Kitz Forum

Computers & Hardware => Networking => Topic started by: sotonsam on May 27, 2018, 10:47:55 PM

Title: Multi-Wan IPV6 - pfSense
Post by: sotonsam on May 27, 2018, 10:47:55 PM
What I'm trying to achieve is probably pretty overkill, but I'm just having a play...

Basically, now that I've got two WAN connections (AAISP and BT Infinity) I've been playing around with pfSense and Multi-Wan setups. This works fine if we're talking IPV4, nothing complicated about it.

However....I'm trying, for my sins, to get IPV6 failover working in conjunction with IPV4 failover. I've got two IPV6 WAN gateways from BT and AAISP respectively. I'm using my allocated addresses from AAISP to distribute IPV6 to my LAN. I’ve got two gateway groups – an IPV4 failover group and an IPV6 failover group – and then the subsequent LAN rules to support these.

What I'm finding is when I ditch connection 1 (AAISP) the IPV6 connectivity doesn't fail over. IPV4 works OK, but because I now have an IPV6 presence on my LAN it's still trying to look up sites like google/bbc etc. via their native IPV6 AAAA records....and I'm just on a go-slow until it gives up and swings to IPV4.

So, my question is......how can I get failover working so IPV6 fails over to my second WAN as well as my IPV4 currently does?

I'm still getting my head around ipv6, but I thought it's a decent opportunity to learn some more stuff!
Title: Re: Multi-Wan IPV6 - pfSense
Post by: Weaver on May 27, 2018, 11:11:10 PM
I'm unable to help as I don't speak pfsense.

Sincere apologies if the following is not helpful, or is all completely obvious.

There is a Plan B. If it turns out you can't get an answer to your present question, then AA can of course do the failover for you in the downstream direction if you either use their L2TP service or have both lines with AA. A Firebrick can certainly do failover in the upstream direction as part of its normal bonding, and then you would have double speed downstream as well as upstream all the time.

In the L2TP variant of this plan, L2TP costs more money, but you do get some more reliability because you have two ISPs, although there are two single points of failure, one at AA and the other at your local exchange or local cab BT backhaul network or whatever. The other variant of the plan, going for AA both lines saves money on L2TP and gives you double speed. Having a Firebrick costs the cost of a Firebrick obviously.
Title: Re: Multi-Wan IPV6 - pfSense
Post by: niemand on May 28, 2018, 12:43:59 AM
Your IPv6 addresses are public IPs owned by A&A. You cannot reach them directly via a BT connection. All the addresses of all the equipment including the LAN need to change, or you need to use perhaps ULAs and NAT.

Note that NAT is not a part of IPv6 natively. I have no idea if your kit would support it.

The only other route to take here would be the route Weaver mentioned. This is the only way you could keep using the A&A subnet while routing via another ISP.
Title: Re: Multi-Wan IPV6 - pfSense
Post by: Weaver on May 28, 2018, 01:37:13 AM
Agree with Ignitionnet. The AA L2TP service lets you use an IP address block you get from AA with any old ISP or with a mixture of several ISPs. Gives you enhanced reliability against equipment failure or link failure if done right, because you don't have any reliance on one ISP at your end, provided the ISPs have completely separate infrastructure at and near to your end of the path to you. One end could be 4G and the other a wired network for example. But it costs money.

That could also be used to get say IPv6 working when you don't have an IPv6 feed from ISP x, or am I wrong?
Title: Re: Multi-Wan IPV6 - pfSense
Post by: sotonsam on May 28, 2018, 01:42:31 AM
Thanks for the replies guys - amazingly, I've got it to work. It did require an IPV6 form of 1:1 NAT (NPt).

This means that if I pull the plug on my AAISP line, the failover kicks in and the NAT translates the IPV6 requests across to the BT IPV6 prefix.

A very headache inducing solution, but it works like a charm. I never thought I'd be doing NAT equivalent in IPV6...
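As an added illustration of what the NPt rule in that post does (example code, not anything from the thread or from pfSense itself): the LAN keeps the prefix delegated by the primary ISP, and when traffic has to leave via the backup WAN only the prefix bits are rewritten while the 64-bit interface identifier is preserved. The prefixes below are constructed documentation-range values standing in for the AAISP and BT delegations, and the gateway-state flag is an assumption used to show which way the packet goes.

```python
import ipaddress

# Constructed example prefixes (RFC 3849 documentation range, not real ISP allocations).
INTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:a::/48")   # stands in for the AAISP delegation on the LAN
EXTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:b::/48")   # stands in for the BT delegation on the backup WAN


def translate(addr, src_prefix, dst_prefix):
    """Stateless prefix translation: swap src_prefix for dst_prefix and keep the host bits.

    pfSense NPt requires the internal and external prefixes to be the same length,
    so the check below mirrors that constraint. Addresses outside src_prefix are
    returned untouched, as they would not match the rule.
    """
    if src_prefix.prefixlen != dst_prefix.prefixlen:
        raise ValueError("NPt needs equal-length internal and external prefixes")
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_prefix:
        return addr
    host_bits = 128 - src_prefix.prefixlen
    host_part = int(addr) & ((1 << host_bits) - 1)          # interface identifier and any subnet bits
    return ipaddress.IPv6Address(int(dst_prefix.network_address) | host_part)


def outbound(lan_addr, primary_up):
    """Source address a LAN packet leaves with, given whether the primary gateway is up.

    primary_up is an assumed stand-in for the pfSense gateway-group state: while the
    AAISP line is up the packet goes out natively; once it fails the NPt rule applies.
    """
    if primary_up:
        return ipaddress.IPv6Address(lan_addr)
    return translate(lan_addr, INTERNAL_PREFIX, EXTERNAL_PREFIX)


def inbound(wan_addr):
    """Reverse mapping for reply traffic arriving on the backup WAN."""
    return translate(wan_addr, EXTERNAL_PREFIX, INTERNAL_PREFIX)
```

Because only the prefix is rewritten, any application that embeds its own LAN address inside the payload will still carry the untranslated prefix, which is the failure mode raised further down the thread.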
Title: Re: Multi-Wan IPV6 - pfSense
Post by: Weaver on May 28, 2018, 01:53:14 AM
I am wondering if there might be problems with IPv6. Some application designers assume there is no such thing as NAT on IPv6 and so their systems may not work at all - the usual NAT problems where an application sends a packet that mentions its own sender’s address, or e.g. tells the other end to set up a reverse connection. Indeed, some applications specifically chose IPv6 solely to get away from NAT, Windows Messenger being one example which was IPv6-only post 2006 (if you did not have IPv6 it auto-set up a tunnel using the Teredo mechanism just to get IPv6 going - it needed it that badly).

If it works for a while, then great. But not to be recommended IMHO. Not everyone agrees with me. Some kitizens are big NAT fans, even on IPv6, but it makes me shudder.
Title: Re: Multi-Wan IPV6 - pfSense
Post by: niemand on May 28, 2018, 01:11:57 PM
Not sure if anyone is a fan of NAT; it's a solution to a problem but not something anyone could be a fan of. :D

It's fine. It has a place. Fully routed networks are better. Its main selling point apart from address conservation would be I suppose that it provides inbound security, however any stateful firewall does that.
Title: Re: Multi-Wan IPV6 - pfSense
Post by: Weaver on May 28, 2018, 01:39:50 PM
One kitizen whom I shall not name has expressed affection for IPv6 NAT to avoid renumbering, or to allow links to multiple ISPs or both, I forget the details.
Title: Re: Multi-Wan IPV6 - pfSense
Post by: Chrysalis on May 28, 2018, 02:07:46 PM
NAT isn't the ideal mechanism, but the job it does, it does well; consider the alternative, which is ISP-based conservation aka CG-NAT, urrrgh.

At the time NAT started being used by consumers, inbound firewalls were not common either, hence its reputation of also being a security feature.