Starting pfsense for New Users

bert64

> I am actually surprised that this is a hack, because while on my ac66u, I did not need to perform any NAT reflection configuration and it just works when accessing my nextcloud instance with ddns

NAT itself is a hack that causes all kinds of problems, ideally you shouldn't need it at all. Having consistent routable addresses both sides is how IP was always designed to work. NAT was originally described in RFC1631, where it's clearly described as a short term temporary hack suffering from all kinds of detrimental side effects until a proper solution can be rolled out.

The difference you're seeing is a device intended for consumers that hides the details from you and applies the most common use case vs a device aimed at people with more networking knowledge that provides more fine grained control in case you have different requirements. An externally facing service might be intentionally unreachable from the inside on some networks.

Having NAT reflection means the traffic will go from your device to the firewall, then back from the firewall to the target host instead of directly from your device to the target host. Whether you notice a difference is going to depend on the performance of the devices in question, but the fact remains that it's an inefficient indirect route instead of an efficient direct route.
Assuming your devices are all 1gbps and capable of saturating this rate, then one client downloading direct from the server will consume 1gbps downstream on the switch while the server will consume 1gbps upstream on the switch. Every other port will be unaffected, so another client will be able to download or upload 1gbps through the firewall.
If you add reflection, then the firewall will be transferring 1gbps full duplex on the internal interface receiving data from the server and sending it to the client. If you then have another client trying to access an external site, it is going to be competing with your internal server for the 1gbps of available bandwidth the firewall has on the internal interface.
 

TanKianW

> I am actually surprised that this is a hack, because while on my ac66u, I did not need to perform any NAT reflection configuration and it just works when accessing my nextcloud instance with ddns

If you are concerned that it is a "hack", then you should use (or try out) the DNS Overrides (Split-DNS). Then fall back on NAT reflection if it does not work for your use case.


> NAT itself is a hack that causes all kinds of problems, ideally you shouldn't need it at all. Having consistent routable addresses both sides is how IP was always designed to work. NAT was originally described in RFC1631, where it's clearly described as a short term temporary hack suffering from all kinds of detrimental side effects until a proper solution can be rolled out.
>
> The difference you're seeing is a device intended for consumers that hides the details from you and applies the most common use case vs a device aimed at people with more networking knowledge that provides more fine grained control in case you have different requirements. An externally facing service might be intentionally unreachable from the inside on some networks.
>
> Having NAT reflection means the traffic will go from your device to the firewall, then back from the firewall to the target host instead of directly from your device to the target host. Whether you notice a difference is going to depend on the performance of the devices in question, but the fact remains that it's an inefficient indirect route instead of an efficient direct route.
> Assuming your devices are all 1gbps and capable of saturating this rate, then one client downloading direct from the server will consume 1gbps downstream on the switch while the server will consume 1gbps upstream on the switch. Every other port will be unaffected, so another client will be able to download or upload 1gbps through the firewall.
> If you add reflection, then the firewall will be transferring 1gbps full duplex on the internal interface receiving data from the server and sending it to the client. If you then have another client trying to access an external site, it is going to be competing with your internal server for the 1gbps of available bandwidth the firewall has on the internal interface.

bert64 has summed it all up.
 

bert64

> If you are concerned that it is a "hack", then you should use (or try out) the DNS Overrides (Split-DNS). Then fall back on NAT reflection if it does not work for your use case.

IPv6 is the most correct and least hacky way, same address both inside and outside, no nat, straight allow/deny rules on the firewall.

You can dual stack it if you'll be accessing it from external legacy clients. Internal devices will always have working v6 so they will never fall back to v4. If all the external places you access it from have v6, then you can save yourself the hassle and make it v6-only.
For instance i have an owncloud server at home that i only ever access from mobile when i'm outside, it's v6-only because i have working v6 on mobile too.
 

Elijahonli

> If you are concerned that it is a "hack", then you should use (or try out) the DNS Overrides (Split-DNS). Then fall back on NAT reflection if it does not work for your use case.
>
> bert64 has summed it all up.

when you say split DNS, does it mean that possibly i set pfsense (my dns server) to resolve my ddns domain to a private IP of my nextcloud instance?
 

Elijahonli

> IPv6 is the most correct and least hacky way, same address both inside and outside, no nat, straight allow/deny rules on the firewall.
>
> You can dual stack it if you'll be accessing it from external legacy clients. Internal devices will always have working v6 so they will never fall back to v4. If all the external places you access it from have v6, then you can save yourself the hassle and make it v6-only.
> For instance i have an owncloud server at home that i only ever access from mobile when i'm outside, it's v6-only because i have working v6 on mobile too.

wait I don't quite understand.. so you assign a private IPv6 address to your owncloud server and it can be accessed via the public internet?
Sorry still pretty weak in IPv6
 

bert64

> wait I don't quite understand.. so you assign a private IPv6 address to your owncloud server and it can be accessed via the public internet?
> Sorry still pretty weak in IPv6

The ISP assigns a public block of IPv6 addresses via DHCPv6-PD (or some ISPs will give you a static assignment). The firewall distributes addresses within the public block to your individual devices.

Owncloud has a proper routable IPv6 address as do all of my devices - every device gets its own unique routable address(es).
The firewall controls whether it can be reached globally, or whether it can only be reached internally. In the case of owncloud, i configure the firewall to allow access to the HTTPS service so it can be accessed externally.

There is no "private" network, my network is simply part of the Internet as a whole. The firewall still controls what access is allowed in or out of it.
 

Elijahonli

> The ISP assigns a public block of IPv6 addresses via DHCPv6-PD (or some ISPs will give you a static assignment). The firewall distributes addresses within the public block to your individual devices.
>
> Owncloud has a proper routable IPv6 address as do all of my devices - every device gets its own unique routable address(es).
> The firewall controls whether it can be reached globally, or whether it can only be reached internally. In the case of owncloud, i configure the firewall to allow access to the HTTPS service so it can be accessed externally.
>
> There is no "private" network, my network is simply part of the Internet as a whole. The firewall still controls what access is allowed in or out of it.

Interesting, which ISP are you using?
 

Elijahonli

I tried calling m1, but they seem to say that only 1 IPv4/IPv6 will be assigned and no block of IPv6 addresses will be assigned.

Let me try setting it up first then shall see haha
 

Mach3.2

> I tried calling m1, but they seem to say that only 1 IPv4/IPv6 will be assigned and no block of IPv6 addresses will be assigned.
>
> Let me try setting it up first then shall see haha

M1 does assign a block of /64 via DHCPv6-PD. You can't get any blocks larger than a /64 though, so you can only assign it to a single LAN interface if you have multiple LAN interfaces.

[Images: EQ54tKY.png, 3ud80ql.png]
 

bert64

> I tried calling m1, but they seem to say that only 1 IPv4/IPv6 will be assigned and no block of IPv6 addresses will be assigned.
>
> Let me try setting it up first then shall see haha

Yeah M1 will give you 1 wan address which will be assigned to your router/firewall, and one /64 block which you can assign to your own devices. It seems that not all of their support staff are fully clued up on IPv6.
It's enabled on the network by default so no need to call them, just need to enable it on your own device.

A single /64 is the minimum providers typically assign, ideally they would assign a /56 as that's the RFC/APNIC standard, but for some reason they don't.

They also fully support IPv6 on mobile, you will get a /64 assigned to your phone, and your phone will use random addresses from within the /64 for making outbound connections. If you tether your phone, your tethered devices will also get addresses within your /64.
Unlike IPv4, you get proper routable IPv6 on your phone and can actually connect to your phone and tethered devices from outside.

The one caveat with pfsense is that you need to change the DHCP6 DUID type from the default (DUID-LLT) to DUID-LL, which you can do under advanced/networking, other than that copy the settings Mach3.2 posted earlier.

You will then need to enable RA and optionally DHCPv6 to make the firewall autoconfigure addresses for your client devices.

Something i haven't tried, but *should* theoretically work... M1 only give you a /64 block, but they don't restrict how many such blocks you can request. If you connect multiple routers with a switch, or multiple virtual interfaces each with their own MAC you should in theory be able to get multiple /64 assignments. It would be much better if they'd just assign a /56 tho.

One other thing you can try, in the advanced DNS resolver settings you can set the DNS64 prefix to 2401:7400:8000:0:3:0::/96, M1 have a NAT64 server which allows ipv6-only devices to access externally hosted ipv4 sites. It seems to be used by default on mobile (at least on ios) but not on fibre. You don't need it as you'll have dual stack too, but you can have a play around to see how things handle an ipv6-only network.
 

Elijahonli

> M1 does assign a block of /64 via DHCPv6-PD. You can't get any blocks larger than a /64 though, so you can only assign it to a single LAN interface if you have multiple LAN interfaces.
>
> [Images: EQ54tKY.png, 3ud80ql.png]

thanks for sharing bro.

one confusion I have.

let's say ISP assign 4203:7547:25e1:def5:70bb:ec21:380a:1ac8 to my LAN interface.

does it mean that all my devices connected to my LAN interface will get a random v6 address 4203:7547:25e1:def5:xxxx:xxxx:xxxx:xxxx? and all the addresses are allocated to me or?
 

bert64

> thanks for sharing bro.
>
> one confusion I have.
>
> let's say ISP assign 4203:7547:25e1:def5:70bb:ec21:380a:1ac8 to my LAN interface.
>
> does it mean that all my devices connected to my LAN interface will get a random v6 address 4203:7547:25e1:def5:xxxx:xxxx:xxxx:xxxx? and all the addresses are allocated to me or?

No.
You will get a WAN address something like 2401:7400:c002::1234/128
And then you will get a prefix assignment, something like: 2401:7400:c802:aaaa::/64

All of your devices will then be 2401:7400:aaaa:bbbb:XXXX:XXXX:XXXX:XXXX, but the last half of the address is entirely up to you. You can assign them statically (eg ::1, ::2 etc) or you can let them pick their own addresses (random but persistent - eg the 2nd half of the address will never change for that device).

2401:7400: is M1
aaaa is the /48, i think M1 assign a different /48 depending on which geographical node you connect to
bbbb is then your /64, which will be randomly assigned to you by m1.
 

bert64

> this is interesting. singtel issues /32, which is the largest so far i suppose?

No, singtel allocate a /32 to the 6rd tunnel but each individual user only gets /64.
That's because of the way 6rd is designed, you need to devote an entire /32 because every possible ipv4 address gets a corresponding /64 - the 32 bits of the prefix, plus the 32 bits of the ipv4 address make up the prefix for your /64.
You can use a smaller block if your ipv4 space is small and consistent, but singtel's isn't - it's spread over a bunch of different class a networks, so you end up with large amounts of the /32 reserved by 6rd for ipv4 addresses that don't even belong to singtel. 6rd was only ever intended as a temporary hack, so in theory you'd recover the wasted address space once you got rid of whatever ancient equipment was preventing you from deploying native ipv6.

Using 6rd also has some quirks, as it's basically 6to4 with a fixed relay - eg if you send traffic to an address within the /32 your machine will send it direct to the corresponding ipv4, not via the tunnel server - so you can theoretically use this address space in this way to communicate with non singtel customers.

The proper thing to do as per the RFC (RFC6177) and the guidelines from APNIC is to allocate a /56 to residential customers, and a /48 to business customers. There is also a prefix hint feature, so your router can request a block of a particular size - eg some isps will provide a /64 by default, but provide a /56 if the router requests one. Sadly M1 don't support prefix hints.

I know starhub also provide ipv6 by default, but i'm not sure what their delegation policy is.
 

Elijahonli

> No.
> You will get a WAN address something like 2401:7400:c002::1234/128
> And then you will get a prefix assignment, something like: 2401:7400:c802:aaaa::/64
>
> All of your devices will then be 2401:7400:aaaa:bbbb:XXXX:XXXX:XXXX:XXXX, but the last half of the address is entirely up to you. You can assign them statically (eg ::1, ::2 etc) or you can let them pick their own addresses (random but persistent - eg the 2nd half of the address will never change for that device).
>
> 2401:7400: is M1
> aaaa is the /48, i think M1 assign a different /48 depending on which geographical node you connect to
> bbbb is then your /64, which will be randomly assigned to you by m1.

thanks for sharing, it clears up some of my confusion. Guess there is a lot of reading and learning to do.
 

miloaisdino

> No, singtel allocate a /32 to the 6rd tunnel but each individual user only gets /64.
> That's because of the way 6rd is designed, you need to devote an entire /32 because every possible ipv4 address gets a corresponding /64 - the 32 bits of the prefix, plus the 32 bits of the ipv4 address make up the prefix for your /64.
> You can use a smaller block if your ipv4 space is small and consistent, but singtel's isn't - it's spread over a bunch of different class a networks, so you end up with large amounts of the /32 reserved by 6rd for ipv4 addresses that don't even belong to singtel. 6rd was only ever intended as a temporary hack, so in theory you'd recover the wasted address space once you got rid of whatever ancient equipment was preventing you from deploying native ipv6.
>
> Using 6rd also has some quirks, as it's basically 6to4 with a fixed relay - eg if you send traffic to an address within the /32 your machine will send it direct to the corresponding ipv4, not via the tunnel server - so you can theoretically use this address space in this way to communicate with non singtel customers.
>
> The proper thing to do as per the RFC (RFC6177) and the guidelines from APNIC is to allocate a /56 to residential customers, and a /48 to business customers. There is also a prefix hint feature, so your router can request a block of a particular size - eg some isps will provide a /64 by default, but provide a /56 if the router requests one. Sadly M1 don't support prefix hints.
>
> I know starhub also provide ipv6 by default, but i'm not sure what their delegation policy is.

yea, my bad. i just realised it's /64 per user. not yet familiar with ipv6 subnetting :D

however u can select any address in the /32 space you desire for singtel, it's sort of "self declaratory". i even tried assigning myself 2400:d803:cafe::1 and it works.

6rd relay implementation by home routers seem to be they assign individual ipv6 addresses to devices based on the /32 determined by the ipv4 wan interface address, but this logic is completely done on the client-side, singtel 6rd relay makes no effort to verify the /32 utilised.

because of this, it's also theoretically possible to completely bypass routing over ipv4 by falsely using another /32 space which is not reserved for 6rd.. (ie the ipv4 is not encoded in the ipv6 address)

heck, even i assigned myself 2400:d803::1 for a short while and it worked

Edit: come to think of it, isn't this sort of a security concern as well?
 

bert64

> yea, my bad. i just realised it's /64 per user. not yet familiar with ipv6 subnetting :D
>
> however u can select any address in the /32 space you desire for singtel, it's sort of "self declaratory". i even tried assigning myself 2400:d803:cafe::1 and it works.
>
> 6rd relay implementation by home routers seem to be they assign individual ipv6 addresses to devices based on the /32 determined by the ipv4 wan interface address, but this logic is completely done on the client-side, singtel 6rd relay makes no effort to verify the /32 utilised.
>
> because of this, it's also theoretically possible to completely bypass routing over ipv4 by falsely using another /32 space which is not reserved for 6rd.. (ie the ipv4 is not encoded in the ipv6 address)
>
> heck, even i assigned myself 2400:d803::1 for a short while and it worked
>
> Edit: come to think of it, isn't this sort of a security concern as well?

Sounds like a pretty broken setup if you can do that...

It might work for external sites, but will prevent you from being able to communicate with other singtel users (breaking p2p etc).

And yes it does sound like quite a security concern if you can hijack the address space allocated to other users.
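
The 6rd mapping described earlier in the thread (a /32 prefix plus the 32 bits of the IPv4 address gives each customer a /64, or a shorter prefix when fewer IPv4 bits are embedded) and the relay-side source check whose absence is reported above, as an added example that is not part of any post here. The 6rd prefix 2001:db8::/32, the IPv4 addresses, the sample tunnel records and all function names are constructed for illustration; RFC 5969 calls for this kind of consistency check between the outer IPv4 source and the inner IPv6 source.

```python
import ipaddress

# Constructed values: 2001:db8::/32 (IPv6 documentation space) stands in for
# an ISP's 6rd prefix; IPv4 addresses are from the documentation ranges.
SIXRD_PREFIX = ipaddress.IPv6Network("2001:db8::/32")


def delegated_prefix(wan_v4, sixrd=SIXRD_PREFIX, common_bits=0):
    """Derive a customer's 6rd prefix from their IPv4 WAN address.

    common_bits is the number of leading IPv4 bits shared by every customer
    and therefore left out of the IPv6 prefix (0 = embed all 32 bits).
    """
    embed_bits = 32 - common_bits
    plen = sixrd.prefixlen + embed_bits
    if not 0 <= common_bits <= 32 or plen > 64:
        raise ValueError("6rd prefix plus embedded IPv4 bits must fit in /64")
    v4_low = int(ipaddress.IPv4Address(wan_v4)) & ((1 << embed_bits) - 1)
    base = int(sixrd.network_address) | (v4_low << (128 - plen))
    return ipaddress.IPv6Network((base, plen))


def relay_verdict(outer_v4_src, inner_v6_src, sixrd=SIXRD_PREFIX, common_bits=0):
    """Ingress check for one decapsulated packet at the relay.

    Returns "accept" only when the inner IPv6 source lies inside the prefix
    derived from the outer (tunnel) IPv4 source.
    """
    src = ipaddress.IPv6Address(inner_v6_src)
    if src not in sixrd:
        return "drop: source outside the 6rd prefix"
    expected = delegated_prefix(outer_v4_src, sixrd, common_bits)
    if src not in expected:
        return f"drop: source not in {expected}"
    return "accept"


# Constructed tunnel records: (outer IPv4 source, inner IPv6 source).
SAMPLE = [
    ("192.0.2.33", "2001:db8:c000:221::10"),    # matches its own /64
    ("192.0.2.33", "2001:db8:cafe::1"),         # self-declared, inside the /32
    ("198.51.100.7", "2001:db8:c000:221::10"),  # another customer's /64
    ("198.51.100.7", "fd00::1"),                # not in the 6rd prefix at all
]


def audit(records):
    """Return (outer, inner, verdict) for every record the check rejects."""
    out = []
    for outer, inner in records:
        verdict = relay_verdict(outer, inner)
        if verdict != "accept":
            out.append((outer, inner, verdict))
    return out


if __name__ == "__main__":
    print(delegated_prefix("192.0.2.33"))
    for row in audit(SAMPLE):
        print(*row)
```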
 

Elijahonli

sorry just another check, did anyone set up pfsense monitoring like zabbix or anything similar?
 

bert64

> sorry just another check, did anyone set up pfsense monitoring like zabbix or anything similar?

Both zabbix and nagios agents are available from the package list. I've used nagios nrpe for monitoring pfsense boxes in the past, but don't have anything like that set up currently.

If it's just a single firewall, you can also configure pfsense to send notifications via email, telegram etc. I would generally use nagios/zabbix if i have a large number of devices/services to monitor.
 