@Tux0ne Yup, /56…

@Anonymhmm everyone has their own opinion… but I’m not sure if I can understand your reasoning….

I currently understand that you want to take your own ipv6 subnet with you to a provider, with as much bandwidth as possible, right?


Swisscom Network Engineer IP+ AS3303,

guybrush82

So I would start the experiment simpler.

Since the prefix here is not static. You then have to track the WAN interface in the local interfaces. So with a 56 prefix you have 8 bits (2 digits after the prefix) left to make 64 nets. So you can go from 00 to ff.
I saw that the Internet Büx makes a 00.

So configure WAN and locally. Restart the interface. Then you can also look in the firewall log to see if anything on the WAN was blocked with UDP 546. You would then have to activate that.

If that doesn’t work. Otherwise I have a referral code ready 😂


    Thanks Tux0ne

    With the option “Request only an IPv6 prefix” I now at least get an IPv6 address on the WAN interface: xxxx::xxx:xxxx:xxxx:xxxx%igb2 (I don’t know whether the “%igb2” suffix should be there 😉 )

    And apparently I got a new IP on the IPv4 interface… 🙄


    On the LAN interface, Track Interface is on:


    No blocks on UDP 546 appear in the firewall logs:


    Nevertheless, I get a message on IPv6 test pages that says IPv6 is not supported:


      @ChristianEb

      Exactly as much throughput as possible with my own IPv6 addresses, which I can take with me if I change provider. That makes more than just sense.

      It doesn’t help me much if my pfSense has an IPv6 address with a Swisscom prefix or not; in my opinion it has nothing to do with IPv6. In my opinion, anyone who only cares about this principle has not understood the concept and idea behind IPv6.

      Since IPv6 cannot communicate with IPv4, I have to activate and configure IPv6 on every device and there is no NAT with IPv6, which is exactly where the catch comes. Now I have to assign an IPv6 address to every device, for example my printer.

      If I now give my printer an IPv6 which has a prefix from Swisscom, I have to reconfigure the printer when I change provider.

      Please correct me if this is wrong, then I haven’t done my homework?

      My problem (and everyone who has a NAS or a camera) is affected by this and will really be in trouble if I change provider. This means having to reconfigure the entire network every time is unthinkable for companies and if you still have documentation then you can forget about it anyway.

      Therefore, there would have to be a Federal Court decision that clearly regulates this, namely that every provider must also allow and provide independent IP addresses. The only alternative I see is that the provider then takes over the reconfiguration including updating the documentation, so I have no problem with that. Access to my apartment would of course be granted but of course there is only a certain predefined maintenance window and that will not be a week. By the way, in this case the firewall rules would probably have to be adjusted as I also have to assign fixed IP addresses. I assume the rest should be clear that any reverse proxy and DNS stories also need to be adjusted.

      I’m not talking about an acute problem here (unless you already have IPv6 running and haven’t taken that into account). But I can’t understand why marketing reasons make it so difficult. By the way, I would like to see the providers when RIPE says you’re all getting new prefixes because we have to reorganize something.


      Yes, you don’t see that entirely realistically @Anonymous

      Even if you change your ISP and the associated prefix change, you don’t have to reconfigure everything.

      Basically you have SLAAC, so everything is addressed anew. And for server services you can make static leases using DHCP6.
      DHCP6 in pfSense takes this over again if there is a dynamic prefix. Only the range and the static client identifier are defined. The prefix is taken over again based on the tracking from the WAN. You should configure it like this.

      With the local DNS resolution there is also the option of adopting the names based on the DHCP6 lease.

      So just because you have IPv6 doesn’t suddenly tie you to the ISP because addressing the clients should present insurmountable hurdles.

      I think my ISP change took less than half an hour and I had some static configurations in there.

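The two points made in this thread about prefix tracking (a /56 delegation leaves 8 bits, prefix IDs 00 to ff, to pick one of 256 /64 networks) and about renumbering (only the prefix changes; SLAAC and static DHCPv6 suffixes are reapplied on top of whatever the WAN currently receives) can be checked with a few lines of code. The following is an added illustration, not pfSense code and not anything posted in this thread; the delegated prefixes, the MAC address and the static suffix are constructed documentation values, and the function names are my own.

```python
import ipaddress

# Constructed sample values (documentation prefixes, not real ISP ranges):
OLD_DELEGATED = "2001:db8:aaaa:ff00::/56"   # /56 received from the old ISP via DHCPv6-PD
NEW_DELEGATED = "2001:db8:bbbb:1200::/56"   # /56 received from the new ISP after the switch


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Derive the /64 of one local segment from a delegated prefix.

    Mirrors the idea of pfSense's 'Track Interface': the delegated prefix is
    taken from the WAN and the hex 'IPv6 Prefix ID' (00..ff for a /56) fills
    the bits between the delegation length and /64.
    """
    net = ipaddress.IPv6Network(delegated, strict=True)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot be split into /64s")
    free_bits = 64 - net.prefixlen
    if not 0 <= prefix_id < (1 << free_bits):
        raise ValueError(f"prefix id must be 0..{(1 << free_bits) - 1:x} for a /{net.prefixlen}")
    base = int(net.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier that classic SLAAC derives from a MAC."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the universal/local bit
    return int.from_bytes(eui, "big")


def host_address(lan: ipaddress.IPv6Network, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a /64 with a 64-bit interface identifier (SLAAC or static DHCPv6 suffix)."""
    if lan.prefixlen != 64 or not 0 <= interface_id < (1 << 64):
        raise ValueError("need a /64 and a 64-bit interface id")
    return ipaddress.IPv6Address(int(lan.network_address) | interface_id)


def renumber(old_delegated: str, new_delegated: str, prefix_id: int, interface_ids: dict) -> dict:
    """Map each host name to its (old, new) address when only the delegated prefix changes.

    The interface identifiers are untouched, which is why the hosts themselves
    need no reconfiguration after an ISP change.
    """
    old_lan = lan_prefix(old_delegated, prefix_id)
    new_lan = lan_prefix(new_delegated, prefix_id)
    return {name: (str(host_address(old_lan, iid)), str(host_address(new_lan, iid)))
            for name, iid in interface_ids.items()}


if __name__ == "__main__":
    ids = {
        "laptop (SLAAC)": eui64_interface_id("00:11:22:33:44:55"),      # constructed MAC
        "nas (static DHCPv6 suffix ::1234)": 0x1234,                    # constructed suffix
    }
    for name, (old, new) in renumber(OLD_DELEGATED, NEW_DELEGATED, 0x0a, ids).items():
        print(f"{name}: {old} -> {new}")
```

Anything that stores the full address rather than the suffix (firewall rules, DNS records, reverse proxies, certificates) is the part that does need attention after a prefix change, which is why the thread recommends aliases and DHCPv6-lease-based DNS registration on the firewall rather than hard-coded addresses.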

      @Anonymous wrote:

      there is no NAT with IPv6,


      IPv6 also supports NAT. However, using NAT with IPv6 is not recommended:

      https://security.stackexchange.com/questions/44065/with-ipv6-do-we-need-to-use-nat-any-more


      @Anonymous wrote:

      Please correct me if this is wrong, then I didn’t do my homework?

      My problem (and everyone who has a NAS or a camera) is affected by this and will really be in trouble if I change provider. This means reconfiguring the entire network every time, which is unthinkable for companies


      There are also mechanisms for fully automatic distribution of global IPv6 addresses for IPv6. For example: DHCPv6 and SLAAC. Anyone who manually assigns a global IPv6 address to every network participant in the home network or company network is doing something wrong:

      https://www.elektronik-kompendium.de/sites/net/2004011.htm

      https://www.elektronik-kompendium.de/sites/net/1902141.htm

      https://www.elektronik-kompendium.de/sites/net/1902131.htm


      @Anonymous wrote:

      My problem (and everyone who has a NAS or a camera) is affected by this and will really be in trouble if I change provider.

      For security reasons, access to such devices from the Internet should only be possible with a VPN tunnel. See “Good Performance Rule #5” at:

      https://community.upc.ch/d/4397-diagnose-tool-der-connect-box-says-your-home-network-hat-derzeit-einige-probl/27

      => IPv4 can continue to be used for VPN tunnels for the foreseeable future.

      In general, you should avoid using IPv6 until the ISP (here Swisscom) supports dual stack:

      https://www.elektronik-kompendium.de/sites/net/1904041.htm

      The use of any IPv6 tunnel solutions is not recommended. See “Good Performance Rule #26” and:

      https://community.swisscom.ch/t5/Internet-Allgemein/IPv6-6rd-MTU/td-p/641943

      guybrush82

      546 would be the local port not the sender port.

      Has no address been configured as a gateway on the LAN?

      Then you just have to do a bit of trial and error.

      You can also try with a config like this. Simply with prefix 56 and not 52!

      You don’t have to configure the RA so that local clients can use IPv6. Is that already clear?


        @Tux0ne

        > You don’t have to configure the RA so that local clients can use IPv6. Is that already clear?

        No, that’s not clear to me, just to out myself as an IPv6 noob. 🙈😄

        And I imagined it would be somehow easier with the IPv6 thing.

        Actually, I would only want to use IPv6 out of interest anyway, but I have no problem switching it off if (from what I read here) many providers (including Swisscom) still make it more complicated than necessary.

        Because I’m still a little bit ambitious, I’d like to make a few more attempts.

        And to get closer to the diagnosis: No, no IPv6 address has been configured on the internal (LAN) interface.

        The DHCP server doesn’t run on the firewall either, it’s outsourced to internal servers behind it and isn’t configured for IPv6 (if that were necessary), or I see here that RAs seem to be part of the DHCP6 server.

        However, before I approach the IPv6 configuration of the local clients, I would like to have the part on the router working correctly.

        @Tux0ne Even with all the additional options, the WAN interface only has an fe80:: address, which is probably the link-local address and indicates that a “real” IPv6 address is not obtained at all. 😞

        Thank you for your answers from various sides. I still have to do a little bit of my homework. But this becomes more than just complicated with IPv6, as many things as you have to / should / can take into account. A real jumble of possibilities. This also means that 90% of current home network supervisors will lose the complete overview with IPv6 😄 unless you have a lot of time.

        But I still have to read up on certain services. I’m familiar with the electronics compendium but I haven’t finished it yet.

        “Anyone who manually assigns a global IPv6 address to every network participant in the home network or company network is doing something wrong:”

        I will certainly look into this statement in more detail and test it out and read it. That’s exactly the crux of the whole thing.

        The rest, relating to performance and security, are different topics and are negligible in the first step because the basic principle must be clear first. Security follows, and finally performance.

        I’ll find out what SLAAC and autoconfiguration mean. Thank you for the information.

        Of course I’m still interested in the settings for the Pfsense. But I haven’t decided yet which Internet will accompany me in the future. But that will still take 2 months until all the cables are in and everything is connected. So I still have time and I still have to order the hardware and evaluate it. But you can see that I’m not the only one and I’m glad 🙂.

        a month later

        Silvia Hagen’s books are very good, but unfortunately no longer completely up to date. Sure, the basics of IPv6 are still valid, but a lot has happened in the last few years in terms of practical implementation and concepts.
        6 days later

        XGS-PON 10/10 Giga has been available since yesterday. Now I thought the following:

        Ordering Hybrid7 P2MP, the Zyxel AX7501-B0 is also included, which I set in bridge mode. After that comes my Pfsense and there I have my dynamic WAN IPv4? This does not mean an internal address of the Zyxel modem.

        Simple question, so I would like a simple answer: works or doesn’t work!

        We’re leaving out IPv6 for now. I can configure that later. I just want to have my WAN IP directly on the PFsense, if that’s not possible then I’ll have problems.

        I’m a bit confused because of statements like this that I’ve already received:

        > 10G via PPPoE is extremely CPU intensive. Where we actually have direct dark fiber/FTTH, 10G is just routed; PPPoE requires a lot more CPU, and then I only get complaints because it peaks at 2, 3, 4 Gbit/s depending on the situation. We currently do not give a 10G guarantee on BBCS.

        My next question:

        Hybrid7 P2MP runs via PPPOE, the Zyxel modem does the registration and then simply forwards everything to the Pfsense? Is there really still that kind of performance? Calculation problems?

        @Tux0ne + @Werner


        Yes, if the Zyxel router is in bridge mode, the downstream device receives the public IP.

        If the Zyxel is in bridge mode, the downstream router does the registration. If the Zyxel is in router mode, it logs in and with IPv4 you can only do NAT on the downstream router.

        Yes, PPPoE is a bit more computationally intensive.
        Even 10GE requires strong hardware for pfsense. Whether DHCP or PPPoE doesn’t matter now. Depending on whether you only do NAT and FW. IDS is another story again.

        You can look up approaches to what is needed and what is possible from the Netgate Appliances. There are some that reach almost 10GE.

        Does init7 now also offer the “10GE” via XGS PON? That was still limited to 1GE. Have you adjusted the connections and contracts?


        @Tux0ne wrote:

        Already 10GE requires strong hardware for pfsense. Whether DHCP or PPPoE doesn’t matter now. Depending on whether you only do NAT and FW. IDS is another story again.

        You can look up approaches to what is needed and what is possible at Netgate Appliances. There are some that reach almost 10GE.


        If you want to use your own, self-selected hardware for the firewall with 10Gbit/s or faster Internet connections, you should take a look at the website:

        https://michael.stapelberg.ch/posts/2021-07-10-linux-25gbit-internet-router-pc-build/

        be inspired. This self-selected hardware is ideally operated with a self-installed Linux or vanilla FreeBSD without web interface bells and whistles like pfSense, OPNsense, IPFire. If you are interested in Linux or vanilla FreeBSD as an operating system for your own hardware firewall, you should continue reading here:

        https://www.lancom-forum.de/fragen-zum-thema-vpn-f14/vpn-mit-16-kleinen-ausenstellen-t18781.html#p106335

        https://www.lancom-forum.de/aktuelle-lancom-router-serie-f41/vdsl-umzug-glasfarben-neuer-router-t17926.html#p101750

        Be careful when using IPerf3 for data throughput measurements in the range > 1 GBit/s. The CPU very quickly becomes a bottleneck at data transfer rates > 1 GBit/s:

        https://github.com/esnet/iperf/issues/289

        https://fasterdata.es.net/performance-testing/network-troubleshooting-tools/iperf/multi-stream-iperf3/

        In the range > 1 Gbit/s, the information and tuning tips should generally be found under:

        https://fasterdata.es.net/

        be taken into account.

        And always keep Tux0ne’s statement in mind:

        > You know what. 10 Gbps is currently for the bin. My 95th percentile is 18 Mbps on a 1 Gbps connection and that’s probably very high! Peering, low latency, availability and reliability, these are important and not a speed figure that does nothing.

        Source: https://www.tuxone.ch/2021/01/4-nullen-und-die-reisschussel.html

        Therefore, the choice of connection technology for the Internet connection should be based on:

        https://community.swisscom.ch/t5/Mobile/Wifi-Calling-scheint-nicht-zu-funktionieren/m-p/662138#M8881

        the order listed => AON before PON!


        I recommend using standardized and very common open source products such as pfSense or OPNsense that have been specifically developed for use as a firewall, router, next-gen firewall, IDS/IPS, VPN gateway, etc. Just pay attention to the instructions and manuals from Netgate (https://docs.netgate.com/pfsense/en/latest/) and OPNsense (https://docs.opnsense.org/) respectively. The OPNsense and pfSense communities are in no way inferior to any tinkering solutions with iptables. If every user configures a router on their favorite Linux, this won’t work out well. Too many configuration errors can lead to security problems. The FreeBSD or HardenedBSD base of OPNsense and pfSense has also been specially hardened for use as a firewall appliance. They are standardized, commercially supported and very common products that I can recommend to every “advanced user”. The web interface in particular makes the configuration intuitive and reduces possible pitfalls and errors.

        OPNsense and pfSense can also be virtualized. I have been running both solutions in a Proxmox VE cluster for years. The suggested optimization measures in the documentation (https://docs.netgate.com/pfsense/en/latest/recipes/virtualize-proxmox-ve.html) should be noted. I also achieve a virtualized routing performance of 10 Gbit/s among the various VLANs. The 1 Gbit/s data rate of my UPC Business Internet 1000 DOCSIS 3.1 WAN uplink is reached.

        For CLI lovers: if you are looking for a high-performance software router on “off the shelf” hardware, you will also find it in Netgate’s TNSR (https://www.tnsr.com/). TNSR does not have a WebUI, but can only be configured via the CLI. The barriers to entry are greater, but the performance with the same hardware is better than with pfSense. TNSR is also free for home users.

        If you are looking for dedicated hardware, you will find it at Netgate (https://www.netgate.com/appliances). The devices can be ordered via Contria GmbH (https://www.contria.ch/) in Langenthal. The company also has very competent support and good sales advice.
