ipv6 over pppoe, openwrt works but pfsense doesnt

trumee

Hello,

My ISP uses pppoe for authentication. The modem they given is bridged to my pfsense router. Unfortunately, i dont get an ipv6 address when using pfsense. On the other hand I do get ipv6 when i use openwrt instead of pfsense.

The ISP uses dhcpv6 and following is my configuration of openwrt (TPlink Archer C7),

# cat /etc/config/network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2e:f3f7:1a7d::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '172.20.1.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'pppoe'
        option password 'mypassword'
        option ipv6 'auto'
        option username 'myusername'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'


config interface 'wwan'
        option proto 'dhcp

Using this openwrt shows the ipv6 address,

#ip a s
10: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN qlen 3
    link/ppp 
    inet xx.yy.zz.ww peer xx.yy.64.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 2401:xxxx:yyyy:zzzz:8fff::58:4e5f/128 scope global dynamic 
       valid_lft 85739sec preferred_lft 85739sec
    inet6 fe80::91d3:6cff:be4a:46eb/10 scope link 
       valid_lft forever preferred_lft forever



Protocol: Virtual dynamic interface (DHCPv6 client)
Uptime: 0h 11m 51s
IPv6: 2401:xxxx:xxxx:8fff::58:4e5f/128
IPv6-PD: 2401:xxxx:xxxx:535a::/64

With pfsense the configuration below does not give me an ipv6.

Why does openwrt work but pfSense doesnt?

trumee

I turned on the 'Do not wait for a RA' and now the interface shows an ipv6.

[2.5.2-RELEASE][root@pfSense.localdomain]/root: ifconfig pppoe1
pppoe1: flags=89d1<UP,POINTOPOINT,RUNNING,NOARP,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1492
        description: WAN2
        inet xx.yy.232.42 --> xx.yy.64.1 netmask 0xffffffff
        inet6 fe80::a236:9fff:fe19:8%pppoe1 prefixlen 64 scopeid 0x1e
        inet6 fe80::a236:9fff:fe19:9%pppoe1 prefixlen 64 scopeid 0x1e
        inet6 2401:xxxx:yyyy:zzzz::58:5510 prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

However ping to google doesnt work.

[2.5.2-RELEASE][root@pfSense.localdomain]/root: ping ipv6.google.com
ping: cannot resolve ipv6.google.com: Unknown server error
[2.5.2-RELEASE][root@pfSense.localdomain]/root: ping 2001:4860:4860::8888
ping: cannot resolve 2001:4860:4860::8888: Unknown host

Under System>Routing>Gateways a link local address assigned to WAN2 rather than a public ipv6 address,

In openwrt the routing table is,

# ip -6 route
default from 2401:xxxx:yyyy:5f37::/64 via fe80::3e94:d5ff:fec8:b4fe dev pppoe-wan  metric 4096 
default from 2401:xxxx:yyyy:8fff::58:540f via fe80::3e94:d5ff:fec8:b4fe dev pppoe-wan  metric 4096 
2401:xxxx:yyyy:5f37::/64 dev br-lan  metric 1024

Is this a problem of routing now?

JKnott

@trumee said in ipv6 over pppoe, openwrt works but pfsense doesnt:

However ping to google doesnt work.

From pfsense or a computer on the LAN? Do devices on the LAN get an IPv6 address?

Under System>Routing>Gateways a link local address assigned to WAN2 rather than a public ipv6 address

Link local addresses are often used for routing. Entirely normal.

trumee

@jknott said in ipv6 over pppoe, openwrt works but pfsense doesnt:

@trumee said in ipv6 over pppoe, openwrt works but pfsense doesnt:

However ping to google doesnt work.

From pfsense or a computer on the LAN? Do devices on the LAN get an IPv6 address?

Both from pfsense and LAN. The LAN is getting an ipv6

LAN
$ ip a s
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether ac:1f:6b:91:41:56 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 172.16.1.28/24 metric 10 brd 172.16.1.255 scope global dynamic eno1
       valid_lft 5991sec preferred_lft 5991sec
    inet6 2401:xxxx:yyyy:66cd::ffaa/128 scope global dynamic noprefixroute 
       valid_lft 5993sec preferred_lft 3293sec
    inet6 2401:xxxx:yyyy:66cd:ae1f:6bff:fe91:4156/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 85192sec preferred_lft 13192sec
    inet6 fe80::ae1f:6bff:fe91:4156/64 scope link

$ ping ipv6.google.com
ping: connect: Network is unreachable

Under System>Routing>Gateways a link local address assigned to WAN2 rather than a public ipv6 address

Link local addresses are often used for routing. Entirely normal.

