network. I haven't used he.net myself, but I used to use a 6in4 tunnel from another provider. With it, I could arrange for a /56 for a network or a single IPv6 address for a device. I'd get a single address for my notebook computer, in addition to the /56 for my home network. I used a 6in4 tunnel for almost 6 years. Your ISP provided a 6rd tunnel, but I doubt it could be used off their network.

                            Bob.Dig LAYER 8 @JKnott

                            @JKnott HE probably will not work, because the topic-creator has no reachable and pingable IPv4-address, which is a demand from HE.

                              JKnott @Bob.Dig

                              @Bob-Dig

                              The tunnel was for use at the other end, so that he can use it to get to his IPv6 address. This is exactly what I used to do, when I set up my notebook computer with a single IPv6 address via tunnel. He wants to reach an IPv6 address from work, which supports IPv4 only. So, he configures a computer at work to get an IPv6 address from he.net and he can then reach his home IPv6 address.

                                JKnott @Bob.Dig

                                @Bob-Dig

                                Doesn't he have at least a firewall address at work? I recall the restriction on the static address, but I thought that had been dropped. I haven't worked with he.net, so I don't know the details of working with them. If not them, what about another tunnel provider?

                                  charry2014

                                  OK - thanks very much everyone, I will have a look at he.net and see what they can do. There seems to be a free service so a good place to start.

                                    JKnott @charry2014

                                    @charry2014

                                    As I mentioned, I don't have experience with he.net, so perhaps someone else here can help you with it.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.