Netgate Discussion Forum

    No IPv6 WAN connectivity on pfSense box itself -- LAN works fine.

    • displaced

      Hi,

      I've recently switched to an ISP with full native IPv6.

      It's a pretty straightforward config -- DHCP6 on the WAN, with a /56 prefix. LAN set to 'track interface'.

      All's working well -- LAN clients pick up their GUAs and have full v6 connectivity just fine. The LAN and WAN both have GUA and link-local v6 addresses.

      But, the pfSense box itself can't ping v6 addresses out on the internet, although it can ping GUA v6 addresses on the LAN.

      The following:

      [2.6.0-RELEASE][admin@pfsense.home]/root: ping6 google.com
      PING6(56=40+8+8 bytes) 2a0e:xxxx:0:xx::xxx --> 2a00:1450:4009:821::200e
      

      just hangs at that point, until Ctrl+C'd.

      This is a fresh install, with literally just the bare WAN/LAN configured for standard routing -- no non-default firewall rules or other changes.

      Any thoughts on what the issue might be, or what to look into to help diagnose further would be appreciated!

      Cheers,
      Chris

      • JKnott @displaced

        @displaced

        Does your WAN interface have a GUA or just a link local address? If link local, you may have to ping from a different interface that has a GUA.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • displaced @JKnott

          @jknott hi! It does have a GUA, yes — that 2a0e:… address which the ping is originating from.

          (at least to my understanding… I’m still picking up v6 knowledge as I go, so apologies if I’m getting anything wrong here!)

          • Bob.Dig @displaced

            @displaced Maybe try it via the web interface and show your "settings".

            • JKnott @Bob.Dig

              @bob-dig

              Also a packet capture on the WAN interface might help.

              • JKnott @displaced

                @displaced

                Yeah, that would be a global address. Global Unique addresses start with 2 or 3, but I haven't seen one starting with 3 yet. Try running Packet Capture on the WAN interface, filtering on ping, to see what's happening.

                • displaced

                  Okay, so...

                  I've run a capture, and I see packets going out, but nothing coming back:

                  21:04:11.156914 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1440, length 9
                  21:04:11.680851 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1441, length 9
                  21:04:12.193973 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1442, length 9
                  21:04:12.705116 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1443, length 9
                  21:04:13.219222 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1444, length 9
                  

                  And I've kept an eye on the firewall logs whilst that was running. Nothing was being logged.

                  Here's the info from my Status > Interfaces page. I think it all looks fine, but would appreciate another pair of more-IPv6-savvy eyes on it if someone wouldn't mind!

                  WAN
                  IPv6 Link Local        fe80::xxx:xxxx:xxxx:xxxx%igb0
                  IPv6 Address           2a0e:xxxx:0:65::299
                  Subnet mask IPv6       128
                  Gateway IPv6           fe80::xxx:xxxx:xxxx:xxxx%igb0

                  LAN
                  IPv6 Link Local        fe80::1:1%igb1
                  IPv6 Address           2a0e:xxxx:402:f900:2xx:xxff:fexx:xxcb
                  Subnet mask IPv6       64

                  Now, this might be a clue to what's going on... but I'm not clued-up enough just yet to know for sure...

                  When I traceroute6 google.com from the pfSense shell, I get:

                  [2.6.0-RELEASE][admin@heimdall.home]/root: traceroute6 google.com
                  traceroute6 to google.com (2a00:1450:4009:815::200e) from 2a0e:xxxx:0:65::299, 64 hops max, 20 byte packets
                   1  2a0e:xxxx:0:65::1  1.812 ms  1.986 ms  1.592 ms
                   2  * *^C
                  

                  Now, that first hop - 0:65::1 - that's a gateway address I think, but I'm unsure about what mechanism's providing it. It seems that pfSense doesn't know what to do when a packet arrives there, whatever!

                  Again, apologies if this is all basic stuff -- I'm still at the "knows enough to be dangerous" stage, trying to map what I'm seeing to what I've learned so far!
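
The by-eye check from the WAN capture in the post above (requests going out, nothing coming back), as an added example that is not part of the original thread: it pairs ICMPv6 echo requests with replies by address pair and sequence number and reports the unanswered ones. The capture lines are constructed, using 2001:db8::/32 documentation addresses in place of the redacted ones, and the function names are this example's own.

```python
import re
from collections import defaultdict

# One tcpdump text line for ICMPv6 echo traffic. The "id N," field is optional
# here because the capture quoted in the thread does not show one.
ECHO_RE = re.compile(
    r"\s*(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP6, echo (?P<kind>request|reply),(?: id (?P<id>\d+),)? seq (?P<seq>\d+)"
)

# Constructed sample: one flow with no replies (the pattern in the thread)
# and one answered flow for contrast.
SAMPLE = """\
21:04:11.156914 IP6 2001:db8:0:65::299 > 2001:db8:ffff::1111: ICMP6, echo request, seq 1440, length 9
21:04:11.680851 IP6 2001:db8:0:65::299 > 2001:db8:ffff::1111: ICMP6, echo request, seq 1441, length 9
21:04:12.001000 IP6 2001:db8:0:65::299 > 2001:db8:0:65::1: ICMP6, echo request, seq 7, length 16
21:04:12.002500 IP6 2001:db8:0:65::1 > 2001:db8:0:65::299: ICMP6, echo reply, seq 7, length 16
""".splitlines()


def pair_echoes(lines):
    """Map (src, dst) -> {"sent": n, "unanswered": [seq, ...]} per request flow."""
    requests, replies = [], set()
    for line in lines:
        m = ECHO_RE.match(line)
        if not m:
            continue  # not an ICMPv6 echo line
        seq = int(m["seq"])
        if m["kind"] == "request":
            requests.append((m["src"], m["dst"], m["id"], seq))
        else:
            # A reply travels dst -> src, so store it in the request's orientation.
            replies.add((m["dst"], m["src"], m["id"], seq))
    report = defaultdict(lambda: {"sent": 0, "unanswered": []})
    for key in requests:
        flow = report[key[:2]]
        flow["sent"] += 1
        if key not in replies:
            flow["unanswered"].append(key[3])
    return dict(report)


def summarize(report):
    """One line per flow: how many requests got no reply on this interface."""
    return [f"{src} -> {dst}: {len(f['unanswered'])}/{f['sent']} unanswered"
            for (src, dst), f in sorted(report.items())]


if __name__ == "__main__":
    print("\n".join(summarize(pair_echoes(SAMPLE))))
```

A flow reported as fully unanswered means only that no echo reply was captured on that interface; it does not say where along the path the reply was lost.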

                  • JKnott @displaced

                    @displaced

                    That /128 mask simply means that address is an identifier and can be used for things like VPNs. However, it also means it can't be used for routing. What happens if you use the LAN address to ping from? You have to use the -I <interface> option to do that.

                    What do packet captures of pings from other addresses or devices show?

                    • displaced @JKnott

                      @jknott Thanks for your help!

                      So, pinging from the LAN interface gives:

                      [2.6.0-RELEASE][admin@heimdall.home]/root: ping6 -I igb1 google.com
                      PING6(56=40+8+8 bytes) 2a0e:xxxx:402:f900:2e0:67ff:fe2d:90cb --> 2a00:1450:4009:81f::200e
                      ping6: sendmsg: No route to host
                      ping6: wrote google.com 16 chars, ret=-1
                      ping6: sendmsg: No route to host
                      ping6: wrote google.com 16 chars, ret=-1
                      

                      I'll run the captures this evening once I'm done at work!

                      • senseivita @JKnott

                        @jknott What could you do if all you have is an LL or UL address if there weren't global addresses for the firewall itself? :O

                        My ISP only handles out delegations it seems, and on its interface the firewall only gets a link-local address if DHCP6 is used, and a unique local if SLAAC is used.

                        But in the past, pfSense has gotten a global address on that interface, and the ISP-loaned ONTs and modems do get a global address in addition to a delegated prefix. Maybe there's some special config. :/

                        Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

                        • JKnott @senseivita

                          @skilledinept

                          If you want to connect to the firewall with a VPN, etc., you can use another interface address, such as the LAN.

                          Perhaps if you mentioned your ISP, someone else might be able to help.
