The pfSense Store

Author Topic: IPv6 Support 400 Euros / $545  (Read 10238 times)

0 Members and 1 Guest are viewing this topic.

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
IPv6 Support 400 Euros / $545
« on: January 24, 2011, 05:43:00 pm »
While databeestje's IPv6 improvements are impressive, they do not quite yet meet the needs of my home network. I am offering EUR 400/USD 545 for an image that does the following:

I have for my home network:
- 8 external, globally routable, static IPv4 addresses. I do not have my own subnet. I am assigned eight
addresses out of a /24 via an ADSL bridge to my ISP.

- one of the IP's is assigned to pfSense, the rest to external boxes.

- several systems are behind the NAT provided by pfSense.

- local DNS is provided by pfSense.

I want:
- all of the above, plus:

- ability for my external boxes to connect out to the Internet and be
connected to from the Internet using static IPv6 in addition to the
static IPv4 addresses they already have.

- ability for my internal boxes to connect out to the Internet from
behind the NAT using both IPv4 and IPv6.

- prevent any connections from the Internet to the internal boxes, be
that via IPv4 (a function of the NAT) or IPv6.

- local DNS for both IPv4 and IPv6 provided by pfSense.

- must work with Hurricane Electric IPv6 tunnels. Should work with similar IPv6 tunnels from other providers.

Deliverables:
- 4GB flash image that does ALL of the above.
- submission of your patches to the pfSense maintainers.

Thanks!

Offline Evgeny

  • Hero Member
  • *****
  • Posts: 1808
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #1 on: January 25, 2011, 09:22:24 pm »
Out of curiosity... is there specific reason you need IPv6 so badly or just for fun?

PS: I wish I could spend $500 on my home network ;-)

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #2 on: January 26, 2011, 02:55:50 am »
It is really just for fun. I had IPv6 working a couple of years ago using a FreeBSD box as a router, but I ditched the FreeBSD box in favor of pfSense. I made the switch because I touch the numerous config files perhaps twice each year, which means that each time I spent hours relearning what config file to change and how. I simply don't deal with router configs enough to become proficient in it.

pfSense gave me a GUI and it works, which saves me time. But pfSense doesn't have the IPv6 functionality that I want. I suspect that many people will spend $500 on a hobby. I am pretty sure anybody playing golf as a hobby will spend far more than $500 on it.

Soooo, any takers for adding that IPv6 functionality?
« Last Edit: January 26, 2011, 07:48:02 pm by shamrock »

Offline simoncpu

  • Jr. Member
  • **
  • Posts: 28
  • simoncpu was here
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #3 on: January 26, 2011, 04:32:28 am »
Hi,

I worked on IPv6 in the old pfSense-HEAD.  I'll be glad to use the lessons that I've learned to put this feature to the "new" pfSense-HEAD. =)

[ simon.cpu ]

Offline stephenw10

  • Hero Member
  • *****
  • Posts: 8120
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #4 on: January 26, 2011, 06:53:17 am »
I'm quite surprised that none of the features listed are supported already. It can only be a matter of time until IPv6 is going to be required rather than someones hobby.
I think a comment from one of the developers is needed here to make sure no one goes off reinventing the wheel.

If you're going to spend $500 on your hobby this seems like a great way to do it.  ;D

Steve

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #5 on: January 26, 2011, 04:59:20 pm »
Hi,

I worked on IPv6 in the old pfSense-HEAD.  I'll be glad to use the lessons that I've learned to put this feature to the "new" pfSense-HEAD. =)

[ simon.cpu ]


I forgot to mention two minor requirements:
- configuration instructions for the new features. I will provide any desired details about the current network and IP addresses to make this easier.
- WebEx session, not to exceed 30 min, to sanity-check my final config as deployed. I will set up the WebEx.

So, does this mean we have a formal taker for this bounty in simon.cpu and that we should kick off the escrow process?

Offline submicron

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 741
  • I like pie!
    • View Profile
    • BSDPerimeter
Re: IPv6 Support 400 Euros / $545
« Reply #6 on: January 26, 2011, 10:42:46 pm »
For reference, I have used SimonCPU to do pfSense development work for me before and I highly recommend him.  The quality of his work was always very satisfactory. 
I do not respond to PMs demanding help.

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #7 on: February 19, 2011, 04:01:22 am »
I pinged SimonCPU a couple of times, but so far things aren't really moving forward. Perhaps he is busy. I am still looking for takers for this bounty!

Offline iFloris

  • Full Member
  • ***
  • Posts: 168
  • one layer of information removed
    • View Profile
    • Small personal site
Re: IPv6 Support 400 Euros / $545
« Reply #8 on: February 19, 2011, 11:34:23 am »
There has been quite a lot of activity on the IPv6 build as of the past few weeks.

