Need some instructions for getting started with IPv6
-
If your ISP is only providing you with a single /64 and isn't providing you with (or a way to get) a prefix, like a /56, its not going to work.
Documentation on how to set it up can be found here: https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv6-wan-types.html -
@Ulysses_ said in Need some instructions for getting started with IPv6:
It gets them from a ADSL modem/router.
So pfsense wan IP is rfc1918? Your device in front of pfsense is doing nat?
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
All pfsense defaults are used. The WAN interface gets IP's by DHCP and DHCPv6. It gets them from a ADSL modem/router. The LAN interface has a static IP and the DHCP server is running giving ubuntu on the LAN side an IPv4 IP.
The usual way to provide IPv6 for residential, small business customers is through DHCPv6-PD. The PD stands for prefix delegation. They will also, by default, have the modem in gateway mode. You want it in bridge or bypass mode. In gateway mode, you will likely have only a single /64 prefxi. In bridge mode, you can have as large a prefix as the ISP will provide. I have a /56, which gives me 256 /64s. So, if you're getting RFC 1918 addresses, as mentioned above, your modem is in gateway mode. Once you're in bridge mode, we can provide further advice.
-
@johnpoz said in Need some instructions for getting started with IPv6:
So pfsense wan IP is rfc1918? Your device in front of pfsense is doing nat?This is what pfsense gets:
This is what ubuntu gets connected directly to the ADSL modem/router:
This is what https://test-ipv6.com/ sees:
Your IPv6 address on the public Internet appears to be 2a02:587:220d:8b00:bafb:6402:b954:9ae5
Can pfsense work around this situation if someone does not want to mess with their ADSL modem/router because the support for it by the ISP is not as good as pfsense's? In other words, how do I do IPv4-style NAT with IPv6?
-
@Ulysses_ said in Need some instructions for getting started with IPv6:
So pfsense wan IP is rfc1918? Your device in front of pfsense is doing nat?
This is what pfsense gets:You're definitely in gateway mode, which is why you have the RFC 1918 address for IPv4. In gateway mode, only devices that are connected directly to the modem will gen an IPv6 address. So, while pfSense gets one, no device on the LAN side will.
-
Can't pfsense give devices on the LAN some different IPv6 addresses and translate them to its own, ie do NAT in IPv6?
-
Yes, it can, but that's an incredibly dumb thing to do. NAT was created to get around the IPv4 address shortage, but breaks some things in the process. There is absolutely no need for it, with the unbelievably huge IPv6 address space. A single /64 contains as many addresses as the entire IPv4 address space squared!
Why don't you want to use bridge mode?
-
Because the support for that modem/router by the ISP is not as good as pfsense's here and if anything goes wrong I will be stuck offline and unable to ask you guys or research, even the telephone might not work to call the ISP. What problems would NAT create in our context?
-
Well, on IPv4, you just get another layer of it, so either way you have the same problems. For example, with NAT, VoIP and some games require use of an STUN server, just so that the app knows the real world IP address. With IPSec, NAT breaks authentication headers, which are used to verify the packet hasn't been tampered with. There are other issues. On IPv6, with that modem in gateway mode, you are guaranteeing pfSense cannot properly provide IPv6 to your LAN.
Also, pfSense is likely a much better firewall than what's in your modem. You don't need the one in the modem. As for your modem, call your ISP to ask how to enable bridge or pass through mode for the modem. Lots of other people have a similar setup and the ISP should be able to advise you. Also, the configuration for the Internet connection should have no effect on that modem providing phone or TV service. They are completely independent services that simply happen to share the same box.
People's minds have been poisoned by NAT, so they now no longer how to properly do things with the Internet. This is just one example.
-
Once in bridged mode, can ordinary devices still connect to the modem directly without too much configuration?
-
I assume you're referring to computers and such. Yes, you can connect one device directly to the modem (with mine, I can connect 2) and it will work. For more, on a LAN, you'd use pfSense in place of the router in the modem. It will still provide NAT for IPv4, nothing you can do about that, but on IPv6, you can have one or more (V)LANs, each providing a /64. Devices connected with then have one or more global addresses. With SLAAC and privacy addresses, each device will have 9 after a week.
-
The wifi will not work, will it. I would miss accessing the internet from my smartphone using that. Also pfsense is used in a VM in my main computer so to use several devices at the same time some more hardware would be needed (nic's). STUN doesn't sound like I'd ever need it.
-
The modem's WiFi probably won't work. If it did, it would be entirely outside of pfSense. However, there's nothing to stop you from having your own access point. You can get dedicated APs or just use an old router as an AP. I have a separate AP, which uses power over Ethernet. This means I can place it in the best place, rather than what's handy for installing the modem. As for the VM, you could use separate NICs or VLANs & a managed switch to separate things.
-
Anyway, I know it's a bad practise and strongly discouraged everywhere, but let's pretend I need the wifi and don't have the $5 to buy nic's, how is NAT done? It is just a line or two of iptables rules in linux for IPv4, can't be too hard in pfsense and IPv6.
-
I have never set up NAT on IPv6, so no help there. However, other than WiFi, there should be no difference between using the modem in gateway and bridge modes. You'd still connect the LAN side exactly the same way. Do you not have an old router kicking around that you can use as an AP?
-
No but I have a wifi usb adapter than probably can act like an ap. Alternatively, how do we do the following in pfsense:
https://serverfault.com/questions/929044/ip6tables-is-not-masquerading-source-address
-
I don't know how well that USB adapter would work. FreeBSD, which pfSense is built on is not that great with WiFi. As for that link, that's about iptables, not ipfilter, which FreeBSD uses.
-
It boils down to the following rules, is the equivalent functionality available in the web interface somewhere? In a package somewhere? In ipfilter?
-A PREROUTING -d 2001:470:4a71:f170::/64 -i eth0 -j DNAT --to-destination fdde:ad00:beef:0:91f5:6dd4:e66f:cf5b
-A POSTROUTING -s fdde:ad00:beef::/64 -o eth0 -j MASQUERADE
-A POSTROUTING -s fd11:22::/64 -o eth0 -p udp -j MASQUERADE
-A POSTROUTING -s fd11:22::/64 -o eth0 -p tcp -j MASQUERADE
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -
@JKnott said in Need some instructions for getting started with IPv6:
As for that link, that's about iptables, not ipfilter, which FreeBSD uses.
It's also not for pf, which pfSense uses.
OP- I'd expect you could use NPT, which is covered in the Netgate docs.
What exactly is the reason for needing ipv6? Your setup seems complicated enough, what with the virtualized firewall on the workstation and the double nat. -
@dotdash said in Need some instructions for getting started with IPv6:
As for that link, that's about iptables, not ipfilter, which FreeBSD uses.
It's also not for pf, which pfSense uses.
Sorry my mistake. Either way, it doesn't use iptables. I used to use iptables, when I had a Linux based firewall and ipchains before that. However, I never really got into the rules for iptables, as the firewall configuration in SUSE Linux handled most of my needs.