IPv6 Issues since upgrading

gregeeh

Hi all,

Just upgraded from 2.6 to 2.7 and I cannot ping IPv6 addresses now.

[2.7.0-RELEASE][admin@pfSense.localdomain]/root: ifconfig -a
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:e0:4c:68:1b:b2
        inet6 fe80::2e0:4cff:fe68:1bb2%re0 prefixlen 64 scopeid 0x1
        inet 103.85.39.51 netmask 0xfffffc00 broadcast 103.85.39.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:e0:4c:68:1b:b3
        inet6 fe80::2e0:4cff:fe68:1bb3%re1 prefixlen 64 scopeid 0x2
        inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        inet 10.10.10.1 netmask 0xffffffff
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33152
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        maxupd: 128 defer: off
        syncok: 1
        groups: pfsync
ovpns2: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::2e0:4cff:fe68:1bb2%ovpns2 prefixlen 64 scopeid 0x7
        inet 10.0.8.1 netmask 0xffffff00 broadcast 10.0.8.255
        groups: tun openvpn
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 76133
[2.7.0-RELEASE][admin@pfSense.localdomain]/root:

Has something changed that requires attention?

TIA

JKnott

@gregeeh

What address are you trying to ping? According to what I see, you don't have a global address on the WAN interface. This means you will not be able to ping any global address.

gregeeh

@JKnott said in IPv6 Issues since upgrading:

What address are you trying to ping?

2606:4700:4700::1111
2001:4860:4860:0:0:0:0:8888

JKnott

@gregeeh said in IPv6 Issues since upgrading:

2606:4700:4700::1111
2001:4860:4860:0:0:0:0:8888

If you don't have a global address on your WAN connection, you will not be able to ping them from pfSense. However, that won't stop ping from computers on the LAN side.

gregeeh

@JKnott - Thanks for your reply.

Strange that since updating to 2.7 I have no global IPv6 address. Is there anything that might have changed in 2.7?

As you can see from the Monitoring graph it was fine until I updated this morning.

JKnott

@gregeeh said in IPv6 Issues since upgrading:

Strange that since updating to 2.7 I have no global IPv6 address. Is there anything that might have changed in 2.7?

On the WAN page there's a setting Request only an IPv6 prefix. Is that set?

gregeeh

@JKnott said in IPv6 Issues since upgrading:

@gregeeh said in IPv6 Issues since upgrading:

Strange that since updating to 2.7 I have no global IPv6 address. Is there anything that might have changed in 2.7?

On the WAN page there's a setting Request only an IPv6 prefix. Is that set?

Thanks for your reply.
It was not set, so I checked it and still no global IPv6.

JKnott

@gregeeh said in IPv6 Issues since upgrading:

It was not set, so I checked it and still no global IPv6.

You don't want it checked.

Try capturing the full DHCPv6 sequence and posting the capture file here.

gregeeh

@JKnott - File attached.

packetcapture-re0-20230730095819.pcap

JKnott

@gregeeh

There's something really strange there.

Here's what your capture looks like:

login-to-view

And mine:

login-to-view

You have multiple solicits and also a few release XIDs, which is something I've never seen before. You shouldn't have to send 9 solicits. I guess the next question is why is your ISP ignoring all those solicits with 2.7, but not 2.6. Also, why the release?

gregeeh

@JKnott - I really appreciate your time and comments.

What do you think my next step should be? Contact the ISP, if so what should I tell them?

Like you I think it's strange 2.6 worked and 2.7 does not.

JKnott

@gregeeh

It might be worth a reinstall. Back up your config first though. Do you have a recent one from before 2.7?

gregeeh

@JKnott - Yep, I have Auto Backups so there should be one there.

I'm running my pfSense headless, so is it possible to do a reinstall without having to connect up a monitor and keyboard?

Once again, I really appreciate all your time and helping me with this issue.