I was wondering if the build that SimonCPU had started on was going to be merged with Databeestjes' build.
This message pretty much sums it up.
one layer of information
removed

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your luck day, if you only knew.
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #9 on: February 26, 2011, 06:09:05 am »
[quote author=shamrock link=topic=32591.msg168328#msg168328 date=1295912580

I have for my home network:
- 8 external, globally routable, static IPv4 addresses. I do not have my own subnet. I am assigned eight
addresses out of a /24 via an ADSL bridge to my ISP.
[/quote]
No idea how that works. Sounds a bit odd. I assume I can skip the ipv4 parts of this config.

Quote
I want:
- all of the above, plus:

- ability for my external boxes to connect out to the Internet and be
connected to from the Internet using static IPv6 in addition to the
static IPv4 addresses they already have.
If your isp hands you a v6 /64 netblock for the wan interface and routes you a /56 or /48 v6 networkr for behind pfSense you are good to go. This is more dependent on what the ISP will give you. If they are scrooges you get a /64 for behind pfSense.

Quote
- ability for my internal boxes to connect out to the Internet from
behind the NAT using both IPv4 and IPv6.
Didn't you get the memo that IPv6 has no NAT?

Quote
- prevent any connections from the Internet to the internal boxes, be
that via IPv4 (a function of the NAT) or IPv6.
Same as it always is, unless you create rules on the WAN to allow traffic in, LAN hosts wouldn't be reachable.

Quote
- local DNS for both IPv4 and IPv6 provided by pfSense.
Dnsmasq already works fine on v4 and v6 just fine?

Quote
- must work with Hurricane Electric IPv6 tunnels. Should work with similar IPv6 tunnels from other providers.
Currently only works with Hurrican Electric tunnels. See my howto at http://iserv.nl/files/pfsense/ipv6/

Quote
Deliverables:
- 4GB flash image that does ALL of the above.
- submission of your patches to the pfSense maintainers.
Although I don't build any images, there is no reason why gitsyncing my v6 branch over an existing install wouldn't work. Changes have been made so that you can gitsync on NanoBSD images now as well.

At some point the code tree will be folded and part of the snapshots as usual.

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #10 on: March 01, 2011, 04:18:35 pm »
Here are few clarifications that came out of various off-line discussions:

My ADSL ISP provides me with 8 static IPv4 addresses, but does not offer native IPv6 on the WAN interface. My ISP is willing to provide me with with an IPv6 tunnel similar to those provided by HE. databeestje has seen the configuration instructions for the IPv6 tunnel and believes that his HE tunnel code will work with my ISPs IPv6 tunnels. (It it doesn't, I am fine with that as long as it works with an HE tunnel. Sure, having the IPv6 tunnel provided by my ISP is preferable, since that gives me one number to call if something goes wrong).

While implied by the description of my home network in my original post, let me make it explicit that the traffic to my external IPv4 boxes does not currently run though pfSense. Today, pfSense only provides for local DNS/DHCP/NAT for my internal systems. My external boxes and pfSense are presently connected to a switch that in turn is connected to the ADSL modem. Since the external boxes should receive IPv6 connectivity through pfSense, the likely implication is that the external boxes would need to be connected to the DMZ port of pfSense with pfSense simply passing through the existing external IPv4 addresses while adding IPv6 connectivity.

I am happy to provide a copy of the existing XML config file and, if needed, remote access to the developer.

I am happy to designate CMB as the escrow agent and ultimate arbiter if the requirements have been met. We will of course have to agree on a date by which my home network is either up and running with the requirements in this bounty or the escrowed funds will be returned to me. I am sure we can work out a reasonable time frame.
« Last Edit: March 01, 2011, 04:59:50 pm by shamrock »

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your luck day, if you only knew.
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #11 on: March 02, 2011, 06:09:59 am »
I fully understand that the current v4 traffic for the external network does not flow through your pfSense router.
For properly developing and fixing issues I will need webui access to your pfSense install to debug and fix issues. So that's good. A copy of your XML is very handy for testing and configuring in my lab. This way I can also pre-configure the entire install.

* Setting up a bridged DMZ to WAN interfacemakes it possible to move the external hosts without modifying their configuration. There is a big issue with that. See below.
* Setting up IPv6 on a interface that is part of a bridge with WAN will most likely not work correctly and end up causing issues down the road. This means that 2 IPv6 networks would live on the same broadcast domain, this causes issues with router advertisements breaking a lot of things. Although you currently use only v4 on the WAN interface that could become a issue in the future when the ISP turns on it's native IPv6 access on the WAN interface. With a tunnel broker the actual IPv6 configuration is tied to a gif interface and thus should not conflict.

Switching the external hosts to a DMZ interface with private v4 addresses and 1:1 NAT to the external network address will work the same functionally. This is done by setting up either a IP alias, proxy arp or Carp address on the WAN for the 1:1 NAT. This method supports dual stacking the DMZ interface with ipv6 support. This is the recommended configuration.


