IPv6 and Ip renumbering



  • Hi,

    basically, I want to know whether or not pfSense supports my setup. I have not found specific information on my questions.

    I come from a Sophos UTM and have been using this setup quite some time. I want to switch to another firewall as Sophos limits the UTM home license to 50 IPs. (Which does not work well with IPv6 and temporary IP addresses).

    Following setup:

    • PC Engines APU (headless AMD box with 3 Ethernet interfaces; I know pfSense works there, I have another installation at a church using pfSense, but IPv4 only).
    • DrayTek Vigor 130 modem, PPPoE passthrough; the firewall makes the connection.
    • Telekom (Germany) VDSL, using PPPoE
    • Telekom offers native Dual Stack IPv4/IPv6.

    The Sophos UTM WAN interface gets its IPv4 and IPv6 addresses using DHCP; I get an advertised /56 network, I can then assign IPv6 addresses to my LAN and DMZ interfaces and make an RA on the LAN to advertise a /64 network there for the devices to use.
    Telekom does, from time to time, give a new IPv4 address and a new advertised IPv6 prefix. Sophos then automatically renumbers all of the advertisements, interface addresses and even host objects that I use for firewall policies.

    Will this work using pfSense? If so, I will reinstall immediately!

    All the best,

    Thomas


  • LAYER 8 Global Moderator

    Yeah, you can track the PD you're given and assign different /64s to the different LAN segments..

    While sure, the RA will update itself with the new PD if it changes, etc. There might be some blips when this happens, etc. etc.

    As to host objects for rules - this might be a bit trickier.. How exactly do you create the host objects in the UTM? What are they based on - MAC address? DNS record?

    Just from my own curiosity - I don't get why people continue to cause themselves grief with IPv6.. What exactly are you accessing or doing that actually requires IPv6? Seems use of IPv6 is forcing you to move off a product you're otherwise happy with because of license cost. And then have to work with a new system, and along with that have changing IPv6 space that is going to possibly cause you added work in firewall rules - blips when it changes, etc. etc. Wouldn't it just be simpler to not leverage IPv6 at this time? Or use it in a limited fashion for your learning and playing that doesn't cause you extra work and grief in management of your network..

    If your ISP likes to change address space on you - wouldn't it be easier to just get a free tunnel from HE that will never change IPv6 space.. You can even move to different ISPs and keep the same space. Allows you to have full control of the /48, PTRs, etc. etc.. Then allows you to assign whatever /64s you want out of the space on your different segments, etc. etc.

    Sorry if off topic - but I just don't get why people deal with stuff that causes them extra work when there are simpler, easier to manage and implement solutions that are right there for free.

    While I have been playing with IPv6 for years and years - and do run it on my network in a controlled manner. Even provide services to the public on it (NTP server, IPv4 and IPv6, to the pool). And at some point when I get around to it will make my Plex server available via IPv6 to my friends and family - none of whom have clue one as to what IPv6 even is ;) I have yet to find an actual NEED for it, to be honest... Sure it's the future - but it's not next week sort of future, shoot it's not even next year future to be honest. I will more than likely be retired from the biz (15 years ish) before it actually becomes "required" etc.

    So you're just doing this because you want to? I take it ;)
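The two points raised above, tracking the delegated prefix and carving one /64 per LAN segment out of it, and what a prefix change does to rules that name specific hosts, can be made concrete in a few lines. The following is an added example and is not code from either poster or from pfSense itself: it reproduces in plain Python what pfSense's "Track Interface" mode with a per-interface prefix ID does, and then shows the address rewrite a host object needs when the ISP hands out a new delegation. The /56 prefixes and host objects are constructed from the 2001:db8::/32 documentation range, not real Telekom assignments.

```python
import ipaddress
from typing import Dict


def track6_subnet(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 with the given prefix ID out of a delegated prefix.

    This mirrors pfSense's "Track Interface" mode: the WAN receives the PD
    via DHCPv6, and each LAN-side interface selects one /64 from it by its
    (hexadecimal) IPv6 Prefix ID. Raises on a PD too small to hold the ID.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is smaller than a /64; nothing to carve")
    available = 1 << (64 - pd.prefixlen)          # number of /64s in the PD
    if not 0 <= prefix_id < available:
        raise ValueError(f"prefix ID {prefix_id:#x} outside {pd} ({available} /64s)")
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def renumber_address(addr: str, old_pd: str, new_pd: str) -> ipaddress.IPv6Address:
    """Move one address from old_pd to new_pd, keeping its subnet ID and IID.

    Only the bits covered by the delegation length are replaced; everything
    below it (the /64 chosen by the prefix ID plus the 64-bit interface
    identifier) is preserved, which is exactly what a static suffix such as
    ::80 relies on. Addresses outside old_pd (link-local, other space) are
    returned unchanged rather than being rewritten by mistake.
    """
    a = ipaddress.IPv6Address(addr)
    old = ipaddress.IPv6Network(old_pd, strict=True)
    new = ipaddress.IPv6Network(new_pd, strict=True)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new delegations differ in size")
    if a not in old:
        return a
    low_mask = (1 << (128 - old.prefixlen)) - 1
    return ipaddress.IPv6Address(int(new.network_address) | (int(a) & low_mask))


def renumber_hosts(hosts: Dict[str, str], old_pd: str, new_pd: str) -> Dict[str, str]:
    """Apply renumber_address to a name -> address table of host objects."""
    return {name: str(renumber_address(ip, old_pd, new_pd)) for name, ip in hosts.items()}


# Constructed sample data (documentation prefixes, not a real delegation).
OLD_PD = "2001:db8:aa00::/56"
NEW_PD = "2001:db8:bb00::/56"
HOST_OBJECTS = {
    "lan-nas": "2001:db8:aa00::10",      # LAN, prefix ID 0x0, static suffix ::10
    "dmz-web": "2001:db8:aa00:1::80",    # DMZ, prefix ID 0x1, static suffix ::80
    "dmz-web-ll": "fe80::1",             # link-local: not part of the delegation
}

if __name__ == "__main__":
    for segment, pid in (("LAN", 0x0), ("DMZ", 0x1)):
        print(f"{segment}: {track6_subnet(OLD_PD, pid)} -> {track6_subnet(NEW_PD, pid)}")
    for name, ip in renumber_hosts(HOST_OBJECTS, OLD_PD, NEW_PD).items():
        print(f"{name}: {HOST_OBJECTS[name]} -> {ip}")
```

The interface subnets and RAs follow the new delegation on their own because they are derived from it; rules that name literal global addresses are the part that needs the rewrite shown in `renumber_hosts`. Where a rule can be expressed against the interface's own network (the "LAN net" style macros pfSense offers) rather than a literal address, it follows the prefix change automatically and no renumbering step is needed.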



  • Hi,

    thanks for the quick response!

    actually, I don't need IPv6, but, as we in Germany say, it is sort of a chicken-egg problem. If nobody uses it, then no services will be made available. If no services are available, no one will use it.

    Anyhow, the German Telekom started Dual Stack quite some time ago, and I want to use it, if only for the reason of it being the future, and no immediate need. I expect current devices to use it where possible. But you are right, no necessary need has arisen, yet.

    To solve my problem: a guy in the German Telekom forum asked the same questions, to which somebody else posted screenshots. They work perfectly for my setup. So I will leave the link here for documentation purposes:
    German Telekom Forum
    This setup does exactly what I want and it works without further config need.

    All the best,

    Thomas