IPV6 + PfSense 2.1 - What's the point
-
I have an IPV6 enabled Comcast WAN connection with the LAN port configured to 'Track interface' and all works well… so to speak. A dumb switch would do just as well!
- I've lost all control of LAN side address assignment. I can't set a fixed V6 address for the LAN interface as required for DHCPV6 and the auto-generated privacy addresses would defeat this anyway.
- I can't use alias anymore since there is no possibility of assigning static IPV6 addresses.
- dummynet rate shaping doesn't seem to work for V6 connections.
What's the point. What value does PfSense add when it comes to IPV6? It 'supports' IPV6... but then so does a dumb switch!
I agree, not being able to set a static V6 address seems like a serious limitation.
Is the firewall bypassed when you are set up for IPv6?
-
- I've lost all control of LAN side address assignment. I can't set a fixed V6 address for the LAN interface as required for DHCPV6 and the auto-generated privacy addresses would defeat this anyway.
- I can't use alias anymore since there is no possibility of assigning static IPV6 addresses.
While it is not exactly what you are looking for, you are pretty close.
After your LAN IPv6 prefix gets assigned (Comcast DHCP-PD) take a look at "Status: DHCPv6 leases". Guess what?! PfSense is providing DHCPv6 addresses to the LAN devices out of the assigned prefix.
As long as your assigned LAN IPv6 prefix stays the same, the IPv6 address of the LAN devices is going to stay the same.
Since PfSense is doing this much, I don't understand why it wouldn't be a minor enhancement to allow the user to define the host address portion to the host DUID.
Is the firewall bypassed when you are set up for IPv6?
NO
-
I agree, not being able to set a static V6 address seems like a serious limitation.
Is the firewall bypassed when you are set up for IPv6?
I have 2 firewalls set up with static WAN IPv6 and I am able to use DHCPv6. The thing is, the only addresses that are not internet routable addresses are the link local addresses. There is also no NAT for IPv6 (at least there is no reason for one). This would make setting arbitrary IPv6 difficult.
I don't really understand what Comcast is doing. The tracking part of pfSense helps overcome this. Why you are getting the problem of "it doesn't work when I change config" is something I have only had once. A reboot after the config change made everything work and further changes have happened with no problems. Perhaps you can test making a change, seeing that it's not working, and then trying it after a reboot.
-
If you really wanted to use static IPV6 addresses with PD it can be done. For Comcast they assign the prefix and it's pretty much yours all the time. Once you set the LAN interface to track and you know the prefix size the ISP gives you, then after noting the first 64 bits (or whatever) of the IPv6 address on the LAN Interface, you can then change the interface to static and then set whatever static IPv6 address you want to give it (obviously making sure the prefix is the same).
The point is that the LAN Interface doesn't have to be set to 'Track Interface' once you know your prefix (and assuming it doesn't change). The last step would be to enable Router Advertisements on the Services > DHCPv6 Server/RA page so everyone that doesn't have a static will generate one automatically via Stateless Autoconfig.
It's not pointless :(
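The steps described in the post above (note the prefix on the tracked LAN interface, then pick static addresses inside it), as an added Python example that is not part of the original thread. It also flags static or alias entries that no longer match after a prefix change, which is the failure case other posters report; all addresses are constructed from the 2001:db8::/32 documentation range and the function names are hypothetical.

```python
import ipaddress

def lan_prefix(lan_addr, prefix_len=64):
    """Network that a global LAN interface address belongs to."""
    iface = ipaddress.IPv6Interface(f"{lan_addr}/{prefix_len}")
    if iface.ip.is_link_local:
        raise ValueError("fe80::/10 is link-local, not the delegated prefix")
    return iface.network

def static_address(prefix, interface_id):
    """Join the prefix with a chosen host part such as '::10'."""
    host = int(ipaddress.IPv6Address(interface_id))
    if host & int(prefix.netmask):
        raise ValueError("host part overlaps the prefix bits")
    return ipaddress.IPv6Address(int(prefix.network_address) | host)

def audit(prefix, entries):
    """Names of static/alias entries that fall outside the current prefix."""
    return sorted(name for name, addr in entries.items()
                  if ipaddress.IPv6Address(addr) not in prefix)

def renumber(addr, new_prefix):
    """Keep the host part of addr and move it into new_prefix."""
    host = int(ipaddress.IPv6Address(addr)) & int(new_prefix.hostmask)
    return ipaddress.IPv6Address(int(new_prefix.network_address) | host)

# Constructed sample values (documentation range), not real assignments.
TRACKED_LAN = "2001:db8:abcd:1200:20c:29ff:fe12:3456"   # seen while tracking
AFTER_REBOOT = "2001:db8:ef01:3400:20c:29ff:fe12:3456"  # prefix has changed

if __name__ == "__main__":
    prefix = lan_prefix(TRACKED_LAN)
    entries = {"fw-lan": str(static_address(prefix, "::1")),
               "nas": str(static_address(prefix, "::10"))}
    print("prefix:", prefix, "statics:", entries)
    new_prefix = lan_prefix(AFTER_REBOOT)
    for name in audit(new_prefix, entries):
        print(name, "is stale; would become", renumber(entries[name], new_prefix))
```

Firewall rules and aliases that reference a stale entry no longer match the hosts they were written for, so the audit is worth running after any modem reset or reboot.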
-
If you really wanted to use static IPV6 addresses with PD it can be done. For Comcast they assign the prefix and it's pretty much yours all the time.
Not so. Unlike IPV4, the IPV6 address and prefix assigned by Comcast will be different each time it is acquired (each time you connect).
-
I have had the same prefix from them for the past 3 months (since I got everything working), after numerous power failures, modem resets, taking interfaces up/down, etc, the prefix has always been the same. We even have an official Comcast employee saying his prefix hasn't changed here: http://forums.comcast.com/t5/Basic-Internet-Connectivity-And/IPv6-Network-Prefix-assigned-to-router/td-p/1407185
-
Mine does with every modem reset, or pfSense reboot. I guess your mileage may vary!
-
You know, one time when I was helping out a friend get his pfSense box up and running with residential Comcast IPv6, he noticed the prefix changing too after a reboot. Another odd thing was his IPv4 DNS server that was provided via DHCP was not set to the normal 75.75.75.75 address they give you (some random address starting with 208 from what I can remember). Turns out that Comcast never provisioned his modem correctly and it was still (attempting) to redirect you to the Comcast "please agree to sell your soul to us" ToC captive portal (even though IPv4 had been working for months prior on a different router and SAME modem). So we called up Comcast, and got a hold of someone. Before they pulled the "we'll send a tech on premises to replace the modem" crap, I was able to get it escalated and they fixed the issue. Since that time, his prefix hasn't changed.
Maybe a geographic thing as both instances were in southeastern Michigan? Anyway, this is probably not your scenario but I wanted to share in case it was. ;)
-
I do get the 75.75.75.75 DNS, but my prefix also changes whenever I disconnect or reboot.
-
Having your ipv6 subnet and IPs become dynamic doesn't make it useless - Just much less useful as a server.
Which is probably the intent.
Dump the native IPV6 if it becomes annoying and grab a hurricane electric /48 that never changes.