IPv6 static /56 IPv6 prefix behind PFSense Firewall

box293
Posts: 9
Joined: Thu May 26, 2016 8:00 am

IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by box293 »

I recently switched ISPs as they provided IPv6 addresses and I want to learn how it all works.

The static /56 IPv6 prefix is: 2001:44b8:3132.

So far I think I'm understanding how it all works, but now I'm getting a bit complicated and I'm not sure what I'm missing.

I've broken the /56 into 256 /64 subnets. I'm using the first available block (2001:44b8:3132:00::/64) for the Billion IPv6 Autoconfig.

You might laugh at the addressing scheme I'm using, it basically mimics IPv4, but personally it's visually easy to understand.

Static LAN IPv6 Address Configuration:
Interface Address / Prefix Length: 2001:44b8:3132:0000:0192:0168:0025:0001/64

I've configured stateful:
Start interface ID: 192:168:25:100
End interface ID: 192:168:25:150
From a PC that is connected to the Billion, I can ping the Billion, and the DNS server of my ISP, so far I'm confident it's working.
The next step is that I want to use another /64 block (2001:44b8:3132:25::/64) that sits behind a pfSense virtual machine firewall. The details of this are:
WAN IP: 2001:44b8:3132:0:192:168:25:253/64
LAN IP: 2001:44b8:3132:25:10:25:1:253/64

I needed to add a static route to the Billion so it knows how to get to the subnet.
I think there is a limit on the number of attachments so I'm continuing into the next post.
box293
Posts: 9
Joined: Thu May 26, 2016 8:00 am

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by box293 »

From the pfSense firewall, I can ping the Billion:
I can ping the ISP DNS Server:
Those were both from the WAN as the source address (2001:44b8:3132:0:192:168:25:253).

Now trying as the LAN as the source address (2001:44b8:3132:25:10:25:1:253).

I can ping the Billion:
box293
Posts: 9
Joined: Thu May 26, 2016 8:00 am

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by box293 »

However I cannot ping the ISP DNS server:
Also, from a PC behind the pfSense firewall, same thing, can ping the Billion, can't ping the ISP DNS.
I'm not sure what I'm missing. It feels like there needs to be some NATing done on the Billion perhaps?

What are the next steps to take to help diagnose what is going on?

Forgive me if I'm doing something completely wrong, this is my first step into IPv6 so I can learn how it all works.
aesmith
Posts: 24
Joined: Sat Jan 09, 2016 6:00 pm

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by aesmith »

No NAT would be involved if you're using Global Unique addressing as it appears. The address physically attached to your PC will be routable over the Internet. Indeed I can ping the inside address of your Billion (2001:44b8:3132:32:192:168:25:1) right from my desk here. Looking at some traceroute results the last few hops to that address are as follows ...

Code:

 14   330 ms   331 ms   330 ms  ae5.cr1.syd7.on.ii.net [2001:4478:1:1::31]
 15   331 ms   329 ms   332 ms  po20.lns20.syd7.on.ii.net [2001:44b8:b070:16::2]
 16   371 ms   369 ms   369 ms  2001-44b8-3132-0000-0192-0168-0025-0001.static.ipv6.internode.on.net [2001:44b8:3132:0:192:168:25:1]
Traceroute to your PC on that subnet, which we know works for outbound ping, fails on inbound (as you'd expect from a sensible firewall at your end), but the two hops before the last are the same as for the working ping ..

Code:

 14   334 ms   335 ms   334 ms  ae5.cr1.syd7.on.ii.net [2001:4478:1:1::31]
 15   336 ms   339 ms   334 ms  po20.lns20.syd7.on.ii.net [2001:44b8:b070:16::2]
 16   374 ms   382 ms   374 ms  2001:44b8:3090:ae8:e7:8fe8:9460:474e
 17     *        *        *     Request timed out.
Is that hop 16 address, 2001:44b8:3090:ae8:e7:8fe8:9460:474e, the WAN address of your Billion? If so then it looks like routing on the Internet is all correct, because a traceroute to your second subnet fails at the same point, which would mean it has reached your premises.

Firewall rules on the Billion, permitting only the directly attached subnet to transmit and/or receive?

Hope this helps, Tony S
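An added example (not code from the thread, pfSense or the Billion): it carves the thread's /56 into /64s with Python's standard ipaddress module, builds the static route the Billion needs, and models the hypothesis above that the Billion forwards only traffic sourced from its directly attached /64, checking it against the two source addresses tested in the thread. The forwarding model is an assumption for diagnosis, not documented Billion behaviour.

```python
# Added example: models the thread's IPv6 addressing and tests the hypothesis
# that the Billion passes upstream only sources inside its directly attached /64.
import ipaddress

ISP_PREFIX = ipaddress.ip_network("2001:44b8:3132::/56")   # static /56 from the thread
ATTACHED = ipaddress.ip_network("2001:44b8:3132:0::/64")    # Billion LAN, first /64
ROUTED = ipaddress.ip_network("2001:44b8:3132:25::/64")     # pfSense LAN, via static route


def carve_subnets(prefix, new_prefix=64):
    """Return the /64s inside the delegated prefix (256 of them for a /56)."""
    return list(prefix.subnets(new_prefix=new_prefix))


def static_route(dest_net, next_hop):
    """The route the Billion needs: (destination, next hop on the attached subnet)."""
    hop = ipaddress.ip_address(next_hop)
    if hop not in ATTACHED:
        raise ValueError(f"next hop {hop} is not on the directly attached subnet")
    return (str(dest_net), str(hop))


def billion_forwards(src, allowed=(ATTACHED,)):
    """Assumed Billion behaviour: forward only if the source lies in an allowed /64."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def diagnose(sources, allowed=(ATTACHED,)):
    """Classify each source address used in the ping tests as forwarded or dropped."""
    return {s: ("forwarded" if billion_forwards(s, allowed) else "dropped")
            for s in sources}


if __name__ == "__main__":
    subnets = carve_subnets(ISP_PREFIX)
    print(len(subnets), "x /64 available; pfSense LAN inside /56:", ROUTED in subnets)
    print("route:", static_route(ROUTED, "2001:44b8:3132:0:192:168:25:253"))
    tests = ["2001:44b8:3132:0:192:168:25:253",   # pfSense WAN: ping to ISP DNS worked
             "2001:44b8:3132:25:10:25:1:253"]     # pfSense LAN: ping to ISP DNS failed
    for src, verdict in diagnose(tests).items():
        print(f"{src:40} {verdict}")
    # If the routed /64 were also permitted, both sources would be forwarded.
    print(diagnose(tests, allowed=(ATTACHED, ROUTED)))
```

The model reproduces the observed results (WAN source works, LAN source fails), which is consistent with a source-prefix filter on the Billion; a packet capture on the Billion's WAN side would confirm or refute it.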
box293
Posts: 9
Joined: Thu May 26, 2016 8:00 am

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by box293 »

aesmith wrote:No NAT would be involved if you're using Global Unique addressing as it appears. The address physically attached to your PC will be routable over the Internet. Indeed I can ping the inside address of your Billion (2001:44b8:3132:32:192:168:25:1) right from my desk here. Looking at some traceroute results the last few hops to that address are as follows ...

Code:

 14   330 ms   331 ms   330 ms  ae5.cr1.syd7.on.ii.net [2001:4478:1:1::31]
 15   331 ms   329 ms   332 ms  po20.lns20.syd7.on.ii.net [2001:44b8:b070:16::2]
 16   371 ms   369 ms   369 ms  2001-44b8-3132-0000-0192-0168-0025-0001.static.ipv6.internode.on.net [2001:44b8:3132:0:192:168:25:1]
Traceroute to your PC on that subnet, which we know works for outbound ping, fails on inbound (as you'd expect from a sensible firewall at your end), but the two hops before the last are the same as for the working ping ..

Code:

 14   334 ms   335 ms   334 ms  ae5.cr1.syd7.on.ii.net [2001:4478:1:1::31]
 15   336 ms   339 ms   334 ms  po20.lns20.syd7.on.ii.net [2001:44b8:b070:16::2]
 16   374 ms   382 ms   374 ms  2001:44b8:3090:ae8:e7:8fe8:9460:474e
 17     *        *        *     Request timed out.
Is that hop 16 address, 2001:44b8:3090:ae8:e7:8fe8:9460:474e, the WAN address of your Billion? If so then it looks like routing on the Internet is all correct, because a traceroute to your second subnet fails at the same point, which would mean it has reached your premises.
Hi Tony,
Thanks for the reply.

Yes, 2001:44b8:3090:ae8:e7:8fe8:9460:474e is the WAN address of my Billion assigned via my PPPoE connection.

Your tests would confirm that all the routing on the internet is correct, which is something I was not able to confirm previously.
aesmith wrote:Firewall rules on the Billion, permitting only the directly attached subnet to transmit and/or receive?
I think it must be something like that. I think I'm going to have to do some packet sniffing to see what is going on. I'll report back here when I have some more information.
box293
Posts: 9
Joined: Thu May 26, 2016 8:00 am

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by box293 »

I've come to the conclusion that while the Billion supports IPv6, it doesn't provide IPv6 in many areas of configuration.

For example, Configuration > NAT >Virtual Servers
Try typing an IPv6 address into the "Server IP Address" field and you'll see that it only allows a maximum of 15 characters, which is a full IPv4 address (xxx.xxx.xxx.xxx).

I did a bit of packet sniffing and I could see the traffic coming from the pfSense firewall, or devices behind it, and it was not NAT'ed, so I don't believe the pfSense is the cause of the issue. I also turned off NAT on it just to be sure but it didn't make a difference.

Looks like I'll just need to buy a more advanced firewall for my needs.
aesmith
Posts: 24
Joined: Sat Jan 09, 2016 6:00 pm

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by aesmith »

If you're really going with the full IPv6 idea you wouldn't need virtual servers (which I presume is really NAT for inbound connections). Devices on the Internet should be able to connect directly to your internal devices using their IPv6 global addresses. Firewall role becomes one of blocking or permitting, not creating mappings between public and internal addresses.

Of course in the real world I'm sure we're going to end up using NAT; only in a simple example would an enterprise number their internal LAN using addressing supplied by one ISP. For one thing, what if they have more than one Internet connection, or want to change providers? I strongly suspect that NAT will end up being used, except in the IPv6 world it's called NPT, for Network Prefix Translation.
box293
Posts: 9
Joined: Thu May 26, 2016 8:00 am

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by box293 »

aesmith wrote:If you're really going with the full IPv6 idea you wouldn't need virtual servers (which I presume is really NAT for inbound connections). Devices on the Internet should be able to connect directly to your internal devices using their IPv6 global addresses. Firewall role becomes one of blocking or permitting, not creating mappings between public and internal addresses.
Yes I agree. I used the NAT > Virtual Servers section to demonstrate how the Billion does not provide IPv6 in many areas of configuration.

aesmith wrote:Of course in the real world I'm sure we're going to end up using NAT, only in a simple example would an enterprise number their internal LAN using addressing supplied by one ISP, for one thing what if they have more than one Internet connection, or want to change providers? I strongly suspect that NAT will end up being used, except IPv6 world it's called NPT for Network Prefix Translation.
I've thought about this too. It's not unusual for a company to change their providers because of costs / takeovers etc. It seems illogical that a corporation can simply change their IPv6 to a different scope at the click of fingers ... countless man hours to make a change like that. IPv6 should have been designed so that blocks of addresses can be purchased so that they can be transitioned between providers.


Regardless I've purchased an open source firewall to replace my Billion which is much more advanced. The Billion is a good product, but the model I own is simply not designed for what I want it to do. It'll be a good backup device to keep in the cupboard in case of emergencies.
aesmith
Posts: 24
Joined: Sat Jan 09, 2016 6:00 pm

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by aesmith »

box293 wrote:I've thought about this too. It's not unusual for a company to change their providers because of costs / takeovers etc. It seems illogical that a corporation can simply change their IPv6 to a different scope at the click of fingers ... countless man hours to make a change like that.
Not to mention that an organisation might well have several different Internet connections from different ISPs.
IPv6 should have been designed so that blocks of addresses can be purchased so that they can be transitioned between providers.
You can do that, it's called Provider Independent address space. My own ISP would do this for an upfront fee to get the allocation from RIPE, and £5/month for them to "announce" it. This isn't a new thing; PI addressing existed in IPv4 but became increasingly difficult to obtain and has probably run out by now.

The problem with everyone using PI is that it will expand the Internet routing tables. To take a trivial example if an ISP is issued a /32 from RIPE as provider address space, they can then issue /48 subnets to each of 65,000 customers while still announcing only the one prefix. If those customers instead chose to obtain their own PI addressing then that ISP might find itself having to announce up to 65,000 separate prefixes. If all ISPs were doing this, well you get the picture no doubt.
aesmith
Posts: 24
Joined: Sat Jan 09, 2016 6:00 pm

Re: IPv6 static /56 IPv6 prefix behind PFSense Firewall

Post by aesmith »

By the way are you getting RA error messages in the router log?