@dem 2.5.2

@jknott
On the interface status page it is showing the link local and an IPV6 address. So, I am assuming so.

If some sites work, but others don't, it's not likely a pfSense issue. What comes to mind is the site has an IPv6 address, but it's not working properly. However, in that case, it should time out and switch to IPv4.

Can you do a packet capture of what happens when those sites fail?

***Edit: About 30-some hours later IPv6 came back, on it's own. Guessing some local oddity or something....

Anyone having any oddities with IPv6 today? My wife mentioned today that "the internet started running like crap" around 11am-ish. I'm assuming around that time is when the IPv6 issue happened, and devices ran bad until they realized that IPv6 was dead and fell back to IPv4. I've had IPv6 for weeks now w/o issues, and no recent config changes so it's unexpected.

Nothing really jumps out at me in the log. I connected to my neighbor's Verizon-provided router, and they don't seem to have IPv6 connectivity either, when they also have previously had it like me. Looks like pfsense is keeping the prefix, and the WAN link-local address is showing as online as well, so that part of the connection is working...

Maybe locally (Newport News, VA) there's some sort of work, or IPv6 outage for some reason.

Verbose log below if anyone sees anything interesting!

Jun 30 20:24:28 dhcp6c 73904 got an expected reply, sleeping. Jun 30 20:24:28 dhcp6c 73904 removing server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00) Jun 30 20:24:28 dhcp6c 73904 removing an event on igb0, state=REQUEST Jun 30 20:24:28 dhcp6c 73904 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated Jun 30 20:24:28 dhcp6c 84659 dhcp6c REQUEST on igb0 - running rtsold Jun 30 20:24:26 dhcp6c 73904 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh Jun 30 20:24:26 dhcp6c 73904 add an address 2600:4040:13e5:1a35:21b:21ff:fe73:d35d/64 on igb3 Jun 30 20:24:26 dhcp6c 73904 add an address 2600:4040:13e5:1a20:21b:21ff:fe73:d35c/64 on igb2 Jun 30 20:24:26 dhcp6c 73904 add an address 2600:4040:13e5:1a10:21b:21ff:fe73:d359/64 on igb1 Jun 30 20:24:26 dhcp6c 73904 create a prefix 2600:4040:13e5:1a00::/56 pltime=7200, vltime=7200 Jun 30 20:24:26 dhcp6c 73904 make an IA: PD-0 Jun 30 20:24:26 dhcp6c 73904 dhcp6c Received REQUEST Jun 30 20:24:26 dhcp6c 73904 IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200 Jun 30 20:24:26 dhcp6c 73904 get DHCP option IA_PD prefix, len 25 Jun 30 20:24:26 dhcp6c 73904 IA_PD: ID=0, T1=3600, T2=5760 Jun 30 20:24:26 dhcp6c 73904 get DHCP option IA_PD, len 41 Jun 30 20:24:26 dhcp6c 73904 DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00 Jun 30 20:24:26 dhcp6c 73904 get DHCP option server ID, len 26 Jun 30 20:24:26 dhcp6c 73904 DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX Jun 30 20:24:26 dhcp6c 73904 get DHCP option client ID, len 14 Jun 30 20:24:26 dhcp6c 73904 receive reply from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0 Jun 30 20:24:26 dhcp6c 73904 reset a timer on igb0, state=REQUEST, timeo=0, retrans=955 Jun 30 20:24:26 dhcp6c 73904 send request to ff02::1:2%igb0 Jun 30 20:24:26 dhcp6c 73904 set IA_PD Jun 30 20:24:26 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:26 dhcp6c 73904 set option request (len 4) Jun 30 20:24:26 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:26 dhcp6c 73904 set server ID (len 26) Jun 30 20:24:26 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:26 dhcp6c 73904 a new XID (803dba) is generated Jun 30 20:24:26 dhcp6c 73904 Sending Request Jun 30 20:24:26 dhcp6c 73904 picked a server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00) Jun 30 20:24:25 dhcp6c 73904 reset timer for igb0 to 0.995807 Jun 30 20:24:25 dhcp6c 73904 server ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00, pref=-1 Jun 30 20:24:25 dhcp6c 73904 IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200 Jun 30 20:24:25 dhcp6c 73904 get DHCP option IA_PD prefix, len 25 Jun 30 20:24:25 dhcp6c 73904 IA_PD: ID=0, T1=3600, T2=5760 Jun 30 20:24:25 dhcp6c 73904 get DHCP option IA_PD, len 41 Jun 30 20:24:25 dhcp6c 73904 DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00 Jun 30 20:24:25 dhcp6c 73904 get DHCP option server ID, len 26 Jun 30 20:24:25 dhcp6c 73904 DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX Jun 30 20:24:25 dhcp6c 73904 get DHCP option client ID, len 14 Jun 30 20:24:25 dhcp6c 73904 receive advertise from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0 Jun 30 20:24:25 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=4, retrans=16326 Jun 30 20:24:25 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:25 dhcp6c 73904 set IA_PD Jun 30 20:24:25 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:25 dhcp6c 73904 set option request (len 4) Jun 30 20:24:25 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:25 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:25 dhcp6c 73904 Sending Solicit Jun 30 20:24:17 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=3, retrans=8065 Jun 30 20:24:17 