@tomsparklabs said in [Solved] Unable to ping pfSense's LAN interface on IPv6:

rebooted the router

Hmm, thanks from the future...I set up an HE tunnel tonight and though the router could get out over IPv6, and PCs got IPv6 addresses, I found the PCs could not ping the router, dig to pfSense DNS over IPv6 to the LAN IPv6 was blocked by the default block firewall rule despite already having a LAN IPv6 to any rule, and new rules I added for DNS.

Restarting pfSense (2.5.1) got IPv6 working fine from the PCs.

Oddly https://test-ipv6.com/ worked...I guess over IPv4? But it showed IPv6 working, 10/10.

@bob-dig

I agree it should be easier to find. As for the name alias, that was even the case with IPv4, before there was IPv6. I assume it's because you have more than one address an interface can use, which is not typical. Also, with IPv6, you have not just mulitple addresses, you have multiple prefixes. Even if you don't have an alias, with SLAAC you can have up to 8 addresses, then there's link local too. By the time you've added a 2nd prefix, you're up to 17 addresses on a single interface.

I can use the IPV6 that are assigned on the USG DHCP to address computers from the internet. It just won't say "Internet" on Network and Sharing Center, or pass any IPv6 tests.

Ping (as well as traceroutes) from local computers to google.com are fine even though it says "No Internet Access".

The traceroutes go from the USG to the pfSense LAN IPv6 out to the internet, even though I have the link-local gateway address of Cox specified in the next-hop on the USG.

I found the problem.

I had IPv6 enabled in pfBLocker-devel 3.0.16 DNSBL:

IPv6 DNSBL
Enable Enable DNSBL for IPv6 DNS Resolution filtering. Default IPv6 Webserver address [ ::10.10.10.1 ] and ports [80/443]

radvd was choking on the ::10.10.10.1 RDNSS line of the config file.

Just in case someone finds this hack useful, the following is the patch I used on 2.5.0. It will only do what is intended (hardcode advertised MTU to 1480) if "Use same settings as DHCPv6 server" is unchecked under the Router Advertisements configuration settings.

src/etc/inc/services.inc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/etc/inc/services.inc b/src/etc/inc/services.inc index a3203aaaf7..1c63272ca1 100644 --- a/src/etc/inc/services.inc +++ b/src/etc/inc/services.inc @@ -130,7 +130,8 @@ function services_radvd_configure($blacklist = array()) { $radvdconf .= "\tAdvDefaultLifetime {$dhcpv6ifconf['raadvdefaultlifetime']};\n"; } - $mtu = get_interface_mtu($realif); + /*$mtu = get_interface_mtu($realif);*/ + $mtu = 1480; if (is_numeric($mtu)) { $radvdconf .= "\tAdvLinkMTU {$mtu};\n"; } else {

https://redmine.pfsense.org/issues/11800

@starcodesystems said in IPV6 ULA LAN to WAN ISP Public IPV4 internet possible?:

you have to know how to do these things

Huh? Why would you need to know how do stuff that makes no sense to do?

Do you have a use case example where anyone would want/need to do such a thing? Where it wouldn't make more sense to just give the device rfc1918 that you nat to your public IPv4..

I don't think its really anything to do with the AP firmware.. So I don't think they will be able to fix it.. From what a few were saying has to do with the different auth that wpa3 uses..

Not sure - have not dug that deep into yet. I was really hoping to just have guest be limited to wpa3.. But I will live with this compromise.. Just thought give you a heads up if you were doing the same thing.. And you had friends come over - and you get hey this qr code thing isn't working ;)

@gertjan

Yep. He was one of my favourite things in that magazine. Incidentally, I have every paper issue of the magazine on my shelves here, going back to Vol 1, #1, Sept 1975. I bought the first three issues in person from the original publisher, Wayne Greene, at an amateur radio convention in Ottawa in 1975. He put the magazine in his wife's name for tax reasons. He then lost it when they divorced.

@fabrizior I didn’t know it was a thing :) Thanks for the information.

@jknott I didn't say reboot. I said save WAN again. Your workflow might be triggering a dhcp6c refresh, but, in general, when you make changes to inside interfaces set to "track interface" you have to save WAN again to pick them up. The dhcp6c client is the mechanism that sets all of the interface addresses. That happens when dhcp6c receives the PD. That happens on WAN. pfSense itself does not do any of that work.

