
IPv6 Basics - pfSense Hangout July 2015


Slides for the July 2015 pfSense Hangout video



1. IPv6 Basics
   July 2015 Hangout
   Jim Pingle
2. Project Notes
   ● 2.2.4 today/this weekend (in final testing)
     – Beneficial improvements, security enhancements
     – Permanent fixes for FS corruption on power loss or crash
     – Fixes for IPsec (AES, ID issues, CA/Cert/CRL and more)
     – https://doc.pfsense.org/index.php/2.2.4_New_Features_and_Changes
   ● Book is being actively updated, new online HTML format, downloads in PDF, ePub, Mobi still available
   ● SG-4860 1U now shipping
     – Same as the existing SG-4860 but in a 1U chassis
   ● SG-4860 HA Bundle
   ● SG-2220 shipping next month
3. About this Hangout
   ● IPv6 Basics / Crash Course
     – May have to (over)simplify in places
   ● IPv6 Addressing, Subnetting, Allocation
   ● IPv6 WAN/Interface Types
   ● DHCPv6 / SLAAC
   ● IPv6 via Tunnel Broker (Hurricane Electric)
   ● Gotchas
4. IPv6 Overview (network diagram)
   Three Subnets:
     1. WAN /64 (Transport)
     2. Routed /64 (LAN)
     3. Routed /48 (Misc uses)
   WAN /64
     – ISP: x:x:x:x::1/64
     – FW1 WAN: x:x:x:x::2/64, Gateway: x:x:x:x::1
   LAN, Routed /64
     – FW1 LAN: y:y:y:y::1/64
     – Client 1: y:y:y:y::7ac0
     – AP 1: y:y:y:y::cafe
   DMZ using /64 from routed /48
     – FW1 DMZ: z:z:z:1::1
     – DMZ Server 1: z:z:z:1::beef
   RDMZ using /64 from routed /48
     – FW1 RDMZ: z:z:z:2::1
     – FW2 WAN: z:z:z:2::feed/64 (DHCP)
   Prefix Delegation (chunk of /48): z:z:z:F000:: to z:z:z:FF00::, Size: 60
     – FW2 Delegation: z:z:z:FF00::/60
     – FW2 LAN: z:z:z:FF00::/64, Client 2: z:z:z:FF00::c0de
     – FW2 Voice: z:z:z:FF01::/64, Phone 1: z:z:z:FF01::dead
5. IPv6 Basics
   ● In many ways, similar to IPv4, though there are significant differences. Be aware, not afraid!
   ● End-to-End must all support IPv6
     – Client OS, client software, firewalls, routers, ISPs, server OS, daemons, etc
   ● Dual Stack (IPv4 and IPv6) is common
     – Clients will prefer IPv6 by default if present
     – DNS can return an A for IPv4 and AAAA for IPv6 and the client will pick IPv6 if it is capable
   ● Elimination of NAT (well, almost)
     – Clients all have “public” routable addresses and do not need NAT
     – Port forwards are still possible, NPt is similar to 1:1 NAT
   ● Needs more care at firewall level to prevent unintended access to LAN (especially with VPNs)
     – NAT was never a “firewall”, though some relied on it as a crutch!
   ● 128-bit address, 2^128 or 3.403 * 10^38 addresses
     – https://samsclass.info/ipv6/exhaustion.htm
   ● Standard subnet size is a /64 which contains 18.4 quintillion addresses
     – /64 required for SLAAC
   ● ICMP is required/necessary – don't needlessly filter it or you'll break things!
   ● Most areas of pfSense are IPv6 aware and capable, but watch for edge cases
6. IPv6 Addressing
   ● 32 hexadecimal digits (0-f!), in 8 sections of 4 digits each, separated by colons.
     – 1234:5678:90ab:cdef:1234:5678:90ab:cdef
   ● Leading zeros in a section may be omitted
   ● “::” can be used to represent multiple sections containing only zeros, but may only be used once, usually the first occurrence.
   ● 0001:0001:0001:0001:0001:0001:0001:0001 → 1:1:1:1:1:1:1:1
   ● 0000:0000:0000:0000:0000:0000:0000:0001 → ::1
   ● 1234:5678:0000:0000:0000:0000:90ab:cdef → 1234:5678::90ab:cdef
   ● 1234:0000:0000:5678:0000:0000:90ab:cdef → 1234::5678:0:0:90ab:cdef
   ● As you can see, DNS is important unless you have a great memory!
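The compression rules on this slide (drop leading zeros, replace the longest run of all-zero sections with "::", only once, first run on a tie) are exactly what RFC 5952 specifies for the canonical text form. The following is an added example, not part of the slides, that implements those rules by hand and checks the result against Python's ipaddress module using the slide's own sample addresses:

```python
import ipaddress
from typing import List

def expand(addr: str) -> List[str]:
    """Parse any textual IPv6 address and return its eight 4-digit hextets.
    Parsing is delegated to the standard library; the formatting rules below are hand-written."""
    return ipaddress.IPv6Address(addr).exploded.split(":")

def compress(addr: str) -> str:
    """Shortest form per the slide's rules: drop leading zeros in each section, then replace
    the longest run of two or more all-zero sections with '::' (the first run wins a tie)."""
    hextets = [h.lstrip("0") or "0" for h in expand(addr)]   # rule 1: leading zeros go
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, h in enumerate(hextets):
        if h == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:          # strictly greater: a later run of equal length does not replace the first
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    if best_len < 2:                        # '::' stands for multiple sections, never a single one
        return ":".join(hextets)
    left = ":".join(hextets[:best_start])
    right = ":".join(hextets[best_start + best_len:])
    return f"{left}::{right}"

def matches_stdlib(addr: str) -> bool:
    """True when the hand-written compression agrees with ipaddress (RFC 5952 canonical form)."""
    return compress(addr) == ipaddress.IPv6Address(addr).compressed

if __name__ == "__main__":
    # The four sample addresses from the slide
    for a in ("0001:0001:0001:0001:0001:0001:0001:0001",
              "0000:0000:0000:0000:0000:0000:0000:0001",
              "1234:5678:0000:0000:0000:0000:90ab:cdef",
              "1234:0000:0000:5678:0000:0000:90ab:cdef"):
        print(f"{a} -> {compress(a)}   stdlib agrees: {matches_stdlib(a)}")
```

The practical point for firewall and log work: the same address has many valid spellings, so string comparison of addresses in logs, rules or allow-lists is unreliable; parse both sides into ipaddress objects (or canonicalise with compress()) before comparing.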
7. IPv6 Special Addresses
   ● Localhost – ::1
   ● Link Local – fe80::/10 – only valid inside a broadcast domain
   ● ULA – Unique local address, “Private” – fc00::/7
     – Similar to RFC1918
     – Rarely used in practice. Sometimes as VPN transport networks or with NPt
   ● GUA – Global Unique Addresses, Routable – 2001::/16
   ● Multicast – ff00::/8
   ● Documentation – 2001:db8::/32 – Similar to RFC 5735
8. IPv6 Subnetting
   ● No subnet mask, but prefix length
     – Prefix defines how many bits of the address define the network
     – Most commonly used in multiples of four
   ● Subnets are easy! Add or drop digits and adjust prefix length by a multiple of four
   ● No wasted addresses for broadcast/null route
   ● No need to calculate “usable” addresses or remember where a block starts or stops
9. IPv6 Addressing
   Example address: 2001:0DB8:0400:000e:0000:0000:0000:402b
   Digit positions: XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

   Prefix   # of IP Addresses in Subnet
   /128     1
   /124     16
   /120     256
   /116     4,096
   /112     65,536
   /108     1,048,576
   /104     16,777,216
   /100     268,435,456
   /96      4,294,967,296
   /92      68,719,476,736
   /88      1,099,511,627,776
   /84      17,592,186,044,416
   /80      281,474,976,710,656
   /76      4,503,599,627,370,496
   /72      72,057,594,037,927,936
   /68      1,152,921,504,606,846,976
   /64      18,446,744,073,709,551,616
   /60      295,147,905,179,352,825,856
   /56      4,722,366,482,869,645,213,696
   /52      75,557,863,725,914,323,419,136
   /48      1,208,925,819,614,629,174,706,176
   /44      19,342,813,113,834,066,795,298,816
   /40      309,485,009,821,345,068,724,781,056
   /36      4,951,760,157,141,521,099,596,496,896
   /32      79,228,162,514,264,337,593,543,950,336
   /28      1,267,650,600,228,229,401,496,703,205,376
   /24      20,282,409,603,651,670,423,947,251,286,016

   Source: https://stronk.org/ipv6-subnet-cheat-sheet/
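Slides 8 and 9 make the point that IPv6 subnetting is arithmetic on hex digits: every step of four bits in the prefix length multiplies the subnet size by 16, and a block is carved into smaller ones by appending digits. The example below is added here and is not part of the slides; it regenerates the cheat-sheet table, carves a routed block into /64s and /60s, and computes the n-th piece directly with integer math. The block 2001:db8:abcd::/48 is a constructed stand-in for a routed /48 (chosen inside the documentation prefix from slide 7); the delegation pool it reproduces follows the slide-17 style F000:: to FF00:: range with /60 chunks.

```python
import ipaddress

def addresses_in_prefix(prefix_len: int) -> int:
    """Addresses covered by an IPv6 prefix of this length: 2^(128 - prefix_len)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    return 1 << (128 - prefix_len)

def cheat_sheet(longest: int = 128, shortest: int = 24, step: int = 4):
    """Rows of (prefix length, address count) from /128 down to /24 in steps of four,
    i.e. one hex digit of the address per row: the same shape as the slide's table."""
    return [(p, addresses_in_prefix(p)) for p in range(longest, shortest - 1, -step)]

def carve(block: str, new_len: int, limit: int = 4):
    """Split `block` into /new_len subnets. Returns (total count, first `limit` subnets as text)."""
    net = ipaddress.IPv6Network(block)
    if new_len < net.prefixlen or new_len > 128:
        raise ValueError("new prefix length must lie between the parent length and 128")
    total = 1 << (new_len - net.prefixlen)
    first = []
    for sub in net.subnets(new_prefix=new_len):
        if len(first) == limit:
            break
        first.append(str(sub))
    return total, first

def nth_subnet(block: str, new_len: int, index: int) -> str:
    """Subnet number `index` when `block` is carved into /new_len pieces, by integer arithmetic
    (no need to walk 65,536 networks to reach the last /64 of a /48)."""
    net = ipaddress.IPv6Network(block)
    total = 1 << (new_len - net.prefixlen)
    if not 0 <= index < total:
        raise IndexError(f"index must be in 0..{total - 1}")
    base = int(net.network_address) + index * (1 << (128 - new_len))
    return str(ipaddress.IPv6Network((base, new_len)))

if __name__ == "__main__":
    # Constructed example block standing in for the routed /48 from the slides
    routed_48 = "2001:db8:abcd::/48"
    for plen, count in cheat_sheet():
        print(f"/{plen:<4} {count:,}")
    total, first = carve(routed_48, 64)
    print(total, first)                       # 65536 /64 networks; the first four are listed
    # /60 delegation pool in the style of slide 17: y:y:y:F000:: to y:y:y:FF00::
    print(nth_subnet(routed_48, 60, 0xF00))   # 2001:db8:abcd:f000::/60, first /60 of the pool
    print(nth_subnet(routed_48, 60, 0xFF0))   # 2001:db8:abcd:ff00::/60, last /60 of the pool
```

Because a /60 spans sixteen /64s, the fourth hextet of the n-th /60 is simply 16*n; that is why the pool boundaries on slide 17 land on round hex values such as F000 and FF00, and why a delegation size that is not a multiple of four is harder to reason about by eye.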
10. IPv6 Allocations
   ● Typically a /64 on WAN for transport/interconnect, but may be smaller
     – This is NOT used for clients directly!
   ● Minimum /64 is routed to firewall address in WAN subnet
     – This is used for clients on LAN or similar
   ● Often a larger block, such as /48 or at least /60, is routed so multiple local networks may be used
   ● Some providers give a single large block (e.g. /48) and use the first /64 of the block as WAN transport subnet
11. IPv6 Connectivity Basics
   ● Every interface of every system will have a self-generated link-local IP address
     – In some cases the same link-local address is on multiple interfaces, but scoped with the interface name
   ● Instead of ARP, systems find each other using NDP inside a given broadcast domain
   ● Router Advertisements and solicitations are used so clients can locate gateways on a network, and discover how to obtain addresses (SLAAC or DHCPv6)
   ● Clients typically contact the gateway using link-local address
12. IPv6 WAN/Interface Types
   ● Static IPv6
     – ISP allocates a /64 or smaller for WAN, /64 or larger routed for LAN(s)
   ● DHCPv6
     – Single WAN address obtained from a DHCP server upstream
     – Prefix Delegation is used to allocate a subnet for LAN usage, commonly a /60 (Comcast and others).
   ● SLAAC (Stateless address autoconfiguration)
     – Single address, self-generated
     – Useful for clients/endpoints but not firewalls
   ● 6RD (IPv6 Rapid Deployment)
     – A method of tunneling IPv6 traffic inside IPv4
     – ISP gives a defined prefix, border relay, and IPv4 prefix length
   ● 6to4
     – Relayed via ISP and others with 6to4 relays
     – No user options
     – May not have connectivity to all IPv6 networks
   ● Tunnel Broker
     – Tunnels IPv6 over IPv4, typically using GIF
     – Non-native, independent of ISP support
13. DHCPv6 / SLAAC
   ● Static IP addressing works, of course, but can be cumbersome
   ● For local automated allocation, two options are DHCPv6 or SLAAC
   ● SLAAC is simple and more widely supported
     – Clients assign their own addresses (based on MAC: […]:xxxx:xxFF:Fexx:xxxx)
     – Privacy extensions (RFC 4941) to make it dynamic and not based on MAC
     – Firewall has no knowledge of total number of clients or their addresses, hostnames, etc.
     – Duplicate Address Detection prevents IPv6 address conflicts with SLAAC
   ● DHCPv6 gives more control and reporting
     – DHCPv6 server gives leases, similar to IPv4
     – Not all clients have DHCPv6 support (e.g. Android)
     – Clients have a DUID (DHCP Unique ID) specific to the host
     – Clients typically also have an IAID (Interface Association ID) that varies per interface
     – Clients are identified using a combination of DUID and IAID, not MAC
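The "[…]:xxxx:xxFF:Fexx:xxxx" pattern on this slide is the modified EUI-64 interface identifier: the MAC is split in half, ff:fe is inserted, and the universal/local bit is flipped. The example below is added here and is not part of the slides. It builds a SLAAC address from a /64 and a MAC, recognises the ff:fe marker in an address seen in firewall logs, and recovers the MAC from it; that is useful for a defender correlating SLAAC addresses back to hosts, and it also shows concretely what privacy extensions (RFC 4941) are hiding. The prefix 2001:db8:abcd:1::/64 and the MAC 00:11:22:33:44:55 are constructed sample values.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC: split the MAC in half,
    insert ff:fe between the halves, and flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> str:
    """Address a SLAAC client without privacy extensions forms from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")    # matches the slide-5 note: /64 required for SLAAC
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))

def is_eui64_derived(addr: str) -> bool:
    """True when the interface identifier carries the ff:fe marker, i.e. the address most likely
    embeds a hardware MAC rather than an RFC 4941 temporary identifier."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE

def embedded_mac(addr: str) -> str:
    """Recover the MAC from an EUI-64 derived address (inverse of eui64_interface_id)."""
    if not is_eui64_derived(addr):
        raise ValueError("address does not carry an EUI-64 interface identifier")
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    octets = bytearray(iid[:3] + iid[5:])   # drop the inserted ff:fe
    octets[0] ^= 0x02                        # undo the universal/local flip
    return ":".join(f"{b:02x}" for b in octets)

if __name__ == "__main__":
    # Constructed sample LAN prefix and client MAC
    lan = "2001:db8:abcd:1::/64"
    mac = "00:11:22:33:44:55"
    a = slaac_address(lan, mac)
    print(a)                                  # 2001:db8:abcd:1:211:22ff:fe33:4455
    print(is_eui64_derived(a), embedded_mac(a))
    # A constructed privacy-extension style address carries no ff:fe marker
    print(is_eui64_derived("2001:db8:abcd:1:3c5e:9f21:7a0b:44d1"))
```

Note what follows from this for the firewall: with EUI-64 SLAAC a client's address is stable and tied to its NIC, so log correlation is easy but the MAC is visible to every peer on the Internet; with privacy extensions the addresses rotate and the firewall sees new identifiers over time, which is the "no knowledge of clients or their addresses" trade-off the slide describes and one reason to prefer DHCPv6 where inventory matters.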
14. IPv6 via Tunnel Broker
   ● For those without access to native IPv6, free options exist for IPv6 tunneling over IPv4
     – Hurricane Electric (Recommended)
     – Sixxs
   ● Tunneling IPv6 over IPv4 will add latency and reduce MTU, but is typically better than no IPv6 at all
   ● Most work by using a GIF tunnel
     – OpenVPN could also be used, especially if done internally (IPv6 at DC to give IPv6 to remote office)
   ● Options vary by provider; this demo uses Hurricane Electric
15. Register for a Tunnel
   ● Allow ICMP echo requests to the WAN IP in pfSense
   ● Visit http://tunnelbroker.net to register and then login
   ● Click Create Regular Tunnel
   ● Enter the firewall WAN IP, click outside
   ● Pick the nearest endpoint (traceroute helps here, fewer hops the better!)
   ● Click Create Tunnel and then Assign /48
   ● Note all the details of the tunnel
   ● Visit Advanced tab
   ● Adjust MTU if needed (e.g. WAN is PPPoE, 1452)
   ● If WAN is a dynamic IP address, note the Update Key
   ● On pfSense, adjust WAN ICMP rule to only pass from the chosen endpoint
   ● Visit System > Advanced, Networking tab, make sure Allow IPv6 is checked
16. Setup pfSense
   ● Interfaces > (assign), GIF tab, click +
   ● Select WAN for the Parent Interface
   ● GIF Remote Address = HE Server IPv4 Address
   ● GIF Tunnel Local Address = HE Client IPv6 Address
   ● GIF Tunnel Remote Address = HE Server IPv6 Address /64
   ● Save
   ● Assign the new GIF interface, enable, rename, leave IP = None, Save/Apply
   ● System > Routing, edit IPv6 gateway, set default, Save/Apply
   ● Check Status > Gateways
17. Setup pfSense (Cont'd)
   ● Interfaces > LAN
   ● Set IPv6 Configuration Type to Static IPv6
   ● Pick and enter an address from Routed /64 to use for LAN IPv6 address (Not Tunnel /64!!)
     – Ex: x:x:x:x::1/64
   ● Save/Apply
   ● Services > DHCP Server / RA, enable
   ● Set a Range inside the LAN /64
     – Ex: x:x:x:x::F000 to x:x:x:x::FFFF
   ● Prefix delegation is optional, but since we have a Routed /48, may as well use it. A /56 or /52 size chunk of the /48 is plenty.
     – Set delegation as y:y:y:F000:: to y:y:y:FF00::, pick /60 for size
     – Each client that requests a delegated prefix will get a /60 chunk of that address range
   ● Save
   ● Router Advertisements tab, pick the mode (e.g. Assisted for DHCPv6 and SLAAC), Save
   ● Firewall > Rules, LAN tab, make sure there are rules to pass out IPv6 from LAN Net and also from the Routed /48 (as needed)
18. Try it!
   ● Connect a client to LAN and try it out! http://test-ipv6.com
   ● Ensure that IPv6 is enabled on the client
     – On by default on many modern OS installs
   ● Should show 10/10 if everything is working properly, and show the tunnel broker allocated IP blocks
   ● May need to add one of the tunnel broker's IPv6 DNS servers to System > General
19. DynDNS, Prefix Delegation
   ● Dynamic IP WAN:
     – Services > DynDNS, create new entry
     – Select HE.net Tunnelbroker
     – For the Hostname, enter the numeric Tunnel ID
     – Enter the username
     – Enter either the password OR the update key. Update key is better.
   ● Prefix Delegation
     – For a firewall behind DHCPv6
     – Set WAN to DHCPv6, select Prefix size to match upstream (e.g. /60)
     – Set LAN to Track6, pick WAN, id = 0 (DMZ could use 1, etc)
     – DHCPv6 and RA are setup automatically
     – Add firewall rules as desired
20. Gotchas
   ● Careful of broken IPv6 connectivity!
     – If IPv6 IP addresses are present, but routing is broken, IPv6 may still be selected for use
     – Fix IPv6 or change System > Advanced on the Networking tab. Check Prefer IPv4 over IPv6, then click Save
   ● Watch out for VPN “leakage”!
     – Routing is possible LAN-to-LAN on IPv6
     – A VPN tunnel could appear to be working when in reality it's not taking a tunnel at all! (WAN rules far too relaxed)
     – Ensure traffic that should go over a VPN cannot go any other way
   ● Clients will have multiple IP addresses, in some cases both SLAAC and DHCPv6; address selection/use is handled by the client.
21. Conclusion
   ● http://sophiedogg.com/funny-ipv6-words/
   ● Planning a follow-up with more advanced topics: IPv6 and CARP, IPv6 and Multi-WAN, IPv6 VPNs
   ● Questions?
   ● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc
