Is it me or verizon?
-
@cyth Looks like a routing issue on Verizon's end. They had one last week that seemed to get resolved late Thursday or Friday for a number of people in NJ. The fact that you're getting responses out to 2600:4000:1:228::... means your IPv6 traffic is getting to and through your local Verizon office (hop 1), and into a regional point in Verizon's network (hop 2).
You're welcome to try and address it with Verizon support... but I don't know that you're going to get very far.
-
That appears to be a routing issue with Verizon. Do you have access to another IPv6 capable site for testing? Or tether to a cell phone? If so, try pinging it and see if the packets arrive and if a response returns. I had a problem with my ISP a while ago due to a problem in my their office.
BTW, using link local addresses on the WAN is entirely normal.
-
@MikeV7896 @JKnott ty you both for your responses. I will give support a try since it seems like they have the issue. Hopefully I'll get through the first level (is your router plugging in??) fast.
I just briefly looked in to your suggestion of tethering but it seems like I have to build a custom kernel?
found that here, but not sure if I can do it another way? -
https://forum.netgate.com/topic/117929/how-to-usb-tether-on-pfsense-2-4-as-routerIs it ok that I have RA and dhpc6 server turned off? Does that have any effect to connectivity from the firewall to the internet? I turned it off to stop everyone's phones from acting sluggish while the phone figures out it can't get out on ipv6. I was thinking I could leave it off till I got the firewall connectivity worked out.
One last question, does ipv6 leave my vm's and pc's fully exposed? Or do I still have to put in wan rules to allow traffic in even though my wan only has a local-link and lan has the global? Does this bypass my wan rules?
Thanks again!
-
@cyth Hi, did you tried this settings? I had the same issue. Now is working fine. Those are my settings.
https://forum.netgate.com/topic/155534/verizon-fios-and-ipv6-which-settings-work/83?_=1659968462969
-
@betapc thanks for the link. I have now checked Request only an IPv6 prefix in the dhcp6 settings. Do I need to disable hardware offloading? I am running on a physical device.
I have Assisted as my Router Advertisement Mode (even though it is disabled at the moment).
I have android phone clients that are slaac and won't use dhcp6. Managed in the help says addresses will be given out by only dhcp6. Assisted in the help says addresses can be assigned by dhcp6 or slaac. When I have this all enabled my android phone picks up the ip addy np.
I am hesitant to change too many settings since, I do get ip addresses and I appear to route outside my network... it just dies in verzion's back-office somewhere.
Thanks again for the link, I will definitely read through this thread carefully.
-
@cyth Yes the hardware checksum offloading need to be turned off, because Verizon introduced a extra package that break things when is on. Micke told us about it.
Also you can try RA stateless option.
Verizon support was not helpful, I was with them for more than 2 hours, their solution was to me to use Verizon router, that didn't work neither.
-
@betapc thanks for your help!
ok I disabled all offloading and enabled altq support. Also enabled dhcp6 server and set RA to managed. Rebooted... still no joy
traceroute6 dies on hop 2 as before.
-
@cyth Did you put your DNS v6 on general settings. I don't use Verizon default, that didn't work for me.
Also I unplugged all the cables from pFSense, FIOS ONT turn off and unplugged from the electricity, turned on without any cables, turned off again, plugged all the cables and turned on again.
-
@betapc I have put my own dns servers in there i.e. 2a09::@853 and ipv4 version of cloudflare and quad9 via DoT.
I'll power down the ont and disconnect and give it a shot, lol back in few.
Really appreciate your help, thanks again.
-
My tether suggestion was to use it as a test site, with a computer connected to it. This way, you can ping the address to see if it arrives and a response is sent. You can also try pinging your network to see if it arrives. This way you have some idea as to which way the routing problem is. A big part of trouble shooting is to see when and where the failure is. When I had the IPv6 problem, I could see the pings were received at the other end and replies sent, but those replies never made it back.
