Netgate Discussion Forum

    Need some instructions for getting started with IPv6

    • JKnottJ
      JKnott @Ulysses_
      last edited by

      @Ulysses_

      The modem's WiFi probably won't work. If it did, it would be entirely outside of pfSense. However, there's nothing to stop you from having your own access point. You can get dedicated APs or just use an old router as an AP. I have a separate AP, which uses power over Ethernet. This means I can place it in the best place, rather than what's handy for installing the modem. As for the VM, you could use separate NICs or VLANs & a managed switch to separate things.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • U
        Ulysses_
        last edited by

        Anyway, I know it's a bad practice and strongly discouraged everywhere, but let's pretend I need the wifi and don't have the $5 to buy NICs, how is NAT done? It is just a line or two of iptables rules in Linux for IPv4, can't be too hard in pfSense and IPv6.

        • JKnottJ
          JKnott @Ulysses_
          last edited by

          @Ulysses_

          I have never set up NAT on IPv6, so no help there. However, other than WiFi, there should be no difference between using the modem in gateway and bridge modes. You'd still connect the LAN side exactly the same way. Do you not have an old router kicking around that you can use as an AP?

          • U
            Ulysses_ @JKnott
            last edited by

            No, but I have a wifi USB adapter that probably can act like an AP. Alternatively, how do we do the following in pfSense:

            https://serverfault.com/questions/929044/ip6tables-is-not-masquerading-source-address

            • JKnottJ
              JKnott @Ulysses_
              last edited by

              @Ulysses_

              I don't know how well that USB adapter would work. FreeBSD, which pfSense is built on, is not that great with WiFi. As for that link, that's about iptables, not ipfilter, which FreeBSD uses.

              • U
                Ulysses_
                last edited by Ulysses_

                It boils down to the following rules, is the equivalent functionality available in the web interface somewhere? In a package somewhere? In ipfilter?

                -A PREROUTING -d 2001:470:4a71:f170::/64 -i eth0 -j DNAT --to-destination fdde:ad00:beef:0:91f5:6dd4:e66f:cf5b
                -A POSTROUTING -s fdde:ad00:beef::/64 -o eth0 -j MASQUERADE
                -A POSTROUTING -s fd11:22::/64 -o eth0 -p udp -j MASQUERADE
                -A POSTROUTING -s fd11:22::/64 -o eth0 -p tcp -j MASQUERADE
                -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

                • dotdashD
                  dotdash @JKnott
                  last edited by

                  @JKnott said in Need some instructions for getting started with IPv6:

                  As for that link, that's about iptables, not ipfilter, which FreeBSD uses.

                  It's also not for pf, which pfSense uses.

                  OP- I'd expect you could use NPT, which is covered in the Netgate docs.
                  What exactly is the reason for needing ipv6? Your setup seems complicated enough, what with the virtualized firewall on the workstation and the double nat.

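The NPT suggested in the post above is stateless one-to-one prefix translation (NPTv6, RFC 6296), unlike the many-to-one MASQUERADE rules quoted earlier in the thread. As an added example, not code from the thread or from pfSense, the Python below applies RFC 6296's checksum-neutral mapping to the two prefixes from those rules; pairing the prefixes this way, and whether pfSense's NPt performs the same word adjustment, are assumptions.

```python
import ipaddress

def words16(value):
    """Split a 128-bit integer into eight 16-bit words, high word first."""
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def address_checksum(addr):
    """Ones' complement sum of an address's words, reduced to 0..0xFFFE."""
    return sum(words16(int(ipaddress.IPv6Address(addr)))) % 0xFFFF

def npt_translate(addr, from_prefix, to_prefix):
    """Map addr from from_prefix into to_prefix, RFC 6296 style."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    ip = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must be the same length, /64 or shorter")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    # Step 1: swap the prefix bits, keep every host bit unchanged.
    swapped = int(dst.network_address) | (int(ip) & int(src.hostmask))
    words = words16(swapped)
    # Step 2: the prefix swap changed the address checksum by this amount.
    adj = (address_checksum(addr) - sum(words)) % 0xFFFF
    # Step 3: add the difference back into one word so the sum is unchanged.
    # /48 or shorter: the subnet word; longer: first IID word not 0xFFFF.
    candidates = [3] if src.prefixlen <= 48 else [4, 5, 6, 7]
    for i in candidates:
        if words[i] != 0xFFFF:
            words[i] = (words[i] + adj) % 0xFFFF
            break
    else:
        raise ValueError("no 16-bit word can carry the adjustment")
    out = 0
    for w in words:
        out = (out << 16) | w
    return str(ipaddress.IPv6Address(out))

# Prefixes and host address taken from the iptables rules quoted in the thread.
INSIDE, OUTSIDE = "fdde:ad00:beef::/64", "2001:470:4a71:f170::/64"
HOST = "fdde:ad00:beef:0:91f5:6dd4:e66f:cf5b"

if __name__ == "__main__":
    mapped = npt_translate(HOST, INSIDE, OUTSIDE)
    print(HOST, "->", mapped)
    print(mapped, "->", npt_translate(mapped, OUTSIDE, INSIDE))
```

Because the mapping is reversible and keeps no state, every inside host has one fixed outside address, so inbound exposure is decided by the firewall rules and not by the translation.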
                  • JKnottJ
                    JKnott @dotdash
                    last edited by

                    @dotdash said in Need some instructions for getting started with IPv6:

                    As for that link, that's about iptables, not ipfilter, which FreeBSD uses.

                    It's also not for pf, which pfSense uses.

                    Sorry my mistake. Either way, it doesn't use iptables. I used to use iptables, when I had a Linux based firewall and ipchains before that. However, I never really got into the rules for iptables, as the firewall configuration in SUSE Linux handled most of my needs.

                    • U
                      Ulysses_ @dotdash
                      last edited by Ulysses_

                      What exactly is the reason for needing ipv6? Your setup seems complicated enough, what with the virtualized firewall on the workstation and the double nat.

                      So far it is just that a Windows VM that had to be worked with a while ago required access to something by Microsoft that was IPv6-only, but sooner or later there will be more and more instances of such in ordinary use of a browser, so better get this sorted once and for all.

                      Actually it would be nicer if IPv6 was completely missing in all devices except the pfsense VM. And the modem. IPv6 in them is an unnecessary human-unfriendly complexity if STUN is not needed, NAT could be from IPv4 to IPv6 and should be one of the jobs of the pfsense firewall to keep the user's life simpler and a little more private. You'd visit ipv6.google.com and your browser would think it is an IPv4 site.

                      • GertjanG
                        Gertjan @Ulysses_
                        last edited by

                        @Ulysses_ said in Need some instructions for getting started with IPv6:

                        IPv6 in them is an unnecessary human-unfriendly complexity

                        Strange.
                        That was very valid for IPv4, a couple of decades ago.
                        Stuff like NAT was invented, people are still having huge problems with that, just check out this forum alone.

                        Anyway.
                        There are no more IPv4 left. It's done.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        • U
                          Ulysses_ @Gertjan
                          last edited by

                          If IP's have run out it means support for more IP's is needed, it does not mean everyone with a browser needs them.

                          • JKnottJ
                            JKnott @dotdash
                            last edited by

                            @dotdash said in Need some instructions for getting started with IPv6:

                            What exactly is the reason for needing ipv6?

                            That's where the world is heading. There are nowhere near enough IPv4 addresses to meet the need. I recently posted a link to an article that tells about how there are no longer any IPv4 addresses available in Europe & Middle East, unless someone sells some surplus. Anyone who thinks we shouldn't be moving to IPv6 is head in sand stupid.

                            • JKnottJ
                              JKnott @Ulysses_
                              last edited by

                              @Ulysses_ said in Need some instructions for getting started with IPv6:

                              If IP's have run out it means support for more IP's is needed, it does not mean everyone with a browser needs them.

                              No, the world has to move to IPv6 and that means everyone. Otherwise we'll wind up in a situation where some people are on IPv4 and others on IPv6, with some means to translate between them. Sticking with IPv4 means sticking with NAT, STUN servers, trying to stretch IPv4 addresses more and more, with more things breaking. Even Vint Cerf, one of the developers of TCP/IP, said 32 bits was only used for proof of concept and the plan was to go with much longer addresses. IPv4 is a dead end and it's long past time to move to IPv6. I've been using it for almost 10 years.

                              • U
                                Ulysses_
                                last edited by Ulysses_

                                It wouldn't be half the world sticking with IPv4 and NAT or NAT46, it would be guys in particular situations, such as wanting to keep that old wifi up and running while using pfsense as a firewall. If pfsense's job is to act in the middle, NAT or NAT46 or NAT64 or DNS46 or DNS64 are all legitimate pfsense functionalities for particular scenarios. And quoting someone from a link given above:

                                "And for the "IPv6 doesn't need NAT!" brigade - sometimes you DO need it, for example if you want to run Docker containers on AWS. It doesn't support DHCP PD so you're stuck with NAT."

                                • JKnottJ
                                  JKnott @Ulysses_
                                  last edited by

                                  @Ulysses_

                                  WiFi should be transparent to the protocol. You should be able to run IPv4, IPv6, Appletalk, IPX and DECNet without issue, as WiFi is a layer 2 transport, not layer 3 where IPv4 & 6 are.

                                  Why is NAT needed with Docker on AWS? What would you do if NAT wasn't available?

                                  • GertjanG
                                    Gertjan @JKnott
                                    last edited by

                                    @JKnott said in Need some instructions for getting started with IPv6:

                                    WiFi should be transparent to the protocol. You should be able to run IPv4, IPv6, Appletalk, IPX and DECNet without issue, as WiFi is a layer 2 transport, not layer 3 where IPv4 & 6 are

                                    Exact.
                                    My close-to-a-decade-old Wifi AP's transport just fine IPv4 and IPv6 used by iPhone and other devices.

                                    • dotdashD
                                      dotdash @JKnott
                                      last edited by

                                      @JKnott said in Need some instructions for getting started with IPv6:

                                      That's where the world is heading. There are nowhere near enough IPv4 addresses to meet the need. I recently posted a link to an article that tells about how there are no longer any IPv4 addresses available in Europe & Middle East, unless someone sells some surplus. Anyone who thinks we shouldn't be moving to IPv6 is head in sand stupid.

                                      Putting that aside for the moment, I was asking why a home user, running pfSense in a VM, already double natting and unwilling to change that, needs to bother with ipv6. Maybe if he had a firewall that the whole network was using, not just him and his vms, or if it wasn't behind the isp's nat box...

                                      • U
                                        Ulysses_ @Gertjan
                                        last edited by

                                        My close-to-a-decade-old Wifi AP's transport just fine IPv4 and IPv6 used by iPhone and other devices.

                                        I think you may have missed the point. The wifi AP here fully supports IPv6. But we are asked to remove the router function from the modem/router which I believe will stop wifi working but I may be wrong, maybe the modem can be used simultaneously by 4 ethernet devices and lots of wifi ones without a router function.

                                        • JKnottJ
                                          JKnott @dotdash
                                          last edited by

                                          @dotdash said in Need some instructions for getting started with IPv6:

                                          already double natting and unwilling to change that,

                                          Perhaps we should be asking why they're unwilling to change. NAT is a curse on networks, caused by the inadequate IPv4 address space.

                                          In my own network, I get a single IPv4 address, which I have to NAT to handle all my devices. I have no choice in the matter. On IPv6, I have a block of 4.72236648287 x 10²¹ addresses, so no NAT needed. Every IPv6 capable device gets global unique addresses. This means I can directly access any of those devices from elsewhere, without having to worry about port forwarding, etc.

                                          • JKnottJ
                                            JKnott @Ulysses_
                                            last edited by

                                            @Ulysses_ said in Need some instructions for getting started with IPv6:

                                            But we are asked to remove the router function from the modem/router

                                            We are here because we use pfSense. Most people running pfSense will put their modem into bridge mode and let pfSense handle everything for routing and firewall. The WiFi is a secondary issue and you're likely better off with a proper AP anyway. It is not IPv6 that's causing this issue, it's your sticking with the modem in gateway mode.

                                            BTW, I live in a condo. If I relied on the modem WiFi, I would have a great signal at one end, but poor at the other. By using a PoE AP, I was able to put it roughly in the middle of my unit and so get a good signal throughout. My AP is high up on the wall in my laundry room. Very often, sticking with the WiFi on the modem results in a poorer signal. Also, the firewall that's built into my modem is crap that's nowhere near as capable as pfSense. So, considering WiFi signal, IPv6 and firewall, I'm far better off with the modem in bridge mode.
