Matureness of IPv6 generally
-
Hi All.
I have been following IPv6 for years, and attempted to use it on many sites, but currently it's only possible in one location due to the ISP/pfSense combination - pfSense is somewhat to blame here, but so are the ISPs and IPv6 standardization board.
I’m starting to give up on IPv6 - I don’t think it will ever get there. There are just too many options, changes, OSes that do not support this or that, and then the entire COMPLETE MESS of DHCPv6/DHCPv6-PD/SLAAC standardisation (or lack thereof).
I have about 40 sites going using 6 different ISPs. 4 of them officially support IPv6, but only one ISP can be brought to work reliably with pfSense using “almost” default DHCPv6 settings.
- One of the 4 requires DHCPv6 options and settings that pfSense does not support (Orange in France)
- Two use some heavy advanced settings that pfSense can be brought to work with for a short time, but then either renewal or PD renewal fails and it is completely unreliable.
- The last one still requires a few “geek” DHCP6 settings to actually work (Do not wait for RA, Do not send release prefix delegation, specific DUID selection)
Considering IPv6 also presents a MYRIAD of other problems with:
- No DNS names for hosts unless using DHCPv6 (no android)
- Possible “rapidly” changing PD delegation and thus required Firewall ruleset/settings overhaul
- Private addresses that make specific outbound firewall filtering completely impossible.
Do you find IPv6 mature? - if not, do you think it will ever get there?
Do you expect it will succeed in replacing IPv4, allowing for proper greenfield IPv6-only deployments worldwide - If so, how long will it take?
I think I have lost faith. There is no uptake on the whole missing DNS/firewall registration problem - apart from vendor specific solutions based on agents or VERY heavily managed endpoint device solutions, and it seems the industry just decided that DHCPv6 on ISP side should remain an unstandardized jungle.
-
@keyser I am with you on that. I have to reboot pfSense at night to have IPv6 working on WAN. And if my address(es) change at daytime, I have to save and apply the WAN interface to get it working again. It is tiresome.
I even do IPv6 NAT, to have some functionality back that I used to have with IPv4 (centralized DynDNS).
-
Well, I have been using IPv6 for 13 years. I used a 6in4 tunnel for almost 6 years, then my ISP started providing native IPv6. It's rock solid for me. I do know some ISPs don't have a clue. If your ISP doesn't provide reliable IPv6, you might consider a tunnel from Hurricane Electric.
It might help to mention which ISP you're on, as someone here might have experience with them.
-
@JKnott said in Matureness of IPv6 generally:
you might consider a tunnel from Hurricane Electric.
But only might. I recently gave the free tier from HE another try and all the servers in Europe had problems with packet loss. It is not what it used to be (but still free).
-
I've not really run into any IPv6 issues, it just works here in the UK. Most of my traffic is IPv6 these days. Indeed, I depend on it as not everyone owns a large IPv4 block - IPv6 addresses tend to be both free and abundant!
I've run into a bug or 2 on pfSense where a combination of IPv6 & PPPoE have caused interface issues. One of them was fixed on the last release and the other is in-work.
I guess I am in the 'full-embraced IPv6' community with no scars or injuries. I have been so for a number of years and have transitioned IPv6 from ADSL to VDSL to G.fast and now FTTP.
The slow roll-out in the US has blighted some development work but the tide seems to be changing, even in the US. The US ISP network also suffers horrors such as CGNAT, so there are other issues at play over the pond.
-
@keyser said in Matureness of IPv6 generally:
One of the 4 requires DHCPv6 options and settings that pfSense does not support (Orange in France)
I'm using Orange @work, fiber since last January.
Because the connection is used by a company, I got a router update : The Livebox 6, and it says it's the Pro version.
Just one device is attached to it : pfSense.
My WAN setup :
No other checks or options ...
The WANv6 gets an IPv6 link-local address, and an IPv6 address - and in the logs I can see it also got a prefix, which I'm using on my LAN.
I'm not using 'tracking' : I use the prefix obtained from the Livebox as a 'base' and set it up on my LAN :
And from here on, I've set up the DHCPv6 on LAN, and all is well since.
I would love to use the HE tunnel as a spare IPv6 connection, as they never let me down for the last many years : a rock solid IPv6 connection.
But surprise : I've tried everything but this new '6' Livebox router doesn't pass the '6in4' protocol. The Livebox 4 and 5 handled that protocol very well. And there are more issues.
Even if the Livebox has a full /56 available, it only hands out one /64 prefix.
The entire story is detailed here.
But : I can't say IPv6 isn't working with Orange + pfSense. My LAN is fully IPv6 aware.
I can't 'open' an IPv6 address in the /64 'prefix' range, so I can access one of my LAN based devices. So, so be it, I'm using NAT + IPv4.
I can only reach my pfSense WAN over IPv6, so, technically, I could use IPv6 or IPv4 to reach my OpenVPN pfSense server.
The connection is very stable, even under full load, which is nearly symmetric, close to 1 Gbit/sec.
A new firmware ( SG60-fr-G06.R00.C08_00 ) for my '6' box is in the queue.
Btw : I'm posting here on forum.netgate.com using IPv6 for years now.
-
@Gertjan Yeah, IPv6 works okay from endpoints if you use Orange’s Livebox as a router.
But if you want to use pfSense, having a Livebox in front causes double NAT on IPv4, no delegation on IPv6, just a /64 - requiring you to do IPv6 NAT or port forward to use the single /64 your pfSense gets on WAN and ULA on LAN.
That’s a horrible solution in my opinion - and completely unacceptable in my use case. So I have pfSense directly attached to the Orange Fiber with an SFP ONT module which works flawlessly. But then comes all the IPv6 “trickery” and non standard things Orange applies to make life difficult for customers attempting to not use the Livebox.
-
@Gertjan But I’m sure if pfSense supported all the necessary DHCPv6 options I could get IPv6 running with Orange like I have IPv4.
The options and values needed are after all well described by a guy from Orange.
The problem would be figuring out the “special” DHCPv6 settings needed to get DHCPv6 going (ia-ra, ia-na, timings of RA, PD request and release settings and what not - all those things that I find are NOT mature/standardized across the industry at all in DHCPv6)
-
@keyser said in Matureness of IPv6 generally:
IPv6 works okay from endpoints if you use Orange’s Livebox as a router.
But if you want to use pfSense,
That's how I use them : ISP <fibre> Livebox6 <2.5 Gbit LAN> pfSense <MyLocalPlayGround>
3 NAT rules in the Livebox :
An OpenVPN, endpoint is pfSense WAN - so no double NAT.
A Munin node running on pfSense - so no double NAT.
And a double NAT to my pfSense LAN based NAS, so I can use my local NAS as a backup device for my dedicated servers, running in a datacentre in Paris.
I'm not hosting any mail/web/whatever locally.
All this works fine.
I don't bother double (or more) NAT, as, once you know who to NAT, it is soooooo easy.
I'm not trying to not use the Livebox, by injecting the fibre cable into a pfSense WAN NIC (with some kind of adapter).
I leave the ISP connection up to the Livebox router.
I do use the phone connection on the ISP router (Livebox), as it is acting as our 'fax', as the line is free (and while the concept fax still exists - it will die very soon now).
@keyser said in Matureness of IPv6 generally:
no delegation on IPv6, just a /64
See the image above : my Livebox delegates a prefix to pfSense, to be used by pfSense on its LAN. It works.
@keyser said in Matureness of IPv6 generally:
Orange Fiber with a SFP ONT module which works flawlessly.
Once, some day, I'll adventure in that direction.
@keyser said in Matureness of IPv6 generally:
But then comes all the IPv6 “trickery” and non standard things Orange applies to make life difficult for customers attempting to not use the Livebox.
From what I know - and you know better, I guess :
Some special crafted DHCP options (encoded MAC+fti/xxx login + password) are needed to get an IPv4, gateway, etc.
Same thing for DHCPv6.
@keyser said in Matureness of IPv6 generally:
Orange Fiber with a SFP ONT
Interesting.
Do you have details about the SFP ?
I'm using a 4100
The two WAN ports are doubled with SFP slots.
Maybe I'll do some experimenting with them, if I know what SFP to buy.
-
@Gertjan Hi Gertjan. I know it can be done like you do it (Did not know it would delegate a /64 however).
But I just think it's cumbersome and annoying as he** to have all that translation and workarounds active. Besides, one of my sites is a remote site where there is no staff to help me out if something goes south with the VPN, and it’s just nice to have the public IP directly in that case.
I’m using this particular SFP: https://www.fs.com/de-en/products/133619.html
in two SG-2100’s, but I had one mounted in my SG-6100 briefly (same NICs as the SG-4100), and it works there too.
It works completely flawlessly, and all you have to do is register your Livebox GPON serial number and vendor code in an SSH session (see lafibre.org). Then it’s permanently good to go. Both of mine have been working for 2 years without issues now. The only issue is not fiber/link related but rather Orange's required DHCP options and lately pfSense’s “quirky” 802.1q tagging of DHCP frames. But it’s no problem getting it to work on IPv4 (and IPv6 on other firewalls). 100% stable in both my cases.
IPv6 is a different issue on pfSense as Orange requires DHCP options that pfSense does not support. So for now I’ve given up attempting IPv6 on Orange - a while back I had it running for a while using OPNsense’s DHCP6c client ported to pfSense. But I decided against this approach as it required some “hacks” I didn’t care for in upgrade situations and such.
-
@keyser
I'm scratching my head a little and not sure why a simple configuration, similar to mine below, would not work for you?
My ISP provides a static /48 address block but I set it as DHCPv6, using the prefix only and set a unique prefix ID on each LAN/VLAN interface - giving them their own /64 to work with. (I understand you get a /56 but that still leaves plenty for subnetting.)
WAN Interface:
LAN Interface:
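The configuration RobbieTT describes above (a delegated /48 or /56, with a unique prefix ID per LAN/VLAN interface giving each one its own /64) is the same arithmetic that a tracked interface in pfSense and dhcp6c's sla-id/sla-len perform. As an added example that is not part of this thread and not pfSense's or dhcp6c's own code, the Python below derives each interface's /64 from the delegated prefix and its prefix ID, refuses duplicate IDs, and reports when an ID does not fit; the last case is what happens with a bare /64 on WAN, as in the Livebox setup discussed earlier. The 2001:db8:: prefixes are documentation addresses and the interface names and IDs are constructed; the mapping of pfSense's "IPv6 Prefix ID" onto sla-id is an assumption.

```python
import ipaddress
from typing import Dict

SUBNET_LEN = 64  # each LAN/VLAN gets its own /64, as the post above describes


def sla_len(delegated: ipaddress.IPv6Network, subnet_len: int = SUBNET_LEN) -> int:
    """Bits available for the per-interface ID: the gap between the delegated
    prefix length and the interface prefix length (dhcp6c calls this sla-len).
    A /48 leaves 16 bits, a /56 leaves 8, a bare /64 leaves none."""
    if delegated.prefixlen > subnet_len:
        raise ValueError(f"{delegated} is longer than /{subnet_len}: nothing to subnet")
    return subnet_len - delegated.prefixlen


def interface_prefix(delegated: str, prefix_id: int,
                     subnet_len: int = SUBNET_LEN) -> ipaddress.IPv6Network:
    """Place prefix_id (dhcp6c's sla-id; assumed to be what pfSense's 'IPv6
    Prefix ID' on a tracked interface means) in the bits directly after the
    delegated prefix and return the interface prefix. Raises if the ID needs
    more bits than the delegation leaves free."""
    net = ipaddress.IPv6Network(delegated, strict=True)  # reject stray host bits
    bits = sla_len(net, subnet_len)
    if not 0 <= prefix_id < (1 << bits):
        raise ValueError(
            f"prefix ID {prefix_id:#x} needs more than the {bits} bit(s) "
            f"left by {net}; the largest usable ID is {(1 << bits) - 1:#x}")
    host_bits = 128 - subnet_len
    return ipaddress.IPv6Network(
        (int(net.network_address) | (prefix_id << host_bits), subnet_len))


def plan(delegated: str, prefix_ids: Dict[str, int]) -> Dict[str, ipaddress.IPv6Network]:
    """Map every interface to its prefix, refusing duplicate IDs (two interfaces
    with the same ID would be handed the same /64, which breaks routing)."""
    owners: Dict[int, str] = {}
    for name, pid in prefix_ids.items():
        if pid in owners:
            raise ValueError(f"prefix ID {pid:#x} used by both {owners[pid]} and {name}")
        owners[pid] = name
    return {name: interface_prefix(delegated, pid) for name, pid in prefix_ids.items()}


if __name__ == "__main__":
    # Constructed sample: documentation prefixes, not a real delegation.
    interfaces = {"LAN": 0x1, "GUEST": 0x2, "IOT": 0x1a}
    for delegated in ("2001:db8:1234::/48", "2001:db8:1234:ab00::/56"):
        for name, prefix in plan(delegated, interfaces).items():
            print(f"{delegated:>28}  {name:<6} -> {prefix}")
    # A bare /64 on WAN leaves no bits to subnet, so only prefix ID 0 would fit:
    try:
        plan("2001:db8:1234:ab00::/64", interfaces)
    except ValueError as err:
        print("no room to subnet:", err)
```

With a /48 the IDs land in the fourth hextet (2001:db8:1234:1a::/64 for ID 0x1a); with a /56 only the low byte of that hextet is free, so the same ID gives 2001:db8:1234:ab1a::/64 and anything above 0xff is rejected. Keeping the prefix IDs in a small table like this is also the easiest way to notice when a renewed delegation arrives with a different length than the one the IDs were chosen for.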
-
@RobbieTT The issue is not that it does not work in pfSense. The issue is that each ISP (if you elect to skip using their CPE) uses some absurdly finicky DHCPv6 settings that take hours and hours of packet capture analysis to decode and replicate in terms of pfSense DHCPv6 configuration. My point is that DHCPv6 is not “standard” like DHCP4 where it is HIGHLY unusual for it not to work if you just enable it.
If the ISP then changes some settings, DHCPv6 stops working again, and you have to start over.
-
@keyser said in Matureness of IPv6 generally:
If the ISP then changes some settings, DHCPv6 stops working again, and you have to start over.
Then it's not a problem with IPv6. It's a problem with some ISPs. You can't make a direct comparison with IPv4, as IPv6 can do so much more, such as providing a prefix, rather than just a single address. You also don't need NAT with it, to support multiple devices.
-
@JKnott said in Matureness of IPv6 generally:
Then it's not a problem with IPv6. It's a problem with some ISPs. You can't make a direct comparison with IPv4, as IPv6 can do so much more, such as providing a prefix, rather than just a single address. You also don't need NAT with it, to support multiple devices.
You are absolutely correct - in principle. But my point is that IPv6 routing - and specifically DHCPv6(-PD) and SLAAC assignments - have been changed and augmented so many times to allow for all manner of quirky needs and demands, that it takes a PhD and complete eye-level communication with the party setting up the other end - otherwise odds are it will not work when we are talking ISP to end customer without CPE setups (not your average LAN IPv6 service).
-
@keyser said in Matureness of IPv6 generally:
My point is that DHCPv6 is not “standard” like DHCP4 where it is HIGHLY unusual for it not to work if you just enable it.
Perhaps we are just beaten into submission when it comes to the horridness that comes with IPv4. All that messing with DHCP addresses, working with the constraints of NAT, no globally routable addresses for clients, reduced performance due to NAT overhead, DHCP pool allocations for WAN that can change, additional cost of static IPv4 addresses (if available), use of services such as DDNS, reverse proxies, port forwarding, UPnP etc etc.
IPv4 is a car crash but we are just used to its many pitfalls.
-
@JKnott But I’m also referring to the no-man's land of missing name service registration, missing options for standardized central control of whether clients should DNS register, not use private addresses, and prioritize their use of which IPv6 address?
-
Can you show me those services for IPv4? As for address scope, IPv6 tries to use the best address type to reach the destination. If a destination has both ULA and global addresses, then ULA will be used. Nothing mysterious about that.
BTW, every Saturday morning, some friends and I have a video conference (we used to meet in a restaurant before COVID). One of my friends set up a Jitsi server for this. The friend where the server is located is on an ISP that does not provide consistent IPv4 addresses and so we use DDNS to reach it. However, when the address changes, my friend has to go in to make some changes, so Jitsi will work with the new address. Also, since the friend who has the server in his home uses an RFC 1918 address and everyone else is coming in from the Internet, through NAT, the server sometimes causes problems for the guy with the server in his home. Lots of fun.
-
@JKnott I’m not arguing that IPv4 is nice or better (or even good), because I too hate all the work and issues that NAT (sometimes multiple) and the limited amount of addresses introduce. I’m a huge fan of IPv6 and would love everything to go greenfield IPv6.
I'm just questioning if that will ever happen due to IPv6’s less than stellar maturity and ease of use? Considering it’s 15 years old I think it’s appalling the amount of issues that are still present or not handled with ease.
-
I seem to remember that the draft for IPv6 was out before IPv4 NAT became a thing. Even the original author of NAT (Paul Francis?) didn't think much would come of it. Then came PIX hardware and the world changed.
-