mapping public to private IPv6 networks when firewalling

Seth Mos seth.mos at dds.nl
Thu Nov 24 10:34:45 CET 2011


On 24-11-2011 10:20, Eugen Leitl wrote:
> On Thu, Nov 24, 2011 at 08:44:42AM +0100, Seth Mos wrote:
>> On 23-11-2011 22:23, Eugen Leitl wrote:

> fc00::/7 addresses will not be routed beyond that, correct?

s/would/should/

Although it is common for ISPs to drop private and documentation space
for IPv4, this does not appear to apply universally to IPv6 yet.

The "private network" block in pfSense does do this for IPv6 fc00::/7
and 2001:db8:: currently.

> Any recommendations for an *really* affordable (European) ISP who
> allows BGP for customers? What's the annual cost, roughly?

PI space via KPN costs us about 500 a year for a /24 which is the
smallest they will provide. Get it while you can.

The subscription premium is not so much an issue, although you need to be
multihomed to qualify, which normally means at least 2 connections at roughly
100 euros a piece, which are likely snail speed at that price.

> Which IPv6 setup do you recommend currently for pfSense/FreeBSD?
> I want to run carp+pfsync failover. No redundant WAN yet.

The setup procedure is much the same. I have such a CARP setup active at
an Xs4all DC. Assign an IPv6 address to each interface of the firewall. Then
create IPv6 VIPs on each interface, reference those in all the static
routes, and make sure to use those as the gateway.

This means you will need to use static addressing, since the router
advertisements would still come from the physical interface instead of
the CARP VIP. There is an open ticket for that in redmine.

Failover takes just as long as in IPv4, 2 seconds while keeping state.

> Unrelated to that, is the procedure for IPv4 still the same
> (mapping e.g. a public /24 to a private /24 1:1) or has this also
> changed?

There is an NPtv6 tab on the NAT page. It's awfully buggy though, and good
for some foot shooting. It's not a priority currently.

I dropped work on that when we got PI and didn't need multiwan anymore.

Regards,

Seth
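The two mechanisms this thread touches, the "private network" drop for fc00::/7 and 2001:db8::/32 and the 1:1 public-to-private prefix mapping (NPTv6, RFC 6296) behind the NPt tab, are small enough to show in full. The block below is an added example written for this page; it is not code from the post, from pfSense or from the ipv6-ops list. It implements the checksum-neutral translation the RFC describes, using the RFC's own example prefixes (fd01:203:405::/48 inside, 2001:db8:1::/48 outside) as constructed input, and it simplifies by supporting only equal prefix lengths of at most /48, so the checksum adjustment always lands in the subnet word (bits 48-63); all class and function names are this example's own.

```python
from __future__ import annotations
import ipaddress

# Address ranges a "block private networks" rule for IPv6 would drop, as
# the post describes for pfSense: unique local addresses and documentation space.
ULA = ipaddress.ip_network("fc00::/7")
DOCUMENTATION = ipaddress.ip_network("2001:db8::/32")


def is_private_or_doc_v6(addr: str) -> bool:
    """True for IPv6 addresses inside fc00::/7 or 2001:db8::/32."""
    a = ipaddress.ip_address(addr)
    return a.version == 6 and (a in ULA or a in DOCUMENTATION)


def _ones_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_neg(a: int) -> int:
    return (~a) & 0xFFFF


def _words(n: int) -> list[int]:
    """Split a 128-bit address integer into eight 16-bit words, high word first."""
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def address_checksum(addr: str) -> int:
    """One's complement sum of an address's words, i.e. what the address
    contributes to a TCP/UDP/ICMPv6 pseudo-header checksum.  A correct
    NPTv6 mapping leaves this value unchanged, so transport checksums
    never have to be rewritten."""
    total = 0
    for w in _words(int(ipaddress.ip_address(addr))):
        total = _ones_add(total, w)
    return total


def _prefix_sum(net: ipaddress.IPv6Network) -> int:
    """One's complement sum of a prefix's first three words (bits 0-47)."""
    total = 0
    for w in _words(int(net.network_address))[:3]:
        total = _ones_add(total, w)
    return total


class NPTv6:
    """Checksum-neutral 1:1 prefix translation as in RFC 6296.

    Assumption of this example: both prefixes have the same length and are
    no longer than /48, so the adjustment is always applied to word 3.
    """

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        if self.internal.prefixlen != self.external.prefixlen or self.internal.prefixlen > 48:
            raise ValueError("example supports equal prefix lengths of at most /48")
        int_sum, ext_sum = _prefix_sum(self.internal), _prefix_sum(self.external)
        # Swapping the prefix shifts the checksum by (ext_sum - int_sum);
        # adding the opposite difference to the subnet word cancels that.
        self._out_adj = _ones_add(int_sum, _ones_neg(ext_sum))
        self._in_adj = _ones_add(ext_sum, _ones_neg(int_sum))

    def _translate(self, addr: str, src_net, dst_net, adj: int) -> str:
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        if _words(int(a))[3] == 0xFFFF:
            # 0xFFFF is one's complement "negative zero"; such a subnet
            # field cannot be mapped, so the packet must be refused.
            raise ValueError("subnet field 0xFFFF cannot be translated")
        plen = src_net.prefixlen
        mask = ((1 << 128) - 1) ^ ((1 << (128 - plen)) - 1)   # top plen bits
        n = (int(dst_net.network_address) & mask) | (int(a) & ~mask)
        words = _words(n)
        w3 = _ones_add(words[3], adj)
        words[3] = 0 if w3 == 0xFFFF else w3   # never emit negative zero
        out = 0
        for w in words:
            out = (out << 16) | w
        return str(ipaddress.IPv6Address(out))

    def to_external(self, addr: str) -> str:
        return self._translate(addr, self.internal, self.external, self._out_adj)

    def to_internal(self, addr: str) -> str:
        return self._translate(addr, self.external, self.internal, self._in_adj)


if __name__ == "__main__":
    npt = NPTv6("fd01:203:405::/48", "2001:db8:1::/48")
    inside = "fd01:203:405:1::1234"
    outside = npt.to_external(inside)
    print(inside, "->", outside, "->", npt.to_internal(outside))
    print("checksum neutral:", address_checksum(inside) == address_checksum(outside))
```

The point worth noticing is the subnet word: fd01:203:405:1::1234 comes out as 2001:db8:1:d550::1234, not 2001:db8:1:1::1234, because the translator has to fold the prefix difference into the address so that TCP/UDP checksums still verify on both sides. A firewall doing the mapping must therefore also expect the translated subnet value in any rule it writes against external addresses, which is one of the ways an NPt setup can surprise you.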


More information about the ipv6-ops mailing list