
Author Topic: IPv6 hosting website  (Read 560 times)


Offline Exocomp

IPv6 hosting website
« on: October 21, 2017, 04:55:10 pm »
I have a simple website that currently is only enabled for IPv4. Is it possible to have IPv6 on the WAN interface in pfSense and then route the traffic to the servers on the LAN using IPv4?

Online JKnott

Re: IPv6 hosting website
« Reply #1 on: October 21, 2017, 08:08:02 pm »
If you have IPv6 on the WAN side, why not extend it to the LAN?  While it's possible to convert between IPv4 & IPv6, it's better to do it properly.  I assume you have at least a /64 prefix.  If your ISP is not providing IPv6, you'll have to use a tunnel to get IPv6.  One popular tunnel broker is Hurricane Electric.


Offline Exocomp

Re: IPv6 hosting website
« Reply #2 on: October 21, 2017, 08:16:30 pm »
Hi there, thanks for the reply.  If I got the terminology right (I've been doing a little reading on the subject) you are stating I should implement a "dual stack" network?

My thoughts on the subject are still a jumble.  So if I understand it right with IPv6 there is no need to do NAT right?  But wouldn't I need to do IPv6 NAT between the IPv6 global IP and my internal IPv6 network?

What I mean is the global IPv6 is added to DNS and when the request reaches the edge router it is then forwarded to the right internal box hosting the website?

Online JKnott

Re: IPv6 hosting website
« Reply #3 on: October 21, 2017, 09:04:43 pm »
Dual stack will provide both IPv4 and IPv6 addresses.  The main reason for using NAT on IPv4 is the lack of addresses.  There is no similar need on IPv6, as the smallest block an ISP is supposed to provide is a /64 prefix, which will give you 18.4 billion, billion addresses.  Many ISPs provide an even larger block.  Mine gives me a /56, which is 256 /64s.  So, as you can see, there's no need to use NAT on IPv6.  The big question right now is does your ISP provide IPv6?  If not, you'll have to use a tunnel to get it.  You can't add an IPv6 address to DNS, if you don't actually have an IPv6 address!

PfSense supports both native IPv6 and via tunnels over IPv4.

BTW, please forget about NAT.  It was a hack to get around a specific problem and that problem does not exist on IPv6.

Offline Exocomp

Re: IPv6 hosting website
« Reply #4 on: October 21, 2017, 09:22:47 pm »
So it appears my ISP does provide IPv6 and I made some progress where I was able to enable IPv6 on pfSense and got an IPv6 address on my WAN on pfSense - yay!

Ok, what I'm having a hard time understanding now is how do I use pfSense as a firewall in front of my web server?  What would I set the LAN IPv6 interface to on pfSense? And on my web server what would I enter for the address and default gateway?

Online JKnott

Re: IPv6 hosting website
« Reply #5 on: October 22, 2017, 08:06:36 am »
Most ISPs use DHCPv6-PD to assign a block of addresses.  The smallest prefix or block is a /64, which is 18.4 billion, billion addresses.  With this you should have an IPv6 address on the WAN side as well as addresses within your prefix on your LAN.  The address prefix, along with router and DNS addresses are sent by pfSense to the devices on your network.  Each device will create its own address, using the prefix and the MAC address or a random number.

Also, an ISP may provide more than one /64 prefix.  Mine gives me a /56, which is 256 /64s.  I can assign these to other interfaces, VLANs etc.

Offline Exocomp

Re: IPv6 hosting website
« Reply #6 on: October 22, 2017, 08:53:28 am »
Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

Online JKnott

Re: IPv6 hosting website
« Reply #7 on: October 22, 2017, 09:27:26 am »
Quote
Thanks for your assistance, I'm up and running on IPv6.  Woohooo!

Don't forget to update the DNS with the IPv6 address.  Also, one thing to be careful of.  IPv6 has something called "privacy addresses", which change regularly.  After a while, you'll see several of these.  You do not want to have the DNS pointing to one of those.  You need to use the MAC based address or, on Windows, the permanent random number.  Windows can also be configured to use the MAC address.

Offline Exocomp

Re: IPv6 hosting website
« Reply #8 on: October 22, 2017, 05:45:41 pm »
Quote
IPv6 has something called "privacy addresses", which change regularly.

I saw those and disabled them, :)

Offline bigtfromaz

Re: IPv6 hosting website
« Reply #9 on: November 19, 2017, 01:37:44 pm »
I have a similar situation. I want to allow inbound traffic to a specific IPv6 host on my LAN.  I read this post and it all made sense to me but there are some things I don't understand.

Here is some background:
  • My ISP does not provide a static delegated prefix, I receive it dynamically by "Tracking" the WAN from the LAN.  At least one of my target hosts will only use auto configuration and I can't change it.
  • For dynamic DNS, I wrote a PowerShell script that runs on the hosts. It updates my web-facing DNS server whenever the host's addresses change.  That was the easy part for me.
  • The pfSense firewall is configured to block all inbound IPv6 connections by default.

Is there a way to write a firewall rule allowing inbound connections to pass through to a specific host when dynamic prefix delegation is in play?  What happens when my ISP changes the prefix for whatever reason?  Will pfSense alter the rules accordingly when the prefix changes?

As a Gold supporter, I have access to The pfSense Book.  Hopefully this isn't a RTFM question but please feel free to point me to the right pages in the book.

Online JKnott

Re: IPv6 hosting website
« Reply #10 on: November 19, 2017, 01:48:48 pm »
ISPs generally don't provide static prefixes, but with DHCPv6-PD and DUID, you will likely always get the same prefix.  It's similar to what happens on IPv4, where you can request a previous address and get it if it's available.  With an almost static prefix, you don't need a dynamic DNS, as a regular one will work fine.

Offline bigtfromaz

Re: IPv6 hosting website
« Reply #11 on: November 19, 2017, 01:57:17 pm »
Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.

Are you saying that pfSense has no way to do this without manual intervention?

Online JKnott

Re: IPv6 hosting website
« Reply #12 on: November 19, 2017, 02:05:12 pm »
Quote
Thanks for the reply.  I understand what you say but my ISP (Cox) has changed mine, and I wasn't around to make adjustments.
Are you saying that pfSense has no way to do this without manual intervention?

When I first started using pfSense, my prefix would change for something as little as disconnecting & reconnecting the Ethernet cable.  Then an option "Do not allow PD/Address release", on the WAN tab, was added.  With that selected, my prefix does not change.

Offline bigtfromaz

Re: IPv6 hosting website
« Reply #13 on: November 19, 2017, 02:25:59 pm »
Already did that but still got a new prefix on a reboot.  No idea why but it's their address and they can do what they want.

Note that I am not looking for ways to avoid the change.  I am looking for ways to manage or accommodate the change without manual intervention.  This way any outage, no matter how rare, could be managed without manual intervention.

I was hoping that pfSense would have an ability to define a firewall rule Destination something like this: "PD::aaaa:bbbb:cccc:dddd" where "PD" is a variable whose value is the prefix.  This would be similar to the way they prepend the delegated prefix to the host range in the DHCPv6 server.

I would like to avoid writing a dynamic prefix change detection script.  I am not a UNIX expert, nor do I have any experience managing firewall rules from a script.  The learning curve would be substantial.



Online JKnott

Re: IPv6 hosting website
« Reply #14 on: November 19, 2017, 02:45:07 pm »
I don't know if pfSense can filter on a partial IP address, but the lower 64 bits of the address are determined by the MAC address and so will not change, unless you change hardware.
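
Added example, not written by any poster in this thread and not pfSense code: it recomputes the single-host destination that the "PD::aaaa:bbbb:cccc:dddd" idea in reply #13 describes, from whatever prefix is currently delegated plus the MAC-derived lower 64 bits mentioned in the replies, and flags addresses that are not MAC-derived so DNS is not pointed at a privacy address. The prefixes (documentation range 2001:db8::/32), the MAC address and all function names are constructed for illustration.

```python
import ipaddress

LOW64 = (1 << 64) - 1

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def host_address(delegated_prefix: str, subnet_id: int, interface_id: int):
    """Join the delegated prefix, a subnet number and the fixed lower 64 bits."""
    net = ipaddress.IPv6Network(delegated_prefix)  # rejects prefixes with host bits set
    if net.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= subnet_id < (1 << (64 - net.prefixlen)):
        raise ValueError(f"subnet id {subnet_id} does not fit in a /{net.prefixlen}")
    if not 0 <= interface_id <= LOW64:
        raise ValueError("interface id must fit in 64 bits")
    return ipaddress.IPv6Address(
        int(net.network_address) | (subnet_id << 64) | interface_id)

def is_eui64(addr: str) -> bool:
    """Heuristic: MAC-derived identifiers carry ff:fe in bytes 3-4 of the low 64 bits."""
    iid = int(ipaddress.IPv6Address(addr)) & LOW64
    return (iid >> 24) & 0xFFFF == 0xFFFE

def dns_candidates(addresses):
    """Keep only MAC-derived addresses; privacy (temporary) addresses are dropped."""
    return [a for a in addresses if is_eui64(a)]

if __name__ == "__main__":
    iid = eui64_interface_id("00:11:22:33:44:55")        # constructed MAC
    for prefix in ("2001:db8:aa00::/56", "2001:db8:bb00::/56"):  # before/after a PD change
        target = host_address(prefix, 1, iid)
        # A /128 destination keeps the pass rule scoped to the one web server.
        print(f"{prefix:22} -> allow inbound tcp/443 to {target}/128")
    seen = ["2001:db8:aa00:1:211:22ff:fe33:4455",        # MAC-derived
            "2001:db8:aa00:1:5c3a:91d2:7e0b:44f1"]       # constructed privacy address
    print("publish in DNS:", dns_candidates(seen))
```

A host that uses a fixed random identifier instead of its MAC (the Windows case mentioned in reply #7) would pass that 64-bit value to `host_address` directly; `is_eui64` will not recognise it.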