Geekzone: technology news, blogs, forums
353 posts

Ultimate Geek
+1 received by user: 85


  Reply # 2122122 8-Nov-2018 12:39

Hmm my static IPv6 seems to be not working, looks like it stopped around 25/10 (judging by the inbound rules last used). 


273 posts

Ultimate Geek
+1 received by user: 212

Trusted
2degrees

  Reply # 2122126 8-Nov-2018 12:45

vulcannz:

 

Hmm my static IPv6 seems to be not working, looks like it stopped around 25/10 (judging by the inbound rules last used). 

 

 

 

 

PM me your customer account number so I can investigate.


 
 
 
 


353 posts

Ultimate Geek
+1 received by user: 85


  Reply # 2122525 9-Nov-2018 08:26

Spent some time on it last night, it was simply needing stateless autoconfig enabled.

 

Here's what I don't understand, and maybe somebody more experienced in v6 can school me. My configuration was completely static. I had static IP/subnet/gateway/DNS assigned. LL addresses were all the same. I could see the router in the NDR list. I could see traffic routing internally, but nothing was going out over the WAN. Once I enabled stateless address autoconfig (still with static settings) it just worked.


353 posts

Ultimate Geek
+1 received by user: 85


  Reply # 2122568 9-Nov-2018 10:02

Looks like I jumped the gun a bit. Rebooted my box as I was updating the firmware, and I lost the static v6 connectivity.

 

I can get DHCPv6 going, but my WAN interface doesn't get assigned an autonomous IP.

 

When I had static configured I was using

 

WAN IP: 2406:e001:2:3900::2  (/56)

 

WAN Gateway: 2406:e001:2:3900::1

 

This is my v6 config (yes a Sonicwall)

 

 

 

 

Everything internally sits on a 2406:e001:2:3901::: subnet and is NAT'd outbound, with NATs inbound for web and mail. Yes I know the v6 puritans hate NAT but it makes multiple WAN connections easier, as well as DNS records for services.

 

I don't mind admitting I got something wrong as I'm primarily running v6 to educate myself on it more.
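
An added example, not part of the post above: a consistency check for a static WAN/LAN plan like the one quoted, written with Python's `ipaddress` module. It assumes the `/56` is the prefix length set on the WAN interface and that the LAN is a `/64` (the post states neither), and reports whether the LAN subnet falls inside the prefix the WAN interface treats as on-link.

```python
import ipaddress

# Addresses quoted in the post. Assumptions: the /56 is the prefix length
# configured on the WAN interface, and the LAN subnet is a /64.
WAN_IF = ipaddress.ip_interface("2406:e001:2:3900::2/56")
WAN_GW = ipaddress.ip_address("2406:e001:2:3900::1")
LAN_NET = ipaddress.ip_network("2406:e001:2:3901::/64")


def audit_plan(wan_if, wan_gw, lan_net):
    """Return a list of findings for a static IPv6 WAN/LAN address plan."""
    findings = []

    # A link-local next hop is always on-link; a global one must sit
    # inside the prefix configured on the WAN interface.
    if not wan_gw.is_link_local and wan_gw not in wan_if.network:
        findings.append("gateway-off-link")
    if wan_gw == wan_if.ip:
        findings.append("gateway-equals-wan-ip")

    # If the LAN subnet lies inside the WAN prefix, the router regards
    # LAN addresses as directly reachable on the WAN side as well, so
    # the WAN and LAN interfaces carry competing connected routes.
    if lan_net.subnet_of(wan_if.network):
        findings.append("lan-inside-wan-prefix")
    elif lan_net.overlaps(wan_if.network):
        findings.append("lan-overlaps-wan-prefix")

    return findings


if __name__ == "__main__":
    print("on-link WAN prefix:", WAN_IF.network)
    print("findings as quoted:", audit_plan(WAN_IF, WAN_GW, LAN_NET))

    # Same addresses with a /64 on the WAN interface (hypothetical variant).
    narrow = ipaddress.ip_interface("2406:e001:2:3900::2/64")
    print("findings with /64 WAN:", audit_plan(narrow, WAN_GW, LAN_NET))
```
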


388 posts

Ultimate Geek
+1 received by user: 79


  Reply # 2122840 9-Nov-2018 16:14

vulcannz:

 

I can get DHCPv6 going, but my WAN interface doesn't get assigned an autonomous IP.

 

 

There is no need for the router WAN port to have a global unicast IPv6 address.  It normally does not use that address anyway - it uses its link-local IPv6 address to route IPv6 packets to and from 2D's next hop router.  The only reason to have a global unicast IPv6 address on your WAN port is if the router itself needs to be able to send IPv6 packets further than the local subnet.  So if you log into your router and want it to be able to do IPv6 pings and traceroutes to the wider Internet, or to be able to download a new version of firmware for itself via IPv6, then you would want it to have a global unicast IPv6 address.  And routers are often able to use a global unicast IPv6 address from one of their LAN ports as the source address anyway if they need to connect beyond the local subnet.


353 posts

Ultimate Geek
+1 received by user: 85


  Reply # 2123195 10-Nov-2018 11:24

fe31nz:

 

vulcannz:

 

I can get DHCPv6 going, but my WAN interface doesn't get assigned an autonomous IP.

 

 

There is no need for the router WAN port to have a global unicast IPv6 address.  It normally does not use that address anyway - it uses its link-local IPv6 address to route IPv6 packets to and from 2D's next hop router.  The only reason to have a global unicast IPv6 address on your WAN port is if the router itself needs to be able to send IPv6 packets further than the local subnet.  So if you log into your router and want it to be able to do IPv6 pings and traceroutes to the wider Internet, or to be able to download a new version of firmware for itself via IPv6, then you would want it to have a global unicast IPv6 address.  And routers are often able to use a global unicast IPv6 address from one of their LAN ports as the source address anyway if they need to connect beyond the local subnet.

 

 

It is a nice to have, and I also like to have a well defined border. I did work around the issue simply using some NAT66 policies.

 

I must say IPv6 seems to have had very little thought put into it for practical security purposes (enterprise security and below) especially when it comes to Windows (temporary v6 addresses are just silly). It's going to be very hard for enterprise, medium and SMB to move to v6 without encountering a bucketload of problems.




407 posts

Ultimate Geek
+1 received by user: 212

Subscriber

  Reply # 2123361 10-Nov-2018 17:28

I'm no IPv6 expert, but temporary IPv6 addresses only appear when using SLAAC. If you run a DHCPv6-only network, all clients will only have a single address, the one which is assigned. Except Android clients, which won't get an address at all. Thanks Google.


388 posts

Ultimate Geek
+1 received by user: 79


  Reply # 2123458 11-Nov-2018 00:13

ripdog:

 

I'm no IPv6 expert, but temporary IPv6 addresses only appear when using SLAAC. If you run a DHCPv6-only network, all clients will only have a single address, the one which is assigned. Except Android clients, which won't get an address at all. Thanks Google.

 

 

If you have rooted your Android devices, install the DHCPv6 app.  Otherwise you will likely need to run a separate SSID with SLAAC on it for your Android devices to get IPv6.

 

As for temporary IPv6 addresses, I would think that sane business networks would be installing a group policy that turns them off.  If you want to do it yourself, see this page:

 

https://knowledge.zomers.eu/misc/Pages/How-to-disable-temporary-IPv6-address-allocation-at-a-Windows-PC.aspx


353 posts

Ultimate Geek
+1 received by user: 85


  Reply # 2123469 11-Nov-2018 06:23

Cheers for that, I've tried disabling SLAAC to see how it goes. Unfortunately I've already manually disabled the temporary IPv6 addresses, so need to wait for the next Windows patch to see if it works (every time they patch it seems to turn back on).

 

The other problem I'm encountering is Windows 10 will happily be on v6 but my browsers (Chrome/Firefox/IE/Edge) will stick to v4 on some machines. It's quite odd. I checked nslookups, pings, everything under the hood is fine. Older Windows versions like 2008r2 are completely fine, iirc 2008r2 has a different network stack to Windows 10.


303 posts

Ultimate Geek
+1 received by user: 32


  Reply # 2124415 12-Nov-2018 19:48

Does anyone have a setup for WAN/LAN for IPv6 on pfSense?

