Netgate Discussion Forum

    Using PFSense and a transparent firewall to create a pure IPv6 network

    General pfSense Questions
    • C
      ClayJones
      last edited by ClayJones

      The company I work for makes products that help validate networks and test connectivity.

      Recently we've had several customers begin requesting that we support pure IPv6 networks without any IPv4 present. But creating pure IPv6 networks is actually hard. I've done it using my PFSense router and Vlans but helping 10 other developers do the same thing wouldn't be easy. Plus I now have a pure v4 net and a pure v6 net but sometimes I still need a combined net.

      I came up with the idea to add yet another PFSense box as a transparent firewall and just have it strip off all of the IPv4 packets. It mostly works.

      I followed the standard rules for a transparent firewall. Then I added a few more things.

      1. Add firewall rules to pass all IPv6 on the bridge
      2. Find the IPv6 LinkLocal address for WAN
      3. Open a web browser to the IPv6 address https://[fe80::xxxxxxxx]
        a. The brackets around the ipv6 address are required
        b. Might have to use pfctl -d on the console occasionally to finish config
      4. Turn off IPv4 and IPv6 for WAN, LAN, and BRIDGE
        a. Don't need any assigned addresses, just the ipv6 link local
      5. Remove all rules allowing IPv4 on WAN, LAN, and BRIDGE
      6. I also added specific rules to block IPv4

      Again, it wasn't easy but it does seem to work. My biggest problem is that PFSense has no firewall rule to block ARPs so my pure IPv6 net still has ARP requests and replies flying around. Plus there are a few other non-IP protocols flying across the bridge.

      As a side note, for Windows to work in a pure IPv6 you have to open Control Panel / Network Sharing Center / Ethernet / Properties. Then uncheck Internet Protocol Version 4.

      It seems like I had to do something similar on Ubuntu but I'm too lazy to go check.

      As another side note, I really didn't think I had much IPv6 traffic on my home net but when I checked PFSense stats I found that 70% to 80% of my traffic was IPv6. It turns out that most browsers check for IPv6 addresses and will use those by default if your network supports it. So IPv6 has snuck up on all of us without us even realizing it - and that's how it should be. It just works.

      EDIT: another hint. You will need to modify your Router Advertising to include DNS info (also called RDNSS) to pass out DNS information. I used the Google DNS servers (you can google them). You can also turn on DHCPv6 but many devices don't support it; they use SLAAC to self-configure.

      johnpozJ JKnottJ 2 Replies Last reply Reply Quote 0
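One way to check the result described in the post above, as an added example that is not part of the original thread: a Python classifier for Ethernet frames seen on the filtered side of the bridge, reporting every frame class that is not IPv6 (ARP, IPv4, other non-IP protocols). The function names and the sample frames are constructed for illustration; obtaining the raw frames from a capture is assumed and not shown.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}
VLAN_TAGS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad tag identifiers


def classify_frame(frame: bytes) -> str:
    """Classify one raw Ethernet frame by its (inner) EtherType."""
    offset = 12  # skip destination and source MAC addresses
    while True:
        if len(frame) < offset + 2:
            return "truncated"
        (etype,) = struct.unpack_from("!H", frame, offset)
        if etype not in VLAN_TAGS:
            break
        offset += 4  # skip the tag (TPID + TCI) and read the inner type
    if etype < 0x0600:
        return "llc"  # 802.3 length field, e.g. spanning tree frames
    return ETHERTYPES.get(etype, f"other-0x{etype:04x}")


def audit(frames):
    """Return per-class counts and the sorted list of non-IPv6 classes."""
    counts = Counter(classify_frame(f) for f in frames)
    leaks = sorted(k for k in counts if k != "ipv6")
    return counts, leaks


def make_frame(type_bytes: bytes, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed test frame: broadcast dst, locally administered src."""
    return bytes.fromhex("ffffffffffff020000000001") + type_bytes + payload


# Constructed sample: what a capture behind the bridge might contain.
SAMPLE = [
    make_frame(b"\x86\xdd"),                  # IPv6
    make_frame(b"\x08\x06"),                  # ARP (not filtered by pf rules)
    make_frame(b"\x81\x00\x00\x0a\x08\x00"),  # VLAN 10 tag carrying IPv4
    make_frame(b"\x00\x26"),                  # 802.3 length field (LLC)
    make_frame(b"\x88\xcc"),                  # LLDP
    make_frame(b"\x86\xdd"),                  # IPv6
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE)
    print(dict(counts))
    print("non-IPv6 frame classes behind the bridge:", leaks)
```

An empty `leaks` list is the goal for a pure IPv6 segment; `ipv4` appearing there means a rule is missing, while `arp` and `llc` are Layer 2 traffic that IP-level rules do not see.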
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @ClayJones
        last edited by

        @ClayJones said in Using PFSense and a transparent firewall to create a pure IPv6 network:

        PFSense has no firewall rule to block ARPs

        Yeah it does, if you have plus.. enable ethernet firewall

        ethernet.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • C
          ClayJones @johnpoz
          last edited by

          @johnpoz said in Using PFSense and a transparent firewall to create a pure IPv6 network:

          Yeah it does, if you have plus.. enable ethernet firewall

          Ahh, there's the rub. Maybe I'll look into it, but for now it's sufficient. Thanks for the answer.

          • JKnottJ
            JKnott @ClayJones
            last edited by

            @ClayJones said in Using PFSense and a transparent firewall to create a pure IPv6 network:

            no firewall rule to block ARPs

            There are no ARPs on IPv6, so no need to filter them. IPv6 uses ICMP6 neighbor solicitation instead of ARP.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • JKnottJ
              JKnott @johnpoz
              last edited by

              @johnpoz said in Using PFSense and a transparent firewall to create a pure IPv6 network:

              Yeah it does, if you have plus.. enable ethernet firewall

              There's no such thing as ARP on IPv6, so what are you going to filter?

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @JKnott
                last edited by

                @JKnott read the thread.. He is looking to block the IPv4 ARPs..

                • C
                  ClayJones
                  last edited by

                  Just as a follow up. The firewall idea is working well. It is remarkable how fully fleshed out IPv6 really is. Only a handful of apps or websites don't work. We have our product pretty well modified to support pure IPv6.

                  We're purchasing some 1100 appliances for quality engineers and might buy more for sales people or marketing presenters.

                  Most developers are just using old laptops with the CE version.

                  • JKnottJ
                    JKnott @ClayJones
                    last edited by

                    @ClayJones said in Using PFSense and a transparent firewall to create a pure IPv6 network:

                    Just as a follow up. The firewall idea is working well. It is remarkable how fully fleshed out IPv6 really is. Only a handful of apps or websites don't work.

                    Exactly. I fail to understand why some are so reluctant to move to it. With some, I suspect it's deliberate ignorance. I've had it on my home network for over 14 years and it just works!

                    BTW, I remember the days when it was necessary to use a tunnel to get it. I did that for almost 6 years, before my ISP provided native IPv6.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.