IPv6 = no?



  • Here is my situation. I have IPv4 coming in on WAN and want IPv6 to go out on LAN. I have found the ability via Google to go IPv6 in and IPv6 out but not IPv4 in on WAN and IPv6 out on LAN. Is IPv4 on WAN and IPv6 on LAN possible?



  • Just to let you know, there is an actual IPv6 section here that would probably be able to better answer your question. In any case let me try and answer your question as best as I understand IPv6 right now. What you are wanting is basically to turn your pfSense box into a 6-to-4 NAT, or a 4-to-6 NAT depending on which side of the box you look at it. I'm not sure that's possible. There are servers out there that do that but they're generally hosted at ISPs, I've never known one that you could run yourself (mainly because it's generally better to do IPv6 entirely on your end but I could be wrong).

    What is your plan or reasoning for wanting to do this scenario? Are you trying to get ahead of the game and do IPv6 on your LAN in preparation for getting it on the WAN side? If so you should just do a tunnel from something like HE.net. You will have to change your LAN addressing range anyway unless you used the private range. HE.net and most ISPs who are testing/deploying IPv6 are handing out LARGE chunks of addresses so you won't have to run a private range on your LAN (although you certainly CAN). With still having IPv4 on the WAN side you won't be able to get to any IPv6 only sites (of which I think there are VERY few and most have IPv4 counterparts anyway).



  • @JoelC707:

    What is your plan or reasoning for wanting to do this scenario? Are you trying to get ahead of the game and do IPv6 on your LAN in preparation for getting it on the WAN side? If so you should just do a tunnel from something like HE.net. You will have to change your LAN addressing range anyway unless you used the private range. HE.net and most ISPs who are testing/deploying IPv6 are handing out LARGE chunks of addresses so you won't have to run a private range on your LAN (although you certainly CAN). With still having IPv4 on the WAN side you won't be able to get to any IPv6 only sites (of which I think there are VERY few and most have IPv4 counterparts anyway).

    Thanks for the reply, Joel. Yes, I am trying to do 6-to-4 and 4-to-6 translation. I am just trying to learn basically and want to implement in a home network so no concern if it breaks. I was going to use the private range on my internal LAN. I am not too concerned about getting to IPv6 websites, I just want to "try" and make it work. So, to sum up, am I correct in saying that the current version of pfSense does not support IPv6? I saw the post on configuring IPv6, http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/, however, I do not feel comfortable hacking up a firewall to implement an untested (in a security sense) solution.

    The other option is using a Cisco device.  I have acquired a Cisco 5505 firewall that I can put behind the pfSense firewall for routing.  I read some documentation and it appears that it will support IPv6, however, I am not certain it can translate between IPv4 and IPv6.

    Any suggestions? Thanks again for the help.



  • Have you read the howto on my website to get an IPv6 tunnel? Then you get a real IPv6 connection and you can actually use it. See the sticky in the IPv6 board.


  • Rebel Alliance Global Moderator

    "I do not feel comfortable hacking up a firewall to implement an untested (in a security sense) solution."

    Not sure I would call using the development code from pfSense for IPv6 a bit earlier than it's in the mainstream release "hacking up".

    I can tell you for sure that it works GREAT!!!  Sure a few bugs here and there, but have been running it since early Feb and no major problems to be honest.

    But then again with this statement "I was going to use the private range on my internal LAN. I am not too concerned about getting to IPV6 websites"

    if you don't care about getting to the internet with IPv6, what does it matter what your router supports. You can use IPv6 on your local LAN just fine, your router has NOTHING to do with it; you're just going to use IPv6 between your LAN devices.

    But if you want to actually use it on – then sure put it at your gateway, and if you're running pfSense - then the code instructions provided an work great! Putting the endpoint of the tunnel at your gateway is MUCH safer btw than putting it on some box inside your firewall device. Now you can allow or block any traffic you want to any of your IPv6 devices at the pfSense box vs having to worry about IPv6 software firewalls on each device since your tunnel ends inside your border device.



  • The Remco Bressers post is indeed hackery. And as you also mention this is very different from the current IPv6 code in my branch which is far more turn key.

    I just set up another v6 box at work, and it's becoming easier, just plug in some addresses and it works. That was the whole intention of pfSense.

    Your advice on configuring proper IPv6 over fiddling around is a good suggestion. It's far more valuable and less likely to break your internet in interesting ways. :-)

