Very Basic IPv6 security question.
-
@JKnott said in Very Basic IPv6 security question.:
@guardian said in Very Basic IPv6 security question.:
For some reason the connection monitor isn't working - it was working before, but then everything else wasn't working, so it didn't matter. Is there a way to fix it?
What address are you using? It has to be a global address, not link local.
The address in brackets is the monitor address, which is the Google DNS IPv6 equivalent of 8.8.8.8.
It was working before I made the last round of changes that I documented in my last post. My internet connection started to work as it was supposed to, but the monitor just stopped at some point.
I even tried to reboot my phone, and nothing changed.
-
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
-
@johnpoz said in Very Basic IPv6 security question.:
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
Since he's on Rogers, he should have a WAN GUA. In my own testing, I've determined that a link local monitor address won't work, as the gateway address doesn't respond to pings. It's been so long since I set up my own system that I forgot that was why I couldn't use a link local address. However, a monitor address is not necessary for a working system. There's also the IPv4 one that should work.
-
@johnpoz said in Very Basic IPv6 security question.:
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
@johnpoz I understand you can not ping a gua from link local - what I don't understand is what pfSense is actually doing, and how the gateway monitor gets set up or what address the pings get sent from. Ping/traceroute work from the menu, (but the actual address used isn't shown), but the pinger isn't working and I had no idea why. There was a point (when I didn't have a working system), that I had a working pinger - I believe it was before I set up prefix delegation - I think the router was being issued a single /64 - but I can't remember.
@JKnott said in Very Basic IPv6 security question.:
@johnpoz said in Very Basic IPv6 security question.:
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
Since he's on Rogers, he should have a WAN GUA. In my own testing, I've determined that a link local monitor address won't work, as the gateway address doesn't respond to pings. It's been so long since I set up my own system that I forgot that was why I couldn't use a link local address. However, a monitor address is not necessary for a working system. There's also the IPv4 one that should work.
@JKnott, @johnpoz is there a way forward, or should I just disable the monitor and hide it from the dashboard?
I notice the same thing with IPv4, that the monitor is using internal addresses. Is there some way to display my public IP on the dashboard? (If not, no big deal, but it would be "nice" to have.)
-
@guardian said in Very Basic IPv6 security question.:
Is there some way to display my public IP on the dashboard?
Does your wan have a public IPv4 address? Or are you behind a nat?
For your IPv6 - not getting a gua, do you have this set?
If you actually have public IPv4 and IPv6 address - they would be shown on what your gateway is and the actual interfaces
-
@guardian said in Very Basic IPv6 security question.:
@JKnott, @johnpoz is there a way forward, or should I just disable the monitor and hide it from the dashboard?
I notice the same thing with IPv4, that the monitor is using internal addresses. Is there some way to display my public IP on the dashboard? (If not, no big deal, but it would be "nice" to have.)
You can add the interfaces widget to the dashboard. As for your monitor, as I mentioned you don't need it. Normally pfSense will use the gateway as the monitor address. That works for IPv4, but with Rogers, on IPv6, it doesn't work, because the Rogers gateway doesn't respond to ping. As I mentioned earlier, I just ran a traceroute to Google and picked the first GUA that turned up.
-
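As an added example (not from this thread and not pfSense code), here is a small POSIX sh script that does the address sorting the replies above rely on: it classifies an IPv6 address as link-local (fe80::/10), ULA (fc00::/7), GUA (2000::/3) or other, and picks the first GUA hop out of `traceroute6 -n`-style output, which is the "run a traceroute and take the first GUA" procedure JKnott describes. The function names are assumptions, and the trace text is constructed here using the 2001:db8::/32 documentation prefix rather than captured from Rogers.

```shell
#!/bin/sh
# Added example, not part of the original thread or of pfSense.
# Classify IPv6 addresses and pick the first GUA hop from traceroute6 -n output.

# Print the class of one IPv6 address. A zone id such as %em0 is stripped,
# and hex digits are lower-cased before matching.
ipv6_class() {
    addr=$(printf '%s' "$1" | cut -d% -f1 | tr 'A-F' 'a-f')
    case "$addr" in
        fe8?:*|fe9?:*|fea?:*|feb?:*) echo link-local ;;   # fe80::/10
        fc??:*|fd??:*)               echo ula ;;          # fc00::/7
        2???:*|3???:*)               echo gua ;;          # 2000::/3
        ::1)                         echo loopback ;;
        *)                           echo other ;;
    esac
}

# Read traceroute6 -n output on stdin-style text ($1) and print the first hop
# address that is a GUA. Header lines and "*" (no reply) hops are skipped.
first_gua_hop() {
    printf '%s\n' "$1" | while read -r hop addr rest; do
        case "$hop" in ''|*[!0-9]*) continue ;; esac   # not a numbered hop line
        [ "$addr" = '*' ] && continue
        if [ "$(ipv6_class "$addr")" = gua ]; then
            printf '%s\n' "$addr"
            break
        fi
    done
}

# Constructed sample (assumption): a link-local first hop that does not answer
# as a monitor target, a silent hop, then the first ISP-side GUA.
SAMPLE_TRACE='traceroute6 -n to 2001:4860:4860::8888, 64 hops max
 1  fe80::1%em0  0.512 ms  0.431 ms  0.398 ms
 2  * * *
 3  2001:db8:ffff:1::1  9.210 ms  8.977 ms  9.043 ms
 4  2001:db8:ffff:2::1  11.002 ms  10.871 ms  10.955 ms'

first_gua_hop "$SAMPLE_TRACE"   # prints 2001:db8:ffff:1::1
```

The script only checks the address class of each hop, not whether that hop answers ICMPv6 echo requests; run `ping6` against the printed address before entering it as the pfSense gateway monitor IP, since, as noted above, some ISP gateways simply do not reply.
-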
@johnpoz said in Very Basic IPv6 security question.:
@guardian said in Very Basic IPv6 security question.:
Is there some way to display my public IP on the dashboard?
Does your wan have a public IPv4 address? Or are you behind a nat?
For your IPv6 - not getting a gua, do you have this set?
If you actually have public IPv4 and IPv6 address - they would be shown on what your gateway is and the actual interfaces
@johnpoz, @JKnott - TLDR; Pinger working now thanks--and IPv6 still OK!
I have a public IPv4 address, but the pinger widget displays the gateway (x.x.x.1) address even though the pinger is working.
I turned off the setting you suggested. I had it set because it was part of the settings recommended earlier that got my IPv6 connectivity working. It turns out that this setting wasn't a necessary part of the changes, so turning it off got the pinger working again without causing problems. I guess that link local address and the x.x.x.1 address are technically the gateway -- but with multiple L3 addresses on an interface showing through it still shows a link-local address in the widget.
@JKnott said in Very Basic IPv6 security question.:
You can add the interfaces widget to the dashboard. As for your monitor, as I mentioned you don't need it. Normally pfSense will use the gateway as the monitor address. That works for IPv4, but with Rogers, on IPv6, it doesn't work, because the Rogers gateway doesn't respond to ping.
@JKnott thanks for the suggestion about the Interfaces widget, that gives me what I want.
As I mentioned earlier, I just ran a traceroute to Google and picked the first GUA that turned up.
Isn't that a bit risky in this day of infrastructure as code? I don't think the public IP is going to change anytime soon, but what about the path to it?
-
@guardian said in Very Basic IPv6 security question.:
Isn't that a bit risky in this day of infrastructure as code? I don't think the public IP is going to change anytime soon, but what about the path to it?
That address is still on my ISP's network, so it likely won't change. As long as it's there, along the path or not, it will work. Regardless, the worst that could happen is the monitor stops working. Big deal.
I have a public IPv4 address, but the pinger widget displays the gateway (x.x.x.1) address even though the pinger is working.
By default, the gateway address is used. However, as I mentioned, that didn't work on IPv6 with Rogers, as the IPv6 gateway doesn't respond to pings. If it did, the link local address would have worked, with or without a WAN GUA.
You're discovering some of the ways IPv6 differs from IPv4. With IPv4, you don't have the link local address to use for routing etc.. You also don't need a WAN GUA, something you couldn't get away with on IPv4.
-
@JKnott said in Very Basic IPv6 security question.:
You also don't need a WAN GUA, something you couldn't get away with on IPv4.
Says who? You can for sure do the same thing with IPv4.. You can use 169.254 as a transit, you can use any rfc1918 as transit - the transit network doesn't have to route to use it as transit network.. See it all the time actually..
Where it makes less sense to do this is IPv6 - where you have a bajillion pretty much unlimited IP space.. Unlike with IPv4.. Not putting a gua on the transit in IPv6 is pretty stupid to be honest.. Why should you not make it routeable when you don't have to worry about running out of IP space to use ;)
-
@johnpoz said in Very Basic IPv6 security question.:
You can use 169.254 as a transit, you can use any rfc1918 as transit - the transit network doesn't have to route to use it as transit network.. See it all the time actually..
I was referring to WAN addresses. My ISP used to use some RFC1918 addresses internally. I saw them when I did a traceroute.
@johnpoz said in Very Basic IPv6 security question.:
Not putting a gua on the transit in IPv6 is pretty stupid to be honest..
Maybe the ISP doesn't want to "waste" a whole /65 to support it.
I don't have a problem with using the link local addresses for routing. In fact, you don't even need any address, with a point to point link. All you need is the interface.