IPv6 testing
-
Just a heads-up: databeestje, awesome work!
I'd love to see IPv6 support in PfSense and these certainly are steps in the right direction.
-
Large ISPs like AT&T do not provide IPv6 support. I spoke to their technical service on the phone. They do not have any plans to go to IPv6. Many will look at the cost of upgraded routing equipment and shudder.
That's a lame excuse. The real reason ISPs drag their feet with the IPv6 transition is that with the limited IPv4 address space, they can extract a massive premium for a "business account" from everyone who wants/needs a fixed IP address e.g. to access their media server from everywhere.
Similarly, there's an entire slew of businesses that invade your privacy and rob you blind by providing services that are all based on the dearth of fixed IP addresses, e.g. home surveillance cameras that beam the video stream to a cloud server from which you can view it, against a hefty annual fee, of course.
If IPv6 were widespread and the excuses for that sorry thing called DHCP would go away, and everyone had access to 2^16 fixed IP addresses, every friggin' lightswitch in one's house could have a few IP addresses, and none of these "value added" services would have a reason to exist.
Scarcity is what drives prices up, and delaying IPv6 is an artificial way of introducing scarcity into a market where there truly is none, and thus allows big companies to extract exorbitant service fees from an unsuspecting public.
Similar considerations go for VoIP and the slow adoption of ENUM, etc. etc.
-Ronald
-
All too true.
A pal of mine is on several interest groups and one of the guys he met is on ipv6 development as well. They intend to eventually have household appliances like ovens and irons hold an ipv6 address with (powerline networking) or without networking (the ipv6 address then becomes a trackable serial number). As to whether this will work out…
My next RSP is offering me 65535 globally routable ipv6 addresses for US$4.20/ mth.
Getting one static ipv4 costs me about US$58/ mth largely because they pay about that much for the addresses themselves.
It actually costs me less to buy a CIR/ PIR Service Level Agreement on a residential line than to pay for a single ipv4!
They even went as far as to convert their entire routing core internally to ipv6 so that they don't need to pay for ipv4 addresses. Only encapsulating where the outside world connects. The fact is that if all the ISPs around the world do this, we definitely have enough ipv4 left over to last us a much longer time.
Over a basic 24 months contract, it actually costs me less to pay for a Cisco router (even before subsidies by my rsp) to PPTP back to their core and 1:1 NAT the ipv6 to a private ipv4 subnet as my wan addresses.
I would have gone for a Vyatta solution if it actually could do this but it appears support for cross ipv6-ipv4 routing is very limited at the moment. But it at least lets me use pfsense without much trouble. -
Awesome take, rcfa. Thanks.
-
Getting one static ipv4 costs me about US$58/ mth largely because they pay about that much for the addresses themselves.
It actually costs me less to buy a CIR/ PIR Service Level Agreement on a residential line than to pay for a single ipv4!
Wow. I pay $4/month for a static ipv4 (dynamic is included) and I can buy subnets for under $2/address. The same ISP is testing ipv6 right now with free opt-in.
Don't worry, I make up for it with inflated subscription fees (thanks to the upstream telco for that).
-
It's the reverse for me.
The government is pushing out a nationwide broadband infrastructure to be completed by 2012 (GPON to every household paid for by tax monies; mine is coming in June next year) and prices are dirt cheap. It costs about US$41/mth for a 100m down/ 50m up GPON line.
The infrastructure provider gives a 25m CIR on the local circuits but the ISPs/ RSPs obviously don't include this for the end users. Since I happen to personally know one of the senior guys at one of the RSPs, I can get certain dubious perks/ vas provided on the residential line. :D
Comparatively, a 100m/10m cable subscription now is at US$70/ mth.
-
Since I happen to personally know one of the senior guys at one of the RSPs, I can get certain dubious perks
I don't begrudge you taking advantage, but that is socialism in a nutshell.
-
I always felt that I live in a socialist republic anyway. Authoritarian Democracy would be more apt a term. All citizens here are equal, some more-so than others. ;)
I can only pull that off because the RSP is tiny enough. Their noc is less than 10 men strong and I do get contacted by them on and off for networking jobs anyway (infrastructure cabling, tracing and labelling network cables etc.).
I wouldn't quite say I get perks but they at least know I'm not an average network idiot so they can trust me. e.g. I can request full access to the CPE they deploy or get PPTP access to their routing core with my own router. Stuff that most ISPs and RSPs wouldn't even allow a business customer to do, much less a residential user.
Alright, I think we've veered off the topic too much. In any case at all, I think the guys have done a good job on pfsense. Cheers! If some form of ipv6 gets done by June next year, then I'll only need to deploy a single box.
If it doesn't, I'll try and convince the RSP to internally 1:1 NAT the ipv6 into a ipv4 subnet within their core routing and I'll PPTP in to get those ipv4 as my "wan" ip's block. -
That's a cool thing to have.
Speaking in terms of economics, price is determined by supply and demand.
I notice that the supply of IPv4 addresses is running out.
Does anyone else think that the price of IPv4 addresses might go up next year? Am I way off on that?
Wondering if now is a good time to buy.
Thanks
-
Nah, what you will see is that large internet providers will start taking back those public IP ranges for customers, which will break their skype etc by putting 100's of customers on a single IPv4 address via a large scale nat.
There will be premium customers which will get the advantage of a public ipv4 address, it's that or called a business subscription.
For the next 5 years we'll see more and different extortion schemes. I wouldn't even be surprised if they start billing extra for getting an ipv6 address, which is just nonsense since tunnel services are already free.
A great example here is KPN in the Netherlands, the CPE is locked down, they have a few hundred thousand connections, the old devices don't support ipv6 and the new CPE devices still don't. Worse even the NAT in the current CPE they deploy is bad enough that even VPN software doesn't work (pptp and ipsec). As you can imagine, if the local NAT device doesn't even work, then the reason to believe that a LSN will work at all is futile.
One must not forget that the LSN does not start at the provider edge, but it already starts at the customer edge. We will no doubt see horrid rfc1918 address collisions with vpn connections. They will likely argue the requirements for a business connection.
The great thing of all this is that they still are not providing native or tunnel ipv6 access. The CPE currently does not have a way to forward protocol 41. And even then. You can't ask for port mapping on a LSN to your private WAN ip and then port forward that on the CPE to the box connected to your LAN.
The reason why NAT is less of a pain than it really should be is that things like UPnP exist. Not the brightest implementation, but at least you get to punch holes through the NAT to effectively start communication, e.g. the end to end connectivity.
A LSN has no such controls, good luck.
Welcome to the world of nat444 or nat 464, we're &&(* either way.
In other news, static routing now works, I managed to add a carp vip and made some more fixes with regards to dhcpd and route advertising. Much work left, but at least I can already internet without issue at home on dual stack.
-
Impressive!
-
I've made a short writeup of how you can get the IPv6 tunnel with HE.net configured on my experimental code branch.
http://iserv.nl/files/pfsense/ipv6/
This should help people get started.
-
Nice writeup!
But I am unsure if I want to upgrade to a branch. This will make updating even harder.
Is there a way to do this with the normal 2.0Beta4 but maybe only from the console instead of the webinterface?
I am trying to get my sixxs tunnel to work for months now, and after modifying the script found here: http://tuts4tech.net/2010/07/18/ipv6-tunnel-on-pfsense/ I could ping the outside world from my pfsense machine. But the outside world could not ping me.
The first step I want to do is set up the tunnel and later on route a subnet over it.
-m4rcu5
-
All the settings are saved in the config, I am also keeping my git branch up to date with mainstream, except for the binary platform of course.
If you do use the autoupdate from the UI you can then gitsync my branch over it and all the ipv6 access, addresses, tunnels and settings will be restored, possibly with a reboot. Not too sure on that.
With my branch you can add proper ipv6 rules on the WAN interface so that it can be reached from the internet. Welcome to the stateful firewall. For example add an icmp rule on the wan interface to allow icmp from any to the LAN subnet. Make sure to toggle the ipv6 protocol setting.
-
databeestje, big thanks to the HE.net write up got me going fast and easy.
-
I just did a gitsync and followed your guide.
Unfortunately I only can get IPv6 traffic from the router itself to work.
I set up the gif tunnel IF, created an extra interface "WAN01_IPv6" and gave it my endpoint IPv6 ip /128. Now I was able to ping6 ipv6.google.com from the pfsense box.
But whatever rule I try, I cannot seem to be able to ping myself from the outside world (tried from an ipv6 enabled machine at work and lg.he.net). Did I miss something?
I did add an ipv6 ip to the lan interface as I do not have a subnet yet.
Could you give me some pointers at what exact rules I would need to create? Adding allow ICMP IPv6 from any to any on WAN01 or WAN01_IPv6 did not work.
Thx!
-m4rcu5
EDIT: I must also note that the SixXS.net gateway does not show up green, but as gathering data on my homescreen.
-
Do note that the routed /64 of he.net has 1 character different. In my case they use 1f14 for the tunnel network and 1f15 for the routed /64.
You can not just assign a random IP of the tunnel network on the lan side, that won't work.
That is one of the biggest mindset changes, it's routing now so the lan range needs to be routed your way. Previously with nat you always used that one external ip.
- 8 days later
-
Update:
- It is possible to create a CARP ipv6 interface, carp syncing to the IPv6 address of the backup works too.
- When using the easy firewall rule widget it will default to IPv4 protocol causing a filter rule error, editing the rule and setting the protocol to ipv6 fixes it.
- The webUI can now listen on IPv6 too
- It is currently not possible to configure the IPv6 interfaces from the cli.
- The DHCP server still doesn't work properly, autoconfig for the LAN does work but nameservers need to be configured manually.
- The DHCP server does not support failover pools with IPv6.
Be careful of creating any any rules on the WAN when using a routing config (e.g. IPv6)!
-
Great work!
- 9 days later
-
I've been trying to do some IPv6 testing. I upgraded firmware to
```
[2.0-BETA4][admin@vb-pfsense.example.org]/root(3): uname -a
FreeBSD vb-pfsense.example.org 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #1: Wed Nov 17 10:32:05 EST 2010 sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386
```
I then attempted to work through the "gitsync" procedure described earlier in this topic. Then the webGUI refused to start (extract from `# clog /var/log/system.log`):
```
Nov 24 12:39:51 vb-pfsense php: : The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2010-11-24 12:39:27: (network.c.290) gethostbyname failed: 2 ::'
```
The gitsync procedure I attempted appeared to go wrong:
```
Welcome to the pfSense php shell system
Written by Scott Ullrich (sullrich@gmail.com)

Type "help" to show common usage scenarios.

Available playback commands:
disabledhcpd enableallowallwan enablesshd gitsync removepkgconfig restartdhcpd restartipsec

pfSense shell: playback gitsync

Playback of file gitsync started.

Current repository is http://gitweb.pfsense.org/pfsense/pfSense-smos.git

Please select which branch you would like to sync against:

master 2.0 development branch
RELENG_1_2 1.2* release branch
build_commit The commit originally used to build the image

Or alternatively you may enter a custom RCS branch URL (HTTP).

> http://gitweb.pfsense.org/pfsense/pfSense-smos.git

NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found.

Is this a custom GIT URL? [y]?
```
The example at http://iserv.nl/files/pfsense/ipv6/ goes only as far as the line above where I entered the repository URL, so I'm not sure what to answer to the following questions, nor whether "NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found." is a serious problem. The failure of the web GUI after this point makes the configuration of the IPv6 tunnel something of a challenge. Is there a quick patch I can make (to define an IPv6 local hostname?) or a particular snapshot build known to work?
-
The failure of the web GUI after this point makes the configuration of the IPv6 tunnel something of a challenge.
Is there a quick patch I can make (to define an IPv6 local hostname?) or a particular snapshot build known to work?
There's some IPv6 stuff in /var/etc/lighty-webConfigurator.conf around line 128, if you remove that the web-UI will start.
-
Is there anything I can do to help? Have you defined the tasks to complete for IPv6 support?
-
For anyone else who might stumble upon this problem:
After changing /var/etc/lighty-webConfigurator.conf the web server needs to be restarted by /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
Restarting the system (or web configurator from the console menu) erases changes to /var/etc/lighty-webConfigurator.conf
- 15 days later
-
What can be done to make those changes permanent ?
-
This solution might have some negative side effects, but you could set the file so that it is read-only.
chmod 444 /var/etc/lighty-webConfigurator.conf
I see the potential for this to prevent other (good/necessary) changes from pfSense though.
- 7 days later
-
It appears that both apinger and lighttpd are still not built with ipv6 support which is causing this issue.
I will investigate the options.
-
Just a notice I got it all to work with my HE net tunnel
Excellent work! (Well done ;) )
-
For those who want the change to be permanent, you can modify the template script used to generate the configuration in /etc/inc/system.inc . Just do a search for "::" (No quotes). There should be three instances (two of which are for the captiveportal). Comment out the lines taking note of and compensating for the open braces you are commenting out as well.
------------------------
I had a problem with how the default routes are set up, it appears to be a copy-and-pasting error in the system_routing_configure() function in system.inc. There were instances where the "v6" portion of the variable names were left out causing a mixing of v4 and v6 configuration; route was not happy.
For those who can successfully ping a v6 host from pfSense but not from LAN, do add an "allow" "IPv6" from "LAN net" to "any" firewall rule.
I'm not sure if an exception had to be made, but when following the instructions from http://iserv.nl/files/pfsense/ipv6/ , I had to change the subnet mask to 126 in the WANIPV6 static address configuration or else the gateway is not accepted by the ui (since it insists that the gateway has to be in the same subnet as the WANIPV6).
Sorry about being so vague, I made these changes without actually noting them down, but I hope it helps someone.
-
This worked for me as well
- 14 days later
-
Just on this section, I had emailed Chris a while ago about this and a possible bounty. I'm really keen to get moving with it and possibly a bounty will speed things up. Any thoughts?
-
As version 2 is already in Beta, I highly doubt the team is willing to make such huge architectural changes in version 2. However, according to the bug tracker, Chris Buechler added a feature request and marked it as 2.1 (or next version after 2).
See http://redmine.pfsense.org/issues/177 -
Do I need to use playback gitsync http://rcs.pfsense.org/projects/pfsense/repos/pfSense-smos
or playback gitsync http://gitweb.pfsense.org/pfsense/pfSense-smos.git ?
-
Ok, with the commit I just made to my own (public) repo I can now use ipv6 on my LAN.
A quick howto for getting started, this is by no means comprehensive. And most communication will work as it should, just rough around the edges.
Install a 2.0 BETA4 from the 26th or later, this has a changed apinger binary that supports ipv6 better (at all).
Get to the shell, run option 12, playback gitsync, use the alternate http:// url provided above.
Reboot. All the IPv4 connectivity should still work as before.
Create an account with www.tunnelbroker.net for a free /64 account. This works best on a static or semi permanent ipv4 WAN address.
Make sure that an icmp allow rule exists on the WAN interface for tunnel assignment by he.net to work.
On pfSense go to assign, create a new gif interface, fill in the correct remote ipv4 address and ipv6 local and remote addresses.
Go to assign, press +, you should now have a new OPT interface listed. Call this what you want.
Go to the newly created OPT interface, enable it using config "none".
Go to routing, create new gateway on the new OPT interface, add the remote ipv6 here, check default (this is the 1st ipv6 default gateway). After enabling this the gateway status should list it as green, as well as the dashboard.
You can now create an icmp allow rule on the OPT ipv6 interface to verify that a remote ipv6 host can ping it. http://lg.he.net is helpful here.
Go to interfaces LAN and change the type from ipv4 to ipv4 + ipv6. You can now enter the routed /64 address range given to you by he.net. I just used 2001:470:prefixhere::1 for the lan address, and 64 bits for the subnetmask.
I created a new ICMP rule on the OPT ipv6 interface to allow ipv6 icmp traffic to the LAN IP address. It works!
Next up is generating a rtadvd config for enabling stateless autoconfig on the LAN. After that dhcpd v6. -
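As an added example (not pfSense, HE.net or databeestje's code), the script below checks the three addressing points raised in this thread before a tunnel plan is committed to the firewall: the routed /64 must be a different prefix from the tunnel /64 and the LAN address must come from the routed one (the 1f14/1f15 remark above), the gateway must sit inside the subnet configured on the WAN IPv6 interface (which is why /128 fails and /126 or /64 works), and because routed IPv6 has no NAT in front of the LAN, the WAN-side rule should name the LAN net instead of any/any. The class and function names, the interface names gif0/em1 and the 2001:db8::/32 documentation prefixes are assumptions; the pf rules are the pf.conf equivalents of the GUI rules in the howto.

```python
"""Sanity-check a 6in4 (gif) tunnel plan of the HE.net style and emit the
narrowest pf rules for it.

Added example for this thread, not pfSense or HE.net code. Names, interface
names and the 2001:db8::/32 addresses are assumptions; 1f14/1f15 mirror the
"one character different" tunnel/routed pair mentioned in the thread.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class TunnelPlan:
    tunnel_prefix: str   # /64 assigned to the tunnel itself (server ::1, client ::2)
    routed_prefix: str   # separate /64 routed to you, to be used on the LAN
    wan_prefixlen: int   # prefix length configured on the tunnel-facing interface
    lan_address: str     # address placed on the LAN interface


def tunnel_endpoints(tunnel_prefix: str) -> tuple[str, str]:
    """Return (server, client): HE.net uses ::1 for its side and ::2 for yours."""
    net = ipaddress.IPv6Network(tunnel_prefix)
    return str(net.network_address + 1), str(net.network_address + 2)


def check_plan(plan: TunnelPlan) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: list[str] = []
    tunnel = ipaddress.IPv6Network(plan.tunnel_prefix)
    routed = ipaddress.IPv6Network(plan.routed_prefix)
    server, client = [ipaddress.IPv6Address(a) for a in tunnel_endpoints(plan.tunnel_prefix)]

    # The routed /64 is a different prefix from the tunnel /64; reusing one for
    # the other leaves nothing for the broker to route towards you.
    if routed.overlaps(tunnel):
        problems.append(f"routed prefix {routed} overlaps tunnel prefix {tunnel}")

    # The gateway (server side) must fall inside the subnet configured on the
    # WAN IPv6 interface, or the UI rejects it: /64 or /126 works, /128 does not.
    wan_net = ipaddress.IPv6Interface(f"{client}/{plan.wan_prefixlen}").network
    if server not in wan_net:
        problems.append(f"gateway {server} is outside WAN subnet {wan_net}; use /64 or /126")

    # The LAN address has to come from the routed /64. An address picked from
    # the tunnel /64 is not routed to the LAN side, so LAN hosts stay unreachable.
    lan = ipaddress.IPv6Address(plan.lan_address)
    if lan in tunnel:
        problems.append(f"LAN address {lan} is taken from the tunnel prefix, not the routed one")
    elif lan not in routed:
        problems.append(f"LAN address {lan} is not inside routed prefix {routed}")
    return problems


def pf_rules(plan: TunnelPlan, tunnel_if: str = "gif0", lan_if: str = "em1") -> list[str]:
    """pf.conf equivalents of the GUI rules in the howto, scoped to the routed /64.

    With routed IPv6 there is no NAT in front of the LAN, so a "from any to any"
    rule on the tunnel interface would expose every LAN host; pin the destination.
    """
    routed = ipaddress.IPv6Network(plan.routed_prefix)
    return [
        # inbound ICMPv6 (ping, and the errors path MTU discovery relies on) to the LAN net only
        f"pass in on {tunnel_if} inet6 proto ipv6-icmp from any to {routed}",
        # LAN hosts may initiate outbound IPv6; pf keeps state so replies come back
        f"pass in on {lan_if} inet6 from {routed} to any keep state",
    ]


if __name__ == "__main__":
    # constructed sample plan using documentation addresses
    plan = TunnelPlan("2001:db8:1f14::/64", "2001:db8:1f15::/64", 126, "2001:db8:1f15::1")
    print("endpoints:", tunnel_endpoints(plan.tunnel_prefix))
    print("problems:", check_plan(plan) or "none")
    for rule in pf_rules(plan):
        print(rule)
```

Run it with a /128 on the WAN side, or with a LAN address taken from the tunnel /64, and `check_plan` reports exactly the two mistakes described earlier in the thread; the generated rules deliberately never use `any` as the inbound destination.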
Is it possible that it's just not compatible with pfsense2.0beta5 ?
When I take url.git and answer master branch: yes, custom: yes I get errors (not reachable) -
-
Hit enter, answer the question about what location it is, and hit enter again.
It will sync, and I think it needs a reboot after that.
-marcus
-
The smos repo hasn't been updated in quite a while, and there have been many changes since then. I would recommend you set up proto 41 passthrough and set up an IPv6 router on a separate machine so that you can get the latest updates. You could also apply the commits since smos last updated the IPv6 repo you are using.
-
Merged up with current 2.0 mainline. Still have not resolved the ipv6 support in the binaries from the snapshot builder
-
We have just got 2x /48 subnets setup. One for our rack at one of the datacenters here in NZ (the DC is probably one of the 10 largest in the country and has less than 100 racks lol). The other for our office fibre connection. I will start the experiments!
-
I've added a fix in 2.0 mainline so that it will not remove the default route when you update to a newer snapshot but have a ipv6 pfsense config. With basic connectivity still working it's a lot easier to re-sync against the git repo.
I have not managed to track down the builder issue where binaries are built without ipv6 support.
-
I was able to install your git with no issues using 2.0-BETA5 (i386) built on Thu Jan 20 05:02:05 EST 2011 but when I rebooted the box dhcpd wouldn't start. In the log it only gave Exit 1 as its error code. Any ideas?