-
@jknott great idea. So I have vps with ipv6, here are results:
vps -> home:
traceroute6 2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx
traceroute to 2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx (2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx), 30 hops max, 80 byte packets
1 2605:a142::b (2605:a142::b) 0.853 ms 0.537 ms 0.485 ms
2 fd43:4f53:4541:50::a (fd43:4f53:4541:50::a) 0.446 ms 0.454 ms 0.290 ms
3 2001:550:2:29::559:1 (2001:550:2:29::559:1) 3.040 ms 2.991 ms 2.837 ms
4 be2804.rcr24.jfk01.atlas.cogentco.com (2001:550:0:1000::9a36:5005) 2.790 ms be2803.rcr23.jfk01.atlas.cogentco.com (2001:550:0:1000::9a36:2de5) 2.751 ms be2804.rcr24.jfk01.atlas.cogentco.com (2001:550:0:1000::9a36:5005) 2.699 ms
5 * * *
6 be3496.ccr31.jfk10.atlas.cogentco.com (2001:550:0:1000::9a36:8e) 2.578 ms * *
7 2600:802:2::a9 (2600:802:2::a9) 1.112 ms 2600:802:3ff::1 (2600:802:3ff::1) 1.001 ms 0.964 ms
8 * * *
...
30 * * *home -> vps:
traceroute6 2605:a142:xxxx:xxxx::x
traceroute6 to 2605:a142:xxxx:xxxx::x (2605:a142:xxxx:xxxx::x) from 2600:4041:2026:bd00:2e2:xxxx:xxxx:xxx, 64 hops max, 20 byte packets
1 2600:4041:2020::1 0.689 ms 0.747 ms 1.180 ms
2 2600:4000:1:228::192 4.584 ms 5.340 ms 3.953 ms
3 * * *
...Does that show anything?
-
This post is deleted! -
@betapc ugh same result :(
verizon support wants me to directly connect my laptop to the ont and see if it works. doubt this will help, but I can't bounce my connection anymore till tonight. I work from home and been missing while bouncing my connection. lol
-
My suggestion was to use ping, not traceroute, so you can easily see where it reaches. For example, from pfSense, ping the tethered device. Do you see the ping there? Do you see a response going out? Do the same again from the other end. When I had the problem, at the pfSense end, I could see the ping go out, but nothing coming back. At the other end, I could see the ping going in and the response leaving. Pinging from the other end showed nothing at pfSense. That told me the problem was in the path to my network and not outgoing.
-
When I had my problem, a tech came and did that with his own modem and computer. The problem persisted. By that time I also had my next door neighbour try and he had the same problem as I did and he didn't have a separate router.
So yes, connecting directly to the modem is often a valid test, as it narrows down the possibilities.
-
@jknott Ok I plugged my laptop straight in to ont. I only get an ipv4 address and no ipv6. The laptop is running solus. Also I put everything back... pings just timeout to vps and home vice-versa.
If the traceroute above from vps to home, they seem to timeout same place when I go from home -> google or vps
-
Thanks again for everyone's input and help. I have a tech scheduled to come out tomorrow now to troubleshoot. I'll let ya know the result. Thanks again all
-
I think they meant plug into the modem, not pfsense. Put the modem in gateway mode and try that. If that works, then you have a problem with pfsense. If it also fails, then there's a problem with Verizon.
BTW, I trust you have been using the modem in bridge mode with pfsense.
-
@jknott thanks for the help. I had them activate the ethernet port on my ont a while back. I just have a cat6 run from the ont to my pfsense box in the basement. To do the test, I just unplugged pfsense and plugged straight in to the laptop. So that be laptop straight to ont. I did get an ipv4 on my laptop, just no ipv6. I'll prob give it another test again tonight after I look to see where I can specify the laptops ipv6 dhcp settings. I do have a win10 laptop, maybe I should try that instead. or both.
@mikev7896 said in Is it me or verizon?:
@cyth Looks like a routing issue on Verizon's end. They had one last week that seemed to get resolved late Thursday or Friday for a number of people in NJ. The fact that you're getting responses out to 2600:4000:1:228::... means your IPv6 traffic is getting to and through your local Verizon office (hop 1), and into a regional point in Verizon's network (hop 2)
I am leaning to what mikev said, I does show me reaching 2 hops from my own network. Wouldn't that mean it is in verizon's hands from that point and hence their problem? Also when I try to come in from an external source they all get stuck in verizon's network.
-
Yes, I also suspect it's Verizon's problem, but I was just trying to help you prove it. Since it fails without pfSense, it's definitely their problem.
