Netgate SG-1000 microFirewall

Author Topic: noob question - ipv6 only on wan side  (Read 286 times)

0 Members and 1 Guest are viewing this topic.

Offline marian78

  • Jr. Member
  • **
  • Posts: 84
  • Karma: +1/-0
    • View Profile
noob question - ipv6 only on wan side
« on: January 15, 2018, 03:43:16 am »
Hi,
i'm very new to ipv6. I need to change ISP. New ISP give me only these two choices:
1. non-public IP address IPv4 on WAN side  :'(
2. IPv6 public IP address on WAN side  ???

Today i use only public IPv4 on WAN and IPv4 on LAN (home network - public web server behind my pfsense andand vpn server on pfsense box).

I have some noob questions:

1. If I get from ISP only public IPv6 address, how do I configure my pfsense box for LAN in ipv4? Or i need to migrate / set all devices to ipv6? If i migrate to IPv6, will be functional these services on pfsense box: suricata, proxy server (transparent only for http + antivirus), proxy filter, pfblocker? 
2. How do I access my web server from internet? Today i use free no-ip ddns.
3. In my work we use IPv4 (and public address is also IPv4), will I be able to connect home - vpn or web server (IPv6 on Wan side)?
pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

Offline JKnott

  • Hero Member
  • *****
  • Posts: 1206
  • Karma: +53/-11
    • View Profile
Re: noob question - ipv6 only on wan side
« Reply #1 on: January 15, 2018, 07:40:44 am »
It appears you've misunderstood something.  I've never heard of an ISP providing only IPv6 addresses, as IPv4 is still needed to access many sites.  Many, such as my own, provide a single public IPv4 address, along with a public IPv6 prefix.  Others, provide a NAT (private) IPv4 adress and a public IPv6 prefix.  The usual way for them to provide IPv6 is via DHCPv6-PD, which not only provides an IPv6 address for the WAN side of your router, but a network prefix for the LAN side.  The minimum LAN prefix is a /64, but often a larger prefix is provided that can be split into multiple /64s.  I have a /56.

Most devices, including Windows since XP SP3 support IPv6, so any computer, tablet or phone you have will likely support IPv6.

The first thing to do is find out exactly what you're being provided.  PfSense can then be configured appropriately.
« Last Edit: January 15, 2018, 08:54:44 am by JKnott »

Offline marian78

  • Jr. Member
  • **
  • Posts: 84
  • Karma: +1/-0
    • View Profile
Re: noob question - ipv6 only on wan side
« Reply #2 on: January 15, 2018, 07:51:10 am »
thx sir for your answer.

i think option "Others, provide a NAT (private) IPv4 adress and a public IPv6 prefix" will be provided by new ISP.
 I will more examine this on their support.  ::)

If this will be my situation, i will must set my web server (behind pfsense box) to IPv6?

pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

Offline JKnott

  • Hero Member
  • *****
  • Posts: 1206
  • Karma: +53/-11
    • View Profile
Re: noob question - ipv6 only on wan side
« Reply #3 on: January 15, 2018, 08:57:59 am »
thx sir for your answer.

i think option "Others, provide a NAT (private) IPv4 adress and a public IPv6 prefix" will be provided by new ISP.
 I will more examine this on their support.  ::)

If this will be my situation, i will must set my web server (behind pfsense box) to IPv6?

You will certainly be able to directly access your web server via IPv6, but if your IPv4 is via NAT from the ISP, you will not be able to access your server with it.  If you had a public IPv4 address, you could use port forwarding to get around your own local NAT.


Offline marian78

  • Jr. Member
  • **
  • Posts: 84
  • Karma: +1/-0
    • View Profile
Re: noob question - ipv6 only on wan side
« Reply #4 on: January 16, 2018, 02:30:44 am »
I will have NAT IPv4. Than, if i will wanting to access my IPv6 web server from internet, all internet clienst must have IPv6 Tunnel Broker like Hurricane Electric Free IPv6 Tunnel Broker?
pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker

Offline JKnott

  • Hero Member
  • *****
  • Posts: 1206
  • Karma: +53/-11
    • View Profile
Re: noob question - ipv6 only on wan side
« Reply #5 on: January 16, 2018, 06:07:26 am »
I will have NAT IPv4. Than, if i will wanting to access my IPv6 web server from internet, all internet clienst must have IPv6 Tunnel Broker like Hurricane Electric Free IPv6 Tunnel Broker?

If they don't have IPv6, then yes they'd need something like he.net.  Your situation illustrates why the world must move to IPv6 ASAP.  There are simply not enough IPv4 addresses and haven't been for years.  As a result, many people, like you, are stuck behind ISP NAT, which greatly reduces what they can do, even more than your own NAT does.

Offline marian78

  • Jr. Member
  • **
  • Posts: 84
  • Karma: +1/-0
    • View Profile
Re: noob question - ipv6 only on wan side
« Reply #6 on: January 17, 2018, 01:31:34 am »
Thx for all answers.
pfsense runing in virtual, on HP N54L microserver, 2G RAM, 60G disk, WAN, LAN, DMZ, Wifi, OpenVPN server + client, suricata, pfblocker