
Configure 6in4 Tunnel in pfSense

Lawrence E. Hughes
18 November 2017

pfSense is a powerful, dual-stack (IPv4 + IPv6) open source firewall/router for x86 platforms. You can install it on a variety of platforms, including VirtualBox for building virtual multi-subnet networks. It can function as a fully operational dual-stack router, and because it has sophisticated controls over traffic flows, it is also a firewall. Free documentation is available online at https://doc.pfsense.org/index.php/Main_Page

Features (from the pfSense website)

- Firewall with stateful packet inspection
- Easy to use web-based graphical interface
- Installation setup wizard
- Configurable dashboard with many available widgets
- IPv4 and IPv6 support
- Wireless Access Point (must install a wireless interface which supports hostap mode), including VAP/MBSS support on certain chips
- Wireless client support (802.11 and 3G/4G with supported devices)
- Ability to set up and filter/isolate multiple interfaces (LAN, DMZ, etc.)
- Traffic shaping (ALTQ, limiters, 802.1p match/set, DiffServ/DSCP matching)
- State table controls (per-rule / per-host limits, timers, etc.)
- NAT (port forwards, 1:1 NAT, outbound NAT, NPt)
- Redundancy/high availability: CARP + pfsync + XMLRPC config sync allows for hardware failover; two or more firewalls can be configured as a failover cluster
- Multi-WAN support
- Server inbound load balancing
- Network diagnostic utilities such as ping, traceroute and port tests via the GUI (more with packages, such as nmap)
- VPN: IPsec (including Phase 2 NAT), OpenVPN, L2TP
- PPPoE server
- RRD graphs
- Real-time interface traffic graphs
- Dynamic DNS
- Captive portal
- DHCP server and relay (IPv4 and IPv6)
- Command line shell access (via console and SSH)
- Wake on LAN
- Built-in packet capture / sniffer
- Ability to back up and restore the firewall configuration via the web GUI
- Edit files via the web GUI
- Virtual interfaces for VLAN, LAGG/LACP, GIF*, GRE, PPPoE/PPTP/L2TP/PPP WANs, QinQ, and bridges
- Caching DNS forwarder/resolver
- Can be run in many virtualization environments
- Proxy server (using packages)

* The support for GIF pseudo-interfaces includes 6in4 tunneling from Hurricane Electric, which requires a public IPv4 address on the WAN interface of the firewall.

This writeup assumes you:

- Have installed pfSense on your firewall device (once this is done, you can remove any video display, keyboard and CD-ROM drive used during the install).
- Have an ISP account with a public IPv4 address.
- Have configured your ISP Customer Premises Equipment (modem, router, etc.) in bridge mode (no NAT, no DHCP, no firewalling), so that the public IPv4 address is available on the customer side of the CPE.
- Have configured a static IPv4 address on the LAN interface of your firewall (e.g. 172.21.0.1/16). No LAN IPv6 address is needed at this point.
- Have configured a DHCPv4 server on your firewall so that a client node connected to the LAN interface of the firewall gets an address that can reach the firewall's LAN interface (e.g. 172.21.3.1 / 255.255.0.0). The default gateway of the client node should be the LAN address of your firewall (e.g. 172.21.0.1). No DNS configuration is required at this time; you can point it at the LAN interface of the firewall for now.
- Have connected an Ethernet cable from the customer side of the ISP CPE to the WAN port of your firewall.
- Have connected another Ethernet cable from the LAN port of your firewall to the Ethernet interface of a client node (e.g. a notebook running Windows). The client node should do network configuration via DHCPv4.
- Can ping the firewall LAN interface from the client node (e.g. ping 172.21.0.1).

On my network, the ISP account looks like the following (as documented by the ISP). Since my address is static and configured via the ISP's DHCPv4, I don't really need to know these things.

- IPv4 public address: 101.100.162.253/24, configured via ISP DHCPv4
- IPv4 upstream gateway: 101.100.162.1, configured via ISP DHCPv4
- IPv4 DNS server addresses: 101.100.188.23 and 103.7.200.10, configured via ISP DHCPv4

Verify ISP Network CPE Device Configuration

Connect a client node (e.g. a notebook running Windows) with an Ethernet cable to the customer side (RJ45) of your ISP CPE. The client node should use DHCPv4 to configure the network interface and DNS.

    [ISP CPE] ==> Ethernet interface of client node

Verify that the client computer configures your public IP address as the node address, the correct subnet mask, the correct upstream gateway as the default gateway, and the DNS addresses provided by your ISP. If your ISP does not use DHCPv4, configure your client node manually as per their connection information (e.g. static IPv4 address).

Check the network configuration on the client node with ipconfig. (The capture below was taken with the client behind the firewall's LAN, as its DHCP Server line of 172.21.0.1 shows; when the client is connected directly to the CPE, expect the public address, the ISP subnet mask, the ISP gateway and the ISP DNS servers in the same fields.)

    C:\Users\lhughes>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : LEHNB10
       Primary Dns Suffix  . . . . . . . : hughesnet-sg.org
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : hughesnet-sg.org
                                           ph.sixscape.net

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . : ph.sixscape.net
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : 54-EE-75-98-A4-BF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::4000:a636:10cb:36a9%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.21.3.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Lease Obtained. . . . . . . . . . : Saturday, November 18, 2017 1:36:51 PM
       Lease Expires . . . . . . . . . . : Saturday, November 18, 2017 3:20:49 PM
       Default Gateway . . . . . . . . . : fe80::1:1%11
                                           172.21.0.1
       DHCP Server . . . . . . . . . . . : 172.21.0.1
       DHCPv6 IAID . . . . . . . . . . . : 257224309
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1F-E2-B5-17-54-EE-75-98-A4-BF
       DNS Servers . . . . . . . . . . . : 172.21.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List : ph.sixscape.net

Try pinging an external IPv4 address from the client node. (The capture below, also taken behind the firewall, pings the firewall LAN address 172.21.0.1; connected directly to the CPE, ping the ISP upstream gateway or another external address instead.)

    C:\Users\lhughes>ping 172.21.0.1

    Pinging 172.21.0.1 with 32 bytes of data:
    Reply from 172.21.0.1: bytes=32 time<1ms TTL=64
    Reply from 172.21.0.1: bytes=32 time<1ms TTL=64
    Reply from 172.21.0.1: bytes=32 time<1ms TTL=64
    Reply from 172.21.0.1: bytes=32 time<1ms TTL=64

    Ping statistics for 172.21.0.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

You should also be able to surf to an IPv4 website using any browser on your client node (e.g. http://www.whatismyipaddress.com).

Insert the pfSense Firewall Between the ISP CPE and the Client Node

Disconnect the Ethernet cable from the Ethernet interface of the client node and plug that cable into the WAN interface of the firewall (e.g. em0).

    [ISP CPE] ==> [FW WAN Interface]

Connect another Ethernet cable from the LAN interface of the firewall to the Ethernet interface of the client node.

    [FW LAN Interface] ==> Ethernet interface of client node

Use ipconfig on the client node to verify that the client node still gets a valid private network configuration via DHCPv4, e.g. node address 172.21.3.1, subnet mask 255.255.0.0, default gateway 172.21.0.1, and some DNS addresses.

Browse to the pfSense web configurator from the client node: https://172.21.0.1 (or whatever you configured as your LAN IP address).
It will complain that the server certificate is untrusted (it is self-signed); connect anyway (how you do this depends on the browser you are using). You should see the login page. Log in as admin, using the password configured during the pfSense install. You should now see the pfSense dashboard in your browser.

View the WAN interface configuration under Interfaces / WAN. Click Save, then Apply Changes.

Now view the status of all interfaces under Status / Interfaces. If you are using DHCPv4 for WAN configuration, you may need to click the Release button, then Renew. You should see your WAN configuration (IPv4 address, subnet mask, IPv4 gateway, DNS) appear. The LAN interface should also show the correct configuration.

On your client node, you should now be able to ping external addresses right through the firewall:

    C:\Users\lhughes>ping 4.2.2.2

    Pinging 4.2.2.2 with 32 bytes of data:
    Reply from 4.2.2.2: bytes=32 time=9ms TTL=59
    Reply from 4.2.2.2: bytes=32 time=11ms TTL=59
    Reply from 4.2.2.2: bytes=32 time=9ms TTL=59
    Reply from 4.2.2.2: bytes=32 time=8ms TTL=59

    Ping statistics for 4.2.2.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 8ms, Maximum = 11ms, Average = 9ms

You should also be able to surf to IPv4 sites (e.g. http://whatismyipaddress.com). Note that such a site shows the public IPv4 address on the outside of your NAT gateway, not the private IPv4 address of your node. The firewall is currently performing NAT44 between the internal LAN block (172.21.0.0/16) and your public IPv4 address.

You now have basic IPv4 service configured. Let's move on to implementing the tunneled IPv6 from Hurricane Electric.

First we need to add a firewall rule to allow Hurricane Electric to ping your public IPv4 address. This is necessary because Hurricane Electric will only create a tunnel if it can ping the public IPv4 address you give as the tunnel endpoint; by default the pfSense WAN rules block all unsolicited inbound traffic, including ICMP echo requests.
Go to Firewall / Rules / WAN and click "Add rule to end of list" (the Add button with the down arrow). Add a rule that passes ICMPv4 Echo Request to the WAN address. The source may be any address, but it is better to restrict it to the IPv4 address of the Hurricane Electric tunnel server you intend to use; alternatively, once the tunnel has been created, you can disable or remove this rule.
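The tunnel endpoint you give Hurricane Electric must be the public IPv4 address on the firewall's WAN interface (see the assumptions above: a public address, with the CPE in bridge mode). A quick way to confirm this before requesting the tunnel is to check that the WAN address is not an RFC 1918 or carrier-grade NAT (100.64.0.0/10) address, the two most common reasons the endpoint turns out to be unreachable. The POSIX shell check below is an added example written for this page, not code from the original article or from pfSense; the WAN interface name em0 and the "inet <addr>" line format of ifconfig are assumptions.

```shell
#!/bin/sh
# Added example for this page, not code from the original article or from pfSense.
# Checks that the address on the WAN interface is a public IPv4 address, which
# is what a 6in4 tunnel endpoint requires. An RFC 1918 or CGNAT (100.64.0.0/10)
# address on WAN means the ISP CPE is still routing/NATing instead of bridging,
# and Hurricane Electric's ping of the endpoint will never reach pfSense.
# Assumptions: the WAN interface name (em0) and "inet <addr>" ifconfig output.

# Split $1 on dots into o1..o4; anything after the fourth dot lands in o5.
split_ipv4() {
    IFS=. read -r o1 o2 o3 o4 o5 <<EOF
$1
EOF
}

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    split_ipv4 "$1"
    [ -z "$o5" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a globally routable unicast IPv4 address. Otherwise print
# the reason on stdout and return 1.
is_public_ipv4() {
    valid_ipv4 "$1" || { echo "not an IPv4 address"; return 1; }
    split_ipv4 "$1"
    if   [ "$o1" -eq 10 ]; then echo "RFC 1918 (10/8)"
    elif [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo "RFC 1918 (172.16/12)"
    elif [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; then echo "RFC 1918 (192.168/16)"
    elif [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]; then echo "CGNAT (100.64/10)"
    elif [ "$o1" -eq 127 ]; then echo "loopback (127/8)"
    elif [ "$o1" -eq 169 ] && [ "$o2" -eq 254 ]; then echo "link-local (169.254/16)"
    elif [ "$o1" -eq 0 ]; then echo "this network (0/8)"
    elif [ "$o1" -ge 224 ]; then echo "multicast/reserved (224/4, 240/4)"
    else return 0
    fi
    return 1
}

# First IPv4 address on an interface (FreeBSD and Linux ifconfig both print
# "inet <addr> ..."). The default interface em0 is an assumption.
wan_ipv4() {
    ifconfig "${1:-em0}" 2>/dev/null | awk '/inet /{print $2; exit}'
}

# Verdict for one interface: returns 0 if its address can be a 6in4 endpoint.
# Usage from a pfSense shell:  . ./check_wan.sh && check_wan em0
check_wan() {
    addr=$(wan_ipv4 "$1")
    if reason=$(is_public_ipv4 "$addr"); then
        echo "WAN $1 has public IPv4 $addr: usable as a 6in4 endpoint"
    else
        echo "WAN $1 address '$addr' is not public ($reason): check that the CPE is in bridge mode"
        return 1
    fi
}
```

If the check reports a CGNAT or RFC 1918 address, the CPE is still translating and no WAN firewall rule will make Hurricane Electric's ping succeed; fix the CPE (bridge mode, or ask the ISP for a routable address) before creating the tunnel.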