IPv6 outbound, IPv4 inbound

Hi all,

excuse me for my English, I am Dutch.

At the moment I have a great network, with a couple of subnets, haproxy and OpenVPN, all working from a PfSense box. I get an IPv4 from my ISP and my internal network is also IPv4.

Soon my ISP will support full dual stack, so I can go on using my IPv4 network, but I also know that, whether I want it or not, IPv6 will be the future.

Now I was wondering if it is possible with PfSense to have an IPv6 outbound address and everything internal routed through IPv4. That would be the best of both worlds.

Thanks in advance!

I have been hearing “IPV6 IS THE FUTURE!” for years, but I have still not had a need for it.

Yes, it is doable. That's what routers do… transfer from one network to another.

Hey @LTS_Tom and @dwj7738 , thanks for your replies!

Tom: True, and I hope I don't need it either for a long time, but I want to be prepared when ISPs are going to force it.

dwj7738: That sounds like a relief, can you tell me how it’s done with pfsense?

This is not the same as routing, so it’s not possible out of the box. Your router would have to convert outgoing packets from IPv4 to IPv6 and vice versa for incoming packets. AFAIK, pfSense does not have that functionality.

Regarding the necessity of IPv6: It’s true that you don’t need it day to day as all the most popular services are still reachable via IPv4 and will continue to be for years to come. But IPv6 won’t become the more popular version of IP if your attitude is “I don’t need it” (looking at you, @LTS_Tom :stuck_out_tongue_winking_eye:). I personally always encourage people to go dual stack. Because it’s unfortunately also the fact that there are still some major internet players out there (e.g. Amazon) that don’t make their services available via IPv6, so ditching IPv4 altogether is currently not viable.

Enabling IPv6 in your network may bring some benefits to you, though. Since the IPv4 address shortage is very real, more and more ISPs enable CGNAT for residential customers, preventing you from hosting services at your home (like VPN to remotely access your NAS). On the other hand, most ISPs and mobile carriers support some form of IPv6 and have done so for some time now, so the only thing holding you back from using IPv6 for your own hosting is the willingness of network admins to implement it.

@paolo I totally agree with you and if dual stacking is the best option, I’ll go with that!

The problem is that there are not many good beginner tutorials online for the most common services, like dual stack OpenVPN, dual stack HaProxy and so on… or am I missing the secret stack of tutorials?

Ok, got the internet working, but now the weird part… I set my HaProxy to listen to the IPv6 WAN. I applied the same rules as IPv4 on the IPv6 WAN.

When I visit a website with IPv6, I get a pfSense page warning me about DNS rebind, and if I browse to the public IP address of my pfSense device, I get the pfSense login page. Even when I disable the IPv6 rules.

How’s that possible?

Keep in mind that when you go dual stack your IPv4 and IPv6 are two independent networks and they work a bit differently. You can't send traffic between them per se. What usually happens is that if you have IPv4 only and you need to hit something that is only IPv6, then a carrier along the route that is peered with an IPv6 provider will encapsulate the traffic for you, for example. pfSense can use some brokering services but is pretty limited last I checked, which was earlier this year.

When you enable IPv6 on your WAN interface your router will have two public IP addresses now. If your carrier is assigning addresses to all of your devices, such as when you set your LAN interface as a track interface, then each device on your LAN will have a public IPv6 address now. Really you just want to treat IPv4 and IPv6 each as their own thing and plan for the new architecture of IPv6, in this case not using NAT. You can do NAT, but then why bother using IPv6? Also, some devices such as those running Android do not support DHCPv6 and will have to assign their own addresses via SLAAC.

Overall I have found IPv6 to be a real pain. When I have used it with pfSense and Unifi in a scenario where the carrier assigns the IPv6 addresses (which is how you are “supposed” to do it vs using NAT) then neither Unifi or pfSense can “see” any clients. Sure, the firewall can block stuff, but your client page in Unifi will be blank and even the NDP table in pfSense will often not see your devices, only the IPv6 interfaces on pfSense. Unifi support says this is normal.

IPv6 becoming a thing is a lot like this being the year for the Linux desktop. It would be great, but device manufacturers need to get on board and make it happen and I don’t see that happening right now.

Fun stuff! Here is a good read on the subject of IP versions

@ex1580 Thanks for your reply!

I understand that IPv4 and 6 are completely different. I try to treat them as two different things.

I was trying to get my services that I have outbound through HaProxy (which is running on my PfSense) available via IPv6, by telling HaProxy to listen on the IPv6 WAN address of PfSense. But for some reason, traffic won't pass to HaProxy and only shows the PfSense login screen.

I don't like IPv6 either, but it will be necessary when ISPs are pushing CG-NAT in the future. Exactly the reason you are pointing out is why I would like to use NAT, just because in a couple of years we have to use IPv6…

I saw that book before… maybe I should buy it…

Banging my head against the wall… 433 is not the same as 443…


Some valid points there. IPv6 introduces some new tools and settings that you definitely need to be aware of (like SLAAC).

Concerning doing NAT vs not doing NAT: I would definitely advise against using NAT with IPv6, not from an operational standpoint, but as a matter of principle. IPv6 finally enables us to build networks the way they should be built. IPv4 NAT is great and adds some security, but I'm personally more comfortable with firewall rules.

Where I see a real benefit of NAT is in the fact that you are free to choose your own internal IP addresses. It would certainly be a pain if all your addresses changed every time your router restarts and gets assigned a different prefix. Luckily, pfSense supports Network Prefix Translation (NPt), which in my opinion (and for my use case) gets you the best of both worlds.


@paolo that’s indeed the reason why I like NAT. Full control over my internal network.

With NPt, I should use a ULA to translate to a GUA?

Yes, NPt translates entire prefixes arbitrarily. But in this case of course you want to convert between local fd00::/8 addresses and the prefix you were assigned by the ISP.

@paolo I'm starting to get it now, I think. Before I start translating the prefixes with NPt, I need to know the prefix.

My ISP gives me a /56, so on the WAN side I requested an IP address with a /56. That worked, I now have a working WAN IP.

Now my question is: how do I know what my prefix is? Is that the first 56 bits of the IP address that was given?

Yes, the prefix is always the first x bits of an address or range. By convention, each individual IPv6 subnet will have a /64 prefix. A network with a /56 prefix is larger than that, meaning you can subdivide it into 2^8 different /64 subnets. That's important because, just as with IPv4, you want to segment your network into different subnets (think 192.168.1.x, 192.168.2.x, etc). Some ISPs only give you a /64 network, which is fine in theory, since you could split that up into multiple, say, /72 networks. But some tools enforce the /64 convention and don't let you customize the size of the subnets, and you might run into problems there.

Another thing that might still hold you back is that you need to enter static prefixes in the NPt configuration. It cannot yet track the WAN prefix, so each time it changes you’ll have to go into pfSense and adjust the settings. Since my ISP didn’t offer IPv6 in the first place up until 2019 (sigh) and only a dynamic /64 afterwards, I used a tunnel broker by Hurricane Electric which worked quite well.

Thanks @paolo ! I learned a lot from you, thanks!! I can work with this!

The last part is unfortunate, but maybe I can run a script in the background or something to let that change automatically.
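The prefix arithmetic discussed in the last few posts (extracting the /56 from the address pfSense shows on WAN, carving it into /64s, and the ULA-to-GUA mapping that NPt performs) is easy to get wrong by hand, so here is an added worked example. It is not code from the original thread or from pfSense; the addresses are constructed (2001:db8::/32 is documentation space, the ULA prefix is made up), and `npt_translate` shows only the address mapping (prefix bits swapped, host bits kept), not the checksum handling the firewall does on the packet. The final function shows the idea behind the "script" mentioned above: recompute the NPt destination prefix whenever the delegated prefix changes.

```python
"""Dual-stack prefix math: delegated prefix, /64 subnets, NPt-style mapping.

Added example; values below are constructed, not taken from a real network.
"""
import ipaddress

# Hypothetical WAN address as pfSense would show it with the delegated length,
# and a hypothetical ULA /64 chosen for a LAN segment.
DELEGATED_ADDR = "2001:db8:abcd:1200::1/56"
ULA_LAN = ipaddress.IPv6Network("fd12:3456:789a::/64")
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")  # RFC 4193 ULA range


def delegated_prefix(addr_with_len: str) -> ipaddress.IPv6Network:
    """The prefix is the first N bits of the address with host bits zeroed."""
    return ipaddress.IPv6Interface(addr_with_len).network


def lan_subnets(prefix: ipaddress.IPv6Network, new_len: int = 64):
    """Carve the delegated prefix into per-segment /64s (256 of them for a /56)."""
    return list(prefix.subnets(new_prefix=new_len))


def npt_translate(addr: str, src_net: ipaddress.IPv6Network,
                  dst_net: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Swap src_net's prefix bits for dst_net's and keep the remaining bits.

    Like pfSense NPt, both prefixes must be the same length (e.g. /64 -> /64).
    Works in both directions: call it with (ULA, GUA) on the way out and
    (GUA, ULA) on the way in.
    """
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NPt needs equal prefix lengths")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src_net:
        raise ValueError(f"{ip} is not inside {src_net}")
    host_bits = 128 - src_net.prefixlen
    host_part = int(ip) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(dst_net.network_address) | host_part)


def npt_mapping(delegated_addr: str, ula_net: ipaddress.IPv6Network,
                subnet_index: int):
    """Return the (internal, external) pair an NPt rule would need.

    Re-running this after the ISP hands out a new prefix yields the new
    external /64 while the internal ULA side stays fixed, which is what a
    prefix-change script would push into the NPt configuration.
    """
    if ula_net.subnet_of(ULA_SPACE) is False:
        raise ValueError(f"{ula_net} is not a ULA prefix")
    gua_net = lan_subnets(delegated_prefix(delegated_addr))[subnet_index]
    return ula_net, gua_net


if __name__ == "__main__":
    prefix = delegated_prefix(DELEGATED_ADDR)
    print("delegated prefix:", prefix, "->", len(lan_subnets(prefix)), "/64s")
    internal, external = npt_mapping(DELEGATED_ADDR, ULA_LAN, 1)
    print("NPt rule:", internal, "<->", external)
    out = npt_translate("fd12:3456:789a::10", internal, external)
    print("outbound:", out, "inbound:", npt_translate(str(out), external, internal))
```

Note that `npt_mapping` picks the /64 by index, so the first segment keeps the same position inside the new /56 after a change; the ULA side, and therefore every internal address and firewall rule that references it, does not move.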

Always glad to help. Cheers.