Ip port forwarding for ipv6

  • Hi,

    I would like to do a port forward for ipv6.  Keep reading, I promise it isn't what you think.

    I want to do a port forward for my lan interface, so that I can hijack any external DNS destined packets and redirect them into my dns server running on v6.

    I know this works fine on v4.  It doesn't seem that there's a way to designate this in v6.  I don't need to specify a netmask for my destination, but if I put it into a mode where I can select one, they are 32 bits only.  The other menus in the system will go to 128 if it's for either v4/6.

    We have comcast, and they don't allow PD so we have to camp on their single /64 and do slaac with their dns servers, which work 98% of the time.  Hence, this.  If there's something smarter, I'm all ears.  Thanks for reading!

  • LAYER 8 Global Moderator

    Who says comcast doesn't do PD??

    Example here user is asking for /60 that they say is possible in some areas - so clearly they support PD ;)

    I was running comcast ipv6 for a while.  And had requested multiple /64 for my different segments that worked.  I just went back to HE because it doesn't change..  My problem with comcast is that delegated /64 would change.  Which was pain for how I am playing/testing ipv6.  I like the HE tunnel better, it's much easier to work with from my point of view.  Got a /48 from them and assign my multiple lan side segments the /64 out of that /48 that I want, etc.

    I don't have to worry about anything ever changing.  Makes it easy to use statics on my ipv6 test boxes, etc.

  • Hi,

    Mostly I am interested in the question about ipv6 port forwarding.

    I got to a comcast third level engineer and our area does not support it.  I'd love to continue to fantasize about it being available, but my technical response is to workaround it with this port forward, if possible.  Does pfsense support this arrangement?  Thanks!


  • LAYER 8 Global Moderator

    I don't think there is any functionality built in to pfsense for forwarding ipv6, since it's not something that should ever have to be done.

    Now you might be able to forward to ipv6 by just putting in the alias or address based upon dest port of 53..  But that would send all traffic to your ipv6 which would be a problem for ipv4 clients.

    Wouldn't it be easier to just set up your IPv6 to use pfsense dns running on ipv6 and not try and intercept it?  I never like interception of traffic with redirect, I would be more for blocking outbound dns completely which forces users to use your local dns if they want to resolve something.
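    The block-outbound-DNS alternative suggested above, written out as an added pf.conf fragment (not from the original post and not pfSense's generated ruleset); the interface name and resolver addresses are assumed placeholders. Because each address family gets its own pass rule, the v4/v6 mismatch that a single family-agnostic redirect would cause does not arise.

    ```pf
    # Added example: force LAN clients onto the local resolver instead of
    # redirecting port 53. Interface and addresses are placeholders (assumed).
    lan_if = "igb1"
    resolver_v4 = "192.0.2.1"        # local resolver's IPv4 address (placeholder)
    resolver_v6 = "2001:db8:0:1::1"  # local resolver's IPv6 address (placeholder)

    # Permit DNS only to the local resolver, one rule per address family,
    # so IPv4 clients keep an IPv4 path and IPv6 clients an IPv6 path.
    pass in quick on $lan_if inet proto { tcp udp } from any to $resolver_v4 port 53
    pass in quick on $lan_if inet6 proto { tcp udp } from any to $resolver_v6 port 53

    # Any other DNS leaving the LAN is dropped (both families), so a client
    # with a hard-coded external resolver fails closed rather than bypassing policy.
    block in quick on $lan_if proto { tcp udp } from any to any port 53
    ```

    Rule order matters: the pass rules must precede the block, and "quick" stops evaluation at the first match.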

  • Hi,

    Well, I think that doing a NAT on the unusual LAN interface to redirect traffic is a valid use for v6 NAT.  It gives a local admin an ability to control their network.  I understand the philosophical opposition to v6 NAT being available, hence my original deflection and this retort.

    I have no ability to configure IPv6 on the pfSense because Comcast allocates the single /64 and no prefixes.  I could certainly place the pfSense in that /64 and then allocate a smaller subnet, but as we know, /64 is the smallest network size that accommodates SLAAC.  More than zero of the clients I have to support have SLAAC but not dhcpv6 support, so I am stuck where I am.  Comcast has sized the network such that I can use their subnet but not allocate it further.  They /did/ offer PD during their IPv6 beta trial, but the network is now out of the test phase.

    Which is why, if I could redirect traffic with an outbound NAT rule, I could simply redirect traffic into a local system that knows what to do with it.

    I suspect the short answer to this is simply, 'nope', and is sufficient to move on.  I would love to hear a dev or pfsense expert chime in so I can let go of this, mentally.


  • LAYER 8 Global Moderator

    "so I am stuck where I am"

    How is that - if you don't like the way comcast is doing their IPv6, just use a tunnel HE or Sixxs.  I don't like how comcast PD changes all the time.  I like to keep the same prefixes on my segments thank you very much ;)

    So I just use a HE tunnel..  Get a /48 and go to town on as many /64s you could ever need ;)

  • This is getting back off topic.  I'm interested in only the answer to my original question.  I appreciate your enthusiasm but I have professional restraints to work within.  Thanks though!

  • BTW, Comcast can provide up to a /60 for residential accounts or /56 for business accounts. The trick is that if you've already requested a /64, you need to turn off IPv6 on your WAN for a week (I was told that IPv6 prefix leases are for 7 days) and let the lease expire, or see if you can contact someone at Comcast that can delete your existing /64 lease. As long as pfSense doesn't allow changing the DUID used for DHCPv6 (there's a feature request to allow changing it), we're at the mercy of the ISP.

    I can't help with IPv6 NAT/port forwarding… I have a /60 from Comcast on my home network and will just use firewall rules to allow incoming connections when necessary.

  • Our CMTS is currently configured for /64 allocations for this town's business class connections.

  • Banned


    I'm interested in only the answer to my original question.

    Answer: No. Move on.

  • Perfect answer.  Thanks doktornotor.

  • @digitalsushi:

    Our CMTS is currently configured for /64 allocations for this town's business class connections.

    That seems horribly inconsistent with what Comcast provides elsewhere in the country, especially for business class service. Who told you that that's how your area is set up? You might want to ask about that in either Comcast's forums or in the Comcast HSI forum at DSLReports. There are some Comcast employees - including some of their network engineers - that visit the DSLR forum, so I know that's a good spot to get some info/help.

    Also a note… if you had originally requested a /64, you won't be able to request a different prefix size until that /64 lease expires. So you might try turning off IPv6 on the WAN for a week (their lease length for IPv6 prefixes is 7 days), then turn it back on and request a larger prefix. Or if you can get someone at Comcast to delete your /64 lease info, then you could change to a /60 and you should be good to go.

  • The comcast rep I spoke with told me this.  I had to call many, many times before I started to get people that knew what v6 is.  After I was speaking with v6 aware people, it was still some time before I spoke with one that understood what I was asking for.  He relayed all of my questions to someone sitting near him who I was not allowed to speak with but knew what prefix delegation is.  My rep was told to tell me that our area doesn't support prefix delegation but that sometime after 2015 it was possibly going to be available again. (I'm in new hampshire).

    I have a now-closed comcast business ticket number, with an escalate status and a 72 hour window where they didn't call.  I just kept calling and eventually I got as good as I got.  I'm trying to not summon up how frustrated I got.

    I really feel as though there is quite simply no one there that is able to help us, so we have just tried to work around their technical support.  The longer I put onto that ticket, the more my bosses start to become aware of the time being spent going nowhere.

    So I tried to work around all of it with a technological solution.  This thread's won't suffice, although in theory it was a good fit.  I'm fine that v6 nat doesn't exist - I wouldn't code it up either, knowing what people will do with it.

    edit: Adding this, we have a comcast router we are leasing because we have a static v4 /28 routed to us with a comcast rip client configuration we are not allowed to run on our own hardware.  This router's configuration is locked in place - if we used our own router, we could do the /60 PD req no problem. I should have mentioned this earlier but I didn't want to take my own thread off topic.

  • LAYER 8 Netgate

    Zero other options?  Vote with your $$.  It's all they understand.

  • I'm not the one with the $$ in this scenario, just the one with the problem.

  • LAYER 8 Global Moderator

    So pfsense is behind a comcast router?  And you're getting an address in the /64 that router hands out on pfsense?

    So still trying to understand your actual issue - is that you want more /64s of your own and the ability to use good ipv6 dns?  Why is it that you can not just create a tunnel with HE?  You stated you were looking for tech work around - so why is it that solution does not work for you.  Click click and you could be handing out as many /64s as you need behind your HE tunnel.  And hand out whatever ipv6 dns you wanted to hand out to clients.

  • @digitalsushi:

    we have a comcast router we are leasing because we have a static v4 /28 routed to us with a comcast rip client configuration we are not allowed to run on our own hardware.  This router's configuration is locked in place - if we used our own router, we could do the /60 PD req no problem. I should have mentioned this earlier but I didn't want to take my own thread off topic.

    This was a critical piece of info.

    Comcast doesn't support more than /64 on their own gateway devices. They don't yet support "sub-delegation", where you would be able to have a /60 or /56 on their gateway (which is required to be used for static IP addressing) and then sub-delegate prefixes to other routers (like pfSense).

    That's why you can't get more than a /64, because you're using Comcast's gateway.

    If the static IPv4 addresses weren't necessary, then you would be fine to use pfSense as your only router (have theirs put into Bridge mode, or buy a modem-only device) and request a /60 or /56 for IPv6.
