pfSense

I've started ipv6 work on pfSense-smos clone and I've started running into the 1st few issues which I'm documenting here and hoping for some code fixes.

Apinger needs to handle icmpv6 and the use of ipv6 addresses for the source and destination address. It appears to accept the destination address without much issue. But the later added srcip functionality logs a message. I am not sure if apinger ever supported the ipv6 type.
Oct 22 16:58:15 apinger: Bad srcip address 2001:470:1f15:daa::2 for target 2001:470:1f15:daa::1
Oct 22 16:58:15 apinger: Bad srcip address 2001:470:1f15:674::2 for target 2001:470:1f15:674::1

The pfSense module which is a binary blob is proving to be causing a few issues here and there as I can't code and setting up a builder just to get the basic functionality is a bit daunting.
A quick look at the C code revealed that adding a case for AF_INET6 should be enough to get the correct subnet information.

I've added a few lines of code that use the old style exec() calls to gather the required information. These are documented and will need to be replaced.
we can have seperate default gateways for IPv4 and IPv6, this should work as expected.
I can not ping the gateway yet, disabling pf gets my replies. Might be related to the global ipv6 disable toggle.
Only static ipv6 is configurable on the interfaces.php at this point and the addresses are succesfully assigned.

I've skipped processing the fe80:: link local addresses at this point.
sysctl net.inet6.ip6.auto_linklocal=0
Disables the link-local addresses for now. Not going there.

Added sysctl to enable ipv6 forwarding.
net.inet6.ip6.forwarding=1 Allow forwarding of IPv6 traffic 1

I've added inet6 icmp rules as it appears the default outbound firewall rules are not good enough. What works fine for ipv4 doesn't for ipv6. http://lists.freebsd.org/pipermail/freebsd-doc/2007-May/012450.html

I've added a barebones rule so that icmp works.
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {neighbradv,neighbrsol,routeradv}
PING6 2001:470:1f15:674::2 --> 2a00:1450:8001::63
16 bytes from 2a00:1450:8001::63, icmp_seq=0 hlim=56 time=11.714 ms

Having a look at userspace now to see if apinger can be fixed.

dhcpv6 and autoconfig not looked at yet.

/usr/sbin/rtadvd is already in the image, needs a config to enable LAN routing for route advertisements.

patch checked in to git that should fix apinger for ipv6. It's now showing both my ipv4 wans up as well as the ipv6 gateways.

For the firewall rules I have added a drop down on the firewall rules edit page which allows selection of ipv4 or ipv6.
This sets the inet or inet6 tag on the firewall rule. With a quick check on a online ipv6 port scan website I've been able to verify the operation of ipv6 icmp and tcp firewall rules to the ipv6 wan address.
I have defined the "ipprotocol" variable on the firewall rule array that defines if it should apply to ipv6 or ipv4 traffic. No existing tag defaults to inet which should have no impact on firewalling. Would this cause issues with all rules?

This is also used to determine if we need to use the ipv6 addresses in the firewall rules over the ipv4 addresses.

The firewall rules page now displays if it applies to ipv4 or ipv6.

gen_subnet() needs to become ipv6 aware
trying to delete a ipv6 state from the traffic states results in an error.
filterdns needs to understand the /128 subnetmask of ipv6 hostnames. It throws a invalid subnet error.

Created a forum topic and added a quick howto to get a /64 routed onto the LAN via a he.net tunnelbroker.
http://forum.pfsense.org/index.php/topic,26469.msg153037.html#msg153037

I can't envision any scenario where you'd need proxy NDP, though maybe something will come up in the future. On the remaining items, I opened individual tickets for those.