@jan_berg This approach seemed to be working for me: https://wiki.cable-wiki.xyz/OPNsense
Can't be done through UI, needs to be executed in a shell.
The tunnel will not be visible in the UI.
Doesn't persist. Would need to re-execute every time the WAN comes up and has a global IPv6 assigned.
Need to extract the AFTR name and its IPv6 address. In my case, the name comes through via DHCPv6 from the ISP as option 64. Could extract it via tcpdump. Then resolved it to an IP address and used that when setting up the tunnel.
Breaks again if AFTR name/IP changes.
So, no real DS-Lite support in pfSense currently, but possible to set up manually.
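The post mentions that the AFTR name arrives as DHCPv6 option 64 and was pulled out of a tcpdump capture. As an added example (not code from the post, the linked wiki, or pfSense), here is a small Python parser that extracts that name from the UDP payload of a DHCPv6 Advertise/Reply; the option code and the uncompressed label encoding follow RFC 6334, and the sample message bytes and the name aftr.example.net are constructed for illustration.

```python
import struct

OPTION_AFTR_NAME = 64      # AFTR tunnel endpoint name, RFC 6334
ADVERTISE, REPLY = 2, 7    # client-facing DHCPv6 message types, RFC 8415

def encode_fqdn(name: str) -> bytes:
    """Hostname -> uncompressed RFC 1035 label sequence (used to build the sample)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_fqdn(data: bytes) -> str:
    """Decode option 64 data; reject compression pointers and junk after the root label."""
    labels, pos = [], 0
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        if n & 0xC0 or pos + 1 + n > len(data):
            raise ValueError("compression pointer or truncated label")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 1 != len(data):   # exactly one root label must close the name
        raise ValueError("missing root label or trailing bytes")
    return ".".join(labels)

def parse_options(area: bytes):
    """Yield (code, data) pairs from a DHCPv6 option area (RFC 8415 section 21.1)."""
    pos = 0
    while pos < len(area):
        if pos + 4 > len(area):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", area, pos)
        pos += 4
        if pos + length > len(area):
            raise ValueError("truncated option data")
        yield code, area[pos:pos + length]
        pos += length

def extract_aftr_name(msg: bytes):
    """Return the AFTR name (str) from an Advertise/Reply, or None if option 64 is absent."""
    if len(msg) < 4 or msg[0] not in (ADVERTISE, REPLY):
        raise ValueError("not a client-facing DHCPv6 message")
    for code, data in parse_options(msg[4:]):   # skip msg-type and 3-byte transaction-id
        if code == OPTION_AFTR_NAME:
            return decode_fqdn(data)
    return None

# Constructed sample Reply: dummy Server-ID (option 2) followed by option 64.
_FQDN = encode_fqdn("aftr.example.net")
SAMPLE_REPLY = (bytes([REPLY, 0x11, 0x22, 0x33]) + struct.pack("!HH", 2, 4) + b"\x00\x03\x00\x01"
                + struct.pack("!HH", OPTION_AFTR_NAME, len(_FQDN)) + _FQDN)
```

Feed it the UDP payload of the Reply from a saved capture; relay-wrapped messages (Relay-forward/Relay-reply) have a different header and are deliberately rejected. Resolving the name to the AFTR's IPv6 address is a separate step, as the post describes.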
Many thanks for all the replies.
I'll split the whole thing up over the weekend.
Yes, that makes sense. :)
At the moment I just don't get around to it, which is why this has gone a bit quiet here.
With another peer it apparently works.
But yes, splitting it up makes sense.
I am in the software and services business and we have begun running into situations where some client host machines only have IPv6 because their ISPs have run out of IPv4 addresses. That means the only way they can reach my servers is via IPv6. There aren't many and they are non-US but they are important.
It's probably time for the industry to switch to an IPv6-first stance (Apple and Google seem to be there already). Given the absence of vigorous competition in my area, the ISPs are putting themselves before their customers. I am betting it's a common theme.
Thanks for the heads-up regarding the lack of fair play by Netflix. It's probably due to the fact that they have restricted distribution rights for content and can't be sure of your location. You could probably work around that with a guest VLAN having no IPv6. Kids are really good at getting and spreading computer viruses. A guest VLAN would help you minimize your risk.
I am going to see if I can get the addresses registered in a DNS server on the pfSense and replicate to my Windows AD Server. If I write some code that turns out to be useful I'll put it on GitHub and share a link here.
Yeah, there are several avenues to deal with the IPv6 and Netflix thing, but the kids are only here rarely and I have plenty of IDS/IPS protections for critical stuff. Also, it's only a home network. There are no national defense secrets, Democratic National Committee emails, or documents relating to secret payoffs to porn stars stored here ... LOL.
And yes, Netflix blocks HE IPv6 blocks for precisely the reason you stated: users without strict morals use those to get around geoip blocks that Netflix has in place to enforce their distribution contracts with content owners.
I wish all the ISPs of the world would just start supporting IPv6. Unfortunately that appears to be a very slow process. Even some of those that are supporting it are doing so in strange ways. They seem to be doing their darndest to avoid giving out static IPv6 addresses, for instance.
If you're on a UNIX-like system you can use this to capture remotely from a UniFi AP and from pfSense -- I found this somewhere and noted it down.
Change X.X.X.X for the correct address.
UniFi AP:
ssh ubnt@X.X.X.X 'tcpdump -f -i br0 -w - not port 22' | wireshark -k -i -
You need Wireshark installed, obviously; it works on Macs too, and the Mac won't get super hot like it does when you capture directly on it.
pfSense:
ssh root@X.X.X.X 'tcpdump -f -i em0_vlan100 -w - not port 22' | wireshark -k -i -
Here you'll need to change em0_vlan100 to the correct interface, but you can SSH in and get the interface names with ifconfig. :) Good luck!