JKnott

@trumee

Can you ping between devices on the LAN? What is the default route? It should be a link local address for pfsense. Have you used Packet Capture to see if the pings are leaving from the WAN port?

trumee

@jknott You are onto something. I cannot ping ipv6 between devices on the LAN.

ip address

Desktop
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether ac:1f:6b:91:41:56 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet6 2401:xxxx:yyyy:66cd::ffaa/128 scope global dynamic noprefixroute 
       valid_lft 6873sec preferred_lft 4173sec
    inet6 2401:xxxx:yyyy:66cd:ae1f:6bff:fe91:4156/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 86072sec preferred_lft 14072sec
    inet6 fe80::ae1f:6bff:fe91:4156/64 scope link 
       valid_lft forever preferred_lft forever

NAS
3: vlan100br: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3e:c7:b3:f8:ef:06 brd ff:ff:ff:ff:ff:ff    
    inet6 2401:xxxx:yyyy:66cd::ff0a/128 scope global dynamic noprefixroute 
       valid_lft 6028sec preferred_lft 3328sec
    inet6 2401:xxxx:yyyy:66cd:3cc7:b3ff:fef8:ef06/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 74937sec preferred_lft 2937sec
    inet6 fe80::3cc7:b3ff:fef8:ef06/64 scope link 
       valid_lft forever preferred_lft forever

Ping to NAS from desktop

$ ping 2401:xxxx:yyyy:66cd:3cc7:b3ff:fef8:ef06
PING 2401:xxxx:yyyy:66cd:3cc7:b3ff:fef8:ef06(2401:xxxx:yyyy:66cd:3cc7:b3ff:fef8:ef06) 56 data bytes
From 2401:xxxx:yyyy:66cd::ffaa icmp_seq=1 Destination unreachable: Address unreachable
From 2401:xxxx:yyyy:66cd::ffaa icmp_seq=2 Destination unreachable: Address unreachable
From 2401:xxxx:yyyy:66cd::ffaa icmp_seq=3 Destination unreachable: Address unreachable
^C
--- 2401:xxxx:yyyy:66cd:3cc7:b3ff:fef8:ef06 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3159ms

$ ping 2401:xxxx:yyyy:66cd::ff0a
ping: 2401:xxxx:yyyy:66cd::ff0a: Name or service not known

Route on desktop

$ route -6 -n
Kernel IPv6 routing table
Destination                    Next Hop                   Flag Met Ref  Use If
::1/128                        ::                         U    256 2      0 lo
2401:xxxx:yyyy:66cd::/64       ::                         Ue   10  3      0 eno1
fe80::/64                      ::                         U    256 1      0 eno1
fe80::/64                      ::                         U    256 1      0 vmnet1
fe80::/64                      ::                         U    256 1      0 vmnet8
fe80::/64                      ::                         U    256 1      0 enp3s0
::/0                           ::                         !n   -1  1      0 lo
::1/128                        ::                         Un   0   11      0 lo
2401:xxxx:yyyy:66cd::ffaa/128  ::                         Un   0   4      0 eno1
2401:xxxx:yyyy:66cd:ae1f:6bff:fe91:4156/128 ::                         Un   0   3      0 eno1
fe80::202:c9ff:fe4e:2194/128   ::                         Un   0   2      0 enp3s0
fe80::250:56ff:fec0:1/128      ::                         Un   0   5      0 vmnet1
fe80::250:56ff:fec0:8/128      ::                         Un   0   2      0 vmnet8
fe80::ae1f:6bff:fe91:4156/128  ::                         Un   0   4      0 eno1
ff00::/8                       ::                         U    256 10      0 eno1
ff00::/8                       ::                         U    256 1      0 vmnet1
ff00::/8                       ::                         U    256 1      0 vmnet8
ff00::/8                       ::                         U    256 6      0 enp3s0
::/0                           ::                         !n   -1  1      0 lo

JKnott

@trumee

Capture on some router advertisements. Use Packet Capture and filter on ICMP6. Post the capture file here.

JKnott

@trumee

I just noticed something. You're using "ping" That works for IPv6 in Linux, but not FreeBSD which pfsense runs on. You have to use ping6 on it.

trumee

@jknott said in ipv6 over pppoe, openwrt works but pfsense doesnt:

@trumee

I just noticed something. You're using "ping" That works for IPv6 in Linux, but not FreeBSD which pfsense runs on. You have to use ping6 on it.

[2.5.2-RELEASE][root@pfSense.localdomain]/root: ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2401:xxxx:yyyy:8fff::58:5788 --> 2404:6800:4007:821::200e
^C
--- ipv6.l.google.com ping6 statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss

stephenw10

Can you ping6 to other internal hosts?

Is pfSense handing out those IPs via dhcpv6? That would imply it's receiving a prefix from the ISP.

Steve