Is it me or verizon?
-
Before I go down the route of torture with verizon support. Ipv6 became active on my connection but I can't seem to make it work. I don't know much about ipv6 and started researching but I am at a loss if my setup just needs adjusting or if I need to call support.
My wan address does not acquire any non local-link address but my lan does. This post they say the wan doesn't get an ip:
https://forum.netgate.com/topic/155534/verizon-fios-and-ipv6-which-settings-work/2
I have added a rule to allow all ipv4+ipv6 traffic from lan to anywhere. I have also opened up all icmp for ipv4 and ipv6 on the wan. I can't ping or get anywhere outside my own network. I don't know if I need to have an address on my wan, and/or do I need to add some static route to properly get out of my network?Settings and things I have observed:
WAN:
IPv6 Link Local = fe80::2e2:69ff:fe4e:a45%igb3
Gateway IPv6 = fe80::e86:10ff:feeb:9fc2LAN:
IPv6 Link Local = fe80::1:1%lagg0
IPv6 Address = 2600:4041:2026:bd00:2e2:69ff:xxxx:xxx
Subnet mask IPv6 = 64I have disabled both dhcp6 server and ra server since everyone's mobile devices all try to use the ipv6 and I hear endless complaints about how long it takes to connect to places. Seems the timeout before switching to ipv4 is annoying. I just keep trying to ping from the diagnostics before I re-enable these services.
wan settings:
IPv6 Configuration Type = DHCP6
DHCPv6 Prefix Delegation size = 56
Send IPv6 prefix hint = checked
Do not allow PD/Address release = checked
everything else uncheckedLAN:
IPv6 Configuration Type = Track Interface
IPv6 Interface = WAN
IPv6 Prefix ID = 0When I run this command which I saw from someone checking if they have ipv6, I get this:
rtsol -DF igb3
rtsol: checking if igb3 is ready...
rtsol: igb3 is ready
rtsol: set timer for igb3 to 0s
rtsol: New timer is 0s
rtsol: timer expiration on igb3, state = 1
rtsol: set timer for igb3 to 4s
rtsol: New timer is 4s
rtsol: received RA from fe80::e86:10ff:feeb:9fc2 on igb3, state is 2
rtsol: ManagedConfigFlag on igb3 is turned on
rtsol: Processing RA
rtsol: ndo = 0x7fffffffe300
rtsol: ndo->nd_opt_type = 1
rtsol: ndo->nd_opt_len = 1
rtsol: rsid = [igb3:slaac]
rtsol: stop timer for igb3
rtsol: there is no timerrunning a traceroute6 I see I am doing something but lol idk whats going on with the output.
traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2607:f8b0:4006:822::200e) from 2600:4041:2026:bd00:2e2:69ff:xxxx:xxx, 64 hops max, 20 byte packets
1 2600:4041:2020::1 0.582 ms 0.840 ms 1.329 ms
2 2600:4000:1:228::192 2.227 ms
2600:4000:1:228::190 4.563 ms
2600:4000:1:228::192 2.748 ms
3 * *
rest of output all *'sping6:
ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2600:4041:2026:bd00:2e2:69ff:xxxx:xxx --> 2607:f8b0:4006:808::200e
results in 100% packet lossunder settings/system routing my wan_dhcp6
Gateway = fe80::e86:10ff:feeb:9fc2
Monitoring IP = fe80::e86:10ff:feeb:9fc2Under diagnostics/routes for ipv6:
destination = default, gateway = fe80::e86:10ff:feeb:9fc2%igb3, flags UG
destination = ::1, gateway = link#6, flags UH
destination = 2600:4041:2026:bd00::/64, gateway = link#10, flags U
destination = 2600:4041:2026:bd00:2e2:69ff:xxxx:xxx, link#10, flags UHSI don't know what I should try to get this to work. I also don't want to be on call with support if I don't have everything setup appropriately.
Can anyone please help?
