Can an FQDN resolve to the active IPV6 address?



  • I'm trying to create a firewall rule to block IPV6 traffic from an iOS device that's being routed through my VPN. An alias defined with an FQDN for the device works for routing its IPV4 traffic, but not for its IPV6 traffic. Every time the device connects to the network it gets a new IPV6 address (the IPV4 address stays the same unless I renew the lease).

    I'm happy to set static IPs to get around this problem, but while I can set a static IPV4 address it seems that iOS doesn't allow configuration of a static IPV6 address. Usually there are 2-4 IPV6 addresses in the list, but they can't be edited. Even in Static mode the last IPV6 address in the list changes each time the device connects, and that seems to be the active address (the other addresses generally stay constant, but don't work in the firewall rules.)

    Is there any way to get an FQDN to resolve to the active IPV6 address?



  • Those changing addresses are called privacy addresses.  They change regularly.  On my computer, I get a new one every day and they last for a week.  However, there should also be a consistent MAC address based address.  However, that one is not normally used for outgoing connections.  One of the privacy addresses will be and will change regularly.  I doubt there will be an FQDN for those addresses.  On my own network, the DNS points to the MAC based addresses, not privacy.



  • @peppersass:

    I'm trying to create a firewall rule to block IPV6 traffic from an iOS device that's being routed through my VPN. An alias defined with an FQDN for the device works for routing its IPV4 traffic, but not for its IPV6 traffic. Every time the device connects to the network it gets a new IPV6 address (the IPV4 address stays the same unless I renew the lease).

    I'm happy to set static IPs to get around this problem, but while I can set a static IPV4 address it seems that iOS doesn't allow configuration of a static IPV6 address. Usually there are 2-4 IPV6 addresses in the list, but they can't be edited. Even in Static mode the last IPV6 address in the list changes each time the device connects, and that seems to be the active address (the other addresses generally stay constant, but don't work in the firewall rules.)

    Is there any way to get an FQDN to resolve to the active IPV6 address?

    The phone reads the router-advertised subnet prefix in an ICMP packet, and generates random addresses that are not currently in use for its outgoing connections. These addresses change regularly, and are not predictable.
    pfSense somehow "knows" which device those addresses belong to, because it knows the associated MAC address, and that one (presumably) stays the same. But I don't think that you can make a firewall rule on that one.
    I don't know how you can accomplish what you need with IPv6. Maybe with MAC-based VLANs, but I don't think pfSense supports those.
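The two replies above describe the mechanism in words: a SLAAC host forms one stable interface identifier from its MAC (EUI-64) and, under RFC 4941, a rotating set of random temporary addresses that it actually uses for outbound connections. The following is an added example, not code from anyone in this thread, that derives the EUI-64 address from a constructed MAC and prefix and labels each address seen on an interface so you can tell which one (if any) a firewall alias could be pinned to. One caveat the example encodes as a comment: a host that uses RFC 7217 stable-privacy identifiers instead of EUI-64 has no MAC-derived address at all, so every global address it shows will be labelled as non-stable.

```python
# Added example (not code from the thread): derive the EUI-64 interface
# identifier a SLAAC host forms from its MAC address and use it to tell the
# stable, MAC-derived IPv6 address apart from the RFC 4941 temporary
# ("privacy") addresses that change on every connect.
# All MACs, prefixes and addresses below are constructed for illustration.
import ipaddress
from typing import Dict, Iterable, List


def eui64_interface_id(mac: str) -> int:
    """RFC 4291 Appendix A: split the 48-bit MAC in half, insert ff:fe in
    the middle and invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The global address a host derives from a router-advertised /64 when
    it uses EUI-64 (the 'MAC based address' mentioned in the replies)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def classify_addresses(addresses: Iterable[str], mac: str) -> Dict[str, str]:
    """Label each address on an interface as link-local, stable EUI-64, or
    temporary/random.  Any global address whose low 64 bits are not the
    EUI-64 of the MAC is treated as temporary.  Note: a host using RFC 7217
    stable-privacy identifiers never produces an EUI-64 address, so on such
    a host nothing here will be labelled stable."""
    eui64 = eui64_interface_id(mac)
    labels: Dict[str, str] = {}
    for text in addresses:
        addr = ipaddress.IPv6Address(text)
        iid = int(addr) & ((1 << 64) - 1)
        if addr.is_link_local:
            labels[text] = "link-local"
        elif iid == eui64:
            labels[text] = "stable (EUI-64, derived from MAC)"
        else:
            labels[text] = "temporary/random (privacy address)"
    return labels


def stable_candidates(addresses: Iterable[str], mac: str) -> List[str]:
    """Addresses a firewall alias could reasonably be pinned to."""
    return [a for a, label in classify_addresses(addresses, mac).items()
            if label.startswith("stable")]


if __name__ == "__main__":
    MAC = "00:11:22:33:44:55"                       # constructed phone MAC
    SEEN = [                                        # constructed address list
        "fe80::211:22ff:fe33:4455",
        "2001:db8:1:0:211:22ff:fe33:4455",
        "2001:db8:1:0:5c3e:9a71:2b0c:8d44",
        "2001:db8:1:0:a1b2:c3d4:e5f6:708",
    ]
    print("expected EUI-64 address:", slaac_address("2001:db8:1::/64", MAC))
    for a, label in classify_addresses(SEEN, MAC).items():
        print(f"{a:40} {label}")
```

On a real interface the same list comes from `ifconfig` or `ip -6 addr`, where Linux and BSD also flag temporary addresses explicitly; the classification above is what lets you see, as the replies say, that the only predictable address is the MAC-derived one and that it is not the one outbound connections use.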



  • Thanks for the replies. Pretty-much confirms what I thought.

    pfSense knows the MAC addresses of all the devices connected to my network. Sure would be nice if it supported firewall rules based on LAN MAC addresses. Seems like it wouldn't be hard to implement. Is there some security reason not to support it?



  • @peppersass:

    Thanks for the replies. Pretty-much confirms what I thought.

    pfSense knows the MAC addresses of all the devices connected to my network. Sure would be nice if it supported firewall rules based on LAN MAC addresses. Seems like it wouldn't be hard to implement. Is there some security reason not to support it?

    Read me first to see what has been said already  ;)


  • Rebel Alliance Global Moderator

    you could just turn off ipv6 on your network ;)

    Or you could put your iOS device on a different segment so you can route the traffic that way.  Dynamic vlans are the perfect sort of solution for this when you want to use the same ssid, etc.

    Privacy IPs, yeah, going to make a lot of firewalling stuff more difficult..



  • @peppersass:

    Thanks for the replies. Pretty-much confirms what I thought.

    pfSense knows the MAC addresses of all the devices connected to my network. Sure would be nice if it supported firewall rules based on LAN MAC addresses. Seems like it wouldn't be hard to implement. Is there some security reason not to support it?

    You said that iPhone was coming through a VPN.  That means its MAC will not be available.  MAC addresses are on the local network only.  They do not pass through routers, most VPNs etc..


  • Rebel Alliance Global Moderator

    I don't think the device is coming in over a vpn; it sounds to me like he is trying to route specific traffic out a vpn.. Ie a client vpn setup on pfsense.  In such a case pfsense would know the mac of the device behind it on one of its locally connected networks.



  • johnpoz is correct. I'm trying to route iOS devices to the VPN.

    I haven't dug into VLANs yet, but if I understand the recommendation it sounds like I could put all devices that use the VPN on a separate segment and route based on that. I'll check it out.

    Meanwhile, yeah – I turned off IPV6.


  • Rebel Alliance Global Moderator

    Yup, if you want specific devices to use the vpn, be it ipv4 or ipv6, if you put them on their own network then it's really easy to force all their traffic, or all their ipv6 or ipv4 traffic, out a vpn..

    If you're going to want to play with vlans you will want/need a vlan capable switch and a vlan capable AP.. After that it's easy peasy lemon squeezy.. Both such devices are very reasonably priced these days even on a home budget..

    With IPv4 it's not an issue, just doing simple policy routing.. But with ipv6 and the temp addresses for outgoing connections that clients use it gets to be more difficult to be sure.  So unless you can turn those off on a client and set them up to only use a specific ipv6 address it is very difficult to know what ipv6 address is a specific client.



  • @johnpoz:

    If you're going to want to play with vlans you will want/need a vlan capable switch and a vlan capable AP.. After that it's easy peasy lemon squeezy.. Both such devices are very reasonably priced these days even on a home budget..

    Yeah, just before reading your post my quick study of VLAN revealed that I'll need new hardware. Reasonable prices on an individual basis, but to be able to route any device to the VPN or not, I'll have to replace five GB switches and 2 APs, one of which is 802.11ac. Probably looking at about $400-$500, less what I can get for the old stuff on eBay. Any recommendations on models?

    Also, my switches are cascaded (daisy-chained). I think I'd have to set it up so the ports used for cascading aren't defined as VLAN ports so a downstream switch can have ports on two different VLANs and they would pass through on upstream non-VLAN ports to the router. In other words, only ports connected to devices would be assigned to a VLAN, not the interconnecting ports. Would that work?

    All that said, given the cost it's probably best to disable IPV6 until iOS allows configuration of static IPV6 addresses. OSX does, so maybe there's hope. Maybe iOS 11 will have it.

    [EDIT] I just realized that a managed wireless AP might do the trick because the iOS devices are wireless only. Can the managed AP enter the LAN through one of the unmanaged switches and still have its respective VLANs respected? What about rest of the devices that connect to the unmanaged switches? Would they just be on the regular LAN?


  • Rebel Alliance Global Moderator

    What switches do you have and what AP?

    You can connect a dumb switch to a vlan switch where all ports on the dumb switch are on a specific vlan you set on the smart switch..  And while a dumb switch can carry vlan tags quite often.. that is a borked setup.. If we understand how you're connected and why, and what devices are where, we can determine if you can still get by with leveraging your dumb switches..

    If they are all just downstream from say a core switch then replace the core with smart and you can still use all your dumb - just limit to all devices on the dumb would have to be on same vlan.  But each dumb could be on a different vlan.

    Also how many nics does pfsense have?  You can just do physical networking vs vlans for wired devices.  And if you can connect an AP that does vlans directly to a pfsense port you could still do vlans.

    Running vlans over a dumb switch can work - but it's a BORKED setup.. And not secure, etc. etc.. And depending on the dumb switch it could strip the tags, etc.  But again you most likely would not have to replace all your switches, just the 1 between your AP and pfsense if you can not connect your AP directly to pfsense.

    All of that said switches that can do vlans are not all that expensive..  Nor are AP that can do vlans..

    Best case cost.

    5 x 8 port smart = 5 x $30 = 150$
    2 x AP (both AC) = 2 x $80 = 180$

    So brand new equipment you're looking at 330 roughly..

    The unifi ac lite model is $80
    And you can pick up 8 port gig switches, tp-link, netgear, etc. for 30 bucks..

    If you draw up your network and what hardware you're working with for port density, AP (maybe they run 3rd party firmware like dd-wrt that does vlans) we can figure out how to get you started with vlans on the cheap!!!

    Depending on your layout maybe you only need 1 switch and can get by with 1 AP to provide you the guest and other wifi networks you want, etc.



  • Doh! I thought I needed a managed switch to get VLAN capability, and that was going to run $55-$65 per switch. When you mentioned $30 I found some "unmanaged" switches that have fully configurable VLAN support, like the TP-Link TL-SG108E for $33. Thanks.

    My setup is detailed below. I think the big problem is that I have three switches cascaded downstream from my main switch (the one on the pfSense LAN NIC). Even if I replace all three dumb switches with smart switches, all the devices on those switches would have to be on the same VLAN unless I cascade them on non-VLAN ports. Can I do that? Will the non-VLAN ports pass VLAN tags? I suspect you would call this configuration "borked", but I don't see any other way to be able to configure any downstream devices to use any VLAN.

    That said, I think most – if not all -- of the downstream devices don't have IPV6 capability, so I can route them to the VPN (or not) based on their host names or configure static IPV4 addresses for them. The only real issue is dealing with the iOS devices coming through the main AP. Those need to be on VLANs so I can route their IPV6 traffic properly.

    I think I can do this with a single AP (or maybe two if I want to route guests through the VPN, which is doubtful). Would it be totally borked to have a couple of VLANs defined in the AP and have all the hardwired devices on the non-VLAN network? After all, doesn't the AP have to connect to the main switch on a non-VLAN port?

    Here's my setup:

    OFFICE (work at home, so it's a business office)

    Running pfSense on a Zotac ZBOX C1327 with two NICs (not expandable)

    ZBOX NIC rel0    ----> Comcast Business DPC3939 modem/router in bridged mode (75mbps/15mbps, native IPV6.)
    ZBOX NIC rel1    ----> Dumb switch #1 (NetGear GS108)

    Dumb Switch #1 ----> ZBOX NIC rel1
                            ----> Dumb switch #2 in office (NetGear GS308)
                            ----> Dumb switch #3 in upstairs entertainment center (NetGear GS108)
                            ----> AP - Secure 802.11ac/b/g/n primary wi-fi network (Apple Time Capsule, bridged)
                            ----> 2 printers
                            ----> 2 SDRs (software defined radios)

    Dumb Switch #2 ----> Dumb switch #1
                            ----> Dumb switch #4 in basement equipment closet (old Linksys 10/100 switch, not currently used)
                            ----> SDR

    Time Capsule      ----> Dumb switch #1
                            ----> Desktop PC
                            ----> MacBook Pro

    ENTERTAINMENT CENTER

    Dumb switch #3  ----> Dumb switch #1 in office
                              ----> Dumb switch #5 in basement entertainment center (Netgear GS108)
                              ----> Dish Hopper
                              ----> Apple TV
                              ----> DVD Player
                              ----> Serial-to-Ethernet converter for audio system control

    BASEMENT ENTERTAINMENT CENTER

    Dumb switch #5  ----> Dumb switch #3
                              ----> Dumb switch #6 on utility panel  (NetGear GS105)
                              ----> Dish Joey
                              ----> TV
                              ----> PS 4
                              ----> AV receiver
                              ----> DVD Player
                              ----> Apple Time Capsule (older model, runs unsecured Guest network)

    UTILITY PANEL

    Dumb switch #6  ----> Dumb switch 5
                              ----> Electricity usage monitor
                              ----> Interface/storage for electricity monitor
                              ----> Vonage telephone interface

    BASEMENT EQUIPMENT CLOSET

    Dumb switch #4  ----> Dumb switch #1


  • Rebel Alliance Global Moderator

    "TP-Link TL-SG108E"

    One thing on that switch, there has been tons of talk here about the tp-link cheap switches.  And while they do support vlans.. You can not remove vlan 1 from any port.. For a home/smb setup not a deal breaker..  But it's pretty shitty to be honest..  I have one in my av cab..

    "Even if I replace all three dumb switches with smart switches, all the devices on those switches would have to be on the same VLAN unless I cascade them on non-VLAN ports. "

    No.. that is not how it works.. If you have 3 smart switches daisy chained then any port on any switch in that chain could be on any vlan you want..  So you have a nice breakdown here of your devices.  Which devices there do you want on different networks/vlans?

    If you state what vlan/network you want on your devices then we can figure out how many smart switches you need..

    "oesn't the AP have to connect to the main switch on a non-VLAN port?"

    Again no that is not how it works.. The port you connect to your AP (that is going to do vlans) would be a trunk port, ie it would carry tags of all the different vlans you want to use on your wifi networks..

    If your going to connect your AP to your switch1, and all the devices on downstream can be on same network, or atleast all devices on the downstream switches can be on same then you only need 1 smart switch..

    So you have this.. See attached.




  • I think I get it. I happened to read up on access ports and trunk ports before you posted but didn't realize the AP would connect via a trunk port and the switches would be cascaded on trunk ports. That makes sense.

    I'm not clear on what happens to the underlying LAN subnet when you use a VLAN. If a smart switch is connected to the firewall NIC via a trunk, must all the switch ports be assigned to a VLAN or designated as a trunk, or can a port be neither – i.e., on the underlying LAN subnet? In other words, once you enable/define VLAN ports is the underlying LAN subnet directly accessible?

    Suppose I had a dumb switch connected to the NIC and a smart switch connected via a trunk port to the dumb switch. Would the dumb switch be able to pass the trunk info? If so, then the other ports on the dumb switch would be on the underlying LAN subnet, right?

    One reason I'm asking about this is to determine how to connect to the pfSense web interface in a VLAN environment (especially when defining the VLANs.) I saw a recommendation not to use the same LAN for VLANs that's used to connect to pfSense. I only have one LAN NIC, so that's not possible. I've also seen instructions to enable WAN access to the firewall when defining VLANs to keep from getting locked out. Not sure I like that idea. So I'm wondering if I can connect to pfSense on the underlying LAN subnet by using a switch port that's not defined as a VLAN or trunk port.



  • "dumb" switches usually (at least my dumb switches work that way) don't touch the 802.1q tags: dumb switches ignore them and pass them on. so yes: you can feed a trunk port into a dumb switch, and split the packets to the correct vlan with a "smart" switch connected to the dumb switch.


  • Rebel Alliance Global Moderator

    "Suppose I had a dumb switch connected to the NIC and a smart switch connected via a trunk port to the dumb switch. "

    And what vlan on that trunk would be the native untagged vlan?  You would not configure it that way.  The port you connect a dumb switch to would be just access and be in a specific vlan on the smart switch and any traffic sent out its port would be untagged..

    What you would do in your setup is LAN would be untagged, the native network on the physical interface.. Then any other networks you create would be vlans that sit on top of the physical LAN interface and their traffic would be tagged.

    So are you going to mark your stuff on what should be in what?  And we can draw it up - which makes it easier to understand.



  • @peppersass:

    I think I get it. I happened to read up on access ports and trunk ports before you posted but didn't realize the AP would connect via a trunk port and the switches would be cascaded on trunk ports. That makes sense.

    I'm not clear on what happens to the underlying LAN subnet when you use a VLAN. If a smart switch is connected to the firewall NIC via a trunk, must all the switch ports be assigned to a VLAN or designated as a trunk, or can a port be neither – i.e., on the underlying LAN subnet? In other words, once you enable/define VLAN ports is the underlying LAN subnet directly accessible?

    Suppose I had a dumb switch connected to the NIC and a smart switch connected via a trunk port to the dumb switch. Would the dumb switch be able to pass the trunk info? If so, then the other ports on the dumb switch would be on the underlying LAN subnet, right?

    One reason I'm asking about this is to determine how to connect to the pfSense web interface in a VLAN environment (especially when defining the VLANs.) I saw a recommendation not to use the same LAN for VLANs that's used to connect to pfSense. I only have one LAN NIC, so that's not possible. I've also seen instructions to enable WAN access to the firewall when defining VLANs to keep from getting locked out. Not sure I like that idea. So I'm wondering if I can connect to pfSense on the underlying LAN subnet by using a switch port that's not defined as a VLAN or trunk port.

    What happens is VLAN tags are applied to frames that are on a VLAN.  However, the VLAN traffic is mixed in with the native LAN traffic.  Only devices that are configured for the VLAN will receive those frames.  Dumb switches are generally capable of passing VLAN frames.  In pfSense, you can configure VLANs on an interface and then use it as you would any other interface.


  • Rebel Alliance Global Moderator

    "Dumb switches are generally capapble of passing VLAN frames."

    True but they do not honor them or understand them..  So to them all traffic is no different than its default traffic… So you loose your separation of layer 2 traffic and broadcast and multicast that should be in a vlan now get sent to all ports on the switch..  Its not a good edit to do this, pretty much ever!!!  Maybe if you your smart switch died and you had dumb switch you could use, until the new dumb switch gets delivered..  Other than that - no I would never suggest anyone ever do such a thing..

    And just because they are generally capable of not stripping the tags, this is not for sure and could be possible they just do not pass on the tags or strip them completely... Lets go over it again - its a bad idea to think its ok to send tagged traffic over a dumb switch. ;)



  • @johnpoz:

    And just because they are generally capable of not stripping the tags, this is not for sure and could be possible they just do not pass on the tags or strip them completely… Lets go over it again - its a bad idea to think its ok to send tagged traffic over a dumb switch. ;)

    Actually, since switches are not supposed to touch the frame they're passing, they shouldn't even notice it's a VLAN frame.  It's just another valid frame.  Where the issue may arise is if the frame is larger than the standard maximum Ethernet frame size, due to the extra 4 bytes the tags use.  However, I don't know how common that situation is.  Of course, only 802.3 frames have a maximum size.  Ethernet II frames have no such restriction.  IP is normally carried on Ethernet II frames.

    One situation where you often have VLANs to the user is with VoIP.  With VoIP phones, you can usually connect a computer to the phone, which in turn connects to the switch.  An unmanaged switch will work, though CoS will not be available.  You just need to have the VoIP PBX provide its own VLAN tagging and the phones configured to use the VLAN.  Regardless, managed switches should be used in all but the smallest networks.
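The last few posts argue about what a dumb switch actually does with a tagged frame and what the "extra 4 bytes" are. The example below is added here and is not code from anyone in the thread: it builds an Ethernet frame with and without an IEEE 802.1Q tag, parses the TPID/TCI fields back out, strips the tag the way a VLAN-aware switch does on an untagged (access) port, and shows why a full-size tagged frame is 1522 bytes on the wire and so exceeds the classic 1518-byte maximum that an older unmanaged switch may enforce. The MAC addresses, VLAN ID and payload are constructed.

```python
# Added example (not from the thread): build and parse an Ethernet frame
# with and without an IEEE 802.1Q tag.  The tag is 4 bytes (TPID 0x8100 +
# TCI) inserted between the source MAC and the real EtherType.
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV6 = 0x86DD
FCS_LEN = 4
MAX_UNTAGGED_FRAME = 1518   # 14-byte header + 1500 payload + 4-byte FCS
MAX_TAGGED_FRAME = 1522     # 802.3ac: the same plus the 4-byte 802.1Q tag


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: int = None, pcp: int = 0) -> bytes:
    """Return the frame without its FCS.  With vlan set, insert the 802.1Q
    header: TPID 0x8100, then TCI = PCP (3 bits) | DEI (1 bit, 0) | VID."""
    header = _mac(dst) + _mac(src)
    if vlan is not None:
        if not 0 <= vlan <= 4094:
            raise ValueError("VID must be 0..4094 (0 = priority-tagged only)")
        if not 0 <= pcp <= 7:
            raise ValueError("PCP is a 3-bit field")
        header += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | vlan)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the header; vlan/pcp are None when the frame carries no tag."""
    dst, src = _mac_str(frame[:6]), _mac_str(frame[6:12])
    (etype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if etype == ETHERTYPE_8021Q:
        tci, etype = struct.unpack("!HH", frame[14:18])
        vid, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vlan": vid, "pcp": pcp,
            "ethertype": etype, "payload": frame[offset:]}


def strip_tag(frame: bytes) -> bytes:
    """What a VLAN-aware switch does on egress from an untagged/access port:
    remove TPID and TCI so the frame looks like ordinary Ethernet again."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return frame
    return frame[:12] + frame[16:]


def wire_length(frame: bytes) -> int:
    return len(frame) + FCS_LEN


def is_baby_giant(frame: bytes) -> bool:
    """True when the frame only fits a switch that accepts 802.3ac sizes;
    a switch holding to the 1518-byte limit may drop or truncate it."""
    return wire_length(frame) > MAX_UNTAGGED_FRAME


if __name__ == "__main__":
    payload = b"\x60" + b"\x00" * 1499         # constructed: a full 1500-byte IPv6 payload
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         ETHERTYPE_IPV6, payload, vlan=20, pcp=5)
    print(parse_frame(tagged)["vlan"], wire_length(tagged), is_baby_giant(tagged))
    untagged = strip_tag(tagged)
    print(parse_frame(untagged)["vlan"], wire_length(untagged), is_baby_giant(untagged))
```

The tag only tells a VLAN-aware switch which forwarding domain the frame belongs to; an unmanaged switch that happens to accept the longer frame simply floods or MAC-learns it like any other, which is the loss of layer-2 separation the moderator describes.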



  • @johnpoz:

    So you going to mark your stuff on what should be in what?  And I we can draw it up - which makes it easier to understand.

    I haven't made firm decisions on which devices need to be on the VPN and which don't. I'm pretty sure I'll want all computers, phones and tablets to go through the VPN, but for now just my desktop PC, the MacBook, my phone and my tablet need to go through the VPN. The PC and MacBook have Ethernet connections in the office, and the phone and tablet come in on the Time Capsule AP in the office.

    I think my first pass at this is to define two VLANs, one for VPN connections and one for direct WAN connections. Let's call them VLAN 10 and VLAN 20, respectively.

    1. I would replace dumb switch #1 with a smart switch and connect it to the NIC (I think I need to use a trunk port for that connection, no?) I'd move the PC and MacBook from the Time Machine to ports on the smart switch defined as VLAN 10 (VPN).  If I need to take the PC or MacBook off the VPN, I can always temporarily change the VLAN assignment on their respective switch ports.

    2. The two SDRs would be moved from switch #1 to switch #2 to make room for the PC and MacBook on switch #1.

    3. The new smart AP would connect to the smart switch via a trunk port. I'd define two SSIDs on the new AP, one connected to VLAN 10 and one connected to VLAN 20. That should make it easy to switch my Wi-Fi devices to use the VPN or not.

    4. All of the family devices are on Wi-Fi and normally use the Office AP. I'd initially configure them to use the non-VPN SSID on the new AP, then move them to the VPN SSID one at a time and see if anyone complains (e.g., about not being able to use netflix, weird geolocation results, etc.)

    5. I'd connect the Time Capsule AP to a VLAN 20 port. I'd turn off its wireless and use it for an upstairs guest network. Its network drive and Ethernet ports would be assigned to VLAN 20.

    6. The rest of the switches in the network would stay as dumb switches for now and will be connected to VLAN 20 ports on the smart switch (no VPN.)

    7. Later I may replace switches #3 and #5 (and maybe #6) with smart switches so their devices can be assigned to the VPN or non-VPN VLAN.

    Two question marks in this are the Guest Network AP and shared devices (network media drive on the Time Capsule, printers, etc.):

    • The Guest network will come in on VLAN 20, so guests will use the ISP directly. At some point I may want to move guests to the VPN by default, at which point it would probably make sense to replace the existing AP with a smart AP and have SSIDs for Guest VPN and Guest non-VPN. Of course I'd have to replace switches #4 and #5 with smart switches for that to work.

    • One printer is used only by my PC, so it can be on the same VLAN. Not sure how to attach the other printer, which is shared by everyone. Same goes for the network media drive. Can a device on one VLAN use a device on another VLAN? I'm hoping I can control that from the firewall – i.e., allow specific user devices to access the shared devices or not.

    Big question: The PC and a tablet are my main devices for accessing the pfSense web interface. Is it dangerous to have them on VLANs? Do I need to do anything special to allow pfSense to be accessed (or not) by devices on the VLANs? If worst comes to worst, can I connect a device to an undefined port on the smart switch or directly to the NIC to access pfSense? What about configuring the WAN to allow access?


  • Rebel Alliance Global Moderator

    "I haven't made firm decisions on which devices need to be on the VPN and which don't."

    This doesn't matter what network/vlan they are on - you can do this with a simple policy route..  IP address X go out the vpn… Just set a reservation for that machine so it gets that IP or set it static - and it will use the vpn.

    The big thing you want to decide is what you want to be able to isolate from each other.  What uses the vpn doesn't matter if on specific vlan or not..  Sure you can have this vlan use your vpn, this vlan not.. But you can get as granular with that as you want with simple firewall rule.

    As to pc and tablet being on whatever - makes zero difference.  The web gui for pfsense can be gotten to from any vlan if you want it to be available.



  • @johnpoz:

    This doesn't matter what network/vlan they are on - you can do this with a simple policy route..  IP address X go out the vpn… Just set a reservation for that machine so it gets that IP or set it static - and it will use the vpn.

    You may recall that I originally set up the firewall to route hosts to the VPN based on static IPs or FQDNs. But the problem that brought all this up is not being able to set a static IPV6 address on iOS devices. Every time they connect via wireless they get a new IPV6 address. So I can't route their IPV6 traffic to the VPN using a static IPV6 address and it doesn't appear that their FQDNs resolve to their current IPV6 addresses (though maybe if I wait long enough it'll resolve correctly – haven't tested that yet.)

    If I route the iOS devices based on their static IPV4 or FQDN, their IPV6 traffic leaks. So, either I turn off IPV6 system-wide or, per your recommendation, I use VLANs to route the iOS devices (and maybe others) to the VPN.

    Make sense?


  • Rebel Alliance Global Moderator

    Ah my bad sorry.. Forgot about the whole ipv6 problem..

    Yes the simple solution to ipv6 is do it based upon network and that way you don't care what IPv6 they use to go outbound on..

    So which devices do you want to use the vpn via ipv6.. Where are they in your network, what switches or are they all wifi - if all wifi its easy and you really only need the 1 smart switch to connect your AP that does vlan on.



  • @johnpoz:

    So which devices do you want to use the vpn via ipv6.. Where are they in your network, what switches or are they all wifi - if all wifi its easy and you really only need the 1 smart switch to connect your AP that does vlan on.

    Good question. Generally speaking I want ipv6 capability for any device that supports it, which I think at this point are the PC, Macbook, phones and tablets. The rest of the devices aren't capable of ipv6 and it's unclear at this point whether I want them on the VPN to protect against inbound incursion. Different subject. Anyway, the PC is hardwired and the Mac is set up for hardwired or wi-fi. The phones and tablets are wi-fi.

    I moved ahead this weekend. Got a TL-SG108E and a UniFi Lite AP. The smart switch has replaced dumb Switch #1. The UniFi has replaced the Time Capsule as the main upstairs AP and I moved the TC downstairs to replace the older Guest Network TC that doesn't support 802.11ac. Defined a couple of VLANs and played around with them this weekend. Got a good education about configuring VLANs, as well as some further experience with firewall rules.

    I have VLAN 10 and VLAN 20, with the intent being VLAN 10 or LAN for non-VPN and VLAN 20 for VPN. I set up SSIDs on the UniFi for VLAN10, VLAN20 and LAN (upstairs guest network.) Configured the smart switch port 1, which connects to the router NIC, and port 2, which connects to the AP, as tagged on both VLAN10 and VLAN20. Defined the PC port as untagged on VLAN20. At first I had the rest of the devices untagged on VLAN10, but ran into enough issues with certain devices wanting to be on certain subnets that I put them all back on VLAN 1 until I can figure out what firewall rules they need. Also put in a bunch of firewall rules for the PC so it can access the LAN and either VLAN (for example, couldn't access the network printer until I did that.) Came to the conclusion that I might not need VLAN10. Non-VPN devices can use the LAN. But left VLAN10 configured just in case.

    All it'll take is two or three more smart switches to be able to have complete flexibility for any device. And I think I've got a handle on the firewall rules I'll need to grant or restrict access.

    As far as switching from VPN to non-VPN, the wireless devices have it easy – just switch networks. It's a bit of a pain to reconfigure the PC switch port, so I left an empty LAN port on the smart switch so I can just plug the PC into a VPN or non-VPN port as needed.


  • Rebel Alliance Global Moderator

    "Generally speaking I want ipv6 capability for any device that supports it"

    Why to be honest?  If you're so worried about sending their traffic out a vpn or not?? IPv6 while the future has ZERO requirement currently.. There is not one legit resource on the internet that you can not get to via ipv4..

    "I want them on the VPN to protect against inbound incursion."

    Huh???  Yeah your going to need to expand on that ;)

    I am all for ipv6 adoption, it is best to get ahead of the curve - even if the curve has a very very long way to go still.. I run it on my own network, but in very controlled manner.  Only devices I want to use it on have it enabled.  I don't have it on all my segments..  And I don't give two shits about any traffic having to go out some vpn or not.

    So I don't see why you should cause yourself grief??  There is actually zero reason for a device to need ipv6 on your network. If you're concerned about what WAN, be it vpn or not, your clients take - this seems to be your primary concern.  Then make it easy on yourself and just disable ipv6 for those networks.  I am really curious what vpn you're using that supports ipv6? Since you have another thread which really points to it not working anyway.  Which is prob correct - does the vpn service you're running actually state they support ipv6? The whole point of privacy ipv6 is to prevent tracking who is who.. with the 18 quintillion IPs in a /64 kind of hard to say who is who when the ips keep changing, etc.

    Post up your rules if you don't mind.. New users to pfsense almost always get it wrong ;)  With rules that are not required or make no sense.

    Rules are evaluated top down, first rule to trigger wins no other rules are evaluated.
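The exchange above comes down to two facts: rules are evaluated top-down with the first match winning, and a rule keyed on a device's static IPv4 address says nothing about that device's IPv6 traffic, which then follows the default route. The following is an added example, not pfSense's own code or anything posted in the thread: a minimal first-match evaluator over constructed rules and addresses. It shows the IPv6 leak with host-based rules, shows that rules keyed on the VPN VLAN's IPv4 and IPv6 networks catch whatever temporary address the phone picks, and shows how reordering a block rule above a pass rule silently changes the result. The gateway name VPN_GW, the 192.168.x/2001:db8:x networks and the phone's addresses are all assumptions.

```python
# Added example (not pfSense's own code): first-match evaluation of the kind
# of LAN policy-routing rules discussed in the thread.  All addresses,
# networks and gateway names are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                     # network or single host the source must fall in
    action: str                     # "pass" or "block"
    gateway: Optional[str] = None   # gateway for pass rules; None = default route


def rule_matches(rule: Rule, src: IPAddr) -> bool:
    net = ipaddress.ip_network(rule.source, strict=False)
    # An IPv4 alias can never match an IPv6 source, and vice versa: this is
    # exactly why a rule on the phone's static IPv4 never sees its IPv6 flows.
    return src.version == net.version and src in net


def evaluate(rules: List[Rule], src_ip: str, default_gateway: str = "WAN") -> str:
    """Top-down: the first rule that matches decides and later rules are
    not consulted.  A flow that matches nothing follows the default route."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule_matches(rule, src):
            if rule.action == "block":
                return "blocked"
            return rule.gateway or default_gateway
    return default_gateway


def leak_report(rules: List[Rule], sources: Iterable[str]) -> Dict[str, str]:
    """Where each source's traffic ends up under a given rule set."""
    return {src: evaluate(rules, src) for src in sources}


# Constructed: the phone on the original flat LAN.  The IPv4 address is a
# DHCP reservation; the IPv6 address is a temporary one that changes on
# every connect, so it can never be put in an alias ahead of time.
IPHONE_V4 = "192.168.1.50"
IPHONE_V6_TEMP = "2001:db8:1:0:5c3e:9a71:2b0c:8d44"

HOST_BASED = [
    Rule("iPhone alias -> VPN", IPHONE_V4, "pass", "VPN_GW"),
]

# Constructed: the VPN VLAN (VLAN 20 in the thread).  Rules keyed on the
# networks match any address a client forms inside them, temporary or not.
VPN_VLAN_V4 = "192.168.20.0/24"
VPN_VLAN_V6 = "2001:db8:20::/64"

NETWORK_BASED = [
    Rule("VLAN20 IPv4 -> VPN", VPN_VLAN_V4, "pass", "VPN_GW"),
    Rule("VLAN20 IPv6 -> VPN", VPN_VLAN_V6, "pass", "VPN_GW"),
    Rule("VLAN20 IPv6 fail closed", VPN_VLAN_V6, "block"),
]

# Same rules, wrong order: the block rule now shadows the pass rule.
WRONG_ORDER = [NETWORK_BASED[2], NETWORK_BASED[1], NETWORK_BASED[0]]


if __name__ == "__main__":
    print("host-based:   ", leak_report(HOST_BASED, [IPHONE_V4, IPHONE_V6_TEMP]))
    phone_on_vlan20 = ["192.168.20.50", "2001:db8:20:0:5c3e:9a71:2b0c:8d44"]
    print("network-based:", leak_report(NETWORK_BASED, phone_on_vlan20))
    print("wrong order:  ", leak_report(WRONG_ORDER, phone_on_vlan20))
```

The trailing block rule in NETWORK_BASED never fires while the pass rules above it match; in pfSense it only becomes relevant if the firewall is configured to skip rules whose gateway is down, in which case it keeps the VLAN's IPv6 traffic from falling through to the WAN instead of leaking when the VPN drops.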



  • Like I said, I'm new to all this, especially IPV6 and sophisticated routing/firewall tools!

    I guess I needed to hear from someone in the know that IPV6 is a long way from being a requirement. With that in mind, I have two options:

    1. Disable IPV6 network-wide.
    2. Allow native IPV6 on the ISP WAN but disable IPV6 on VPN connections (requires VLANs to get around iOS not allowing static IPV6 addresses).

    The VPN is Perfect Privacy. Near as I can tell, they're the only VPN that supports IPV6. As I said in the other thread, it works with IKEv2 on iOS – IPV6 addresses get mapped properly so there's no leak.

    IPV6 leakage seems to be an issue with VPN security watchdogs. That's why every VPN with pfSense configuration instructions tells you to turn off IPV6 system-wide. If you don't, you have to use firewall rules to prevent the native IPV6 addresses from leaking. But if the IPV6 addresses aren't static, and change each time a device connects (as they do under iOS), then you need VLANs, as we've discussed here.

    As for the danger of leakage, if the IPV6 address leaks, couldn't someone identify my network as the source of the traffic (assuming they had access to my ISP's logs?)


  • Rebel Alliance Global Moderator

    In your other thread - they DON'T support IPv6, not in any way that makes sense.. They are giving you 1 IPv6 address and expecting you to nat all your traffic to it.  Sorry but that is BORKED out of the gate..

    "As for the danger of leakage, if the IPV6 address leaks, couldn't someone identify my network as the source of the traffic (assuming they had access to my ISP's logs?)"

    That is a lot of ifs.. Most ISPs the ipv6 range they give you changes all the time.. Part of the reason I don't use native from comcast is the prefix keeps changing and is a pain in the butt ;)  I use a tunnel from HE.. So I get a /48 and can assign the specific prefixes I want to my different segments..

    So this somebody or someone is going to have a court order?  Why would they have access to your ISP logs?  Is this someone at the ISP?  So website X sees IPv6 xyz access their server.. They would know it came from isp abc sure.  But now how are they going to have the logs from your isp to know that we gave that prefix to Joe on 123 Street.. That is even if the ISP has such logs.. I find that hard to believe to be honest….  Reboot your modem and you will have a completely different prefix anyway most likely.. Let's say they have this info and are sharing it without the court order. So now they know that "someone" or some device on 123 Street had that IP at that time..  Who was it exactly?  Was it susan that lives there?  Was it Billy?  How do you prove it was Joe?  Maybe it was Kevin from down the street that was on Joe's wifi at the time, etc..

    How tight is your tinfoil hat exactly? ;)

    So who says this VPN is not logging every IP they give you, and what you're doing and what you ask for dns?  Because they say so??  Why do you believe them and not your ISP?  I never understand this logic.. You pay your isp way more money I would think than some vpn that you pay a few bucks a month, etc.

    All that being said - again IPv6 is the future!!  And yes it is coming.. But I am fairly sure I will be freaking retired from the industry before it becomes any sort of requirement to get anywhere.  I am 52, so I have like 15 years left for sure..  Yes there is a shitton of stuff on ipv6, and yes the amount of traffic flowing over ipv6 grows every day.. But until they start turning off stuff like ipv4 access to something - it's not a requirement!!  So when you can not get to www.google.com unless you have IPv6 - then yeah it's a requirement..  Name one source that is not dark web or p0rn current that is only available via ipv6 that you want/need to get to..  Until you can name this service it is not a requirement to run ipv6.

    Play with it!! Run it controlled on your network - learn about it!!  Get a tunnel from HE so you can deploy however many /64 segments you want.. Work with getting a vpn working with it if you want - bug your vpn provider to do it correctly! etc. etc..  But sorry, as much as us in the field want it to speed along and become a requirement/mainstream - it's just not there yet.. And I would really be surprised if it happens in the next 15 years..

    I work for a service branch of a tier 1 provider - and what I can tell you is there is ZERO ipv6 in NA on their network..  I should know, I have access to all of it ;)  And to be honest I don't think much if any on their global network other than the other sister company that does cell phones.. There is talk, and they say it's coming... I have been asking about it for the 8+ years I have worked for them.. Still nothing... None of the major customers we support or that I work on directly have it, not on their local networks - not on their public networks, etc. etc..  These are not web companies.. These are companies actually making stuff or providing services, etc.  I would love nothing more than to get put on an ipv6 rollout project!  But just not any sort of push..



  • Points well taken. I'm doing all this because I got the bug to see if I could make my presence on the Internet as private and untraceable as possible. Easier said than done (e.g., getting google out of one's life), and I'm far from reaching conclusions on what's really possible.

    But before we cast aspersions on the VPN's implementation of IPV6, take a look at my latest post in my other IPV6 thread. The IPV4 and IPV6 addresses reported for my connection to the VPN when I used IKEv2 on iOS are different for each device. I think this means they assign an IPV4 subnet and an IPV6 prefix.

    In any case, I'll ask the VPN and post what they say.



  • @peppersass:

    … But the problem that brought all this up is not being able to set a static IPV6 address on iOS devices.

    As long as my IPv6 supplier (he.net) doesn't change the prefix, the IPv6 my iPhone obtains has been the same for the last 2 years or so …
    (Ok, I helped somewhat by setting up a static lease in the dhcp6d)

    So, when your IPv6 setup is ok on the WAN side, the inner side, LAN, etc, will work just fine.



  • @Gertjan:

    (Ok, I helped somewhat by setting up a static lease in the dhcp6d)

    I'm not sure what you mean by this. Where and how did you set the static lease?



  • @peppersass:

    @Gertjan:

    (Ok, I helped somewhat by setting up a static lease in the dhcp6d)

    I'm not sure what you mean by this. Where and how did you set the static lease?

    Here : => Services => DHCPv6 Server & RA => LAN => DHCPv6 Server - at the bottom of the page I added a boatload of

    DHCPv6 Static Mappings for this Interface
    DUID    IPv6 address    Hostname    Description
    .....

    Like in the old IPv4 days, all my devices (iOS stuff included) have their "fixed" IPv6. When I open up an IPv6 address in the firewall (the he.net IPv6 only interface) I can reach the device from the net.
    With a (mine) DNS server on the net and some arpa reverse magic I can even use URLs like "diskstation.brit-hotel-fumel.net" port 22 to rsync to it - using only IPv6.
    " And, hey, Mam : Look ! No NAT ! " :)
    My IPv6 addresses didn't change for the last several years.

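The two mechanisms this thread turns on, rotating privacy addresses that a rule keyed to one resolved address never matches (the "rules are evaluated top down" point above) and the DHCPv6 static mapping workaround in the previous post, as an added Python example that is not from the original posts or from pfSense. It assumes a made-up MAC, DUID and the 2001:db8 documentation prefix; the EUI-64 check is an assumption too, since many current OSes generate opaque stable identifiers instead of MAC-based ones.

```python
import ipaddress

# Constructed sample data (example added to this thread, not from the posts or
# from pfSense): documentation prefix, made-up MAC and DUID.
MAC = "3c:22:fb:12:34:56"
# DHCPv6 static mapping as under Services > DHCPv6 Server & RA (DUID -> address)
STATIC_MAPPINGS = {"00:01:00:01:aa:bb:cc:dd:3c:22:fb:12:34:56": "2001:db8:1234:5678::1:10"}
# What the phone lists in Settings; the last one rotates and is used for outbound
IPHONE_ADDRS = [
    "fe80::3e22:fbff:fe12:3456",
    "2001:db8:1234:5678:3e22:fbff:fe12:3456",
    "2001:db8:1234:5678::1:10",
    "2001:db8:1234:5678:a1b2:c3d4:e5f6:789a",
]
# LAN rules: an FQDN alias resolves to one address, so block hits only that host
RULES = [("block", "2001:db8:1234:5678:3e22:fbff:fe12:3456/128"), ("pass", "::/0")]

def eui64_iid(mac):
    """Modified EUI-64 interface identifier derived from a 48-bit MAC."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")

def classify(addr, mac=MAC, static=STATIC_MAPPINGS):
    """Label an address as link-local, MAC-based, DHCPv6-static or privacy."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if int(a) & ((1 << 64) - 1) == eui64_iid(mac):
        return "eui64 (MAC-based, stable)"
    if a in {ipaddress.IPv6Address(v) for v in static.values()}:
        return "dhcpv6-static"
    return "temporary (privacy)"  # random IID that rotates; the thread's problem

def first_match(rules, src):
    """pf semantics: rules are evaluated top down, first match wins."""
    s = ipaddress.IPv6Address(src)
    for action, net in rules:
        if s in ipaddress.IPv6Network(net):
            return action
    return "block"  # pfSense default when no rule matches

def leaking_sources(addrs=IPHONE_ADDRS, rules=RULES):
    """Global addresses of the device that the block rule does not catch."""
    return [a for a in addrs if not ipaddress.IPv6Address(a).is_link_local
            and first_match(rules, a) == "pass"]
```

Run `leaking_sources()` to see which of the phone's addresses slip past a block rule built from a single resolved address; pointing the rule at the DHCPv6 static mapping only helps if the device actually sources traffic from that address rather than a privacy one.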


  • Thanks. I have my network set up to use the native IPV6 address from my ISP. The WAN interface IPV6 is set to DHCP6 and the LAN interface IPV6 is set to Track Interface (WAN). I got that from an article on how to configure pfSense to use Comcast native IPV6. Everything seems to work the same as when I had the Comcast modem doing the routing. Only problem is the iOS devices. If I understand correctly, your method has pfSense doing the IPV6 assignment and you defined static IPV6 addresses for all the devices. Right?

    If I were to go down that road, what would I use for an IPV6 prefix? Something I make up? Something based on the Comcast native IPV6 prefix?