IPv6 Tunnelling With pfSense


Morpheus

Well, the title speaks for itself.. I have a home network set up with pfSense, a static IPv4, and I'd like to have an IPv6 tunnel in my network so I could have IPv6 traffic as well as IPv4. The problem is I have NO IDEA what to do.. I have no idea how to set it up or even how to start.. I know IPv6 works completely differently than IPv4 and I'm concerned about it because it looks like every machine would be completely exposed to the web, making the firewall pointless that way. If there's no NAT going on in the network, how is the firewall able to protect anyway?

Well.. considering that we are running out of IPv4 I need to do something about it.. a couple of tutorials about IPv6, EASY ONES, would be fully appreciated. I should also mention that I use this network for hosting and I have a lot of servers behind this firewall, so there's a whole bunch of ports being forwarded through pfSense.

So what I'd like to have is just the same as I have with my IPv6 (I wish we would never run out of IPv4, I still hate the idea that I'll be forced to migrate everything like that..) and still be able to browse both. As you can see I have no idea what I'm doing about IPv6; when it comes to IPv6 it looks like all I've learned in the past is gone, it feels like I'm a dumb newbie again.

HELPPPP!!!!!

Darren, I think you should make a series of episodes about IPv6, starting from the beginning, because that's probably something we need to think about right now and we are avoiding the fact that someday we'll have to deal with it.. sooner or later we'll end up having to.

Edited by Morpheus

In its current version, pfSense does not support IPv6. They are planning to support it in the next version.

http://doc.pfsense.org/index.php/Is_there_IPv6_support_available

Edited by Infiltrator

I see, that's why maybe I shouldn't be using pfSense after all.. maybe I should change to another distro or some workaround.. Anyway.. it's still really complicated to implement; considering that I have to do it someday, I'd rather start doing it now..

I checked the other Linux firewall distros too and unfortunately none of them supports IPv6 as of yet. As for now, I am very happy with IPv4 in my network and NAT is doing a great job.

To go native IPv6 your router needs to support it as well as the OS of the node using the protocol. What are you connecting to at the other end that requires IPv6 at your end?

6to4 tunneling is just a way for IPv6 nodes to speak to each other over existing IPv4 networking.

As far as security concerns, unless you are using Teredo or some other IPv6 setup that can see the outside world through IPv6, you should be fine from attacks. Personally I have IPv6 disabled on everything I can configure it on except my modem, which has no controls for me to mess with short of JTAG hacks; it's all set by the ISP.

Linux based:

http://tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html

Windows looks like it's all automatic configuration (short of disabling the services and device drivers):

http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx

Edited by digip

Isn't disabling IPv6 ignoring the fact?

Will I have to wait till we run out of IPv4 to have more network compatibility and be able to set everything up properly? Because really I don't know how IPv6 works with IPv4 networks, it just messes everything up in my mind; that's why I wish there could be a more detailed explanation.. maybe, as I mentioned, a series of episodes of Hak5.

IPv6 only speaks to IPv6. IPv4 only speaks to IPv4. However, you can tunnel IPv6 through IPv4 with 6to4 encapsulation, so IPv4 networks look at it as just data sent over IPv4 wrapped around the IPv6 payload. The end node will decapsulate it back to IPv6 so the node at the end that speaks IPv6 can receive the message and reply. The sending node in question has to be set up to encapsulate 6to4 in order for this to reach a native IPv6 destination or another 6to4 node at the other end. At least this is my understanding of it, but I could be way off base since I've not had to implement this in any way, shape or form. I've only taken the steps to disable all services for Teredo, ISATAP, and any other TCP/IPv6 services and drivers on my machines, from XP through 7.

http://en.wikipedia.org/wiki/6to4

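The encapsulation described in the post above, as an added example that is not part of the original thread: it derives a site's 6to4 prefix (2002::/16 plus the public IPv4 address, per RFC 3056), wraps an IPv6 header in IPv4 protocol 41, and shows the consistency check a receiving node or firewall can run on the tunnelled packet. Function names are illustrative, and all addresses are constructed from documentation ranges.

```python
import ipaddress
import struct

PROTO_41 = 41  # IPv4 protocol number used for IPv6-in-IPv4 (6to4, 6in4)
SIXTOFOUR_NET = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)

def sixtofour_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site derives from its public IPv4 address."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def ipv6_header(src6: str, dst6: str) -> bytes:
    """Bare 40-byte IPv6 header, no payload (next header 59 = none)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src6).packed
            + ipaddress.IPv6Address(dst6).packed)

def encapsulate(inner: bytes, src4: str, dst4: str) -> bytes:
    """What the sending 6to4 node does: prepend an IPv4 header, protocol 41.
    Header checksum is left at 0 because this sample never hits the wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                       PROTO_41, 0, ipaddress.IPv4Address(src4).packed,
                       ipaddress.IPv4Address(dst4).packed) + inner

def inspect(packet: bytes) -> str:
    """What the receiving side (or a firewall) can check before decapsulating."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != PROTO_41:
        return "not-tunnel"
    inner = packet[(packet[0] & 0x0F) * 4:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "malformed-inner"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src not in SIXTOFOUR_NET:
        return "via-relay"  # native IPv6 source, so the outer source is a relay
    # A 6to4 source embeds the sender's IPv4; it must match the outer header.
    return "consistent" if inner_src.sixtofour == outer_src else "spoofed-inner-source"

# Constructed sample traffic (documentation address ranges, not real hosts).
SITE_A, SITE_B = "192.0.2.1", "198.51.100.7"
HOST_A = str(sixtofour_prefix(SITE_A)[1])
HOST_B = str(sixtofour_prefix(SITE_B)[1])
GOOD = encapsulate(ipv6_header(HOST_A, HOST_B), SITE_A, SITE_B)
FORGED = encapsulate(ipv6_header(HOST_A, HOST_B), "203.0.113.9", SITE_B)

if __name__ == "__main__":
    print(sixtofour_prefix(SITE_A), inspect(GOOD), inspect(FORGED))
```

An IPv4-only filter sees both sample packets as nothing more than protocol 41 between two IPv4 hosts, so the IPv6 traffic inside has to be filtered at the tunnel endpoint or protocol 41 blocked outright.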

If you are using Cisco routers, you can achieve what digip stated above.

http://www.cisco.com/en/US/tech/tk872/technologies_configuration_example09186a00800b49a5.shtml

No, I barely use Cisco, right now I don't even own any. I was thinking about buying a Cisco N wifi router but that's just for the home network, no big deal, and for the servers I don't think I'd be spending more money to implement IPv6 with Cisco. Just wondering something: will there be some time where I will have to replace all my old routers or even my switches because of IPv6? I don't see the need to replace switches because as far as I know IPv6 still uses the old OSI and Ethernet standards.. but maybe I'm wrong, I never had the patience to dig deep enough into IPv6. The thing is I always use a PC as a router, besides wifi of course, so there's no router acting as a gateway in any of my networks, there's only pfSense, ClearOS and those distros.. so all I need is a PC firewall and a switch.. that makes my life a lot easier for me..

So, I won't be able to implement IPv6 for now as far as I can see and I will have to wait till some firewall distro makes it possible to do the 4to6 thing. I just wonder if there will be modems out there NATIVELY IPv6, because right now I'm charged to have my static IPs, and it's not cheap btw.. but I still need them.

Hope what I think is right.. because that's how I see it:

Valid IP addresses provided by ISPs in IPv6 and internal network IPv4 or IPv6

So you can't actually have a valid IPv4 address any longer but you'll still be able to connect the old IPv4 devices as long as you have an IPv6 internal network

I know of a few consumer-based routers, like D-Link, Netgear or Cisco, that support IPv6 out of the box. Can't remember off the top of my head which ones but can find out.

Furthermore, it's only a matter of time until they release new firmware that supports IPv6.