-
@cyth Looks like a routing issue on Verizon's end. They had one last week that seemed to get resolved late Thursday or Friday for a number of people in NJ. The fact that you're getting responses out to 2600:4000:1:228::... means your IPv6 traffic is getting to and through your local Verizon office (hop 1), and into a regional point in Verizon's network (hop 2).
You're welcome to try and address it with Verizon support... but I don't know that you're going to get very far.
-
That appears to be a routing issue with Verizon. Do you have access to another IPv6 capable site for testing? Or tether to a cell phone? If so, try pinging it and see if the packets arrive and if a response returns. I had a problem with my ISP a while ago due to a problem in my their office.
BTW, using link local addresses on the WAN is entirely normal.
-
@MikeV7896 @JKnott ty you both for your responses. I will give support a try since it seems like they have the issue. Hopefully I'll get through the first level (is your router plugging in??) fast.
I just briefly looked in to your suggestion of tethering but it seems like I have to build a custom kernel?
found that here, but not sure if I can do it another way? -
https://forum.netgate.com/topic/117929/how-to-usb-tether-on-pfsense-2-4-as-routerIs it ok that I have RA and dhpc6 server turned off? Does that have any effect to connectivity from the firewall to the internet? I turned it off to stop everyone's phones from acting sluggish while the phone figures out it can't get out on ipv6. I was thinking I could leave it off till I got the firewall connectivity worked out.
One last question, does ipv6 leave my vm's and pc's fully exposed? Or do I still have to put in wan rules to allow traffic in even though my wan only has a local-link and lan has the global? Does this bypass my wan rules?
Thanks again!
-
@cyth Hi, did you tried this settings? I had the same issue. Now is working fine. Those are my settings.
https://forum.netgate.com/topic/155534/verizon-fios-and-ipv6-which-settings-work/83?_=1659968462969
-
@betapc thanks for the link. I have now checked Request only an IPv6 prefix in the dhcp6 settings. Do I need to disable hardware offloading? I am running on a physical device.
I have Assisted as my Router Advertisement Mode (even though it is disabled at the moment).
I have android phone clients that are slaac and won't use dhcp6. Managed in the help says addresses will be given out by only dhcp6. Assisted in the help says addresses can be assigned by dhcp6 or slaac. When I have this all enabled my android phone picks up the ip addy np.
I am hesitant to change too many settings since, I do get ip addresses and I appear to route outside my network... it just dies in verzion's back-office somewhere.
Thanks again for the link, I will definitely read through this thread carefully.
-
@cyth Yes the hardware checksum offloading need to be turned off, because Verizon introduced a extra package that break things when is on. Micke told us about it.
Also you can try RA stateless option.
Verizon support was not helpful, I was with them for more than 2 hours, their solution was to me to use Verizon router, that didn't work neither.
-
@betapc thanks for your help!
ok I disabled all offloading and enabled altq support. Also enabled dhcp6 server and set RA to managed. Rebooted... still no joy
traceroute6 dies on hop 2 as before.
-
@cyth Did you put your DNS v6 on general settings. I don't use Verizon default, that didn't work for me.
Also I unplugged all the cables from pFSense, FIOS ONT turn off and unplugged from the electricity, turned on without any cables, turned off again, plugged all the cables and turned on again.
-
@betapc I have put my own dns servers in there i.e. 2a09::@853 and ipv4 version of cloudflare and quad9 via DoT.
I'll power down the ont and disconnect and give it a shot, lol back in few.
Really appreciate your help, thanks again.
-
My tether suggestion was to use it as a test site, with a computer connected to it. This way, you can ping the address to see if it arrives and a response is sent. You can also try pinging your network to see if it arrives. This way you have some idea as to which way the routing problem is. A big part of trouble shooting is to see when and where the failure is. When I had the IPv6 problem, I could see the pings were received at the other end and replies sent, but those replies never made it back.
