Very Basic IPv6 security question.
-
@JKnott said in Very Basic IPv6 security question.:
@guardian said in Very Basic IPv6 security question.:
For some reason the connection monitor isn't working - it was working before, but then everything else wasn't working, so it didn't matter. Is there a way to fix it?
What address are you using? It has to be a global address, not link local.
The address in brackets is the monitor address, which is the Google DNS IPv6 equivalent of 8.8.8.8.
It was workiing before I made the last round of changes that I documented in my last post. My internet connection started to work as it was supposed to, but the monitor just stopped. at some point.
I even tried to reboot my phone, and nothing changed.
-
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
-
@johnpoz said in Very Basic IPv6 security question.:
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
Since he's on Rogers, he should have a WAN GUA. In my own testing, I've determined that a link local monitor address won't work, as the gateway address doesn't respond to pings. It's been so long since I set up my own system that I forgot that was why I couldn't use a link local address. However, a monitor address is not necessary for a working system. There's also the IPv4 one that should work.
-
@johnpoz said in Very Basic IPv6 security question.:
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
@johnpoz I understand you can not ping a gua from link local - what I don't understand is what pfSense is actually doing, and how the gateway monitor gets set up or what address the pings get sent from. Ping/traceroute work from the menu, (but the actual address used isn't shown), but the pinger isn't working and I had no idea why. There was a point (when I didn't have a working system), that I had a working pinger - I believe it was before I set up prefix delegation - I think the router was being issued a single /64 - but I can't remember.
@JKnott said in Very Basic IPv6 security question.:
@johnpoz said in Very Basic IPv6 security question.:
@guardian what did you not understand about you can not ping a gua from link local?
You can for sure use a link-local as a transit network. But you can not monitor some gua address out on the internet without having a gua address.
Since he's on Rogers, he should have a WAN GUA. In my own testing, I've determined that a link local monitor address won't work, as the gateway address doesn't respond to pings. It's been so long since I set up my own system that I forgot that was why I couldn't use a link local address. However, a monitor address is not necessary for a working system. There's also the IPv4 one that should work.
@JKnott, @johnpoz is there a way forward, or should I just disable the montior and hide it from the dashbord?
I notice the same thing with IPv4, that the monitor is using internal addresses. Is there some way to display my public IP on the dashboard? (if not, no big deal, but it would be "nice" to have.).
-
@guardian said in Very Basic IPv6 security question.:
Is there some way to display my public IP on the dashboard?
Does your wan have a public IPv4 address? Or are you behind a nat?
For you IPv6 - not getting a gua, do you have this set?
If you actually have public IPv4 and IPv6 address - they would be shown on what your gateway is and the actual interfaces
-
@guardian said in Very Basic IPv6 security question.:
@JKnott, @johnpoz is there a way forward, or should I just disable the montior and hide it from the dashbord?
I notice the same thing with IPv4, that the monitor is using internal addresses. Is there some way to display my public IP on the dashboard? (if not, no big deal, but it would be "nice" to have.).
You can add the interfaces widget to the dashboard. As for your monitor, as I mentioned you don't need it. Normally pfSense will use the gateway as the monitor address. That works for IPv4, but with Rogers, on IPv6, it doesn't work, because the Rogers gateway doesn't respond to ping. As I mentioned earlier, I just ran a traceroute to Google and picked the first GUA that turned up.
-
@johnpoz said in Very Basic IPv6 security question.:
@guardian said in Very Basic IPv6 security question.:
Is there some way to display my public IP on the dashboard?
Does your wan have a public IPv4 address? Or are you behind a nat?
For you IPv6 - not getting a gua, do you have this set?
If you actually have public IPv4 and IPv6 address - they would be shown on what your gateway is and the actual interfaces
@johnpoz, @JKnott - TLDR; Pinger working now thanks--and IPv6 still OK!
I have a public IPv4 address, but the pinger widget displays the gateway (x.x.x.1) address even though the pinger is working.
I turned off the setting you suggested. I had it set because it was part of the settings recommended earlier that got my IPv6 connectivity working. It turns out that this setting wasn't a necessary part of the changes, so turnng if off got the pinger working again without causing problems. I guess that link local address and the x.x.x1 adress are technically the gateway -- but with multiple L3 addresses on an interface showing though it still shows a link-local address in the widget.
@JKnott said in Very Basic IPv6 security question.:
You can add the interfaces widget to the dashboard. As for your monitor, as I mentioned you don't need it. Normally pfSense will use the gateway as the monitor address. That works for IPv4, but with Rogers, on IPv6, it doesn't work, because the Rogers gateway doesn't respond to ping.
@JKnott thanks for the suggestion about the Interfaces widget, that gives me what I want.
As I mentioned earlier, I just ran a traceroute to Google and picked the first GUA that turned up.
Isn't that a bit risky in this day of infrastructure as code? I don't think the public IP is going to change anytime soon, but what about the path to it?
-
@guardian said in Very Basic IPv6 security question.:
Isn't that a bit risky in this day of infrastructure as code? I don't think the public IP is going to change anytime soon, but what about the path to it?
