Netgate Discussion Forum

    Thank you for the IPv6 NAT capabilities in 2.5

    IPv6
    44 Posts 5 Posters 7.3k Views

    • Bob.Dig LAYER 8

      Much appreciated. I used to have an ISP who only gave out one single /64 to the customer. But even now, where I got more dynamic ones, I could use this for doing DDNS for the WAN IPv6 within pfSense and don't have to do it on every "server" myself.
      So finally, I got rid of the HE-Tunnel.

      Sure, most benefits of IPv6 are lost with NAT, but if you don't need those, it is great to have the IPv6 NAT capabilities in your toolkit (and now web interface).
      Thank you, Netgate.

      Btw I had to start fresh with 2.5 and I see no problems with IPv6.

      • JKnott @Bob.Dig

        @bob-dig

        It's amazing how some ISPs are so d*mn cheap with addresses, when you consider Hurricane Electric hands out /48s for free. My ISP gives me a /56.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • johnpoz LAYER 8 Global Moderator @JKnott

          @jknott said in Thank you for the IPv6 NAT capabilities in 2.5:

          It's amazing how some ISPs are so d*mn cheap with addresses,

          Is it that - or do they just not understand IPv6 and think something like that could work? It's either they are cheap or they are stupid ;)

          Or is the OP behind the ISP router, and that is why they cannot get a prefix delegation because the ISP thinks there will be only 1 LAN, and no need for more than one /64..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Bob.Dig LAYER 8 @johnpoz

            @johnpoz No, it was the ISP, we had somewhat similar discussions before.

            Now I have an ISP who gives out a dynamic /56. And although this time I have a new (ISP-like) router in front, it still can delegate those prefixes to the pfSense.
            What is not working, if the prefix changes, pfSense wouldn't notice or do anything about it, so I made a cron job to reboot pfSense in the night, near after the time this is happening. I found no other script that would work as well as the reboot-script. So there is still room to improve on pfSense side. 😉

            • JKnott @Bob.Dig

              @bob-dig

              If your ISP is doing things right, the prefix should rarely change, if ever. There's a setting in pfSense to prevent release of the prefix.

              • Bob.Dig LAYER 8 @JKnott

                @jknott You gave this hint before and were right. This time there is another router in front of pfSense, so it will not work. Plus, I don't mind that. If it is dynamic, I don't care if it changes daily or every three months.
                Btw has your new machine arrived? I noticed you had some VPN problems lately.

                • DaddyGo @Bob.Dig

                  @bob-dig said in Thank you for the IPv6 NAT capabilities in 2.5:

                  so I made a cron job to reboot pfSense

                  Hi,

                  pls. allow me a question 😉

                  is it a good thing if a "cron" always restarts a firewall?

                  you're just losing, we've tried

                  Cats bury it so they can't see it!
                  (You know what I mean if you have a cat)

                  Bob.DigB 1 Reply Last reply Reply Quote 0
                  • Bob.DigB
                    Bob.Dig LAYER 8 @DaddyGo
                    last edited by Bob.Dig

                    @daddygo The prefix changes daily and pfSense doesn't know about it, because of the router upfront, so I have to do it

                    • DaddyGo @Bob.Dig

                      @bob-dig said in Thank you for the IPv6 NAT capabilities in 2.5:

                      The prefix changes daily and pfSense doesn't know about it

                      Yupppp... 😉

                      it's an ISP issue + own setting, not pfSense

                      can we agree with that?
                      a good setting, = no restarts required + acceptable service provider

                      BTW:
                      I would go crazy, - if the solution was a daily reboot 😉

                      • Bob.Dig LAYER 8 @DaddyGo

                        @daddygo It is not the ISP this time, it's me having another router in front of pfSense. Need this for telephony and as a modem.

                        • DaddyGo @Bob.Dig

                          @bob-dig said in Thank you for the IPv6 NAT capabilities in 2.5:

                          it's my having another router in front of pfSense.

                          hmmm.... it hurts

                          It's up to you, throw it out 😉

                          Sure it's a joke, but you don't have another phone?

                          +++edit:
                          maybe we talked about it earlier
                          is it a dual-NAT configuration?

