Netgate Discussion Forum

    IPv6 no routing from DMZ to internet

    Category: IPv6
    10 Posts 3 Posters 1.3k Views
    tku

      Dear all,

      I've been running pfSense (in a datacenter) for a couple of years with IPv4 without any problems.
      To get connected in the future I would like to use IPv6. My datacenter ISP gives me a static /96 IPv6 block (let's say 2a00:1aa0:0:368:8:0:X:X); to use it as a static WAN address I should use a /64 subnet mask.

      When setting a static IPv6 on my WAN interface (let's say 2a00:1aa0:0:368:8:0:1:1 /64) and enabling IPv6 on my pfSense, my pfSense can ping an IPv6 address. A computer on my DMZ side can't access an IPv6 site, quite logical because I didn't configure any DHCPv6.
      So my plan was to create a DHCPv6 on my DMZ interface for the address 2a00:1aa0:0:368:8:0:2:1, but that's impossible because it's used in the WAN address subnet. Is there a way to fix this so my computer in the DMZ gets a static IPv6 address?

      Another option I've got is to get a dynamic IPv6 on my WAN interface based on DHCPv6 from my provider.
      I also tried this configuration.
      On my DMZ interface I'm tracking IPv6 from my WAN interface; I didn't enable DHCPv6 on DMZ but set 'Router mode' under 'Router Advertisements' to Assisted.
      Result: my pfSense gets an IPv6 address (starting with 2a00:1aa0:0:368:XXXXX) and my box can still ping an IPv6 address successfully.
      My machine in the DMZ gets an IPv6 address (also starting with 2a00:1aa0:0:368), so that looks great, but when I'm trying to ping an IPv6 address or an IPv6-based site I can't connect. (Nice detail: when accessing an IPv6-based site, I can see my Linux machine first attempts to reach the site on its IPv6 address; when there's no connection it falls back to IPv4.)
      My firewall rules allow IPv6 traffic, so that shouldn't be the problem.

      Anyone having an idea how to fix this? And any tips on how to access a machine in my DMZ directly on my static IPv6 address?

      Kind regards
      Tim

      Gertjan @tku

        @tku said in IPv6 no routing from DMZ to internet:

        My datacenter ISP gives me a static /96 IPv6 block (let's say 2a00:1aa0:0:368:8:0:X:X), to use it as a stic WAN address I should use a /64 subnet mask.
        When setting a static IPv6 on my WAN interface (let say 2a00:1aa0:0:368:8:0:1:1 /64) and enabling IPv6 on my PfSense my PfSense can ping and IPv6 address

        Wrong example.

        Your /96 (really /96 ?)
        2a00:1aa0:0:368:8:0:X:X
        overlaps with your LAN (== DMZ) /64 :
        2a00:1aa0:0:368:8:0:1:1

        Don't the numbers look more like:
        2001:470:1f12:5c0::2 which is (close to) a /128
        and a first /64 like
        2001:470:1f24:5c0:2::1
        ?

        It's like putting, simply said, 192.168.1.1 on WAN and 192.168.1.2 on LAN.
        That will stop routing for sure.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        tku @Gertjan

          And yes, I really got a /96 subnet (don't know what to do with 4 million addresses...).
          I changed the numbers a little bit to 'mask' my machine.

          @Gertjan said in IPv6 no routing from DMZ to internet:

          It's like putting, simply said, 192.168.1.1 on WAN and 192.168.1.2 on LAN.
          That will stop routing for sure.

          Agree, I can imagine that it will not work when assigning a static address.
          I don't understand why it's not working when getting a dynamic IPv6 address on WAN and letting the DMZ interface track this interface. Should I create a static route somewhere myself or create some kind of bridge?

          Gertjan @tku

            @tku said in IPv6 no routing from DMZ to internet:

            my DMZ interface for the address 2a00:1aa0:0:368:8:0:2:1

            Just assign the first /64 to your LAN or other LAN-type interface.

            [attached screenshot, not reproduced]

            Btw: My WAN IPv6 is a /128.


            JKnott @tku

              @tku said in IPv6 no routing from DMZ to internet:

              To get connected in the future I would like to use IPv6. My datacenter ISP gives me a static /96 IPv6 block (let's say 2a00:1aa0:0:368:8:0:X:X), to use it as a stic WAN address I should use a /64 subnet mask.

              With a /96, you're limited to static configuration as neither SLAAC nor DHCPv6 will work. Both require a /64. Also, why are they telling you to use a /64 prefix, but giving you only a /96?

              And yes, I really got a /96 subnet (don't know what to do with 4 million addresses...).

              I have a /56 at home. That's 2^72 addresses or 256 /64s all to myself. Some ISPs hand out /48s. So, I don't know why they'd give you just a /96. Other than for point to point links, /64 is the normal prefix size for a LAN.

              Btw : My WAN IPv6 is a /128.

              That means your WAN address is not used for routing. Routing on IPv6 is often done with link local addresses.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              Gertjan @JKnott

                @JKnott said in IPv6 no routing from DMZ to internet:

                Btw : My WAN IPv6 is a /128.

                That means your WAN address is not used for routing.

                Well, yes, no, whatever.
                It's the he.net / GIF setup confusion:
                It's this

                [attached screenshot, not reproduced]
                on the ISP side.

                (note the "Routed IPv6 Prefixes": /64 for initial amusement, and then a whopping /48 for serious local networking)

                And this:
                On my (pfSense) side:

                [attached screenshot, not reproduced]

                which states /128 .... the smallest wins, right ;)

                Btw: he.net: very impressive IPv6 access supplier for years now. Perfect price/performance ratio.


                JKnott @Gertjan

                  @Gertjan said in IPv6 no routing from DMZ to internet:

                  which states /128 .... the smallest wins, right ;)

                  A /128 indicates a single address, which means it cannot be used for routing. That takes at least a /127, which is what is normally used with IPv6. The tunnel addresses you show need a /127 to include both. I have never used he.net, so I can't comment on their config, and it's almost 4 years since I used a 6in4 tunnel with another provider.


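The three prefix questions raised in the replies above (Gertjan's "your /96 overlaps with your /64", JKnott's "SLAAC and prefix tracking need a /64", and the /127-versus-/128 point-to-point discussion) worked through in code. This is an added example, not code from the thread, from pfSense or from he.net; it uses only Python's standard ipaddress module. The 2a00:1aa0:0:368 addresses are the masked ones tku quoted; the 2001:db8 addresses and the /56 are constructed for illustration. The last check also shows something to keep in mind when reading the /127 remark: a ::1/::2 endpoint pair only shares a /126, because a /127 pairs ::0 with ::1.

```python
"""Sanity-check an IPv6 addressing plan against the points raised in the thread.

Added example, not code from the thread or from pfSense. Standard library only.
Checks:
  1. overlap between the WAN and LAN (DMZ) prefixes, the IPv6 version of
     "192.168.1.1/24 on WAN and 192.168.1.2/24 on LAN";
  2. how many /64s a delegated prefix yields (SLAAC and pfSense's "Track
     Interface" want /64s; a /96 yields none, a /56 yields 256);
  3. the longest prefix two addresses share, i.e. the shortest link prefix
     that contains both ends of a point-to-point link.
"""
from ipaddress import IPv6Interface, IPv6Network


def covering_64(addr: str) -> IPv6Network:
    """The /64 that contains an address given as addr or addr/len."""
    return IPv6Network((int(IPv6Interface(addr).ip), 64), strict=False)


def overlaps(a: str, b: str) -> bool:
    """True if the on-link networks of two addr/len interfaces overlap."""
    return IPv6Interface(a).network.overlaps(IPv6Interface(b).network)


def count_64s(prefix: str) -> int:
    """Number of /64s inside a delegated prefix; 0 if it is longer than /64."""
    net = IPv6Network(prefix, strict=False)
    return 0 if net.prefixlen > 64 else 2 ** (64 - net.prefixlen)


def shared_prefix_len(a: str, b: str) -> int:
    """Length (0..128) of the longest prefix both addresses share.

    A point-to-point link needs a prefix no longer than this to hold both
    ends: ::0 and ::1 fit in a /127, but ::1 and ::2 only share a /126.
    """
    diff = int(IPv6Interface(a).ip) ^ int(IPv6Interface(b).ip)
    return 128 - diff.bit_length()


def check_plan(wan: str, lan: str) -> dict:
    """Summarise the WAN/LAN checks; 'ok' is False when the prefixes collide."""
    overlap = overlaps(wan, lan)
    return {
        "wan_64": str(covering_64(wan)),
        "lan_64": str(covering_64(lan)),
        "shared_prefix": shared_prefix_len(wan, lan),
        "overlap": overlap,
        "ok": not overlap,
    }


if __name__ == "__main__":
    # The masked addresses from the thread: both fall in the same /64.
    WAN = "2a00:1aa0:0:368:8:0:1:1/64"
    DMZ = "2a00:1aa0:0:368:8:0:2:1/64"
    print(check_plan(WAN, DMZ))
    # The delegated /96 sits entirely inside that /64, so it cannot be split
    # into the /64s that SLAAC or "Track Interface" would hand to the DMZ.
    print(count_64s("2a00:1aa0:0:368:8:0::/96"))   # 0
    print(count_64s("2001:db8:1200::/56"))          # 256 (constructed /56)
    # Constructed tunnel endpoints: ::1 and ::2 need a /126, not a /127.
    print(shared_prefix_len("2001:db8:1f12:5c0::1", "2001:db8:1f12:5c0::2"))  # 126
```

Run it as-is and check_plan reports overlap=True for the two masked addresses: they share a /110, so any /64 you put on WAN also covers the DMZ address, which is exactly the 192.168.1.x-on-both-sides situation. Feed it the prefixes your ISP actually routes to you before touching the pfSense interface settings.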
                  tku

                    Hi people,

                    Thanks for your reactions! I will give it a try to change some settings, I will let you know if I succeed.

                    tku

                      Hi all,

                      I found the problem; it was somewhere between the backrest and the monitor....

                      I checked all my settings again with DHCPv6 on WAN and my DMZ as tracking interface.
                      A Linux machine was getting a proper IPv6 address. From my Linux machine, accessing an IPv6 website (ipv6.google.com) didn't succeed; I could see the hostname was resolved to an IPv6 address but connecting to it was impossible.

                      So that takes me back to my firewall rules. I checked that there was a rule allowing outgoing IPv6 traffic: rule present.
                      But I'm using pfBlocker, which I configured (in all my enthusiasm) to add (blocking) rules to all interfaces, and for some reason the IPv6 address of ipv6.google.com is on the list. So it's somewhat logical that connecting to the IPv6 website didn't work.
                      And guess what, removing the pfBlocker rules from my DMZ interface solved my issue :)

                      For now I can continue my IPv6 project. Thanks for all your help!

                      Gertjan @tku

                        @tku said in IPv6 no routing from DMZ to internet:

                        But I'm using pfBlocker, which I configured (in all my enthusiasm) to add (blocking) rules to all interfaces, and for some reason the IPv6 address of ipv6.google.com is on the list. So it's somewhat logical that connecting to the IPv6 website didn't work.

                        I'm using pfBlockerNG-devel and some IPv6 lists.
                        ipv6.google.com was never a problem for me.

                        What is the IPv6 that google uses - the one you use to connect to ?
                        Is this IPv6 (network) really present on a list ?

                        What is this list ? IPv6_known_search_engines ?

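Gertjan's follow-up questions (which address did the client actually connect to, is that network really on a list, and which list) are the right triage before removing every pfBlocker rule from an interface, because stripping the rules also removes whatever the other feeds were blocking. The script below is an added example, not code from the thread or from pfBlockerNG: it reproduces the table lookup offline so you can name the feed and the exact entry that covers a resolved address, then whitelist that entry or drop that feed instead. The feed contents and the resolved address are constructed from documentation prefixes, not real feeds or real Google addresses; the feed names are hypothetical.

```python
"""Find which blocklist entry covers a resolved IPv6 address.

Added example, not code from the thread or from pfBlockerNG. The feeds below
are constructed, in the one-address-or-CIDR-per-line shape such lists usually
have ('#' comments and blank lines allowed). Standard library only.
"""
from ipaddress import IPv6Address, IPv6Network, ip_address, ip_network

# Constructed feeds (documentation prefixes); names are hypothetical.
FEEDS = {
    "IPv6_known_search_engines": """
# constructed entries
2001:db8:4860::/48
2001:db8:4860:4::/64
""",
    "IPv6_bogons": """
# constructed: a whole /32 that swallows everything under it
2001:db8::/32
""",
    "mixed_list": """
192.0.2.0/24
2001:db8:ffff::1
not-an-address
""",
}


def parse_feed(text: str) -> list:
    """Return the IPv6 networks in a feed; skip comments, IPv4 and junk lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ip_network(line, strict=False)   # bare address -> /128
        except ValueError:
            continue                               # junk line, ignore it
        if isinstance(net, IPv6Network):
            nets.append(net)
    return nets


def find_matches(addr: str, feeds: dict = FEEDS) -> list:
    """Return [(feed_name, network), ...] covering addr, most specific first."""
    ip = ip_address(addr)
    if not isinstance(ip, IPv6Address):
        raise ValueError("expected an IPv6 address")
    hits = [(name, net) for name, text in feeds.items()
            for net in parse_feed(text) if ip in net]
    hits.sort(key=lambda hit: hit[1].prefixlen, reverse=True)
    return hits


if __name__ == "__main__":
    # Constructed stand-in for the address DNS returned for the site.
    resolved = "2001:db8:4860:4::200e"
    for name, net in find_matches(resolved):
        print(f"{resolved} is covered by {net} from list {name}")
```

The output lists every feed that would have blocked the address, not just the first one found; in the constructed data the /64 and /48 from the search-engine list are the obvious culprits, but the /32 in the second list would keep blocking the site even after the first feed is disabled. Check all matches before deciding which entry to whitelist.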

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.