IPv6 only - Wizard does not allow IPv6 addresses



  • I'm going through the process of learning IPv6 and I decided to setup a dedicated pfSense virtual machine to do some routing / firewalling.

    I ran up the VM and installed pfSense-CE-2.3.1-RELEASE-amd64.
    On the CLI I am able to assign the IPv6 addresses (see Selection_077).
    I DO NOT have any IPv4 addresses assigned, I do not want to use IPv4 addresses.

    I can then open a web page to the LAN address and the wizard appears.
    When I run the wizard, whenever I try and use IPv6 addresses, it tells me they are not valid.

    Attachment Selection_078 shows the DNS server fields not accepting IPv6 addresses.

    Attachment Selection_079 shows that it does not accept an IPv6 address for the WAN interface, it did not detect that the WAN interface already has a static IPv6 assigned.

    Without running the wizard, the firewall works and IPv6 traffic is routed, it's just that the wizard appears to be IPv4 oriented, which is not always going to be the case.







  • @Box293:

    I'm going through the process of learning IPv6 and I decided to setup a dedicated pfSense virtual machine to do some routing / firewalling.

    I ran up the VM and installed pfSense-CE-2.3.1-RELEASE-amd64.
    On the CLI I am able to assign the IPv6 addresses (see Selection_077).
    I DO NOT have any IPv4 addresses assigned, I do not want to use IPv4 addresses.
    …..

    Learning about IPv6 without any IPv4 to start …. well, forget about pfSense then.
    And worse : I can't find out an alternative ....

    I advise you to change your 'learning-plan', you start way to difficult.

    Tip : Subscribe here : https://ipv6.he.net/certification/ and do the entire certification program. If you reach the "Sage" level they will send you a free t-Shirt (they do, I received one !).
    Another tip : rent a cheap VPS somewhere - take a decent OS like Debian (or, why not : FreeBSD) and start from there.



  • @Gertjan:

    Learning about IPv6 without any IPv4 to start …. well, forget about pfSense then.

    I don't believe IPv4 is required for IPv6.

    Why do you say "forget about pfSense"?

    I've demonstrated personally that the product itself seems to do IPv6 routing fine, it's just the wizard which still seems to be IPv4 oriented.

    I'm reporting a bug here with the pfSense wizard … perhaps I've chosen the wrong area to report this?



  • @Box293:

    Why do you say "forget about pfSense"?

    Because that's what you found out.

    To 'kickstart' pfSense, you need to 'init' the DHCPv4 server and its IPv4 address, and then WebGUI 'in' to setup.
    No auto IPv6 assignment or activation exists.
    I use IPv6 on my pfSense box. So I asked myself this question : could I activate all my IPv6 settings without passing by any IPv4 protocol (no SSH, no WebGUI) …..
    Well, I couldn't find the answer.

    Although : when you use a direct serial or VGA connection, it might be possible. After all, its just a question of editing /etc/config.xml with the right parameters. Like you can setup an entire PC by only editing the registry ..... that's real hard-core, but it will work.

    @Box293:

    I don't believe IPv4 is required for IPv6.

    Correct. Your question wouldn't exist if it was only a IPv6 matter. But you try to activate IPv6 without a IPv4 (access) on pfSense.
    This means the GUI won't work out of the box.
    This means you have to set up manually - very manually.
    This means you should know a lot of pfSense.

    @Box293:

    I've demonstrated personally that the product itself seems to do IPv6 routing fine, it's just the wizard which still seems to be IPv4 oriented.
    I'm reporting a bug here with the pfSense wizard … perhaps I've chosen the wrong area to report this?

    It's not a bug, but a feature requests (IMHO).
    Of course, in the future, pfSense will be more and more IPv6 oriented, and finally even completely drop IPv4 (2050 ?).
    Also : pure IPv6 networks without any IPv4 support, these only exists in laboratories ;)



  • @Gertjan:

    To 'kickstart' pfSense, you need to 'init' the DHCPv4 server and its IPv4 address, and then WebGUI 'in' to setup.
    No auto IPv6 assignment or activation exists.
    I use IPv6 on my pfSense box. So I asked myself this question : could I activate all my IPv6 settings without passing by any IPv4 protocol (no SSH, no WebGUI) …..
    Well, I couldn't find the answer.

