IPV6 and firewall rules with dynamic IPV6
-
I've got IPv6 working following this guide.
https://bidetly.io/2020/03/20/centurylink-fiber-on-pfsense/
It shows exactly how I'm set up with the exception of the Pi-Hole.
My problem is that I set up a firewall rule to allow my client out, and when my router reboots, it gets a new IPv6 IP which is different from the last and my rules no longer work. How does one deal with this short of just opening up IPv6 completely, which I do not want to do?
In short, how does one use an alias with IPv6 that's handing out new IPs each time?
-
On the WAN page, make sure Do not allow PD/Address release is selected.
-
@jknott Hello, thanks for taking the time to help out.
I don't see that option though.
-
That setting is for DHCPv6-PD, but I see you're using a tunnel called 6rd. I haven't used 6rd but, IIRC, the IPv6 prefix is dependent on the IPv4 address, so that's likely changing. Does Century Link not use DHCPv6-PD?
-
@jknott For what little I know, I think they do use DHCPv6-PD.
However I'm not 100% sure and don't know how to find out. Google fu has led me to believe they do, but you know how that goes. The example I found for CenturyLink and pfSense showed setting it up that way.
Is it possible that if I switch it to DHCPv6 that it would just work? If I choose DHCP6 I then get the below options.
What options would you recommend I try, and I'll switch it and see what happens.
Other than what you said before in regards to "Do not allow PD/Address release".
-
@cr8tor said in IPV6 and firewall rules with dynamic IPV6:
short of just opening up IPV6 completely which i do not want to do.
Why have it enabled at all if you're having trouble setting it up the way you want? What resource are you needing/wanting to access that requires IPv6? I am curious why even have it on at all, if you have to jump through so many hoops for something that is not required..
6rd is a tunnel - if your ISP is using that, just use a Hurricane Electric tunnel - it's FREE and guess what, you can get a static /48 and do whatever you want with it.. Got to be a better setup than your prefix changing every time the wind changes direction ;)
Have been using HE for years and years for me to be able to play with IPv6, which is all I do with it - since I have zero "need" of it - since there is not 1 single resource on the internet that I want to get to that is not available via IPv4.
-
@cr8tor said in IPV6 and firewall rules with dynamic IPV6:
Is it possible that if i switch it to DHCPv6 that it would just work?
Only if they support it. I have no experience with them, so I can't say. You should call their help desk and ask. Do they have a community forum where you can ask questions?
-
@johnpoz said in IPV6 and firewall rules with dynamic IPV6:
since there is not 1 single resource on the internet that I want to get to that is not available via IPv4.
At the moment. In the news last week, I read that China plans to be single stack IPv6 only by 2030. So, if you want to order something from a web site over there, such as the computer I'm currently running pfsense on, you'll need IPv6 to do it.
-
@jknott said in IPV6 and firewall rules with dynamic IPV6:
I read that China plans to be single stack IPv6 only by 2030
That's great - have never in my life ordered anything from a site hosted in China ;)
So you think this site that sells stuff, so they need people to get to it, is going to ONLY be available via IPv6? You want to make a bet ;)
2030 huh, it's 2021.. Let's say they plan on doing it by 2025 even, and just blocking all access from IPv4 after some future cut-off date. That is not today, that is not next week, that is not next year even.. So in the current state of affairs there is zero "need" for it.. And from your statement it's almost a decade away from a point where he would need IPv6 to order something from China ;) Which I would bet a HUGE sum of money is not going to be the case.. Blocking or preventing access from IPv4 is multiple decades down the road - no matter how much you might want it to be sooner.. Even if XYZ company or country said - hey you can only talk to us on IPv6.. Do you not feel that countries/ISPs that are still behind would put in methods to talk from their IPv4 network to these IPv6 IPs.. Just like how your IPv6-only phone today talks to IPv4 networks.. Hopefully with a properly deployed IPv6 network for their users - but clearly this is not the case with his current ISP and 6rd ;)
To be honest, countries or companies that would have the balls to do such a thing and say hey, on date X we are turning off IPv4 and will only communicate with IPv6 would be one way to push the adoption of IPv6 along and actually get it done in our lifetimes ;) hehehe
Even if that date was 10 years in the future.. Not saying IPv6 is not the future, it's just that future is not any time soon, and sure not in a state now that anyone that doesn't want to play with IPv6 and spend the cycles to learn it and get up to speed with it really needs to be concerned with it..
And it's sure not in a state where some user that wants to allow 1 or a couple of his machines to use IPv6 should spend any cycles dicking with 6rd where his prefix changes as the wind blows. If his ISP does not provide stable, easy to use IPv6 that meets his needs/wants - then change ISP; good luck here in the states actually finding an ISP that does IPv6 correctly or even well that is not business-level connectivity ;) Or just use, say, HE where he can get a static /48... I have had mine for like 10+ years, it works.. It takes a couple of minutes to set up.. It would give him all the flexibility he could want to add IPv6 to his network that is stable, easy to manage and configure.
Or the simple solution for most home users - just don't use it ;) Come back to it in 3 to 5 years and see if it's ready for prime time at that point..
-
We seem to have different philosophies. I have always been a techie, who likes to learn. For example, I recently started training on Avaya IP Office. I also have decades of experience, which allows me to see the shortcomings of IPv4. I first saw those when I was first learning about IPv4, with only 4 billion addresses. That was in 1995. Shortly after, I read about IPv6 in the April 1995 issue of Byte magazine and realized that was the way forward. Even Vint Cerf has said that 32 bit addresses were only for a demonstration and he planned on a much larger address space. Also, over the years, I have come across a lot of people who don't seem to have much ambition to learn more about the technology and just stick their head in the sand. They seem to think adding hacks on hacks to get around the address shortage is a good idea, rather than move to IPv6. IPv4 has been inadequate for decades. In addition to the huge address space, IPv6 brings other benefits, as the designers were able to look at IPv4 to see what the shortcomings were. That's the reason there are no broadcasts in IPv6, or things like ARP moved into ICMP, etc. IPv4 is holding the Internet back. It's long past time to move fully to IPv6.
-
@johnpoz Well to be honest, the internet itself is not something I consider a need. It's a luxury and a tool that is nice to have. It certainly makes life more efficient.
My use case is so my kid and I can both play on Xbox Live and connect to parties without issues.
Believe it or not, once IPv6 is on, it works flawlessly, where with IPv4 it has all sorts of connection issues. The problem I run into is that my kid is also a teen that sometimes needs internet regulated to enforce household rules.
It would be nice to have the luxury of the whole family being able to play on Xbox Live without connection issues while also being able to use rules that contain aliases and schedules. So there is your first real world IPv6 use case.
Xbox Live with multiple Xboxes on a single connection. So my need is a more enjoyable time with my family when we have family game sessions.
The effort is worth it. Especially if I learn something along the way.
I am a pretty decent hardware guy. I can do anything I have ever needed with IPv4.
It would be nice to get to the same level of understanding with IPv6, and while I follow a lot of the basics, I'm still struggling with how to make things work within the restrictions I have due to my ISP, of which I have no real choice.
I am grateful that my ISP supports IPv6 at all, however their support is laughable when it comes to asking them anything.
Their response is plug in the modem we sent you and see how well it works while we gobble up your data. mmmmm 'nipple twist' So any and all help is appreciated.
The Hurricane Electric thing is not something I'm aware of. Where can I find more info on that, what it is, how to configure it with pfSense?
I will google search it also, but I figure you might have good links handy or otherwise enjoy sharing about it. If not, all good, I'm sure there are resources out there.
Also, I have a gigabit connection, can it keep up with that kind of speed?
I am imagining it's something along the lines of a VPN-like connection, which is why I ask, so if that will be answered once I google it, don't worry about taking the time to respond on that. :-)
-
@jknott said in IPV6 and firewall rules with dynamic IPV6:
You should call their help desk and ask. Do they have a community forum where you can ask questions?
I wish that was an option. Their response is to plug their modem back in and see how it magically works. And sure it works, and everything is wide open. Let alone there are zero features.
I do understand the suggestion though.
Honestly in the past I tried to kindly escalate to someone that would know something. After many hours on the phone of begging I did get to someone that seemed quite knowledgeable, and that understood my struggle and wished me luck. haha
Their policy is plug the modem back in and see how magically it works. Past that, they won't even respond to their own tech support when they do go asking about things.
-
@johnpoz said in IPV6 and firewall rules with dynamic IPV6:
If his isp does not provide stable easy to use IPv6 that meets his needs/wants - then change ISP, good luck here in the states actually finding a isp that does IPv6 correctly or well even that is not business level connectivity ;)
You said it yourself, changing ISPs is not an option. The choice doesn't have half the speed and charges 3 times as much. Without exaggerating. I am considerably lucky to be in an area of town close enough to the ISP to have fiber at this point. They are only starting to build out.
@johnpoz said in IPV6 and firewall rules with dynamic IPV6:
Or the simple solution for most home users - just don't use it ;) Come back to it in 3 to 5 years and see if it's ready for prime time at that point..
Funny you should say that, I first started trying to use IPv6 about 5 years ago, came back to it a couple times since then. Even as recently as a few months ago on this forum.
Haven't had much luck each time in the past.
This time seems to be not much different.
If only pfSense supported aliases with dynamic IPv6 addresses. sigh
-
@johnpoz said in IPV6 and firewall rules with dynamic IPV6:
@jknott said in IPV6 and firewall rules with dynamic IPV6:
I read that China plans to be single stack IPv6 only by 2030
That's great - have never in my life ordered anything from a site hosted in China ;)
So you think this site that sells stuff, so they need people to get to it, is going to ONLY be available via IPv6? You want to make a bet ;)
2030 huh, it's 2021.. Let's say they plan on doing it by 2025 even, and just blocking all access from IPv4 after some future cut-off date. That is not today, that is not next week, that is not next year even.. So in the current state of affairs there is zero "need" for it.. And from your statement it's almost a decade away from a point where he would need IPv6 to order something from China ;) Which I would bet a HUGE sum of money is not going to be the case.. Blocking or preventing access from IPv4 is multiple decades down the road - no matter how much you might want it to be sooner.. Even if XYZ company or country said - hey you can only talk to us on IPv6.. Do you not feel that countries/ISPs that are still behind would put in methods to talk from their IPv4 network to these IPv6 IPs.. Just like how your IPv6-only phone today talks to IPv4 networks.. Hopefully with a properly deployed IPv6 network for their users - but clearly this is not the case with his current ISP and 6rd ;)
To be honest, countries or companies that would have the balls to do such a thing and say hey, on date X we are turning off IPv4 and will only communicate with IPv6 would be one way to push the adoption of IPv6 along and actually get it done in our lifetimes ;) hehehe
Even if that date was 10 years in the future.. Not saying IPv6 is not the future, it's just that future is not any time soon, and sure not in a state now that anyone that doesn't want to play with IPv6 and spend the cycles to learn it and get up to speed with it really needs to be concerned with it..
And it's sure not in a state where some user that wants to allow 1 or a couple of his machines to use IPv6 should spend any cycles dicking with 6rd where his prefix changes as the wind blows. If his ISP does not provide stable, easy to use IPv6 that meets his needs/wants - then change ISP; good luck here in the states actually finding an ISP that does IPv6 correctly or even well that is not business-level connectivity ;) Or just use, say, HE where he can get a static /48... I have had mine for like 10+ years, it works.. It takes a couple of minutes to set up.. It would give him all the flexibility he could want to add IPv6 to his network that is stable, easy to manage and configure.
Or the simple solution for most home users - just don't use it ;) Come back to it in 3 to 5 years and see if it's ready for prime time at that point..
Yeah, and Xbox Live is a good use case for it right now. I assume you'll see my other comment about what I'm trying to do so I won't re-explain.
-
Check your IPv4 address. As I mentioned 6rd uses it to determine your prefix. Maybe your ISP can do something with it.
-
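The two replies above about 6rd deriving the prefix from the WAN IPv4 address are the whole reason a firewall rule written against a literal client address stops matching after a reboot. The following script is an added worked example (it is not from this thread, from pfSense, or from the ISP) that carries the RFC 5969 6rd derivation through on constructed values: a documentation 6rd prefix `2001:db8::/32`, an IPv4MaskLen of 0, a made-up client MAC, and two sample WAN addresses standing in for "before" and "after" a reboot. It assumes the client uses a modified EUI-64 interface identifier on the first /64 of the delegated prefix; hosts that use temporary (RFC 4941) or randomised stable (RFC 7217) identifiers will not have the EUI-64 address shown here, which is the caveat to keep in mind before relying on a suffix-based rule.

```python
import ipaddress

# Constructed sample values for this example (not from the thread or any ISP):
SIXRD_PREFIX = "2001:db8::/32"     # ISP's 6rdPrefix (RFC 5969); 2001:db8::/32 is documentation space
IPV4_MASK_LEN = 0                  # IPv4MaskLen: leading IPv4 bits the ISP drops (0 = keep all 32)
CLIENT_MAC = "00:11:22:33:44:55"   # constructed client MAC
WAN_V4_BEFORE = "10.100.100.1"     # constructed WAN IPv4 before the reboot
WAN_V4_AFTER = "10.100.100.2"      # constructed WAN IPv4 after the reboot


def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, wan_ipv4):
    """RFC 5969 6rd: delegated prefix = 6rdPrefix || (IPv4 address with its first IPv4MaskLen bits removed)."""
    base = ipaddress.IPv6Network(sixrd_prefix, strict=True)
    v4_bits_kept = 32 - ipv4_mask_len
    v4 = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits_kept) - 1)
    delegated_len = base.prefixlen + v4_bits_kept
    # The kept IPv4 bits sit immediately after the 6rd prefix bits.
    value = int(base.network_address) | (v4 << (128 - delegated_len))
    return ipaddress.IPv6Network((value, delegated_len), strict=True)


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291 Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit
    return int.from_bytes(iid, "big")


def host_address(delegated, iid):
    """Client address on the first /64 of the delegated prefix (subnet id 0 is an assumption here)."""
    if delegated.prefixlen > 64:
        raise ValueError("delegated prefix longer than /64 leaves no /64 for the client LAN")
    return ipaddress.IPv6Address(int(delegated.network_address) | iid)


def rule_outcome(rule_address, current_address):
    """Does a rule written against a literal host address still match the client's current address?"""
    return ipaddress.IPv6Address(rule_address) == ipaddress.IPv6Address(current_address)


def same_interface_id(a, b):
    """True when two addresses share their low 64 bits, i.e. only the prefix differs."""
    mask = (1 << 64) - 1
    return int(ipaddress.IPv6Address(a)) & mask == int(ipaddress.IPv6Address(b)) & mask


def walk_through():
    """Return (prefix before, prefix after, client before, client after) for the constructed sample."""
    iid = eui64_interface_id(CLIENT_MAC)
    before = sixrd_delegated_prefix(SIXRD_PREFIX, IPV4_MASK_LEN, WAN_V4_BEFORE)
    after = sixrd_delegated_prefix(SIXRD_PREFIX, IPV4_MASK_LEN, WAN_V4_AFTER)
    return before, after, host_address(before, iid), host_address(after, iid)


if __name__ == "__main__":
    before, after, client_before, client_after = walk_through()
    print("delegated prefix before reboot:", before)
    print("delegated prefix after reboot: ", after)
    print("client address before:", client_before)
    print("client address after: ", client_after)
    print("literal host rule still matches:", rule_outcome(str(client_before), str(client_after)))
    print("interface identifier unchanged:", same_interface_id(str(client_before), str(client_after)))
```

Run it and the WAN IPv4 changing by a single value moves the delegated prefix from `2001:db8:a64:6401::/64` to `2001:db8:a64:6402::/64`; the client's interface identifier (`211:22ff:fe33:4455`) is unchanged, so a rule keyed on a literal address fails while one keyed on the low 64 bits (or on the whole LAN/VLAN network rather than a host, as suggested later in the thread) would still match. Changing `IPV4_MASK_LEN` to 8 shows the shorter /56 an ISP that strips the first IPv4 octet would delegate.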
@cr8tor said in IPV6 and firewall rules with dynamic IPV6:
Their policy is plug the modem back in and see how magically it works. Past that, they won't even respond to their own tech support when they do go asking about things.
My ISP has provided native IPv6 for about 6 years and via 6rd and 6to4 before that. I used 6in4 from a tunnel broker for almost 6 years before my ISP offered native IPv6. My ISP has a community forum, where I'm occasionally referred to as an expert(?) on pfsense. I have also noticed that the support people generally know IPv6, but not the finer details that can affect service.
-
@jknott said in IPV6 and firewall rules with dynamic IPV6:
Check your IPv4 address. As I mentioned 6rd uses it to determine your prefix. Maybe your ISP can do something with it.
It may be used to determine my prefix, however my address changes each time I reboot their ONT or my pfSense box.
There is nothing they will do. "Plug in the modem that is supposed to be there" is all they care about and they will not help past that. I appreciate your help.
It seems that until pfSense supports an alias with a dynamic IPv6 address I'm hosed. Side note, I'm finding that the Hurricane Electric tunnel does not play nice with Xbox Live so it doesn't seem to be an option at the moment. Am still researching though.
By the time I get all this working our last kid will be grown and out of the house and it won't matter any more.
-
@jknott said in IPV6 and firewall rules with dynamic IPV6:
My ISP has a community forum
My ISP refers to Facebook as a community forum. haha
-
@cr8tor said in IPV6 and firewall rules with dynamic IPV6:
I'm finding that the Hurricane Electric tunnel does not play nice with Xbox Live
And why is that.. the Xbox wouldn't have any idea you're running through a tunnel - just like the tunnel you're using via 6rd..
If all you want it for is your Xbox - put that on its own VLAN.. Only box on that VLAN - then who cares if its IPv6 address changes via 6rd..
-
@johnpoz said in IPV6 and firewall rules with dynamic IPV6:
@cr8tor said in IPV6 and firewall rules with dynamic IPV6:
I'm finding that the Hurricane Electric tunnel does not play nice with Xbox Live
And why is that.. the Xbox wouldn't have any idea you're running through a tunnel - just like the tunnel you're using via 6rd..
If all you want it for is your Xbox - put that on its own VLAN.. Only box on that VLAN - then who cares if its IPv6 address changes via 6rd..
Because a moderator on an Xbox Live forum said so. Please note, I did also finish with "Am still researching though." Far be it from a forum moderator to be incorrect.
You sure do seem sour. Not pleasant to deal with. But alas, thanks for the suggestions anyway.
I know I'm not always the best to deal with either so I am not flaming, just sharing.
I am curious. Are you currently drunk so as "to spend time with his fools"?
That seems like an odd quote to have in your signature. Seems to imply we are fools.