IPV6 Neighbor Solicitation Not answered !?? => No IPV6 :(
-
@louis2 said in IPV6 Neighbor Solicitation Not answered !?? => No IPV6 :(:
pfSense would respond on the NS — Neighbor Solicitation (ICMPv6 type 135) as send by TrueNAS
And does pfsense see this solicitation? Your sniffing on pfsense and see this NS and your saying pfsense is just not answering?
simple sniff on one of pfsense vlan interfaces where I have ipv6 enabled - and looks normal to me.
-
Yep I am using pfSense its capture function, since it is the simple way to do that.
And yep I absolutely see no reaction form pfSense and also not a RA.
{At least not as long I do not try to access TrueNAS via the network (the opposite direction).}The simple test I use to check is to start a ^ping6 www.google.com^ on the command line of either TrueNAS-host or one of the jails
Here a screenshot of the pfSense screen and also more detail from a downloaded capture using wireshark
-
@louis2 what are the firewall rules on this interface?
-
It all ready was a very open rule-set (just for testing at the moment), above which I just added a line ^permit all^. Which did not change any thing
For further info, initially I was testing with DHCP and RA off. However because I could not and can not get things working, today I did expiriment with dhcp on and of and all kind of RA settings ....... nothing worked .... so far
Also note that I am using pfSense 2.6.0 development release (already for months, in fact without any recent issues.
-
@louis2 said in IPV6 Neighbor Solicitation Not answered !?? => No IPV6 :(:
I am using pfSense 2.6.0 development release (already for months, in fact without any recent issues.
This really should be brought up in the dev section then with specific version your running - quite possible some sort of issue was introduced. I will move this to the dev section. If you could post the snapshot your running prob be helpful
-
J johnpoz moved this topic from L2/Switching/VLANs on Jan 7, 2022, 3:05 PM
-
John two things:
-
I did create a jira ticket yesterday expressing my concern, asking jim to think about it (I could just express, my doubts without a hard proof that it is a pfSense issue). Jim closed it intermediately. Please have a look Issue #12663
-
I do not understand what I should additionally post if you could clarify
-
-
@louis2 said in IPV6 Neighbor Solicitation Not answered !?? => No IPV6 :(:
12663
While as Jim mentioned there - redmine is for reporting actual issue, and they should be able to be duplicated or multiple users seeing the issue.. Redmine is not for discussion or troubleshooting a problem.
Now if there is something discovered, and other users are seeing the same problem, etc. Then you could report what the issue is in redmine for correction, etc.
what I should additionally post if you could clarify
What specific snapshot are you running? Did this work on snapshot X, and stop working on Y.. etc.. Normally snapshots come out every day, what day version are you running. Should show those details right on the systeminfo widget on pfsense gui.
-
John, I do understand jim ... to a certain extend ..... however IMHO it is serious enough to check .. What ever
Related to the build:
- I am refreshing my system to the latest build every couple of days (lets say a week).
- I am currently running
2.6.0-BETA (amd64)
built on Mon Jan 03 06:18:19 UTC 2022
FreeBSD 12.3-STABLE - the problem was already there when I did my first new truenas system trails with IPV6 and I do not now the exact date, however I was already desperate when I started this "post" a month ago. So the first time I became aware of the problem should be late November early December or so
-
@louis2 I haven't noticed any other reports of such an issue.
If you take truenas and your jails out of the equation are you seeing the same problem.. So your saying IPv6 isn't workable on pfsense 2.6.. I find that hard to believe, or you would think there would be multiple threads/posts about it not working.
IPv6 is pretty hard to work if RAs don't function, or client can not discover pfsense via NDP..
-
John, In first instance I mainly verdict TrueNas-core which is based on FreeBSD 12.3 just like pfSense. However I was not sure as well, so I opened this blog.
However since I had severe issues with TrueNAS-core, I did decide to try TrueNAS scale with is their linux based release candidate (I think it is not jet RC but that apart). And up to my surprise the IPV6 behavoir or that linux version was identical to the FreeBSD version. And that did my doubts related to pfSense increase ! .... and I started again testing with all kind of dhcp and RA settings on pfSense.
