Prefer ipv4 over ipv6


  • LAYER 8 Global Moderator

    Ok, I have a working ipv6 tunnel with HE - and it works great, etc etc.  And yes I have unbound set up so I can query it via its IPv6 address, etc. etc.  But in general I do not want to use ipv6 unless I am specifically dealing with something on ipv6.

    By default I want pfsense to use ipv4 before ipv6.

    Now from googlefu I have found that if I run this command
    /etc/rc.d/ip6addrctl prefer_ipv4

    It likes ipv4 better than ipv6, ie doing a dig +trace for some record does not use ipv6 for the .net tld root servers.
    ; <<>> DiG 9.8.1-P1 <<>> www.neowin.net +trace
    ;; global options: +cmd
    ;; Received 228 bytes from 192.168.1.253#53(192.168.1.253) in 2578 ms
    ;; Received 489 bytes from 2001:500:2f::f#53(2001:500:2f::f) in 1366 ms
    ;; Received 134 bytes from 192.5.6.30#53(192.5.6.30) in 188 ms

    But I cannot seem to find clear instructions on how I set up an ip6addrctl.conf or other file that maintains this setting after reboot.

    I have looked over the file /etc/rc.d/ip6addrctl – but not sure if it's just not enough coffee yet, or just having a brain fart on the correct way to set this after reboot, other than setting up the command "/etc/rc.d/ip6addrctl prefer_ipv4" to run, but that doesn't seem like the correct way to me ;)

    If I read it right, if I want to use a .conf file then I need to set up the whole table, and since I want ipv4 used before ipv6, set the ::ffff:0.0.0.0/96 prefix with a higher precedence.

    Maybe this is something that could be added as simple click in the gui? ;)


  • Rebel Alliance Developer Netgate

    Install the shellcmd package and just add a shellcmd in there to run the command you want, it will then run at each boot.


  • LAYER 8 Global Moderator

    That's not really the proper way to do it ;)

    Looks like I just have to configure the preferences I want in the .conf – time to read up on http://www.ietf.org/rfc/rfc3484.txt

    I'm really bad on the whole sorting of destination addresses based upon preference, etc.  I know a higher preference is better than a lower one, so if I want ipv4 before IPv6 I need to set ::ffff:0.0.0.0/96 with a higher precedence.



  • Do note that setting this preference on pfSense has absolutely no effect on the address selection of the client nodes.

    There is no setting where routers can tell clients which address family to use.


  • LAYER 8 Global Moderator

    Agreed, but I know how to do it in windows and in linux as well ;)

    So in windows it's as simple as
    prefer ipv4 over ipv6
    reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 32

    In linux just edit the gai.conf file so the ::ffff:0.0.0.0/96 line is not commented out.

    But freebsd/pfsense does not have gai.conf; it seems it's controlled with ip6addrctl.

    I just need to read up on how to set up its .conf file is all.

    And here's the thing: when ipv6 is preferred by default and unbound is resolving from the roots, even though you ask unbound using ipv4, and it talks to, say, the root with ipv4, it then talks to the tld root using ipv6, which has to go over the ipv6 tunnel, which is slower for me..  Pinging the ipv4 gateway is like 9 to 14ms, pinging the ipv6 gateway is like 44ms.

    From my example
    ;; Received 228 bytes from 192.168.1.253#53(192.168.1.253) in 2578 ms
    ;; Received 489 bytes from 2001:500:2f::f#53(2001:500:2f::f) in 1366 ms
    ;; Received 134 bytes from 192.5.6.30#53(192.5.6.30) in 188 ms

    So don't get me wrong, I love my HE tunnel – but I don't want it doing dns over ipv6 unless I am specifically wanting to do dns over ipv6, etc.  By default I want all traffic to use ipv4 unless I am using ipv6, etc.

    So now with it set to prefer ipv4, when I do a dig for something it always uses ipv4 and doesn't take the ipv6 address just because it gets back an AAAA record, etc.

    Just need to figure out the syntax of the .conf for ip6addrctl is all -- and a check box somewhere in the pfsense gui would be a kewl option ;)




  • LAYER 8 Global Moderator

    yeah yeah I have seen that ;)  But is there somewhere where it talks more about the config file?

    other than just this?

    install configfile
        Install policy entries from a configuration file named
        configfile.  The configuration file should contain a set of
        policy entries.  Each entry is specified in a single line which
        contains an IPv6 prefix, a decimal precedence value, and a decimal
        label value, separated with white space or tab characters.  In
        the configuration file, lines beginning with the pound-sign (`#')
        are comments and are ignored.

    Maybe an example conf file?



  • I see your dns query times are horrible. I see this happen at the AMS pop from HE frequently too.

    They restart the resolver process there frequently but it still bogs down very frequently.

    dnsmasq is faster in that it asks all servers simultaneously on pfsense. But that will be replaced with unbound soon? Which would make this an issue.

    I've since switched to the google anycasted IPv6 DNS servers which works pretty well.
    My tunnel latency is about +8ms which is hardly an issue; your latency is +30ms which is pretty good. Everything below 100ms is very hard to notice, but clearly the resolver on that end is stuck as well, seeing > 2000ms latencies.

    74.82.42.42 10 msec
    2001:4860:4860::8844 22 msec
    2001:470:20::2 10 msec

    That's more like it.

    Google also has the 2001:4860:4860::8888 resolver, to keep in line with their ip4 resolvers.

    Every time I see the latency on their resolvers spike it does not show on their v4 resolver, leading me to believe these are separate devices.


  • LAYER 8 Global Moderator

    are you talking about this?

    ;; Received 228 bytes from 192.168.1.253#53(192.168.1.253) in 2578 ms

    That is my local pfsense box running unbound on IPv6, but that query was done over ipv4 – not sure why the response was so bad??  I wasn't looking at the response time.

    But this
    ;; Received 489 bytes from 2001:500:2f::f#53(2001:500:2f::f) in 1366 ms

    Is one of the root servers:
    ;; ANSWER SECTION:
    f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.2.0.0.0.0.5.0.1.0.0.2.ip6.arpa. 7200 IN PTR f.root-servers.net.

    Yeah my tunnel response is not very good, which is why I try and not have anything default to using IPv6 through the tunnel, unless I am specifically wanting to play/use the IPv6 address.

    That clearly has nothing to do with the he dns resolvers - I am not using them at all.

    Must be something with the VM; doing queries from my windows box on the same network to both the ipv4 and ipv6 address of my unbound running on pfsense, both are very low, like 3 to 6 ms..  But on the VM it fluctuates quite a bit actually, some are like 4, others 121ms, etc..  Seems higher with ipv6 than ipv4 -- but a very limited sample of tests ;)


  • LAYER 8 Global Moderator

    ok – got woken up early because of a false node down call so had some time to look at this this morning ;)

    So from what I have read, you create a /etc/ip6addrctl.conf file with what you want, so I created

    ::ffff:0.0.0.0/96 50 0
    ::1/128 40 1
    ::/0 30 2
    2002::/16 20 3
    ::/96 10 4

    Which is prefix, precedence, label, and from my understanding sets ipv4 over ipv6; normally ::ffff:0.0.0.0/96 would have a prec of 10.

    So I tested it with ip6addrctl install /etc/ip6addrctl.conf and it worked – great, so I added ip6addrctl_enable="YES" to rc.conf, and it should run at startup, see the /etc/ip6addrctl.conf file and load it.

    But I forgot that pfsense overwrites rc.conf on reboot??  So I just copied ip6addrctl to /usr/local/etc/rc.d/, added .sh to it and rebooted, and yeah, now I have my policy installed:

    [2.1-DEVELOPMENT][root@pfsense.local.lan]/(17): ip6addrctl
    Prefix                          Prec Label      Use
    ::ffff:0.0.0.0/96                 50     0        0
    ::1/128                           40     1        0
    ::/0                              30     2      126
    2002::/16                         20     3        0
    ::/96                             10     4        0

    Not sure this is the proper way to do it, but from what I have read this is the way to do it.
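    The table above is what RFC 3484's destination-address sort consults (rule 6, "prefer higher precedence"), and it also answers the earlier question of why bumping ::ffff:0.0.0.0/96 is enough. As an added example that is not part of this thread, pfSense or FreeBSD, the Python below parses an ip6addrctl.conf-style table (the one posted above, plus the RFC 3484 default table for contrast), does the longest-prefix lookup, and shows which of an A and an AAAA root-server address would be tried first; the lookup is a simplified reimplementation, not the kernel's.

```python
import ipaddress

# Constructed tables in the format ip6addrctl(8) reads:
# "prefix precedence label" per line, '#' starts a comment.
PREFER_IPV4_CONF = """
# v4-mapped prefix gets the highest precedence, so IPv4 wins
::ffff:0.0.0.0/96 50 0
::1/128 40 1
::/0 30 2
2002::/16 20 3
::/96 10 4
"""

# RFC 3484 default policy table (what FreeBSD installs when nothing is configured)
DEFAULT_CONF = """
::1/128 50 0
::/0 40 1
2002::/16 30 2
::/96 20 3
::ffff:0.0.0.0/96 10 4
"""

def parse_policy(conf):
    """Return a list of (IPv6Network, precedence, label) from conf text."""
    table = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, prec, label = line.split()
        table.append((ipaddress.IPv6Network(prefix), int(prec), int(label)))
    return table

def to_v6(addr):
    """IPv4 destinations are matched as IPv4-mapped addresses (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip

def lookup(table, addr):
    """Longest-prefix match; returns (precedence, label). ::/0 guarantees a hit."""
    ip = to_v6(addr)
    net, prec, label = max((e for e in table if ip in e[0]), key=lambda e: e[0].prefixlen)
    return prec, label

def sort_destinations(table, addrs):
    """Order candidate destinations by precedence, highest first (RFC 3484 rule 6)."""
    return sorted(addrs, key=lambda a: lookup(table, a)[0], reverse=True)
```

With the posted table, 192.5.6.30 matches ::ffff:0.0.0.0/96 (precedence 50) and 2001:500:2f::f only matches ::/0 (30), so the v4 address sorts first; under the default table the same two addresses come out the other way round.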



  • @Saturn2888:

    I agree that there should be a better way to prioritize one over the other.

    Note this thread is strictly about traffic initiated by the firewall, which in most networks is little to none (only syncing its time, pulling in packages, update checking). For traffic initiated by hosts in your network, you must configure those hosts accordingly, the firewall cannot impact whether they use v4 or v6.


  • LAYER 8 Global Moderator

    exactly.. it's only the pfsense traffic.  Where I noticed the slow down was it using my ipv6 tunnel when talking to the root dns.

    I want the ability to use ipv6 for dns when I am testing it, but I don't want that to be the default, etc.

    It would be a nice feature to be able to choose this - when running native it might not matter for latency.. But I can tell for sure that my he tunnel is slower than ipv4.

