Netgate Discussion Forum

Using PFSense and a transparent firewall to create a pure IPv6 network

General pfSense Questions
  • C Offline
    ClayJones
    last edited by ClayJones Sep 30, 2024, 2:57 AM Sep 30, 2024, 2:29 AM

    The company I work for makes products that help validate networks and test connectivity.

    Recently we've had several customers begin requesting that we support pure IPv6 networks without any IPv4 present. But creating pure IPv6 networks is actually hard. I've done it using my PFSense router and VLANs, but helping 10 other developers do the same thing wouldn't be easy. Plus I now have a pure v4 net and a pure v6 net, but sometimes I still need a combined net.

    I came up with the idea to add yet another PFSense box as a transparent firewall and just have it strip off all of the IPv4 packets. It mostly works.

    I followed the standard rules for a transparent firewall. Then I added a few more things.

    1. Add firewall rules to pass all IPv6 on the bridge
    2. Find the IPv6 LinkLocal address for WAN
    3. Open a web browser to the IPv6 address https://[fe80::xxxxxxxx]
      a. The brackets around the IPv6 address are required
      b. Might have to use pfctl -d on the console occasionally to finish config
    4. Turn off IPv4 and IPv6 for WAN, LAN, and BRIDGE
      a. Don't need any assigned addresses, just the IPv6 link local
    5. Remove all rules allowing IPv4 on WAN, LAN, and BRIDGE
    6. I also added specific rules to block IPv4

    Again, it wasn't easy but it does seem to work. My biggest problem is that PFSense has no firewall rule to block ARPs, so my pure IPv6 net still has ARP requests and replies flying around. Plus there are a few other non-IP protocols flying across the bridge.

    As a side note, for Windows to work in a pure IPv6 network you have to open Control Panel / Network Sharing Center / Ethernet / Properties, then uncheck Internet Protocol Version 4.

    It seems like I had to do something similar on Ubuntu but I'm too lazy to go check.

    As another side note, I really didn't think I had much IPv6 traffic on my home net but when I checked PFSense stats I found that 70% to 80% of my traffic was IPv6. It turns out that most browsers check for IPv6 addresses and will use those by default if your network supports it. So IPv6 has snuck up on all of us without us even realizing it - and that's how it should be. It just works.

    EDIT: another hint. You will need to modify your Router Advertising to include DNS info (also called RDNSS) to pass out DNS information. I used the Google DNS servers (you can google them). You can also turn on DHCPv6, but many devices don't support it; they use SLAAC to self configure.
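A way to check what still crosses the bridge besides IPv6 (the ARP and other non-IP frames mentioned above), as an added example that is not part of the original post: it classifies raw Ethernet frames by EtherType, looking through VLAN tags. The function names and the sample frames are constructed for illustration; in practice the frames would come from a capture taken on the IPv6-only side.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD   # IEEE EtherType values
VLAN_TAGS = {0x8100, 0x88A8}                           # 802.1Q and 802.1ad tags
NAMES = {ETH_IPV6: "ipv6", ETH_IPV4: "ipv4", ETH_ARP: "arp"}

def classify(frame: bytes) -> str:
    """Label one Ethernet frame: ipv6, ipv4, arp, llc, other:0x...., truncated."""
    offset = 12                                        # skip dst + src MAC
    while True:
        if len(frame) < offset + 2:
            return "truncated"
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in VLAN_TAGS:
            break
        offset += 4                                    # skip tag, read inner type
    if ethertype < 0x0600:
        return "llc"                                   # 802.3 length field, not a type
    return NAMES.get(ethertype, f"other:0x{ethertype:04x}")

def audit(frames):
    """Return (counts per label, everything that is not IPv6)."""
    counts = Counter(classify(f) for f in frames)
    leaks = {label: n for label, n in counts.items() if label != "ipv6"}
    return counts, leaks

# Constructed sample frames (not real captures).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")

def make_frame(ethertype: int, tag: bytes = b"") -> bytes:
    return DST + SRC + tag + struct.pack("!H", ethertype) + bytes(46)

SAMPLE_FRAMES = [
    make_frame(ETH_IPV6),                              # expected on a pure IPv6 net
    make_frame(ETH_IPV6),
    make_frame(ETH_ARP),                               # IPv4 ARP still on the wire
    make_frame(ETH_IPV4),                              # should have been stripped
    make_frame(0x88CC),                                # LLDP, a non-IP protocol
    make_frame(ETH_ARP, tag=bytes.fromhex("8100000a")),  # ARP inside VLAN 10
    make_frame(0x0026),                                # 802.3/LLC frame
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE_FRAMES)
    print("all frames:", dict(counts))
    print("non-IPv6 frames:", leaks)
```

Any `ipv4` count above zero means the pass/block rules are not doing their job; `arp`, `llc` and `other:` entries are layer-2 traffic that IP firewall rules on the bridge do not match.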

    • J Online
      johnpoz LAYER 8 Global Moderator @ClayJones
      last edited by Sep 30, 2024, 2:46 AM

      @ClayJones said in Using PFSense and a transparent firewall to create a pure IPv6 network:

      PFSense has no firewall rule to block ARPs

      Yeah it does, if you have plus.. enable ethernet firewall

      ethernet.jpg

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • C Offline
        ClayJones @johnpoz
        last edited by Sep 30, 2024, 2:49 AM

        @johnpoz said in Using PFSense and a transparent firewall to create a pure IPv6 network:

        Yeah it does, if you have plus.. enable ethernet firewall

        Ahh, there's the rub. Maybe I'll look into it, but for now it's sufficient. Thanks for the answer.

        • J Online
          JKnott @ClayJones
          last edited by Sep 30, 2024, 2:08 PM

          @ClayJones said in Using PFSense and a transparent firewall to create a pure IPv6 network:

          no firewall rule to block ARPs

          There are no ARPs on IPv6, so no need to filter them. IPv6 uses ICMP6 neighbor solicitation instead of ARP.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • J Online
            JKnott @johnpoz
            last edited by Sep 30, 2024, 2:08 PM

            @johnpoz said in Using PFSense and a transparent firewall to create a pure IPv6 network:

            Yeah it does, if you have plus.. enable ethernet firewall

            There's no such thing as ARP on IPv6, so what are you going to filter?

            • J Online
              johnpoz LAYER 8 Global Moderator @JKnott
              last edited by Sep 30, 2024, 2:26 PM

              @JKnott read the thread.. He is looking to block the IPv4 ARPs..

              • C Offline
                ClayJones
                last edited by Oct 9, 2024, 6:29 PM

                Just as a follow up. The firewall idea is working well. It is remarkable how fully fleshed out IPv6 really is. Only a handful of apps or websites don't work. We have our product pretty well modified to support pure IPv6.

                We're purchasing some 1100 appliances for quality engineers and might buy more for sales people or marketing presenters.

                Most developers are just using old laptops with the CE version.

                • J Online
                  JKnott @ClayJones
                  last edited by Oct 10, 2024, 12:56 AM

                  @ClayJones said in Using PFSense and a transparent firewall to create a pure IPv6 network:

                  Just as a follow up. The firewall idea is working well. It is remarkable how fully fleshed out IPv6 really is. Only a handful of apps or websites don't work.

                  Exactly. I fail to understand why some are so reluctant to move to it. With some, I suspect it's deliberate ignorance. I've had it on my home network for over 14 years and it just works!

                  BTW, I remember the days when it was necessary to use a tunnel to get it. I did that for almost 6 years, before my ISP provided native IPv6.
