Right now I have pfSense running on Proxmox (on Hetzner). I have ordered an additional IP address, gave it a separate MAC address for virtualization purposes, and set the MAC address on the pfSense VM on Proxmox to the MAC address given to me by Hetzner. This works well, I just set my WAN interface to DHCP, and it grabs the additional IP.
Now, I want to start using IPv6. I have tried before and could not get it working. My goal here is to have each VM have its own IPv6 address from my Hetzner range, and I'll just keep NATing IPv4 until I fully understand IPv6.
Here is the guide from Hetzner:
Knowing my goals, would I be better off with Routed or Bridge? Any Tips?
It sounds like you're using /32s (max of 6) from the Hetzner UI, which allows you to have "custom" MACs which you can add/assign to your VMs. Going down this route like you have will allow you to route the whole /64 IPv6 which Hetzner gives you directly to your pfSense firewall. If you did go down the routed option (i.e. grab a /29 etc.) then Hetzner doesn't allow you to remap to a VM NIC's MAC address (has to be to core) and then the core/host would have to become your IPv6 gateway.
If my memory serves me right, you would need to assign a /128 (single IP address in IPv6 terms) to the NIC interface on the pfSense fw (your WAN NIC). Use the gateway provided, which is fe80::1, as your v6 gw in pfSense (this will only work if you remap the MAC for the IPv6 to the pfSense VM's MAC) if my memory serves me right (it's been a while). Then you will need to add the /64 they provide on top, but this time assign the same /128 IP you used for the WAN on your LAN, using your /64 subnet/mask instead. Then on your LAN NIC use radvd or assign the IPv6 manually on your VMs using the pfSense as your VM IPv6 gateway, i.e. that /128 address you added.
This works because the smaller subnet (/128 in this case) is preferred and the router (your pfSense) knows how to route/get out, where your VMs won't see that but will see the other interface on the LAN.
It's been a while since I've played with v6 with Hetzner and this is purely from memory the last time I did it.
Thanks for all the help!
I am getting this error:
IPv6 address 2a01:4f9:4a:44b7::/64 is being used by or overlaps with: WAN (2a01:4f9:4a:44b7::1/128)
When I assign 2a01:4f9:4a:44b7::1/128 on the WAN, it pings back, so that's a start.
Now we just have to figure out how to get the LAN setup.
Technically it does overlap, however, it should allow each interface to be added as one has higher priority and they are independent.
I've not used pfSense for my firewalling needs, I usually use Vyatta (router OS) which is what I did my setup for (mostly for NAT for VMs with v6+v4) but it should be the same. There might be a flag to allow it in pfSense. I'll see what I can quickly find.
In about a week or two a new AX51-NVME should be delivered which I'm waiting for (12-14 day delays for custom at the moment). It's also Proxmox (or will be) for a load of projects I've got coming up as my co-los are full/used currently. If you are still experiencing issues by the time mine's set up, I'll yell/share the config you need.
My estimate is it should be here best case on Friday (coming up) or by the following Wednesday.
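Added example, not code from anyone in this thread: the addressing plan from the earlier reply (a /128 on the WAN NIC with fe80::1 as gateway, the same address again with the /64 mask on the LAN NIC, VMs using that address as their gateway) laid out with Python's ipaddress module, plus the longest-prefix-match lookup that is the reason the "overlapping" /128 and /64 can coexist on one router. The /64 used here is a constructed documentation prefix; substitute the one Hetzner delegates to you.

```python
import ipaddress

# Constructed sample /64; substitute the prefix Hetzner delegates to your server.
HETZNER_PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")
HETZNER_GATEWAY = ipaddress.IPv6Address("fe80::1")  # link-local gateway Hetzner provides


def address_plan(prefix: ipaddress.IPv6Network, host_index: int = 1) -> dict:
    """Derive the interface addresses the reply describes from the delegated /64."""
    router = prefix[host_index]  # e.g. 2001:db8:1234:5678::1
    return {
        # single /128 on the WAN NIC, default route via fe80::1
        "wan": ipaddress.IPv6Interface(f"{router}/128"),
        "wan_gateway": HETZNER_GATEWAY,
        # the same address again on the LAN NIC, but with the /64 mask
        "lan": ipaddress.IPv6Interface(f"{router}/{prefix.prefixlen}"),
        # VMs use the router address as their IPv6 gateway
        "vm_gateway": router,
        "addresses_in_prefix": prefix.num_addresses,  # 2**64 for a /64
    }


def overlaps(plan: dict) -> bool:
    """True when the WAN /128 sits inside the LAN /64 (what pfSense warns about)."""
    return plan["wan"].network.overlaps(plan["lan"].network)


def next_hop_interface(plan: dict, destination: str) -> str:
    """Longest-prefix match over the connected and default routes, as the FIB does.

    The /128 is more specific than the /64, so the router's own address resolves
    to WAN, every other address inside the /64 resolves to LAN, and anything
    else falls through to the default route via the WAN gateway.
    """
    dest = ipaddress.IPv6Address(destination)
    routes = [
        (plan["wan"].network, "WAN"),
        (plan["lan"].network, "LAN"),
        (ipaddress.IPv6Network("::/0"), "WAN"),  # default route
    ]
    matching = [(net, name) for net, name in routes if dest in net]
    return max(matching, key=lambda r: r[0].prefixlen)[1]


if __name__ == "__main__":
    p = address_plan(HETZNER_PREFIX)
    for key, value in p.items():
        print(f"{key:20} {value}")
    print("overlap:", overlaps(p))
    for d in ("2001:db8:1234:5678::1", "2001:db8:1234:5678::10", "2001:db8::1"):
        print(d, "->", next_hop_interface(p, d))
```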
Hum, done differently but have a read here and try. Your mileage may vary.
Looks like a link-local address if I'm not mistaken on the WAN side.
p.s. OPNsense is a fork of pfSense (has more goodies on); have used it before, it's nice, but should be the same on yours.
It seems to be working! I’ll keep testing!
No. of host: 18446744073709551616
You might want to read up on Stateless address autoconfiguration (SLAAC) and privacy extensions to understand a little more.
While generally for a server they'd be static, it will give you more of an understanding if you are not aware.
Yeah, trying to wrap my head around it. Does Hetzner support SLAAC?
AFAIK, no, but you can run something like RADVD (think it's built into pfSense behind the scenes) and do it yourself.
Generally speaking most people who use IPv6 on servers usually statically assign.
For an IPAM db, if you don't have one I would highly suggest phpIPAM (https://phpipam.net/), best IMHO.
So it seems like there is no NAT, and to expose a port, I just allow it in the firewall?
One of the main reasons for IPv6 is to get away from NAT and the troubles it can cause. However, it is still possible to NAT but it's generally frowned upon.
If you go down the IPv6 route and use NAT v4 and LIVE/REAL IPv6 addresses, please don't forget to set up firewalls on the machines or use a transparent one on your router/firewall (in your case pfSense) and then only allow X port through.
I personally don't use pfSense so I can't say; what I would suggest is nmap it from another IPv6 enabled machine outside of your Hetzner network. Make sure you're seeing what you expect and not anything else.
I used this and it does ping back:
Now I just have to figure out how to allow connections to port(s)
Just make sure you're also not seeing something you shouldn't
You mean like another port open?
Yeah, i.e. firewall really doing its job aka you didn’t mess up the rules