Hi, I wonder if there is anyone who can help me with configuring the IPv6 Setup on my pfSense Box ?

 

I'm completely lost on how to make it work, now that I got both IPv4 and IPv6 addresses assigned.


I agree.  At some point, I'll probably enable IPv6 and am mostly clueless about how to do it.  In broad terms, I know I'll have to re-enable IPv6 support on Windows 10.  Then, I'll have to at least enable it in pfSense at System > Advanced > Networking.  But, who knows what else pfSense will need (especially with my firewall rules).


 

It looks like for wan and lan interfaces we'd have to enable IPv6, and do so for the wan gateway too.

 

But, I haven't wrapped my head around how IPv6 works.  I mean, as I understand it there's no NAT?  That makes me feel naked.

I found a couple of threads talking a bit about this:
 
For Cox Communications as the ISP:  https://forum.pfsense.org/index.php?topic=111465.0
 
They don't touch on any kind of VPN settings.  But, it's a start.  I'd assume we'd have to make similar changes to any VPN WAN or VPN LAN interfaces we have.  I've copied the following from that pfSense/Cox thread and added notes from the Comcast thread (note that neither thread mentions having to turn IPv6 support on in System > Advanced > Networking, but I'm sure it has to be):
 
WAN:
IPv6 Configuration Type: DHCP6
DHCP6 Client Configuration:
X Only request an IPv6 prefix, do not request an IPv6 address  (<== MY NOTE:  Others said this wasn't necessary and was actually counterproductive)
DHCPv6 Prefix delegation size: 64  (<== MY NOTE:  the Comcast thread says he needed to set this to 60.  It depends on what the ISP gives out and his cable modem hardware)
X Send an IPv6 prefix hint
 
LAN:
IPv6 Configuration Type: Track Interface
IPV6 Interface: Wan
IPv6 Prefix ID: 0  (<== MY NOTE:  The Comcast thread said we can choose what we want here -- I don't know what these mean)
 
Services:DHCPv6 Server & RA  (<== MY NOTE:  The Comcast thread said we can set these however we want for our network)
DHCPv6 Server:
X Enable DHCPv6 Server on interface LAN
Range: ::1000 to ::2000 (this can be whatever i'm sure)
 
Prefix Delegation Size: 64
 
Router Advertisements:
Router Mode: Managed
Router Priority: High
 
DNS configuration: Same as DHCPv6 server
 
The Cox thread makes no mention of firewall rules.  But, the Comcast one says:
 

Next go into your firewall rules and add a rule to pass IPv6 traffic on all of your LAN interfaces (but not on your WAN interface). If you miss this step you will be very frustrated when you can’t connect to any IPv6 resources.

 


This works well if you got one source for getting an IPv6 address. I've tested this a while ago as my ISP gives me both IPv4 and IPv6 addresses.

However the tricky bit is using this plus the 4 AirVPN IPv6 IPs and not leaking the public IP.

 

I will take a deeper dive into this in ~ 2 weeks maybe, when I'm back at home. Any further help is much appreciated


I'd assume that along with changing the vanilla WAN interface to handle what our ISPs give out, we'd have to change each VPN WAN interface we've set up in pfSense to be compatible with what AirVPN gives out.  From:

 

https://airvpn.org/specs/

 

 

Assigned IP

Servers support both IPv4 and IPv6 tunnel (exit-ip), and are reachable over IPv4 and IPv6 (entry-ip). Currently (2018/01) not all servers support IPv6 tunnel yet. 
DNS server address is the same as gateway, in both IPv4 and IPv6 layer.

IPv4 Local Address chosen: 10.{daemon}.*.*, Subnet-Mask: 255.255.0.0 
IPv6 Unique Local Address (ULA) chosen: fde6:7a:7d20:{daemon}::/48.

 

So, I guess the DHCPv6 Prefix delegation size mentioned above would be 48.  I'm almost entirely clueless here.  So, I wouldn't put too much credence in what I say.


I've done some tests and did not come anywhere close to a solution.

 

I understand, we need to deploy one IPv6 to all clients in our network per VPN connection, but I don't know how to do this.

 

Anyone ?


I think I just found it on the doku site, but got no time to test this myself. Anyone ?

 

Does anyone know if Air gives us static IPv6 (Private) IPs ? I tested and disconnected from one server and reconnected. Still got the same internal IPv6 IP. So this looks promising.

If we get changing IPs we're f*cked and it seems that it's not possible to do this with pfSense.

We also need (at least) a /64 subnet from Air, but it looks like this is what we are already getting ?

 

https://www.netgate.com/docs/pfsense/routing/multi-wan-for-ipv6.html

 

I might have some time on the weekend to test myself.

 

https://www.netgate.com/docs/pfsense/nat/using-ipv6-network-prefix-translation-npt.html


@Staff can you comment on this ?

pfSense users seem to need this


...

Does anyone know if Air gives us static IPv6 (Private) IPs ? I tested and disconnected from one server and reconnected. Still got the same internal IPv6 IP. So this looks promising.

If we get changing IPs we're f*cked and it seems that it's not possible to do this with pfSense.

We also need (at least) a /64 subnet from Air, but it looks like this is what we are already getting ?

...

 

I found this interesting, so I dug into it a bit.

 

In the "PUSH_REPLY" in the OpenVPN log I see "ifconfig-ipv6 ..." being pushed. That just assigns a single IPv6 address (not a subnet) in the same way that "ifconfig ..." assigns a single IPv4 address.

 

There is a post on StackExchange that may be relevant:

 

https://unix.stackexchange.com/questions/305809/how-to-asign-full-ipv6-subnet-to-openvpn-client

 

That mentions using "--iroute-ipv6". But have a look at the OpenVPN man page:

 

https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

 

Under "-iroute " it says "This directive can be used to route a fixed subnet from the server to a particular client, ...".

 

This appears to be only for a static set up. The OpenVPN server is not going to do all of this auto-magically. And if you look at the description of "--push", iroute is not listed as "pushable", and so its IPv6 counterpart iroute-ipv6 won't be.

 

So I think the answer is that AirVPN cannot assign a whole IPv6 subnet to clients using stock OpenVPN software.

 

My experience with the IPv6 address that gets assigned is the same as for the IPv4 address that gets assigned. When you reconnect to the AirVPN server from the same address as before, you get the same address assigned. Note the bit "from the same address as before". If you are using a typical ISP/home router, the IPv6 address assigned to your pfSense box may be done using the "Stateless" option. For me that meant that the IPv6 address changed after 24 hours (and then every 1/2 hour after that!). When the IPv6 address changed, the OpenVPN client had to reconnect (over IPv6 I mean) and since the address was different AirVPN gave me a different local IPv6 address. I changed the option to "Stateful" for IPv6 assignment in my ISP modem/router and that behavior stopped.

 

I am not using pfSense at this time. But I think that your only hope here is probably to use NATv6 on the pfSense box and assign your LAN IPv6 addresses from your own private IPv6 subnet. But although the PF firewall (which pfSense uses) does provide NATv6, it appears that pfSense will not configure it for you. You could try editing the PF rule set yourself. See this:

 

https://www.netgate.com/docs/pfsense/firewall/editing-the-pf-ruleset.html

 

And for info about NAT with PF see this (look closely, IPv6 is supported):

 

https://www.openbsd.org/faq/pf/nat.html

 

EDIT2: I just installed pfSense 2.4.3 on a VM and looked at the GUI. It does seem to support IPv6 NAT and IPv6 DHCP. So no need to write PF rules yourself.

 

EDIT: By the way, has anyone reading this tried getting their ISP provided modem/router to delegate whole IPv6 subnets to devices on your LAN? Mine had a single check box "Delegate to LAN". And that was all. So delegate what subnet to what LAN device? The address the ISP router has cannot be part of that right? Before IPv6, I had a router on my LAN side and used that for my devices at home, because it had much better WiFi. But I dropped that because I thought getting it to do IPv6 for my LAN might end up as a giant waste of effort, and the WiFi on my new ISP router was much better.
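
Added example (not part of the original posts, and not AirVPN or OpenVPN project code): a small Python parser for the "PUSH_REPLY" log line discussed in the post above. It extracts the single address pushed via "ifconfig-ipv6" and reports whether that address changes between reconnects. The log lines and addresses are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed OpenVPN client log lines (sample values, not from a real session).
SAMPLE_LOG = """\
Mon Apr  2 10:00:01 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway ipv6 def1,dhcp-option DNS6 fde6:7a:7d20:4::1,tun-ipv6,topology subnet,ifconfig-ipv6 fde6:7a:7d20:4::10f3/64 fde6:7a:7d20:4::1,ifconfig 10.4.1.245 255.255.0.0'
Mon Apr  2 10:00:02 2018 Initialization Sequence Completed
Tue Apr  3 10:30:41 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway ipv6 def1,dhcp-option DNS6 fde6:7a:7d20:4::1,tun-ipv6,topology subnet,ifconfig-ipv6 fde6:7a:7d20:4::1a7c/64 fde6:7a:7d20:4::1,ifconfig 10.4.1.245 255.255.0.0'
"""

PUSH_RE = re.compile(r"PUSH_REPLY,([^']*)")
ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses, not globally routable

def parse_push_reply(line):
    """Return {option: [args, ...]} for a PUSH_REPLY log line, else None."""
    match = PUSH_RE.search(line)
    if match is None:
        return None
    opts = {}
    for item in match.group(1).split(","):
        name, _, rest = item.strip().partition(" ")
        opts.setdefault(name, []).append(rest.split())
    return opts

def tunnel_sessions(log_text):
    """One record per PUSH_REPLY that carries an ifconfig-ipv6 option."""
    sessions = []
    for line in log_text.splitlines():
        opts = parse_push_reply(line)
        if not opts or "ifconfig-ipv6" not in opts:
            continue
        args = opts["ifconfig-ipv6"][0]        # addr/bits [remote]
        iface = ipaddress.ip_interface(args[0])
        sessions.append({
            "address": str(iface.ip),          # the single address assigned
            "on_link": str(iface.network),     # tun on-link prefix, not a delegation
            "gateway": args[1] if len(args) > 1 else None,
            "is_ula": iface.ip in ULA,
        })
    return sessions

def address_changed(sessions):
    """True if the tunnel address differs between any two sessions."""
    return len({s["address"] for s in sessions}) > 1

if __name__ == "__main__":
    found = tunnel_sessions(SAMPLE_LOG)
    print(found, "changed:", address_changed(found))
```

The "/64" in the pushed option is only the on-link prefix length of the tun interface; it does not mean a /64 is routed to the client.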


Thanks NaDre,

 

I've already checked with pfSense and they made clear that NAT6 or any variant of it won't be "supported" as it's against the design of IPv6 to do NAT.

 

So, this basically means, Air can't give us a subnet, pfSense can't give us NAT, we're stuck with IPv4 then ?

 

Any alternative firewalls which are doing this better ?