Since this is the forum for IPv6 and not the forum for the Development 2.5.1-RC snapshots, you may want to re-post this over there, where the developers would be more likely to see it.

https://forum.netgate.com/category/83/21-02-2-2-5-1-snapshots

I have a similar use case, namely building tenants with their own routers. Can this method (firewall rules) be used to control prefix delegation, or at least restrict access to allowed tenants?

We're doing this (denying) now with IPv4, where we tell them to plug in, see the IPv4 lease request to create a static lease, after which we can create a firewall rule allowing it. Can't get the old Comcast router to give more than a /64 so I was thinking of using Hurricane to get IPv6 for the tenants.

@derelict Of course, it was one of the DHCPv6 messages. That makes a lot of sense. (I thought this was RA-related since as discussed before, the DHCPv6 mode is the only way aside from SLAAC to make pfSense pick the gateway from the RA message.) So we're back to not receiving the DHCPv6 messages at all. I added similar rules for DHCPv6 messages, and we just don't see them at all. But that's not an issue for this thread.

@bob-dig

That's nonsense. First off, we shouldn't avoid IPv6, as that's what the world is moving to and the sooner the better. Also, I gave some suggestions that may help @MrGlasspoole with his problem.

@foo said in Configuring multiple routable IPv6 subnets with multiple routers:

How should I have the router A, LAN A and LAN B interfaces configured to connect to router B and C? Should I use DHCPv6 or RA?

Think about how you'd do it in IPv4. You set up routes to say those addresses go there. Same thing with IPv6. This is basic stuff for anyone setting up networks, whether IPv4 or IPv6.

@jimp said in RA (and therefore SLAAC) not working after updating to 2.5.0:

It still looks like a settings issue.

If your ISP is sending you a /56 then set the delegation size on the WAN settings to match, /56.

It should slice that up into /64 chunks automatically.

Holy cow, really simple to fix, if you just know what to do ;)
Thank you so much, this solved the issue!

Why stop there.. While they are at - let me put a /32 on the interface.. That is the min sized prefix you get from arin ;) so you might as well let me put it on my interface - I might want to route it <rolleyes>

And clearly the only way to route anything is put it on an interface..

Just like you have rule #2 preventing access to the private IPv4 range, create a rule that prevents access to your IPv6 prefix range. I'm assuming that your IPv6 prefix is static (I certainly hope it is if you have 40 VLANs).

For example, if your prefix is 2001:aaaa:bbbb:cd00::/56, create a rule that prevents access to that entire address range. Now your various VLANs won't be able to communicate with each other via IPv4 or IPv6. Of course, if you use pfSense for DNS, NTP, etc., I hope you've allowed those through other rules, because that block would also prevent communication with pfSense.

If you want to allow communication between two VLANs, create a single rule for both IPv4/v6, and use the "[interface] Network" selection for the destination... that will include both the IPv4 and IPv6 subnets for the VLAN that you select.

Well, with apologies for the noise level, I found a "fix" - I enabled "Do not wait for a RA" on the WAN interface, rebooted the modem and now recovery is complete without having to toggle the interface.

I am stumped why this makes any difference as the modem clearly is sending out RAs after its reboot.

I can see from the System logs that dhcp6 client is started without RA mode - consistent with how its now configured! :-) and sends a solicit and gets an advertise back - which then kicks the PD process off.

Stu

Works here as well

Hi guys,

I've followed this conversation quite a while and run into the same issue.
For everyone who would like to have dynamic NPT address to solve this issue please find my repo here: https://github.com/gewuerzgurke84/pfSense-dynamicNptAddress
It's tested it with 1 NPT mapping and 1 "Tracking" Interface with pfSense 2.5.0 and it solves my issue so far. Nevertheless I'd prefer to have this feature as part of the distribution itsself as it is a requirement to get IPv6 running in a reasonable way (at least in Germany)...

Best Regards,
Alex

@yon-0 said in Thank you for the IPv6 NAT capabilities in 2.5:

how config ipv6 nat in pfsense 2.5

You do it exactly as with IPv4 (use ULAs "instead" of private IPs and don't forget outbound NAT).

@thiamata

You can add prefixes on the Router Advertisement page, but if you do that you will also have manually add the original prefix, as for some reason it's no longer automatically added.

@ofloo route get -inet6 default show the correct gateway, .. I've disabled the rule from the firewall that is making it use a this gateway.

Still it uses the wrong interface.

So I removed he.net from that gateway group. And still it uses he.net.

Even when route get -inet6 default shows a different IPv6 gateway. This is not just broken, but seems impossible to me.

@fabrizior Nope, no setting for IAID in static mappings in 2.5.0...Sounds like a good feature request though... assuming dhcp6d has a way to use it...