When that did not solve any thing, I asked for help here.Do note that:
- the problem only occurs when the server in this case TrueNAS initiates the communication. (The other way around works!)
- I ones did a test connect my windows PC on the truenas host vlan, which seems to work (I can redo that test), however it is for sure that windows behaves different
- I can not go back to pfsense 2.5 to test that, since the config files are not compatible, that would be a too big effort (and error sensitive)
-
I forgot to add that
- if I start a command like "ping6 www.google.com" on truenas, that only results in a lot of the unanswered NS — Neighbor Solicitation (ICMPv6 type 135) messages
- however ... surprise surprise (not) ...... if I start some form of communication from the other side (ping -6 truenas from my pc) then
- As expected I get ping results on my pc AND
- as by magic the pings starting at truenas towards google start working as wel :)
-
@louis2 well first thing I would do is get current on your snapshot.. You are a few days behind..
-
Done! No change
-
@louis2 I don't run dev, and for sure can not duplicate what your seeing on my network - ipv6 working just fine..
As to rolling back to 2.5 - where did you see you could not do that because of issues with xml? I was not aware that was a thing..
This seems odd?
Src: A:B:C:110::1:10, Dst: ff02::1:ff00:1
Did you edit that to obfuscate something.. A:B:C ??
-
John the ABC is edited just to hide my address. Since I try not to share too much.
By the way, I do not mind to share full wireshark traces etc, wich you, however not via the public forum
-
@louis2 Let me see how my afternoon looks for real work ;) if its quiet which I think it is, not seeing any meetings on my cal ;)
I could fire up a 2.6 dev box on a VM and see if I can duplicate your problem.
-
Ok thanks! I will create a drawing from my test setup. That will perhaps help as well.
-
Here two pictures
- a schematic version of the physical setup. Based around a 1G SW, a 10G SW and pfSense. pfSense has a 1G lagg towards the 1G SW and a 10G lagg towards the 10G SW. 1G VLAN's are forwarded to the 1G-lagg, 10G VLAN's to the 10G lagg. There is a trunk between the switches, e.g. to make a slow copy of the 10G vlans available to the test-nas in my "office"
- a schematic version of the vlan-setup. All vlans come together in pfSense and nowhere else. The TrueNas test system is intended to play as NAS but also as "VM-server" as such that TrueNas-machine will have one vlan for the host and jails and vm's will in most cases be connected via their own vlan.
TrueNas host it-self will be in the "GreenZone" where the Jails and VM's will be in more risky zones (e.g. a webserver in "RED")
-
@louis2 so question - your using lag from your switches to pfsense where these vlans run.. Have you tried turn that off and see if working?
I see your 2x1g and 2x10g which looks like uplinks from your switches.
And your saying you only see this problem on stuff coming from your truenas, you show say vl2 and vl3, with some devices on them - are they using ipv6, are they having any issues with seeing RA or using NDP to find pfsense?
-
The LAGG's are the downlinks form pfSense towards the main switches or the uplinks from the switches to pfSense whatever you like :)
If the lags would not work, I could not access any thing, however since I can reach my-wifi, my-server and my nas-systems, I am sure they are working. Apart from that I can of course see that on GUI of the switches.
In principle the whole network is IPV6 and IPV4. And most equipment is using both. Mobiles, my pc. my server etc. Not the printer or the hifi-receiver :)
As far as I know every thing is working, with exception of the TrueNas systems, in case the ipv6 is initiated on/from those systems. Which is of course verdict !
However note that
- Every thing works "As far as I know" because I did not trace the behavoir of most equipment and apart from that a lot of traffic is still IPV4 or incoming IPV6.
- the NAS-systems are, apart form the switches and pfSense, the only machines who are vlan aware. All other devices do not know that their traffic is handled via a vlan
- the new NAS / test system is the first system in the network which will be accessed via multiple vlans (possible as a result of the use of jails and vm's_
- it is clear that the behavoir of freebsd, linux, windows. android differs
- my small server is windows based, and not vlan aware.
But big question is of course, if the TrueNAS systems behave different, is it wrong!? and is the fact that pfSense does not react correct!!??