

Messages - virgiliomi

556
2.2 Snapshot Feedback and Problems - RETIRED / Re: DNS Resolver
« on: November 25, 2014, 06:24:26 pm »
I just set up a new 2.2 installation... unbound appears to be running, but these entries appear in the log whenever the service is started. I do have the options to register DHCP leases and static DHCP entries checked.

Nov 25 19:15:29   unbound: [88622:0] error: cannot parse netblock: '/'
Nov 25 19:15:29   unbound: [88622:0] error: cannot parse access control: / allow
Nov 25 19:15:29   unbound: [88622:0] fatal error: Could not setup access control list

Also, the service IS running, but the Status > Services page shows it as stopped.


EDIT: Nope... it's not running. My computer is using the Google IPv6 DNS servers I put into pfSense, not the local resolver. I guess there's no way to have the router specify its own IPv6 address (even if it's link-local) for DNS to DHCP clients? I only know it's not running because my IP phone - which only supports IPv4 - can't resolve my VoIP provider hostname, and the only DNS server it has is the IPv4 LAN address of my box.

This appears to be caused by the fact that I'm not requesting an IPv6 address on my WAN interface, just a prefix. Since there's no address, there's nothing to put in the access_lists.conf file, resulting in an access-control: / allow line.

Bug 4046 created for this...
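The failure described in this post comes from a config generator that emits an access-control entry even when an interface has no address. The following is an added example, not pfSense's own code: it builds unbound access-control lines from a list of interface networks, skipping entries with no address so the "/ allow" line never appears, and it scans a config for entries unbound would reject. The interface list, the function names and the sample config are all constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

def access_control_lines(networks: Iterable[Optional[str]]) -> list:
    """Build unbound 'access-control:' lines from interface networks.

    Each entry is an interface network in CIDR form, or None/"" when the
    interface has no address (e.g. a WAN that only requested a prefix).
    Such entries are skipped instead of producing 'access-control: / allow'.
    """
    lines = []
    for net in networks:
        if not net or net.strip("/ ") == "":
            continue  # no address on this interface: nothing to allow
        try:
            parsed = ipaddress.ip_network(net, strict=False)
        except ValueError:
            continue  # unparsable netblock would make unbound refuse to start
        lines.append(f"access-control: {parsed.with_prefixlen} allow")
    return lines

def malformed_entries(config_text: str) -> list:
    """Return access-control lines unbound would reject ('cannot parse netblock')."""
    bad = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("access-control:"):
            continue
        fields = line.split()
        netblock = fields[1] if len(fields) > 1 else ""
        try:
            ipaddress.ip_network(netblock, strict=False)
        except ValueError:
            bad.append(line)
    return bad

# Constructed sample reproducing the broken file from the post above:
# the WAN has no address, so its entry degenerates to "/ allow".
BROKEN_CONF = """\
access-control: 127.0.0.1/8 allow
access-control: 192.168.1.0/24 allow
access-control: / allow
"""

if __name__ == "__main__":
    print(malformed_entries(BROKEN_CONF))
    # WAN without an address (None), IPv4 LAN, tracked IPv6 LAN prefix
    print(access_control_lines([None, "192.168.1.1/24", "2001:db8:0:1::/64"]))
```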

557
IPv6 / Re: No LAN side IPv6
« on: November 25, 2014, 05:58:37 pm »
Actually a WAN-side IPv6 address isn't even necessary. I ran an Asus router with Tomato for weeks with no WAN IPv6 address other than link-local, and I'm doing the same as I send this with pfSense.

WAN should be set up for DHCP6, and if you request a prefix smaller than /64, make sure to check the box to send a hint, otherwise you'll likely end up with a /64 anyway. If you don't want a WAN IPv6 address - it's not necessary to have one - you can also check the box to request only a prefix.

With Comcast, residential service customers can request anything between /64 and /60 for the LAN, depending on how many subnets you want for your network. Business customers can likely request more subnets, but I don't know what the limit is for them.

LAN should be set up to Track Interface, then select WAN under the IPv6 section. If you request a /64, the box under that will need to be 0. If you requested additional subnets, then you can make it any value within the limit displayed based on how many subnets you requested (i.e. /60 = 0-F)

558
IPv6 / Re: Private IPv6 addressing on my LAN?
« on: October 31, 2014, 08:37:22 pm »
Comcast will let you request no more than a /60. 16 /64 subnets on a personal network should be more than enough for most people.

Business class service may be able to request larger allocations, but consumer service can request anything from /64 to /60 only, depending on how many subnets you need (1 to 16, based on number of bits).

Because of pfSense's IPv6 implementation with DHCPv6 on the WAN, there is no way to set up a static IPv6 address for your router on your LAN. You set up "Track Interface", "WAN", then select which subnet you want to use (which will only be 0 if you request a /64, could be 0-F if you request a /60). The LAN interface gets a SLAAC address based on the interface's MAC address.

559
IPv6 / Re: IPv6 LAN to WAN Difficulties
« on: October 17, 2014, 08:29:16 am »
Make sure your computer (or whatever device you're testing from) doesn't have a firewall that is filtering ICMPv6 as well. Windows Firewall does, by default, except from the LAN (at least in home/work networks; public might filter it in all cases).

For example, I can run the test on my Windows PC and it will show filtered, but I can run it on my iPhone and it will pass.

There is an advanced rule you can create to allow Windows Firewall to respond to ICMPv6. Steps are detailed in this Technet article. Note that instead of opening Group Policy Management Console, you would go to Control Panel > Windows Firewall > Advanced Settings. Also, this may not be available on non-professional versions of Windows (i.e. Home Premium).

560
There is a checkbox on the DHCP Server settings (and also one on DHCPv6 server settings, if applicable) that allows you to Change DHCP display lease time from UTC to local time. This should fix it so that it displays in your local timezone instead of UTC.

561
So I have Comcast and get my WAN IPv6 address and LAN prefix via DHCPv6+PD... Nothing odd there. However, anytime I reboot my pfSense box (firmware update or otherwise), I need to manually release/renew the WAN interface when the reboot is done in order for the gateway to appear online and for IPv6 on my LAN to function again.

I don't believe I had to do this with 2.1... but I didn't run 2.1 very long before I got a system that I had to run 2.2 on (newer hardware that had issues with FreeBSD 8).

563
IPv6 / Re: IPv6 on pfSense vs others
« on: October 10, 2014, 06:30:02 pm »
And that's something else I've seen in some of the other routers/firmwares... DHCPv6 is also still available in those setups. However, they don't exclusively use DHCPv6... most of them don't even let you change the type of RA that is sent... they hard-set to "Assisted", so that SLAAC-only devices (like Android) still function. But everything I have on my network is capable of using DHCPv6, so I'd much prefer to use that as well.

564
IPv6 / IPv6 on pfSense vs others
« on: October 10, 2014, 01:02:03 pm »
So a couple of things I've noticed about pfSense's IPv6 implementation compared to other routers' - and I include a number of open-source firmwares in that...

1. If you use DHCPv6+PD on the WAN, pfSense does not allow setting a "static" (I use quotes because technically the prefix could change) LAN IPv6 address for the router. Other router firmwares allow you to set the host portion of the IPv6 address that the router will use (I would usually use [prefix]::1), and then the router applies whatever prefix is designated by the ISP. Is there some reason that pfSense doesn't permit this?

2. Is there a reason that pfSense doesn't register its own LAN IPv6 address in the local DNS [forwarder|resolver] when it does register its IPv4 address? For example, I can ping gw and it will resolve to my pfSense box's LAN IPv4 address. But ping6 gw doesn't resolve. I know other routers do this also.

565
IPv6 / Re: IPV6 no Gateway ?
« on: October 05, 2014, 08:54:43 pm »
If your ISP supports IPv6 but only provides an IP address and not a prefix to be used on your LAN, then there's no way you can use it to route IPv6 traffic unless you have other services running in your router to do IPv6-based NAT (a HIGHLY uncommon setup at this point since there are so many IPv6 addresses available).

The next best thing to not having native IPv6 from your ISP would be to acquire a tunnel address block from a provider like SIXXS or Hurricane Electric. The tunnel will still operate over IPv4, but will provide you with a /64 or greater quantity of IPv6 addresses to use on your own network. Any IPv6 traffic from your network will go through the tunnel.

As far as who needs IPv6 now... there are parts of the world where IPv4 addresses are no longer available, or providers have gone to carrier-grade NAT (basically doing on a large scale what we at home have been doing for years; using a single public IPv4 address to serve many users with private network addresses).

While you're out seeking info about IPv6, you might also want to check out Hurricane Electric's IPv6 primer. They have info and exercises that you do to learn about IPv6 and some quick basic info on how it works.

566
Just want to add that this is still occurring...

I caught a glimpse of my console before it rebooted after my latest upgrade and noticed that the interfaces seemed to bounce down/up/down/up before the reboot... wondering if this might have something to do with it. Don't know if it was both interfaces (I only have two) or just one bouncing twice. I didn't get a good enough look at the screen to see what interface(s) it was.

567
It may have been fixed, but after updating to the latest snapshot, I'm seeing it again in my graph. Not sure if it was a result of the outgoing snapshot (2014-09-19) or the newly installed one (2014-09-23 13:29:41 CDT), but it's definitely there.

568
IPv6 / Re: Any word on 6RD support?
« on: September 23, 2014, 08:34:00 am »
You might do better asking this in the 2.2 snapshots forum under the Development category... or maybe a mod can move it there.

569
IPv6 / Re: IPV6 no Gateway ?
« on: September 19, 2014, 01:25:31 pm »
how do I learn my clients now that they can also use the IPv6 Connection to connect to the internet ?
The best way to see all active IPv6 devices on your network is to look at the NDP table under Diagnostics (I think; don't have my web config in front of me right now). Sort that table by MAC address so that the link-local and internet addresses are all together for each device.

Unfortunately there's no way to use DHCPv6 under pfSense without having a static IPv6 address on your LAN interface.* But even if you have a static LAN IPv6 address and you mandate DHCPv6 use (via the "Managed" RA setting), there are some devices (Android especially) that will only use Stateless Auto-config (SLAAC) and simply won't get an IPv6 address.


* It's unfortunate that this is the case in pfSense. I know of two other open-source router firmwares - one manufacturer-supported - that support DHCPv6 on the LAN when using PD, though they seem to force the RA type to be assisted so both DHCPv6 and SLAAC are used.

570
I've noticed that this artifact has stopped when upgrading, but I did a reboot (not part of an upgrade) and had a similar spike in my RRD graphs when pfSense came back online.

EDIT: After updating to new beta snapshot, it appears this was resolved.
