IPv6 testing
-
technically running interfaces_gif_configure(); should be enough in /etc/rc.newwanip to reconfigure the gif tunnel. Although I'm not sure that really needs triggering. From the gif point of view the tunnel hasn't changed. It's only the remote side that needs a nudge.
DHCPv6 for the lan is proving a daunting task, it's taking longer then hoped.
-
technically running interfaces_gif_configure(); should be enough in /etc/rc.newwanip to reconfigure the gif tunnel. Although I'm not sure that really needs triggering. From the gif point of view the tunnel hasn't changed. It's only the remote side that needs a nudge.
I was assuming so, I just hadn't looked at your code.
I really love what you are doing here, I think it has been in need for a while now and the pfSense-IPv6 never went anywhere.
Although I'm not a great programmer, and I don't have too much time on my hands this weekend, I'd love to do anything I can to help starting sometime next week. If you need anything or want some idiot to program something, please ask. -
The dhcp server code is very tedious and not yet inline what a proper ipv6 config should be. For example, the static mappings in dhcpv6 do not use the hardware ethernet but something else.
http://tldp.org/HOWTO/Linux+IPv6-HOWTO/hints-daemons-isc-dhcp.html
Just hoping to get a parsing config at this point and add all other bits later.
I just noticed that we still ship isc dhcp server 3.0.7. We need atleast 4. You can manually install the newer one by invoking pkg_add -r isc-dhcp41-server and then saving the dhcp configuration twice.Edit:
Ok, stateless autoconfig now works on the LAN side, still not picking up dhcpv6 on the LAN eventhough it is configured and running.
rtadvd is now started on the LAN interface for route announcement.
Don't forget to add a IPv6 LAN subnet to any rule on the LAN to get out of the network.I configured a DNS server manually on the ubuntu VM on the LAN and I was then able to browse to ipv6.google.com
-
I would strongly recommend having the default NOT use the ethernet MAC (hardware) address.
It is not required by the IETF.
http://playground.sun.com/ipv6/specs/ipv6-address-privacy.html
It is a bad idea for privacy.
-
databeestje, awesome work! Looking forward to testing all this next month.
-
I would strongly recommend having the default NOT use the ethernet MAC (hardware) address.
Yeah we won't default to that.
-
Just a heads-up: databeestje, awesome work!
I'd love to see IPv6 support in PfSense and these certainly are steps in the right direction.
-
Large ISPs like AT&T do not provide IPv6 support. I spoke to their technical service on the phone. They do not have any plans to go to IPv6. Many will look at the cost of upgraded routing equipment and shudder.
That's a lame excuse. The real reason ISPs drag their feed with the IPv6 transition is that with the limited IPv4 address space, they can extract a massive premium for a "business account" from everyone who wants/needs a fixed IP address e.g. to access their media server from everywhere.
Similarly, there's an entire slew of businesses that invade your privacy and rob you blind by providing services that are all based on the dearth of fixed IP addresses, e.g. home surveillance cameras that beam the video stream to a cloud server from which you can view it, against a hefty annual fee, of course.
If IPv6 were widespread and the excuses for that sorry thing called DHCP would go away, and everyone had access to 2^16 fixed IP addresses, every friggin' lightswitch in one's house could have a few IP addresses, and none of these "value added" services would have a reason to exist.
Scarcity is what drives prices up, and delaying IPv6 is an artificial way of introducing scarcity into a market where there truly is none, and thus allows big companies to extract exorbitant service fees from an unsuspecting public.
Similar considerations go for VoIP and the slow adoption of ENUM, etc. etc.Ronald
-
That's a lame excuse. The real reason ISPs drag their feed with the IPv6 transition is that with the limited IPv4 address space, they can extract a massive premium for a "business account" from everyone who wants/needs a fixed IP address e.g. to access their media server from everywhere.
Similarly, there's an entire slew of businesses that invade your privacy and rob you blind by providing services that are all based on the dearth of fixed IP addresses, e.g. home surveillance cameras that beam the video stream to a cloud server from which you can view it, against a hefty annual fee, of course.
If IPv6 were widespread and the excuses for that sorry thing called DHCP would go away, and everyone had access to 2^16 fixed IP addresses, every friggin' lightswitch in one's house could have a few IP addresses, and none of these "value added" services would have a reason to exist.
Scarcity is what drives prices up, and delaying IPv6 is an artificial way of introducing scarcity into a market where there truly is none, and thus allows big companies to extract exorbitant service fees from an unsuspecting public.
Similar considerations go for VoIP and the slow adoption of ENUM, etc. etc.Ronald
All too true.
A pal of mine is on several interest groups and one of the guys he met is on ipv6 development as well. They intend to eventually have household appliances like ovens and irons hold an ipv6 address with (powerline networking) or without networking (the ipv6 address then becomes a trackable serial number). As to whether this will work out….My next RSP is offering me 65535 globally routable ipv6 addresses for US$4.20/ mth.
Getting one static ipv4 costs me about US$58/ mth largely because they pay about that much for the addresses themselves.
It actually costs me less to buy a CIR/ PIR Service Level Agreement on a residential line than to pay for a single ipv4!
They even went as far as to convert their entire routing core internally to ipv6 so that they don't need to pay for ipv4 addresses. Only encapsulating where the outside world connects. The fact is that if all the ISPs around the world do this, we definitely have enough ipv4 left over to last us a much longer time.Over a basic 24 months contract, it actually costs me less to pay for a Cisco router (even before subsidies by my rsp) to PPTP back to their core and 1:1 NAT the ipv6 to a private ipv4 subnet as my wan addresses.
I would have gone for a Vyatta solution if it actually could do this but it appears support for cross ipv6-ipv4 routing is very limited at the moment. But it at least lets me use pfsense without much trouble. -
Awesome take, rcfa. Thanks.
