IPv6 testing
-
all the settings are saved in the config, I am also keeping my git branch uptodate with mainstream, except for the binary platform ofcourse.
If you do use the autoupdate from the UI you can then gitsync my branch over it and all the ipv6 access, addresses, tunnels and settings will be restored, possibly with a reboot. Not too sure on that.
With my branch you can add proper ipv6 rules on the WAN interface so that it can be reached from the internet. Welcome to the stateful firewall. For example add a icmp rule on the wan interface to allow icmp from any to the LAN subnet. Make sure to toggle the ipv6 protocol setting.
I just did a gitsync and followed you guide.
Unfortunately i only can get IPv6 traffic from the router itself to work.
I set up the gif tunnel IF, created a extra interface "WAN01_IPv6" and gave it my endpoint IPv6 ip /128. Now i was able to ping6 ipv6.google.com from the pfsense box.
But whatever rule i try, i cannot seem to be able to ping myself from the outside world. (tried form an ipv6 enabled machine at work and lg.he.net). Did i miss something?I did add a ipv6 ip to the lan interface as i do not have a subnet yet.
Could you give me some pointers at what exact rules i would need to create? Adding allow ICMP IPv6 from any to any on WAN01 or WAN01_IPv6 did not work.
Thx!
-m4rcu5EDIT: i must also note that the SixXS.net gateway does not show up green, but as gathering data on my homescreen.
-
do note that the routed/64 of he.net has 1 character different. In my cas the use 1f14 for the tunnel network and 1f15 for the routed /64.
You can not just assign a random IP of the tunnel network on the lan side, that won't work.
That is one of the biggest mind set changes, it's routing now so the lan range needs to be routed your way. Previously with nat you always used that one external ip.
-
Update:
- It is possible to create a CARP ipv6 interface, carp syncing to the IPv6 address of the backup works too.
- When using the easy firewall rule widget it will default to IPv4 protocol causing a filter rule error, editing the rule and setting the protocol to ipv6 fixes it.
- The webUI can now listen on IPv6 too
- It is currently not possible to configure the IPv6 interfaces from the cli.
- The DHCP server still doesn't work properly, autoconfig for the LAN does work but nameservers need to be configured manually.
- The DHCP server does not support failover pools with IPv6.
Be careful of creating any any rules on the WAN when using a routing config (e.g. IPv6)!
-
Great work!
Update:
- It is possible to create a CARP ipv6 interface, carp syncing to the IPv6 address of the backup works too.
- When using the easy firewall rule widget it will default to IPv4 protocol causing a filter rule error, editing the rule and setting the protocol to ipv6 fixes it.
- The webUI can now listen on IPv6 too
- It is currently not possible to configure the IPv6 interfaces from the cli.
- The DHCP server still doesn't work properly, autoconfig for the LAN does work but nameservers need to be configured manually.
- The DHCP server does not support failover pools with IPv6.
Be careful of creating any any rules on the WAN when using a routing config (e.g. IPv6)!
-
I've been try to do some IPv6 testing. I upgraded firmware to```
[2.0-BETA4][admin@vb-pfsense.example.org]/root(3): uname -a
FreeBSD vb-pfsense.example.org 8.1-RELEASE-p1 FreeBSD 8.1-RELEASE-p1 #1: Wed Nov 17 10:32:05 EST 2010 sullrich@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org:/usr/obj.pfSense/usr/pfSensesrc/src/sys/pfSense_SMP.8 i386I then attempted to work through the "gitsync" procedure described earlier in this topic. Then the webGUI refused to start: (extract from _# clog /var/log/system.log _)Nov 24 12:39:51 vb-pfsense php: : The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2010-11-24 12:39:27: (network.c.290) gethostbyname failed: 2 ::'
The gitsync procedure I attempted appeared to go wrong: > Welcome to the pfSense php shell system > Written by Scott Ullrich (sullrich@gmail.com) > > Type "help" to show common usage scenarios. > > Available playback commands: > disabledhcpd enableallowallwan enablesshd gitsync removepkgconfig restartdhcpd restartipsec > > pfSense shell: playback gitsync > > Playback of file gitsync started. > > Current repository is http://gitweb.pfsense.org/pfsense/pfSense-smos.git > > Please select which branch you would like to sync against: > > master 2.0 development branch > RELENG_1_2 1.2* release branch > build_commit The commit originally used to build the image > > Or alternatively you may enter a custom RCS branch URL (HTTP). > > **> http://gitweb.pfsense.org/pfsense/pfSense-smos.git** > > NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found. > > Is this a custom GIT URL? [y]? The example at [http://iserv.nl/files/pfsense/ipv6/](http://iserv.nl/files/pfsense/ipv6/) goes only as far as the bold line above so I'm not sure what to answer to the following questions nor if _NOTE: http://gitweb.pfsense.org/pfsense/pfSense-smos.git was not found._ is a serious problem. The failure of the web GUI after this point makes the configuration of the IPv6 tunnel something of a challenge. Is there a quick patch I can make (to define an IPv6 local hostname?) or a particular snapshot build known to work?__ -
The failure of the web GUI after this point makes the configuration of the IPv6 tunnel something of a challenge.
Is there a quick patch I can make (to define an IPv6 local hostname?) or a particular snapshot build known to work?
Theres some IPv6 stuff in /var/etc/lighty-webConfigurator.conf around line 128, if you remove that the web-UI will start.
-
Is there anything I can do to help? Have you defined the tasks to complete for IPv6 support?
