Any way to prefer IPv4 over v6 for all traffic?
-
hey experts!
before I give up on IPv6 (yet again) - is there any way to prefer v4 over v6 for all clients?
I know the flag in settings has pfSense itself prefer v4... but I'd like to do it for all clients. I tried making the IPv4 allow rule higher than the v6 rule, but that doesn't seem to really do it. My issue is that IPv6 seems to just not work well on the wide net. DNS queries take 2-3msecs, sites time out loading... I'm frankly surprised Comcast, for instance, defaults to IPv6 on its modems/APs in some markets. (Comcast isn't my WAN circuit at this site... just saying I'm surprised more general consumers don't have issues).
-
I'm not on Comcast, but IPv6 is rock solid for me. I suspect they're defaulting to IPv6 because, like everyone else, they're running out of IPv4 addresses. In fact, I recall reading an article, a few years ago, that they were moving to IPv6 because there weren't enough RFC1918 addresses to manage their network. As for customers, that's not determined by the ISP, but by the client computers.
Maybe you can try a different DNS.
-
@SpaceBass On pfSense 2.6.0, there is "system -> advanced -> networking" and maybe you tried the option: Prefer IPv4 over IPv6
I found that to work on comcast, at least according to test-ipv6. It might depend on your market though. I'd agree with @SpaceBass and try changing DNS to someone else if that doesn't work right.
-
@SpaceBass said in Any way to prefer IPv4 over v6 for all traffic?:
just saying I'm surprised more general consumers don't have issues).
Who says they don't - most "users" have no clue how the internet works. A slow page load to them while something tries IPv6 but then doesn't work so the client switches to IPv4 might not jump out at them as anything wrong that they could fix.. They prob just upgrade their ISP speed thinking that is the reason some pages are slow.
No, you cannot alter anything on pfSense to have clients use IPv4 before IPv6.. If that is your goal, why not just turn it off completely?
You can adjust the Windows client to prefer IPv4 over IPv6 by adjusting
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Name: DisabledComponents
Set value to
Decimal 32 (Hexadecimal 0x20)
Or you could adjust the prefix policies with netsh

$ netsh interface ipv6 show prefixpolicies
Querying active state...

Precedence  Label  Prefix
----------  -----  --------------------------------
        50      0  ::ffff:0:0/96
        40      1  ::1/128
        30      2  ::/0
        20      3  2002::/16
         5      5  2001::/32
         3     13  fc00::/7
         1     11  fec0::/10
         1     12  3ffe::/16
         1      4  ::/96

to prefer IPv4 over IPv6, but I normally have it just disabled on this box anyway. That last one there, ::/96, would be IPv4; the ::ffff:0:0/96 is the IPv4-mapped IPv6 address.. Do some googling, I haven't played with it in quite some time, because normally I just have IPv6 disabled on my PC unless I want to play with some IPv6 something.
You should be able to make adjustments in Linux to do the same..
Not sure how switching to some other DNS would solve your problem.. The client is going to ask for both A and AAAA; you could disable AAAA resolving on your DNS with say something like..
private-address: ::/0
If you set that in unbound, AAAA will fail..
example
Without it set

$ dig @192.168.9.253 www.google.com AAAA

; <<>> DiG 9.16.41 <<>> @192.168.9.253 www.google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63457
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.			IN	AAAA

;; ANSWER SECTION:
www.google.com.		2223	IN	AAAA	2607:f8b0:4009:814::2004

;; Query time: 0 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Thu Jun 08 06:05:08 Central Daylight Time 2023
;; MSG SIZE  rcvd: 71

With that set, the client asks for AAAA and they don't get anything back..

$ dig @192.168.9.253 www.google.com AAAA

; <<>> DiG 9.16.41 <<>> @192.168.9.253 www.google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27821
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.			IN	AAAA

