Hi Peter,

Good to hear you got it working.

The "accept_ra", "autoconf" and "forwarding" settings are interrelated and can be confusing. For example, to enable it, "accept_ra" must be 2 if "forwarding" is 1.

Personally I have a Business ISP account with "static" prefixes, and so far they have been static, but I would not bet that will *always* be true. "Stuff" happens.

If you only have a couple server devices like AstLinux that you use a GUA with, it is not a big deal to change them for an ISP hiccup or switching to a different ISP. But in more complex situations, say you want an IPv6 /64 prefix off a LAN on your AstLinux box ... when your GUA prefix changes it affects *all* your internal GUA addresses.

Possibly pfSense supports Prefix Delegation Server where AstLinux could use DHCPv6-PD to autoconfig internal LAN's.

Even with a Business ISP account with "static" GUA IPv6 prefixes, I use ULA's for all my internal addresses and prefixes with NPTv6 enabled at the edge.

Lonnie


On Sep 2, 2017, at 12:06 PM, Dr. Peter Voigt <pvo...@uos.de> wrote:

> Hi Lonnie,
>
> wow, what a detailed answer - thank you very much.
>
> I have just tested option 1) successfully on my AstLinux machine. It is
> exactly what I am looking for in my current state of understanding
> IPv6.
>
> Option 1) is obviously a standard Linux sysctl that I was not aware of.
> Nevertheless, it would be nice, if this could be done from the WebGUI
> or otherwise be documented in the AstLinux documentation. This lesson
> learned I have just compared to the settings of my Debian Stretch
> machines:
>
> # cat /proc/sys/net/ipv6/conf/eth0/accept_ra
> 1
> # cat /proc/sys/net/ipv6/conf/eth0/autoconf
> 1
> # cat /proc/sys/net/ipv6/conf/eth0/forwarding
> 0
>
> I am still far away from understanding IPv6 concepts but I know already
> as much, that I have started hating the dynamic prefix sent from my
> internet provider. One big "advantage" of IPv6 over IPv4: A prefix
> change gives all my machines new IPv6 addresses while a dynamic IPv4
> address just changes the router WAN IP ;-). But to be fair: My prefix
> only changes when my pfSense machine needs a reboot.
> I have heard about other providers changing customer prefix even on a
> daily basis.
>
> Due to the dynamic prefix I will have to go into details of the ULA
> concept. But maybe I will come to the conclusion that I need to get a
> more expensive business contract with my provider ensuring a static
> prefix even during reboots of my pfSense machine.
>
> Thank you very much,
> Peter
>
>
> On Sat, 2 Sep 2017 10:30:18 -0500
> Lonnie Abelbeck <li...@lonnie.abelbeck.com> wrote:
>
>> Hi Peter,
>>
>> You have many options, here are 5 in no particular order.
>>
>> Option 1)
>> Since you have the AstLinux firewall disabled, you need to create a
>> short startup script, create the file /mnt/kd/rc.elocal ...
>> -- /mnt/kd/rc.elocal --
>> #!/bin/sh
>>
>> . /etc/rc.conf
>>
>> echo "[rc.elocal] Enabling autoconf SLAAC on $EXTIF"
>> sysctl -w net/ipv6/conf/$EXTIF/accept_ra=2 >/dev/null
>> sysctl -w net/ipv6/conf/$EXTIF/autoconf=1 >/dev/null
>>
>> exit 0
>> --
>>
>> Then make it executable ...
>> --
>> chmod 755 /mnt/kd/rc.elocal
>> --
>> Manually running /mnt/kd/rc.elocal or a reboot will enable the sysctl
>> settings. Note that it can take a while before the RA's are received.
>>
>>
>> Option 2)
>> If you enabled the AstLinux firewall (with a single interface would
>> need to allow TCP 80,443,22 and such to continue to manage it) then
>> you could add a firewall related config variable IP_FORWARDING=0 ...
>> -- add to /mnt/kd/rc.conf.d/user.conf --
>> IP_FORWARDING=0
>> --
>> This only works if you are using one interface, no AstLinux OpenVPN,
>> etc.
>>
>>
>> Option 3)
>> If you have static IPv6 prefixes from your ISP (not typical except
>> for Business accounts) you could set static addresses ...
>>
>> Network tab -> External Interface: -> Connection Type: [ Static IP ]
>> and define Static IPv4 and IPv6 addresses
>> Note: if IPv6 Gateway: is left empty it uses a Router Advertisement (RA)
>> to set the default IPv6 route.
>>
>> A /64 prefix gives you a lot of addresses to pick a unique non-SLAAC
>> static IPv6 for your AstLinux box.
>>
>>
>> Option 4)
>> If you have dynamic IPv6 prefixes from your ISP (typical) you could
>> set static ULA addresses (fdnn:... addresses) with pfSense doing
>> Network Prefix Translation (NPTv6) at the edge.
>>
>> Same configuration as with "Option 3" but using a ULA instead of a
>> GUA. ULA's have the advantage they are always static to your
>> internal network, and can be mapped to GUA's at the router's edge.
>>
>> While this documentation applies to AstLinux as the router, the
>> terminology and references may be helpful:
>> IPv6 ULA / NPTv6 Configuration
>> https://doc.astlinux-project.org/userdoc:tt_ipv6_ula_nptv6_config
>>
>>
>> Option 5)
>> If your pfSense configuration supports DHCPv6 server, you could
>> enable DHCPv6 client on your external interface.
>>
>> Network tab -> External Interface: -> Connection Type: [ Static
>> IPv4/DHCPv6 ] and define under External DHCPv6 Client Settings:
>>
>> DHCPv6 Client Address: [ enabled ]
>> DHCPv6 Prefix Delegation: [ disabled ]
>>
>> Reboot to apply any changes.
>>
>>
>> Summary)
>> The simplest is probably "Option 1" to answer your question, given
>> your current configuration.
>>
>> Personally I'm a big fan of using ULA's "Option 4" on my internal
>> network. Use AstLinux's "unique-local-ipv6" command from the CLI,
>> generate one you like, write it down and use it for all your internal
>> IPv6, forever. Carve up the /48 into /64's of your choosing. One
>> drawback is it requires manual documentation keeping track of ULA's
>> and ULA prefixes you use. On the plus side, ULA's are simple, and
>> if/when the GUA prefix changes your internal ULA IPv6 will not miss a
>> beat.
>>
>> Hope this was more helpful than confusing. :-) Understanding these
>> options will help you learn IPv6.
>>
>> Lonnie
>>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
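
Added example, not part of the original thread or of AstLinux: a small shell check for the interplay discussed above, where "accept_ra" set to 1 stops processing RAs once "forwarding" is 1 and a value of 2 overrides that. It is useful for auditing which interfaces will act on Router Advertisements; the function names and status words are this example's own, and the semantics assumed are those of the Linux kernel's IPv6 sysctl documentation.

```shell
#!/bin/sh
# Added example (not from the thread): classify how Linux treats IPv6 Router
# Advertisements on an interface from accept_ra, forwarding and autoconf.
# Function names and status words are this example's own.

# ra_effective ACCEPT_RA FORWARDING AUTOCONF
#   ignored : RAs are not processed
#   ra-only : RAs are processed, but no SLAAC address is configured
#   slaac   : RAs are processed and SLAAC addresses are configured
ra_effective() {
    case "$1" in
        0) echo ignored; return 0 ;;
        1) [ "$2" = 0 ] || { echo ignored; return 0; } ;;  # off while forwarding
        2) ;;                                              # overrides forwarding
        *) echo unknown; return 0 ;;
    esac
    if [ "$3" = 1 ]; then echo slaac; else echo ra-only; fi
}

# ra_check IFACE [ROOT]: read the three values for IFACE below ROOT
# (ROOT defaults to the live /proc tree; a test can point it elsewhere).
ra_check() {
    dir="${2:-/proc/sys/net/ipv6/conf}/$1"
    [ -r "$dir/accept_ra" ] || { echo "no-such-interface"; return 1; }
    ra_effective "$(cat "$dir/accept_ra")" "$(cat "$dir/forwarding")" \
                 "$(cat "$dir/autoconf")"
}

# Stand-alone use: ./ra-check.sh eth0
[ $# -eq 0 ] || ra_check "$@"
```

The Debian values quoted in the thread (1, 1, 0) classify as slaac, while the same accept_ra and autoconf values with forwarding set to 1 classify as ignored until accept_ra is raised to 2.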