Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Trying to use Tunnelbroker on pfSense with an existing dual stack

Started by lethaldev, March 15, 2014, 01:09:54 AM


lethaldev

Hello all,

I've got a pfSense (2.1.1) system as my primary router.  Previously I was running IPv4 Comcast and Tunnelbroker for my v6 needs.  No issues.

Recently, I was able to start using Comcast's native dual stack.  My WAN got a /128 v6 address and I was able to get a /64 for the LAN.  I really want to set my OpenVPN server up with IPv6, but Comcast won't give me another /64 or a /60, etc.  I know I can keep the Tunnelbroker tunnel up, but for whatever reason, even with policy-routing firewall rules, traffic meant to go out the tunnel ends up going out the Comcast v6 link.  Obviously, this is breaking routing for my routed /64 and /48 from Tunnelbroker.

Has anyone else attempted this kind of setup? If so, have you been able to get it working properly?

Thanks!

kasperd

Quote from: lethaldev on March 15, 2014, 01:09:54 AM
Comcast won't give me another /64 or a /60, etc.
Really? Are they using DHCPv6? Have you tried requesting delegation of a /48, /56, or /60 through DHCPv6?

I see no reason for handing out less than a /60 by default.

Quote from: lethaldev on March 15, 2014, 01:09:54 AM
I know I can keep the Tunnelbroker tunnel up, but for whatever reason, even with policy-routing firewall rules, traffic meant to go out the tunnel ends up going out the Comcast v6 link.  Obviously, this is breaking routing for my routed /64 and /48 from Tunnelbroker.
And this is why I am opposed to reverse path filtering. Reverse path filtering breaks legitimate use cases such as yours. Anybody with nefarious purposes will most likely be able to perform any spoofing they desire, regardless of reverse path filtering.

Quote from: lethaldev on March 15, 2014, 01:09:54 AM
Has anyone else attempted this kind of setup? If so, have you been able to get it working properly?
In principle, what you want is for each routing table entry to be valid only for a range of source IP addresses. If you could have two different default routes - one valid for Comcast sources and one valid for HE sources, then your setup would work.

I have no specific experience with such a setup with pfSense; I have, however, made such a setup using my own stack, so I know it can work.

Actually it could work even better if the most important hosts have one IPv6 address from each range and then use MPTCP. But you need to figure out the routing first before you could possibly take advantage of MPTCP.

If you post your current pfSense configs, there might be forum users, who can spot where your problem might be.

BTW. Anybody else noticed the pfSense website is unreachable over IPv6?
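
As an added illustration (not code from any poster in this thread), a small Python model of the two behaviours kasperd describes: a single destination-only default route, which sends every Internet-bound packet out Comcast regardless of its source address, versus source-scoped default routes, plus a strict reverse-path check that drops legitimate replies arriving over the tunnel. The prefixes are constructed documentation-range placeholders and the gateway names are assumptions.

```python
# Added example: source-scoped routing vs. destination-only routing, plus strict RPF.
import ipaddress

ANY = ipaddress.ip_network("::/0")

class Route(ipaddress.IPv6Network.__class__ and tuple):  # placeholder line replaced below
    pass

from typing import NamedTuple

class Route(NamedTuple):
    dst: ipaddress.IPv6Network          # destination prefix (::/0 is a default route)
    gateway: str                        # logical egress: "lan", "comcast" or "he_tunnel"
    src: ipaddress.IPv6Network = ANY    # source scope; ANY means "valid for any source"

# Constructed placeholder prefixes (documentation range) standing in for the thread's setup.
COMCAST_LAN = ipaddress.ip_network("2001:db8:c0:1::/64")  # /64 delegated by Comcast
HE_64 = ipaddress.ip_network("2001:db8:4e:2::/64")        # routed /64 from HE
HE_48 = ipaddress.ip_network("2001:db8:48::/48")          # routed /48 from HE

def lookup(table, dst, src=None):
    """Return the egress for dst. When src is given, only routes whose source
    scope covers src are eligible; ties go to the most specific dst, then src."""
    d = ipaddress.ip_address(dst)
    s = ipaddress.ip_address(src) if src is not None else None
    cands = [r for r in table if d in r.dst and (s is None or s in r.src)]
    if not cands:
        return None
    return max(cands, key=lambda r: (r.dst.prefixlen, r.src.prefixlen)).gateway

# Destination-only table: one default, so Internet-bound traffic from HE-addressed
# hosts also leaves via Comcast (the behaviour lethaldev reports).
DEST_ONLY = [Route(COMCAST_LAN, "lan"), Route(HE_64, "lan"), Route(HE_48, "lan"),
             Route(ANY, "comcast")]

# Source-scoped table: two defaults, each valid only for one provider's address space.
POLICY = DEST_ONLY[:-1] + [Route(ANY, "comcast", COMCAST_LAN),
                           Route(ANY, "he_tunnel", HE_64),
                           Route(ANY, "he_tunnel", HE_48)]

def strict_rpf_accepts(table, pkt_src, ingress):
    """Strict reverse-path filter: accept only if the route back to the packet's
    source address leaves via the interface the packet arrived on."""
    return lookup(table, pkt_src) == ingress

if __name__ == "__main__":
    print(lookup(DEST_ONLY, "2001:db8:ffff::1", src="2001:db8:48::10"))   # comcast
    print(lookup(POLICY, "2001:db8:ffff::1", src="2001:db8:48::10"))      # he_tunnel
    # A reply from an Internet host arrives over the tunnel, but the destination-only
    # route back to that host points at Comcast, so strict RPF drops it.
    print(strict_rpf_accepts(DEST_ONLY, "2001:db8:ffff::1", "he_tunnel"))  # False
```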

lethaldev

Quote from: kasperd on March 15, 2014, 03:07:21 AM
Really? Are they using DHCPv6? Have you tried requesting delegation of a /48, /56, or /60 through DHCPv6?

I see no reason for handing out less than a /60 by default.
Well, initially they were only handing out /128s.  Rumor says you can get a /56 or a /60 in certain "areas."  I always seem to only get a /64, even after zapping the DUID.

Quote from: kasperd on March 15, 2014, 03:07:21 AM
In principle, what you want is for each routing table entry to be valid only for a range of source IP addresses. If you could have two different default routes - one valid for Comcast sources and one valid for HE sources, then your setup would work.
And that's what I thought policy routing was supposed to take care of.  It tells the firewall to send traffic out a specific gateway, but for whatever reasons, it ends up going out the Comcast gateway :-\

I guess I could bring the Tunnel up on the VPN server.  That seems kind of silly, but I figure it'd work?

kasperd

Quote from: lethaldev on March 15, 2014, 08:43:16 AM
I guess I could bring the Tunnel up on the VPN server.  That seems kind of silly, but I figure it'd work?
That could work. There are a few gotchas to watch out for.
  • You could end up having two different default routes on the VPN server. If you end up with such a setup, you have to solve the routing problem on the VPN server instead. If the VPN server is running a different OS that might be easier than on the router.
  • If the VPN server is configured with only one default gateway (which is going through the tunnel), then you cannot use any of the Comcast IPs on the VPN server.
  • How are you going to address the VPN server's interface to the LAN? Using an address from the /48 routed from HE? Using an address from the /64 routed from Comcast? Both? Neither and only link-local?
  • You want to make sure your current router has static routes specifying the VPN server as gateway for all the prefixes you got from HE.
  • You want to make sure the VPN server has a static route specifying it is directly attached to the /64 routed from Comcast. (This would happen automatically if that interface had an IP address from the Comcast range, but if it does not, then you have to configure it manually.)
  • If the VPN server does not have a public IPv4 address, you'll need to forward protocol 41 to it.

I can come up with more suggestions if I know a bit more about your current setup.