Netgate Discussion Forum

    IPv6 testing

      Inferno

      @xieliwei:

      @wallabybob:

      For anyone else who might stumble upon this problem:
      After changing /var/etc/lighty-webConfigurator.conf the web server needs to be restarted by /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf

      Restarting the system (or web configurator from the console menu) erases changes to /var/etc/lighty-webConfigurator.conf

      For those who want the change to be permanent, you can modify the template script used to generate the configuration in /etc/inc/system.inc . Just do a search for "::" (No quotes). There should be three instances (two of which are for the captiveportal). Comment out the lines taking note of and compensating for the open braces you are commenting out as well.

      This worked for me as well

        Zeon

        Just on this section, I had emailed Chris a while ago about this and a possible bounty. I'm really keen to get moving with it and possibly a bounty will speed things up. Any thoughts?

          BlueMatt

          As version 2 is already in Beta, I highly doubt the team is willing to make such huge architectural changes in version 2.  However, according to the bug tracker, Chris Buechler added a feature request and marked it as 2.1 (or next version after 2). 
          See http://redmine.pfsense.org/issues/177

            pfsense_fan009

            Do I need to use playback gitsync http://rcs.pfsense.org/projects/pfsense/repos/pfSense-smos
            or playback gitsync http://gitweb.pfsense.org/pfsense/pfSense-smos.git
            ?

            @databeestje:

            Ok, with the commit I just made to my own (public) repo I can now use ipv6 on my LAN.

            A quick howto for getting started, this is by no means comprehensive. And most communication will work as it should, just rough around the edges.

            Install a 2.0 BETA4 from the 26th or later, this has a changed apinger binary that supports ipv6 better (at all).
            Get to the shell, run option 12, playback gitsync, use the alternate http:// url provided above.
            reboot. All the IPv4 connectivity should still work as before.

            Create an account with www.tunnelbroker.net for a free /64 account. This works best on a static or semi permanent ipv4 WAN address.
            Make sure that an icmp allow rule exists on the WAN interface for tunnel assignment by he.net to work.

            on pfSense go to assign, create a new gif interface, fill in the correct remote ipv4 remote address and ipv6 local and remote addresses.

            Go to assign, press +, you should now have a new OPT interface listed. Call this what you want.
            Go to the newly created OPT interface, enable it using config "none".
            Go to routing, create new gateway on the new OPT interface, add the remote ipv6 here, check default (this is the 1st ipv6 default gateway).  After enabling this the gateway status should list it as green, as well as the dashboard.

            You can now create an icmp allow rule on the OPT ipv6 interface to verify that a remote ipv6 host can ping it. http://lg.he.net is helpful here.

            Go to interfaces LAN and change the type from ipv4 to ipv4 + ipv6. You can now enter the routed /64 address range given to you by he.net. I just used 2001:470:prefixhere::1 for the lan address, and 64 bits for the subnetmask.

            I created a new ICMP rule on the OPT ipv6 interface to allow ipv6 icmp traffic to the LAN IP address. It works!
            Next up is generating a rtadvd config for enabling stateless autoconfig on the LAN. After that dhcpd v6.

            Pfsense 2.x on Alix 2d13 (dual wan with failover).

              pfsense_fan009

              Is it possible that it's just not compatible with pfsense2.0beta5?
              When I take url.git and answer master branch: yes, custom: yes, I get errors (not reachable)

                pfsense_fan009

                What do I enter after this last line? (after url)

                  m4rcu5

                  Hit enter, answer the question about what location it is, and hit enter again.
                  It will sync, and I think it needs a reboot after that.

                  -marcus

                    BlueMatt

                    The smos repo hasn't been updated in quite a while, and there have been many changes since then.  I would recommend you set up proto 41 passthrough and set up an IPv6 router on a separate machine so that you can get the latest updates.  You could also apply the commits since smos last updated the IPv6 repo you are using.

                      databeestje

                      Merged up with current 2.0 mainline. Still have not resolved the ipv6 support in the binaries from the snapshot builder

                        Zeon

                        We have just got 2x /48 subnets set up. One for our rack at one of the datacenters here in NZ (the DC is probably one of the 10 largest in the country and has less than 100 racks lol). The other for our office fibre connection. I will start the experiments!

                          databeestje

                          I've added a fix in 2.0 mainline so that it will not remove the default route when you update to a newer snapshot but have an ipv6 pfsense config. With basic connectivity still working it's a lot easier to re-sync against the git repo.

                          I have not managed to track down the builder issue where binaries are built without ipv6 support.

                            Cino

                            I was able to install your git with no issues using 2.0-BETA5 (i386) built on Thu Jan 20 05:02:05 EST 2011 but when I rebooted the box dhcpd wouldn't start. In the log it only gave Exit 1 as its error code. Any ideas?

                              databeestje

                              I'll have to check that dhcp issue out, I've successfully had simultaneous dhcp v4 and dhcpv6 active, not sure what broke. Could be a silly user or group thing.

                              Here is another bit of update.

                              I have slowly been building out support in pfSense, it can do CARP with ipv6 addresses for redundancy now and a test cluster I've built has been working fine for over a month now. That cluster is providing connectivity for a Nameserver, webserver and mailserver. Basic firewalling and routing is working as it should.

                              I have also been working on the Multiwan support for IPv6, this appears to be biting a number of small business networks or home users that have more than 1 internet connection.

                              For this I have implemented "Network Prefix translation" (NPt previously NAT66) support. The way this works is that you can use a ULA range on the LAN networks (I registered my ULA range on sixxs.net). The network prefix translation then replaces the left 64 bits of the network prefix with the global unicast range when traffic goes out onto the internet. It performs the reverse step for traffic directed to the global unicast address which is then mapped to the correct ULA address.

                              In my test setup I have 3 WAN networks, each with their own global unicast range. Using this method all LAN devices have just 1 address and the pfSense firewall will perform all policy routing, this takes away all the need for intelligence on the LAN devices. This also makes all LAN devices directly reachable over either of the 3 internet connections. As long as I make firewall rules that permit the traffic of course.

                              This is, in my opinion, a huge step forward for management of the network.

                              Never ever needing to change the local LAN addressing is a huge step in the right direction.
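
The prefix mapping described in the post above, modelled as an added example (it is not part of the thread and not pfSense's code). The ULA and 2001:db8 documentation prefixes, the WAN names and all function names are constructed for illustration; the model does plain prefix substitution as the post describes and omits the checksum-neutral adjustment that RFC 6296 NPTv6 adds.

```python
import ipaddress

# Constructed sample prefixes: one ULA /64 on the LAN, one global /64 per WAN.
ULA_LAN = ipaddress.ip_network("fd12:3456:789a:1::/64")
WAN_PREFIXES = {
    "wan1": ipaddress.ip_network("2001:db8:a:1::/64"),
    "wan2": ipaddress.ip_network("2001:db8:b:1::/64"),
    "wan3": ipaddress.ip_network("2001:db8:c:1::/64"),
}


def swap_prefix(addr, src_net, dst_net):
    """Replace the network prefix of addr with dst_net's, keeping the host bits."""
    addr = ipaddress.ip_address(addr)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("prefix lengths must match for a 1:1 mapping")
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    host_bits = int(addr) & int(src_net.hostmask)
    return ipaddress.ip_address(int(dst_net.network_address) | host_bits)


def outbound(src, wan):
    """LAN -> internet: the ULA source becomes a global address of that WAN."""
    return swap_prefix(src, ULA_LAN, WAN_PREFIXES[wan])


def inbound(dst, wan):
    """Internet -> LAN: the global destination maps back to the one ULA address."""
    return swap_prefix(dst, WAN_PREFIXES[wan], ULA_LAN)


def exposure(lan_host):
    """Global addresses at which one LAN host is reachable, one per WAN.

    The mapping is stateless and 1:1, so inbound access is controlled only
    by the firewall rules on each WAN interface, not by the translation.
    """
    return {wan: str(outbound(lan_host, wan)) for wan in WAN_PREFIXES}


if __name__ == "__main__":
    host = "fd12:3456:789a:1::25"
    for wan, addr in exposure(host).items():
        print(f"{host} via {wan} -> {addr}")
    print("reply to wan3 address maps back to", inbound("2001:db8:c:1::25", "wan3"))
```
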

                                Cino

                                I should have pasted my log, but I think I remember seeing an error saying the group dhcpd wasn't defined. How would I add that via the command line?

                                  databeestje

                                  I just committed a fix for the dhcp server group. It was supposed to be _dhcp, but I was using dhcpd instead.

                                  That should now be fixed. Also, it appears that apinger and lighttpd binaries are now properly built with ipv6 support. Dnsmasq is built with ipv6 support too, I just don't know if it actually listens on an ipv6 socket.

                                    derekivey

                                    Hi all,

                                    I'm having issues setting this up. I am able to ping IPv6 addresses from pfsense, but all of my machines on my LAN are unable to ping external IPv6 addresses.

                                    Pfsense (2001:470:7:XXX:2 HE WAN IP / 2001:470:8:XXX:1 LAN IP):
                                    [2.0-BETA5][root@pfsense.mydomain.net]/tmp(68): ping6 ipv6.google.com
                                    PING6(56=40+8+8 bytes) 2001:470:7:XXX::2 --> 2001:4860:800f::63
                                    16 bytes from 2001:4860:800f::63, icmp_seq=0 hlim=59 time=19.898 ms
                                    16 bytes from 2001:4860:800f::63, icmp_seq=1 hlim=59 time=19.810 ms
                                    16 bytes from 2001:4860:800f::63, icmp_seq=2 hlim=59 time=21.954 ms
                                    16 bytes from 2001:4860:800f::63, icmp_seq=3 hlim=59 time=19.631 ms

                                    LAN Computer (2001:470:8:XXX::9)
                                    Pinging Google:
                                    D:\Users\Derek>ping 2001:4860:800f::63

                                    Pinging 2001:4860:800f::63 with 32 bytes of data:
                                    Request timed out.
                                    Request timed out.
                                    Request timed out.
                                    Request timed out.

                                    Traceroute:
                                    D:\Users\Derek>tracert ipv6.google.com

                                    Tracing route to ipv6.l.google.com [2001:4860:800f::68]
                                    over a maximum of 30 hops:

                                    1     *        *        *     Request timed out.
                                     2     *        *        *     Request timed out.
                                     3     *        *        *     Request timed out.
                                     4  ^C

                                    Pinging Default Gateway (Pfsense):
                                    D:\Users\Derek>ping 2001:470:8:XXX::1

                                    Pinging 2001:470:8:XXX::1 with 32 bytes of data:
                                    Reply from 2001:470:8:XXX::1: time<1ms
                                    Reply from 2001:470:8:XXX::1: time=2ms
                                    Reply from 2001:470:8:XXX::1: time<1ms
                                    Reply from 2001:470:8:XXX::1: time<1ms

                                    Ping statistics for 2001:470:8:XXX::1:
                                       Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
                                    Approximate round trip times in milli-seconds:
                                       Minimum = 0ms, Maximum = 2ms, Average = 0ms

                                    I see traffic being passed in the firewall when I ping Google and also when I try to ping myself from a website (http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php), so I'm not sure what's going on. Here is a screenshot of my log:

                                    I have disabled the Windows firewall on my PC.

                                    I also tried to run the IPv6 test:

                                    Any ideas?

                                    Thanks,
                                    Derek

                                      derekivey

                                      I fixed my issue. For some reason pfsense was not forwarding IPv6 traffic. I ran:

                                      sysctl net.inet6.ip6.forwarding=1
                                      

                                      Where do I need to go to set this so it keeps that setting if I reboot pfsense?

                                      Thanks,
                                      Derek

                                        databeestje

                                        you can set that sysctl in the system tunables.

                                        I think you just didn't reboot after gitsyncing. It's in the rc.bootup script.

                                          Cino

                                          I've noticed a couple of other issues. After rebooting my box when the git is first installed, I can't access the internet. When I try to ping from the box to yahoo, it says there is no route. If I go to interfaces-WAN then click save-apply, I'm able to access the internet. I have to do this every time I reboot the box. When I install http://gitweb.pfsense.org/pfsense/mainline.git or just perform an update to the firmware, everything is back to normal.

                                          When I try to get the gateway under routing, the box won't let me input the ipv6 address that I got from he.net. It says the subnet is not within the range. If I leave the gateway blank and click save, it puts the ipv6 address that I tried to manually enter.

                                          When creating the WANIP6 interface after creating the gateway, I don't get an option to select the gateway. The only option is none.

                                          My box is set up with a DHCP WAN from my ISP (TWC), 1 LAN, and 2 OpenVPN connects (I didn't create interfaces for them; 1 roadwarrior, the other is a site2site). I have a few packages installed but snort is the only networking one that would touch the wan interface.

                                          When I have time I will do a fresh install without restoring my config file and see if there is a difference. I've been meaning to do this since I have issues with the traffic-shaper. I can't access the internet after using the shaper wizard. Something is blocking the traffic but I don't see it in the logs…. But that issue is for another thread  :-)

                                            derekivey

                                            @databeestje:

                                            you can set that sysctl in the system tunables.

                                            I think you just didn't reboot after gitsyncing. It's in the rc.bootup script.

                                            Ahh, ok that must've been the issue. Yeah, I never rebooted.

                                            Thanks!

                                            Derek
