How-to: Using pfSense 2.1+ as a "Tunneling Appliance" to Enable IPv6 on an Existing Network.

post #1 of 2
Thread Starter 
Using pfSense 2.1+ as a "Tunneling Appliance" to Enable IPv6 on an Existing Network.

Introduction

In September of 2013, pfSense received an update and IPv6 got a major overhaul. It can now run IPv6 natively with many options to maintain a tunnel from brokers such as Hurricane Electric, and most importantly, the IPv6 firewall rules are now fully supported. This is a guide on how to use pfSense 2.1 as an IPv6 "tunneling appliance" to provide IPv6 service on your existing network. What sets my guide apart from the IPv6 guide on pfSense.org is that pfSense will be running alongside the existing IPv4 router rather than replacing it.

I developed this idea out of necessity because Verizon FiOS requires the MI424WR as the main router in order to properly pass VoD, Guide and DVR traffic to the TV STBs. In practice, this configuration will perform and behave as if the tunnel is on your main router but the main advantage here is modification or replacement of the existing WAN router will not be required. The only disadvantage this configuration presents is that it requires pfSense to run. I run it inside my ESXi server as a VM but running it on physical hardware works just as well.

There are some pitfalls in doing it this way:
  1. The existing WAN router must be able to either pass Protocol 41 or support specifying a DMZ host. This is usually not a problem since Protocol 41 has been a standard for over 10 years (RFC 2473) and even basic routers support DMZ.
  2. You must find a tunnel broker with an endpoint near your location, since latency will creep up and present weird problems.

Things you'll need

  1. An existing IPv4 internet service
  2. pfSense 2.1+ - [Get it free here]
    Note: Preferably the plain full x86 version (Live CD i386). This can work on embedded routers but I don't recommend it.
  3. An x86 PC with at least two network interfaces. This can either be a VM or dedicated hardware.
  4. A Hurricane Electric IPv6 Tunnel account - [Sign up for free here]

Basic configuration



This is called a "Dual-Stack" network since both protocols will be running on the same physical layer. This will present no problems since IPv6 is designed to coexist with IPv4.

Procedure:

During this guide, I will use the following values. Replace with your own.

Local Network:
Main Router IP: 192.168.10.1
pfSense WAN IP: 192.168.10.2

Tunnel Details from Hurricane Electric:

Server IPv4 Address: 209.51.161.14
Server IPv6 Address: 2001:470:1f06:1234::1/64
Client IPv4 Address: Your WAN IP
Client IPv6 Address: 2001:470:1f06:1234::2/64

Routed /64: 2001:470:1f07:1234::/64 [note that it has a different subnet from the server]

Part I: Pre-requisites

The following are steps I will not cover. I am assuming you can do these things.
  1. Set the existing WAN gateway to respond to ICMP pings.
    The pings come from 66.220.2.74 (Hurricane Electric), but most home routers don't let you restrict this by source IP anyway.
  2. Set the existing WAN gateway to either:
    • Pass Protocol 41 to the local IP pfSense is going to use
    • (or) Specify the local pfSense WAN IP as the DMZ host.
      Note: It can be any IP, but it must be outside the router's DHCP range.
  3. You have registered for an account with Hurricane Electric and got your first /64 IPv6 allocation.

Part II: Initial configuration

Install pfSense on a PC/VM and allow login from its WAN interface so it can be administered from the local IPv4 network. If running from a VM, 1 processor/core, 2GB disk space and 256MB RAM is my recommended setting. There's nothing special about the installation so just select quick/easy install.

The first time pfSense boots up it will ask you to assign the interfaces. Just go for the basic setup with no VLANs or OPTs, but don't connect the WAN ethernet port yet. After it starts up, hook up a computer to the LAN interface and point your browser to https://192.168.1.1. Log in using "admin" and "pfsense" as the user name and password. It will start a configuration wizard; skip this by clicking on the pfSense logo on top. Change the default administrator password through the top menu bar, System > User Manager, and click the "e" button to the right of the admin account.

Part III: WAN configuration

On the top menu bar, head to Interfaces > WAN. Change "IPv4 Configuration Type" to "Static IPv4" and "IPv6 Configuration Type" to "None". Scroll down to Static IPv4 Configuration and enter the IP address that the existing router passes DMZ or Protocol 41 traffic to, and choose /24 as your subnet. Add a new gateway and use the Main Router's IP here; stick with WANGW as the name. Untick "Block private networks" (pfSense's WAN side sits on your private 192.168.10.0/24 network here, so that default would drop traffic from the main router). Click save, then apply at the top of the page.

Example Image: (Click to show)

Part IV: Enable webGUI on WAN
On the top menu bar, go to Firewall > Rules. In the WAN tab, add a new rule by clicking the tiny plus icon at the top of the list. Set the source type to "WAN subnet", "Destination Type" to "WAN address", "Destination port range" both to "HTTPS", and enter a description. Click save, then apply settings. This rule only admits HTTPS from your own 192.168.10.0/24 subnet; anything arriving through the DMZ with a public source address still hits the default block.

Example Image: (Click to show)

You can now login from your normal LAN (https://192.168.10.2). Hook up pfSense's WAN port into the network but leave LAN unhooked for now.

Part V: Tunnel Configuration

Log in using pfSense's WAN IP. Click Interfaces > (assign) and then click the GIF tab. Now take a look at your Hurricane Electric Tunnel Details page and plug the values into pfSense.
  1. "Server IPv4 address" goes into the "gif remote address"
  2. "Client IPv6 address" goes into the "gif tunnel local address"
  3. "Server IPv6 address" goes into the "gif tunnel remote address"

Example Image: (Click to show)

Click Save and then click the "Interface assignments" tab. Click the plus sign and add the GIF interface then click save. Now click OPT1 and check "Enable Interface". Set IPv4 configuration to none, IPv6 to static and plug in the rest of the Tunnel Details.
  1. "Client IPv6 address" goes into the "IPv6 address" field
  2. "Server IPv6 address" goes into the "Gateway IPv6" field

Example Images: (Click to show)



Click save and Apply settings. pfSense will now connect the tunnel.

Part VI: LAN interface

Disable DHCP (v4) on the LAN interface by going to Services > DHCP Server on the top menu bar. Click on the LAN tab and uncheck "Enable DHCP server on LAN interface" (your existing router keeps handing out IPv4 addresses; pfSense only serves IPv6 here). Click save and go to Interfaces > LAN on the top menu bar.
  1. Set IPv4 Configuration Type to "none"
  2. Set IPv6 Configuration Type to "Static IPv6"
  3. Set IPv6 address to your tunnel's "Routed /64" IPv6 address and append 1 to the end (2001:470:1f07:1234:: > 2001:470:1f07:1234::1). Use /112 as a subnet.
    If you only plan on having one subnet, you can use /64 here. /64 is an unimaginable size though, setting it at /112 creates less headaches later if you want to add another subnet.

Example Image: (Click to show)

Click save and Apply.

Part VII: Enabling DHCPv6

Go to the DHCPv6 service page (Services on the top menu bar > DHCPv6/RA). Select the LAN tab, go to the Router Advertisements tab, set it to "Managed" and click save. Go back to the "DHCPv6 server" tab and check "Enable DHCPv6 server on LAN interface". Set your ranges. I use ::ff00-::ffff for a total of 256 IPs. If you need more you can adjust it - ::0 to ::ffff gives 65535 public IPs.

Set the DNS servers to 2001:4860:4860::8888 and 2001:4860:4860::8844 (Google IPv6 DNS). You can also use 2001:470:20::2, HE.net's anycasted DNS server which will be faster.
Example Images: (Click to show)



You can now hook your LAN interface up to your IPv4 network and pfSense will start handing out IPv6 addresses to IPv6-enabled devices.




IPv6 works a bit differently as far as assigning IP addresses goes. In the image above, there are three IPs listed under IPv6. The top one is your real global IP; the second, "temporary", is a random IP you are assigned for privacy (kind of like getting a new IP each time you dialed up on 56k). This behavior can be disabled by turning off "IPv6 Privacy" in Windows. The link-local IPv6 address is used only for traffic on the local LAN segment.

Part VIII: Testing Connectivity

http://ipv6.google.com or http://test-ipv6.com



Success? awesome!

Part X: But wait, there's more!

Unless you have a static IPv4 address, you must let he.net know when your public WAN IP has changed or else the tunnel will fail. You cannot use pfSense's Dyn-DNS service here since it will plug in the 192.168.10.2 local IP as your WAN. Luckily, he.net provides users with an easy-to-use API. I wrote a script to connect to he.net's API and then installed a cron job to execute it every six hours.

Save this as "he-tunnel-update.sh" on your desktop and plug in your he.net credentials.
Code:
#!/bin/sh
# pfSense 2.1 HE-Tunnel WAN Update script

# Your Hurricane Electric Tunnel Info
# (USER overrides the shell's own USER variable for the duration of this script, which is harmless here)
USER="username"
PSWD="password"
TUNNELID="123456"  # First item on the Tunnel Details page
LOGFILE=/root/ipv6wanupdate.log

# Ask he.net to set this tunnel's client IPv4 endpoint to the address the request arrives from.
# -4 forces IPv4 (the tunnel may be down), -q is quiet, -o - writes the reply to stdout.
EXECUTE=$(/usr/bin/fetch -4 -q -o - "https://$USER:$PSWD@ipv4.tunnelbroker.net/nic/update?name=$USER&password=$PSWD&hostname=$TUNNELID" 2>&1)
echo "$EXECUTE - $(date)" >> "$LOGFILE"

In pfSense go to Diagnostics > Command Prompt and select "he-tunnel-update.sh" on your desktop and upload it.

Copy "he-tunnel-update.sh" into the /root directory and give it permission to execute. Enter and execute this on command line under "Execute Shell command".
Code:
cp /tmp/he-tunnel-update.sh /root/he-tunnel-update.sh && chmod +x /root/he-tunnel-update.sh

Install it as a job in cron by executing this command:
Code:
(crontab -l 2>/dev/null; echo "0 */6 * * * /root/he-tunnel-update.sh") | crontab -

(The existing crontab is listed first so the new line is appended to it rather than replacing it; 2>/dev/null keeps the "no crontab" message out of the way if there is none yet.)

It will now run every 6 hours and he.net will update your WAN IP if it needs to. You can check its behavior by checking /root/ipv6wanupdate.log through Diagnostics > Edit File > Browse.
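An added example, not the script from the original post, that extends it in two ways a practitioner usually wants: it only calls the he.net API when the public IPv4 address has actually changed, and it redacts the password from the reply before anything is written to the log (fetch error messages can echo the full URL). It assumes the api.ipify.org lookup service, the /root/he-tunnel-last-ip cache file, the --run and --force flags, and the DynDNS-style myip parameter and good/nochg replies from the update endpoint; none of these appear in the original post.

```shell
#!/bin/sh
# Added example, not the script from the original post: update the he.net
# tunnel client endpoint only when the public IPv4 address has changed, and
# keep the password out of the log. File paths, the ipify lookup service, the
# --run/--force flags and the DynDNS-style myip/good/nochg API convention are
# assumptions for this example.

HE_USER="username"
HE_PSWD="password"
TUNNELID="123456"                  # first item on the Tunnel Details page
LOGFILE=/root/ipv6wanupdate.log
STATEFILE=/root/he-tunnel-last-ip  # assumed: where the last seen WAN IP is cached

# valid_ipv4 ADDR: succeed only for a plausible dotted quad (four octets, 0-255).
valid_ipv4() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip_changed ADDR STATEFILE: succeed if STATEFILE is missing or holds a
# different address than ADDR.
ip_changed() {
    [ -r "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# redact TEXT SECRET: replace every occurrence of SECRET in TEXT with ***
# (assumes SECRET contains no sed metacharacters).
redact() {
    printf '%s' "$1" | sed "s/$2/***/g"
}

# current_public_ip: the address the outside world sees us from. pfSense's WAN
# here is a private address, so this has to be learnt from outside (assumed
# service: api.ipify.org; any plain-text IPv4 echo service works).
current_public_ip() {
    /usr/bin/fetch -4 -q -o - "https://api.ipify.org" 2>/dev/null
}

# update_tunnel ADDR: tell he.net the new client IPv4 endpoint, log the
# redacted reply, and remember ADDR only if he.net accepted it.
update_tunnel() {
    url="https://ipv4.tunnelbroker.net/nic/update?name=$HE_USER&password=$HE_PSWD&hostname=$TUNNELID&myip=$1"
    reply=$(/usr/bin/fetch -4 -q -o - "$url" 2>&1)
    echo "$(redact "$reply" "$HE_PSWD") - $1 - $(date)" >> "$LOGFILE"
    case $reply in
        good*|nochg*) printf '%s\n' "$1" > "$STATEFILE" ;;
        *) return 1 ;;
    esac
}

main() {
    ip=$(current_public_ip)
    if ! valid_ipv4 "$ip"; then
        echo "could not determine public IPv4 address - $(date)" >> "$LOGFILE"
        exit 1
    fi
    if [ "${1:-}" = "--force" ] || ip_changed "$ip" "$STATEFILE"; then
        update_tunnel "$ip"
    fi
}

# Only act when invoked with --run, so the functions can also be sourced.
# Cron line: 0 */6 * * * /root/he-tunnel-update.sh --run
case "${1:-}" in --run) shift; main "$@" ;; esac
```

Run it once by hand as `sh he-tunnel-update.sh --run --force` to seed the cache file, then install the --run form in cron; the log then shows one line per actual update instead of one every six hours.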

Things you may want to know:

Opening ports:

Similar to how IPv4 NAT behaves, by default pfSense will block all incoming connections to anything behind it unless an explicit rule is written allowing it. This is important since with IPv6 all your devices have real public IPs assigned to them. If you need to expose a port, this is done by making a firewall rule under the tunnel's gif interface. The rule form looks daunting with its many options but it's pretty straightforward.

Example firewall rule for a webserver: (Click to show)

This is a real rule I have opening port 80 (HTTP) to my webserver. The important thing to remember here is that the interface is the gif tunnel created earlier and the protocol is always IPv6 - it is never WAN or LAN or IPv4. Note that "webserver" here is normally an IPv6 address. What you see in the image is an alias (Firewall > Alias) that links to my webserver's IP address. Also, like ipfilter on linux, packet filter in FreeBSD (the "pf" in pfSense) evaluates rules on a first-match basis from top to bottom. The firewall applies the first rule that matches and ignores anything below it. This means if you have a rule allowing port 80 to webserver and, below it, a rule blocking port 80 to webserver, the port is open because the allow rule came first.
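Because evaluation is first-match, a later block rule for the same host and port is silently dead, which is easy to miss once a rule list grows. The following shell/awk audit, added here as an example and not part of the original post, reads rules in the one-line "pfctl -sr" style and reports rules shadowed by an earlier "quick" rule (pfSense adds quick to every GUI rule). The sample rule lines are constructed for this example, and the matching is deliberately simple: a field matches when it is identical or the earlier rule says "any"; it does not reason about subnet overlap or port ranges.

```shell
#!/bin/sh
# Added example (not from the original post): find pf rules that can never
# match because an earlier "quick" rule already covers the same
# interface/family/protocol/destination/port. Input is one rule per line in
# the "pfctl -sr" style; matching is exact-or-"any" only, no subnet overlap.

# shadowed_rules: read rules on stdin, print the line number of each shadowed rule.
shadowed_rules() {
    awk '
    function covers(a, b) { return (a == "any" || a == b) }
    {
        iface = af = proto = dst = port = "any"
        for (i = 1; i <= NF; i++) {
            if ($i == "on")                    iface = $(i + 1)
            if ($i == "inet" || $i == "inet6") af    = $i
            if ($i == "proto")                 proto = $(i + 1)
            if ($i == "to")                    dst   = $(i + 1)
            if ($i == "port")                  port  = ($(i + 1) == "=") ? $(i + 2) : $(i + 1)
        }
        hit = 0
        for (j = 1; j <= n; j++)
            if (covers(I[j], iface) && covers(A[j], af) && covers(P[j], proto) &&
                covers(D[j], dst) && covers(T[j], port)) hit = 1
        if (hit) print NR            # an earlier quick rule already decided this traffic
        else if ($0 ~ /(^| )quick( |$)/) {
            n++; I[n] = iface; A[n] = af; P[n] = proto; D[n] = dst; T[n] = port
        }
    }'
}

# Constructed sample: the situation described above, a pass for port 80
# followed by a block for the same host and port, plus an unrelated 443 rule.
SAMPLE_RULES='pass in quick on gif0 inet6 proto tcp from any to 2001:470:1f07:1234::10 port = 80 flags S/SA keep state
block drop in quick on gif0 inet6 proto tcp from any to 2001:470:1f07:1234::10 port = 80
pass in quick on gif0 inet6 proto tcp from any to 2001:470:1f07:1234::10 port = 443 flags S/SA keep state'

# audit_sample: line numbers of shadowed rules in SAMPLE_RULES (prints 2: the block is dead)
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
}

audit_sample
```

On a live box the same function can be fed with `pfctl -sr | shadowed_rules` from Diagnostics > Command Prompt; a reported line number is a rule that the GUI shows but pf never reaches.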


Seeing who's on the router:

There are no NAT tables or ARP tables in IPv6, but you can determine what hosts are connected to pfSense by going to Diagnostics > NDP Table (NDP takes the place of ARP for IPv6). Packet filter is also a stateful firewall, so you can view connected IPs by looking at Diagnostics > States.

DNS:

You can change DNS servers by either modifying them on the interface as mentioned earlier or going to System > General Setup. In practice, the only real public IPv6 DNS servers available are Google's. IPv4 DNS servers also return AAAA (IPv6) records, so you can continue using IPv4 DNS servers if you'd like.

Adding extra subnets:

This is easy. Just enable your extra interface at Interfaces > (assign). It's the same as setting up the LAN interface above, but you have to change one group of the IPv6 address you assign. For example, the subnet I distribute to my real physical network is assigned 2001:470:1f07:xxx::1/112 and my second subnet, strictly for servers, is 2001:470:1f07:xxx:1::1/112.

Personal experiences:

I noticed that YouTube and Netflix run better with IPv6 enabled. 720p and 1080p caches almost as fast as my connection can go even during peak hours. This may be due to not many people having IPv6 yet and those content servers might be on dedicated IPv6 links.

I don't recommend running Windows XP dual-stacked because it behaves oddly. Why the heck are you still using Windows XP anyway?

If a game supports IPv6, latency may be higher depending on the route taken (he.net tunnel servers sit on their nationwide backbone). But the main problem is that occasionally the tunnel will lose connection for a fraction of a second and immediately reconnect, causing disconnects in games. I recommend disabling IPv6 on games that support it.

I find it easier to remember IPv6 addresses than IPv4 ones. I remember the IP addresses of each of my servers but I cannot remember my single WAN IP. I have no idea why.

When I connect to my FTP server from my apartment to my house on IPv4, it will crawl at about 2-3Mbit upload per file. However, if I connect via IPv6, it goes full speed at 20Mbit (the server's upload is 35Mbit through FiOS). I suspect Time Warner or Verizon FiOS throttle connections to or from residential IPs to limit P2P. IPv6 goes faster because, as far as both ISPs are concerned, that FTP traffic originates from and is sent to he.net's data centers.


...

See my other IPv6 How-to: http://www.overclock.net/t/1436876/how-to-attain-sage-ipv6-certification-from-hurricane-electric/0_100 (skip the getting connectivity part, obviously)

I hope that wasn't too confusing. If anyone has a question please leave a comment below and I will be happy to try to answer them.

October 28, 2013 - Ver 1.0
Edited by Dream Killer - 10/29/13 at 1:56pm
post #2 of 2
Subbed. Definitely looking into using something like this especially to start on the IPv6 bandwagon.