interface IncomingTunnel0
 ipv6 traffic-filter exterior-in6 in
 ipv6 traffic-filter exterior-out6 out

interface LocalLan0
 ipv6 traffic-filter interior-in6 in
 ipv6 traffic-filter interior-out6 out

ipv6 access-list exterior-in6
 evaluate exterior-reflect sequence 1
 permit ipv6 any host EXTERNAL_ROUTER_ADDRESS sequence 10
 permit tcp any host INTERNAL_ROUTER_ADDRESS eq 22 sequence 11
 permit tcp any host INTERNAL_SERVER_ADDRESS eq 22 sequence 100
 permit icmp any any sequence 800
 deny ipv6 any any sequence 1000

ipv6 access-list exterior-out6
 sequence 10 permit ipv6 MY_ASSIGNED_SUBNET::/48 any reflect exterior-reflect

ipv6 access-list interior-in6
 permit ipv6 fe80::/10 any
 permit ipv6 INTERNAL_LAN_SUBNET::/64 any

ipv6 access-list interior-out6
 permit ipv6 any any

Thank you so much for putting this information in your BLOG. Are you happy with your firewall settings? I’m totally new to the IOS firewall so I used your settings for my IPv6 tunnel on a CISCO 871W. Everything seems to work pretty well except traceroute commands from both clients and the router. Are you able to do a “traceroute ipv6 ipv6.google.com” using your firewall settings?

Paul

If you create configuration files in /etc they will not be recognized by IET. So the paths would be:

/etc/iet/initiators.allow
/etc/iet/ietd.conf

I do not know which release this started with, the last time I built an IET SAN was a few years ago.

Not necessarily. On Centos 5.5, /etc/init.d/iscsi-target was created, but not linked to any runlevel.

chkconfig –add iscsi-target
chkconfig iscsi-target on

i have configured same configuration on my M7i router. but it’s showing error message.

please check the nat configuration

services {
nat {
pool campus-out {
address 192.168.0.53/32;
port automatic;
}
rule nat-out {
match-direction output;
term 1 {
then {
translated {
source-pool campus-out;
translation-type {
source dynamic;
}
}
}
}
}
rule nat-in {
match-direction input;
term all {
then {
no-translation;
}
}
}
}
service-set campus-service-set {
##
## invalid path element ‘ipsec-vpn-rule-sets’ …..(Error message)
##
nat-rules nat-out;
nat-rules nat-in;
interface-service {
service-interface sp-1/2/0.0;
}
}
}

I think you’ve totally missing the point we’re making, when you say “it’s extremely difficult to get ipv6 without using a tunnel”. What PFsense urgently needs (for 1.2.3 and not just the oh-so-mythical-and-long-promised-but-never-finished2.0) is a way to get tunneled IPv6 on it as the endpoint, because that’s the only way that most individuals and businesses are going to be getting v6 for some considerable time.

Only 1 ISP where I live can even offer native IPv6, and they are 120$ a month for basic ADSL. Tunnels, however, are free, functional, available over 15$ a month ADSL, yet appear to have been ignored by the PFsense developers for _far_ too long, giving the impression that pfsense is now a legacy appliance. The situation is much the same worldwide.

I’ve been using (at home) and recommending (to work customers) PFsense for years now, yet all but two of the pfsense boxes at those customers have been ripped out in a purge of v4-only equipment, as the replacement cycle dictates that dual-stack equipment is now required. The irony is, of course, that PFsense is dual-stack but the GUI code screws up attempts to use IPv6 properly.

The gap between PFsense 1.2.3 and the long-awaited 2.0 has been filled by Cisco, much to my dismay, due to the slow response to requests for IPv6 in the GUI.
Those customers will now be PFsense-less for 3-5 years until the Ciscos come up for replacement again, a tragic loss.

Most of these companies (sohos to smb’s) bought the wonderful book about PFsense 1.2.3 but were rather annoyed to find that it’s the “end of the line”.
We can only wonder at how much useful bounty and contributed code has been lost due to abandoning 1.2.3 and ignoring IPv6 for so long.

……sometimes you have to hear it from your nearest and dearest, but it had to be said, sorry