IPv6 hosting website



  • I have a simple website that currently is only enabled for IPv4, is it possible to have IPv6 on the WAN interface in pfSense and then route the traffic to the servers on the LAN using IPv4?



  • If you have IPv6 on the WAN side, why not extend it to the LAN?  While it's possible to convert between IPv4 & IPv6, it's better to do it properly.  I assume you have at least a /64 prefix.  If your ISP is not providing IPv6, you'll have to use a tunnel to get IPv6.  One popular tunnel broker is Hurricane Electric.



  • Hi there, thanks for the reply.  If I got the terminology right (I've been doing a little reading on the subject), you are stating I should implement a "dual stack" network?

    My thoughts on the subject are still a jumble.  So if I understand it right, with IPv6 there is no need to do NAT, right?  But wouldn't I need to do IPv6 NAT between the IPv6 global IP and my internal IPv6 network?

    What I mean is the global IPv6 is added to DNS and, when the request reaches the edge router, it is then forwarded to the right internal box hosting the website?



  • Dual stack will provide both IPv4 and IPv6 addresses.  The main reason for using NAT on IPv4 is the lack of addresses.  There is no similar need on IPv6, as the smallest block an ISP is supposed to provide is a /64 prefix, which will give you 18.4 billion, billion addresses.  Many ISPs provide an even larger block.  Mine gives me a /56, which is 256 /64s.  So, as you can see, there's no need to use NAT on IPv6.  The big question right now is: does your ISP provide IPv6?  If not, you'll have to use a tunnel to get it.  You can't add an IPv6 address to DNS if you don't actually have an IPv6 address!

    pfSense supports both native IPv6 and IPv6 via tunnels over IPv4.

    BTW, please forget about NAT.  It was a hack to get around a specific problem and that problem does not exist on IPv6.



  • So it appears my ISP does provide IPv6 and I made some progress where I was able to enable IPv6 on pfSense and got an IPv6 address on my WAN on pfSense - yay!

    Ok, what I'm having a hard time understanding now is how do I use pfSense as a firewall in front of my web server?  What would I set the LAN IPv6 interface to on pfSense? And on my web server what would I enter for the address and default gateway?



  • Most ISPs use DHCPv6-PD to assign a block of addresses.  The smallest prefix or block is a /64, which is 18.4 billion, billion addresses.  With this you should have an IPv6 address on the WAN side as well as addresses within your prefix on your LAN.  The address prefix, along with router and DNS addresses, is sent by pfSense to the devices on your network.  Each device will create its own address, using the prefix and the MAC address or a random number.

    Also, an ISP may provide more than one /64 prefix.  Mine gives me a /56, which is 256 /64s.  I can assign these to other interfaces, VLANs etc.



  • Thanks for your assistance, I'm up and running on IPv6.  Woohooo!



  • @Exocomp:

    Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

    Don't forget to update the DNS with the IPv6 address.  Also, one thing to be careful of.  IPv6 has something called "privacy addresses", which change regularly.  After a while, you'll see several of these.  You do not want to have the DNS pointing to one of those.  You need to use the MAC based address or, on Windows, the permanent random number.  Windows can also be configured to use the MAC address.



  • IPv6 has something called "privacy addresses", which change regularly.

    I saw those and disabled them, :)



  • I have a similar situation. I want to allow inbound traffic to a specific IPv6 host on my LAN.  I read this post and it all made sense to me but there are some things I don't understand.

    Here is some background:

    • My ISP does not provide a static delegated prefix, I receive it dynamically by "Tracking" the WAN from the LAN.  At least one of my target hosts will only use auto configuration and I can't change it.

    • For dynamic DNS, I wrote a PowerShell script that runs on the hosts. It updates my web-facing DNS server whenever the host's addresses change.  That was the easy part for me.

    • The pfSense firewall is configured to block all inbound IPv6 connections by default.

    Is there a way to write a firewall rule allowing inbound connections to pass through to a specific host when dynamic prefix delegation is in play?  What happens when my ISP changes the prefix for whatever reason?  Will pfSense alter the rules accordingly when the prefix changes?

    As a Gold supporter, I have access to The pfSense Book.  Hopefully this isn't an RTFM question, but please feel free to point me to the right pages in the book.



  • ISPs generally don't provide static prefixes, but with DHCPv6-PD and DUID, you will likely always get the same prefix.  It's similar to what happens on IPv4, where you can request a previous address and get it if it's available.  With an almost static prefix, you don't need a dynamic DNS, as a regular one will work fine.



  • Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

    Are you saying that pfSense has no way to do this without manual intervention?



  • @bigtfromaz:

    Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

    Are you saying that pfSense has no way to do this without manual intervention?

    When I first started using pfSense, my prefix would change for something as little as disconnecting & reconnecting the Ethernet cable.  Then an option "Do not allow PD/Address release", on the WAN tab, was added.  With that selected, my prefix does not change.



  • Already did that but still got a new prefix on a reboot.  No idea why but it's their address and they can do what they want.

    Note that I am not looking for ways to avoid the change.  I am looking for ways to manage or accommodate the change without manual intervention.  This way any outage, no matter how rare, could be managed without manual intervention.

    I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

    I would like to avoid writing a dynamic prefix change detection script.  I am not a UNIX expert, nor do I have any experience managing firewall rules from a script.  The learning curve would be substantial.



  • I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.
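
    As an added example (not code from this thread, and not pfSense's own), the following Python shows the mechanics behind the last two posts and the earlier explanation of how devices form their addresses from the advertised prefix: how the MAC-based (modified EUI-64) address that DNS should point at is built, how to tell it apart from a privacy address, and how a rule destination can be renumbered by keeping the host bits and swapping in a newly delegated prefix.  The MAC and the 2001:db8::/32 documentation prefixes are constructed values, not anything from the thread.

```python
import ipaddress
from typing import Iterable, List, Dict, Optional


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A).

    The MAC is split in half, 0xFFFE is inserted in the middle and the
    universal/local bit (the 0x02 bit of the first octet) is inverted.
    This is the "MAC based address" the thread refers to: it only changes
    when the NIC does.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host with the given MAC forms inside a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC only forms addresses inside a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_address(addr: str) -> bool:
    """True if the low 64 bits carry the FFFE marker of an EUI-64 identifier.

    Privacy (RFC 4941) addresses use a random identifier and will not match,
    which is how to avoid publishing one of them in DNS.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def stable_address(addrs: Iterable[str]) -> Optional[ipaddress.IPv6Address]:
    """Pick the MAC-derived address out of a host's address list (the one for DNS)."""
    for a in addrs:
        if is_eui64_address(a):
            return ipaddress.IPv6Address(a)
    return None


def renumber(addr: str, new_prefix: str) -> ipaddress.IPv6Address:
    """Keep everything below the delegated prefix length, replace the prefix.

    For a /56 delegation this preserves the 8 subnet bits and the 64-bit
    interface identifier, so a host keeps the same position in the new block.
    """
    net = ipaddress.IPv6Network(new_prefix, strict=False)
    host_mask = (1 << (128 - net.prefixlen)) - 1
    host_bits = int(ipaddress.IPv6Address(addr)) & host_mask
    return ipaddress.IPv6Address(int(net.network_address) | host_bits)


def rewrite_rules(rules: List[Dict], new_prefix: str) -> List[Dict]:
    """Rewrite the 'dst' of each rule for a new delegated prefix; other keys are untouched."""
    return [dict(rule, dst=str(renumber(rule["dst"], new_prefix))) for rule in rules]


if __name__ == "__main__":
    # Constructed example: made-up MAC, documentation prefixes.
    mac = "00:11:22:33:44:55"
    web = slaac_address("2001:db8:1:2::/64", mac)          # LAN is subnet 2 of a /56
    rules = [{"proto": "tcp", "dst": str(web), "port": 443}]
    print("before:", rules)
    print("after: ", rewrite_rules(rules, "2001:db8:ff00::/56"))  # ISP handed out a new /56
```

    The script only does the address arithmetic; on pfSense something still has to notice the prefix change (the delegated prefix is visible on the WAN interface) and push the rewritten addresses into the alias the rule references, which pfSense compiles to a pf table.  Feeding that table from a script is the "work around" bigtfromaz describes, and the part above is the piece that is easy to get wrong by hand.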



  • @JKnott:

    I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

    It would be a nice feature though wouldn't it?



  • @Exocomp:

    IPv6 has something called "privacy addresses", which change regularly.

    I saw those and disabled them, :)

    Why disable privacy addresses?



  • @bigtfromaz:

    @JKnott:

    I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

    It would be a nice feature though wouldn't it?

    This feature has been requested numerous times.



  • Why disable privacy addresses?

    No need for them on a server, where you'd normally use the MAC based address.  However, I also don't see the need to delete them.  They're not hurting anything.



  • OK.  If the feature has been requested numerous times, can anyone tell me if there are facilities for managing the firewall from script?  If so, I guess I would need documentation.  This would appear to be a simple matter of detecting a change to the prefix from a given interface, then changing and applying rules having the old prefix to refer to the new prefix.  It is not a fix, but a work around.

    For now I am going to turn IPv6 off on my WAN interface and set up an opt/gif tunnel using Hurricane Electric.  I have one running in a sandbox and I must be really close to the Phoenix entry point.  It seems to be adding only about 10 ms to my ping times.  It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

    @bimmerdriver:

    @bigtfromaz:

    @JKnott:

    I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.

    It would be a nice feature though wouldn't it?

    This feature has been requested numerous times.



  • @bigtfromaz:

    I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

    Funny you mention this… I asked for this functionality over a year ago. See this: Allow IPv6 firewall entries with dynamic PD prefix + static host address



  • @bigtfromaz:

    It's a shame that Cox, with billions of subnets at their disposal, won't supply a static one to the account.  HE is doing it for free.

    Cox is a typical ISP. HE is not a typical ISP. If HE offered residential internet service, I would pay more for it.


 
