Ipv6 guidance

grandrivers · Jan 18, 2016, 7:36 PM

I have 2 wans and one lan prior to ipv6 i have split up which computers went out which wan by using 2 fallover groups and alias and dhcp static mappings to identify

I added 2 ipv6 tunnels (HE) would still like the ability to push some machines out wan 2 have it setup so if wan 1 goes down wan 2 picks up using directions from pfsense docs

I have nor found a good way to do this and maybe its not possible

I have 3 older andriods on my lan so I set the ra to assisted so they do slac maybe I need to stick with managed

maybe theres some more things i havent considered ?

awebster · Jan 20, 2016, 2:14 AM

That's a pretty tall order!
On IPv4 its not such a big issue because pfSense will NAT the internal IP behind whichever WAN interface it is using to send out packets, so replies get back to where the came from and everything works as expected.
IPv6 on the other hand doesn't work that way because every IPv6 IP is always a real, routable IP.
The IPv6 pureists shudder at the thought of IPv6 NAT or whatever you want to call it.
In the end, IPv6 multihoming is a very real problem that doesn't really have a good answer.

This is a bit dated but describes the problem really well.
http://blog.ipspace.net/2011/12/ipv6-multihoming-without-nat-problem.html

I guess this would have to appear somewhere on the pfSense roadmap, but I suspect there is a lot of road to be travelled before it will work "out of the box".

Edit: I just found this, same question, and guidance!
https://forum.pfsense.org/index.php?topic=105136.0

grandrivers · Jan 20, 2016, 3:05 PM

yes that guidance seemed to apply mainly as failover would like to load balance and control which machines go out which wans

jimp · Jan 26, 2016, 8:51 PM

You can still do that with the setup described on https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6

Match by source and policy route out the other WAN or use a LB/Failover group as desired. The NPt on the second WAN will handle translation. It's not ideal, but it will get the job done.

grandrivers · Jan 27, 2016, 1:05 AM

any guidance for the most efficient way to locate certain machines with out physically going to each machine and check its ipv6 address

jimp · Feb 2, 2016, 9:35 PM

Not really. With IPv6 it's quite a bit different and geared toward privacy. You might get lucky and spot the host by its MAC address in the NDP table or catch it in the DHCPv6 leases if it didn't use SLAAC. Otherwise you have to check the client.