Please let me know which setup you prefer.

Depending on the other issues that might pop up and the rather significant amount of code involved I believe I can get initial IPv6 working by the end of the month atleast. Considering the amount of code in pfSense I can probably fulfill other requirements by the end of april.

Just to be clear on this, I can not finish an entire IPv6 port of pfSense before the end of April. It is only reasonable that I facilitate the required operational functionality by then. Work on IPv6 in pfSense will continue regardless of the end date of this bounty.

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #12 on: March 03, 2011, 09:06:46 pm »
[...]
* Setting up a bridged DMZ to WAN interfacemakes it possible to move the external hosts without modifying their configuration. There is a big issue with that. See below.
* Setting up IPv6 on a interface that is part of a bridge with WAN will most likely not work correctly and end up causing issues down the road. This means that 2 IPv6 networks would live on the same broadcast domain, this causes issues with router advertisements breaking a lot of things. Although you currently use only v4 on the WAN interface that could become a issue in the future when the ISP turns on it's native IPv6 access on the WAN interface. With a tunnel broker the actual IPv6 configuration is tied to a gif interface and thus should not conflict.

Switching the external hosts to a DMZ interface with private v4 addresses and 1:1 NAT to the external network address will work the same functionally. This is done by setting up either a IP alias, proxy arp or Carp address on the WAN for the 1:1 NAT. This method supports dual stacking the DMZ interface with ipv6 support. This is the recommended configuration.


Please let me know which setup you prefer.

If I understand your post correctly, Option #1 will only become a problem if my ISP starts offering native IPv6 on the WAN interface. (If there might be other problems with Option #1, please do let me know). My ISP has assured me that there is no chance of them offering native IPv6 on the WAN interface since they cannot replace the DSLAM hardware at the particular location that serves my premises. And that their current hardware is physically incapable of providing native IPv6. Also, if my ISP were to offer native IPv6 on the WAN, I would just switch to using their native IPv6 and therefore would no longer need the ability to serve IPv6 from pfSense to the boxes on the WAN. So I think we are safe here. I also like the fact that with Option #1 I can still use the external boxes without configuration changes should my pfSense box have a hardware failure. I asked my ISP and they are assuring me that no harm will come to the other users that share the /24 since broadcasts are filtered between customers sharing a /24. Then again, I suspect I may be the first customer that is placing a radvd on the WAN interface...

Option #2 sounds slick, but involves a variety of features that I have heard of, but never had a reason to use and therefore am not familiar with. Sounds like it might potentially be a pain for me to debug if something goes wrong down the road.

Therefore, I believe my choice would be Option #1 if the *only* downside of Option #1 is that I will have to make changes should my ISP ever offer native IPv6 on the WAN. If I am not correctly understanding the situation, please do educate me.

Thanks!
--Lucky

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your luck day, if you only knew.
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #13 on: March 04, 2011, 07:14:21 am »
Option #2 sounds slick, but involves a variety of features that I have heard of, but never had a reason to use and therefore am not familiar with. Sounds like it might potentially be a pain for me to debug if something goes wrong down the road.
It is by far the most complicated option, yes. And it can involve a lot of other issues with FTP and the like.

Quote
Therefore, I believe my choice would be Option #1 if the *only* downside of Option #1 is that I will have to make changes should my ISP ever offer native IPv6 on the WAN. If I am not correctly understanding the situation, please do educate me.
You are correct. with #1 you can feel free to either put the external hosts on a pfSense interface "DMZ" which is bridged or straight on the external network switch. Just make sure that the DMZ switch is not directly connected to the WAN switch  ;D

With #1 you can safely provide routed IPv6 on the DMZ and bridge v4 on the DMZ, hopefully I can prevent the v6 advertisements from ending up on your WAN interface by applying a simple firewall rule. That would make it easier as the machines on the WAN switch would never see the broadcast either and attempt to configure a address. I'll have to test such a config ofcourse, but a simple tcpdump should tell me.

Also, with IPv6 the link-local address of the actual interface is part of the router advertisements which should prevent issues.

Let's go with that.

Offline shamrock

  • Newbie
  • *
  • Posts: 11
    • View Profile
Re: IPv6 Support 400 Euros / $545
« Reply #14 on: March 09, 2011, 05:55:08 pm »
To put this thread on pause for the time being, databeestje has begun work on this bounty. Per the FAQ for this forum I placed the amount of the bounty into escrow with CMB, who confirmed receipt of the funds from me.

databeestje already made significant progress towards this bounty in the last few days. If he keeps up this progress (and I have no reason to believe at the moment that he won't), it seems very likely that databeestje will be the one receiving the bounty by completing all the items in the bounty. Keep up the good work!