State of DS-Lite (Dual Stack Lite) support in pfSense
-
Hello folks,
I want to use pfSense as a router behind a TC7200 that is in bridge mode.
My provider (Unitymedia) in Germany only gives me real ipv6 adresses. For ipv4 they use Dual Stack Lite.
When using the TC7200 in bridge mode, the DSLite functionality is turned off so all I am left with is a /64 ipv6 subnet.While researching I came across this feature request for DS-Lite support in pfSense: https://redmine.pfsense.org/issues/2357
It looks to be open and hasn't seen progress for 4 years.
Does this mean pfSense is (currently) unable to tunnel ipv4 traffic over my ISP's DS-Lite?On the configuration page of my router I found those (FQDN and adress removed by me):
DS-Lite AFTR FQDN some.fqdn.at.my.isp
DS-Lite AFTR Addresse 2a….::::From my understanding, a router with DS-Lite support could just use the DS-Lite AFTR adress and send ipv4 packets to it.
Is that correct? -
Does this mean pfSense is (currently) unable to tunnel ipv4 traffic over my ISP's DS-Lite?
Please read this here (german) DS-Light (Dual Stack & VPN)
There is also a in Germany based solution that can be helping out to solve this issue for you.
But it is not free of charge but also in German language Feste-IP.netYou could place this device in the DMZ of your pfSense and all is running well for you.
-
I read the article on elektronik-kompendium (also the one specifically on DS-Lite). So what I read from it is this:
When the TC7200 is operating in router mode, it will act as the B4 node that routes ipv4 packets over ipv6 to their AFTR endpoint where they do CGN.I do understand that a router that does this 4in6 tunneling to unitymedia needs some kind of configuration (like an AFTR adress or maybe a password or more), but I am still unsure if a pfSense box is even capable of tunneling in that way.
Looking at this, it seems like the Feste-ip soultion would be the easiest. I do have some questions left, though.
1. do you mean the FIP-Box easy2connect? (http://www.feste-ip.net/fip-box/easy2connect)
2. which of their services is the correct one? Their offerings all seem to be meant to make devices in my home network accessible over ipv4.
This is also nice. However, my main focus is to get an ipv4 adress that devices in my home network can use to talk to other servers that only have ipv4. This opens the following question: When using such a device, would the pfSense router still be the ipv4 DHCP Server?
3. Is Feste-IP only mapping some of my ports? Or do they also have real tunneling?
4. After looking up DMZ (demilitarized zone) I am still unsure how this is exactly meant to work.Is it meant like this:
Internet –---- TC7200 (bridge mode) -------- FIP-Box ----------- pfSense Router --------- Clients
Or like this:
|---------- FIP-Box
Internet ------ TC7200 (bridge mode) |
|----------- pfSense Router --------- ClientsOr even like this (as Feste-IP.Net seems to suggest):
|---------- FIP-Box
Internet ------ TC7200 (bridge mode) ------pfSense Router--------|
|----------- other ClientsThanks for the help. I really appreciate it!
-
DS-Light with dual-stack will not be able to let you create any kind of VPN from the outside.
Thats it in short, but with that small VPN Server that could be positioned inside of the VPN
it could running. -
Dr All,
I'm really newbie in IPv6 and pfsense too.
But now in Germany I can use my own router with Unitymedia. I would like to ask if I will have Docsis 3.0 compatible 24X8 capable modem and I will connect my the pfsense directly to it can it work?
I mean these are the requirements of the provider:
• DOCSIS 3.0 compatible
• 24 download and 8 upload channels
• Understanding IPv4 and IPv6 as well as Dual Stack Lite
• and support the SIP standard for telephony
So If I find a modem which handle the first 2 and I don't care about telephony the 3rd requirement can be done completly by the pfsense (2.3)?Thanks
cyd -
If your plan access over ipv4 external, right.
It´s smarter and mostly cheaper to use a vserver hoster like hetzner. ( 4,64 Euro per Month )Internet - VServer ( debian ) -> VPN openvpn -> Your DS lite ( pfsense )-> Homenet.
Tunnel must be open by pfsense (homeside) to the vserver .So you don´t user "black boxes" in your home net, and all configs in your Hand.
On the vserver you are able to setup VPN like raacon ( ipsec ) openvpn…
-
Hi Maps,
I know it is just under-usage of the pfsense but the only thing what I want from it at the beginning to work as "home-router" but because my provider forces the ds-lite I want to know if this can connect to my provider's infrastructure.
First I don't want vpn or any fancy stuff just good, safe router firewall.
I have the hardware for the pfsense and it is running already, just right now behind the router of the provider, so I'm double nated.
That's why I want to know how to configure the pfsense if I replace the provider's router to a simple cable modem.
In my theory how should it work:
Internet –> my own simple cable modem --> my pfsense (with ipv6 and ds-lite) --> my home networkThat's all I would like to achieve.
Is it difficult with pfsense for a newbie?Thanks,
cyd -
My Provider "Deutsche glasfaser" use also Dualstack Lite ( Real IP V6 56 Net ) and a private IP non offiicial IPV4.
It´s quite easy setup, only for ipv6 I need to use the develompent Release. "Wait for RA" problem.But I never try to setup TV or phoneservice with pfsense. In this case, for a beginner it could be easyer to use a AVM Produkt.
You are running pfsense, in best case you have to change only your WAN parameters
-
I'm not using phone neither TV on this line, just internet.
Is it difficult to set up this?
I'm on the latest stable community edition pfsense version (2.3.2). -
I read the article on elektronik-kompendium (also the one specifically on DS-Lite). So what I read from it is this:
When the TC7200 is operating in router mode, it will act as the B4 node that routes ipv4 packets over ipv6 to their AFTR endpoint where they do CGN.I do understand that a router that does this 4in6 tunneling to unitymedia needs some kind of configuration (like an AFTR adress or maybe a password or more), but I am still unsure if a pfSense box is even capable of tunneling in that way.
Looking at this, it seems like the Feste-ip soultion would be the easiest. I do have some questions left, though.
1. do you mean the FIP-Box easy2connect? (http://www.feste-ip.net/fip-box/easy2connect)
2. which of their services is the correct one? Their offerings all seem to be meant to make devices in my home network accessible over ipv4.
This is also nice. However, my main focus is to get an ipv4 adress that devices in my home network can use to talk to other servers that only have ipv4. This opens the following question: When using such a device, would the pfSense router still be the ipv4 DHCP Server?
3. Is Feste-IP only mapping some of my ports? Or do they also have real tunneling?
4. After looking up DMZ (demilitarized zone) I am still unsure how this is exactly meant to work.Is it meant like this:
Internet –---- TC7200 (bridge mode) -------- FIP-Box ----------- pfSense Router --------- Clients
Or like this:
|---------- FIP-Box
Internet ------ TC7200 (bridge mode) |
|----------- pfSense Router --------- ClientsOr even like this (as Feste-IP.Net seems to suggest):
|---------- FIP-Box
Internet ------ TC7200 (bridge mode) ------pfSense Router--------|
|----------- other ClientsThanks for the help. I really appreciate it!
-
I know it is just under-usage of the pfsense but the only thing what I want from it
at the beginning to work as "home-router" but because my provider forces the ds-lite I want
to know if this can connect to my provider's infrastructure. -
From my point of view, telekom don´t use DS-List ?!? ( see IP 79.XX in the dokument ).