Hi Lonnie, wow, what a detailed answer - thank you very much.

I have just tested option 1) successfully on my AstLinux machine. It is exactly what I am looking for in my current state of understanding IPv6. Option 1) is obviously a standard Linux sysctl that I was not aware of. Nevertheless, it would be nice if this could be done from the WebGUI or otherwise be documented in the AstLinux documentation.

This lesson learned, I have just compared to the settings of my Debian Stretch machines:

# cat /proc/sys/net/ipv6/conf/eth0/accept_ra
1
# cat /proc/sys/net/ipv6/conf/eth0/autoconf
1
# cat /proc/sys/net/ipv6/conf/eth0/forwarding
0

I am still far away from understanding IPv6 concepts but I know already as much, that I have started hating the dynamic prefix sent from my internet provider. One big "advantage" of IPv6 over IPv4: A prefix change gives all my machines new IPv6 addresses while a dynamic IPv4 address just changes the router WAN IP ;-). But to be fair: My prefix only changes when my pfSense machine needs a reboot. I have heard about other providers changing customer prefix even on a daily basis.

Due to the dynamic prefix I will have to go into details of the ULA concept. But maybe I will come to the conclusion that I need to get a more expensive business contract with my provider ensuring a static prefix even during reboots of my pfSense machine.

Thank you very much,
Peter

On Sat, 2 Sep 2017 10:30:18 -0500
Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:

> Hi Peter,
>
> You have many options, here are 5 in no particular order.
>
> Option 1)
> Since you have the AstLinux firewall disabled, you need to create a
> short startup script, create the file /mnt/kd/rc.elocal ...
> -- /mnt/kd/rc.elocal --
> #!/bin/sh
>
> . /etc/rc.conf
>
> echo "[rc.elocal] Enabling autoconf SLAAC on $EXTIF"
> sysctl -w net/ipv6/conf/$EXTIF/accept_ra=2 >/dev/null
> sysctl -w net/ipv6/conf/$EXTIF/autoconf=1 >/dev/null
>
> exit 0
> --
>
> Then make it executable ...
> --
> chmod 755 /mnt/kd/rc.elocal
> --
> Manually running /mnt/kd/rc.elocal or a reboot will enable the sysctl
> settings. Note that it can take a while before the RA's are received.
>
>
> Option 2)
> If you enabled the AstLinux firewall (with a single interface would
> need to allow TCP 80,443,22 and such to continue to manage it) then
> you could add a firewall related config variable IP_FORWARDING=0 ...
> -- add to /mnt/kd/rc.conf.d/user.conf --
> IP_FORWARDING=0
> --
> This only works if you are using one interface, no AstLinux OpenVPN,
> etc.
>
>
> Option 3)
> If you have static IPv6 prefixes from your ISP (not typical except
> for Business accounts) you could set static addresses ...
>
> Network tab -> External Interface: -> Connection Type: [ Static IP ]
> and define Static IPv4 and IPv6 addresses
> Note: if IPv6 Gateway: is left empty it uses a Router Advertisement
> (RA) to set the default IPv6 route.
>
> A /64 prefix gives you a lot of addresses to pick a unique non-SLAAC
> static IPv6 for your AstLinux box.
>
>
> Option 4)
> If you have dynamic IPv6 prefixes from your ISP (typical) you could
> set static ULA addresses (fdnn:... addresses) with pfSense doing
> Network Prefix Translation (NPTv6) at the edge.
>
> Same configuration as with "Option 3" but using a ULA instead of a
> GUA. ULA's have the advantage they are always static to your
> internal network, and can be mapped to GUA's at the router's edge.
>
> While this documentation applies to AstLinux as the router, the
> terminology and references may be helpful: IPv6 ULA / NPTv6
> Configuration
> https://doc.astlinux-project.org/userdoc:tt_ipv6_ula_nptv6_config
>
>
> Option 5)
> If your pfSense configuration supports DHCPv6 server, you could
> enable DHCPv6 client on your external interface.
>
> Network tab -> External Interface: -> Connection Type: [ Static
> IPv4/DHCPv6 ] and define under External DHCPv6 Client Settings:
>
> DHCPv6 Client Address: [ enabled ]
> DHCPv6 Prefix Delegation: [ disabled ]
>
> Reboot to apply any changes.
>
>
> Summary)
> The simplest is probably "Option 1" to answer your question, given
> your current configuration.
>
> Personally I'm a big fan of using ULA's "Option 4" on my internal
> network. Use AstLinux's "unique-local-ipv6" command from the CLI,
> generate one you like, write it down and use it for all your internal
> IPv6, forever. Carve up the /48 into /64's of your choosing. One
> drawback is it requires manual documentation keeping track of ULA's
> and ULA prefixes you use. On the plus side, ULA's are simple, and
> if/when the GUA prefix changes your internal ULA IPv6 will not miss a
> beat.
>
> Hope this was more helpful than confusing. :-) Understanding these
> options will help you learn IPv6.
>
> Lonnie
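
How the three sysctls compared in this thread (accept_ra, forwarding, autoconf) combine per the Linux kernel's documented semantics, as an added example that is not part of either e-mail and is not AstLinux code. The function names `slaac_state` and `audit_iface` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an interface will
# act on Router Advertisements and autoconfigure SLAAC addresses.

# slaac_state ACCEPT_RA FORWARDING AUTOCONF
# Prints: ra-ignored | ra-no-autoconf | slaac | unknown
slaac_state() {
    accept_ra=$1 forwarding=$2 autoconf=$3
    case "$accept_ra" in
        0) echo "ra-ignored"; return 0 ;;
        # accept_ra=1 only takes effect while forwarding is disabled
        1) if [ "$forwarding" != 0 ]; then echo "ra-ignored"; return 0; fi ;;
        # accept_ra=2 overrules forwarding (the Option 1 setting)
        2) ;;
        *) echo "unknown"; return 1 ;;
    esac
    # RAs are processed; autoconf decides whether prefixes become addresses
    if [ "$autoconf" = 1 ]; then
        echo "slaac"
    else
        echo "ra-no-autoconf"
    fi
}

# audit_iface IFACE [CONF_ROOT]
# CONF_ROOT defaults to the live kernel tree; a test can point it elsewhere.
audit_iface() {
    iface=$1
    root=${2:-/proc/sys/net/ipv6/conf}
    dir="$root/$iface"
    [ -r "$dir/accept_ra" ] || { echo "$iface: no IPv6 sysctls"; return 1; }
    ra=$(cat "$dir/accept_ra")
    fw=$(cat "$dir/forwarding")
    ac=$(cat "$dir/autoconf")
    echo "$iface: accept_ra=$ra forwarding=$fw autoconf=$ac -> $(slaac_state "$ra" "$fw" "$ac")"
}

# Report every interface the kernel exposes (includes "all" and "default").
for d in /proc/sys/net/ipv6/conf/*/; do
    [ -d "$d" ] || continue
    audit_iface "$(basename "$d")" || true
done
```

An interface that reports `slaac` while forwarding is enabled acts on RAs from any device on that link, so the audit is a quick way to confirm that only the intended interface is in that state.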