    Although : when you use a direct serial or VGA connection, it might be possible. After all, its just a question of editing /etc/config.xml with the right parameters. Like you can setup an entire PC by only editing the registry ..... that's real hard-core, but it will work.

    When I ran up the pfSense VM I was able to use the console and with the built in console menu to assign my IPv6 addresses to both the WAN and LAN, it was very straight forward.

    After doing that I was able to easily log into the web page using the LAN IPv6 address http://[xxxx]

    @Gertjan:

    @Box293:

    I don't believe IPv4 is required for IPv6.

    Correct. Your question wouldn't exist if it was only a IPv6 matter. But you try to activate IPv6 without a IPv4 (access) on pfSense.
    This means the GUI won't work out of the box.
    This means you have to set up manually - very manually.
    This means you should know a lot of pfSense.

    I think you may be over complicating it. Following my steps above I was able to get it running pretty quickly and easily and I don't know a lot of pfSense at all. The only issue I had was with the wizard, which I assume is just a "getting started for dummies" interface.

    What do you mean by activate? Perhaps I'm missing something.

    @Gertjan:

    Of course, in the future, pfSense will be more and more IPv6 oriented, and finally even completely drop IPv4 (2050 ?).
    Also : pure IPv6 networks without any IPv4 support, these only exists in laboratories ;)

    I may not have a "pure" environment here, but I'm planning on implementing something very close. End users will have both IPv4 and IPv6 networks co-existing with each other for a long time to come, however some implementations may decide to use one appliance for IPv4 and another for IPv6. I've worked in companies before that have tried to make one appliance do lots of things and it usually ends up being more hassle than it's worth. Being able to break out the components has it's merits.

    While it may be a while off in the future before IPv6 becomes more mainstream, it requires people like me to report issues like this, because I know if I've come across it then I'm not the only one who has … I might just be the person that reports it and gets it addressed in the product so that future users benefit. Reporting the behaviour can only improve the product in the long run for everyone.



  • I'm nearly certain that out-of-the-box, with a WAN connection that provides IPv6 via DHCPv6+PD, pfSense 2.3+ will request a /64 prefix and assign it to the LAN. If you watch pfSense boot via the console, you'll see the IPv6 address and thus be able to connect via IPv6. You can skip the wizard (which yes, does only accept IPv4 addresses) by clicking the pfSense logo at the top, then go through the settings manually to put IPv6 addresses where applicable, and you can also change the LAN interface to be IPv6-only.



  • @Box293:

    What do you mean by activate? Perhaps I'm missing something.

    By default, no IPv is assigned to the WAN (or comparable) interface.
    I didn't find a dhcp client running that uses "scan" WAN style interfaces which checks if the upstream provides an IPv6.

    Btw : setting up manually the config.xml is of course the way to go - and you can definitely consider yourself as a not-pfsense-dummy if you pulled that one off :)

    @Box293:

    with a WAN connection that provides IPv6 via DHCPv6+PD, pfSense 2.3+ will request a /64 prefix and assign it to the LAN

    Which means, when booting, some DHCP-client look-alike is executing to obtain an IPv6/[whatever], putting an IPv6 on WAN and init LAN with an IPv6.
    (are you sure ? - all this 'out of the box' without any user preparation ?)

    Again : I'm not advertising that I know a lot of IPv6, I use the "tunnel" proposed by he.net. It work quiet well, but isn't really a native solution. I consider it as some sort of "plan B". My ISP is Orange, the biggest in France, 16 million 'victims', sorry => 'clients' - and they still don't know what "IPv6" is. During the last 6 years they are 'testing it' ….. (and right now, they are probably are in strike again  ;)).