    IPv6 hosting website

      Exocomp

      I have a simple website that currently is only enabled for IPv4, is it possible to have IPv6 on the WAN interface in pfSense and then route the traffic to the servers on the LAN using IPv4?

        JKnott

        If you have IPv6 on the WAN side, why not extend it to the LAN?  While it's possible to convert between IPv4 & IPv6, it's better to do it properly.  I assume you have at least a /64 prefix.  If your ISP is not providing IPv6, you'll have to use a tunnel to get IPv6.  One popular tunnel broker is Hurricane Electric.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          Exocomp

          Hi there thanks for the reply.  If I got the terminology right (I've been doing a little reading on the subject) you are stating I should implement a "dual stack" network ?

          My thoughts on the subject are still a jumble.  So if I understand it right with IPv6 there is no need to do NAT right?  But wouldn't I need to do IPv6 NAT between the IPv6 global IP and my internal IPv6 network?

          What I mean is the global IPv6 is added to DNS and when the request reaches the edge router it is then forwarded to the right internal box hosting the website ?

            JKnott

            Dual stack will provide both IPv4 and IPv6 addresses.  The main reason for using NAT on IPv4 is the lack of addresses.  There is no similar need on IPv6, as the smallest block an ISP is supposed to provide is a /64 prefix, which will give you 18.4 billion, billion addresses.  Many ISPs provide an even larger block.  Mine gives me a /56, which is 256 /64s.  So, as you can see, there's no need to use NAT on IPv6.  The big question right now is does your ISP provide IPv6?  If not, you'll have to use a tunnel to get it.  You can't add an IPv6 address to DNS, if you don't actually have an IPv6 address!

            PfSense supports both native IPv6 and via tunnels over IPv4.

            BTW, please forget about NAT.  It was a hack to get around a specific problem and that problem does not exist on IPv6.

              Exocomp

              So it appears my ISP does provide IPv6 and I made some progress where I was able to enable IPv6 on pfSense and got an IPv6 address on my WAN on pfSense - yay!

              Ok, what I'm having a hard time understanding now is how do I use pfSense as a firewall in front of my web server?  What would I set the LAN IPv6 interface to on pfSense? And on my web server what would I enter for the address and default gateway?

                JKnott

                Most ISPs use DHCPv6-PD to assign a block of addresses.  The smallest prefix or block is a /64, which is 18.4 billion, billion addresses.  With this you should have an IPv6 address on the WAN side as well as addresses within your prefix on your LAN.  The address prefix, along with router and DNS addresses, are sent by pfSense to the devices on your network.  Each device will create its own address, using the prefix and the MAC address or a random number.

                Also, an ISP may provide more than one /64 prefix.  Mine gives me a /56, which is 256 /64s.  I can assign these to other interfaces, VLANs etc.

                  Exocomp

                  Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

                    JKnott

                    @Exocomp:

                    Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

                    Don't forget to update the DNS with the IPv6 address.  Also, one thing to be careful of.  IPv6 has something called "privacy addresses", which change regularly.  After a while, you'll see several of these.  You do not want to have the DNS pointing to one of those.  You need to use the MAC based address or, on Windows, the permanent random number.  Windows can also be configured to use the MAC address.

                      Exocomp

                      IPv6 has something called "privacy addresses", which change regularly.

                      I saw those and disabled them, :)

                        bigtfromaz

                        I have a similar situation. I want to allow inbound traffic to a specific IPv6 host on my LAN.  I read this post and it all made sense to me but there are some things I don't understand.

                        Here is some background:

                        • My ISP does not provide a static delegated prefix, I receive it dynamically by "Tracking" the WAN from the LAN.  At least one of my target hosts will only use auto configuration and I can't change it.

                        • For dynamic DNS, I wrote a PowerShell script that runs on the hosts. It updates my web-facing DNS server whenever the host's addresses change.  That was the easy part for me.

                        • The pfSense firewall is configured to block all inbound IPv6 connections by default.

                        Is there a way to write a firewall rule allowing inbound connections to pass through to a specific host when dynamic prefix delegation is in play?  What happens when my ISP changes the prefix for whatever reason?  Will pfSense alter the rules accordingly when the prefix changes?

                        As a Gold supporter, I have access to The pfSense Book.  Hopefully this isn't a RTFM question but please feel free to point me to the right pages in the book.

                          JKnott

                          ISPs generally don't provide static prefixes, but with DHCPv6-PD and DUID, you will likely always get the same prefix.  It's similar to what happens on IPv4, where you can request a previous address and get it if it's available.  With an almost static prefix, you don't need a dynamic DNS, as a regular one will work fine.

                            bigtfromaz

                            Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

                            Are you saying that pfSense has no way to do this without manual intervention?

                              JKnott

                              @bigtfromaz:

                              Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

                              Are you saying that pfSense has no way to do this without manual intervention?

                              When I first started using pfSense, my prefix would change for something as little as disconnecting & reconnecting the Ethernet cable.  Then an option "Do not allow PD/Address release", on the WAN tab, was added.  With that selected, my prefix does not change.

                                bigtfromaz

                                Already did that but still got a new prefix on a reboot.  No idea why but it's their address and they can do what they want.

                                Note that I am not looking for ways to avoid the change.  I am looking for ways to manage or accommodate the change without manual intervention.  This way any outage, no matter how rare, could be managed without manual intervention.

                                I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

                                I would like to avoid writing a dynamic prefix change detection script.  I am not a UNIX expert, nor do I have any experience managing firewall rules from a script.  The learning curve would be substantial.

                                  JKnott

                                  I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                                    bigtfromaz

                                    @JKnott:

                                    I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                                    It would be a nice feature though wouldn't it?

                                      bimmerdriver

                                      @Exocomp:

                                      IPv6 has something called "privacy addresses", which change regularly.

                                      I saw those and disabled them, :)

                                      Why disable privacy addresses?

                                        bimmerdriver

                                        @bigtfromaz:

                                        @JKnott:

                                        I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                                        It would be a nice feature though wouldn't it?

                                        This feature has been requested numerous times.

                                          JKnott

                                          Why disable privacy addresses?

                                          No need for them on a server, where you'd normally use the MAC based address.  However, I also don't see the need to delete them.  They're not hurting anything.

                                            bigtfromaz

                                            OK.  If the feature has been requested numerous times, can anyone tell me if there are facilities for managing the firewall from script?  If so, I guess I would need documentation.  This would appear to be a simple matter of detecting a change to the prefix from a given interface, then changing and applying rules having the old prefix to refer to the new prefix.  It is not a fix, but a work around.

                                            For now I am going to turn IPv6 off on my WAN interface and set up an opt/gif tunnel using Hurricane Electric.  I have one running in a sandbox and I must be really close to the Phoenix entry point.  It seems to be adding only about 10 ms to my ping times.  It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

                                            @bimmerdriver:

                                            @bigtfromaz:

                                            @JKnott:

                                            I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

                                            It would be a nice feature though wouldn't it?

                                            This feature has been requested numerous times.

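The two ideas the thread keeps circling back to, JKnott's point that the low 64 bits of a MAC-based address stay fixed while the delegated prefix moves (and that DNS must not point at a privacy address), and bigtfromaz's wished-for "PD::iid" rule destination with a script that re-homes rules when the prefix changes, fit together in one small routine. The following is an added illustration, not pfSense code or anything from the posters; the MAC, the 2001:db8 documentation prefixes and the rule records are constructed, and applying the rewritten rules to a live firewall is left out.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier

def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    # flip the universal/local bit and insert ff:fe between OUI and device id
    modified = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(modified, "big")

def compose(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """The 'PD::iid' idea: delegated /64 prefix joined with a fixed interface id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expected the /64 assigned to the LAN segment")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))

def stable_address(addrs, mac: str):
    """Pick the MAC-based address for a DNS record; privacy addresses never match."""
    want = eui64_iid(mac)
    for a in addrs:
        ip = ipaddress.IPv6Address(a)
        if not ip.is_link_local and (int(ip) & IID_MASK) == want:
            return ip
    return None

def rewrite_rules(rules, old_prefix: str, new_prefix: str):
    """Re-home rule destinations from the old delegated /64 to the new one."""
    old = ipaddress.IPv6Network(old_prefix, strict=False)
    out = []
    for rule in rules:
        dst = ipaddress.IPv6Address(rule["dst"])
        if dst in old:  # keep the host's iid, swap only the prefix
            dst = compose(new_prefix, int(dst) & IID_MASK)
        out.append({**rule, "dst": str(dst)})
    return out

# Constructed sample data: hypothetical MAC, documentation prefixes, toy rule records.
MAC = "00:11:22:33:44:55"
HOST_ADDRS = ["fe80::211:22ff:fe33:4455",            # link-local
              "2001:db8:ab01:0:9c3e:51b2:7d0a:e4f1",  # privacy (temporary) address
              "2001:db8:ab01:0:211:22ff:fe33:4455"]   # EUI-64, the stable one
RULES = [{"action": "pass", "proto": "tcp", "dst": "2001:db8:ab01:0:211:22ff:fe33:4455", "port": 443},
         {"action": "pass", "proto": "udp", "dst": "2001:db8:ffff::53", "port": 53}]
```

Run `rewrite_rules(RULES, "2001:db8:ab01::/64", "2001:db8:ab02::/64")` after a prefix change and only the rule inside the old /64 moves; the unrelated destination is untouched.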