whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

Re: [IPv6] Seeing two different LAN side ranges

said by JoelC707:

The LAN side of pfSense has an address in one /64 and my desktop has one in another /64.

This is normal.

You will need to add firewall rules to pass IPv6 traffic. Firewall > Rules > WAN.

You will want to check the LAN rules as well to make sure there is an IPv6 rule there (that should have been in place via defaults).

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Yeah, I have an IPv6 LAN-side rule. I originally had it set to "LAN net" as the source, but since the subnet for the LAN interface is different from the desktop subnet, it was obviously blocking it. I set the source to "any" and it isn't blocking anymore, but I still can't ping/surf on IPv6 from my desktop.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Interfaces: WAN, DHCP6 client configuration:

Set DHCPv6 Prefix Delegation size to None.

Verify your WAN IPv6 address is now /128.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
said by JoelC707:

Yeah, I have an IPv6 LAN-side rule. I originally had it set to "LAN net" as the source, but since the subnet for the LAN interface is different from the desktop subnet, it was obviously blocking it. I set the source to "any" and it isn't blocking anymore, but I still can't ping/surf on IPv6 from my desktop.

You need a WAN one as well. E.g. »willscorner.net/t/wanrule.png

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Wait, why do I need an allow-all "any any" rule on the WAN side? I can't imagine why I would need to fully open up the WAN side like that.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to graysonf
said by graysonf:

Interfaces: WAN, DHCP6 client configuration:

Set DHCPv6 Prefix Delegation size to None.

Verify your WAN IPv6 address is now /128.

Incorrect. The WAN IP address is a single address (hence the /128), but it is in a /64 subnet. (How the heck is it going to reach the gateway if it's in a /128 subnet?)

The DHCP delegation size (on the WAN interface) needs to be set to /64 if he wants PD on his LAN.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to JoelC707
I don't have any such WAN rule here.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to graysonf
I'll have to wait until I get back home in a couple of hours to try out any changes.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
said by JoelC707:

Wait, why do I need an allow-all "any any" rule on the WAN side? I can't imagine why I would need to fully open up the WAN side like that.

FWIW, I lock down my firewall rules via the LAN tab as I have multiple VLANs. In general though, I favor host based security.

You'll need to create several firewall rules if you don't allow all.

Edited for clarity.

1. You need an ICMP rule (PMTUD needs to work).
2. Optional rules for UDP or TCP depending on any incoming traffic.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Ahhh, ok, that makes more sense.

I do have ICMP enabled for v4 and v6. At the moment I don't have any services I want to open up on the LAN for v6 (yet). If you're doing VLAN or host-based security then that makes more sense. I thought you were saying I needed to open up the network for general browsing over IPv6 to work, but that makes more sense.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
said by JoelC707:

I do have ICMP enabled for v4 and v6. At the moment I don't have any services I want to open up on the LAN for v6 (yet). If you're doing VLAN or host-based security then that makes more sense.

Yeah, when you're dealing with VLANs, you scoot the rules back to the VLAN interfaces (eg. LAN, Voice) because you don't want traffic passing between the VLANs without rules in place.

For this reason, I've always been taught it's best to put the firewall/ACL as close to the network you want to protect as possible.
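A small model of the rule evaluation discussed in this thread, added here as an example (not code from the thread or from pfSense itself): it shows why a LAN rule with source "LAN net" misses a desktop sitting in the delegated /64, and that the WAN tab needs only an ICMPv6 pass for PMTUD rather than "any any". The prefixes, addresses, the Rule/Packet classes and evaluate() are all constructed; it models first-match evaluation on the arrival interface only.

```python
# Added example, not from the thread or pfSense: a minimal model of
# per-interface, first-match rule evaluation with constructed prefixes.
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("2001:db8:1::/64")  # prefix on the pfSense LAN interface (constructed)
PD_NET = ip_network("2001:db8:2::/64")   # prefix delegated to LAN clients (constructed)

@dataclass
class Rule:
    iface: str                  # interface the packet arrives on: "lan" or "wan"
    action: str                 # "pass" or "block"
    proto: str                  # "any", "tcp", "udp" or "icmp6"
    src: Optional[IPv6Network]  # None means source "any"

@dataclass
class Packet:
    iface: str
    proto: str
    src: str

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule on the arrival interface wins; no match means block."""
    for r in rules:
        if r.iface != pkt.iface or r.proto not in ("any", pkt.proto):
            continue
        if r.src is not None and ip_address(pkt.src) not in r.src:
            continue
        return r.action
    return "block"

# The thread's starting point: a LAN pass rule whose source is "LAN net".
LAN_NET_ONLY = [Rule("lan", "pass", "any", LAN_NET)]
# Tighter than "any": pass the interface prefix and the delegated prefix.
LAN_FIXED = [Rule("lan", "pass", "any", LAN_NET), Rule("lan", "pass", "any", PD_NET)]
# WAN: pass only unsolicited ICMPv6 (Packet Too Big for PMTUD); the rest is blocked.
WAN_MINIMAL = [Rule("wan", "pass", "icmp6", None)]

DESKTOP = Packet("lan", "tcp", "2001:db8:2::10")        # desktop sits in the delegated /64
PTB = Packet("wan", "icmp6", "2001:db8:ffff::1")        # Packet Too Big from an upstream router
UNSOLICITED = Packet("wan", "tcp", "2001:db8:ffff::1")  # inbound SYN from the Internet

if __name__ == "__main__":
    for name, rules, pkt in [("desktop, LAN net only", LAN_NET_ONLY, DESKTOP), ("desktop, fixed", LAN_FIXED, DESKTOP),
                             ("PTB on WAN", WAN_MINIMAL, PTB), ("SYN on WAN", WAN_MINIMAL, UNSOLICITED)]:
        print(f"{name}: {evaluate(rules, pkt)}")
```

Return traffic for connections opened from the LAN is not modelled; pfSense allows that via its state table, which is why the WAN tab only needs rules for unsolicited inbound traffic such as the ICMPv6 messages PMTUD depends on.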