MrFricken 1 Posted ...

I just added in IPv6 support on my pfSense box, using AirVPN and a VLAN. Note that I already had the VPN VLAN set up and working correctly with IPv4, so this guide is only about what needed to be changed to add in IPv6 support.

Recently, AirVPN has implemented IPv6 across their servers. Provided you are running a recent version of OpenVPN (>= 2.4), and you adjust your client configuration properly, you will be assigned an IPv6 address along with the typical IPv4 address.

In my setup, I’m using pfSense as my firewall / router, and have several VLANs configured for various purposes. One of these VLANs is specifically for VPN usage. So the question becomes, how to take the single IPv6 address assigned from AirVPN and make it usable on a VLAN, for multiple hosts.

This setup is severely sub-optimal, as IPv6 was designed to avoid NAT (there are what, 3.4x10^38 available addresses?). Given that the design of the protocol and AirVPN’s implementation are at odds, there are some problems that you will encounter. The most annoying being that browsers don’t want to use your IPv6 address, and you will continue to use IPv4, despite having everything set up “correctly.” It may be possible to overcome this with some per-host modifications (on Linux, look to /etc/gai.conf), but that is perhaps not maintainable in the long run.

This problem stems from the fact that the address Air is providing is a Unique Local Address (ULA), which, by definition, is not globally routable. This address gets translated at Air’s servers into a normal, globally routable, address. But what the software on your machine sees is a ULA, and since that isn’t a globally routable IP address, the software will prefer the IPv4 address, where it is understood that NAT will probably be used.

Given this implementation, I am not convinced it is worth it to set up IPv6 in this type of configuration.

Having said all that, here is how I configured things to get IPv6 “working” with AirVPN on a pfSense VLAN:

1: Get an IPv6 address from AirVPN

Assuming you are running a recent release of pfSense, you should have the necessary OpenVPN version for this to work (I’m on pfSense 2.4.4, which is using OpenVPN 2.4.6).

Go into your OpenVPN client configuration and
- set “Protocol” to “UDP IPv4 and IPv6 on all interfaces (multihome)”
- scroll down to “Custom options” and make sure you have these 2 lines:

    push-peer-info;
    setenv UV_IPV6 yes;

- Save, and possibly restart the service. You should now have both IPv4 and IPv6 addresses assigned to your VPN connection.

2: Create a new Gateway

I can’t remember if the gateway was automatically created at this point. If not, add a new gateway. If one was auto created, edit it. Then
- Make sure Interface is set to the VPN
- Address family is IPv6
- Give it a name (VPN1_WAN_IPv6 in my case)
- I’ve left everything else at default settings, then set a description, and
- Save and reload

3: Modify your VPN VLAN

From the “Interfaces” menu, select your VPN VLAN entry, then
- Set “IPv6 Configuration Type” to “Static IPv6”
- Scroll down to the “Static IPv6 Configuration” section and set an address and prefix. I chose a “random” ULA (FDxx:xxxx:xxxx:10::1). Obviously, choose hex characters in place of the “x”s, and the “10” matches my VLAN number.
- Set the prefix to /64
- Leave the “use IPv4 connectivity” unchecked and the gateway set to “None”
- Save and reload

4: Configure Router Advertisements and/or DHCPv6

From the “Services” menu, select “DHCPv6 Server & RA” - then choose your VLAN. In my setup, I’m not bothering with DHCP, just using SLAAC, so I go directly to the “Router Advertisements” tab.
- Set Router Mode to unmanaged
- Priority to Normal
- You may choose to put your IPv6 DNS server into the DNS configuration section (I believe Air’s server is fde6:7a:7d20:4::1)
- Leave everything else as is (blank)
- Save and reload

5: Set NAT Rules

From the “Firewall” menu, select “NAT”, then go to the “Outbound” tab
- Click the second “Add” button
- Set “Interface” to your VPN gateway
- “Address Family” is “IPv6”
- Source type is “network”
- Source network is the ULA you set up earlier (“Fdxx:xxxx:xxxx:10::/64”). I did this using an alias. Note that the subnet drop down doesn’t list anything above a /32 (it’s meant for IPv4), so I left it at /32. Seems to work anyway.
- The Translation Address should be set to “Interface Address”
- Add in a description, if you wish, and
- Save and reload

6: Set Firewall Rules

From the “Firewall” menu, select “Rules” and then the appropriate VLAN tab
- Click the second “Add” button
- “Action” is “Pass”
- “Interface” is your VLAN
- “Address Family” is “IPv6”
- Set the rules appropriately for your situation. In my case, just to get things working, I set “Protocol” to “Any”
- “Source” to “[VLAN] net”
- Click the “Display Advanced” button
- Scroll down to “Gateway” and select your previously configured VPN IPv6 gateway
- Save and reload

NOTE: Be sure to move the rule you just created into the correct spot in your rules list! Remember, the rules are checked in order, so if you have a deny rule above your new pass rule in the list, it won’t work.

At this point I rebooted pfSense and my VPN client machine. I now have an IPv6 address, assigned from the ULA block I set up. Visiting https://ipleak.net shows I have both IPv4 and IPv6 connectivity. Going to https://test-ipv6.com gives me a 10/10, but with the note that the browser is avoiding using the IPv6 address. See the note from AirVPN Staff about this: https://airvpn.org/topic/25140-the-issue-your-browser-is-avoiding-ipv6/

Hopefully this is helpful to someone out there.
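Added example, not part of the thread or any poster's code: a simplified Python model of RFC 6724 destination address selection (Rules 5 and 6 only), showing why a host whose IPv6 source is a ULA picks the IPv4 destination of a dual-stack site, as the first post describes. The addresses are constructed samples, and RELABELLED is a hypothetical per-host policy change of the kind /etc/gai.conf allows, not a setting taken from the thread.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

def to_v6(addr):
    """IPv4 addresses are looked up as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(ip)) if ip.version == 4 else ip

def lookup(addr, policy=DEFAULT_POLICY):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = to_v6(addr)
    matches = [(ipaddress.ip_network(p).prefixlen, prec, label)
               for p, prec, label in policy if ip in ipaddress.ip_network(p)]
    _, prec, label = max(matches)
    return prec, label

def sort_destinations(pairs, policy=DEFAULT_POLICY):
    """pairs: (destination, source address the host would use to reach it).
    Models only Rule 5 (prefer matching label) and Rule 6 (higher precedence);
    the earlier rules tie here because every address has global scope."""
    def key(pair):
        dst, src = pair
        d_prec, d_label = lookup(dst, policy)
        _, s_label = lookup(src, policy)
        return (d_label != s_label, -d_prec)  # matching label sorts first
    return [dst for dst, _ in sorted(pairs, key=key)]

# Constructed sample: a VLAN host with a ULA and an RFC 1918 address,
# resolving a dual-stack site (documentation addresses as destinations).
ULA_SRC, V4_SRC = "fd12:3456:789a:10::25", "192.168.10.25"
PAIRS = [("2001:db8::80", ULA_SRC), ("198.51.100.80", V4_SRC)]

# Hypothetical per-host policy: give fc00::/7 the same label as ::/0.
RELABELLED = [(p, prec, 1 if p == "fc00::/7" else label)
              for p, prec, label in DEFAULT_POLICY]

if __name__ == "__main__":
    print("default policy :", sort_destinations(PAIRS))
    print("ULA relabelled :", sort_destinations(PAIRS, RELABELLED))
```

Under the default table the ULA source (label 13) does not match the global destination (label 1), so the IPv4 pair, whose labels both equal 4, sorts first; once the labels match, the higher precedence of ::/0 puts the IPv6 destination first.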
zhang888 1066 Posted ...

That's a good approach, but is your LAN large/complex enough to avoid NAT / RFC1918 completely?

Actually I find IPv4 in LAN very easy to assign, monitor and filter, while uplinking WAN with IPv6 just like you can do with Air.

Most admins that I spoke with actually agree with that, unless you want to keep another provisioning server in your LAN.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
MrFricken 1 Posted ...

Hi zhang888 -

Thanks for the comment, but I'm not sure I understand what you mean. I never said that IPv4 was difficult. If you have another approach to take with IPv6, I'm all ears! Perhaps you can explain more what it is you mean?

Thanks,
MrFricken
dIecbasC 38 Posted ...

@Staff with more folks starting to look at IPv6 recently I wondered if this is still the generally optimal setup possible with AirVPN? Is there any way to avoid the NAT'ing of IPv6 and still retain privacy etc?