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:17 dhcp6c 73904 set IA_PD Jun 30 20:24:17 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:17 dhcp6c 73904 set option request (len 4) Jun 30 20:24:17 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:17 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:17 dhcp6c 73904 Sending Solicit Jun 30 20:24:13 dhcpleases 23855 Could not deliver signal HUP to process 69147: No such process. Jun 30 20:24:13 dhcpleases 23855 Sending HUP signal to dns daemon(69147) Jun 30 20:24:13 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=2, retrans=3982 Jun 30 20:24:13 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:13 dhcp6c 73904 set IA_PD Jun 30 20:24:13 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:13 dhcp6c 73904 set option request (len 4) Jun 30 20:24:13 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:13 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:13 dhcp6c 73904 Sending Solicit Jun 30 20:24:11 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=1, retrans=2083 Jun 30 20:24:11 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:11 dhcp6c 73904 set IA_PD Jun 30 20:24:11 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:11 dhcp6c 73904 set option request (len 4) Jun 30 20:24:11 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:11 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:11 dhcp6c 73904 Sending Solicit Jun 30 20:24:10 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091 Jun 30 20:24:10 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:10 dhcp6c 73904 set IA_PD Jun 30 20:24:10 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:10 dhcp6c 73904 set option request (len 4) Jun 30 20:24:10 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:10 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:10 dhcp6c 73904 a new XID (b8cbfb) is generated Jun 30 20:24:10 dhcp6c 73904 Sending Solicit Jun 30 20:24:09 dhcp6c 73904 reset a timer on igb0, state=INIT, timeo=0, retrans=891 Jun 30 20:24:09 dhcp6c 73792 called Jun 30 20:24:09 dhcp6c 73792 called Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[8] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-len] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[53] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-id] (6) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb3] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix-interface] (16) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[8] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-len] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[32] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-id] (6) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb2] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix-interface] (16) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[8] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-len] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[16] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-id] (6) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb1] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix-interface] (16) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[infinity] (8) Jun 30 20:24:09 dhcp6c 73792 <3>[56] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[/] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[::] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix] (6) Jun 30 20:24:09 dhcp6c 73792 <13>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <13>[0] (1) Jun 30 20:24:09 dhcp6c 73792 <13>[pd] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[id-assoc] (8) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>comment [# we'd like nameservers and RTSOLD to do all the work] (53) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>["/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"] (46) Jun 30 20:24:09 dhcp6c 73792 <3>[script] (6) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[domain-name] (11) Jun 30 20:24:09 dhcp6c 73792 <3>[request] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[domain-name-servers] (19) Jun 30 20:24:09 dhcp6c 73792 <3>[request] (7) Jun 30 20:24:09 dhcp6c 73792 <3>comment [# request prefix delegation] (27) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[0] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[ia-pd] (5) Jun 30 20:24:09 dhcp6c 73792 <3>[send] (4) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb0] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[interface] (9) Jun 30 20:24:09 dhcp6c 73792 skip opening control port Jun 30 20:24:09 dhcp6c 73792 failed initialize control message authentication Jun 30 20:24:09 dhcp6c 73792 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory Jun 30 20:24:09 dhcp6c 73792 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX

@junicast
To whom it may concern.

We just migrated to different hardware and the original problem with reloading firewall rules is now resolved big relief.
Actually it happened again. I suspect the Intel X170 are just bad and the update to pfSense 2.6 triggers this problem.

