Search the Community
Showing results for tags 'vlan'.
Found 2 results
I just added in IPv6 support on my pfSense box, using AirVPN and a VLAN. Note that I already had the VPN VLAN setup and working correctly with IPv4, so this guide is only about what needed to be changed to add in IPv6 support. Recently, AirVPN has implemented IPv6 across their servers. Provided you are running a recent version of OpenVPN (>= 2.4), and you adjust your client configuration properly, you will be assigned an IPv6 address along with the typical IPv4 address. In my setup, I’m using pfSense as my firewall / router, and have several VLANs configured for various purposes. One of these VLANs is specifically for VPN usage. So the question becomes, how to take the single IPv6 address assigned from AirVPN and make it usable on a VLAN, for multiple hosts. This setup is severely sub-optimal, as IPv6 was designed to avoid NAT (there are what, 3.4x10^38 available addresses?). Given that the design of the protocol and AirVPN’s implementation are at odds, there are some problems that you will encounter. The most annoying being that browsers don’t want to use your IPv6 address, and you will continue to use IPv4, despite having everything setup “correctly.” It may be possible to overcome this with some per-host modifications (on Linux, look to /etc/gai.conf), but that is perhaps not maintainable in the long run. This problem stems from the fact that the address Air is providing is a Unique Local Address (ULA), which, by definition, is not globally routable. This address gets translated at Air’s servers into a normal, globally routable, address. But what the software on your machine sees is a ULA, and since that isn’t a globally routable IP address, the software will prefer the IPv4 address, where it is understood that NAT will probably be used. Given this implementation, I am not convinced it is worth it to setup IPv6 in this type of configuration. Having said all that, here is how I configured things to get IPv6 “working” with AirVPN on a pfSense VLAN: 1: Get an IPv6 address from AirVPN Assuming you are running a recent release of pfSense, you should have the necessary OpenVPN version for this to work (I’m on pfSense 2.4.4, which is using OpenVPN 2.4.6). Go into your OpenVPN client configuration and set “Protocol” to “UDP IPv4 and IPv6 on all interfaces (multihome)” scroll down to “Custom options” and make sure you have these 2 lines: push-peer-info; setenv UV_IPV6 yes; Save, and possibly restart the service. You should now have both IPv4 and IPv6 addresses assigned to your VPN connection 2: Create a new Gateway I can’t remember if the gateway was automatically created at this point. If not, Add a new gateway. If one was auto created, edit it. Then Make sure Interface is set to the VPN Address family is IPv6 Give it a name (VPN1_WAN_IPv6 in my case) I’ve left everything else at default settings, then set a description, and Save and reload 3: Modify your VPN VLAN From the “Interfaces” menu, select your VPN VLAN entry, then Set “IPv6 Configuration Type” to “Static IPv6” Scroll down to the “Static IPv6 Configuration” section and set an address and prefix. I chose a “random” ULA (FDxx:xxxx:xxxx:10::1). Obviously, choose hex characters in place of the “x”s and the “10” matches my vlan number. Set the prefix to /64 Leave the “use IPv4 connectivity” unchecked and the gateway set to “None” Save and reload 4: Configure Router Advertisements and/or DHCPv6 From the “Services” menu, select “DHCPv6 Server & RA” - then choose your VLAN. In my setup, I’m not bothering with DHCP, just using SLACC, so I go directly to the “Router Advertisements” tab. Set Router Mode to unmanaged Priority to Normal You may choose to put your IPv6 DNS server into the DNS configuration section (I believe Air’s server is fde6:7a:7d20:4::1 Leave everything else as is (blank) Save and reload 5: Set NAT Rules From the “Firewall” menu, select “NAT”, then go to the “Outbound” tab Click the second “Add” button Set “Interface” to your VPN gateway “Address Family” is “IPv6” Source type is “network” Source network is the ULA you setup earlier (“Fdxx:xxxx:xxxx:10::/64”) I did this using an alias. Note that the subnet drop down doesn’t list anything above a /32 (it’s meant for IPv4), so I left it at /32. Seems to work anyway. The Translation Address should be set to “Interface Address” Add in a description, if you wish, and Save and reload 6: Set Firewall Rules From the “Firewall” menu, select “Rules” and then the appropriate VLAN tab Click the second “Add” button “Action” is “Pass” “Interface” is your VLAN “Address Family” is “IPv6” Set the rules appropriately for your situation. In my case, just to get things working, I set “Protocol” to “Any” “Source” to “[VLAN] net” Click the “Display Advanced” button Scroll down to “Gateway” and select your previously configured VPN IPv6 gateway Save and reload NOTE: Be sure to move the rule you just created into the correct spot in your rules list! Remember, the rules are checked in order, so if you have a deny rule above your new pass rule in the list, it won’t work. At this point I rebooted pfSense and my VPN client machine. I now have an IPv6 address, assigned from the ULA block I setup. Visiting https://ipleak.net shows I have both IPv4 and IPv6 connectivity. Going to https://test-ipv6.com gives me a 10/10, but with the note that the browser is avoiding using the IPv6 address. See the note from AirVPN Staff about this: https://airvpn.org/topic/25140-the-issue-your-browser-is-avoiding-ipv6/ Hopefully this is helpful to someone out there. MrFricken
Currently, I divide my wireless SSID into two sets. I bridge WAN, LAN1, LAN2, LAN3, eth1 and eth2 as br0. br1 is set as wl1.1 and vlan3. If I want to force br0 to use OpenVPN, br1 uses outside tunnel network, how can I set it up? Right now I write iptables as following. #Enable NAT on the WAN (Correct a BUG) iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr` #Restrict br1 from accessing br0 iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j logdrop iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j logdrop #Restrict br1 from accessing tun1 iptables -I FORWARD -i br1 -o tun1 -m state --state NEW -j logdrop #Restrict br1 from accessing the router #iptables -I INPUT -i br1 -m state --state NEW -j DROP #Allow br1 to access DHCP on the router iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT #Allow br1 to access DNS on the router iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT #Allow br0 to access DNS on the router iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT Device : R7000 using Firmware: DD-WRT v3.0-r29440M kongac (04/19/16) with YAMON