Setting up pfSense with IPv6

I recently had the opportunity to redesign my home network (including with dual-stack IPv6). My setup is as follows:

Physical Devices

Logical Setup

  • A “secure” VLAN – for ‘trusted’ devices.
  • A “restricted” VLAN- for devices on my wireless network and ‘untrusted’ wired devices (i.e. smart TV’s).

On the IPv4 side, this is the usual NAT setup, with each network having a separate private /24 subnet. IPv6 was a little different – essentially my ISP provides a /56 prefix of IPv6 address via DHCP. Given IPv6 minimum subnet sizes of /64, this gives me 8 bits to play with (i.e. I can therefore have 256 /64 networks. Therefore, my IPv6 network followed this model:
[ISP 56-Bits]:[My Subnet 8-Bits]:[My Device Address 64-Bits] = 128-bit IPv6 address.

Interesting Findings

  • Chromecast support across multiple VLANs on both IPv4 and IPv6 required:
    • Installing the Avahi pfSense package. The default settings seem to work fine to make the Chromecasts discoverable – but I noticed Avahi can crash every now and then, so I set up the separate Service Watchdog pfSense package to reboot it if it crashes.
    • Ensuring each Chromecast received a static IP address, ensuring no firewall rules block access to the Chromecast devices across subnets and ensuring multicast UDP traffic was allowed to flow freely to IPv4 ( and IPv6 (ff00::/8)
  • To ensure IPv6 works effectively when you’re running in stateless mode (SLAAC), you can no longer set Windows desktops / servers to “block all incoming” connections on the host firewall. If you do this, you’ll end up blocking in the inbound router advertisement (RA) packets that set ups the IPv6 default gateway. E.G.:
  • When I first set up IPv6 DNS servers for IPv6 connections, I noticed that there was a big latency difference between IPv4 Google Public DNS (<4ms from Sydney) and IPv6 Google Public DNS (~200ms latency). Between my first draft of this post and me publishing it, this appears to have been resolved - with Google confirming they’ve extended the geographic range of Google Public DNS out to Australia (my IPv6 DNS pings are now ~4ms, the same as IPv4)
  • When I first tested my IPv6 connectivity, I was using the two major test sites (Exhibit A | Exhibit B). I noticed one generally gave me a 18/20 despite everything looking good. When I did some more reading, I discovered that IPv6 requires you to allow certain types of ICMP traffic inbound from the public internet (which you didn’t need in an IPv4-only world). Most operating-system host firewalls still block it though(!). Based on section 4.3.1 of the IETF spec, I’ve unblocked the 6 types of ICMP traffic that “MUST NOT be blocked”: