Netgate Discussion Forum

    How to let connected-devices use IPv6 ?

    General pfSense Questions
      qtwrk

      Hi,

      I am having a little trouble trying to make my local devices have IPv6 connectivity.

      From pfSense's SSH, I can ping6 or curl -6 without problem.

      However, my connected devices, such as my mobile and laptop, cannot get IPv6 connectivity.

      [image]

      Although the first line of the ping6 commands makes me feel weird, since curl -6 is working, I assume it just works...

      I tried a number of IPv6 configurations based on guides I found on Google, like track interface, DHCPv6, etc., but none of them work.

      Since I don't know what to look for, I just blindly set ANY on both interfaces in the NAT rule

      [image]

      also on the firewall

      [image]

      and

      [image]

      but the v6 test on my laptop always failed :(

      [image]

      What am I missing?

      Best regards,

        qtwrk

        Never mind, I solved it, even though I don't know how I did it...

          netblues @qtwrk

          @qtwrk My god!! You ARE dangerous.
          IPv6 has nothing to do with NAT. It's not even supported.
          But you HAVE opened your IPv6 devices to the world.
          There is no NAT here to protect you.
          Remove the allow rule from WAN immediately.

          IPv6 will still work.
          I suggest you disable IPv6 and do some reading on basic IPv6 stuff.

            Gertjan @netblues

            @netblues said in How to let connected-devices use IPv6 ?:

            IPv6 has nothing to do with NAT. It's not even supported.
            But you HAVE opened your IPv6 devices to the world.

            Right, IPv6 doesn't need NAT, although it could be NATted.

            The second image of @qtwrk opens all IPv6 on the firewall, which means that if there were devices on the LAN that use 'global' IPv6 addresses, they could be reached by everybody on the planet.

            I presume that @qtwrk was dropping in these rules just for testing purposes ;)

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

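The exposure Gertjan describes above, a WAN pass rule that admits all IPv6 from any source to any destination, can be checked for in a saved configuration. This is an added example, not code from the thread or from pfSense: it assumes the `<filter><rule>` element layout of a pfSense `config.xml` backup, and the sample configuration, rule descriptions and the function name `open_v6_wan_rules` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's configuration. Element names follow the
# <filter><rule> layout of a pfSense config.xml backup (an assumption).
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
    <source><any/></source><destination><any/></destination>
    <descr>test v6</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet6</ipprotocol>
    <protocol>tcp</protocol><source><any/></source>
    <destination><address>2001:db8:1::10</address><port>443</port></destination>
    <descr>web server</descr></rule>
  <rule><type>pass</type><interface>lan</interface><ipprotocol>inet6</ipprotocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>LAN v6 out</descr></rule>
  <rule><type>pass</type><interface>wan</interface><ipprotocol>inet46</ipprotocol>
    <disabled/><source><any/></source><destination><any/></destination>
    <descr>old test</descr></rule>
</filter></pfsense>"""

def is_any(rule, side):
    """True when the rule's source or destination is the 'any' wildcard."""
    node = rule.find(side)
    return node is not None and node.find("any") is not None

def open_v6_wan_rules(config_xml, wan_ifaces=("wan",)):
    """Return (index, description, protocol) for each enabled WAN pass rule
    that admits IPv6 from any source to any destination."""
    findings = []
    for idx, rule in enumerate(ET.fromstring(config_xml).iterfind("./filter/rule")):
        if rule.findtext("type") != "pass" or rule.find("disabled") is not None:
            continue  # block/reject rules and disabled rules expose nothing
        if rule.findtext("interface", "") not in wan_ifaces:
            continue  # LAN-side rules govern outbound traffic
        if rule.findtext("ipprotocol", "inet") not in ("inet6", "inet46"):
            continue  # rule applies to IPv4 only
        if is_any(rule, "source") and is_any(rule, "destination"):
            # No <protocol> element means the rule matches every protocol.
            findings.append((idx, rule.findtext("descr", ""),
                             rule.findtext("protocol") or "any"))
    return findings

if __name__ == "__main__":
    for idx, descr, proto in open_v6_wan_rules(SAMPLE_CONFIG):
        print(f"rule #{idx} ({descr!r}): WAN passes IPv6 {proto} from any to any")
```

A rule scoped to one destination address and port, like the second rule in the sample, is not reported; only the any-to-any rule is.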
              netblues @Gertjan

              @Gertjan said in How to let connected-devices use IPv6 ?:

              Right, IPv6 doesn't need NAT, although it could be NATted.

              Yes, but not via the pfSense GUI. (at least for now) ;-)
              In any case, for an IPv6 noob: IPv6 is an end-to-end protocol, and you need firewall features to protect devices behind even the cheapest SOHO router (which even those "yogurt enclosures" provide).

                JKnott @netblues

                @netblues said in How to let connected-devices use IPv6 ?:

                But you HAVE opened your IPv6 devices to the world.
                There is no NAT here to protect you.

                One thing to bear in mind is that the IPv6 address space is extremely sparsely populated. A single /64 contains 18.4 billion, billion addresses, which means an attacker would have to try a heck of a lot of addresses to find even 1 device. This compares to IPv4, where everything is within a bit over 4 billion addresses and many of those aren't used for global addresses. That's quite a difference for someone looking for something to attack.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                  netblues @JKnott

                  @JKnott Indeed, but this falls into the security through obscurity category. A random attacker won't find it easily for sure.
                  However, planting a seed (e.g. a zero pixel, a gaming server, etc.) will give out the current IP, and an attacker can take it from there.
                  It's much more difficult than IPv4, but a firewall block offers much better protection.

                    JKnott @netblues

                    @netblues
                    One other thing, that current IP changes daily when SLAAC and privacy addresses are used. I agree firewalls should be used, but there are some things in IPv6 that make it safer than IPv4. Also, IIRC, pfSense and just about every other firewall defaults to deny all, so unless the OP actually did something to leave it wide open, he should be OK.
