Verizon Fios and IPV6, Which Settings Work?
-
There aren't any aliases (as in something in Firewall > Aliases), but you could create block rules with a destination of "LAN Network" (or whatever network you want to prevent access to) and if the prefix changes in the future, the rule would automatically update with the new prefix for your LAN network (or whatever network you've selected in the rule).
-
@mikev7896 Thanks for the note. Yeah, what you describe is how I approached blocking "internal" networks before someone tipped me off to how to effectively use the inverse-rules (allow everything except certain networks covered by an alias). I can go back to an implicit allow at the bottom of my rules and then explicit blocks rules above for my internal networks, but I was hoping there was a way to do this without reverting to this approach. I'm spoiled by the inverse rule now and going back to the other mode seems like a step backwards. Oh well. I think I'll stick with the inverse-rule, and hard code the prefix I've been assigned and cross my fingers for a while. Thanks for the input though!
-
I just saw that my Verizon Fios WAN_DHCP6 Gateway came online for the first time after a reboot of my 3100 (version 22.01).
I followed the settings in post 2 above (and rebooted). From pfSense ping, I can IPv6 ping to an external address (google) and I can ping to the pfSense LAN interface IPv6 address (I would hope so). But I can’t IPv6 ping from pfSense to clients on the LAN that have an IPv6 address. And I can’t “ping -6” from Win10 client to pfSense or externally (request timed out).
Also, when I try to run ipv6-test.com I get “IPv6 connectivity Not Supported” and “DNS4 + IP6 Unreachable”, “DNS6 + IP4 Reachable”, and “DNS6 + IP6 Unreachable.”
The routing logs have a warning on startup but nothing else:
radvd 51430 warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
I did read through this post and Netgate docs multiple times but I don’t know where else to look or other troubleshooting steps I should do.
-
Couple questions for you:
- What settings do you have enabled for your LAN Interface under Services > DHCPv6 Server & RA? Are your LAN clients getting valid IPv6 addresses (not just link local addresses)?
- Are your firewall rules allowing outbound IPv6 traffic from LAN?
Hope this helps.
-
Thank you very much @tman222. I did not have a firewall rule to allow IPv6.
-
Good Morning everybody;
I tried everything, I did all @MikeV7896 setting and I have all the IPV6 address, but I don't have network traffic, I can ping all my internal network IPV6 address and also the one assigned by FIOS but I can ping anything else outside of my network. IPV6 test show my IPV6 address but no connection to any IPV6 servers.
I tried using the default DNS servers and also tried Google's DNS server still not working.
Below are my settings, thanks for the help.
-
@betapc I am skeptical about the "LAN net" alias when it comes to tracked DHCPv6-PD. For shits and giggles add a rule on your LAN side allowing all IPv6 any any...
-
@jeremy-duncan Thanks for the replied. Change, still no working.
IPV6 test result change:
The setting for DHCP6 and Advertisement are correct?
Thanks
-
@betapc no you have to set the router mode to managed on the RA section if you are using DHCPv6.
-
@jeremy-duncan I made the changes still no working, I got all the IPV6 address, DNS server running but no connection outside of my network.
I don't know what else to do. I already did a clean installation of pFSense, still nothing.
-
I actually found out a bit more about what was going on.
Since I have pfsense virtualized with a didcated nic card on pfsense i decided to restore a backup I had from a few days ago. I found out that i had PFBlockerNG installed but for some reason it was not active. ( i must have been messing with some testing and disabled it)
Meaning that for some reason when you have it installed but it's disabled it basically completelly opens holes like this on your firewall (not sure what happens on the IPV4 side though) . This is a major bug ! As soon as i activated pfblockerng I couldnt ping or ssh my VMs anymore same if uninstalled it. As soon i tried to disable it but still have it installed. Boom...everything open.
I only have PFBlocker on WAN interface for inbound and my main Lan and dedicated Homelab Lan for outbout, and everything is configured automatically as floating rules.... basically blocking inbound except for a few IP blocking settings on both inboud and outbound.
I'll report this to pfsense as soon as i have time. -
@jeremy-duncan my set up is pFSense connected directly to ONT. Still not working. I was talking to FIOS customer support and they sent me a new router, I connected to the ONT, same issue, router provided all IPV6 address and getaways but no connection. The ONT is like 9 year old, I don't think that is the problem. I think the problem is more the implementation.
It's frustrating because some services were down and I didn't know why, and then I found because they were trying to connect using IPV6.
Even pFSense wasn't updating or retrieving any packages because of the IPV6. I checked on pFSense only use IPV4 and fixed my network issues.
Any suggestions how to make FIOS to fix this issues?
Thanks.
-
I have IPV6 working 100 % on FIOS network on all my interfaces using pFSense, finally after couple days.
Thanks everybody for the input, with this post I was able to enable IPV6. Thanks to @ jeremy.duncan and @MikeV7896.
These are my setting for future reference. I am using pFSense Plus.
-
@betapc what ended up being your fix?
-
@betapc There had been some IPv6 routing issues in NJ that are believed to have been resolved earlier today... so might've been affected by that?
-
@jeremy-duncan I did what you told me to change Router mode: Managed, and also I unchecked Provide DNS servers to DHCPv6 clients on all the interfaces, then unplugged all the cables from pFSense, FIOS ONT turn off and unplugged from the electricity, turned on without any cables, turned off again, plugged all the cables and turned on again.
Truth to be told I don't really know what made the trick.
Thanks
-
@mikev7896 Anyway, everything is working for now, thank you guys for all information you had provided, because this post was a huge help.
-
Thanks for your posts. I've been having the same issues on my network and your settings helped me to figure out what I was doing wrong.
I'm up and running now also.
Perth Amboy, NJ
-
Just posting this here to save anyone a little time...
@MikeV7896 has an awesome frequently-updated sheet on OneDrive that is tracking the rollout. No sense in banging your head against the wall if your area's CO hasn't been lit up yet.
-
