Configuring IPv6 on PFsense



  • Hello,

    Currently I am trying to setup an IPv6 only network within my XCP-NG host.

    I have internet access on my VM's but from my home pc I cannot reach those VM's by putting in the IPv6 address of that machine.
    Currently I have configured DHCPv6 on the LAN interface because I got an /49 subnet from my datacenter (I am assuming it is a public subnet).

    So what I am trying to ask is how to access VM's directly on the server in the datacenter with an IPv6 IP. Do I have to configure DHCPv6 on the WAN interface or LAN? As I am confused and trying to learn IPv6.



  • @appollonius333

    I'm not sure I'm understanding your question. You say the VMs have Internet access. Do they have valid gloabal IPv6 addresses? If you connect a computer directly to the LAN does it get addresses? How is IPv6 being provided?



  • @JKnott Hey thanks for your answer, currently I am trying something. Will keep you posted about it if it works :)



  • @appollonius333 Hi

    so when I get this right, there's the evil internet, then the pfSense and then the VMs. The VMs have a public ip and are able to connect to the evil interwebtubez but connecting to the VMs is not working.

    Well...

    pfSense is a firewall and to allow stuff in from WAN to LAN you have to create a rule that allows it.

    Just create a rule for testing on the WAN interface allow any/any to vm-ip/service-port and see if that works. If it does, you solved your problem.

    Cu



  • @Grimeton

    Where are you trying to connect to the VM from? If elsewhere on the Internet, then you'd need a rule to allow that. However, first off, see if you can reach the Internet from the VM.



  • I am gonna explain it in detail now, so you guys got a better picture of it.

    I have 2 servers in a datacenter.

    For these 2 servers I have 2 IPv4 IP addressen in a shared subnet (So reachable from the evil internet).
    I also got 2 IPv6/64 adresses which are also reachable from the evil internet.

    Next to that I got a /48 network which is routed through my sharedsubnet IPv6 addresses, so it is reachable from the internet.
    This is the /48 subnet: 2a02:898:267::/48 which is splitted into 2 /49 networks

    Here is my network layout.

    PFsense WAN: 2a02:898:0:20::267:/64 with the gateway for internet.
    PFsense LAN: 2a02:898:267::/49

    So my VM's are connecting to the LAN interface of PFsense.
    Because this extra subnet is routed through my shared subnet for public access, I am wondering why I cannot ping from my home PC to a VM in the LAN network.
    Would this be because of the rules I would have to add?

    What the datacenter is telling me is to apply the IPv6 shared subnet to the Hypervisor Host (XCP-NG). Create a small subnet between the HOST and PFsense with the 2a02:898:267::/48 network. And then in PFsense create subnets for all my VM's. So I can connect to my VM's from my home PC. I am actually really confused about this as I don't understand why I cant apply the shared subnet directly to the WAN interface of the PFsense VM....



  • @appollonius333

    Yes, if you're coming in from outside, you have to create rules to allow it. Also, make sure the routing is correct. For example, since you're passing through one network, the pfSense system connected to the Internet has to know the route to the 2 /49s.
    It works pretty much the same as IPv4.



  • @JKnott Thanks for your reply.

    So the following configuration would work?

    XCP-NG host:
    (Management port linked on switch)NIC0: 2a02:898:0:20::267::/64 Gateway: 2a02:898:0:20::
    (WAN)NIC1: 2a02:898:267::/64 gateway: 2a02:898:0:20::267::/64

    PFsense VM:
    (WAN)NIC1: 2a02:898:267::/64 Gateway: 2a02:898:267::/64
    (LAN)NIC2: 2a02:898:267::/49 (Or whatever subnet)



  • I have realized this setup:

    HOST:
    (Management)NIC0:
    IPv6: 2a02:898:0:20::267:1/64
    Gateway: 2a02:898:0:20::1

    (WAN)NIC1:
    IPv6: 2a02:898:267::1/64

    PFsense VM:
    (WAN)NIC1:
    IPv6: 2a02:898:267::2/64
    Gateway: 2a02:898:267::1

    I can ping from the PFsense VM everything except the gateway of (Management)NIC0 on the HOST machine...



  • @appollonius333 said in Configuring IPv6 on PFsense:

    I can ping from the PFsense VM everything except the gateway of (Management)NIC0 on the HOST machine...

    Start from the inside and work out. Can you ping from that VM to the outside world? Can you ping the pfSense systems? If you can't ping out, you won't be able to ping in. Just take things one step at a time and see where what fails. One you can ping the outside world, you can start thinking about incoming rules.

    So, start pinging and see how far you get.



  • @JKnott Thanks for your response.

    I have tested pinging all networks from my PFsense box, which made me stumble upon a problem. I cannot ping the HOST Gateway on NIC0, while I can ping the IPv6 IP.

    Also I tested from the HOST machine to my PFsense box to ping 2a02:898:267::2/64 on the WAN interface which didnt work either.
    But pingingen this address on the WAN interface did work: 2a02:898:267::1/64
    So I assume this would be a host problem and not a rule problem in PFsense.

    EDIT:

    Well this is fun, I discovered that I actually can ping the gateway 2a02:898:0:20::1 of the HOST from my PFsense WAN interface. But when I try it again it does not work anymore. I am laughing myself to dead right now as I have been busy 2 days with this and I still cannot figure this stuff out.....

    Fixed another issue, I can ping from the host to the PFsense WAN interface now, by allowing all rules (To test this). This works.
    Only problem is as I have right now is that I cannot ping the IPv6 gateway of the HOST from PFsense WAN interface...

    Managed to fix it, my HOST had IPtables on, which resulted in this blockade...



  • Alright so that is working, but now the LAN VM's have no access to the WAN. I have been troubleshooting for a while now on what this could be but cannot find anything on it... I have no gateway for LAN nor routing setup.


Log in to reply