
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Router - PFSense (beta 2.1): Difference between revisions

This is a short guide on getting a pfSense 2.0-[[IPv6]] and the 2.1 beta to connect to AAISP as a dual stack router and firewall. If you want more detail, pretty pictures and a full step by step guide, then post on the Discussion page and I'll consider it.
'''This is a WIP'''
 
Also, there is now a guide for more recent versions of pfSense (2.1.2+) that is also available here: [[Router - PFSense]]
 
= pfSense with IPv4 and IPv6 =
I recently persuaded [http://www.pfsense.org/ pfSense] running on an ALIX based system with a Draytek Vigor 140 [[ADSL Modem|ADSL modem]] to connect up with IPv4 and [[IPv6]] to AAISP. Here are some notes on how. There are some minor faults with it, but for the use case presented here it works fine and 2.1 is due for release fairly soon. They have a Redmine bug tracker that you can follow and the forums are excellent for support. The developers are on the ball. There is a patch in there that a pfSense developer put in for me when my IPv6 default route wouldn't work, done the same day I posted - on my system.
 
= Hardware =
A very good alternative is an old PC. Either put several network cards in it or get a switch such as a Netgear 108 and learn about 802.1Q VLANs to make one NIC into several.
 
'''You need at least two interfaces, one for LAN and one for WAN'''
 
= Software =
 
= Addressing =
For [[IPv6]], AAISP supply you with a /48 prefix from which you can create multiple /64 subnets for your use. There are over 65,000 /64 subnets in a /48 each with more addresses than you can eat! Click on the green "add /64" button on your control page to create them.
 
For IPv4, note down the single /32 address and additional subnet range that you should have been assigned. The single address is the router's external address and the subnet is your LAN.
Follow one of the many guides out there. It can be tricky to work out which interface is which, so plug one in, configure it at the initial console based interface setup stage, give it an IP address from your LAN range and set the mask. Then try and ping it after putting another address from the range temporarily on a PC or whatever. If it doesn't work then move the LAN cable into another NIC and see if that works. Once LAN is sorted, fire up a browser and point it at the LAN address and carry on the configuration from there. Username: admin, password: pfsense. I recommend you move the web GUI port to another port and enable SSL. There's a built in certificate generator so there is no excuse.
 
Start with IPv4 and then move on to [[IPv6]].
 
The default firewall set up is no inbound access at all and just IPv4 out from the LAN subnet.
 
=== IPv6 ===
* Set the [[IPv6 Configuration|IPv6 configuration]] type on your PPPoE interface to DHCPv6
* Set the [[IPv6]] on LAN to <your /64 range>::1 (it doesn't have to be 1) and the mask to 64, e.g. 2001:8b0:fc5c:6a01::1.
* Services -> DHCPv6 Server/RA. Set Router Advertisements to Unmanaged and save.
 
Have a look at the addresses on your PC ("ip a"/"ifconfig"/"ipconfig /all") and you should find that you now have a global [[IPv6]] address assigned. It will start with the /64 prefix from above.
 
If you have additional interfaces then simply add another /64 on your AAISP control page and then set the [[IPv6]] address to <another one of your /64s>::1. Then set RA to unmanaged as above for that interface.
 
Unmanaged really means use "radvd", i.e. auto addressing based on subnet and MAC address. There are several other options and these are described nicely on the page but unmanaged gets you up and running quickly.
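
The following is an added example, not part of the original guide or of pfSense: a Python check that picks a /64 out of the /48, derives the MAC-based (modified EUI-64) address a host would auto-configure in it, and classifies an address copied from "ip a" output. The /48 is inferred from the example address above and the MAC is a constructed value; all function names are hypothetical.

```python
import ipaddress

# Constructed sample values: the /48 is inferred from the guide's example
# address 2001:8b0:fc5c:6a01::1; the MAC is made up.
DELEGATED_48 = ipaddress.ip_network("2001:8b0:fc5c::/48")
SAMPLE_MAC = "00:11:22:33:44:55"


def lan_subnet(prefix48, subnet_id):
    """Return the /64 with the given 16-bit subnet ID inside the /48."""
    if prefix48.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 and a subnet ID in 0..0xffff")
    base = int(prefix48.network_address) | (subnet_id << 64)
    return ipaddress.ip_network((base, 64))


def router_address(subnet64, host=1):
    """Router LAN address: <your /64 range>::1 (the host part is arbitrary)."""
    return subnet64[host]


def eui64_address(subnet64, mac):
    """Address formed from the /64 and a MAC (modified EUI-64, RFC 4291)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6 or subnet64.prefixlen != 64:
        raise ValueError("need a 48-bit MAC and a /64")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return subnet64[int.from_bytes(iid, "big")]


def check_host_address(addr, subnet64, mac=None):
    """Classify one address from "ip a" output against the expected /64."""
    ip = ipaddress.ip_address(addr.split("/")[0])
    if ip.is_link_local:
        return "link-local, not a global address"
    if ip not in subnet64:
        return "global address outside the expected /64"
    if mac and ip == eui64_address(subnet64, mac):
        return "in /64, MAC-derived (EUI-64)"
    return "in /64, not MAC-derived (privacy or static)"


if __name__ == "__main__":
    lan = lan_subnet(DELEGATED_48, 0x6A01)
    print(lan, router_address(lan), eui64_address(lan, SAMPLE_MAC))
```

Many operating systems use privacy or stable-random interface identifiers by default, so "not MAC-derived" is a normal result for a correctly configured host.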
 
Add some [[IPv6]] rules - e.g. on the LAN interface: "allow from LAN subnet to any".
 
Test with something like "ping6 -n www.google.com" (adjust for OS)
 
= Notes =
*Do not be tempted by the Widescreen package until it has been ported - it removes the web GUI [[IPv6]] related stuff.
 
A customer noted that setting 'Request a [[IPv6]] prefix/information through the IPv4 connectivity link' helped him:
 
[[File:Pfsensev6config.png]]
 
This causes pfSense to change the interface in /var/etc/dhcpv6_wan.conf from em0 to pppoe0 (obviously dependent on hardware) - although the 'IPv4 connectivity link' description is a bit misleading. The following bug reports sent me in the right direction:
*[http://forum.pfsense.org/index.php?topic=65832.0 forum.pfsense.org/index.php?topic=65832.0]
*[https://redmine.pfsense.org/issues/3097 redmine.pfsense.org/issues/3097]
 
[[Category:3rd Party Routers|PFSense]]