@virgiliomi said in Configuration IPV6:

Easier until you start assigning IP ..........
I don't see any case where DHCPv6-PD would be desirable over a static IPv6 block. But maybe that's just me.

Noop, you got a point.

I have to add that I'm using a static IPv6 setup myself, as my ISP

doesn't know what IPv6 is. and if they do, they come up with a single /64 or a /56 but only the first /64 is routable or ..... (whatever, their BOX has just one LAN so they don't understand the fuzz - not even that some clients are actually companies and they could have more then 1 LAN ....)

with he.net, the one I'm using, the price is : not worlds fastest ISP, but free and rock solid. And very static.

@virgiliomi said in Configuration IPV6:

My prefix was rock solid on my last ISP (Comcast). .....
unplugging the interface or rebooting.

A pretty solid proof that '$$$€€€' and 'Mbits/sec' is just a part of the equation.
Good 'protocol' support is as important. And this one doesn't need the reading of their promises on paper. It will always be "Hands on testing for 6 months" ;)

@virgiliomi said in Configuration IPV6:

But they don't. Because my DUID hasn't changed...

They probably cleared out their DHCPv6 server cache and settings.
As you said : they are probably in the implementing phase.

@pmisch Well that's the thing. More and more the answer is "just use a competing product". What is Pfsense even for anymore if they can't fix years old bugs and they can't do IPv6 under realistic real world scenarios? Pfsense looks like a dying project to me so I've personally been steering people away from it.

No further issues since upgrading to 2.5.0. Looks like the bugs have been squashed!

@viktor_g I have a static IP (via DHCP4/6) from my ISP. The IPv4 works with no problems. IPv6 gets an IP ok, but the resolv.conf.never updates.
Rebooted multiple times.
The other day I was looking at the scripts that update the resolv.conf for IPv6.
If I am not mistaken, they only do so if the IP changes.
Which it won't with a static IP.
Although I could be misinterpreting.
I gave up and added the DNS entries via the General Setup to get around this issue for now.

@tadao I forgot to mention that the WAN Interface Address of the pfSense must be set to DMZ IP on the ISP router/modem.

@jknott Thanks for your help! I am gonna try that when I have the day off. I'll let you know if I got it to work!

I upgraded this morning my main 'company' pfSense to 2.5.0.
I'm using he.net for my my IPv6 'needs'.

I had nothing to do.

Everything came up and was working fine.
( + captive portal using FreeRadius - OpenVPN server for my remote access).

Even a non-native package I installed many years ago was upgraded and kept on running.

@virgiliomi said in Updated to 2.5 everything went smooth except for WAN IPv6 status being stuck on "Unknown" and "Pending" - Have Comcast, despite multiple Cable Modem restarts, and PFSense restarts:

There's a bug in 2.5.0 that has been found that requires a monitoring address to be manually added in the System > Routing settings for the IPv6 gateway. The gateway will show as "Pending" until a monitoring address is manually set. For whatever reason, 2.5.0 is not automatically getting the gateway address and monitoring it. Try adding a monitoring address (you can make it anything valid/reachable for the purpose of testing) and see if that fixes things for you.

If you want to add the exact gateway address as the monitor address, go to Diagnostics > Routes and copy the default gateway from the IPv6 table. Just know that this could change if your ISP does maintenance before the bug is fixed.

Hopefully that helps...

This worked for me, thanks!

@andrew_241 Yeah, those look like "policy routing" rules since you were specifying a gateway (rather than letting pfSense use the default gateway). But if you only have one WAN connection, or you don't want to route specific traffic in a specific way, you don't really need those rules, because everything can just route through the default gateway.

But since you had those rules... there is a deeper issue with the IPv6 gateway behind the scenes, so the IPv6 rule was not functional because of the bug, and was preventing your IPv6 traffic from flowing as a result.

I got it working again, by restoring a previous config.

@virgiliomi does re-saving the interface fix the issue? That seems to be the case with me.

Edit: did some testing and it seems that my interface got corrupted, deleted it and re made it and now its all good, survives reboots, looked in the logs and saw that the dhcp6c precess couldn’t find the interface and then it would quit.

I just did another test with a second LAN Track Interface on WAN2.

There i used Prefix 1 and after a reboot (why is this necessary?) the second LAN also get it's IPv6 prefix.

So it seems you just can use it with increasing values. So why is this the case?

@jefftee
If I unblock private networks and loopback addresses on my WAN, the gateway comes back as up.
Try that