That address is still on my ISP's network, so it likely won't change. As long as it's there, along the path or not, it will work. Regardless, the worst that could happen is the monitor stops working. Big deal..
I have a public IPv4 address, but the pinger widget displays the gateway (x.x.x.1) address even though the pinger is working.
By default, the gateway address is used. However, as I mentioned, that didn't work on IPv6 with Rogers, as the IPv6 gateway doesn't respond to pings. If it did, the link local address would have worked, with or without a WAN GUA.
You're discovering some of the ways IPv6 differs from IPv4. With IPv4, you don't have the link local address to use for routing etc.. You also don't need a WAN GUA, something you couldn't get away with on IPv4.
-
@JKnott said in Very Basic IPv6 security question.:
You also don't need a WAN GUA, something you couldn't get away with on IPv4.
Says who? You can for sure do the same thing with IPv4.. You can use 169.254 as a transit, you can use any rfc1918 as transit - the transit network doesn't have to route to use it as transit network.. See it all the time actually..
Where it makes less sense to do with is IPv6 - where you have a bajillion pretty much unlimited IP space.. Unlike with IPv4.. Not putting a gua on the transist in IPv6 is pretty stupid to be honest.. Why should you not make it routeable when you don't have to worry about running out of IP space to use ;)
-
@johnpoz said in Very Basic IPv6 security question.:
. You can use 169.254 as a transit, you can use any rfc1918 as transit - the transit network doesn't have to route to use it as transit network.. See it all the time actually..
I was referring to WAN addresses. My ISP used to use some RFC1918 addresses internally. I saw them when I did a traceroute.
@johnpoz said in Very Basic IPv6 security question.:
Not putting a gua on the transist in IPv6 is pretty stupid to be honest..
Maybe the ISP doesn't want to "waste" a whole /65 to support it.
I don't have a problem with using the link local addresses for routing. In fact, you don't even need any address, with a point to point link. All you need is the interface.
-
Hi, sorry for open this topic after 1 year :/
I have disable all IPv6 on my system, and also added
Have been running like this for a long time. Until I notice when i do a "DNS Lookup"
It takes almost 20 seconds to you get any answer. And why?
As you can see the Name server that not respond is ::1 (IPv6 localhost)So when i change this to YES.
And do another DNS Lookup its answer right away.
And now ::1 responds also
I don't know if this is an bug or not. But it is quite annoying when you have to wait almost 20 seconds for every DNS lookup. :) -
If you have anything, including DNS, that points to an IPv6 address (such as a name server) and you disable bits of IPv6 then yes, you will have a problem. To stop using IPv6 you have to be meticulous in removing all uses of it.
I've no idea why anyone wants to remove the more modern IP system that is IPv6 from their network - it is clearly beyond my brain. I guess there must be a reason somewhere but the future that is IPv6 will get you at some point... .
Almost all my traffic is IPv6 these days, what little IPv4 there is seems to be confined to some servers and services in the US. Weird.
️
-
@RobbieTT
Hi, yeah I know the IPv6 is the future, but right now my system are only using IPv4 for many years. And after upgrading to 24.03 or something, somtning new appears
And I don't know how to get ride of it :) Even i'm sure I have disable all IPv6 settings. -
@MoonKnight
no sweat!
Just ignore that...it's just IPv6`s way of saying: Home is where 127.0.0.1 AND ::1 are...
:) -
hehe :) I know, but I believe this is an bug. Not that ::1 is there, but DNS Lookup is so slow if you disable all IPv6. And because of that, DNS Lookup still useIPv6 for dns lookup. :/
I was hoping maybe some others have found the same "issue" :) -
@johnpoz said in Very Basic IPv6 security question.:
@JKnott I think it is at the root of the question. Trying to lock down IPv6 is much harder than just IPv4 because of temp IPv6 address. With IPv4 if a device has address 1.2..3.4 it can't just randomly use 1.2.3.5 to make a connection..
You could still do static IPv6 assignments I did that and there was no longer temps showing up
-
@MoonKnight that is just a loopback
-
@guardian said in Very Basic IPv6 security question.:
Hi - I have been using pfSense for several years, but just with IPv4 since I have yet to get my head around what I need to do to secure IPv6. At the moment I have IPv6 disabled on all interfaces including the WAN.
I am being forced into IPv6 by my ISP due to changes in the cable TV system which is moving from a legacy RF system to an IPTV system that uses IPv6. (Rogers in Canada-Ignite TV-I was told it is a similar system to Comcast in the US-I think it is called Xfinity or something like that.)
IIUC, I should be able to enable IPv6 on the WAN and get an IPv6 address (I think it uses DHCP6, but I'm not sure so I need to experiment), and since none of the other interfaces have IPv6 enabled there should be no traffic flow to/from the network.
Am I correct, or do I need to take measures to protect my network?
My initial goal is just to get IP connectivity to the router. Once I have done that to see if I can pipe IPv6 traffic over a VLAN.
P.S.: Any suggestions as to helpful learning resources would be much appreciated.
You can access the web gui over IPv6. So make sure you sure that fyi
Example every interface can access the firewall gui unless you block it...
Test it and see..