Ipv6 - Is this roughly correct?



  • Hello Everyone,

    I have my Pfsense box (Netgate SG-5100) setup with Comcast.

    I have full connectivity across IPv4 and IPv6.

    My question is about public-facing IP addresses. When I check my public IP at a site like showmyip.net I see that I am correctly showing my public IPv4, which matches my WAN interface. All good there.

    But my IPv6 address does not match the prefix for my WAN IPv6. Instead my public IPv6 address prefix matches what is listed under the LAN interface addresses.

    For example: my WAN interface IPv6 prefix starts with 2001 and my LAN IPv6 interface shows 2601. My laptop is reporting a 2601 IPv6. I would imagine that my laptop should show 2001 prefix that matches my WAN interface address when viewed from the internet.

    For context: My WAN interface is set to DHCP for both v4 and v6. My LAN is set to track interface for IPv6 from WAN. Under WAN, I checked the "Do not wait for a RA" box.

    Is this just a difference between how v4 and v6 addresses work? I have connectivity but want to make sure I am understanding why my IPv6 isn't matching the WAN settings. Pretty new to networking overall and any help is appreciated!


  • LAYER 8 Global Moderator

    The reason they do not match is you're not NATing like you do with IPv4..

    Your ISP with IPv6 is handing you multiple networks to use with IPv6.. Those get routed to you, so no need to NAT.

    When you track with pfSense, pfSense asks for a prefix - or subnet, as another term - from your ISP... Let's say a /56.. Which has 256 /64 subnets under it. So pfSense can use 1 of these /64s on your LAN, it could use another on your OPT networks, etc.

    But anything that falls under this /56 network is routed to your router.. So your devices behind your router can use any IP in all of that space and talk directly to and from any other IPv6 address on the internet.

    With IPv4, instead of giving you a network to use - they give you a single IP that is public, ie it routes on the internet.. Your local addresses you are using, 192.168.1.x for example, are RFC 1918 addresses. They do not route on the public internet, so for you to talk to say google the router has to change it so 192.168.1.X looks like your public IP 1.2.3.4 that is on your WAN.

    You could do the same thing with IPv4 as with IPv6 and not have to NAT, if your ISP would route an IPv4 network to you, vs just giving you 1 address. And if you want to pay for that - you could do it if you wanted... But you prob don't want to pay the cost of the IPv4 addresses to get routed to you.. Really the whole point of IPv6 is that the total address space of IPv4 is limited.. So they needed more IPs - IPv6 allows for what could almost seem unlimited.. You really should look up how much bigger the IPv6 space is compared to IPv4... So yeah ISPs can give you multiple networks to work with, not just 1 IP address.



  • Thank you for your response!

    So basically I don't need to worry if the LAN IPv6 prefix is internet facing since Comcast is most likely just routing a broader range of IP addresses to me. My WAN and LAN interfaces just pulled different addresses.

    Are there any security issues with having my LAN address show up on the internet?


  • LAYER 8 Global Moderator

    Well it doesn't really show up ;) Out of the box all unsolicited inbound traffic to you, be it IPv4 or IPv6, is blocked. With IPv4 you have to create a port forward to allow traffic from the internet that you did not ask for via a request, ie you starting the conversation to get to something behind pfSense.

    With IPv6 you have to allow such traffic with a firewall rule..

    I wouldn't suggest you just go opening up pfSense to allow all unsolicited inbound traffic to anything behind pfSense via IPv6 ;)

    Example - While you can ping the IPv6 address of my IPv6 NTP server that is part of the NTP pool, and you can ask it for NTP.. And I have set up pfSense to allow for traceroute all the way through to the NTP server... All other traffic is blocked. Other than pinging the pfSense WAN IPv6 address.

    [screenshot: ipv6rules.png]
    [screenshot: alias.png]

    Out of the box - pfSense would block all IPv6 inbound to you..



    Thank you again for the info. I appreciate the help. I've tried to keep most settings default since pfSense has good default settings. I don't have any rules beyond the default ones and intend to keep it that way unless some very pressing need arises.

    I just want to make sure I'm not being exceptionally thick today. I'm sometimes not sure I'm explaining exactly what I mean.

    Here are my interfaces.

    [screenshot: Snip.png]

    So from what I'm gathering from your responses, it doesn't really matter that my laptop is showing a 2601 range for IPv6 when viewed from the internet (pic below), which matches my LAN interface instead of the WAN 2001 range. Correct?

    [screenshot: Snip.png]



  • @broor said in Ipv6 - Is this roughly correct?:

    But my IPv6 address does not match the prefix for my WAN IPv6. Instead my public IPv6 address prefix matches what is listed under the LAN interface addresses.

    This is entirely normal. That WAN address has absolutely nothing to do with routing. If you check your gateway address, you will likely see a link-local address is used. Link-local addresses start with fe80. That WAN address is used when you want to reach your firewall for VPNs, etc..

    Are there any security issues with having my LAN address show up on the internet?

    One thing with IPv6 is privacy addresses. These are random-number addresses, which change daily and last for a week. These privacy addresses are what's used when you connect to a web site, etc.. There are also consistent addresses, often MAC based, which do not change. Those are used for incoming connections and are what you'd point your DNS to. Also, even knowing your prefix won't do much for attackers, given the huge number of addresses on your local network. With a /64 prefix, there are 18.4 billion billion addresses, compared to 4.3 billion for the entire IPv4 address space. This makes it a much harder job to find a working address within your network.



  • Thank you JKnott!

    That answers my question perfectly.


  • LAYER 8 Global Moderator

    Yeah as JKnott has stated it's normal.. It is also possible that the WAN never even gets a global address, and just uses link-local.. I'm not a fan of that, I like to see a global address on my WAN ;)

    There are plenty of IPs to go around ;) ISPs can afford to assign a global to the transit network ;)

    edit: to expand on the sheer number of IPs.. A min assignment from an RIR for an ISP is a /32 - I just got one for an IPv6 project we are doing from ARIN.. That is 65K /48s ;) or 4 billion /64s..

    Comcast got a /9 - which is 36 quadrillion /64s - you would think they can afford a few /64 for transit networks ;)

    And it's not like they can't get more... It took a couple of weeks to get the /32 - all you have to do is show basic need.. And a basic plan on how you're going to use them..

    These ISPs telling users they can only get 1 /64 is just nuts... You can head over to HE and they will give you a /48 you can tunnel for free. I have had mine for over 10 years..

    ISPs should have no issues giving users either a /48 or at min a /56 and using a global for their transit network.
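The following is an added example, not code from the thread or from pfSense, that works through two points made above: the first reply's description of a delegated /56 being carved into /64s for LAN and OPT, with the observed "public" address landing inside that delegated space rather than on the WAN transit /64, and this post's subnet counts for a /32 and a /9 (plus JKnott's /64 host count and the MAC-derived vs privacy address distinction). The addresses are constructed from the documentation range 2001:db8::/32 and stand in for the poster's real 2001 (WAN) and 2601 (LAN) prefixes.

```python
import ipaddress

# Constructed sample values, not taken from the thread: one /64 on the WAN
# (the ISP's transit network) and a separate /56 delegated to the router
# for its LAN/OPT networks, both drawn from the documentation range.
WAN_INTERFACE = ipaddress.IPv6Interface("2001:db8:1:1::2/64")
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:ff00::/56")


def lan_subnets(delegated, count):
    """Carve the first `count` /64 networks out of a delegated prefix,
    the way a tracking router hands one /64 to LAN, another to OPT1, etc."""
    gen = delegated.subnets(new_prefix=64)
    return [str(next(gen)) for _ in range(count)]


def subnet_count(prefix_len, subnet_len=64):
    """How many /subnet_len networks fit under a /prefix_len prefix
    (use subnet_len=128 to count individual host addresses)."""
    return 2 ** (subnet_len - prefix_len)


def classify(addr, wan=WAN_INTERFACE, delegated=DELEGATED_PREFIX):
    """Explain where an address seen 'from the internet' actually lives."""
    ip = ipaddress.IPv6Address(addr)
    if ip in delegated:
        return "delegated"      # a LAN-side host: routed to you, no NAT
    if ip in wan.network:
        return "wan-transit"    # the router's own WAN address
    if ip.is_link_local:
        return "link-local"     # fe80::/10, never leaves the link
    return "other"


def is_eui64(addr):
    """True when the interface ID carries the ff:fe marker of a MAC-derived
    (stable) address, as opposed to a randomly generated privacy address."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11] == 0xFF and b[12] == 0xFE


if __name__ == "__main__":
    print("LAN/OPT /64s:", lan_subnets(DELEGATED_PREFIX, 3))
    print("/56 holds", subnet_count(56), "/64s")
    print("/32 holds", subnet_count(32, 48), "/48s")
    print("/9 holds", subnet_count(9), "/64s")
    print("/64 hosts vs all IPv4:", subnet_count(64, 128), "vs", 2 ** 32)
    print(classify("2001:db8:ff00:1:1234:5678:9abc:def0"))   # delegated
    print(is_eui64("2001:db8:ff00::211:22ff:fe33:4455"))     # True
```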

