Hetzner, IPv6 and routing with PfSense

Hetzner has a peculiar way of handling IPv6. They point your IPv6 block at one MAC address and it's up to you how you deal with it. There are numerous examples out there of how to do it with KVM-based systems, such as plain Linux installations running KVM virtuals or dedicated KVM distributions such as Proxmox. But what if you run VMware ESXi, Citrix XenServer or its excellent open-source version, XCP-ng?

Hetzner's go-to answer is installing a Linux virtual, pointing the IPv6 block to it and then letting the virtual handle the routing. I'm sure this works just fine, but I saw the whole concept as overkill, as there are dedicated firewall distributions that run with lean resources and are very easy to back up and maintain.

So, I thought PfSense would have been documented in a million places. Nope, just those lone forum posts of "Does anyone know how to do this?" followed by either zero replies or replies that didn't contribute anything. So, here's how I did it, and it works just fine. I assume that ESXi or Xen is already installed and you know how to use it.

First, go into Hetzner's Robot interface and get yourself an extra IPv4 address. Once it's set up, request a separate MAC address for it (little network card and screen icon next to the IP). Make a note of the new MAC address you get.

Create a new virtual machine. Set it up using the FreeBSD template and install PfSense on it. For the WAN interface, use the MAC address you got previously from the Robot interface.

Configure the IPv4 address you got from Hetzner, then decide what the IPv6 address of the new router, PfSense, will be. I'm going to use 123:456:678::1 here. Select a 64-bit netmask (/64). Use fe80::1 as the IPv6 gateway.

From PfSense's settings, go to Advanced -> Networking and make sure Allow IPv6 is checked.

Next, go to Firewall -> Aliases and create a new alias of type "Host(s)". I'll call it HETZNER_VIRTUALS here. Add all the IPv6 addresses your virtual machines will use. For this example, I'll use 123:456:678::20.

Next, go to Firewall -> Rules and create three rules for the WAN interface, in this order:

Rule 1: "Block Hetzner virtuals to firewall"
  Action: Reject
  Address Family: IPv6
  Source: Single host or alias -> HETZNER_VIRTUALS
  Destination: This firewall (self)

Rule 2: "Allow ANY to Hetzner virtuals"
  Action: Pass
  Address Family: IPv6
  Source: ANY
  Destination: Single host or alias -> HETZNER_VIRTUALS

Rule 3: "Allow Hetzner virtuals to ANY"
  Action: Pass
  Address Family: IPv6
  Source: Single host or alias -> HETZNER_VIRTUALS
  Destination: ANY

If you're wondering, you could also use the whole block in the rules, but I personally preferred to route only to the machines I have. At this point you should be able to use ping6 from PfSense's shell to ping hosts outside.
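PfSense evaluates WAN rules top-down and the first match wins, so Rule 1 has to sit above Rule 3 or the virtuals would be allowed to reach the firewall itself. The following is an added example, not part of the original post or of PfSense: a small model of that first-match evaluation, using the post's placeholder addresses, that checks what each of the three rules lets through and what happens if the order is swapped.

```python
# Added example: minimal model of pfSense's top-down, first-match WAN rule
# evaluation, used to check the three IPv6 rules from the post.
# Addresses are the post's placeholders: 123:456:678::1 is the firewall's
# WAN address, 123:456:678::20 is the one guest in the HETZNER_VIRTUALS alias.
from dataclasses import dataclass
from ipaddress import IPv6Address, ip_address
from typing import List, Optional

FIREWALL_SELF = frozenset({IPv6Address("123:456:678::1")})       # "This firewall (self)"
HETZNER_VIRTUALS = frozenset({IPv6Address("123:456:678::20")})   # alias from the post


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "pass" or "reject"
    src: Optional[frozenset]       # None models "ANY"
    dst: Optional[frozenset]       # None models "ANY"; FIREWALL_SELF models "self"

    def matches(self, src: IPv6Address, dst: IPv6Address) -> bool:
        return (self.src is None or src in self.src) and (self.dst is None or dst in self.dst)


# The three WAN rules in the order the post gives them.
RULES = [
    Rule("Block Hetzner virtuals to firewall", "reject", HETZNER_VIRTUALS, FIREWALL_SELF),
    Rule("Allow ANY to Hetzner virtuals", "pass", None, HETZNER_VIRTUALS),
    Rule("Allow Hetzner virtuals to ANY", "pass", HETZNER_VIRTUALS, None),
]


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """Return the action of the first matching rule; no match falls through to
    pfSense's implicit default block on the WAN interface."""
    s, d = ip_address(src), ip_address(dst)
    if s.version != 6 or d.version != 6:
        return "block"  # the rules are IPv6 only; IPv4 is left to the default deny
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return "block"


def check_order(rules: List[Rule]) -> bool:
    """True when a virtual cannot reach the firewall itself, i.e. Rule 1 is
    effective; False for an ordering that lets Rule 3 match first."""
    return evaluate(rules, "123:456:678::20", "123:456:678::1") != "pass"


if __name__ == "__main__":
    print("post's order is safe:", check_order(RULES))                   # True
    print("Rule 3 first is safe:", check_order(list(reversed(RULES))))    # False
```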

Now that PfSense is set up, install your guest OS. I'll use 123:456:678::20 for my example, with 123:456:678::1 as its gateway. Note that you may need to create reverse DNS for the IP for it to actually work.

After the installation, traceroute6 should show that traffic goes through 123:456:678::1 on its way out, and the same in the other direction.