                          • Bob.Dig LAYER 8 @DaddyGo

                            @daddygo Actually it is a fax, that I need three times a year. 😊

                            • DaddyGo @Bob.Dig

                              @bob-dig said in Thank you for the IPv6 NAT capabilities in 2.5:

                              it is a fax

                              😉 😉 😉 😉 😉

                              then it is time for liquidation..

                              +++edit:
                              seriously it is necessary

                              • Bob.Dig LAYER 8 @DaddyGo

                                @daddygo You can vote with that... not with email. I am talking about the US.

                                • DaddyGo @Bob.Dig

                                  @bob-dig said in Thank you for the IPv6 NAT capabilities in 2.5:

                                  You can vote with that

                                  I do not believe it

                                  I am not interested in the votes systems, just be safe 😉

                                  +edit:

                                  good daily readings.....

                                  https://thehackernews.com/
                                  https://www.theregister.com/

                                  • johnpoz LAYER 8 Global Moderator @Bob.Dig

                                    While it's commendable you want to use IPv6 - since it is the future.. As of yet there is no actual "need" for it.. Do you have some actual need of IPv6 - is there some resource you cannot access without IPv6? Are you behind a NAT from your ISP, and the only service you can get that allows for unsolicited inbound is if your IPv6? Are you playing or hosting some game that only works via IPv6? I have yet to run into one of these unicorns..

                                    Only reason I have any IPv6 at all - is well yes it is cool ;) And it is the future.. And this sort of stuff is fun for me.. But actual "need" nope haven't seen it.. I have a public IPv4, nothing is blocked inbound on it from the ISP (25 and SMB maybe). I can serve up what I want to serve up just via IPv4, while I do provide NTP for the pool via both IPv4 and v6.. That is not something I need to do..

                                    Such scenarios with my ISP at the time Comcast shitty IPv6 deployment (changing prefixes) etc. I went with just a HE tunnel like 10+ years ago.. Guess what, multiple ISPs later - with current one not even supporting IPv6 and I still have my same /48 ;)

                                    Never changes. It's static - I can assign whatever prefixes I want out of that /48 to my LANs.. ie no need to track a prefix to assign.

                                    For what maybe a couple of extra ms in latency, slight extra overhead since tunnel.. You could have your cake and eat it too if just went with HE - just saying.. More likely than not HE has better peering than your ISP anyway, at least for IPv6..

                                    There is no reason to try and find some work around or "method" that works with some ISP, when in 30 seconds you could have a very stable, fast and static /48 assigned and even allows for PTR on the space.. Other than say some video services blocking it - because it could allow for geoip circumvention.. I have had zero problems with a HE tunnel as a way to use IPv6. And it frees you up to use really any ISP you want, be it they support IPv6 or not.. If what you want is IPv6.

                                    • DaddyGo @johnpoz

                                      @johnpoz said in Thank you for the IPv6 NAT capabilities in 2.5:

                                      While it's commendable you want to use IPv6 - since it is the future..

                                      Hi John, we talked a long time ago...-

                                      (I'm really starting to understand you)
                                      now the situation is that I totally agree with you..!!!! ✌

                                      • Bob.Dig LAYER 8 @johnpoz

                                        @johnpoz I even became sage and it was a lot of fun. But I don't have a need for sending emails over IPv6 anymore and like you said, it is still totally optional, at least for me having dual-stack anyway.

                                        • johnpoz LAYER 8 Global Moderator @Bob.Dig

                                          Well then why dick with something that would change, or do NAT (uggggh).. Just use HE for your clearly "optional" IPv6 needs - way less hassle, and more functionality to be honest than what most ISPs call IPv6 ;)

                                          edit: Yeah sage was fun.. Still have the shirt.. Even though it is starting to show its age ;)
                                          Certification Level: Sage earned at 2011-01-26 09:05:43

                                          • DaddyGo @johnpoz

                                            @johnpoz said in Thank you for the IPv6 NAT capabilities in 2.5:

                                            Even though it is starting to show its age ;)

                                            😉

                                            BTW:

                                            otherwise, the colleague is very evolving @Bob-Dig 😉

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.