IPV6 and firewall rules - My newb is showing
-
My ISP CenturyLink offers IPv6 using dynamic addresses.
Every time my router reboots, I'm assigned a new range, and CenturyLink reboots the router every month whether I like it or not.
I can get IPv6 working, however I cannot set up firewall rules at all.
If I set up a rule, I have to specify source/destination, and if one of those is dynamic as is required by my ISP, then of course the rule doesn't work once something is rebooted.
Apparently aliases are not supported for using IPv6.
My end goal is to turn off the internet at a set time for a list of devices.
How do you do that when you cannot use aliases when using IPv6?
It seems the only solution with pfSense is to not use IPv6 and stick with IPv4?
I'm pretty tech savvy, but pfSense stretches my brain with this one.
Forgive my ignorance if I'm simply using things wrong.
So I guess my underlying question might be "How do I properly set up IPv6 with dynamic addresses to use firewall rules?"
-
First off, make sure Do not allow PD/Address release on the WAN page is selected. If that doesn't do the trick, you can set up Unique Local Addresses, which you can point your DNS to. Since you configure those yourself, the prefix won't change unless you want it to. Even though the prefix from my ISP doesn't change, I still have ULA enabled.
Also, when you configure DNS, you want to use the consistent address, which is often based on the MAC address. With SLAAC, you will have up to 7 privacy addresses, which you do not want to use with DNS.
-
-
make sure Do not allow PD/Address release on the WAN page is selected.
-This setting does not exist for me -
If that doesn't do the trick, you can set up Unique Local Addresses
-I am unable to complete this as I do not understand the below step
"This is exactly the same as the prefix for the GUA, except that the GUA prefix has been replaced with the ULA prefix"
What is the GUA prefix? Is that what is assigned by the ISP? Where do I find the GUA prefix? -
You end the post with "Once the ULA addresses have been enabled, the DNS can be configured to use those addresses"
Ok, how do I configure DNS to use those addresses?
-
-
@cr8tor said in IPV6 and firewall rules - My newb is showing:
make sure Do not allow PD/Address release on the WAN page is selected.
-This setting does not exist for me
Do you not see this?
You end the post with "Once the ULA addresses have been enabled, the DNS can be configured to use those addresses"
Ok, how do I configure DNS to use those addresses?
On the DNS resolver (or forwarder if you're using that) page there's a section called Host Overrides. You add the DNS entries in there. You create the host name and provide the consistent IPv6 address. You can also add another entry with the same name, but with the IPv4 address.
As for creating the ULA, just follow the instructions on the link I provided. To start, you have to create a 48 bit number starting with fc or fd and then fill out the remaining bits. I provided a couple of ways to generate random numbers. The idea behind the random numbers is to avoid the address collisions that are common on IPv4 when RFC1918 addresses are used. The length of the random number makes that extremely unlikely. ULA stands for Unique Local Address, which is the IPv6 equivalent of the IPv4 RFC1918 address. GUA means Global Unique Address, which is a public address, so if you want to reach devices on your network from elsewhere, you use GUA. These are the addresses you get from your ISP. Also, what size prefix do you get from your ISP? I get a /56 from mine, which provides 2^72 addresses, which can be split into 256 /64s, each of which contains 18.4 billion, billion addresses.
Perhaps you can do a screen capture of your WAN and LAN pages, so I can see what you've done.
-
@jknott
First, thank you for taking the time to respond again. I really wish I had the background and time to learn this in depth myself. Guidance from people like you is very much appreciated. Apologies for my jumbled mess of replies to your first post. :-)
Anyway, I do not see the PD/Address release option. I figured out why though.
I am using an IPv6 Configuration Type of 6rd Tunnel, whereas you use IPv6 Configuration Type DHCP6.
So I have different options. I'm not sure if I can get DHCP6 working with CenturyLink. The only thing that I have found to get it working is the 6rd tunnel.
I'm also not an expert; do you know enough to recommend settings that should work with CenturyLink? If so I'd be grateful for more of your time.
Below are WAN, LAN, and Dashboard screenshots to give you more info on existing config.
As mentioned, right now IPv6 works, but I have to set a rule up that allows all IPv6 traffic with destination/source as any. I cannot limit access to certain PCs using an alias as source.
-
@jknott said in IPV6 and firewall rules - My newb is showing:
so if you want to reach devices on your network from elsewhere, you use GUA.
Also, I do want to be able to reach devices from elsewhere.
Is the GUA the address i receive from the ISP, shown in the screenshot below? -
6rd tunnel is a method of providing IPv6 over an IPv4 network. It does that by encapsulating the IPv6 packet in IPv4. I had used something similar called 6in4 before my ISP provided native IPv6. However, this leaves you completely at the mercy of your ISP with regards to IPv6 addresses. So, you will have to use ULA for local addresses to get DNS to work. As for public addresses, you'll have to use a dynamic DNS service, which I have no experience with. And yes, that address is the global unique address. Only 1/8th of the entire IPv6 address space is assigned to GUA and the addresses start with 2 or 3.
You have to set up ULA on the RA page, as I have done here:
As I mentioned in that article, start the prefix with fc or fd and fill out the remainder with a random number. The rightmost character, 0 in my example, is used to select the prefix ID for each network you have on the LAN side. 0 is the first, then 1, etc., all the way up as far as you want to go. Also, note the ":" between groups of digits. Each group is 16 bits and :: is a string of continuous 0. So, if you set up yours in a way that looks like mine, then you should be OK.
-
I am not quite following your example. I am a very visual person and I can't see how you are getting things, as your examples don't match.
I go to GRC.com
These are the 64 random hexadecimal characters (0-9 and A-F):
181B87B34BED6866F487958F98ECBEEDCCF0E5EE6BC6EEB9FA737F20835FD6F1
I take 14 characters and precede them with fd.
fd181B87B34BED68
How do I turn these 16 characters fd181B87B34BED68 into the 12 character subnet and 29 character VIP?
I'm guessing the 12 character would be: fd18:1B87:B34B::0
And my virtual IPs would start as below.
fd18:1B87:B34B:0:
fd18:1B87:B34B:1:
fd18:1B87:B34B:2:
But I'm not sure where to get the rest of the VIP from?
Again, many thanks. Where can I send a donation to you?
-
Here's how IPv6 addresses work. They are 128 bits long, with 64 used by the prefix and 64 by the device. There are a couple of tricks to reducing the number of digits. In each group of 4 hex digits, with the groups separated by :, leading 0s don't have to be included. So, :0abc: is the same as :abc:. As I mentioned, :: represents a string of 0s. You can only do that once. In my ULA prefix, I started with fd. I now need to fill out the remainder of the 64 bit prefix. In the last group, I have 0. The other groups I filled with a random number. On my guest LAN, I have 3 for the last group, but the rest of the prefix is identical. The :: reserves 64 bits for the host portion of the address. So, your examples appear correct.
One other trick: I try to keep the prefix ID matching throughout. For example, my guest LAN would have 3 for the prefix ID with both ULA and GUA prefixes. In addition, on IPv4, I use 172.16.0.0 /16 and match the 3rd octet with the prefix ID, so my guest LAN would be 172.16.3.0 /24 and main LAN 172.16.0.0 /24. In addition, I use VLAN3 to connect to the guest SSID on my access point. In this way I can tell, at a glance, which network I'm working with. This is just a convenience however, and not required.
I don't know what size prefix you get from your ISP (/56 is typical, some provide a /48), but your ULA prefix is absolutely huge: it's a /7. By picking random numbers, a collision with some other network is extremely unlikely to cause problems with a VPN.
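Added worked example (not from either poster): it builds a ULA /48 the way RFC 4193 lays it out (fd followed by 40 random bits) and then carves per-network /64s out of it by prefix ID, the "0 for the main LAN, 3 for the guest LAN" scheme described above. The 40 sample bits are the first ten hex digits cr8tor took from GRC (181B87B34B); everything else is constructed for the example.

```python
import ipaddress
import secrets
from typing import Optional

# Added example, not code from the thread. ipaddress does the leading-zero and
# :: compression for us, so the printed form matches what pfSense would show.

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # all ULA space (RFC 4193)
GUA_RANGE = ipaddress.IPv6Network("2000::/3")   # globally routed unicast


def make_ula_prefix(random_bits40: Optional[int] = None) -> ipaddress.IPv6Network:
    """Return a /48 ULA prefix: 0xfd in the top byte, then 40 random bits.

    RFC 4193 derives the 40 bits from a hash of the time and an EUI-64; a
    CSPRNG gives the same collision resistance, so that is what is used here
    when no value is supplied.
    """
    if random_bits40 is None:
        random_bits40 = secrets.randbits(40)
    if not 0 <= random_bits40 < (1 << 40):
        raise ValueError("need exactly 40 bits of randomness")
    # bits 127..120 = fd, bits 119..80 = random, bits 79..0 = zero (subnet + host)
    value = (0xFD << 120) | (random_bits40 << 80)
    return ipaddress.IPv6Network((value, 48))


def subnet_prefix(ula48: ipaddress.IPv6Network, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 inside the /48 whose fourth hextet equals prefix_id (0..65535)."""
    if ula48.prefixlen != 48:
        raise ValueError("expected a /48 ULA prefix")
    if not 0 <= prefix_id <= 0xFFFF:
        raise ValueError("prefix ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(ula48.network_address) | (prefix_id << 64), 64))


def is_ula(net: ipaddress.IPv6Network) -> bool:
    """True when the whole network sits inside fc00::/7."""
    return net.subnet_of(ULA_RANGE)


def expanded(net: ipaddress.IPv6Network) -> str:
    """Full 8-hextet form, to see which zeros the :: and leading-zero rules hide."""
    return net.network_address.exploded


if __name__ == "__main__":
    ula = make_ula_prefix(0x181B87B34B)          # cr8tor's GRC digits
    print("ULA /48:", ula, "->", expanded(ula))
    for pid in (0, 1, 2, 3):
        net = subnet_prefix(ula, pid)
        print(f"prefix ID {pid}: {net}  (is ULA: {is_ula(net)})")
```

Because the ULA prefix is yours rather than the ISP's, firewall rules and aliases written against these /64s keep working across the monthly reboot, which is the problem the thread started with; the ISP prefix still changes, but only the GUA side is affected.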
-
@jknott said in IPV6 and firewall rules - My newb is showing:
So, your examples appear correct.
Correct how, when the VIPs are incomplete?
I stated I don't know how to complete the VIP address? :-)
If this is the 64 characters from GRC
181B87B34BED6866F487958F98ECBEEDCCF0E5EE6BC6EEB9FA737F20835FD6F1
Then fd18:1B87:B34B:0:: works for the subnet.
Total of 13 characters, starts with fd and then 10 more random from the generated line above.
But for the VIPs?
LAN - fd18:1B87:B34B:0:????:????:????:????
WIRELESS - fd18:1B87:B34B:1:????:????:????:????
What do I use from that 64 character string to complete this correctly? Do I just add more random characters like so?
LAN - fd18:1B87:B34B:0:ED68:66F4:8795:8F98
WIRELESS - fd18:1B87:B34B:1:ED68:66F4:8795:8F98 -
@cr8tor said in IPV6 and firewall rules - My newb is showing:
I stated i dont know how to complete the VIP address? :-)
It happens automagically.
With SLAAC, the device provides its own suffix to go with the prefix. This can be based on the MAC or a random number. Also, with SLAAC, there are privacy addresses, with a new one every day for up to 7. These are used for outgoing connections and the consistent address is used for incoming. Here's how my ULAs look on this computer. The computer has been up for over a week, so I have 1 consistent address, the first one ending in f5fa, and the rest are privacy addresses. I have similar with GUA.
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:58e2:3166:6e0:2b26 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:695d:b446:442d:a1f6 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:358f:4c9c:a6a5:cfce prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:21ff:5569:891d:b317 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:fd33:fb34:5207:5bfe prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:c8fc:f5d1:217d:2086 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:e51c:9fc5:89d7:f7e6 prefixlen 64 scopeid 0x0<global>
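Added worked example (not from either poster): it shows the "automagic" part, how a SLAAC host turns its MAC into the modified EUI-64 suffix, and it sorts the inet6 lines jknott posted into the one consistent address and the seven privacy addresses by looking for the ff:fe marker that MAC-derived suffixes carry. SAMPLE_IFCONFIG is jknott's output copied onto separate lines; the function names and the MAC recovered from it are the example's own.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Added example, not code from the thread. The sample text is the ifconfig
# output posted above, one "inet6" line per address.
SAMPLE_IFCONFIG = """\
inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:58e2:3166:6e0:2b26 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:695d:b446:442d:a1f6 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:358f:4c9c:a6a5:cfce prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:21ff:5569:891d:b317 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:fd33:fb34:5207:5bfe prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:c8fc:f5d1:217d:2086 prefixlen 64 scopeid 0x0<global>
inet6 fd48:1a37:2160:0:e51c:9fc5:89d7:f7e6 prefixlen 64 scopeid 0x0<global>
"""

IID_MASK = (1 << 64) - 1   # low 64 bits = interface identifier (host part)


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291 App. A): insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must be six colon-separated octets")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    eui = bytes([eui[0] ^ 0x02]) + eui[1:]          # universal/local bit inverted
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix learned from the RA (must be a /64) plus the EUI-64 suffix from the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(address: str) -> Optional[str]:
    """Undo the EUI-64 transform if the ff:fe marker is present, else return None."""
    raw = (int(ipaddress.IPv6Address(address)) & IID_MASK).to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    octets = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in octets)


def classify_addresses(ifconfig_text: str) -> List[Tuple[str, str]]:
    """Label each inet6 line as the consistent (EUI-64) address or a privacy/random one."""
    result = []
    for m in re.finditer(r"^\s*inet6\s+([0-9a-fA-F:]+)", ifconfig_text, re.M):
        addr = m.group(1)
        kind = "consistent (modified EUI-64)" if mac_from_eui64(addr) else "privacy/random"
        result.append((addr, kind))
    return result


if __name__ == "__main__":
    for addr, kind in classify_addresses(SAMPLE_IFCONFIG):
        print(f"{addr:45} {kind}")
    print("MAC encoded in the consistent address:",
          mac_from_eui64("fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa"))
```

The ff:fe test is a heuristic: it catches MAC-derived suffixes (and so also shows why privacy addresses exist, since the MAC is readable straight out of such an address), but a host that builds its consistent address with RFC 7217 stable-privacy identifiers has no marker, and one random privacy suffix in 65536 will contain ff:fe by chance. For the host overrides jknott describes, the consistent address is the one to use whichever way it was generated.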
-
@jknott
I disagree.
None of this is automagically filling itself out.
Also, you keep talking about GUA
I understand what it is, I have no clue what mine is nor how to find it. -
That's not where it happens. You're looking at the WAN side and you'll have to follow the directions from CenturyLink. Those addresses I provided are on a Linux computer connected to my LAN. The computer receives the prefix via SLAAC and then appends the suffixes.
GUA - Global Unique Address - public address. They start with 2 or 3 and you will have them on the LAN and possibly on the WAN interface. Not all ISPs use them on the WAN side.
ULA - Unique Local Address - private addresses where you create the prefix. They start with fc or fd. They are the same concept as the RFC1918 addresses in IPv4, in that they're not allowed on the Internet, but can be used within your own network.
Also, you should be on the RA page, not VIP.
-
@jknott I'm still back trying to follow directions from a few posts ago.
You told me a couple of times to follow the directions on "Using Unique Local Addresses"
I'm still trying to figure out this step. -
@jknott
Is this my GUA?
-
@cr8tor said in IPV6 and firewall rules - My newb is showing:
You told me a couple of times to follow the directions on "Using Unique Local Addresses"
On that page, I said "There are two parts to enabling ULA. First, a prefix has to be created on the Router Advertisements page.". The other part is about assigning an address to the pfsense LAN interface. Funny thing though, ULA will work without that address assigned. You just won't be able to communicate with pfsense, though you can route through it, as link local addresses are used for routing. However, when you create a VIP, you can just copy your existing GUA LAN address for that interface and replace the prefix portion with the ULA prefix you created, to create the full 128 bit address. The address will then have the ULA prefix, but the original GUA suffix. However, there is no need for the ULA and GUA suffixes to match, it's just a convenience. You could have just as easily used ::1 or some other number for the suffix. In fact, pfsense does that with the link local address. The link local address for pfsense, which is used for a lot of stuff, on my LAN is fe80::1:1. Fe80 indicates a link local address, and the remainder can be anything, though often based on the MAC. In this example, ::1:1 is used.
Yes, that is the GUA, as it starts with 2.
Here's a Wikipedia article which covers the different address types.
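Added worked example (not from either poster) for the VIP step described above: take the LAN interface's GUA, keep its 64-bit suffix and swap in the ULA prefix, or use the ::1-style fixed suffix instead, then check each address's type by the ranges named in this thread (GUA starts with 2 or 3, ULA with fc/fd, link-local with fe80). The GUA used is a placeholder from the 2001:db8::/32 documentation range, not a real assignment; the ULA prefix is the one cr8tor built from the GRC digits; the function names are the example's own.

```python
import ipaddress

# Added example, not code from the thread.
SAMPLE_GUA_LAN = "2001:db8:abcd:0:1:2:3:4"      # placeholder GUA (documentation range)
SAMPLE_ULA_LAN_PREFIX = "fd18:1b87:b34b::/64"    # cr8tor's ULA, prefix ID 0

IID_MASK = (1 << 64) - 1   # low 64 bits = host suffix


def swap_prefix(address: str, new_prefix: str) -> ipaddress.IPv6Address:
    """Replace the /64 prefix of `address` with `new_prefix`, keeping the suffix."""
    net = ipaddress.IPv6Network(new_prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    suffix = int(ipaddress.IPv6Address(address)) & IID_MASK
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


def fixed_suffix_address(prefix: str, suffix: int = 1) -> ipaddress.IPv6Address:
    """The alternative mentioned above: the prefix plus a chosen suffix such as ::1."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    if not 0 < suffix <= IID_MASK:
        raise ValueError("suffix must be a non-zero 64-bit value")
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


def address_type(address: str) -> str:
    """Classify by the ranges the thread refers to (link-local, ULA, GUA)."""
    a = ipaddress.IPv6Address(address)
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ULA"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "GUA"
    return "other"


def prefix_id(address: str) -> int:
    """Fourth hextet: the per-network ID kept equal across ULA, GUA and VLAN above."""
    return (int(ipaddress.IPv6Address(address)) >> 64) & 0xFFFF


if __name__ == "__main__":
    vip = swap_prefix(SAMPLE_GUA_LAN, SAMPLE_ULA_LAN_PREFIX)
    print("LAN GUA :", SAMPLE_GUA_LAN, address_type(SAMPLE_GUA_LAN), "id", prefix_id(SAMPLE_GUA_LAN))
    print("LAN ULA :", vip, address_type(str(vip)), "id", prefix_id(str(vip)))
    print("alt ::1 :", fixed_suffix_address(SAMPLE_ULA_LAN_PREFIX))
    print("fe80::1:1 is", address_type("fe80::1:1"))
```

Whichever suffix you pick, the ULA VIP is what goes into the Host Overrides entry and into LAN-side firewall rules, because that address is under your control and does not move when the ISP hands out a new GUA prefix.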