IPv6 local network only

  • I'm trying to configure IPv6 addresses on all the machines inside my network but don't currently have an Internet-facing IPv6 range, as my ISP still does not support it, but I need addresses internally to start testing code against IPv6.

    My plan was to configure a fd00::/8 address on the LAN interface of my pfSense box and have it assign these addresses either through DHCP or SLAAC to all the machines in my network. I'm assuming that this won't cause any issues, as I understand it, as these addresses are not routable over the internet.

    I'm hoping that by using this address range I won't hit issues where clients get public AAAA records and try to communicate using their IPv6 address, introducing latency until it falls back to IPv4, if the client supports Happy Eyeballs.

    Is this a good idea or is there another recommended way of doing this?

  • What about also considering using real IPv6 per device on your LAN by adding a real IPv6?
    You can have that right now (takes 10 minutes in theory).

    Read this first : https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker
    ipv6.he.net is used by many, because, like you, many ISPs just "think about IPv6", but do not offer it to their clients yet, or worse, offer a non-usable IPv6.
    IPv6 by he.net is a next-best plan, very stable and permits you to get ready for IPv6, so when your ISP starts to offer you a first "beta" IPv6 show (and having their support desk being exploded that very moment) you'll be having a working setup and can wait out the storm (your ISP getting things right).

    The nasty one : go here : https://ipv6.he.net/ read - then join the certification program. You will NOT regret it. They pay well - yes, you read that - they will give you something besides an IPv6 access.

  • I was looking at Hurricane Electric but not sure I want to route all my network's traffic through it, or if I would be allowed to on the free plan.

    Was just looking really to get it working internally so we can get developers with IPv6 on their machines so they can test it works correctly so local is good enough for now.

    We are using Virgin in the UK and they appear to be doing trials of IPv6 internally so hopefully it's not too long until I can get actual IPv6 working.

  • LAYER 8 Global Moderator

    Their free plan can give you a /48.. So you can use a global IPv6 locally. You do not have to let any traffic out to the internet if you don't want to. But having this ability will allow your developers not only to test their applications locally but also to and from the internet as needed.

    You could always set up ULA IPv6 space to use locally.. But would just be easier if you ask me to get a /48 from HE (it's free) and then get best of both worlds - local use of IPv6 and internet (if you want it)..

    Once your ISP rolls out IPv6, simple enough to change to that if you want. My ISP provides IPv6 and I still use HE, because it's just easier and to be honest more stable than my ISP's IPv6 deployment ;)

  • Signed up for HE and working my way through the guide but I'm stuck on this bit.

    "A dynamic gateway entry will be automatically created for the tunnel. Now edit it and set the Default Gateway option, keeping the gateway field set to dynamic."

    No dynamic gateway entry has been created and if I try to create it manually I get no option for dynamic in the gateway box.

    Also should this second option be ticked ?

  • @jeffsmith82:

    Also should this second option be ticked ?

    No, that option does not need to be checked; that setting is for a different type of configuration. As far as the gateway not showing up, double check your settings up to that point and make sure the tunnel is up in Status/Interfaces.

  • LAYER 8 Global Moderator

  • Yep that's the guide.

    This is what the interface looks like and I'm assuming green is up.

    Created a new Gateway as the guide says but it just says pending as its status. Nothing interesting in the logs, I'm assuming dpinger only seems to run every 10 mins.

    Any other suggestions ?

  • @jeffsmith82:

    This is what the interface looks like and I'm assuming green is up.

    Where ? What ? Image is lost ?
    "green" could be the gateway status


    Yep that's the guide.
    Any other suggestions ?

    Yep, one to motivate you.

    I just made a backup of my pfsense.
    Then, I removed the DHCPv6 server on my LAN, removed the "HE.Net" interface, deleted the gateway (System => routing and deleted it) and finally I deleted my GIF interface (Interface => (assign) => GIF and delete).
    I rebooted pfSense …. and checked that I had a working IPv4, just like the old days.

    I went to https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker
    I logged into my he.net account, the page where all the nifty details are shown : https://tunnelbroker.net/tunnel_detail.php........
    ... and followed the procedure ... (basically a Ctrl-C -> Ctrl-V sequence and gave them a useful name / description).

    At this moment, I didn't reboot ( ! ), from the SSH access to pfSense, a 'ping6' to google.com (the IPv6 way) should work :

    [2.3.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ping6 google.com
    PING6(56=40+8+8 bytes) 2001:470:1f12:5c0::2 --> 2a00:1450:4007:817::200e
    16 bytes from 2a00:1450:4007:817::200e, icmp_seq=0 hlim=53 time=90.675 ms
    16 bytes from 2a00:1450:4007:817::200e, icmp_seq=1 hlim=53 time=89.866 ms
    --- google.com ping6 statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 89.866/90.270/90.675/0.405 ms

    To be sure my PC got a new fresh IPv4/IPv6 I removed the RJ45 - counted to 10, and put it back in (I could have "ipconfig /renew") -> My PC received an IPv4 and IPv6 again.
    When setting up the "Set Up DHCPv6 and RA", be sure to enable (this isn't shown in the image) the DHCPv6 server. -> Check it.
    When done, CHECK your DHCP logs => you'll see devices asking for IPv6 when you force them to do so, and pfSense starts to hand out IPv6.

    http://test-ipv6.com/ is happy => 10/10
    This one http://ipv6-test.com/ wasn't happy for 100 % ("ping didn't pass") so I added on the OPT2 (or whatever you called your he.net IPv6 dedicated interface) a rule like this : (see image).
    Now http://ipv6-test.com/ is happy.

    Basic IPv6 is now done.
    No more NAT, just IPv6 firewall rules on the OPT2 interface if you want IPv6 INCOMING (!) traffic (outgoing will be fine).

  • Thanks Gertjan, I basically deleted all the config and redid it and it now works.

    I think I might have screwed up when inputting HE's IPv6 addresses because I left the /64 at the end of the address. (might be a bug it allows me to do this)

    Either that or when I created the interface I picked another unused interface and then changed it to GIF so the routing rule was not automatically created. Either way it's all working now :-)

    Thanks for all the help everyone.

  • LAYER 8 Global Moderator

    If you grabbed a /48 right? But the /64 you get from them is not going to do you any good for internal use between multiple segments.. You would not subnet the /64 you can get from HE.. If you need more than 1 local segment you need to get the /48 and that you can break up into the /64s you need.
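
Added example (not part of the thread and not pfSense code): the two addressing options discussed above, in Python. It generates a ULA /48 under fd00::/8 with a random 40-bit Global ID as RFC 4193 requires (drawn from the OS random source rather than the RFC's sample SHA-1 procedure), and carves a routed /48 into one /64 per segment while refusing to split a /64. The function names, segment names and the 2001:db8:abcd::/48 documentation prefix are assumptions made for illustration.

```python
import ipaddress
import secrets

# Locally assigned half of fc00::/7 (RFC 4193); never routed on the internet.
ULA_LOCAL = ipaddress.ip_network("fd00::/8")


def random_ula_prefix(global_id=None):
    """Return a /48 ULA prefix: 0xfd, then a 40-bit random Global ID."""
    if global_id is None:
        global_id = secrets.randbits(40)  # assumption: CSPRNG, not the RFC's SHA-1 sample
    if not 0 <= global_id < 1 << 40:
        raise ValueError("Global ID must fit in 40 bits")
    base = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((base, 48))


def plan_segments(prefix, segments):
    """Assign one /64 per LAN segment out of a routed or ULA prefix."""
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen > 64:
        raise ValueError(f"{net} is longer than /64; SLAAC needs a full /64")
    available = 1 << (64 - net.prefixlen)
    if len(segments) > available:
        raise ValueError(
            f"{net} holds {available} /64(s) but {len(segments)} segments "
            "were requested; a /64 is not subnetted further, use a /48"
        )
    subnets = net.subnets(new_prefix=64)
    return {name: next(subnets) for name in segments}


def is_internal_only(prefix):
    """True when the prefix is ULA and so unreachable from the internet."""
    return ipaddress.IPv6Network(str(prefix)).subnet_of(ULA_LOCAL)


if __name__ == "__main__":
    # Constructed inputs: hypothetical segment names, documentation prefix.
    segments = ["lan", "dev", "dmz"]
    for name, net in plan_segments("2001:db8:abcd::/48", segments).items():
        print(f"{name:4} {net}")
    ula = random_ula_prefix()
    print("ULA:", ula, "internal only:", is_internal_only(ula))
    for name, net in plan_segments(ula, segments).items():
        print(f"{name:4} {net}")
```

A global /48 stays reachable from outside unless the firewall rules on the tunnel interface block inbound traffic; only the ULA plan is unroutable by construction.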