IPv6 Firewalls


ttabbal

Active Member
Mar 10, 2016
743
207
43
47
So, I am working with IPv6 via Comcast residential. Like most residential services, the addresses are handed out via DHCP and subject to change any time. In practice, I have seen them stick for long periods, but any detailed firewall rules or other features that need a prefix entered won't work long term. I do not want to deal with adjusting all that manually if Comcast decides the prefix I'm using needs to change. On the up side, they do give out /60 prefixes, which is great for people like us who like to experiment and have VLANs, etc.

Just to be clear, changing ISPs is not an option. There are no ISPs to change to. Even getting Comcast required working with my neighbors, who are family, allowing me to run a wire over there. It's my own account, totally legit, but Comcast refuses to provide service, as do most ISPs. Just how it is. I would consider paying extra for a static prefix, but they only do that for business accounts at about 4x the cost.

I'm currently using pfSense, which works reasonably well for the basics of handing out addresses from the prefix to the LAN. I can also add other prefixes to VLANs. This is alright, and I can even do most firewall rules this way by referencing "LAN Network", etc.

Anything beyond that though, it falls over. I can't even add ULA space, which would be nice for local servers in DNS, as doing so will break routing for the global addresses. There is a bug filed, but the response so far is "change ISPs". Yes, in an ideal world we would all get static /48s from our ISP as it should be. The real world doesn't work that way. And no, HE.net won't do. It adds latency and effectively blocks Netflix and others. Yes, there are ways around that, but it's a ridiculous thing to do when I have IP space. I also doubt HE would appreciate me trying to stuff a gigabit of traffic through them.

I also can't create IPv6 VPNs as those require static entered prefixes. I could use ULA/NPT, but since adding a ULA breaks everything else, that's not an option either. And NAT sucks, but I'd be willing to live with it for this use. I'd be the only one using it and it would only be for accessing internal stuff on occasion anyway. It's more to get practice with IPv6 stuff, so I might set it up on a separate server instance and accept that it might break.

I think I could get an internal server accessible with dynamic DNS and referencing that DNS name in the firewall rules. A bit clunky, but ok I guess.

It would be interesting to try delegating prefixes to another internal router as well, just to work with it. But that's not an option with dynamic either.

I'm just wondering if anyone has experience with other setups that work better with this sort of thing. These sorts of connections are the norm all over the world, from posts from people with similar issues, but there doesn't seem to be much in the way of support for them.
 

ttabbal

I found a way to add ULA to the LAN. It does not let you assign an address to the firewall, but it does let you advertise the route so that the clients will assign addresses to themselves.

It's under the RA service tab, subnets. The documentation implies that it lets you advertise a subnet of the host space, but you can put anything you want in there. So now I have addresses for the LAN that don't go away if the internet goes down and stick if Comcast changes my prefix.

I'm not sure how that affects routing for those subnets. I would think that since the interface also has an address on the Comcast prefix that as long as that is up, you could use it for routing. That seems too easy though. Even if it works, it's irritating that it would break if Comcast is down.

I also managed to bring up an HE tunnel on a VLAN that isn't connected to anything at the moment. It was mostly to see if I could without affecting the existing setup. So I have a static /48 now, kind of. It has downsides, but it's fine for lab work. I think it would work fine for VPN as well. My upstream is only 40M. Being on its own VLAN means I would need to add interfaces for everything that I would want to talk to with it. Or route traffic to the others.

It seems like the best option at the moment is to have the main VLAN be "internet clients" and make a new one for more interesting things.
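Added worked example (editor's note, not part of ttabbal's post or of pfSense/OPNsense code): what the "RA subnets" entry described above puts on the wire is a Prefix Information Option inside the ICMPv6 Router Advertisement. A client that sees the A (autonomous) flag set forms its own address from the advertised /64 plus an interface identifier (RFC 4861/4862), which is why the firewall does not need an address of its own in the ULA range for clients to self-assign one. The script below builds such an RA with a delegated-prefix /64, a ULA /64 and an on-link-only /64, parses it back, and derives the EUI-64 SLAAC addresses a host with a given MAC would form. The prefixes, MAC and packet are constructed sample values; the ICMPv6 checksum is left at zero because no IPv6 pseudo-header is built here; and modern hosts usually pick RFC 7217 stable or RFC 4941 temporary identifiers rather than EUI-64, so the host part differs in practice.

```python
"""ICMPv6 Router Advertisement with Prefix Information Options, and the
SLAAC address a host derives from each PIO that has the A flag set.

Added example; not code from the thread or from pfSense/OPNsense.
Prefixes, MAC and packet bytes are constructed sample values.
"""
import ipaddress
import struct
from typing import Dict, List

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861 4.2)
OPT_PREFIX_INFO = 3      # ND option type (RFC 4861 4.6.2)
PIO_FLAG_ONLINK = 0x80   # L: prefix is on-link
PIO_FLAG_AUTO = 0x40     # A: hosts may autoconfigure from this prefix


def build_pio(prefix: str, onlink: bool = True, autonomous: bool = True,
              valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Serialize one 32-byte Prefix Information Option."""
    net = ipaddress.IPv6Network(prefix)
    flags = (PIO_FLAG_ONLINK if onlink else 0) | (PIO_FLAG_AUTO if autonomous else 0)
    # type, length (units of 8 octets), prefix length, flags,
    # valid lifetime, preferred lifetime, reserved2, then the 16-byte prefix
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, flags,
                       valid, preferred, 0) + net.network_address.packed


def build_ra(options: List[bytes], router_lifetime: int = 1800) -> bytes:
    """RA header (checksum left 0: no IPv6 pseudo-header here) followed by options."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime,
    # reachable time, retrans timer
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    return hdr + b"".join(options)


def parse_ra(pkt: bytes) -> List[Dict]:
    """Walk the ND option chain and return the Prefix Information Options."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    pios = []
    off = 16
    while off < len(pkt):
        if len(pkt) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 4.6: discard the packet
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, flags, valid, preferred = struct.unpack("!BBII", pkt[off + 2:off + 12])
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])   # bytes 12..16 are reserved
            pios.append({
                "prefix": f"{prefix}/{plen}",
                "onlink": bool(flags & PIO_FLAG_ONLINK),
                "autonomous": bool(flags & PIO_FLAG_AUTO),
                "valid": valid,
                "preferred": preferred,
            })
        off = end   # unknown option types are skipped by their length, as RFC 4861 requires
    return pios


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    iid[0] ^= 0x02   # invert the universal/local bit
    return bytes(iid)


def slaac_addresses(ra: bytes, mac: str) -> List[str]:
    """Addresses a host with `mac` would form from the RA's autonomous /64s."""
    out = []
    for pio in parse_ra(ra):
        net = ipaddress.IPv6Network(pio["prefix"], strict=False)
        if not pio["autonomous"] or net.prefixlen != 64:
            continue   # RFC 4862 5.5.3: prefix length + IID length must equal 128
        out.append(str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))))
    return out


# Constructed sample: the global /64 that prefix ID 5 would take out of a
# delegated 2001:db8:abcd:1230::/60, the ULA /64 added via RA subnets, and
# a /64 marked on-link only (no SLAAC from it).
SAMPLE_RA = build_ra([
    build_pio("2001:db8:abcd:1235::/64"),
    build_pio("fd12:3456:789a:1::/64"),
    build_pio("2001:db8:abcd:1236::/64", autonomous=False),
])
SAMPLE_MAC = "00:1b:21:aa:bb:cc"

if __name__ == "__main__":
    for pio in parse_ra(SAMPLE_RA):
        print(pio)
    print(slaac_addresses(SAMPLE_RA, SAMPLE_MAC))
```

The on-link-only PIO shows the distinction that matters for the "advertise the route" behaviour above: a client treats that /64 as reachable directly on the segment but does not assign itself an address in it, while the two PIOs with the A flag produce one address each.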
 

Nugget

Member
Jul 13, 2017
32
25
18
Tejas Hill Country
keybase.io
You're not actually very clear in explaining what you are trying to do with ULA and how it's failing, so I'm just sort of spitballing here.

I use ULA locally for my DNS servers, because those addresses need to be static so I can advertise them in the router advertisements. I was never able to get ULA and the ISP-assigned prefixes to coexist in the same network with pfSense, though. Perhaps that's the issue you are facing. You can't give the pfSense interface a ULA range address because then the delegated prefix ID stuff falls over.

It's simple to just create another interface/VLAN for the ULA network(s) though. I have a ULA VLAN and a corresponding interface in pfSense that doesn't need any global address assignments. Then any devices (like my DNS servers) that need to exist in the ULA network are just dual homed. I put them in their "real" network and the ULA network as well. Some devices are ULA only (and do not have routing to the world).

pfSense can cope with ULA just fine; you just can't blend ULA and globally-routed on the same network.

Nice trick with the RA announcement of the ULA space as a subnet.
 

ttabbal

That's the basic version of the problem. I probably should have included a tl/dr. :)

If you add another static IPv6 address to the interface that has a delegated prefix that you use "Track Interface" on, it breaks. Not immediately, it breaks on reboot or DHCP reset, which is even worse. It's only fair to note that it DOES work fine if you use static addresses. So for their "market" of business customers that are willing/able to pay for static or BGP transit, they are good to go. It's irritating for people who can't get static space from their ISP though. I'd be willing to pay a few bucks for it, but Comcast flat out won't allow it.

My thinking with ULA is to have LAN addresses that work regardless of my prefix from Comcast. So for internal servers, I can continue to use them even if Comcast is down or changes my prefix, as you have to use static addressing in DNS. It would also be interesting to learn about setting up routing and such with them as an experiment.

When you say dual homed, are you running 2 interfaces or sub-interfaces on each machine? One for each VLAN. So one for global delegated prefix addresses and one for ULA? That was the direction I was thinking of heading.

Yes, I have IPv4 locally as well. The idea is that eventually that will go away though, so I'm trying to learn how to set up a decent IPv6 network. :)
 

Nugget

> When you say dual homed, are you running 2 interfaces or sub-interfaces on each machine? One for each VLAN. So one for global delegated prefix addresses and one for ULA? That was the direction I was thinking of heading.

Yeah, that's exactly how I do it. On the switch I just trunk LAN and ULA to a device and set up the ULA as an interface alias. It's a little bit unwieldy, but it's stable, straightforward, and works great in practice. All IPv6 devices on other VLANs can reach the ULA resources by routing through pfSense. It works great for stuff like DNS but might not be a great approach if you were wanting to host higher bandwidth services where you'd want to avoid routing through pfSense.
 

ttabbal

So, I was trying to do that today and spent hours wondering what I was on. I already have VLANs on the network; the switch and pfSense are set up for it for things like IoT isolation, as well as a couple of containers in my Proxmox server.

I added a new VLAN, got a linux box talking to it after some fussing around. But I couldn't get a container to see it. Weird, as I already have a couple of VLANs set up.

Digging around, I discovered that the Mellanox ConnectX-3 only supports 128 VLANs. I don't have that many, so I tried a few other things, then thought that maybe something weird was up. In the interfaces file for Proxmox, it added this: "bridge-vids 2-4096". I think it causes the card to just start at 2 and attach to everything on up. I was trying to use 201. Sure enough, I moved it to 2 and it instantly started working. /facepalm. Mine is a ConnectX-2, but it looks to have the same limitation. The Linux machine also has the same card, but I was only using 2 VLANs there, not a range.

It would be nice not to have to route everything through pfSense. In practice I doubt I'll move enough traffic over that link to cause a problem though.
 

ttabbal

One more pfSense weirdness. I figured I have a /60 from Comcast. I have a guest wifi network on a VLAN. So I set it to track the WAN on another ID.

That interface got a valid address on the ID after release/renew. But when I set up RA/DHCP and plugged a machine into a switch port for that VLAN, I got the IPv4 range I expected, but got the same IPv6 subnets I would get on the main network. This didn't happen on the ULA VLAN. So I suspect it is another problem with the track interface stuff.
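Added worked example (editor's note, not part of the thread and not pfSense code): a /60 holds sixteen /64s, one per prefix ID in the way Track Interface selects them, and the ULA space this thread keeps coming back to can be generated once and kept across prefix changes. The script below carves the per-VLAN /64s out of a delegation, refuses an out-of-range or duplicate prefix ID (two interfaces on the same ID would land in the same /64), and generates an RFC 4193 /48 from a timestamp and an EUI-64 exactly as section 3.2.2 of that RFC describes, then carves /64s out of it the same way. The delegation, VLAN map, EUI-64 and timestamp are constructed sample values.

```python
"""Per-VLAN /64s from a delegated /60 (the arithmetic behind a "Track
Interface" prefix ID), plus an RFC 4193 ULA /48 for addressing that has
to survive a prefix change.

Added example; not code from the thread or from pfSense. The delegated
prefix, VLAN map, EUI-64 and timestamp below are constructed sample values.
"""
import hashlib
import ipaddress
import time
from typing import Dict, Optional


def subnet_for_prefix_id(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 selected by `prefix_id` inside a delegation (a /60 has IDs 0x0..0xf)."""
    pd = ipaddress.IPv6Network(delegated)           # strict: host bits must be zero
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix is narrower than a /64")
    id_bits = 64 - pd.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in a /{pd.prefixlen} "
                         f"(valid range 0..{(1 << id_bits) - 1:#x})")
    # the ID occupies the bits between the delegated length and bit 64
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def vlan_plan(delegated: str, prefix_ids: Dict[str, int]) -> Dict[str, str]:
    """Map VLAN names to /64s; a duplicate ID would put two VLANs in one subnet."""
    seen: Dict[int, str] = {}
    plan: Dict[str, str] = {}
    for name, pid in prefix_ids.items():
        if pid in seen:
            raise ValueError(f"prefix ID {pid:#x} used by both {seen[pid]} and {name}")
        seen[pid] = name
        plan[name] = str(subnet_for_prefix_id(delegated, pid))
    return plan


def generate_ula_prefix(eui64: bytes, when: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: fd00::/8 + 40-bit Global ID = low 40 bits of SHA-1(NTP time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if when is None:
        when = time.time()
    secs = int(when) + 2208988800                    # Unix epoch -> NTP epoch (1900)
    frac = int((when - int(when)) * (1 << 32)) & 0xFFFFFFFF
    digest = hashlib.sha1(secs.to_bytes(4, "big") + frac.to_bytes(4, "big") + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")   # least significant 40 bits
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))


def ula_subnet(ula: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64s inside a ULA /48 (for example one per VLAN)."""
    if ula.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a 16-bit subnet ID")
    return ipaddress.IPv6Network((int(ula.network_address) | (subnet_id << 64), 64))


# Constructed sample values: a /60 delegation, four VLANs with their prefix
# IDs, and a fixed EUI-64 / timestamp so the ULA result is reproducible.
SAMPLE_DELEGATION = "2001:db8:abcd:1230::/60"
SAMPLE_VLANS = {"lan": 0x0, "guest": 0x1, "iot": 0x2, "lab": 0xF}
SAMPLE_EUI64 = bytes.fromhex("021b21fffeaabbcc")
SAMPLE_TIME = 1700000000.0

if __name__ == "__main__":
    for name, net in vlan_plan(SAMPLE_DELEGATION, SAMPLE_VLANS).items():
        print(f"{name:6} {net}")
    ula = generate_ula_prefix(SAMPLE_EUI64, SAMPLE_TIME)
    print("ULA /48:", ula)
    for name, sid in SAMPLE_VLANS.items():
        print(f"{name:6} {ula_subnet(ula, sid)}")
```

Generate the ULA /48 once and record it; rerunning with the current time yields a different Global ID, and the point of the 40 random bits is that two sites which later get joined by a VPN are very unlikely to have picked the same one.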
 

ttabbal

So, continuing to try to increase my understanding of IPv6. I set up pfSense to act as a prefix delegation server on a VLAN for my he.net address space. I then set up a VM on my main Proxmox machine to connect to it as a lab network using OPNsense and OpenWRT.

Both are able to get a prefix delegation and traffic works from the firewall. OpenWRT had a weird issue that might well be my fault, where no Router Advertisements were made on the LAN side. I verified with Wireshark. Nothing. The IPv4 stuff works fine, so I know the VLAN is working.

I didn't really look at OPNsense much before, as posts on their forums had the same issues pfSense did. However, they released a new version that some reports said was much improved. And they are. The delegated prefix works, I can assign /64s out to multiple VLANs properly, and I can assign ULA space on the same VLAN. You just add an IP alias with your ULA /64 on the LAN, and it advertises it properly. They also fixed the bug that caused the delegated prefix address to stop working when you add a ULA alias.