-
The failure of the web GUI after this point makes the configuration of the IPv6 tunnel something of a challenge.
Is there a quick patch I can make (to define an IPv6 local hostname?) or a particular snapshot build known to work?
Theres some IPv6 stuff in /var/etc/lighty-webConfigurator.conf around line 128, if you remove that the web-UI will start.
For anyone else who might stumble upon this problem:
After changing /var/etc/lighty-webConfigurator.conf the web server needs to be restarted by /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.confRestarting the system (or web configurator from the console menu) erases changes to /var/etc/lighty-webConfigurator.conf
-
What can be done to make those changes permanent ?
-
This solution might have some negative side effects, but you could set the file so that it is read-only.
chmod 444 /var/etc/lighty-webConfigurator.conf
I see the potential for this to prevent other (good/necessary) changes from pfSense though.
-
it appears that both apinger and lighttpd are still not built with ipv6 support which is causing this issue.
I will investigate.I will investigate the options
-
Just a notice I got it all to work with my HE net tunnel
Excellent work! (Top gedaan ;) )
-
For anyone else who might stumble upon this problem:
After changing /var/etc/lighty-webConfigurator.conf the web server needs to be restarted by /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.confRestarting the system (or web configurator from the console menu) erases changes to /var/etc/lighty-webConfigurator.conf
For those who want the change to be permanent, you can modify the template script used to generate the configuration in /etc/inc/system.inc . Just do a search for "::" (No quotes). There should be three instances (two of which are for the captiveportal). Comment out the lines taking note of and compensating for the open braces you are commenting out as well.
–-----------------------
I had a problem with how the default routes are set up, it appears to be a copy-and-pasting error in the system_routing_configure() function in system.inc. There were instances where the "v6" portion of the variable names were left out causing a mixing of v4 and v6 configuration; route was not happy.
For those who can successfully ping a v6 host from pfSense but not from LAN, do add a "allow" "IPv6" from "LAN net" to "any" firewall rule.
I'm not sure if an exception had to be made, but when following the instructions from http://iserv.nl/files/pfsense/ipv6/ , I had to change the subnet mask to 126 in the WANIPV6 static address configuration or else the gateway is not accepted by the ui (since it insists that the gateway has to be in the same subnet as the WANIPV6).
Sorry about being so vague, I made these changes without actually noting them down, but I hope it helps someone.
-
For anyone else who might stumble upon this problem:
After changing /var/etc/lighty-webConfigurator.conf the web server needs to be restarted by /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.confRestarting the system (or web configurator from the console menu) erases changes to /var/etc/lighty-webConfigurator.conf
For those who want the change to be permanent, you can modify the template script used to generate the configuration in /etc/inc/system.inc . Just do a search for "::" (No quotes). There should be three instances (two of which are for the captiveportal). Comment out the lines taking note of and compensating for the open braces you are commenting out as well.
This worked for me as well
-
Just on this section, I had emailed Chris a while ago about this and a possible bounty. I'm really keen to get moving with it and possibly a bounty will speed things up. Any thoughts?
-
As version 2 is already in Beta, I highly doubt the team is willing to make such huge architectural changes in version 2. However, according to the bug tracker, Chris Buechler added a feature request and marked it as 2.1 (or next version after 2).
See http://redmine.pfsense.org/issues/177 -
Do I need to use playback gitsync http://rcs.pfsense.org/projects/pfsense/repos/pfSense-smos
or playback gitsync http://gitweb.pfsense.org/pfsense/pfSense-smos.git
?Ok, with the commit I just made to my own (public) repo I can now use ipv6 on my LAN.
A quick howto for getting started, this is by no means comprehensive. And most communication will work as it should, just rough around the edges.
Install a 2.0 BETA4 from the 26th or later, this has a changed apinger binary that supports ipv6 better (at all).
Get to the shell, run option 12, playback gitsync, use the alternate http:// url provided above.
reboot. All the IPv4 connectivity should still work as before.Create a account with www.tunnelbroker.net for a free /64 account. This works best on a a static or semi permanent ipv4 WAN address.
Make sure that a icmp allow rule is existing on the WAN interface for tunnel assignment by he.net to work.on pfSense go to assign, create a new gif interface, fill in the correct remote ipv4 remote address and ipv6 local and remote addresses.
Go to assign, press +, you should now have a new OPT interface listed. Call this what you want.
Go to the newly created OPT interface, enable it using config "none".
Go to routing, create new gateway on the new OPT interface, add the remote ipv6 here, check default (this is the 1st ipv6 default gateway). After enabling this the gateway status should list it as green, as well as the dashboard.You can now create a icmp allow rule on the OPT ipv6 interface to verify that a remote ipv6 host can ping it. http://lg.he.net is helpful here.
Go to interfaces LAN and change the type from ipv4 to ipv4 + ipv6. You can now enter the routed /64 address range given to you by he.net. I just used 2001:470:prefixhere::1 for the lan address, and 64 bits for the subnetmask.
I created a new ICMP rule on the OPT ipv6 interface to allow ipv6 icmp traffic to the LAN IP address. It works!
Next up is generating a rtadvd config for enabling stateless autoconfig on the LAN. After that dhcpd v6. -
Is it possible that it's just not compatible with pfsense2.0beta5 ?
When I take url.git and answer master brache:yes, custum:yes I get errors (not reachable) -
What do I enter after this last line? (after ulr)
-
Hit enter, answer the question about what location it is, and hit enter again.
It will sync, en i think i needs a reboot after that.-marcus