Hi Lonnie,

wow, what a detailed answer - thank you very much.

I have just tested option 1) successfully on my AstLinux machine. It is
exactly what I am looking for in my current state of understanding
IPv6.

Option 1) is obviously a standard Linux sysctl that I was not aware of.
Nevertheless, it would be nice if this could be done from the WebGUI
or otherwise be documented in the AstLinux documentation. With this
lesson learned, I have just compared it to the settings of my Debian
Stretch machines:

# cat /proc/sys/net/ipv6/conf/eth0/accept_ra
1
# cat /proc/sys/net/ipv6/conf/eth0/autoconf 
1
# cat /proc/sys/net/ipv6/conf/eth0/forwarding 
0

I am still far away from understanding IPv6 concepts, but I already
know enough that I have started hating the dynamic prefix sent from my
internet provider. One big "advantage" of IPv6 over IPv4: A prefix
change gives all my machines new IPv6 addresses while a dynamic IPv4
address just changes the router WAN IP ;-). But to be fair: My prefix
only changes when my pfSense machine needs a reboot. I have heard about
other providers changing the customer prefix even on a daily basis.

Due to the dynamic prefix I will have to go into the details of the ULA
concept. But maybe I will come to the conclusion that I need to get a
more expensive business contract with my provider ensuring a static
prefix even during reboots of my pfSense machine.

Thank you very much,
Peter


On Sat, 2 Sep 2017 10:30:18 -0500
Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> Hi Peter,
> 
> You have many options, here are 5 in no particular order.
> 
> Option 1)
> Since you have the AstLinux firewall disabled, you need to create a
> short startup script, create the file /mnt/kd/rc.elocal ...
> -- /mnt/kd/rc.elocal --
> #!/bin/sh
> 
> . /etc/rc.conf
> 
> echo "[rc.elocal] Enabling autoconf SLAAC on $EXTIF"
> sysctl -w net/ipv6/conf/$EXTIF/accept_ra=2 >/dev/null
> sysctl -w net/ipv6/conf/$EXTIF/autoconf=1 >/dev/null
> 
> exit 0
> --
> 
> Then make it executable ...
> --
> chmod 755 /mnt/kd/rc.elocal
> --
> Manually running /mnt/kd/rc.elocal or a reboot will enable the sysctl
> settings.  Note that it can take a while before the RA's are received.
> 
> 
> Option 2)
> If you enabled the AstLinux firewall (with a single interface would
> need to allow TCP 80,443,22 and such to continue to manage it) then
> you could add a firewall related config variable IP_FORWARDING=0 ...
> -- add to /mnt/kd/rc.conf.d/user.conf --
> IP_FORWARDING=0
> --
> This only works if you are using one interface, no AstLinux OpenVPN,
> etc.
> 
> 
> Option 3)
> If you have static IPv6 prefixes from your ISP (not typical except
> for Business accounts) you could set static addresses ...
> 
> Network tab -> External Interface: -> Connection Type: [ Static IP ]
> and define Static IPv4 and IPv6 addresses.
> Note: if IPv6 Gateway: is left empty it uses a Router Advertisement
> (RA) to set the default IPv6 route.
> 
> A /64 prefix gives you a lot of addresses to pick a unique non-SLAAC
> static IPv6 for your AstLinux box.
> 
> 
> Option 4)
> If you have dynamic IPv6 prefixes from your ISP (typical) you could
> set static ULA addresses (fdnn:... addresses) with pfSense doing
> Network Prefix Translation (NPTv6) at the edge.
> 
> Same configuration as with "Option 3" but using a ULA instead of a
> GUA.  ULA's have the advantage they are always static to your
> internal network, and can be mapped to GUA's at the router's edge.
> 
> While this documentation applies to AstLinux as the router, the
> terminology and references may be helpful: IPv6 ULA / NPTv6
> Configuration
> https://doc.astlinux-project.org/userdoc:tt_ipv6_ula_nptv6_config
> 
> 
> Option 5)
> If your pfSense configuration supports DHCPv6 server, you could
> enable DHCPv6 client on your external interface.
> 
> Network tab -> External Interface: -> Connection Type: [ Static
> IPv4/DHCPv6 ] and define under External DHCPv6 Client Settings:
> 
> DHCPv6 Client Address: [ enabled ]
> DHCPv6 Prefix Delegation: [ disabled ]
> 
> Reboot to apply any changes.
> 
> 
> Summary)
> The simplest is probably "Option 1" to answer your question, given
> your current configuration.
> 
> Personally I'm a big fan of using ULA's "Option 4" on my internal
> network.  Use AstLinux's "unique-local-ipv6" command from the CLI,
> generate one you like, write it down and use it for all your internal
> IPv6, forever.  Carve up the /48 into /64's of your choosing.  One
> drawback is it requires manual documentation keeping track of ULA's
> and ULA prefixes you use.  On the plus side, ULA's are simple, and
> if/when the GUA prefix changes your internal ULA IPv6 will not miss a
> beat.
> 
> Hope this was more helpful than confusing. :-)  Understanding these
> options will help you learn IPv6.
> 
> Lonnie
> 
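
The three sysctls compared in this thread interact: accept_ra=1 only takes effect while forwarding is 0, whereas accept_ra=2 processes Router Advertisements even on a forwarding box, which is worth auditing because any on-link RA can then set that box's addresses and default route. The script below is an added example, not part of either message or of AstLinux, that classifies each interface from those values. SYSCTL_ROOT and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how each interface treats IPv6 Router
# Advertisements, using accept_ra, autoconf and forwarding.
# SYSCTL_ROOT is this example's own knob so the check can run on a test tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# ra_state IFACE prints: ignored | accepted | accepted-while-forwarding | unknown
ra_state() {
    d="$SYSCTL_ROOT/net/ipv6/conf/$1"
    if [ ! -r "$d/accept_ra" ] || [ ! -r "$d/forwarding" ]; then
        echo unknown
        return 0
    fi
    ra=$(cat "$d/accept_ra")
    fwd=$(cat "$d/forwarding")
    case "$ra" in
        0) echo ignored ;;
        # 1: RAs are processed only while the interface is not forwarding
        1) if [ "$fwd" = 0 ]; then echo accepted; else echo ignored; fi ;;
        # 2: overrules forwarding, the setting used in rc.elocal above
        2) if [ "$fwd" = 0 ]; then echo accepted
           else echo accepted-while-forwarding; fi ;;
        *) echo unknown ;;
    esac
}

# slaac_state IFACE prints: slaac | no-slaac
# An address is autoconfigured only when RAs are processed and autoconf=1.
slaac_state() {
    d="$SYSCTL_ROOT/net/ipv6/conf/$1"
    case "$(ra_state "$1")" in
        accepted*)
            if [ -r "$d/autoconf" ] && [ "$(cat "$d/autoconf")" = 1 ]; then
                echo slaac
            else
                echo no-slaac
            fi ;;
        *) echo no-slaac ;;
    esac
}

# audit_all prints one line per interface directory under SYSCTL_ROOT.
audit_all() {
    for p in "$SYSCTL_ROOT"/net/ipv6/conf/*/; do
        [ -d "$p" ] || continue
        i=$(basename "$p")
        echo "$i ra=$(ra_state "$i") $(slaac_state "$i")"
    done
    return 0
}

audit_all
```

Interfaces reported as accepted-while-forwarding are the ones to review first when the segment they face is not fully trusted.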

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users