IPV6 + PfSense 2.1 - What's the point
-
I have an IPV6 enabled Comcast WAN connection with the LAN port configured to 'Track interface' and all works well… so to speak. A dumb switch would do just as well!
- I've lost all control of LAN side address assignment. I can't set a fixed V6 address for the LAN interface as required for DHCPV6 and the auto-generated privacy addresses would defeat this anyway.
- I can't use alias anymore since there is no possibility of assigning static IPV6 addresses.
- dummynet rate shaping doesn't seem to work for V6 connections.
What's the point. What value does PfSense add when it comes to IPV6? It 'supports' IPV6... but then so does a dumb switch!
-
I agree that it would be nice to be able to use DHCP6 on the LAN side with prefix delegation (see ticket), but that hardly makes the whole thing useless. Also, a switch won't do you much good with Comcast, as you'll only get a single /128 without PD.
-
And a switch isn't a firewall…
-
Nope,
- A switch will allow me to connect any number of devices, each with a distinct address within a /64.
- No firewall, I can connect directly from the Internet.
-
- A switch will allow me to connect any number of devices, each with a distinct address within a /64.
Unless you're talking about link-local addresses (i.e., your devices talk only to each other, but not to the outside world), this is definitely not the case: As I mentioned earlier, without DHCP6-PD (which requires a router), Comcast won't delegate a /64 to you in the first place. (And cable modems will generally not talk to more than one device directly at any given time anyway.)
But by all means, go ahead and just give it a try. Let us know how that works out for you.
-
I have Comcast and the latest version of Pfsense with issues myself. Right my computer has an IPV6 address, but can't resolve IPV6 DNS names. My router can resolve names fine though.
My PC can resolve IPV6 IPs however. I copied the address my router pinged for ipv6.google.com, and put it into windows command prompt at "ping 2607:f8b0:4005:800::1010" and got a response. When I input "ping ipv6.google.com" it tells me that the address cannot be found.
-
Check your nameserver with ipconfig /all (if windows). Windows does not support DNS server config in RAs as specified in http://tools.ietf.org/html/rfc5006. Unless you are using DHCPv6, you will not get a nameserver automatically. You can manually set one. OpenDNS (http://www.opendns.com/technology/ipv6/) has public recursive IPv6 servers that you can use.
-
It turns out if you do a fresh config, by default out of the box everything will work how you would expect. It sets up to track and everything passes down properly. As soon as you go to modify the interface config (i.e., change from 192.168.1.0/24 to something else) it breaks everything and IPv6 stops working.
-
I have an IPV6 enabled Comcast WAN connection with the LAN port configured to 'Track interface' and all works well… so to speak. A dumb switch would do just as well!
- I've lost all control of LAN side address assignment. I can't set a fixed V6 address for the LAN interface as required for DHCPV6 and the auto-generated privacy addresses would defeat this anyway.
- I can't use alias anymore since there is no possibility of assigning static IPV6 addresses.
- dummynet rate shaping doesn't seem to work for V6 connections.
What's the point. What value does PfSense add when it comes to IPV6? It 'supports' IPV6... but then so does a dumb switch!
I agree, not being able to set a static V6 address seems like a serious limitation.
Is the firewall bypassed when you are set up for IPv6?
-
- I've lost all control of LAN side address assignment. I can't set a fixed V6 address for the LAN interface as required for DHCPV6 and the auto-generated privacy addresses would defeat this anyway.
- I can't use alias anymore since there is no possibility of assigning static IPV6 addresses.
While it is not exactly what you are looking for, you are pretty close.
After your LAN IPv6 prefix gets assigned (Comcast DHCP-PD) take a look at "Status: DHCPv6 leases". Guess what?! PfSense is providing DHCPv6 addresses to the LAN devices out of the assigned prefix.
As long as your assigned LAN IPv6 prefix stays the same, the IPv6 address of the LAN devices is going to stay the same.
Since PfSense is doing this much, I don't understand why it wouldn't be a minor enhancement to allow the user to define the host address portion to the host DUID.
Is the firewall bypassed when you are set up for IPv6?
NO
-
I agree, not being able to set a static V6 address seems like a serious limitation.
Is the firewall bypassed when you are set up for IPv6?
I have 2 firewalls set up with static WAN IPv6 and I am able to use DHCPv6. The thing is, the only addresses that are not internet routable addresses are the link local addresses. There is also no NAT for IPv6 (at least there is no reason for one). This would make setting arbitrary IPv6 difficult.
I don't really understand what Comcast is doing. The tracking part of pfSense helps overcome this. Why you are getting the problem of "it doesn't work when I change config" is something I have only had once. A reboot after the config change made everything work and further changes have happened with no problems. Perhaps you can test making a change, seeing that it's not working, and then trying it after a reboot.
-
If you really wanted to use static IPV6 addresses with PD it can be done. For Comcast they assign the prefix and it's pretty much yours all the time. Once you set the LAN interface to track and you know the prefix size the ISP gives you, then after noting the first 64 bits (or whatever) of the IPv6 address on the LAN Interface, you can then change the interface to static and then set whatever static IPv6 address you want to give it (obviously making sure the prefix is the same).
The point is that the LAN Interface doesn't have to be set to 'Track Interface' once you know your prefix (and assuming it doesn't change). The last step would be to enable Router Advertisements on the Services > DHCPv6 Server/RA page so everyone that doesn't have a static will generate one automatically via Stateless Autoconfig.
It's not pointless :(
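The "note the prefix, then go static" procedure above, as an added example that is not part of the thread: it carves the LAN /64 out of a delegated prefix, builds a static address inside it, and checks whether that address is still covered once the delegation changes (the objection raised further down). The /60 delegation and the 2001:db8:: prefix are constructed sample values, not Comcast's real allocation.

```python
import ipaddress


def lan_subnet_from_delegation(delegated_prefix: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Pick the /64 to use on LAN out of the prefix the ISP delegated via DHCPv6-PD.

    A /60 delegation holds 16 /64s; prefix_id selects which one, which is what
    pfSense's 'Track interface' setting asks for. A delegation narrower than a
    /64 cannot be subnetted for SLAAC at all, so it is rejected.
    """
    pd = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"/{pd.prefixlen} delegation cannot provide a /64 for the LAN")
    subnets = list(pd.subnets(new_prefix=64))
    if not 0 <= prefix_id < len(subnets):
        raise ValueError(f"prefix ID {prefix_id} out of range for a /{pd.prefixlen} (max {len(subnets) - 1})")
    return subnets[prefix_id]


def static_address(lan: ipaddress.IPv6Network, interface_id: int) -> ipaddress.IPv6Interface:
    """Combine the noted LAN /64 with a hand-chosen 64-bit host part (e.g. ::1)."""
    if not 0 < interface_id < (1 << 64):
        raise ValueError("interface ID must fit in the low 64 bits and not be zero")
    host = ipaddress.IPv6Address(int(lan.network_address) + interface_id)
    return ipaddress.IPv6Interface(f"{host}/{lan.prefixlen}")


def still_routed(addr: ipaddress.IPv6Interface, delegated_prefix_now: str) -> bool:
    """True if the static address is still inside the prefix currently delegated.

    This is the failure mode of going static: if the ISP hands out a different
    prefix after a reconnect, the typed-in address is no longer routed to you.
    """
    return addr.ip in ipaddress.IPv6Network(delegated_prefix_now, strict=True)


if __name__ == "__main__":
    # Constructed sample delegation (documentation prefix), not a real Comcast one.
    lan = lan_subnet_from_delegation("2001:db8:abcd:1230::/60", prefix_id=0)
    gw = static_address(lan, 0x1)
    print(lan, gw, still_routed(gw, "2001:db8:abcd:1230::/60"))
    print(still_routed(gw, "2001:db8:abcd:5550::/60"))
```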
-
If you really wanted to use static IPV6 addresses with PD it can be done. For Comcast they assign the prefix and it's pretty much yours all the time.
Not so. Unlike IPV4, the IPV6 address and prefix assigned by Comcast will be different each time it is acquired (each time you connect).
-
I have had the same prefix from them for the past 3 months (since I got everything working), after numerous power failures, modem resets, taking interfaces up/down, etc, the prefix has always been the same. We even have an official comcast employee saying his prefix hasn't changed here: http://forums.comcast.com/t5/Basic-Internet-Connectivity-And/IPv6-Network-Prefix-assigned-to-router/td-p/1407185
-
Mine does with every modem reset, or pfSense reboot. I guess your mileage may vary!
-
You know, one time when I was helping out a friend get his pfSense box up and running with residential Comcast IPv6, he noticed the prefix changing too after a reboot. Another odd thing was his IPv4 DNS server that was provided via DHCP was not set to the normal 75.75.75.75 address they give you (some random address starting with 208 from what I can remember). Turns out that Comcast never provisioned his modem correctly and it was still (attempting) to redirect you to the Comcast "please agree to sell your soul to us" ToC captive portal (even though IPv4 had been working for months prior on a different router and the SAME modem). So we called up Comcast, and got a hold of someone. Before they pulled the "we'll send a tech on premises to replace the modem" crap, I was able to get it escalated and they fixed the issue. Since that time, his prefix hasn't changed.
Maybe a geographic thing, as both instances were in southeastern Michigan? Anyway, this is probably not your scenario but I wanted to share in case it was. ;)
-
I do get the 75.75.75.75 DNS, but my prefix also changes whenever I disconnect or reboot.
-
Having your ipv6 subnet and IPs become dynamic doesn't make it useless - Just much less useful as a server.
Which is probably the intent.
Dump the native IPV6 if it becomes annoying and grab a hurricane electric /48 that never changes.