Jun 30 10:24:05 fw3-rx kernel: ixl0: Interface stopped DISTRIBUTING, possible flapping

The other problem persists. Neighbor discovery fails and the reason is that the primary firewall uses its Global Unicast address in the source field instead of the Link Local address.

At first I though some NAT rules might be the reason for that but after deactivation the problem persists.

I checked that all interfaces have a Link Local address assigned so that also isn't the reason.

Does someone have an idea under what circumstances this might happen?

d97a8679-c393-4c06-ad30-bbd11056ccf7-image.png

@jimp Working fine here too 👍

@vortex21
Hi, Upgraded to 22.05 release today and after reboot the IPv6 WAN gateway monitoring reported 100% packet loss, saving the WAN interface again and applying changes fixed it as before

@hsv I noticed problems with IPv6 too, but for me these are not general but individual to an interface. For example, because mine is virtual and I deleted a "faulty" interface, added a new one and problem was gone (new MAC address etc.). So maybe try this four your installation too, if you can.

@jbattermann I used :1::1/64 as the gateway address and the following in the RA section as I have Apple devices :-

Screenshot 2022-06-24 at 20.00.36.png

Even if there is something that needs to be done upstream in the dhcp6 port, there's still code that needs to be done to add support for the functionality to pfSense... A checkbox to use such option (if desired) in the GUI, logic to exclude the prefix specified in the option from being able to be selected, or send a notification if it's already selected (i.e. the prefix ID specified by the option changed and the new ID is already in use, or a user changes ISPs and is already using the prefix ID that the new ISP is excluding), updating the WAN address if/when the prefix changes... there might even be other stuff I've not thought of.

Also, I'm a pfSense user. If a change needs to be submitted upstream, a pfSense developer would probably be better to be submitting those requests than me. They likely know a lot more about the ports and whatnot than I do (I know nothing about them). Plus, then they'd receive the notification that a change has been made upstream rather than me, and they'd be able to start working on things on their end once they start including the new version of the port with the change. I'd rather not submit an upstream request, only to be told my submission wasn't done correctly for some reason that I know nothing about.

When this used to be a problem for me, I added the 192.168.100.x IP to the dhcp ignorelist so pfSense would not accept it when offered by the ISP CPE. This definitely helped.

@jknott said in fe80::1:1 as static route for ipv6 track interface LAN? also LAN link-local no response?:

There are 256 possible prefixes within that /48. You use the other prefixes for other interfaces.

My mistake. That should be 65536, not 256. Better have another beer. 😉

@bob-dig Thank you, but why the German sub-forum? 🤔

In the end, I will have to try what you suggested. I was hoping to get to know, how to analyse such issues, to learn something and solve future problems by myself.

I just pushed an update to my PR #4595 that attempts to mitigate this issue. Testers wanted!

Well, your title differs from what you say in the post.

While it is quite possible to resolve v4 records. i.e. A records which always return ipv4 addresses compared to AAAA records which are ipv6 records, you will never be able to ping ipv4 domains from an ipv6 network.

These are two completely independent networks.
A ipv4to6 nat device is needed, (or an ipv4 address) having access to both networks to be able to ping v4
This is also known as a nat64 device.

Unfortunately pfsense has this set to a future release, since ipfw is deprecated.

@s_d Think Zen may have had an issue with the DHCP6 DUID.

Changed the DUID type, did a save then changed the DUID type back, effectively creating a new DUID-LLT and its now working as it should with the PD set to /48.

Screenshot 2022-06-07 at 21.10.16.png

@johnpoz

While there is a cost of moving to IPv6, there is also a cost of not moving. For example if a company like Amazon doesn't support IPv6, it will become more difficult to do business in China. Another major ISP and cell carrier is Bell Canada. They don't provide IPv6 to their ADSL connected customers, but they barely provide it to their cell customers (they fail testipv6.com). This means their networks already support IPv6. A reseller that uses Bell's ADSL service, Teksavvy, manages to provide IPv6 where Bell doesn't. It appears most of the work is already done for Bell to provide IPv6 properly and to all customers. Also, years ago, the U.S. government mandated IPv6 for all public facing servers and not too long ago for all network suppliers. So, more and more, those who do not enable IPv6 look like they have their head in the sand.

@joe90

If it is assigning an address from with your prefix, then that address will start with your /56 prefix.

