WAN Firewall Rules for IPv6
-
I've been running pfSense since v2.4, and am now up to v2.7. I just enabled IPv6 for the first time, and I've been having problems with intermittent IPv6 connections. (Rogers)
At this point I only want IPv6 on one VLAN.
Should I have any special ICMP rules on either the WAN or the VLAN interface? I thought that I read somewhere that the latest version of pfSense adds some rules when the interfaces are created, but this doesn't happen when an older configuration is modified.
-
I'm not aware of any special rules, however if you don't want IPv6 on an interface, don't enable it there.
-
@guardian said in WAN Firewall Rules for IPv6:
the latest version of pfSense adds some rules when the interfaces are created
pfSense AFAIK has always added the required ICMPv6 rules needed for IPv6 to function - been using pfSense since really the get-go of pfSense. And don't recall ever having to add any special rules to get IPv6 to work.
As to when they get enabled, I would think that would only happen when you enable IPv6 on the interface. You could always check to see what "hidden" rules are on your interfaces.
https://docs.netgate.com/pfsense/en/latest/firewall/pf-ruleset.html
-
@johnpoz, @JKnott Thanks guys, I really appreciate the support as I'm really struggling with this IPv6 stuff.
It seems like the problem is that my DHCP6 isn't passing along the DNS server address.
Here is how I have the interface set up:
and the DHCPv6 Server tab looks like this (nothing in the area below what is shown).
I have this connected through an SG300 switch as an untagged access port which connects to a Linux laptop. The laptop has the wired interface connected with both IPv4/6 set to automatic.
DNS4 got picked up correctly (I force all DNS to go through pfSense), but the only way I could get IPv6 going was to manually code a DNSv6 server address on the laptop. Since my endgame is to supply IPv6 for a TV box with limited configurability, I'm pretty sure I need to get DHCPv6 passing along a DNSv6 server address. (@JKnott do you know if I am mistaken on this?)
What I also find interesting is that the interface has 2 GUAs (both in the delegated prefix). In the NDP Table, one address has a lease, and the other is permanent. The permanent address has exactly the same bottom 3 hextets as all the other interfaces, but the 4th hextet is different. What is going on here? Also, given that I have set IPv6 to configuration None, why do all the other interfaces have an IPv6 address in the NDP Table? Is this going to cause problems?
Will IPv6 go through a bridge the same way as IPv4? My current IPv4 setup has a couple of VLANs that are trunked to a Tomato router, and I have the ports on the router switch bridged to pick up the VLANs and just pass them to the ports. Devices get their IP address/DNS directly from pfSense, so the router just acts like a combination managed switch/access point. Will IPv6 act the same way? (I'm sure my ignorance is really showing at this point - so any suggestions as to what to google or a reference to read would be much appreciated.)
-
@guardian said in WAN Firewall Rules for IPv6:
It seems like the problem is that my DHCP6 isn't passing along the DNS server address.
Is there some reason you're using DHCP6? Normally SLAAC is fine and there's a setting to enable RDNSS. Also, thanks to some genius at Google, Android devices don't support DHCP6.
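
To check from the client side whether router advertisements actually carry a DNS server (the RDNSS setting mentioned above), here is an added example, not part of the original thread and not pfSense code: it parses the body of an ICMPv6 Router Advertisement and reports the M/O flags and any RDNSS option (RFC 8106). The sample packet, the 2001:db8:10::/64 addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

def inspect_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134) body.

    Returns the M flag (addresses via DHCPv6), the O flag (other config via
    DHCPv6) and every RDNSS option (type 25) as (lifetime_seconds, [addresses]).
    """
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "rdnss": []}
    off = 16  # fixed RA header is 16 bytes; TLV options follow
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 25:
            # 8 bytes of type/length/reserved/lifetime, then whole 16-byte addresses
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("bad RDNSS option length")
            lifetime = struct.unpack_from("!I", icmp6, off + 4)[0]
            addrs = [str(ipaddress.IPv6Address(icmp6[p:p + 16]))
                     for p in range(off + 8, off + opt_len, 16)]
            info["rdnss"].append((lifetime, addrs))
        off += opt_len
    return info

def build_sample_ra(with_rdnss: bool) -> bytes:
    """Constructed RA for the demo (checksum left at 0; it is not validated here)."""
    # type, code, checksum, hop limit, flags (M=0, O=0), router lifetime, timers
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
    # Prefix Information option: /64, L+A flags set, so clients use SLAAC
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    pio += ipaddress.IPv6Address("2001:db8:10::").packed
    # RDNSS option: one resolver, lifetime 1800 s
    rdnss = struct.pack("!BBHI", 25, 3, 0, 1800)
    rdnss += ipaddress.IPv6Address("2001:db8:10::1").packed
    return hdr + pio + (rdnss if with_rdnss else b"")

if __name__ == "__main__":
    for label, pkt in (("RDNSS enabled", build_sample_ra(True)),
                       ("RDNSS missing", build_sample_ra(False))):
        print(label, inspect_ra(pkt))
```

An RA with M=0, O=0 and an empty RDNSS list gives a SLAAC-only client an address but no resolver, which matches the symptom of having to configure the DNS server by hand.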
-
@guardian said in WAN Firewall Rules for IPv6:
Will IPv6 go through a bridge the same way as IPv4?
Yep, as will IPX, NetBIOS, SNA, DECNet, etc.