-
Getting one static ipv4 costs me about US$58/ mth largely because they pay about that much for the addresses themselves.
It actually costs me less to buy a CIR/ PIR Service Level Agreement on a residential line than to pay for a single ipv4!Wow. I pay $4/month for a static ipv4 (dynamic is included) and I can buy subnets for under $2/address. The same ISP is testing ipv6 right now with free opt-in.
Don't worry, I make up for it with inflated subscription fees (thanks to the upstream telco for that).
-
Wow. I pay $4/month for a static ipv4 (dynamic is included) and I can buy subnets for under $2/address. The same ISP is testing ipv6 right now with free opt-in.
Don't worry, I make up for it with inflated subscription fees (thanks to the upstream telco for that).
It's the reverse for me.
The government is pushing out a nationwide broadband infrastructure to be completed by 2012 (GPON to every household paid for by tax monies; mine is coming in June next year) and prices are dirt cheap. It costs about US$41/mth for a 100m down/ 50m up GPON line.
The infrastructure provider gives a 25m CIR on the local circuits but the ISPs/ RSPs obviously don't include this for the end users. Since I happen to personally know one of the senior guys at one of the RSPs, I can get certain dubious perks/ vas provided on the residential line. :DComparatively, a 100m/10m cable subscription now is at US$70/ mth.
-
Since I happen to personally know one of the senior guys at one of the RSPs, I can get certain dubious perks
I don't begrudge you taking advantage, but that is socialism in a nutshell.
-
I always felt that I live in a socialist republic anyway. Authoritarian Democracy would be more apt a term. All citizens here are equal, some more-so than others. ;)
I can only pull that off because the RSP is tiny enough. Their noc is less than 10 men strong and I do get contacted by them on and off for networking jobs anyway (infrastructure cabling, tracing and labelling network cables etc.).
I wouldn't quite say I get perks but they at least know I'm not an average network idiot so they can trust me. e.g. I can request for full access to the CPE they deploy or get PPTP access to their routing core with my own router. Stuff that most ISPs and RSPs wouldn't even allow a business customer to do, much less a residential user.
Alright, I think we've veered off the topic too much. In any case at all, I think the guys have done a good job on pfsense. cheers! If some form of ipv6 gets done by june next year, then I'll only need to deploy a single box.
If it doesn't, I'll try and convince the RSP to internally 1:1 NAT the ipv6 into a ipv4 subnet within their core routing and I'll PPTP in to get those ipv4 as my "wan" ip's block. -
That's a cool thing to have.
Speaking in terms of economics, price is determined by supply and demand.
I notice that the supply of IPv4 addresses is running out.
Does anyone else think that the price of IPv4 addresses might go up next year? Am I way off on that?
Wondering if now is a good time to buy.
Thanks
-
Nah, what you will see is that large internet providers will start taking back those public IP ranges for customers, which will break their skype etc by putting 100's of customers on a single IPv4 address via a large scale nat.
There will be premium customers which will get the advantage of a public ipv4 address, it's that or called a business subscription.
For the next 5 years we'll see more and different extortion schemes. I woulnd't even be surprised if they start billing extra for getting a ipv6 address which is just nonsense since tunnel services are already free.
A great example here is KPN in the Netherlands, the CPE is locked down, they have a few hundred thousand connections, the old devices don't support ipv6 and the new CPE devices still don't. Worse even the NAT in the current CPE they deploy is bad enough that even VPN software doesn't work (pptp and ipsec). As you can imagine, if the local NAT device doesn't even work, then the reason to believe that a LSN will work at all is futile.
One must not forget that the LSN does not start at the provider edge, but it already starts at the customer edge. We will no doubt see horrid rfc1918 address colissions with vpn connections. They will likely argue the requirements for a business connection.
The great thing of all this is that they still are not providing native or tunnel ipv6 access. The CPE currently does not have a way to forward protocol 41. And even then. You can't ask for port mapping on a LSN to your private WAN ip and then port forward that on the CPE to the box connected to your LAN.
The reason why NAT is less of a pain as it really should be is that things like uPNP exist. Not the brightest implementation, but atleast you get to punch holes through the NAT to effectively start communication. e.g. the end to end connectivity.
A LSN has no such controls, good luck.Welcome to the world of nat444 or nat 464, we're &&(* either way.
In other news, static routing now works, I managed to add a carp vip and made some more fixes with regards to dhcpd and route advertising. Much work left, but atleast I can already internet without issue at home on dual stack.
-
Impressive!
-
I've made a short writeup of how you can get the IPv6 tunnel with HE.net configured on my experimental code branch.
http://iserv.nl/files/pfsense/ipv6/This should help people get started.
-
Nice writeup!
But i am unsure if i want to upgrade to a branch. This will make updating even harder.
Is there a way to do this with the normal 2.0Beta4 but maybe only from the console instead of the webinterface?
I am trying to get my sixxs tunnel to work for months now, and after modifying the script found here: http://tuts4tech.net/2010/07/18/ipv6-tunnel-on-pfsense/ i could ping the outside world from my pfsense machine. But the outside world could not ping me.
The first step i want to do is set up the tunnel and later on route a subnet over it.-m4rcu5
-
all the settings are saved in the config, I am also keeping my git branch uptodate with mainstream, except for the binary platform ofcourse.
If you do use the autoupdate from the UI you can then gitsync my branch over it and all the ipv6 access, addresses, tunnels and settings will be restored, possibly with a reboot. Not too sure on that.
With my branch you can add proper ipv6 rules on the WAN interface so that it can be reached from the internet. Welcome to the stateful firewall. For example add a icmp rule on the wan interface to allow icmp from any to the LAN subnet. Make sure to toggle the ipv6 protocol setting.