I don't have any experience with IPv6 on PPPoE or with OpenWRT, so I don't know what else to check.

However, you don't need a WAN GUA. If you want to access pfSense from elsewhere, you can use the LAN interface address.

@jknott I see, i need to take a closer look to the virtual IP settings

@aeminkocal

Is the VM set up as a bridge or NAT connection? If NAT, the IPv4 address will be in a different subnet than the LAN and IPv6 won't work. You need to bridge the interface. Also, it might help to mention which VM you're using.

After I reset pfSense, and did a new setup, the issue still remain. I can't connect to archlinux.org via IPv6.

@johnpoz said in Not able to connect to some website:

I would suggest he moves his lan back to 1500, and then get with his ISP for the proper setup for his wan connection.. A common pppoe mss clamp size is like 1452.. But for optimal working with his ISP he should contact them for proper setup.

I agree, I should consult my ISP for help. I left MTU and MSS default. Will it related to PMTUD no working? The last result might be using pfSense in transparent mode. I've never tested it yet.

Another issue is ICMP req always failed (tested using ipv6-test.com), even I allow it on WAN interface. This didn't happen on my last configuration, which is pretty much the same as this one except I left DHPCv6 enable. I think I disable DHCPv6 last time, MyPC use RDNSS instead. I'm scratching my head off.

I just now found a small config in the bridge advanced setting:
Screenshot from 2022-05-17 21-33-59.png
My local hosts now have an autoconfigured ip in the LAN-range (At least, I assume it's auto-configured, since the dhcp6 server isn't working still)
Routing is still all broken though, so it's only a small boon (And probably isn't helping the hosts in question at all, having to realize ipv6 isn't an option after timeout)
Still - Wanted to keep you guys posted, if this could trigger something

@imesh_

Try allow IPv4+6 ICMP echo request on WAN port. From my understanding, IPv6 needs ICMP to work properly.

@imesh_ said in LAN can't get ipv6 address:

Firewall for Both LANs allow any IPv4+IPV6

Do you mean WAN and LAN, or there are two LANs?

Attached pcaps:

VM2.pcapng

VM1.pcapng

@swtw122 So your provider gave you a /56 on WAN? What provider is this? OVH?

@johnpoz said in IPv6 can not connect to IPv6:

I vpn into my pfsense over their translation setup just fine.. Not saying that couldn't be an issue..

NAT breaks IPSec authentication headers. Other VPNs, such as OpenVPN use plain UDP that passes through NAT. Also, WiFi calling uses IPSec in UDP for the same reason.

@jknott The USB-stick in the default mode is firewalling the traffic, preventing me from listening for connections. The built-in web-UI also doesn't have any option, whatsoever, for port-forwarding.

As for PPP, yeah, it's old. NCM-mode would be faster, but it's apparently not supported by pfSense.

Hi @mrpete
The discussion here may assist you: https://forum.netgate.com/topic/152194/solved-firewall-log-entries-flooded-for-ipv6-5353

@georgemv

You set a unique prefix ID for each interface. You do this in theIPv6 Prefix ID box. With a /56, your choices range 0 - ff.

@marty-mcsly said in IPv6 and StarLink:

wait for Starlink to catch up to the 21st century

Why wait ?
Start by dropping a Tweet on Elon Musk like this : "Hey, can you make these guys work even better : https://he.net/ ? ":

@johnpoz Yeah I was just so into it being an inbound problem I didn’t test outbound for a while. D’oh! My assumption was the data center was good… 😢

@jknott said in Routing IPv6 ULA across interfaces:

@offstageroller said in Routing IPv6 ULA across interfaces:

They appear to create their own ULA addresses that have nothing to do with my router (pfSense), and since I don't run a consumer router that allows all by default and only has a single subnet, things start getting blocked.

Is your modem in bridge or router mode? The modem from my ISP provides both GUA and ULA addresses when in gateway mode.

My modem is in bridge mode.

My pfSense WAN interface has a link local and global address assigned to it. My modem does not appear to be offering a ULA address to that interface.

@tzvia yes Interfaces widget shows the public one. I was using Gateways just as a quick summary for Interfaces -obviously bad idea- because there are many VLANs, much better idea seems to be a second Interfaces widget showing only the WAN interface so that solves my request. I still dont know why I was seeing public IPv6 address as the gateway before but maybe I am confused and remember something else, I dont have 2.5.2 at the moment to check.