;; Query time: 105 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Thu Jun 08 06:05:36 Central Daylight Time 2023
;; MSG SIZE  rcvd: 43
But there is nothing you could just click on pfSense and have all your clients prefer IPv4 over IPv6 - that would have to be done on the clients.
If you're having issues doing DNS over IPv6 when you resolve - you could set unbound to not do IPv6
do-ip6: no
But that doesn't stop a client from getting the IPv6 address (AAAA) over IPv4.. So the client would still try to talk to IPv6 first for what it asked for.
Lots of ways to skin the cat here, but having a client prefer IPv4 over IPv6 would be on the client - unless you don't give him an IPv6 address at all, or don't allow him to get any AAAA responses.
Another way to skin the cat for browsing would be to tell your browser not to do any IPv6 DNS.. on Firefox you can set network.dns.disableIPv6 to true in about:config.. This stops the browser from asking for AAAA completely, I normally have this set unless again I am playing with IPv6.. Because even if your client has NO IPv6 address, the browser will ask for AAAA records - which annoys the shit out of me when it does that ;) Why are you asking for AAAA when you have no IPv6 address ;)
While IPv6 is the future, I haven't found any resource on the net that I need or want that is IPv6 only. So why not make my life simpler and just not enable it.. This makes your firewall rules easier, by not having to worry if some client is going to be using some temp IPv6 address to talk to something out on the internet when all you blocked was its perm address.. There are lots of things that change with IPv6 from IPv4.. If you are not ready to fully take on that challenge and troubleshoot issues, rethink your firewall rules to include clients just using some random temp IPv6 address to make a connection, etc.. Turning it off is a valid solution to all those headaches..
Is there some specific resource that you have to have an IPv6 to talk to? I have yet to find one to be honest, you not using IPv6 if you do not want to sure isn't going to slow down the global adoption rate ;) heheh
I have it there if I want to play with something, or test something to help someone else using it, etc. But in general none of my clients get IPv6, unless I click some stuff to make that happen when I want it to happen..
-
@SpaceBass said in Any way to prefer IPv4 over v6 for all traffic?:
before I give up on IPv6 (yet again)
Several 'non expert' thoughts.
Don't worry.
Billions had to learn IPv4 before it became usable and accessible for everybody. It took a decade or two (3 ?). I'm not a biologist, but I presume Darwin's observation could be spot on : humans didn't become much smarter during that period, so they still have to fall back on the good old known process : learn.
The thing is IPv6 looks like IPv4, it might as well smell like IPv6, but isn't IPv4. The good news is : you don't need IPv6 to be happy on the Internet.
A fully working IPv6 'stack' is nice to have around. Makes us feel like we're ready when IPv4 gets shut down for good. The one that will see that moment isn't born yet I guess. "giving up" is the start of 'retrying' which is a good thing. That's what learning is all about. Feel good about that.
I advise you to throw one more factor into the balance : Consider this : add your ISP in the 'what's wrong' list. And before you contact the new one, do some research about them. Go visit that neighbour who uses it already. Test them out. All you need to know is the info they don't publish, like this question 'how do you support IPv6' ? And if so : "details please".
@SpaceBass said in Any way to prefer IPv4 over v6 for all traffic?:
DNS queries take 2-3msecs
That's a stellar performance.
An nslookup for whatever.com took me 64 ms.
I do resolving by the way, as I like the answers "from the source"; I wasn't asking Google.
@SpaceBass said in Any way to prefer IPv4 over v6 for all traffic?:
just saying I'm surprised more general consumers don't have issues
We're all the same. If IPv6 doesn't play well, then ok, no big deal "it's optional" for now.
The thing is : IPv4 connections are more or less standardized **
IPv6 is .... new ... so : standards are wrongly interpreted (at best). What you see more and more : "use the ISP box, and everything will work just fine".
Or "use your own equipment and guess who needs to be the expert now ?"
@SpaceBass said in Any way to prefer IPv4 over v6 for all traffic?:
is there anyway to prefer v4 over v6 for all clients?
As you've said : there is a button that makes pfSense somewhat "prefer" IPv4 over IPv6.
That's not possible any more for every other modern OS these days (edit : ok : just read what has been said above : it is still possible). They all prefer IPv6 over IPv4 as soon as they detect IPv6 is available. For example : take a (one) switch, several Microsoft PCs, and hook them all up together. They will use IPv6 and do 'networking'. Now, say to yourself : how can this be : there is no DHCP (IPv4) server active here, there is only a dumb switch. And yes, IPv4 isn't even operational at that moment.
To keep devices from using IPv6 'to go outside' : do not activate IPv6 on your pfSense LAN's, and you'll be fine. You could even firewall block any traffic on all pfSense LAN devices. If you still have the sites-not-loading-issues, then that won't be IPv6 related.
I think there is no need for the tricks mentioned above. If a Windows PC can't find an IPv6 gateway, it will not try to use it .... (this makes sense I guess).
In other words : if pfSense isn't announcing itself as an IPv6 gateway, it won't get used as an IPv6 gateway.
So : the PC (device) won't even bother asking for AAAA records.
** wait : no ! Call Starlink, get their kit, ditch their router, hook up your pfSense directly to the dish and enter the "W*F is this IPv4 connection ?" game.
I didn't see any forum messages yet about Starlink + IPv6 ..... ;)
Btw : IMHO : an IPv6 eye opener : just try these guys out : https://tunnelbroker.net/ - it's free.
pfSense has he.net IPv6 support built in.
Finish this one (take your time) : https://ipv6.he.net/certification/ and they will send you a free (100 %) T-shirt. They have a real static /48 for you - for life.
Even if you don't want to use them forever, they give you the "it works 99,99 % of the time IPv6" experience. That is, they did so for me.
Sorry for the ramble
-
@johnpoz said in Any way to prefer IPv4 over v6 for all traffic?:
Who says they don't - most "users" have no clue how the internet works. A slow page load to them while something tries IPv6 but then doesn't work so the client switches to IPv4 might not jump out at them as anything wrong that they could fix.. They prob just upgrade their ISP speed thinking that is the reason some pages are slow.
Occam's razor - this feels accurate
No, you cannot alter anything on pfSense to have clients use IPv4 before IPv6.. If that is your goal, why not just turn it off completely?
That's where I'm at... I really wanted to make it work, but in practice, it is breaking too much stuff for me and my users.
While IPv6 is the future, I haven't found any resource on the net that I need or want that is IPv6 only. So why not make my life simpler and just not enable it.
This feels particularly, if not also disappointingly, poignant
-
Thanks for the thoughts and reply @Gertjan
@Gertjan said in Any way to prefer IPv4 over v6 for all traffic?:
Consider this : add your ISP in the 'what's wrong' list.
I'm in close touch with the ISP folks - they are amazingly responsive and supportive. It's an expensive circuit and they support it accordingly.
DNS queries take 2-3msecs
That's a stellar performance.
An nslookup for whatever.com took me 64 ms.
oops! Typo.... 2-3 seconds, not msecs
What you see more and more : "use the ISP box, and everything will work just fine".
In this case, 10Gbps circuit, they provide an ONT-like device, but nothing else. Which, in our case, is fine.
Thanks for the suggestion on a tunnel ... not really viable. Way too slow.
They have a real static /48 for you - for life.
Our ISP gives us a static /48 along with our v4 /28
-
I'm using these settings in my unbound (DNS Query Forwarding disabled), along with the "system -> advanced -> networking" option: Prefer IPv4 over IPv6.

