Setting up pfSense with IPv6

I recently had the opportunity to redesign my home network (including with dual-stack IPv6). My setup is as follows:

Physical Devices

Logical Setup

  • A “secure” VLAN – for ‘trusted’ devices.
  • A “restricted” VLAN – for devices on my wireless network and ‘untrusted’ wired devices (i.e. smart TVs).

On the IPv4 side, this is the usual NAT setup, with each network having a separate private /24 subnet. IPv6 was a little different: my ISP provides a /56 IPv6 prefix via DHCPv6 prefix delegation. Given the IPv6 minimum subnet size of /64, this leaves me 8 bits to play with (i.e. I can have up to 256 /64 networks). My IPv6 addressing therefore followed this model:
[ISP 56-Bits]:[My Subnet 8-Bits]:[My Device Address 64-Bits] = 128-bit IPv6 address.
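To make the 56 + 8 + 64 layout concrete, here is an added Python example (mine, not from the post) that carves a delegated prefix into its /64s, selects one by an 8-bit subnet id, and appends a 64-bit interface identifier. The delegation `2001:db8:1:2300::/56` is a constructed value from the documentation range, not a real ISP prefix; the id it computes is the same number pfSense asks for as the “IPv6 Prefix ID” (entered in hex) when a LAN interface tracks the WAN delegation. The functions also handle other delegation sizes (a /48 gives 16 id bits) and reject ids that do not fit.

```python
import ipaddress

# Constructed example delegation in the documentation range (not a real ISP prefix).
# Layout: [ISP 56 bits][subnet id 8 bits][interface identifier 64 bits].
DELEGATED_PREFIX = "2001:db8:1:2300::/56"


def carve_subnets(delegated: str, new_prefix: int = 64) -> list:
    """Split a delegated prefix into every /64 it contains (256 for a /56)."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > new_prefix:
        raise ValueError(f"{delegated} is smaller than a /{new_prefix}; nothing to carve")
    return list(net.subnets(new_prefix=new_prefix))


def subnet_for_id(delegated: str, subnet_id: int) -> ipaddress.IPv6Network:
    """Return the /64 selected by an integer subnet id.

    The id occupies the bits between the delegated prefix length and bit 64,
    so for a /56 it is the low byte of the fourth hextet (0x00..0xff). This is
    the value pfSense calls the 'IPv6 Prefix ID' on a tracking interface.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    id_bits = 64 - net.prefixlen
    if id_bits < 0:
        raise ValueError("delegated prefix is longer than /64")
    if not 0 <= subnet_id < (1 << id_bits):
        raise ValueError(f"subnet id {subnet_id:#x} does not fit in {id_bits} bits")
    base = int(net.network_address)
    # Shift the id up past the 64 host bits and OR it into the prefix.
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def host_address(subnet: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 with a 64-bit interface identifier into a full address."""
    if subnet.prefixlen != 64:
        raise ValueError("expected a /64")
    if not 0 <= iid < (1 << 64):
        raise ValueError("interface identifier must fit in 64 bits")
    return ipaddress.IPv6Address(int(subnet.network_address) | iid)


if __name__ == "__main__":
    nets = carve_subnets(DELEGATED_PREFIX)
    print(f"{DELEGATED_PREFIX} yields {len(nets)} /64 networks")
    # Constructed mapping of the two VLANs from the post to prefix ids 0x01 and 0x02.
    for name, sid in (("secure", 0x01), ("restricted", 0x02)):
        sn = subnet_for_id(DELEGATED_PREFIX, sid)
        print(f"{name:>10} VLAN -> prefix id {sid:#04x} -> {sn}, gateway {host_address(sn, 1)}")
```

Running it shows why the subnet id lands in the low byte of the fourth hextet: `2001:db8:1:2300::/56` with id `0x01` becomes `2001:db8:1:2301::/64`, and id `0xff` becomes `2001:db8:1:23ff::/64`.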

Interesting Findings

  • Chromecast support across multiple VLANs on both IPv4 and IPv6 required:
    • Installing the Avahi pfSense package. The default settings seem to work fine to make the Chromecasts discoverable, but I noticed Avahi can crash every now and then, so I set up the separate Service Watchdog pfSense package to restart it if it crashes.
    • Ensuring each Chromecast received a static IP address, ensuring no firewall rules block access to the Chromecast devices across subnets, and ensuring multicast UDP traffic was allowed to flow freely to the IPv4 (224.0.0.0/4) and IPv6 (ff00::/8) multicast ranges.
  • To ensure IPv6 works effectively when you’re running in stateless mode (SLAAC), you can no longer set Windows desktops/servers to “block all incoming connections” on the host firewall. If you do, you’ll block the inbound router advertisement (RA) packets that set up the IPv6 default gateway.
  • When I first set up IPv6 DNS servers for IPv6 connections, I noticed that there was a big latency difference between IPv4 Google Public DNS (<4ms from Sydney) and IPv6 Google Public DNS (~200ms latency). Between my first draft of this post and me publishing it, this appears to have been resolved, with Google confirming they’ve extended the geographic range of Google Public DNS out to Australia (my IPv6 DNS pings are now ~4ms, the same as IPv4).
  • When I first tested my IPv6 connectivity, I was using the two major test sites (Exhibit A | Exhibit B). I noticed one generally gave me an 18/20 despite everything looking good. When I did some more reading, I discovered that IPv6 requires you to allow certain types of ICMP traffic inbound from the public internet (which you didn’t need in an IPv4-only world). Most operating-system host firewalls still block it though(!). Based on section 4.3.1 of the IETF spec, I’ve unblocked the 6 types of ICMP traffic that “MUST NOT be blocked” on the WAN interface.
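The six message types referred to above are the ones RFC 4890, section 4.3.1 (“Traffic That Must Not Be Dropped”) lists: Destination Unreachable (1, all codes), Packet Too Big (2), Time Exceeded (3, code 0), Parameter Problem (4, codes 1 and 2), Echo Request (128) and Echo Reply (129). The following Python example is added here and is not the post’s or pfSense’s own code: it encodes that table, audits a constructed, simplified block-log excerpt for drops that violate it, and prints pf-style pass rules in numeric form that can be compared against the rule set pfSense writes to /tmp/rules.debug. The log line format and the interface name `em0` are assumptions made for the example; real pfSense filterlog output is a different, CSV-like format.

```python
import re

# RFC 4890 section 4.3.1: ICMPv6 messages a firewall MUST NOT drop.
# None means every code of that type; a tuple lists only the required codes.
MUST_NOT_DROP = {
    1: None,     # Destination Unreachable (all codes)
    2: None,     # Packet Too Big (path MTU discovery breaks without it)
    3: (0,),     # Time Exceeded, code 0: hop limit exceeded in transit
    4: (1, 2),   # Parameter Problem, codes 1 and 2: unrecognised next header / option
    128: None,   # Echo Request
    129: None,   # Echo Reply
}


def must_not_drop(icmp_type: int, code: int) -> bool:
    """True if RFC 4890 section 4.3.1 forbids dropping this type/code."""
    codes = MUST_NOT_DROP.get(icmp_type, ())
    return True if codes is None else code in codes


# Constructed, simplified block-log lines for this example (assumed format, not
# real pfSense filterlog output). Only interface, protocol, ICMPv6 type and
# code are modelled; addresses are from the documentation range.
SAMPLE_BLOCK_LOG = """\
block in on em0 proto ipv6-icmp type 128 code 0 src 2001:db8::10 dst 2001:db8:1:2301::1
block in on em0 proto ipv6-icmp type 2 code 0 src 2001:db8::10 dst 2001:db8:1:2301::1
block in on em0 proto ipv6-icmp type 3 code 1 src 2001:db8::10 dst 2001:db8:1:2301::1
block in on em0 proto tcp src 2001:db8::10 dst 2001:db8:1:2301::1 sport 40000 dport 22
block in on em0 proto ipv6-icmp type 135 code 0 src fe80::1 dst ff02::1:ff00:1
"""

_LINE_RE = re.compile(r"^block in on (\S+) proto ipv6-icmp type (\d+) code (\d+)")


def audit_block_log(log_text: str) -> list:
    """Return (type, code) pairs that were blocked although 4.3.1 says they must pass."""
    violations = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not an ICMPv6 block entry
        icmp_type, code = int(m.group(2)), int(m.group(3))
        if must_not_drop(icmp_type, code):
            violations.append((icmp_type, code))
    return violations


def pf_pass_rules(interface: str) -> list:
    """pf-style pass rules (numeric type/code) covering exactly the 4.3.1 set.

    The rule text is an approximation of pf syntax for comparison purposes; it
    is not copied from pfSense's generated rule set.
    """
    rules = []
    for icmp_type, codes in sorted(MUST_NOT_DROP.items()):
        base = f"pass in quick on {interface} inet6 proto ipv6-icmp icmp6-type {icmp_type}"
        if codes is None:
            rules.append(base)
        else:
            rules.extend(f"{base} code {c}" for c in codes)
    return rules


if __name__ == "__main__":
    for t, c in audit_block_log(SAMPLE_BLOCK_LOG):
        print(f"violation: ICMPv6 type {t} code {c} was blocked but must not be")
    print("\n".join(pf_pass_rules("em0")))
```

On the constructed log the audit flags the blocked Echo Request and Packet Too Big, but not Time Exceeded code 1 or the Neighbor Solicitation (type 135), which are outside the section 4.3.1 set; the generated rule list has seven entries because Parameter Problem needs one rule per required code.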

5 thoughts on “Setting up pfSense with IPv6”

  1. You don’t actually need to specify those rules to allow the “MUST not block ICMPv6” traffic. By default, pfSense has rules set up that already allow it. You can see these rules by logging into the command line of your pfSense system and inspecting the /tmp/rules.debug file.

    1. I don’t think it’s true that pfSense adds these rules for you (they very proudly add no default rules). I had to add the rules manually, otherwise ICMPv6 was blocked.

      Note, however, that you can include all 6 required/recommended ICMP types in a single rule by selecting multiple rows (using the Command key on a Mac, and I assume the Control key on Linux/Windows).

  2. Great post, Joel! Thank you!

    I haven’t fiddled much with IPv6, but am ready to get my hands & feet ;) dirty with it. You don’t have a Guide for setting up IPv6 properly on pfSense, do you?

    My ISP (Google/US) gives out a /56 and I’ve set up my WAN IPv6 Config Type to be DHCP6 w/ the DHCP Client Prefix delegation size to /56. I have also set up the LAN interface to Track the WAN interface; however, I am not able to pull IPv6 from my ISP.

    Any practical Guide that has step-by-step instruction along with how one would use IPv6 in the Home use case scenario would be awesome!

    1. The only things I normally have to do are:
      – Ensure you have RA’s (Stateless) or DHCPv6 (Stateful) enabled in pfSense – so your clients get addresses.
      – Ensure you have any/any outbound firewall rules set up (to let your clients reach the IPv6 internet).

  3. Well done, Tobias. I believe you are correct on the need for a rule. Especially well done on the multi-select tip avoiding six separate rules. Note that ipv6-test = 17/20 from a Windows desktop is most common outcome due to the Windows Firewall blocking the ICMP ping (filtered). The quick fix to see 19/20 is to add a rule in Windows that allows all IPv6 traffic as described here: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc972926(v=ws.10)