-
@jknott great idea. So I have vps with ipv6, here are results:
vps -> home:
traceroute6 2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx
traceroute to 2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx (2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx), 30 hops max, 80 byte packets
1 2605:a142::b (2605:a142::b) 0.853 ms 0.537 ms 0.485 ms
2 fd43:4f53:4541:50::a (fd43:4f53:4541:50::a) 0.446 ms 0.454 ms 0.290 ms
3 2001:550:2:29::559:1 (2001:550:2:29::559:1) 3.040 ms 2.991 ms 2.837 ms
4 be2804.rcr24.jfk01.atlas.cogentco.com (2001:550:0:1000::9a36:5005) 2.790 ms be2803.rcr23.jfk01.atlas.cogentco.com (2001:550:0:1000::9a36:2de5) 2.751 ms be2804.rcr24.jfk01.atlas.cogentco.com (2001:550:0:1000::9a36:5005) 2.699 ms
5 * * *
6 be3496.ccr31.jfk10.atlas.cogentco.com (2001:550:0:1000::9a36:8e) 2.578 ms * *
7 2600:802:2::a9 (2600:802:2::a9) 1.112 ms 2600:802:3ff::1 (2600:802:3ff::1) 1.001 ms 0.964 ms
8 * * *
...
30 * * *home -> vps:
traceroute6 2605:a142:xxxx:xxxx::x
traceroute6 to 2605:a142:xxxx:xxxx::x (2605:a142:xxxx:xxxx::x) from 2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx, 64 hops max, 20 byte packets
1 2600:4041:2020::1 0.689 ms 0.747 ms 1.180 ms
2 2600:4000:1:228::192 4.584 ms 5.340 ms 3.953 ms
3 * * *
...Does that show anything?
-
This post is deleted! -
@betapc ugh same result :(
verizon support wants me to directly connect my laptop to the ont and see if it works. doubt this will help, but I can't bounce my connection anymore till tonight. I work from home and been missing while bouncing my connection. lol
-
My suggestion was to use ping, not traceroute, so you can easily see where it reaches. For example, from pfSense, ping the tethered device. Do you see the ping there? Do you see a response going out? Do the same again from the other end. When I had the problem, at the pfSense end, I could see the ping go out, but nothing coming back. At the other end, I could see the ping going in and the response leaving. Pinging from the other end showed nothing at pfSense. That told me the problem was in the path to my network and not outgoing.
-
When I had my problem, a tech came and did that with his own modem and computer. The problem persisted. By that time I also had my next door neighbour try and he had the same problem as I did and he didn't have a separate router.
So yes, connecting directly to the modem is often a valid test, as it narrows down the possibilities.
-
@jknott Ok I plugged my laptop straight in to ont. I only get an ipv4 address and no ipv6. The laptop is running solus. Also I put everything back... pings just timeout to vps and home vice-versa.
If the traceroute above from vps to home, they seem to timeout same place when I go from home -> google or vps
-
Thanks again for everyone's input and help. I have a tech scheduled to come out tomorrow now to troubleshoot. I'll let ya know the result. Thanks again all
-
I think they meant plug into the modem, not pfsense. Put the modem in gateway mode and try that. If that works, then you have a problem with pfsense. If it also fails, then there's a problem with Verizon.
BTW, I trust you have been using the modem in bridge mode with pfsense.
-
@jknott thanks for the help. I had them activate the ethernet port on my ont a while back. I just have a cat6 run from the ont to my pfsense box in the basement. To do the test, I just unplugged pfsense and plugged straight in to the laptop. So that be laptop straight to ont. I did get an ipv4 on my laptop, just no ipv6. I'll prob give it another test again tonight after I look to see where I can specify the laptops ipv6 dhcp settings. I do have a win10 laptop, maybe I should try that instead. or both.
@mikev7896 said in Is it me or verizon?:
@cyth Looks like a routing issue on Verizon's end. They had one last week that seemed to get resolved late Thursday or Friday for a number of people in NJ. The fact that you're getting responses out to 2600:4000:1:228::... means your IPv6 traffic is getting to and through your local Verizon office (hop 1), and into a regional point in Verizon's network (hop 2)
I am leaning to what mikev said, I does show me reaching 2 hops from my own network. Wouldn't that mean it is in verizon's hands from that point and hence their problem? Also when I try to come in from an external source they all get stuck in verizon's network.