server:
    do-ip4: yes
    prefer-ip4: yes
    do-ip6: no
    prefer-ip6: no

Image from: https://manpages.debian.org/testing/unbound/unbound.conf.5.en.html
-
@SpaceBass yeah I came to that conclusion like 12 or 13 years ago ;) heheh when I first started playing with IPv6.
I try it again every year or so hoping the ISP has learned and fixed stuff, etc. My current ISP doesn't even offer IPv6 native.. I have to use an HE tunnel.
Which I set up something like 12 years ago, and it has really been pretty rock solid for when I use IPv6 - which again is only play.. I did for many years host NTP in the NTP pool off my IPv6 via the tunnel. But a while back I said to myself why.. And just turned that off as well.
Don't get me wrong, it works great on my phone - they only give you IPv6, no IPv4 at all - and they connect you to IPv4 using 464XLAT I am pretty sure. And this seems to work just fine for anything accessing from my phone. But when I am out and about on my phone trying to get to amazon.com or fanduel over cell.. I am not real worried about firewall rules, etc.
For the typical home user with their ISP gateway, hey they can get to amazon.com or their favorite porn site - most of them don't even know what an IP address is, let alone the difference between v4 and v6..
The simple solution for your "power" user if you will - someone that has taken the jump to pfSense vs some ISP gateway device and is now segmenting their network and creating firewall rules to limit what say their IoT devices can do.. IPv6 has a pretty steep learning curve, and brings all kinds of complexity to securing your network..
If you want to play - I would suggest HE, you can get a /48 that doesn't change.. And from my experience has been pretty rock solid.. And deploy it how you want to devices you want to play with it, etc.
You not enabling it on your network isn't going to hold the world back from transitioning - in 20 some years or so it might be there ;)