OPNsense Forum

English Forums => General Discussion => Topic started by: bunchofreeds on August 17, 2021, 01:33:00 am

Title: IPv6 Questions
Post by: bunchofreeds on August 17, 2021, 01:33:00 am
Hi all,

I recently moved ISP and am now behind CGNAT for IPv4. There were other benefits :)
Rather than obtaining a static IPv4, I thought I'd investigate IPv6 as provided by my new ISP.

I've got what I believe to be a working WAN and LAN setup for IPv6, although I have not received any info from the ISP about how to do this...

WAN
DHCPv6 through the same PPPoE connection as IPv4
Request only an IPv6 prefix
Use IPv4 connectivity
Has an IPv6 delegated prefix /56, Gateway and Link local addresses

LAN
Track WAN Interface
IPv6 Prefix ID of 0
Has obtained an IPv6 AND Link local addresses

My devices are obtaining both link-local and IPv6 addresses

I'm a bit stuck now with my understanding of IPv6 and how to proceed with OPNsense.
My goal is to be able to connect back to IPv6 devices on my network from external.

Because I'm on DHCPv6, my ISP can give me a new IPv6 at any time.
I've been able to use Dynamic DNS with Cloudflarev6 to send the updated IP to their DNS, but this is the LAN address and not the address of the host behind the router.

Does anyone know if it's possible to update a remote DNS using the host IPv6 address from unbound, then also create associated firewall rules to match?
This is so I can connect back into these devices from outside reliably after an IP change.

Also, do I only need to create a WAN firewall rule, allowing for example port 443 to the destination device's IPv6 address, or do I also need to create a LAN rule?

Thanks for any help with this

Title: Re: IPv6 Questions
Post by: bartjsmit on August 17, 2021, 08:22:22 am
> Because I'm on DHCPv6, my ISP can give me a new IPv6 at any time.

That's not necessarily the case. My /56 is fixed. Your ISP may be a bit averse to you hosting services from your connection - the CGNAT would fit in that pattern.

I'm not sure how you would create an allow firewall rule to an internal host with an IPv6 address that keeps changing.

Bart...
Title: Re: IPv6 Questions
Post by: Greelan on August 17, 2021, 09:27:14 am
My understanding is that there is ongoing work to allow dynamic prefixes to be used in Aliases and therefore FW rules: https://github.com/opnsense/core/issues/4923

In terms of the OP’s query regarding FW rules, yes with IPv6 only a WAN allow rule would be needed, as there is no NAT involved
Title: Re: IPv6 Questions
Post by: bunchofreeds on August 17, 2021, 10:43:42 pm
Thanks for the replies and your help.

I'm relatively new to IPv6 so will be misunderstanding some things I'd imagine.
With the /56 I am allocated, I'm not entirely sure how this works. My assumption is that it's quite a large range of globally unique addresses that can be assigned to my end devices.
I do not intend to be mass hosting any services however, but would like access back to some over https and without VLAN while I am outside my network.

@bartjsmit
I assumed that DHCPv6 by nature can/will provide new IP addressing as I have no means of reserving this myself. I have not yet tested this against my install however, but I have read that others get a new IPv6 after a restart of OPNsense or a reconnect. I just don't know so thanks for any information you can provide.
The firewall rule would need to be created on demand as part of the IPv6 address of the target being updated.
One way I thought this might be possible with OPNsense is through its awareness of DHCPv6 leases against MAC address. When the IPv6 address changes, a dynamic DNS update task is run, also a firewall rule change is run.

@Greelan
Thanks for the information, I will read into this. Sounds like a problem that has not been resolved yet.
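The WAN/LAN setup in the first post (a delegated /56 on WAN, LAN tracking it with prefix ID 0) and the idea in the post above (regenerate the DNS record and firewall rule from the lease whenever the prefix changes) both come down to the same arithmetic: the LAN /64 is the delegated prefix with the prefix ID written into the bits between /56 and /64, and a host's global address is that /64 with the host's 64-bit interface identifier appended. The following is an added example, not code from the thread or from OPNsense; it uses only Python's standard `ipaddress` module. It assumes the host keeps a stable interface identifier (here derived as EUI-64 from its MAC, which is one assumption; a fixed DHCPv6 or static suffix would work the same way), and the rule it emits is illustrative pf-style syntax, not the format OPNsense stores rules in.

```python
"""
Added example (not from the forum thread, not OPNsense code): derive the LAN /64
and a host's global address from a delegated prefix, and regenerate the matching
firewall rule when the ISP hands out a new prefix.

Assumptions (not stated in the thread):
  * the host's interface identifier is stable (EUI-64 from its MAC below);
  * prefix ID 0 as in the original post, but any ID that fits is accepted;
  * the emitted rule is illustrative pf-style syntax only.
All prefixes and the MAC address are constructed sample values.
"""
import ipaddress


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 with the given prefix ID out of the delegated prefix.

    With a /56 there are 8 subnet bits, i.e. prefix IDs 0x00..0xff.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    subnet_bits = 64 - pd.prefixlen
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {subnet_bits} bits")
    base = int(pd.network_address)          # host bits are already zero
    return ipaddress.IPv6Network((base | (prefix_id << 64), 64))


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 App. A)."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02                           # flip the universal/local bit
    eui = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return int.from_bytes(eui, "big")


def host_address(lan: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Append a 64-bit interface identifier to a /64."""
    if lan.prefixlen != 64 or not 0 <= iid < (1 << 64):
        raise ValueError("need a /64 and a 64-bit interface identifier")
    return ipaddress.IPv6Address(int(lan.network_address) | iid)


def wan_rule(wan_if: str, host: ipaddress.IPv6Address, port: int) -> str:
    """Illustrative pf-style inbound allow rule; no LAN rule is needed because
    there is no NAT and the packet is routed straight to the host."""
    return f"pass in quick on {wan_if} inet6 proto tcp from any to {host} port {port}"


def plan_after_renumber(delegated: str, prefix_id: int, mac: str,
                        wan_if: str = "pppoe0", port: int = 443) -> dict:
    """Everything that has to be refreshed when the delegated prefix changes:
    the LAN /64, the host's new address (what the DDNS record should carry)
    and the WAN rule that must now point at it."""
    lan = lan_prefix(delegated, prefix_id)
    host = host_address(lan, eui64_iid(mac))
    return {
        "lan": str(lan),
        "host": str(host),
        "rule": wan_rule(wan_if, host, port),
    }


def address_is_current(host: str, delegated: str) -> bool:
    """True if a DNS record's address still lies inside the prefix currently
    delegated; False means the record (and the rule) are stale."""
    return ipaddress.IPv6Address(host) in ipaddress.IPv6Network(delegated)


if __name__ == "__main__":
    old = plan_after_renumber("2001:db8:abcd:100::/56", 0, "00:11:22:33:44:55")
    new = plan_after_renumber("2001:db8:ffff:200::/56", 0, "00:11:22:33:44:55")
    for label, plan in (("old", old), ("new", new)):
        print(label, plan)
    print("old record still valid:",
          address_is_current(old["host"], "2001:db8:ffff:200::/56"))
```

Two caveats a practitioner would want before building on this. First, it only works for hosts whose interface identifier does not move: a device using privacy extensions (RFC 4941 temporary addresses) picks a new random suffix on its own schedule, so the suffix, not just the prefix, changes, and neither the DNS record nor a suffix-based rule would track it; such a host needs a fixed address or a DHCPv6 reservation. Second, the rule is generated per host from the lease, so a rule referring to the old address is simply wrong once the prefix changes, which is exactly why an alias that tracks the dynamic prefix (the open issue Greelan linked) is the cleaner fix.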
Title: Re: IPv6 Questions
Post by: Greelan on August 17, 2021, 11:11:58 pm
I suggest checking with your ISP how static the /56 is.

There is a large spectrum of how ISPs handle them. In some cases a new /56 is allocated daily or on some other regular basis. In my case my /56 is in theory dynamic but in practice it is very unlikely to change unless the ISP is doing some significant backend networking reconfiguration (and so a bunch of customers are renumbered and are given notice of the change beforehand) or I move to another house very far away. In other cases the /56 is static.

Just because you get the /56 by DHCPv6, then, doesn’t mean that the prefix will change, either at all or very often. So in reality this might not present a big issue for you.
Title: Re: IPv6 Questions
Post by: bartjsmit on August 18, 2021, 08:27:43 am
> quite a large range of globally unique addresses

Indeed it is - IPv6 ranges are stupendously large. Every standard /64 subnet has so many addresses that if you wanted to give every square millimeter of floor space in your house its own range, each would get a few dozen times the size of the entire IPv4 internet  8)