Captive portal IPv6 support
Captive portal needs IPv6 support. ipfw fwd doesn't function with IPv6 last I heard, amongst other things that need work here for v6.
#2 Updated by Chris Buechler over 8 years ago
this is, like everything with IPv6, targeted for 2.1. This is likely the single most complex and time consuming piece (actually several pieces directly related to this) of anything outstanding with IPv6. We're seeking donations for IPv6 work in general, and specifically if you could put something towards this that would be very helpful. Please email me to discuss details - cmb at pfsense dot org.
#4 Updated by Chris Buechler about 8 years ago
- Target version changed from 2.1 to 2.2
there is a lot involved here, people will expect to auth both v4 and v6 IPs in a single shot which complicates everything. Our HSIA customers have indicated it's not an important feature in the immediate (or even foreseeable in some cases) future, and we're on too tight a schedule for 2.1 to get this done by then, so pushing to 2.2.
#8 Updated by Cyrill B over 7 years ago
- File CP_speedup.diff added
Yes, I believe there are only partial patches available for ipv6 fwd support for stable/8 such as http://www.freebsd.org/cgi/query-pr.cgi?pr=117214.
I didn't yet put any patches on github as they cannot be applied individually and they would break the current implementation.
So those modifications / patches are just tiny steps until full support. For now I have also modified and attached the CP_speedup.diff to support IPv6. The patch applies after the above 0001-MFC-r232865-r232868-and-r233478.patch (IPv6 tables support) which by the way applies to 8.3 release.
Before any of those patches can be included at least the context switching (CP_multi_instance_ipfw.diff) will have to be migrated and there are also changes required to the pfSense php module (or the ipfw binary will have to be used again). And of course to make everything work ipv6 fwd support will be needed.
#9 Updated by Cyrill B over 7 years ago
I'll just add this here so that it doesn't get lost:
Add IPv6 support to 'pfSense_ip_to_mac' function https://github.com/bsdperimeter/pfsense-tools/pull/57
#12 Updated by Cyrill B about 7 years ago
I assume there won't be any major changes anymore to 2.1 thus this feature will be integrated in 2.2? So I can either upload the patches here in a zip file or on github and create a pull request. What do you prefer?
I could also provide a working iso if someone wants to test it.
Maybe an admin can also cleanup my mess here and remove the files that I have previously attached, some of them required further modifications.
#13 Updated by Chris Buechler about 7 years ago
Go ahead and attach it here for now, though that will almost certainly require some updating to merge cleanly post-2.1, we don't want any v6 CP in 2.1. This likely will require a lot of work to be usable in real world scenarios for a variety of reasons and that's not something we can support for 2.1. I'll remove the files attached to this point.
#19 Updated by Cyrill B about 7 years ago
Attached is the zip file with the required patches. All files except for the patch captiveportal.inc.diff, which applies to the pfsense repository, are part of the pfsense-tools repository. Patches apply to the FreeBSD 8.3 sources and code in the master branch as of 2012-12-31.
If you just want to take a look at the code you can also do so on github on the ipv6_cp branch in my (pfsense)  and (pfsense-tools)  repositories. I also made an iso  for anyone that wants to do early testing of the IPv6 capability.I only tested a few Captive Portal use cases (e.g no radius) which seemed to work quite nicely, however there are still a few remaining issues which include:
- User needs to login / logout for IPv4 and IPv6 addresses
- The ipfw filter rules allow communication between IPv6 link-local addresses
- Captive Portal Settings GUI is not yet fully IPv6 compatible (e.g. only accepts IPv4 addresses under "Allowed IP Addresses")
#21 Updated by Thomas B over 6 years ago
Great work, and Thanks Cyrill.
Unfortunately I found another bug in the code, while setting up the CP for v6 in my network.
Since I'm using a central RADIUS authentication, there is an error shown while going through the captive portal.
There is a response on from the pfsense appliance, which says "Fatal Error: Error in converting address in /etc/inc/radius.inc on line 210"
I'm running the setup with a virtual machine.
Hopefully we can fix that somehow?
Thomas from Munich
#23 Updated by Martin Gollowitzer over 4 years ago
I just stumbled over this ticket after trying to find the reason for IPv6 not working in my guest WiFi. Since IPv6 is becoming more and more important (my ISP has started to switch customers to DS-Lite already), I think this feature would really be a big step towards better IPv6 adoption. I am willing to even through a little bit of money towards anyone who gets this included in one of the upcoming versions. Unfortunately, I am not a developer myself, but I can of course help with testing (and reading code, which is by far easier than writing). Please let me know what else I can do.
#28 Updated by A FL about 1 year ago
PHP RADIUS package (used for RADIUS authentication/accounting) is not IPv6 compatible, which is a captive portal dependency. That is one of the reasons why captiveportal does not support IPv6 yet.
If you want to contribute to this PHP package to implement IPv6, please feel free to do it : https://pear.php.net/package/Auth_RADIUS
#30 Updated by Mantas Mikulėnas about 1 year ago
Flole Systems wrote:
Unfortunately that site is down. However, I've done some additional research and it seems like others simply use string datatype for IPv6 Addresses instead of IP-Address Datatype. Any reason why this wouldn't work here?
Won't that mean the user will need to log in at least twice separately – once via IPv4 and once via IPv6? (Plus again every 10 hours if they have IPv6 tempaddr / 'privacy extensions' enabled.)
#31 Updated by Flole Systems about 1 year ago
If authentication is based on IP Address yes, if it would be based on MAC Address then no.
If it's not MAC based then there are quite a few other issues like pfsense only seeing the IPv4 Address and not the IPv6 or vice versa. Of course when using MAC based authentication you can't have another router between client and pfsense but I think thats a limitation most people won't care about (another option would be to make it configurable to enable IP based authentication and add a note that doing so breaks IPv6 Support).