Configuration IPV6
-
Hi,
Context: Pro, Novice student in IPV6, pfSense installed on a DELL server, test environment
Need: To be seen from the outside with an IP other than that of the firewall (IPV6)
Diagram: My ISP provides me with a range in /56
- WAN: 2001:920:7090:200::/64
- LAN: 2001:920:7090:201::/64
Configuration: Basic with filter rules in *.
A little aside in IPV4 to explain what I'm looking for.
Currently, in IPV4, we use NAT 1:1 to map a public IP with a private IP on our LAN. Then, when we go to monip.org on a Windows server, we get the public IP address of the latter and not the one of the firewall. This then allows our applications to work correctly. Now I would like to get the same result with IPV6, knowing that NAT is not possible.
Imagined track: Setting up a filtering bridge. Unfortunately, after the configuration of this one I encounter network instability. My Windows machines ping today at 10am and no longer ping at 4pm for example.
Question: Without using a filtering bridge, is it possible to set up a configuration similar to ipv4?
-
You don't need to use anything like NAT with IPv6. You should have plenty of addresses. You say bridge. What are you bridging? What's your connection to your ISP? Also, having your WAN address within your /56 is unusual.
-
Yes that's what I understood about NAT and that's why I don't understand how to implement ipv6 to get a similar result.
What do you call "bridge"? I had set up a transparent firewall first before switching back to a classic WAN/LAN configuration.
My provider actually provides us with a /56. Other than that I don't have any more information, but I could ask for more.
-
The typical way an ISP provides IPv6 is through DHCPv6-PD. Does yours? Have you configured for it? It requires the modem to be in bridge mode, not gateway. Also, you don't even need a WAN address, as routing is often done through the link local address.
I also have a /56 and my WAN address is not from my /56 prefix.
-
My ISP does not offer DHCPv6-PD, only static.
If I understand correctly, I need my ISP to offer me a DHCPv6-PD then put my pfSense in bridge mode?
-
@dimix971
If your ISP IPv6 is all static, you have to assign your interface "all static".
No DHCP(v6) needed on your WAN side.
It's static, or dynamic (DHCP), rarely/never both. DHCPv6 offers a minimal set up on your side.
No need to hassle with these huge numbers.
@dimix971 said in Configuration IPV6:
I need my ISP to offer me a DHCPv6-PD
They won't do that 'just for you'. But if possible, that would be 'easier'.
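As an added example (not code from anyone in this thread), a small Python planner built on the prefixes the OP quoted: it carves the /56 into /64s, checks that each LAN /64 is actually inside the delegation, flags the point raised earlier about the WAN sitting inside the /56, and produces the static values you would type into the LAN interface and DHCPv6 server pages. The /56 boundary, the ::1 firewall address and the pool range are assumptions.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed from the prefixes quoted in the thread; the /56 boundary is assumed.
DELEGATED = "2001:920:7090:200::/56"
WAN = "2001:920:7090:200::/64"
LAN = "2001:920:7090:201::/64"

def subnet_index(delegated, subnet):
    """Which /64 (0..255) of the delegation this is; None if not a /64 inside it."""
    big, small = IPv6Network(delegated), IPv6Network(subnet)
    if small.prefixlen != 64 or not small.subnet_of(big):
        return None
    return (int(small.network_address) - int(big.network_address)) >> 64

def free_lans(delegated, used, count):
    """First `count` unused /64s (as strings) for extra LANs or a VPN range."""
    taken = {IPv6Network(u) for u in used}
    out = []
    for net in IPv6Network(delegated).subnets(new_prefix=64):
        if net not in taken:
            out.append(str(net))
        if len(out) == count:
            break
    return out

def plan_static_lan(delegated, lan):
    """Static values for a LAN /64: firewall at ::1 (assumed) plus a DHCPv6 pool."""
    idx = subnet_index(delegated, lan)
    if idx is None:
        raise ValueError(f"{lan} is not a /64 inside {delegated}")
    net = IPv6Network(lan)
    return {
        "index": idx,
        "router": f"{net.network_address + 1}/64",
        "pool_start": str(net.network_address + 0x1000),
        "pool_end": str(net.network_address + 0x1FFF),
    }

def check_plan(delegated, wan, lans):
    """Sanity checks before committing a static setup; returns warning strings."""
    warnings = []
    if subnet_index(delegated, wan) is not None:
        warnings.append(f"WAN {wan} lies inside {delegated}; ISPs usually route "
                        "the block over a separate link prefix")
    warnings += [f"LAN {lan} is outside {delegated}, so the ISP will not route it"
                 for lan in lans if subnet_index(delegated, lan) is None]
    return warnings

def host_is_routable(addr, delegated):
    """Host address from the delegated block: reachable directly, no 1:1 NAT needed."""
    return IPv6Address(addr) in IPv6Network(delegated)
```

A host whose address `host_is_routable` accepts is the IPv6 counterpart of the 1:1 NAT mapping: monip.org will show that host's own address, provided a WAN pass rule allows the inbound traffic.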
-
@gertjan said in Configuration IPV6:
They won't do that 'just for you'. But if possible, that would be 'easier'.
Easier until you start assigning IP address ranges to VPN connectivity, set up firewall rules, DNS overrides for "static" hosts (i.e. SLAAC EUI64 addresses), and then your prefix changes after a power failure and you have to manually update all that stuff that you had set.
If your ISP gives you a static IPv6 block, you may need to do a bit more manual configuration of your network(s) initially, but for the fact that it won't change at all, I'd be happy to do a little extra work up front.
Unless pfSense/Netgate has plans to make "Track Interface"-like automation with the prefix for OpenVPN, WireGuard, IPSEC, DNS overrides, and other things that currently require manual entering of an entire IPv6 address or prefix, I don't see any case where DHCPv6-PD would be desirable over a static IPv6 block. But maybe that's just me.
-
@virgiliomi
My prefix is rock solid. It survived changing NICs, etc. It was only when I moved to a new computer that it changed.
-
@jknott My prefix was rock solid on my last ISP (Comcast). But I took Verizon up on their bi-directional Gigabit service for less than I was paying Comcast for 200/10 (which was provisioned to 250/12), and while I realize that technically their IPv6 is still in testing (I'm in one of a single-digit number of areas that have it), my prefix has changed at least three times when doing things as simple as unplugging the interface or rebooting.
Dynamic means it can change. It may not change often, but it can change. Clearly Verizon doesn't utilize the DUID to provide the same prefix that a DUID had previously. Why, I don't know. But they don't. Because my DUID hasn't changed... it's the same it was when I was on Comcast.
-
My second WAN is via T-Mobile Prepaid LTE and the prefix changes every two or three days. NAT makes it usable.
-
@virgiliomi
I used to have that problem until the setting Do not allow PD/Address release was added to the WAN page.
-
@jknott Yep... I had that option set with Comcast, and still have it set now. And having a DUID set in the Advanced Networking settings (which I've also kept since having Comcast) doesn't seem to help either.
-
@virgiliomi said in Configuration IPV6:
Easier until you start assigning IP ..........
I don't see any case where DHCPv6-PD would be desirable over a static IPv6 block. But maybe that's just me.
Noop, you got a point.
I have to add that I'm using a static IPv6 setup myself, as my ISP
- doesn't know what IPv6 is.
- and if they do, they come up with a single /64
- or a /56 but only the first /64 is routable
- or ..... (whatever, their BOX has just one LAN so they don't understand the fuss - not even that some clients are actually companies and they could have more than 1 LAN ....)
With he.net, the one I'm using, the price is: not the world's fastest ISP, but free and rock solid. And very static.
@virgiliomi said in Configuration IPV6:
My prefix was rock solid on my last ISP (Comcast). .....
unplugging the interface or rebooting.
A pretty solid proof that '$$$€€€' and 'Mbits/sec' are just a part of the equation.
Good 'protocol' support is as important. And this one doesn't need the reading of their promises on paper. It will always be "Hands on testing for 6 months" ;)
@virgiliomi said in Configuration IPV6:
But they don't. Because my DUID hasn't changed...
They probably cleared out their DHCPv6 server cache and settings.
As you said : they are probably in the implementing phase.