A few Ipv6 questions and firewall question



  • I have Time Warner Cable and apparently they have native ipv6 working. I was able to set my WAN interface to 'track' and now I'm able to get to ipv6 sites and IPs from my machines behind the network.

    I understand that clients automatically use SLAAC to generate themselves an IP and then just magically start using it.

    How does it 'magically' give itself an IP? Where does the IP come from? If it's random, isn't there a chance it could generate the same IP already in use by another machine (I know this is extremely unlikely, but still)?

    My WAN interface on pfsense has an ipv6 starting with 2605:a000:ffc0:34: but my LAN interface and all my client computers have an IP starting with 2605:a000:120d:b:
    Why are there two different ranges? And how did my pfsense 'learn' about this second range?

    As far as security, do I need to do anything special to keep myself firewalled? I see that each device on my network gets its own address that seems to be 'public', but for inbound connections, does pfsense still have the ability to stop them? Or do they go right through pfsense?


  • LAYER 8 Netgate

    @Mjennings:

    I have Time Warner Cable and apparently they have native ipv6 working. I was able to set my WAN interface to 'track' and now I'm able to get to ipv6 sites and IPs from my machines behind the network.

    I understand that clients automatically use SLAAC to generate themselves an IP and then just magically start using it.

    How is IPv6 configured on your WAN? It is my understanding that TWC uses DHCP.

    It is also my understanding that you cannot use SLAAC on LAN with track interface, but DHCP servers are automatically configured instead.

    How does it 'magically' give itself an IP? Where does the IP come from? If it's random, isn't there a chance it could generate the same IP already in use by another machine (I know this is extremely unlikely, but still)?

    I haven't read up on it but IPv6 requires devices to respond to ICMPv6. It makes heavy use of them so I assume there is some duplicate detection going on automatically. Even without it, it's a one in 18-billion-billion chance you would collide with another host on your network.

    My WAN interface on pfsense has an ipv6 starting with 2605:a000:ffc0:34: but my LAN interface and all my client computers have an IP starting with 2605:a000:120d:b:
    Why are there two different ranges? And how did my pfsense 'learn' about this second range?

    It negotiated the WAN network using DHCPv6 and requested a prefix delegation the same way.

    Track interface then doles out /64 subnets out of the delegation to each segment.

    As far as security, do I need to do anything special to keep myself firewalled? I see that each device on my network gets its own address that seems to be 'public', but for inbound connections, does pfsense still have the ability to stop them? Or do they go right through pfsense?

    NAT does nothing to keep you secure. Nothing passes inbound without a pass rule on WAN. When you have an inbound port forward, the translation occurs then the rules are checked. When there is no translation, the rules are just checked. If the traffic is not passed it is denied.

    There are some privacy implications to having a public, local address. Using SLAAC, most hosts will derive a main listening address from the interface's MAC address. This can be used to track a computer as it moves around the IPv6 space. Most stacks now periodically generate a completely random address used for outgoing connections. Your host might have several active IPv6 addresses at any one time - even on multiple subnets with multiple routers.

    vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=3<RXCSUM,TXCSUM>
        ether 3c:07:66:0c:21:fe
        inet6 fe80::3e07:54ff:fe0c:2316%vlan5 prefixlen 64 scopeid 0xe
        inet6 2001:470:cafe:999:3e07:66ff:fe0c:21fe prefixlen 64 autoconf
        inet 172.29.99.211 netmask 0xffffff00 broadcast 172.29.99.255
        inet6 2001:470:cafe:999:43f:53f0:2ac8:35ca prefixlen 64 deprecated autoconf temporary
        inet6 2001:470:cafe:999:6d36:6780:36e4:6d93 prefixlen 64 deprecated autoconf temporary
        inet6 2001:470:cafe:999:4d13:8f84:556e:2eb0 prefixlen 64 deprecated autoconf temporary
        inet6 2001:470:cafe:999:792d:7053:f218:ead2 prefixlen 64 deprecated autoconf temporary
        inet6 2001:470:cafe:999:64ec:7dca:87d0:c87 prefixlen 64 deprecated autoconf temporary
        inet6 2001:470:cafe:999:fc35:216c:c03e:fca4 prefixlen 64 deprecated autoconf temporary
        inet6 2001:470:cafe:999:9020:2ca5:e2e9:d4c8 prefixlen 64 autoconf temporary
        nd6 options=1<PERFORMNUD>
        vlan: 999 parent interface: en0
        media: autoselect (1000baseT <full-duplex,energy-efficient-ethernet>)
        status: active
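An added illustration of the MAC-derived address point in the reply above (example code written for this page, not pfSense's code and not the poster's own tooling): it computes the modified EUI-64 address a SLAAC host forms from a MAC and a /64 prefix, recovers the MAC back out of such an address, and flags which addresses from the ifconfig output are MAC-derived (stable, trackable across networks) versus temporary. The MAC, prefix and address list are copied from the output above; the function names and the ff:fe heuristic are my own.

```python
"""SLAAC modified EUI-64 derivation and a privacy check over a host's addresses."""
import ipaddress
from typing import Dict, List, Optional

# Values copied from the ifconfig output in the post above.
MAC = "3c:07:66:0c:21:fe"
PREFIX = "2001:470:cafe:999::/64"
OBSERVED: List[str] = [
    "2001:470:cafe:999:3e07:66ff:fe0c:21fe",  # marked 'autoconf' (stable)
    "2001:470:cafe:999:43f:53f0:2ac8:35ca",   # marked 'autoconf temporary'
    "2001:470:cafe:999:9020:2ca5:e2e9:d4c8",  # marked 'autoconf temporary'
]


def mac_to_eui64_iid(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # RFC 4291 Appendix A: insert 0xFFFE between the OUI and the device part,
    # then flip the universal/local bit (0x02) of the first octet.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    return bytes(eui64)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 IID, as a SLAAC host would."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_eui64_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an EUI-64-derived address, or None.

    Heuristic: a random IID could by chance contain ff:fe in the same spot,
    so treat a hit as 'very likely EUI-64', not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local flip
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addresses: List[str]) -> Dict[str, str]:
    """Map each address to 'eui64' (MAC-derived, trackable) or 'random'."""
    return {a: ("eui64" if mac_from_eui64_address(a) else "random") for a in addresses}


if __name__ == "__main__":
    print("derived from MAC:", slaac_address(PREFIX, MAC))
    for addr, kind in classify(OBSERVED).items():
        mac = mac_from_eui64_address(addr)
        print(f"{addr:45} {kind}" + (f" (MAC {mac})" if mac else ""))
```

Running it shows the 'autoconf' address decoding back to the interface's MAC while the temporary ones do not, which is exactly why the stable address is the one that can be used to follow a laptop from network to network. The collision concern raised in the question is handled on the host by Duplicate Address Detection (RFC 4862), which probes the candidate address with Neighbor Solicitation before using it; that step is not simulated here.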



  • @Derelict:

    How is IPv6 configured on your WAN? It is my understanding that TWC uses DHCP.

    It is also my understanding that you cannot use SLAAC on LAN with track interface, but DHCP servers are automatically configured instead.

    Yep… TWC should be DHCP on the WAN.

    When using Track Interface on the LAN, pfSense sends out "Assisted" RAs, which prefer SLAAC, but also allow DHCP if necessary. The DHCPv6 server is set up with an address block of ::1000 to ::2000 for hosts that can't/don't use SLAAC.

    @Derelict:

    My WAN interface on pfsense has an ipv6 starting with 2605:a000:ffc0:34: but my LAN interface and all my client computers have an IP starting with 2605:a000:120d:b:
    Why are there two different ranges? And how did my pfsense 'learn' about this second range?

    It negotiated the WAN network using DHCPv6 and requested a prefix delegation the same way.

    Track interface then doles out /64 subnets out of the delegation to each segment.

    If you only request a /64 from your ISP on the WAN, then you'll only have one /64 to use (presumably for your LAN). In order to use other /64s for other networks (i.e. guest, DMZ, etc.), you'll need to request a smaller prefix than /64. I don't know the smallest size that can be requested on TWC though (Comcast allows residential accounts to request as small as a /60, which results in 16 /64 blocks).

    @Mjennings:

    As far as security, do I need to do anything special to keep myself firewalled? I see that each device on my network gets its own address that seems to be 'public', but for inbound connections, does pfsense still have the ability to stop them? Or do they go right through pfsense?

    As far as security goes, unless you create a PASS rule on your WAN connection for IPv6 traffic, nothing's able to make an incoming connection. If you DO create a PASS rule, you'd be wise to give the computer a static IPv6 address (something like 2605:a000:120d:b::4001; like I mentioned above, the DHCPv6 range that is auto-configured is from ::1000 to ::2000, so something above that would be fine). That way you can create the firewall rule to allow traffic to just that single IPv6 address, and you don't have to worry about the address changing randomly on you.



  • @virgiliomi:

    If you only request a /64 from your ISP on the WAN, then you'll only have one /64 to use (presumably for your LAN). In order to use other /64s for other networks (i.e. guest, DMZ, etc.), you'll need to request a smaller prefix than /64. I don't know the smallest size that can be requested on TWC though (Comcast allows residential accounts to request as small as a /60, which results in 16 /64 blocks).

    If you tick the "Send IPv6 prefix hint" box on your WAN interface config page and change the drop-down just above it to "56" then TWC will give you a /56 block. This lets you have 256 /64 networks on your LAN.
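An added example (not pfSense code and not any poster's) that carries the prefix-delegation and static-address points from the last few posts through in Python: it enumerates the /64s inside a delegated /56 or /60, reports which are still free for extra segments such as guest or DMZ, and checks whether a hand-picked static host address lies outside the auto-configured ::1000 to ::2000 DHCPv6 pool before it is used in a single-host WAN pass rule. The delegated prefix 2605:a000:120d::/56 is a constructed input built around the LAN prefix seen in the thread (the real delegation size depends on what the ISP grants); the pool bounds and the ::4001 host are the values quoted above.

```python
"""Carving /64s from a delegated prefix and vetting a static host against the DHCPv6 pool."""
import ipaddress
from typing import List

# Constructed example inputs (see lead-in); not values pfSense reported.
DELEGATED = "2605:a000:120d::/56"          # what a /56 prefix hint would yield
LAN_NET = "2605:a000:120d:b::/64"          # the /64 track interface handed to LAN
CANDIDATE_STATIC = "2605:a000:120d:b::4001"  # the host address suggested above
POOL_START, POOL_END = 0x1000, 0x2000      # auto-configured DHCPv6 pool bounds


def carve_64s(delegated: str) -> List[ipaddress.IPv6Network]:
    """Return every /64 contained in the delegated prefix, in address order."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError("cannot carve /64s out of a prefix longer than /64")
    return list(pd.subnets(new_prefix=64))


def free_64s(delegated: str, assigned: List[str]) -> List[ipaddress.IPv6Network]:
    """The /64s not yet handed to a segment, i.e. what is left for guest, DMZ, etc."""
    used = {ipaddress.IPv6Network(a) for a in assigned}
    return [n for n in carve_64s(delegated) if n not in used]


def in_dhcpv6_pool(addr: str, lan_net: str,
                   pool_start: int = POOL_START, pool_end: int = POOL_END) -> bool:
    """True if addr falls inside <lan_net>::<pool_start> .. <lan_net>::<pool_end>."""
    net = ipaddress.IPv6Network(lan_net)
    ip = ipaddress.IPv6Address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {net}")
    iid = int(ip) - int(net.network_address)  # the host part only
    return pool_start <= iid <= pool_end


def suitable_static(addr: str, lan_net: str) -> bool:
    """A static host for a single-address WAN pass rule must be on the LAN /64
    but outside the pool, so the DHCPv6 server can never hand it to someone else."""
    return not in_dhcpv6_pool(addr, lan_net)


if __name__ == "__main__":
    nets = carve_64s(DELEGATED)
    print(f"{DELEGATED} contains {len(nets)} /64s; first {nets[0]}, last {nets[-1]}")
    print(f"after assigning {LAN_NET}: {len(free_64s(DELEGATED, [LAN_NET]))} /64s free")
    print(f"{CANDIDATE_STATIC} outside pool: {suitable_static(CANDIDATE_STATIC, LAN_NET)}")
```

The same carving function applied to a /60 gives the 16 blocks mentioned for Comcast, which is a quick way to sanity-check what a given prefix hint buys you before changing the WAN setting.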

