Netgate Discussion Forum

Dynamic IPv6 Prefix assignment issue in xDSL users

  • D
    Derelict LAYER 8 Netgate
    last edited by Derelict Jan 10, 2019, 5:03 PM Jan 10, 2019, 5:03 PM

    As has been stated, if your ISP has broken IPv6 (and it sounds like that is the case), I would bug them about it. The S in ISP is for Service.

    In the meantime, as has been mentioned, you can get a static /48 - free - from www.tunnelbroker.net.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)

    • C
      chaispaquichui
      last edited by Jan 12, 2019, 10:00 AM

      I'm sorry but "change of ISP" or "stop paying" is not an answer...

      I live in Belgium and I have the exact same problem: ALL the ISPs give dynamic prefixes and they don't give a shit about my complaints.

      There is a feature request for this problem on the tracker

      https://redmine.pfsense.org/issues/4881

      With this feature, we could use ULA on the LAN and NAT the prefix... But it has been dead for 2-3 years :(

      pfSense already has static NPT, just make it dynamic please

      English is not my first language, sorry

      • D
        Derelict LAYER 8 Netgate
        last edited by Jan 12, 2019, 11:51 AM

        https://www.tunnelbroker.net/

        • C
          chaispaquichui
          last edited by Jan 12, 2019, 12:18 PM

          "Yeah, just use a tunnel broker and add 10-15ms of latency for each IPv6 connection, it's fine"

          No, it's not. I really don't understand your attitude... pfSense is already capable of doing static NPT, you know it's a thing and there is a feature request for dynamic NPT... You can implement it and solve this stupid issue...

          • G
            Grimson Banned @chaispaquichui
            last edited by Jan 12, 2019, 12:27 PM

            @chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:

            "Yeah, just use a tunnel broker and add 10-15ms of latency for each IPv6 connection, it's fine"

            So what? Those few ms won't kill you.

            NAT is ugly and has to die as fast as possible, reviving it for IPv6 would be more than stupid.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz Jan 12, 2019, 12:38 PM Jan 12, 2019, 12:30 PM

              There is a HE pop in Amsterdam, NL - I doubt that is going to add 10-15ms to your path.. Maybe 2 or 3 tops.. It's only what, 200 miles from one side of Belgium to the other side of NL.. So yeah, let's at worst call it 3 ms..

              Also one in Frankfurt - about the same distance.. Paris as well isn't far from any point in Belgium... So you have like 3 that I know of that are what, 3ms from anywhere you could be in Belgium.. I could see your point if the closest pop was 3000 miles away from you... But the EU is pretty freaking tiny when it comes to total latency anywhere.. Adding 3ms is not going to be any sort of issue.

              Added bonus is the /48 you get.. You can use that on ANY ISP you move to.. I have had the same /48 since 2013.. My current ISP doesn't even have any IPv6.. Same addressing...

              That is going to be way better than doing some nonsense nat on ipv6 because your isp is stupid.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • D
                Derelict LAYER 8 Netgate @chaispaquichui
                last edited by Derelict Jan 12, 2019, 2:51 PM Jan 12, 2019, 2:50 PM

                @chaispaquichui said in Dynamic IPv6 Prefix assignment issue in xDSL users:

                "Yeah, just use a tunnel broker and add 10-15ms of latency for each IPv6 connection, it's fine"

                No, it's not. I really don't understand your attitude... pfSense is already capable of doing static NPT, you know it's a thing and there is a feature request for dynamic NPT... You can implement it and solve this stupid issue...

                Your ISP can deploy IPv6 correctly and solve this stupid issue.

                • C
                  chaispaquichui
                  last edited by Jan 12, 2019, 2:51 PM

                  I understood you are not going to implement dynamic NPT but I will stand my case until the end!

                  Thx for your answer johnpoz but ironically, I know this pop in Amsterdam... I used it for 2 years, before my ISP started giving me native IPv6 addresses. I know for a fact that it gives me 10 or 15 ms of extra latency, I experimented it :(

                  "NAT is ugly and has to die as fast as possible, reviving it for IPv6 would be more than stupid."

                  There is no such thing as an "evil" protocol. The NAT you are referring to is "PAT", NPT is not the same.

                  I'm not saying you should always do NAT with IPv6, far from it! But NPT has some use cases

                  • You want to do IPv6 multihoming without BGP? You can use NPT
                  • You want to be able to leave your ISP without having to renumber your LAN? You can use NPT
                  • You want to give the middle finger to greedy ISPs who give you a dynamic prefix? You can use NPT

                  "That is going to be way better than doing some nonsense nat on ipv6 because your isp is stupid."

                  It's not "nonsense", it's a solution to a real problem :( My ISP is not stupid, he is greedy. If I want a static prefix, I can... I just need to pay 2 or 3 times the actual price of my connection. And this ISP is not the first to do that and he is not going to be the last.

                  You know what is truly ironic? I just discovered that pfSense is able to do PAT for IPv6!

                  0_1547304536611_79aa8f9c-def8-4bb3-97b5-d2d8e15462bc-image.png

                  My problem is solved !

                  But it's ugly and I don't want to do that... Pfsense can do static NPT and PAT for IPv6, please add dynamic NPT, it's less ugly

                  • C
                    chaispaquichui
                    last edited by chaispaquichui Jan 12, 2019, 2:59 PM Jan 12, 2019, 2:55 PM

                    0_1547304942258_efdd7ed1-d0e5-4c29-927b-b046f4566e37-image.png

                    Are you kidding me ?

                    Edit: okay, thx for the clarification!

                    • N
                      NogBadTheBad
                      last edited by NogBadTheBad Jan 12, 2019, 2:57 PM Jan 12, 2019, 2:57 PM

                      It could be the forum seeing you post from a different IP address, it's not people disliking your post.

                      https://forum.netgate.com/topic/137638/posts-being-marked-as-spam-on-my-lan

                      Andy

                      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by Jan 12, 2019, 3:02 PM

                        Well, it's possible your ISP doesn't peer with HE and you're taking a long path to get to that pop, try one of the other pops in the EU that are also only about 200 some miles from anywhere in Belgium.

                        • D
                          dem @Derelict
                          last edited by Jan 17, 2019, 2:14 PM

                          If you need a firewall that will automatically track a changing prefix delegation and adjust firewall rules, etc, pfSense is not for you.

                          You should maybe put that on the SG-1100 product page. I bet tens of millions of residential users in the US can't get static IPv6.

                          @chaispaquichui Thank you for pointing out that NAT (or PAT, whatever) works fine with IPv6. Though ugly it solves a real problem, and perhaps allows Multi-WAN without static IPv6 from either provider.

                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz Jan 17, 2019, 2:18 PM Jan 17, 2019, 2:17 PM

                            Rules are dynamically adjusted when the tracked prefix changes on the LAN side interfaces, that is the whole point of using the built-in "network" aliases... They allow you to create rules so even if the interface's network changes the rules would allow clients in this new network to still be allowed through the rules, etc.

                            If you hard code a cidr and that network changes - that would be on you.

                            • D
                              Derelict LAYER 8 Netgate @dem
                              last edited by Jan 17, 2019, 6:02 PM

                              @dem said in Dynamic IPv6 Prefix assignment issue in xDSL users:

                              If you need a firewall that will automatically track a changing prefix delegation and adjust firewall rules, etc, pfSense is not for you.

                              You should maybe put that on the SG-1100 product page. I bet tens of millions of residential users in the US can't get static IPv6.

                              Right, but many providers understand how IPv6 works and honor the DUID and very, very rarely change the prefix delegation. A change in PD is nearly always due to mitigating circumstances, such as you changing the DUID you send.

                              I personally have dynamic IPv6 from Cox and get the same PD every time. This is because Cox "gets it."

                              Dynamic IPv6 works fine when properly-implemented at the ISP side. Have you complained to them? If they want to do something nonstandard, you might be relegated to using their "residential gateway" hardware if you choose to use them for ISP service.

                              @grimson said in Dynamic IPv6 Prefix assignment issue in xDSL users:

                              Many German ISPs actually enforce a regular IP change for IPv4 and prefix change for IPv6. That is intended by the ISPs because a fixed IP is a premium option for their business offerings.

                              This, if factual, is the problem. Not lack of documentation on the pfSense site. And this is nothing specific to the SG-1100.

                              • D
                                Derelict LAYER 8 Netgate @johnpoz
                                last edited by Derelict Jan 17, 2019, 6:41 PM Jan 17, 2019, 6:10 PM

                                @johnpoz said in Dynamic IPv6 Prefix assignment issue in xDSL users:

                                Rules are dynamically adjusted when the tracked prefix changes on the LAN side interfaces, that is the whole point of using the built-in "network" aliases... They allow you to create rules so even if the interface's network changes the rules would allow clients in this new network to still be allowed through the rules, etc.

                                If you hard code a cidr and that network changes - that would be on you.

                                Right but that is only part of the problem.

                                Making things like DMZs you would have to take great care when blocking access to other local subnets. Since we can't just use the Block Everything RFC1918 hammer any more.

                                For instance you could get a /56 PD and route a /60 or whatever to a downstream switch. That would not be contained in any interface subnet auto-alias. So there's another place that would need to be changed when a PD was maliciously changed by the ISP. I'm sure there are hundreds of places.

                                The whole point is to put public addresses everywhere on the inside. This type of behavior is unheard of in the IPv4 space. Why should it be tolerated in IPv6?

                                ISPs should not change PDs willy-nilly or should be killed by customer dissatisfaction and churn.

                                • J
                                  johnpoz LAYER 8 Global Moderator @Derelict
                                  last edited by Jan 17, 2019, 7:24 PM

                                  @derelict said in Dynamic IPv6 Prefix assignment issue in xDSL users:

                                  ISPs should not change PDs willy-nilly or should be killed by customer dissatisfaction and churn.

                                  Yup completely agree!!! Once they give me my /48 it should be mine until I am no longer a customer.. It should never change.. If they only want to give a /56 or even a /60 ok... But once given to me, it should never change..

                                  • P
                                    pfadmin
                                    last edited by Jan 18, 2019, 8:49 AM

                                    With DUID, Telekom changes the IPv6 rarely, but it changes. That's reality, a fact we cannot change. So ignore the users, it's ok. Or do a little bit of coding! Give us an alias which I can add to my rules. I can build my rules with this alias and not have to look and change manually. And give this alias to the DNS Resolver, where I can build the server IP from the alias and a known interface identifier. We can discuss what one of the biggest telcos should do or not, or we can just solve the problems/wishes of potentially millions of users in Europe.

                                    thanks

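Added example, not written by any poster above and not pfSense code: a small audit for the two places named in the posts above where a changed prefix delegation leaves stale entries, namely a routed /60 that no interface "network" alias covers, and a host address built from the prefix plus a fixed interface identifier. The prefixes come from the 2001:db8::/32 documentation range, and the rule names and the `rebase`/`audit` functions are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation prefixes, made-up rule names.
OLD_PD = "2001:db8:1200::/56"   # delegation the rules were written against
NEW_PD = "2001:db8:ab00::/56"   # delegation received after the ISP changed it
RULES = [
    ("dmz-block-lan", "2001:db8:1200:1::/64"),      # interface subnet
    ("downstream-route", "2001:db8:1200:10::/60"),  # routed /60, in no interface alias
    ("dns-host-override", "2001:db8:1200:1::53"),   # prefix + fixed interface identifier
    ("tunnel-static", "2001:db8:ffff::/48"),        # static prefix, not part of the PD
    ("ula-lan", "fd00:aaaa::/48"),
]


def rebase(entry, old_pd, new_pd):
    """Return entry moved from old_pd into new_pd, or None if it is not inside old_pd.

    The subnet ID and interface identifier (all bits below the old PD length)
    are kept. Raises ValueError when those bits do not fit the new delegation.
    """
    old = ipaddress.ip_network(old_pd)
    new = ipaddress.ip_network(new_pd)
    iface = ipaddress.ip_interface(entry)   # accepts a bare address or a CIDR
    plen = iface.network.prefixlen
    if iface.ip not in old or plen < old.prefixlen:
        return None
    suffix = int(iface.ip) & int(old.hostmask)
    if plen < new.prefixlen or suffix & int(new.netmask):
        raise ValueError(f"{entry} does not fit inside {new_pd}")
    moved = ipaddress.IPv6Address(int(new.network_address) | suffix)
    return f"{moved}/{plen}" if "/" in entry else str(moved)


def audit(rules, old_pd, new_pd):
    """Classify each (name, target) as KEEP, REWRITE (with new value) or MANUAL."""
    report = []
    for name, target in rules:
        try:
            moved = rebase(target, old_pd, new_pd)
        except ValueError as exc:
            # e.g. the ISP now hands out a /60 and the old subnet ID no longer exists
            report.append((name, target, "MANUAL", str(exc)))
            continue
        if moved is None:
            report.append((name, target, "KEEP", target))
        else:
            report.append((name, target, "REWRITE", moved))
    return report


if __name__ == "__main__":
    for row in audit(RULES, OLD_PD, NEW_PD):
        print("%-18s %-24s %-8s %s" % row)
```

Entries reported as MANUAL are the ones to review by hand: their subnet no longer exists under the new delegation, so a rule that used to isolate it has nothing to match.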
                                    • D
                                      Derelict LAYER 8 Netgate @pfadmin
                                      last edited by Jan 18, 2019, 6:08 PM

                                      @pfadmin Pull requests are always appreciated.

                                      • P
                                        pfadmin
                                        last edited by Jan 18, 2019, 7:26 PM

                                        one of those:

                                        https://redmine.pfsense.org/issues/6626

                                        • D
                                          Derelict LAYER 8 Netgate
                                          last edited by Jan 18, 2019, 8:11 PM

                                          A feature request is not a pull request.

                                          A pull request is "here's proposed code to implement/fix this."
