How to let connected-devices use IPv6 ?



  • Hi,

    I am having a little trouble trying to make my local devices have IPv6 connectivity.

    From pfSense's SSH, I can ping6 or curl -6 without problem.

    However, my connected devices, such as my mobile and laptop, cannot have IPv6 connectivity.

    [image]

    Although the first line of the ping6 commands makes me feel weird, since curl -6 is working, I assume it just works....

    I tried a number of IPv6 configurations based on guides I found on Google, like track interface, DHCPv6, etc., but none of them worked.

    Since I don't know what to look for, I just blindly set ANY on both interfaces in the NAT rule

    [image]

    also on the firewall

    [image]

    and

    [image]

    but the v6 test on my laptop always failed :(

    [image]

    What am I missing?

    Best regards,



  • Never mind, I solved it, even though I don't know how I did it...



  • @qtwrk My god!! You ARE dangerous.
    IPv6 has nothing to do with NAT. It's not even supported.
    But you HAVE opened your IPv6 devices to the world.
    There is no NAT here to protect you.
    Remove the allow rule from WAN immediately.

    IPv6 will still work.
    I suggest you disable IPv6 and do some reading on basic IPv6 stuff.



  • @netblues said in How to let connected-devices use IPv6 ?:

    IPv6 has nothing to do with NAT. It's not even supported.
    But you HAVE opened your IPv6 devices to the world.

    Right, IPv6 doesn't need NAT, although it could be NATted.

    The second image of @qtwrk opens all IPv6 on the firewall, which means that if there were devices on the LAN that use 'global' IPv6 addresses, they could be reached by everybody on the planet.

    I presume that @qtwrk was dropping in these rules just for testing purposes ;)



  • @Gertjan said in How to let connected-devices use IPv6 ?:

    Right, IPv6 doesn't need NAT, although it could be NATted.

    Yes, but not via the pfSense GUI (at least for now) ;-)
    In any case, for an IPv6 noob: IPv6 is an end-to-end protocol, and you need firewall features to protect devices behind even the cheapest SOHO router (which even those "yogurt enclosures" provide).



  • @netblues said in How to let connected-devices use IPv6 ?:

    But you HAVE opened your IPv6 devices to the world.
    There is no NAT here to protect you.

    One thing to bear in mind is that the IPv6 address space is extremely sparsely populated. A single /64 contains 18.4 billion, billion addresses, which means an attacker would have to try a heck of a lot of addresses to find even 1 device. This compares to IPv4, where everything is within a bit over 4 billion addresses and many of those aren't used for global addresses. That's quite a difference for someone looking for something to attack.



  • @JKnott Indeed, but this falls into the security-through-obscurity category. A random attacker won't find it easily, for sure.
    However, planting a seed (e.g. a zero pixel, a gaming server, etc.) will give out the current IP, and an attacker can take it from there.
    It's much more difficult than IPv4, but a firewall block offers much better protection.



  • @netblues
    One other thing, that current IP changes daily when SLAAC and privacy addresses are used. I agree firewalls should be used, but there are some things in IPv6 that make it safer than IPv4. Also, IIRC, pfSense and just about every other firewall defaults to deny all, so unless the OP actually did something to leave it wide open, he should be OK.
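
The exposure discussed in this thread, an enabled pass rule on WAN that admits IPv6 from any source to any destination, can be looked for in a configuration backup. The following is an added example, not code from the thread or from the pfSense project; the XML element names follow the usual layout of a pfSense `config.xml` `<filter>` section but are an assumption to verify against your own backup, and the sample rules are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a pfSense config.xml <filter> section
# (element names are an assumption; verify against your own backup).
SAMPLE = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
    <source><any/></source><destination><any/></destination>
    <descr>test - allow all v6</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
    <protocol>tcp</protocol><source><any/></source>
    <destination><address>2001:db8:1::10</address><port>443</port></destination>
    <descr>web server</descr></rule>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>default allow LAN IPv6 to any</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet46</ipprotocol>
    <disabled/><source><any/></source><destination><any/></destination>
    <descr>old test rule</descr></rule>
  <rule><type>block</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
    <source><any/></source><destination><any/></destination>
    <descr>explicit block</descr></rule>
</filter></pfsense>"""

def open_wan_v6_rules(config_xml, wan_names=("wan",)):
    """Return descriptions of enabled WAN pass rules that admit IPv6 from any
    source to any destination, i.e. rules that expose every global address."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./filter/rule"):
        if rule.findtext("type") != "pass":
            continue                      # block/reject rules expose nothing
        if rule.find("disabled") is not None:
            continue                      # disabled rules are not loaded
        # Assumption: multi-interface rules list names separated by commas.
        ifaces = rule.findtext("interface", "").split(",")
        if not set(ifaces) & set(wan_names):
            continue
        if rule.findtext("ipprotocol", "inet") not in ("inet6", "inet46"):
            continue                      # IPv4-only rule
        src_any = rule.find("source/any") is not None
        dst_any = rule.find("destination/any") is not None
        if src_any and dst_any:
            findings.append(rule.findtext("descr", "(no description)"))
    return findings

if __name__ == "__main__":
    for descr in open_wan_v6_rules(SAMPLE):
        print("WAN rule open to all IPv6:", descr)
```
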

