Netgate Discussion Forum

    IPV6 and firewall rules - My newb is showing

    Category: Firewalling
    33 Posts 4 Posters 5.1k Views
    cr8tor @JKnott

      @jknott said in IPV6 and firewall rules - My newb is showing:

      So, your examples appear correct.

      Correct how, when the VIPs are incomplete?
      I stated I don't know how to complete the VIP address. :-)

      If this is the 64 characters from GRC
      181B87B34BED6866F487958F98ECBEEDCCF0E5EE6BC6EEB9FA737F20835FD6F1

      then fd18:1B87:B34B:0:: works for the subnet.
      A total of 13 characters: it starts with fd and then 10 more random ones from the generated line above.

      But for the VIPs?
      LAN - fd18:1B87:B34B:0:????:????:????:????
      WIRELESS - fd18:1B87:B34B:1:????:????:????:????

      What do I use from that 64-character string to complete this correctly? Do I just add more random characters, like so?
      LAN - fd18:1B87:B34B:0:ED68:66F4:8795:8F98
      WIRELESS - fd18:1B87:B34B:1:ED68:66F4:8795:8F98

      JKnott @cr8tor

        @cr8tor said in IPV6 and firewall rules - My newb is showing:

        I stated i dont know how to complete the VIP address? :-)

        It happens automagically. 😉
        With SLAAC, the device provides its own suffix to go with the prefix. This can be based on the MAC or a random number. Also, with SLAAC, there are privacy addresses, with a new one every day for up to 7. These are used for outgoing connections and the consistent address is used for incoming. Here's how my ULAs look on this computer. The computer has been up for over a week, so I have 1 consistent address, the first one ending in f5fa, and the rest are privacy addresses. I have similar with GUA.

          inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:58e2:3166:6e0:2b26  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:695d:b446:442d:a1f6  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:358f:4c9c:a6a5:cfce  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:21ff:5569:891d:b317  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:fd33:fb34:5207:5bfe  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:c8fc:f5d1:217d:2086  prefixlen 64  scopeid 0x0<global>
          inet6 fd48:1a37:2160:0:e51c:9fc5:89d7:f7e6  prefixlen 64  scopeid 0x0<global>


        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

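A way to check what the post above describes for yourself, added here as an example (it is not code from the thread, from pfSense, or from the ifconfig output): given inet6 lines from ifconfig, tell the stable EUI-64 address (whose low 64 bits embed the NIC's MAC around an ff:fe marker, with the universal/local bit of the first octet flipped) apart from the RFC 4941 temporary privacy addresses, and recover the MAC from the former. The sample text is constructed from the addresses quoted in the post plus an fe80::1:1 link-local address of the kind pfSense uses; the scope names are mine.

```python
import ipaddress
import re

# Constructed sample: three addresses from the ifconfig output quoted above,
# plus a pfSense-style fe80::1:1 link-local address. Not captured from a real host.
SAMPLE_IFCONFIG = """\
        inet6 fd48:1a37:2160:0:76d4:35ff:fe5b:f5fa  prefixlen 64  scopeid 0x0<global>
        inet6 fd48:1a37:2160:0:58e2:3166:6e0:2b26  prefixlen 64  scopeid 0x0<global>
        inet6 fd48:1a37:2160:0:695d:b446:442d:a1f6  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::1:1  prefixlen 64  scopeid 0x20<link>
"""

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")          # RFC 4193 Unique Local Addresses
INET6_RE = re.compile(r"inet6\s+([0-9A-Fa-f:]+)")      # stops before a %scope suffix


def interface_id(address: str) -> int:
    """Low 64 bits of the address: the part a SLAAC host chooses itself."""
    return int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)


def eui64_to_mac(iid: int):
    """If the IID has the modified-EUI-64 shape (0xfffe in bytes 3-4), undo the
    U/L bit flip and return the MAC; otherwise None. A random IID matches the
    shape with probability 2**-16, so treat a hit as a strong hint, not proof."""
    if (iid >> 24) & 0xFFFF != 0xFFFE:
        return None
    b = iid.to_bytes(8, "big")
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]
    return ":".join(f"{o:02x}" for o in octets)


def scope_of(address: str) -> str:
    """Rough address class: link-local, ULA, GUA or other (ULA is tested before
    is_global because Python reports fc00::/7 as non-global)."""
    ip = ipaddress.IPv6Address(address)
    if ip.is_link_local:
        return "link-local"
    if ip in ULA_RANGE:
        return "ULA"
    if ip.is_global:
        return "GUA"
    return "other"


def classify(address: str) -> dict:
    """Scope plus whether the interface identifier is EUI-64 (and so reveals the MAC)."""
    mac = eui64_to_mac(interface_id(address))
    return {
        "address": str(ipaddress.IPv6Address(address)),
        "scope": scope_of(address),
        "iid": "eui64" if mac else "random",
        "mac": mac,
    }


def parse_ifconfig(text: str) -> list:
    """One classification per inet6 line in ifconfig-style output."""
    return [classify(m.group(1)) for m in INET6_RE.finditer(text)]


if __name__ == "__main__":
    for entry in parse_ifconfig(SAMPLE_IFCONFIG):
        print(f'{entry["address"]:40} {entry["scope"]:10} {entry["iid"]:7} {entry["mac"] or "-"}')
```

Run it against the output of `ifconfig` (or `ip -6 addr`) on a host: an address that comes back as `eui64` with a MAC is the one that stays constant across reboots and that an outside observer can tie to the hardware, which is the reason privacy addresses exist for outbound traffic.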
          cr8tor @JKnott

          @jknott
          I disagree.
          None of this is automagically filling itself out.
          [screenshot]

          Also, you keep talking about GUA.
          I understand what it is; I have no clue what mine is nor how to find it.

            JKnott @cr8tor

            @cr8tor

            That's not where it happens. You're looking at the WAN side and you'll have to follow the directions from CenturyLink. Those addresses I provided are on a Linux computer connected to my LAN. The computer receives the prefix via SLAAC and then appends the suffixes.

            GUA - Global Unique Address - public address. They start with 2 or 3 and you will have them on the LAN and possibly on the WAN interface. Not all ISPs use them on the WAN side.

            ULA - Unique Local Address - private addresses where you create the prefix. They start with fc or fd. They are the same concept as the RFC1918 addresses in IPv4, in that they're not allowed on the Internet, but can be used within your own network.

            Also, you should be on the RA page, not VIP.


              cr8tor @JKnott

              @jknott I'm still back trying to follow directions from a few posts ago.

              You told me a couple of times to follow the directions on "Using Unique Local Addresses"
              [screenshot]
              I'm still trying to figure out this step.

                cr8tor @JKnott

                @jknott
                Is this my GUA?
                [screenshot]

                  JKnott @cr8tor

                  @cr8tor said in IPV6 and firewall rules - My newb is showing:

                  You told me a couple of times to follow the directions on "Using Unique Local Addresses"

                  On that page, I said "There are two parts to enabling ULA. First, a prefix has to be created on the Router Advertisements page.". The other part is about assigning an address to the pfsense LAN interface. Funny thing though, ULA will work without that address assigned. You just won't be able to communicate with pfsense, though you can route through it, as link local addresses are used for routing. However, when you create a VIP, you can just copy your existing GUA LAN address for that interface and replace the prefix portion with the ULA prefix you created, to create the full 128 bit address. The address will then have the ULA prefix, but the original GUA suffix. However, there is no need for the ULA and GUA suffixes to match, it's just a convenience. You could have just as easily used ::1 or some other number for the suffix. In fact, pfsense does that with the link local address. The link local address for pfsense, which is used for a lot of stuff, on my LAN is fe80::1:1. Fe80 indicates a link local address, and the remainder can be anything, though often based on the MAC. In this example, ::1:1 is used.

                  Yes, that is the GUA, as it starts with 2.

                  Here's a Wikipedia article which covers the different address types.


                    JKnott @cr8tor

                    @cr8tor

                    BTW, one thing I'd recommend is using Wireshark to watch the traffic on your LAN. You can learn a lot that way. Pfsense includes Packet Capture, but I find Wireshark is much better.


                      cr8tor @JKnott

                      @jknott

                      The subnet in RA is done.
                      It's set to fd18:1B87:B34B:0:: as I used in my example.

                      @jknott said in IPV6 and firewall rules - My newb is showing:

                      However, when you create a VIP, you can just copy your existing GUA LAN address for that interface and replace the prefix portion with the ULA prefix you created, to create the full 128 bit address. The address will then have the ULA prefix, but the original GUA suffix.

                      How do I do this?
                      Step by step.
                      Copy from where, paste to where? Replace what, with what, from where?
                      You speak as if speaking to someone who knows what they are doing. I do not. Hence "My newb is showing" in the title.

                      I am sure you are frustrated trying to help me with my lack of understanding.
                      Many thanks, though, for continuing to work with me.

                        JKnott @cr8tor

                        @cr8tor said in IPV6 and firewall rules - My newb is showing:

                        How do I do this?
                        Step by step.
                        Copy from where, paste to where? Replace what, with what, from where?
                        You speak as if speaking to someone who knows what they are doing. I do not. Hence "My newb is showing" in the title.

                        On the Dashboard, all the interfaces are shown with their GUA. You can copy the LAN GUA from there. Then paste the entire address into the box where you create the VIP. Next, replace the prefix with the one you created.

                        I have been running IPv6 on my home network for over 11 years and have done a lot of reading about it. I also got my Cisco CCNA. I first started learning about IP in 1995, working with Ethernet in the late '80s and LANs in 1978.


                          cr8tor @JKnott

                          @jknott
                          Here is what's on my dashboard.
                          [screenshot]

                          My LAN GUA is below, correct?
                          2602:b8:6364:a00::1

                          I take that and paste the entire address into the box where I create the VIP.
                          Next, I replace the prefix with one I created.

                          So this: 2602:b8:6364:a00::1
                          becomes this: fd18:1B87:B34B:0::1, which is what I put in the VIP?

                            JKnott @cr8tor

                            @cr8tor

                            Yes, that's correct. That page is interesting. They provide only the prefix, not a usable address on the WAN. Also, there isn't an IPv6 address for the wireless. What size prefix are they giving you? It looks like it might be a single /64, which means you might not have one for the wireless. As I mentioned, I get a /56 from my ISP, which provides 256 /64s. I have one each for my LAN, guest WiFi, test LAN, connection to a Cisco router and OpenVPN and have plenty left over.

                            Perhaps there's someone here who knows CenturyLink better.


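A worked version of the prefix-building and prefix-swapping steps the last several posts go through, added here as an example and not code from the thread or from pfSense. It takes the 64 random hex characters quoted in the first post, builds the /48 ("fd" plus the first 10 hex characters), carves the LAN (subnet 0) and WIRELESS (subnet 1) /64s out of it, and rewrites the LAN GUA 2602:b8:6364:a00::1 under the LAN ULA /64 exactly as cr8tor did by hand, keeping the low 64 bits. It also shows the derivation RFC 4193 section 3.2.2 actually specifies (SHA-1 over an NTP timestamp and the router's EUI-64, low 40 bits kept), which the GRC random string stands in for; the MAC and timestamp fed to it are made up, and the final `is_ula` check is my own guard, since the VIP form itself will accept any address.

```python
import hashlib
import ipaddress
import struct

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193; fd00::/8 is the half in use

# Constructed input: the 64 random hex characters quoted in the first post.
RANDOM_HEX = "181B87B34BED6866F487958F98ECBEEDCCF0E5EE6BC6EEB9FA737F20835FD6F1"


def ula_prefix_from_hex(random_hex: str) -> ipaddress.IPv6Network:
    """'fd' + the first 10 hex characters (40 random bits) -> a /48 ULA prefix."""
    gid = random_hex.strip().lower()[:10]
    if len(gid) != 10 or any(c not in "0123456789abcdef" for c in gid):
        raise ValueError("need at least 10 hex characters for the 40-bit Global ID")
    return ipaddress.IPv6Network(f"fd{gid[:2]}:{gid[2:6]}:{gid[6:]}::/48")


def rfc4193_prefix(mac: str, ntp_time: int) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Modified EUI-64: flip the U/L bit of the first octet, insert ff:fe in the middle.
    eui64 = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    digest = hashlib.sha1(struct.pack(">Q", ntp_time & 0xFFFFFFFFFFFFFFFF) + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")          # least significant 40 bits
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(prefix48: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one of the 65536 /64s out of a ULA /48 (0 = LAN, 1 = WIRELESS in the thread)."""
    if prefix48.prefixlen != 48:
        raise ValueError("a ULA Global ID gives a /48; pass the /48")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("the subnet ID is a 16-bit field")
    return ipaddress.IPv6Network((int(prefix48.network_address) | (subnet_id << 64), 64))


def swap_prefix(address: str, subnet64: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Keep the low 64 bits (interface identifier) of an existing address and put them
    under a new /64: the 'copy the LAN GUA and replace the prefix' step."""
    if subnet64.prefixlen != 64:
        raise ValueError("expected a /64")
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(subnet64.network_address) | iid)


def is_ula(address: str) -> bool:
    """Guard before pasting into the VIP box: is this really inside fc00::/7?"""
    return ipaddress.IPv6Address(address) in ULA_RANGE


if __name__ == "__main__":
    prefix = ula_prefix_from_hex(RANDOM_HEX)
    lan, wireless = ula_subnet(prefix, 0), ula_subnet(prefix, 1)
    print("ULA /48      :", prefix)                 # fd18:1b87:b34b::/48
    print("LAN /64      :", lan)                    # fd18:1b87:b34b::/64
    print("WIRELESS /64 :", wireless)               # fd18:1b87:b34b:1::/64
    # The LAN GUA from the dashboard, rewritten under the LAN ULA /64.
    vip = swap_prefix("2602:b8:6364:a00::1", lan)
    print("LAN VIP      :", vip, "ULA?", is_ula(str(vip)))   # fd18:1b87:b34b::1 ULA? True
    # The RFC 4193 derivation with a made-up MAC and timestamp (assumption, not from the thread).
    print("RFC 4193 /48 :", rfc4193_prefix("00:11:22:33:44:55", 3_900_000_000 << 32))
```

The string printed as "LAN VIP" is the value that goes in the VIP address box with a /64 mask; the same call with `wireless` gives the WIRELESS interface its address. Note that `swap_prefix` preserves whatever suffix the source address had, so if the LAN GUA were an EUI-64 address the MAC would be carried over into the ULA address too.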
                              cr8tor @JKnott

                              @jknott said in IPV6 and firewall rules - My newb is showing:

                              @cr8tor

                              Yes, that's correct.

                              Why did we copy the GUA LAN just to replace everything but the 1 at the end?

                              That page is interesting. They provide only the prefix, not a usable address on the WAN. Also, there isn't an IPv6 address for the wireless.

                              What page? I don't know what you are talking about.

                              What size prefix are they giving you? It looks like it might be a single /64, which means you might not have one for the wireless. As I mentioned, I get a /56 from my ISP, which provides 256 /64s. I have one each for my LAN, guest WiFi, test LAN, connection to a Cisco router and OpenVPN and have plenty left over.

                              How would I look this up?

                              Perhaps there's someone here who knows CenturyLink better.

                              I just need to know what address to type into the virtual IP box.
                              I don't understand why you don't just answer that without all the extraneous information and side talk. You have me so confused just trying to figure out your own example, with a bunch of other random info thrown in. Ugh.

                              I've given you all my info; just type out what 29 characters I should be putting in the VIP address box. I've been trying to figure out this one thing for 5 or 6 posts now and you keep going off on whatever.
                              Just give me the address, please. What do I put in the box? Once it's working I can backtrace it and play with it and learn how it works. But until it works, it's broken and I don't learn how to make it work.

                                JKnott @cr8tor

                                @cr8tor said in IPV6 and firewall rules - My newb is showing:

                                Why did we copy the GUA LAN just to replace everything but the 1 at the end?

                                I didn't know it would be ::1 at the end. Take a look at mine and you'll see what my address was.

                                What page? I don't know what you are talking about.

                                That page you provided that showed your WAN, LAN and Wireless addresses.

                                How would I look this up?

                                I don't know with CenturyLink. Perhaps you could call support.

                                I just need to know what address to type into the virtual IP box.

                                It's the address you created with the ULA prefix and the ::1 at the end. As for all that other info, I'm just trying to help you understand how things work.


                                  JKnott @cr8tor

                                  @cr8tor

                                  I may have forgotten to provide the ULA address for pfsense on my LAN. Here it is:

                                  fd48:1a37:2160:0:4262:31ff:fe12:b66c

                                  As you can see, it doesn't end in ::1.


                                    Bob.Dig @cr8tor

                                    @cr8tor said in IPV6 and firewall rules - My newb is showing:

                                    So I guess my underlying question might be "How do I properly set up IPv6 with dynamic addresses to use firewall rules?"

                                    It is somewhat easy to do with DHCP6, but if your ISP is not providing this, then forget it and stick with a HE-tunnel.

                                      Derelict (Netgate) @Bob.Dig

                                      @cr8tor First thing is to save your DHCP DUID in the configuration (System > Advanced, Firewall & NAT)

                                      You need to be sure you are giving the provider the same DUID every time so you get the same prefix delegation every time.

                                      If you do this and they continue to give you a different prefix, they are broken.

                                      IPv6 should be static for all of these reasons. ISPs chose to implement dynamic addressing instead.

                                      Chattanooga, Tennessee, USA
                                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

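What the DUID that Derelict says to persist actually contains, as an added example (not pfSense code and not from the thread): RFC 8415 section 11 defines DUID-LLT as a 2-byte type, a 2-byte hardware type, a 4-byte time in seconds since 2000-01-01 UTC, and the link-layer address, with DUID-LL the same minus the timestamp, DUID-EN an enterprise number plus opaque bytes, and DUID-UUID a 16-byte UUID. Because the DUID-LLT timestamp is taken when the client first generates the identifier, a reinstall or a lost DHCPv6 client state file yields a different DUID from the same NIC, and the ISP then sees a new client and may hand out a new delegated prefix. The MAC and dates below are made up, and the colon-separated hex rendering is an assumption about the display form rather than something the thread states.

```python
import struct
from datetime import datetime, timedelta, timezone

DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # RFC 8415 section 11.2
HW_ETHERNET = 1                                          # IANA hardware type 1 = Ethernet
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4


def duid_time(when: datetime) -> int:
    """Seconds since 2000-01-01 00:00:00 UTC, modulo 2**32 (the DUID-LLT time field)."""
    return int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets


def colon_hex(raw: bytes) -> str:
    """aa:bb:cc... rendering (assumed to match how GUIs such as pfSense's display a DUID)."""
    return ":".join(f"{b:02x}" for b in raw)


def encode_duid_llt(mac: str, when: datetime) -> bytes:
    """DUID-LLT: type 1 | hardware type | time | link-layer address."""
    return struct.pack(">HHI", DUID_LLT, HW_ETHERNET, duid_time(when)) + _mac_bytes(mac)


def encode_duid_ll(mac: str) -> bytes:
    """DUID-LL: type 3 | hardware type | link-layer address (no timestamp)."""
    return struct.pack(">HH", DUID_LL, HW_ETHERNET) + _mac_bytes(mac)


def decode_duid(raw: bytes) -> dict:
    """Parse any of the four RFC 8415 DUID types; raises ValueError on truncated input."""
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack(">H", raw[:2])
    if dtype == DUID_LLT:
        if len(raw) < 9:
            raise ValueError("DUID-LLT too short")
        hwtype, t = struct.unpack(">HI", raw[2:8])
        return {"type": "DUID-LLT", "hwtype": hwtype, "time": t,
                "generated": (DUID_EPOCH + timedelta(seconds=t)).isoformat(),
                "lladdr": colon_hex(raw[8:])}
    if dtype == DUID_EN:
        if len(raw) < 7:
            raise ValueError("DUID-EN too short")
        (enterprise,) = struct.unpack(">I", raw[2:6])
        return {"type": "DUID-EN", "enterprise": enterprise, "identifier": raw[6:].hex()}
    if dtype == DUID_LL:
        if len(raw) < 5:
            raise ValueError("DUID-LL too short")
        (hwtype,) = struct.unpack(">H", raw[2:4])
        return {"type": "DUID-LL", "hwtype": hwtype, "lladdr": colon_hex(raw[4:])}
    if dtype == DUID_UUID:
        if len(raw) != 18:
            raise ValueError("DUID-UUID must be 2 + 16 bytes")
        return {"type": "DUID-UUID", "uuid": raw[2:].hex()}
    raise ValueError(f"unknown DUID type {dtype}")


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"                                   # made-up MAC
    first_boot = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    reinstall = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    a, b = encode_duid_llt(mac, first_boot), encode_duid_llt(mac, reinstall)
    print("original  :", colon_hex(a), decode_duid(a))
    print("reinstall :", colon_hex(b), decode_duid(b))
    print("same DUID?", a == b)          # False: same NIC, new timestamp, new identity to the ISP
    print("DUID-LL   :", colon_hex(encode_duid_ll(mac)))      # depends on the MAC alone
```

To confirm what the firewall is really sending, capture a DHCPv6 Solicit on the WAN and feed the bytes of its Client Identifier option (option 1) to `decode_duid`; the `generated` field of a DUID-LLT tells you when that identity was created, and if it is newer than your last prefix change the DUID was regenerated rather than saved.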
                                        Bob.Dig @Derelict

                                        @derelict said in IPV6 and firewall rules - My newb is showing:

                                        First thing is to save your DHCP DUID in the configuration (System > Advanced,

                                        Interesting. Can I use this option to randomly change the host part of the IPv6 address on WAN? I do some NATing with it and would like to have something like privacy extensions for it or maybe this? The prefix is dynamic and I have to reboot pfSense daily via cron anyway.

                                          JKnott @Bob.Dig

                                          @bob-dig

                                          Why would anyone want to run NAT on IPv6? NAT is a hack that was used to get around the IPv4 address shortage and it breaks things in the process.

                                          If you want stable addresses for local DNS and your ISP won't supply them, then use Unique Local Addresses, as discussed above.


                                            Bob.Dig @JKnott

                                            Changing it to DUID-LLT did nothing for me, even after a reboot.

                                            @jknott I use it on one interface to give only one special host IPv6 connectivity to the internet; everything else on this interface has no NAT rule and because of that no IPv6 internet. I've got dynamic prefixes, and with this it is one simple solution to my "problem".

                                            I also use it to do DDNS on pfSense and not have to do it on the hosts. I wish the DHCPv6 Server could do DDNS by itself; this would be the best spot, but pfSense is not ready yet, I guess.

                                            I myself like dynamic IPs and prefixes for privacy reasons, as long as DDNS is working.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.