DHCPv6 response cannot go through the pfsense



  • Hi, newbie here. If there is already a post like this, please let me know by giving the link.

    So here is my journey: I have 3 interfaces attached to the pfSense: WAN, LAN, OPT1.
    WAN & OPT1 are IPv6 networks.
    LAN is an IPv4 network. This is used so I can configure the pfSense with an IPv4 network, not for internet.

    I want to bridge the WAN & OPT1. Here are my steps:

    1. I disabled Outbound NAT
    2. net.link.bridge.pfil_bridge = 1
    3. net.link.bridge.pfil_member = 0
    4. Create bridge with WAN & OPT1 as interface member
    5. Activate the bridge interface
    6. Set the IP to none for WAN & OPT1
    7. On the firewall, allow all traffic on WAN, OPT1, and Bridge Interface

    gateway ------ wan ------ pfsense ------ opt1 -------- VM

    I checked that the IP on WAN is already none. Then I created a VM on the OPT1 network using an IPv6 network and set the VM interface to DHCPv6. It does not get the IP address from the WAN interface. After that I rechecked the pfSense, and suddenly the WAN interface IP was there (not null anymore).

    So I think the problem is that the VM's DHCPv6 request is already sent to the WAN gateway, but the response is not going through to the OPT1 network; the pfSense uses it as the WAN address instead. Is there any solution to this?
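
A read-only check of the state listed in steps 2, 3 and 6 above, as an added example that is not part of the original post. The interface names `em0`/`em2`, the function names and the sample output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the bridge state from steps 2, 3 and 6 on the firewall.
#   sysctl net.link.bridge | check_tunables
#   ifconfig | addressed_members em0 em2     # em0/em2: assumed WAN/OPT1 names

# Succeeds only if filtering is on the bridge (pfil_bridge=1) and off on its
# members (pfil_member=0). Reads `sysctl` output on stdin.
check_tunables() {
    awk -F': *' '
        $1 == "net.link.bridge.pfil_bridge" { b = $2 }
        $1 == "net.link.bridge.pfil_member" { m = $2 }
        END { exit !(b == "1" && m == "0") }'
}

# Prints each named member that holds a non-link-local inet6 address; step 6
# expects none. Reads FreeBSD-style `ifconfig` output on stdin.
addressed_members() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) member[w[i]] = 1 }
        /^[a-z]/ { ifn = $1; sub(/:$/, "", ifn) }
        $1 == "inet6" && $2 !~ /^fe80:/ && (ifn in member) && !seen[ifn]++ { print ifn }'
}

# Constructed sample input reproducing the symptom (WAN regains an address).
sample_sysctl() {
    printf '%s\n' 'net.link.bridge.pfil_bridge: 1' 'net.link.bridge.pfil_member: 0'
}
sample_ifconfig() {
    printf '%s\n' \
        'em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500' \
        '    inet6 fe80::20c:29ff:fe00:1%em0 prefixlen 64 scopeid 0x1' \
        '    inet6 2001:db8:10::5 prefixlen 128' \
        'em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500' \
        '    inet6 fe80::20c:29ff:fe00:3%em2 prefixlen 64 scopeid 0x3' \
        'bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500' \
        '    member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>' \
        '    member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>'
}

sample_sysctl | check_tunables && echo "tunables match steps 2-3"
bad=$(sample_ifconfig | addressed_members em0 em2)
[ -z "$bad" ] || echo "members holding a routable IPv6 address: $bad"
```

Run after each DHCPv6 attempt from the VM; a member that appears in the output has picked up an address of its own, which is the symptom reported in the post.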



  • Why would you want to use pfSense as a bridge?
    What kind of connection do you have at your WAN side? Is it static / DHCP / PPPoE?



  • Thanks for the response,

    Why would you want to use pfSense as a bridge?
    We want the pfSense to act as a bridge (and also firewall) so the VM behind the pfSense still gets DHCPv6 from the WAN side and we can create some rules regarding the connection to our VM to improve security. It's part of our trial to compare pfSense with another switch software.

    What kind of connection do you have at your WAN side? Is it static / DHCP / PPPoE?
    It's DHCPv6



  • @bagusf
    If you run it as a bridge it won't be able to act as a firewall at the same time.
    My feeling is that you are trying to use some of your provider's box features while you want pfSense's firewall. I would try to use only one device.
    Do you get a static or dynamic prefix from your provider? We can only help as well as the information you give us.



  • Is that true? Referring to the pfSense documentation, I can use it as a transparent firewall here: https://docs.netgate.com/pfsense/en/latest/interfaces/interface-bridges.html#

    And I followed this guide to make pfSense a bridge between WAN & LAN. The difference is I use WAN & OPT1:
    https://community.adamnet.works/hc/en-us/articles/115002725594-Running-on-a-Transparent-pfSense-Bridge

    Hmm.. Let's just say, I have a PC with VMware installed, connected to an IPv6 network. Inside the VMware I make several VMs for different purposes. To improve the security, I want pfSense to act as bridge and firewall inside the VMware.

    I think the prefix is static.

    Well, I think I already gave a lot of information, including how I configured the pfSense, in the first post. But if it's still not enough, you can ask me.

    thanks



  • @bagusf said in DHCPv6 response cannot go through the pfsense:

    Is that true?

    I have not tried that operation mode, but as your linked document says: "It is normally best to avoid such configurations as they can be problematic, ..." There's a reason why network traffic is divided into layer two and three.

    @bagusf said in DHCPv6 response cannot go through the pfsense:

    And I followed this guide...

    I still fail to understand why you would want to bridge but not to route. What advantages will you get from this?

    @bagusf said in DHCPv6 response cannot go through the pfsense:

    Hmm.. Let's just say, I have a PC with VMware installed, connected to an IPv6 network. Inside the VMware I make several VMs for different purposes. To improve the security, I want pfSense to act as bridge and firewall inside the VMware.

    You won't get increased security with bridging mode. I would consider a Router + Filtered network more secure. But if you think I'm wrong, please try to convince me.

    In the end I think IPv6 has its strengths within routing since it's just large. Exploit that. This guide might give you more comfort idk but I doubt it will be security. Everything you filter in bridged mode you can also filter in routed mode, so.

