The pfSense Store

Author Topic: Welcome to the IPv6 board  (Read 19427 times)

0 Members and 1 Guest are viewing this topic.

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • Karma: +0/-0
  • It just might be your luck day, if you only knew.
    • View Profile
Welcome to the IPv6 board
« on: January 23, 2011, 11:42:46 am »
Welcome to the IPv6 board. You can find instructions here for both old (1.2.3) and the development of the IPv6 support in the 2.1 version of pfSense which is not released yet.

You can find some information to get ipv6 working on 1.2.3 installs here http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/ another link is this one http://tuts4tech.net/2010/07/18/ipv6-tunnel-on-pfsense/

We already have a feature request in redmine for IPv6 support that is scheduled for 2.1
http://redmine.pfsense.org/issues/show/177

There is a quick, almost complete, howto to get the current IPv6 development branch onto a existing 2.0 full install on the doc wiki here: http://doc.pfsense.org/index.php/Using_IPv6_on_2.0 - this was adapted from the previous howto here: http://iserv.nl/files/pfsense/ipv6/

2.1-DEVELOPMENT Releases are also available: http://files.pfsense.org/jimp/ipv6/
« Last Edit: August 05, 2011, 12:38:08 pm by jimp »

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • Karma: +0/-0
  • It just might be your luck day, if you only knew.
    • View Profile
Re: Welcome to the IPv6 board
« Reply #1 on: January 26, 2011, 03:05:51 am »
TODO List for IPv6 support on the pfSense-smos GIT repo. Updated April 25th 2011.

What currently works:
- Static IPv6 addressing on the Interfaces.
- DHCP6 addressing on interfaces
- DHCP6 Prefix Delegation for the LAN or OPT interfaces.
- IPv6 Firewall rules for inbound and outbound traffic.
- Accessing the pfSense machine via the WebUI or SSH on it's IPv6 address.
- Router Advertising for stateless configuration for LAN or OPT clients.
- Carp with IPv6 addresses and config syncing to a IPv6 peer. (kernel hangs snapshots older then jan 18th)
- Static Routes and gateways with IPv6 addresses.
- Network Prefix translation so that people can use a ULA on the LAN and translate to a Global Unicast network prefix.
- RRD graphs show IPv6 traffic
- You can configure IPv6 DNS servers for pfSense.
- IPv6 bogon network blocks and IPv6 reserved ranges blocks (needs documentation range as well?)
- DNS forwarder listens on udp6 socket, should work and resolve? Yes it does.
- IPsec should now work for v6 tunnel over v4 and vice versa, needs testing.
- OpenVPN now has the ability to send a IPv6 network over the link, clients need to be updated to support this. Viscosity does not work, client needs manual updating built from the patched OpenVPN tree.
- Prelimenary DHCP-PD support for the WAN and LAN. (11-05-2011)

What does not work:
- Does not automatically configure the IPv6 DNS servers and domain from the DHCP6 client.
- You can not use IPv6 gateways or groups in firewall rules, it results in filter rule errors if not careful about setting the correct protocol
- The initial console setup does not accept IPv6 addresses. It does show configured IPv6 addresses.
- The firewall logs do not correctly show the IPv6 protocols and ports for blocked or allowed traffic. (Partially fixed, 26-02-2011)
- None of the supported VPN options except IPsec and OpenVPN in pfSense are fixed to accept IPv6 addresses.


What isn't tested:
- A lot really
- WebUI anti lockout rules need testing and/or adjusting
- Check if address spoofing also works for inet6 (firewall rules)

TODO:
- Fix PPtP for IPv6 addresses.
- Fix DynDNS for IPv6
- Fix SNMP for IPv6
- The pfSense PHP module needs support for setting and retrieving ipv6 attributes.
- The rest
« Last Edit: August 19, 2011, 09:16:43 am by databeestje »

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • Karma: +0/-0
  • It just might be your luck day, if you only knew.
    • View Profile
Re: Welcome to the IPv6 board
« Reply #2 on: January 27, 2011, 07:29:23 am »
For some introduction to the IPv6 world there are a few great videos from Defcon 18 that explain it in good understandable language.

Part 1. DEFCON 18: IPv6: No Longer Optional 1/4
http://www.youtube.com/watch?v=2clTKh2vFAE
Part 2. DEFCON 18: IPv6: No Longer Optional 2/4
http://www.youtube.com/watch?v=S3i4RRubCvI
Part 3. DEFCON 18: IPv6: No Longer Optional 3/4
http://www.youtube.com/watch?v=0L_9aehQQig
Part 4. DEFCON 18: IPv6: No Longer Optional 4/4
http://www.youtube.com/watch?v=shmt9U4-rTI

And a talk about implementing IPv6
Part 1. DEFCON 18: Implementing IPv6 at ARIN 1/4
http://www.youtube.com/watch?v=N2xXQDLEy40
Part 2. DEFCON 18: Implementing IPv6 at ARIN 2/4
http://www.youtube.com/watch?v=ilbS9LtC3TI
Part 3. DEFCON 18: Implementing IPv6 at ARIN 3/4
http://www.youtube.com/watch?v=aDtZELN1CNo
Part 4. DEFCON 18: Implementing IPv6 at ARIN 4/4
http://www.youtube.com/watch?v=WJ1UaLQYHkE
« Last Edit: January 28, 2011, 06:32:55 am by databeestje »

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • Karma: +0/-0
  • It just might be your luck day, if you only knew.
    • View Profile
Re: Welcome to the IPv6 board
« Reply #3 on: June 02, 2011, 03:28:45 am »
Often requested is privacy addressing, note that this is only applicable to the hosts behind pfSense and not the pfSense router itself. pfSense will most likely get the addresses from your ISP so that would not make sense anyhow.

Here is a link to how to enable it for LAN hosts on Windows and Mac OS X. Do note that if DHCPv6 is deployed that your computer might end up with the same address anyway.

http://isc.incidents.org/diary/Enabling+Privacy+Enhanced+Addresses+for+IPv6/10966

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • Karma: +0/-0
  • It just might be your luck day, if you only knew.
    • View Profile
Re: Welcome to the IPv6 board
« Reply #4 on: January 04, 2012, 01:41:47 pm »
Although Hurricane Electric have free resolvers available for IPv6, these are often slow and returning results in seconds instead of milliseconds.

Google now has IPv6 DNS servers available too.
2001:4860:4860::8844 and 2001:4860:4860::8888
http://code.google.com/intl/nl/speed/public-dns/docs/using.html

OpenDNS does have resolvers available too:
2620:0:ccc::2
2620:0:ccd::2

But these are as of january 4th 2012 not running the full service including malware filtering.
http://www.opendns.com/ipv6/