
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - PFSense: Difference between revisions

m (clean up, typos fixed: etc) → etc.))
At the time of writing this wiki page, the pfSense version used was 2.1.2, and it is recommended that you use that version (or a later one), as 2.1.0 and 2.1.1 ship an OpenSSL affected by Heartbleed (CVE-2014-0160) and also have some PPPoE configuration bugs.
 
Now, although pfSense 2.1 introduces a lot of very interesting new capabilities, it is admittedly still a bit buggy when it comes to PPPoE (which can be a concern in the UK, where it is very common). In that regard the old 2.0-[[IPv6]] beta range was a lot more stable, although its [[IPv6]] support was in turn rather flaky. This is why the old wiki page (see [[Router - PFSense (beta 2.1)]]) could still be a valid option, unless your security rules dictate that you must be on the latest release; bear in mind that those beta builds predate the 2.1.2 Heartbleed fix.
 
Finally, please note that this was tested on an A&A ADSL line connected via TalkTalk Wholesale. I would expect it to work the same when behind BT Wholesale, but your mileage may vary.
 
= Hardware =
As described in the previous version of this document (see [[Router - PFSense (beta 2.1)]]), a [[Vigor 120]] [[ADSL Modem]] was used alongside an ALIX board (although things like an old PC or embedded hardware will work too).
 
It should also work similarly well with any other ADSL/VDSL modem, as long as you can push PPPoE to it (and it, in turn, carries that over its own PPPoA connection).
 
= Software =
As indicated, at the time of writing (23 April 2014) you need a copy of pfSense 2.1.2 (embedded variant or not; check the pfSense website to see which option suits you best).
 
= Addressing =

[[File:Vigor 120 Setup.png|800px]]
 
''Note: Interestingly, I tried the RFC1483 mode and it seems to work ok too (although when I do, pfSense then seems to be talking to an Ericsson box instead of the usual Cisco one).''
Now, even in bridge mode, it is still a good idea to change the modem's default admin password and disable its management services on the WAN side: the modem's own management interface is still running, and the WAN is the side that faces the rest of the world.
 
[[File:Dlink DSL-320B Setup.png|800px]]
 
''Note: The default LAN address was changed to 192.168.100.1 in order to avoid any potential conflicts with the internal network that is behind pfSense.''
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console-based interface setup stage, give it an IPv4 address from your LAN range and set the mask. Then try to ping it after temporarily putting another address from the range on a PC or similar. If that doesn't work, move the LAN cable to another NIC and try again. Once LAN is sorted, fire up a browser, point it at the LAN address and carry on the configuration from there. The default credentials are username admin, password pfsense. I recommend you change the password, move the web GUI to a non-default port and enable SSL (HTTPS), otherwise the admin password crosses your LAN in clear.
 
The default firewall settings do not allow inbound access at all (for any protocol). Versions of pfSense before 2.1.2 also used to simply discard [[IPv6]] traffic whatever its direction; this is no longer the case and IPv6 should now be processed just like IPv4 (firewall rules, etc.). However, that is not always so after an upgrade, so it is worthwhile to check the setting.
 
That setting is available in the page "System: Advanced: Networking":
 
[[File:IPv6 Enabled.png|800px]]
 
Once this is checked, proceed to set up the WAN interface and then update the LAN settings to enable [[IPv6]].
For the WAN, you should get a configuration screen similar to this:

[[File:Interface Setup - WAN.png|800px]]

For the LAN, you should end up with a configuration screen similar to this one:

[[File:Interface Setup - LAN.png|800px]]
 
Finally, click the save button.
So, select "Services -> DHCPv6 Server/RA" and enter the appropriate information. Once done and saved, the screen should look like this:

[[File:Services - DHCPv6.png|800px]]
 
I suspect there is no real need to reserve part of this range: if you need to create fancy subnetworks, you just use another of your /64 blocks (you have been given 65536 of them with a /48, which should be enough!). In any case, pfSense allows the block to be subdivided further if you need to (see the "subnets" options).
The configuration screen will be similar to this (don't forget to save!):

[[File:Services - DHCPv6-RA.png|800px]]
 
Once this is done, you should see that your machine has acquired a nice and shiny new routable [[IPv6]] address. In fact, it will often acquire more than one, depending on the RA mode you selected and the privacy extensions enabled on the client machine.
Yeaahhh!! Victory!

[[File:Client Computer.png]]

''Note: On some old hardware/OS it is not impossible that you will have to unplug/plug the network cable for the machine to pick up the change.''
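To see where each of those addresses came from, here is an added Python example (not code from this page or from pfSense). It first carves the LAN /64 out of the delegated /48, as the paragraph on /64 blocks above describes, and then labels each address a client reports: link-local, DHCPv6 pool, EUI-64 SLAAC (which embeds the NIC's MAC address, the very thing privacy extensions exist to hide) or a temporary privacy address. The prefix 2001:db8:abcd::/48, the pool ::1000 to ::2000 and the client addresses are constructed for the example and stand in for whatever your line has been allocated.

```python
"""Which of a client's IPv6 addresses came from where, given the LAN /64 and
the DHCPv6 pool configured on pfSense.

Added example, not code from the A&A wiki page or from pfSense.  2001:db8:abcd::/48
is a documentation prefix standing in for the /48 the ISP delegates; the DHCPv6
pool and the client addresses below are constructed for the demonstration.
"""
import ipaddress

DELEGATION = ipaddress.ip_network("2001:db8:abcd::/48")   # assumed /48 from the ISP


def nth_lan_prefix(delegation, n):
    """The n-th /64 carved out of the delegated block (n from 0 to 65535 for
    a /48): use a different one per LAN instead of subdividing a /64."""
    count = 2 ** (64 - delegation.prefixlen)
    if not 0 <= n < count:
        raise ValueError("only %d /64s in %s" % (count, delegation))
    return ipaddress.ip_network((int(delegation.network_address) + (n << 64), 64))


LAN = nth_lan_prefix(DELEGATION, 1)                      # 2001:db8:abcd:1::/64
DHCP_RANGE = (LAN[0x1000], LAN[0x2000])                  # constructed DHCPv6 pool


def eui64_mac(addr):
    """If the interface identifier is a modified EUI-64 (ff:fe in the middle),
    return the MAC address it was derived from, else None."""
    iid = int(addr) & ((1 << 64) - 1)
    if (iid >> 24) & 0xFFFF != 0xFFFE:
        return None
    b = iid.to_bytes(8, "big")
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]      # undo the u/l bit flip, drop ff:fe
    return ":".join("%02x" % x for x in mac)


def classify(addr_str, lan=LAN, pool=DHCP_RANGE):
    """Label one client address.  Random (privacy) SLAAC addresses can only be
    told apart from DHCPv6 leases by whether they fall inside the pool, so keep
    the pool well away from the part of the /64 clients pick from."""
    addr = ipaddress.ip_address(addr_str)
    if addr.is_link_local:
        return "link-local"
    if addr not in lan:
        return "not-on-this-lan"
    if pool[0] <= addr <= pool[1]:
        return "dhcpv6-pool"
    mac = eui64_mac(addr)
    if mac:
        return "slaac-eui64 (reveals MAC %s)" % mac
    return "slaac-temporary"


def inventory(addrs, lan=LAN, pool=DHCP_RANGE):
    """Map every reported address to its label."""
    return {a: classify(a, lan, pool) for a in addrs}


CLIENT_ADDRS = [  # constructed: what ifconfig/ipconfig on a client might list
    "fe80::211:22ff:fe33:4455",
    "2001:db8:abcd:1:211:22ff:fe33:4455",
    "2001:db8:abcd:1:1c2d:3e4f:5a6b:7c8d",
    "2001:db8:abcd:1::1234",
    "2001:db8:abcd:2::1",
]

if __name__ == "__main__":
    for a, kind in inventory(CLIENT_ADDRS).items():
        print("%-40s %s" % (a, kind))
```

Feed it the addresses your client actually shows and the /64 and pool you configured in "Services -> DHCPv6 Server/RA": an address labelled slaac-eui64 is the one to expect if privacy extensions are off, and the MAC it prints is what every site you visit over that address can read.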
If I remember correctly, pfSense will by default create the outgoing rules for the LAN (especially if you used the wizard). But just in case, go to the "Firewall -> Rules" page and check that you have at least the following entries:

[[File:Default LAN Rules.png]]
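As a way of checking those rules together with the GUI hardening and the "Allow IPv6" setting mentioned earlier, here is an added Python example (not code from this page or from pfSense) that audits a config.xml backup taken from "Diagnostics -> Backup/Restore". The element names it looks for (system/webgui/protocol, system/webgui/port, system/ipv6allow and the filter/rule children) are my assumption about the 2.1 config.xml layout and should be confirmed against a backup from your own box; the sample config is constructed to look like an upgraded box that still has the GUI on plain HTTP, IPv6 disabled and only the IPv4 LAN rule.

```python
"""Check a pfSense config.xml backup for the settings this page tells you to verify:
HTTPS on a non-default GUI port, "Allow IPv6" ticked, LAN -> any pass rules for
both address families, and nothing passing inbound on WAN.

Added example, not code from the A&A wiki page or from pfSense.  The element
names (system/webgui/protocol, system/webgui/port, system/ipv6allow and the
filter/rule children) are my reading of the pfSense 2.1 config.xml layout;
confirm them against a backup taken from your own box before trusting the output.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample resembling a 2.1.x box upgraded from 2.0: GUI still on
# plain HTTP/80, IPv6 not allowed, only the IPv4 LAN rule present.
WEAK_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>pfsense</hostname>
    <webgui>
      <protocol>http</protocol>
      <port></port>
    </webgui>
  </system>
  <interfaces>
    <wan><if>vr0</if></wan>
    <lan><if>vr1</if></lan>
  </interfaces>
  <filter>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <source><network>lan</network></source>
      <destination><any/></destination>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
</pfsense>
"""


def _pass_rules(root, interface):
    """Enabled pass rules bound to one interface."""
    return [r for r in root.findall("filter/rule")
            if r.findtext("interface") == interface
            and r.findtext("type") == "pass"
            and r.find("disabled") is None]


def lan_pass_families(root):
    """Address families ('inet', 'inet6') that have a LAN -> any pass rule."""
    fams = set()
    for r in _pass_rules(root, "lan"):
        if r.find("destination/any") is None:
            continue
        ipp = r.findtext("ipprotocol", default="inet")
        fams |= {"inet", "inet6"} if ipp == "inet46" else {ipp}
    return fams


def audit(xml_text):
    """Return a list of short finding codes; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    proto = root.findtext("system/webgui/protocol", default="http")
    port = root.findtext("system/webgui/port") or ("443" if proto == "https" else "80")
    if proto != "https":
        findings.append("webgui-plaintext")         # admin password crosses the LAN in clear
    if port in ("80", "443"):
        findings.append("webgui-default-port")
    if root.find("system/ipv6allow") is None:
        findings.append("ipv6-not-allowed")         # pfSense drops all IPv6 until this is set
    fams = lan_pass_families(root)
    if "inet" not in fams:
        findings.append("lan-no-ipv4-pass")
    if "inet6" not in fams:
        findings.append("lan-no-ipv6-pass")
    wan = _pass_rules(root, "wan")
    if wan:
        findings.append("wan-pass-rules:%d" % len(wan))  # a default install has none
    return findings


def harden(xml_text, gui_port="8443"):
    """The same document with the checked settings in their recommended state."""
    root = ET.fromstring(xml_text)
    system = root.find("system")
    webgui = system.find("webgui")
    webgui.find("protocol").text = "https"
    port = webgui.find("port")
    if port is None:
        port = ET.SubElement(webgui, "port")
    port.text = gui_port
    if system.find("ipv6allow") is None:
        ET.SubElement(system, "ipv6allow")           # presence of the element means "allowed"
    if "inet6" not in lan_pass_families(root):
        rule = ET.SubElement(root.find("filter"), "rule")
        for tag, text in (("type", "pass"), ("interface", "lan"), ("ipprotocol", "inet6"),
                          ("descr", "Default allow LAN IPv6 to any rule")):
            ET.SubElement(rule, tag).text = text
        ET.SubElement(ET.SubElement(rule, "source"), "network").text = "lan"
        ET.SubElement(ET.SubElement(rule, "destination"), "any")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONFIG
    print("\n".join(audit(text)) or "no findings")
```

Run it with the path of a backup as the only argument; with no argument it audits the built-in sample. harden() shows the same document with the checked settings in the state this page recommends; it is there to make the expected values explicit, not as a substitute for making the changes in the GUI.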
 
Now, an easy way to fix this is to force pfSense to use specific DNS servers. This is done in the "System -> General Setup" page. Ideally you should set your ISP's DNS servers in there and/or some public ones like Google (8.8.8.8) or OpenDNS (208.67.220.220).

[[File:System - General setup.png|800px]]
 
Once this is done, you will just have to go to "System -> Routing" and edit the WAN_DHCP6 gateway settings to make them as follows:

[[File:WAN DHCP6 Gateway settings.png|800px]]
 
If the script and settings changes were successful, you will then get a Gateway Status screen similar to this:

[[File:Status - Gateways.png|800px]]

Note: Sometimes, after a link failure, the script will still fail to set up apinger properly (especially for [[IPv6]]; IPv4 will typically be ok). This seems to be caused by a timing issue whereby pfSense calls the script too early. Fixing this will probably require a more serious rework of that area in pfSense.