EDIT: Just noticed that it now looks like I have a global IPv6 address on the WAN:

[2.7.0-RELEASE][admin@pfSense.localdomain]/root: ifconfig -a
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:e0:4c:68:1b:b2
        inet6 fe80::2e0:4cff:fe68:1bb2%re0 prefixlen 64 scopeid 0x1
        inet6 2402:7940:f000:200::110 prefixlen 128
        inet 103.85.39.51 netmask 0xfffffc00 broadcast 103.85.39.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:e0:4c:68:1b:b3
        inet6 fe80::2e0:4cff:fe68:1bb3%re1 prefixlen 64 scopeid 0x2
        inet6 fe80::1:1%re1 prefixlen 64 scopeid 0x2
        inet6 2402:7940:f021:2700:2e0:4cff:fe68:1bb3 prefixlen 64
        inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
enc0: flags=0<> metric 0 mtu 1536
        groups: enc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
        inet 10.10.10.1 netmask 0xffffffff
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33152
        groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
        maxupd: 128 defer: off
        syncok: 1
        groups: pfsync
ovpns2: flags=8043<UP,BROADCAST,RUNNING,MULTICAST> metric 0 mtu 1500
        options=80000<LINKSTATE>
        inet6 fe80::2e0:4cff:fe68:1bb2%ovpns2 prefixlen 64 scopeid 0x7
        inet 10.0.8.1 netmask 0xffffff00 broadcast 10.0.8.255
        groups: tun openvpn
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        Opened by PID 40817
[2.7.0-RELEASE][admin@pfSense.localdomain]/root:

However I have no IPv6 on the Gateway and I cannot ping any IPv6 addresses:

JKnott

@gregeeh said in IPv6 Issues since upgrading:

I'm running my pfSense headless, so is it possible to do a reinstall without having to connect up a monitor and keyboard?

Not that I'm aware of.

You can run without a WAN global address, as it's not used for routing. Does IPv6 work OK on your LAN?

the other

@gregeeh hey there,
I might be mistaken but I recall a bug (?) that prevents from showing the given IPv6 on that GUI screenshot of yours under dashboard view...
My setting here: Fritzbox router gives IPv6 prefix to clients on LAN but no IPv6 to pfsense's WAN (which is connected to pfsense). Also in pfsense WAN IF I selected above mentioned option to only receive prefix but no IPv6 address.
So same here under 2.6: ifconfig -a shows IPv4 and v6, here with locallink, ULA and GUA (both received from fritzbox. It doesn't show WAN's GUA on pfsense GUI. Under dashboard view there is only WAN's locallink under "Gateways", online. Under "Interfaces" it shows WAN's ULA (given by Fritzbox). With ifconfig -a it shows those PLUS it's GUA.
It's the same with 2.7.
In both cases, no successful PING from WAN. All VLAN interfaces with active IPv6 get the correct prefix an can do a Ping. And that is all I need for my little home network...

gregeeh

@JKnott said in IPv6 Issues since upgrading:

You can run without a WAN global address, as it's not used for routing. Does IPv6 work OK on your LAN?

Did a fresh install of 2.7 and even without restoring my config I have the same issue.

As for the LAN clients. They all get a IPv6 address but cannot connect to any IPv6 nor ping any IPv6 address.

jordanp123

I'm in the same boat as everyone here, but I'm on 23.05.1, I found that manually adding a ipv6 route using the link local gateway address will let mine work but any autoconfigured gateway on the ipv6 side fails due to "No route" errors on the linux ping command. 23.05 worked fine.

poppadum

I have what looks to be the same issue - no IPv6 default route since upgrading to 2.7. pfSense does think my IPv6 gateway is up, probably because I've set a monitor address which is pingable from the LAN.

login-to-view

My pfsense is virtualised under Proxmox and I think the link-local address of my pppoe0 interface has changed since upgrading to 2.7.

login-to-view

The gateway IPv6 address shown doesn't seem to be valid for interface pppoe0:

# ifconfig pppoe0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        description: WAN
        inet6 fe80::3421:f898:4e49:5f2b%pppoe0 prefixlen 64 scopeid 0x8
        inet6 fe80::ec5e:b8ff:fe3a:ae7c%pppoe0 prefixlen 64 scopeid 0x8
        inet6 2001:8b0:1111:1111:0:ffff:51bb:1aef prefixlen 128
        ...

I'm not sure where it's getting that gateway address from - it's set to dynamic in the web interface. It is in file /tmp/pppoe0_defaultgwv6 but I thought that was regenerated every boot?

poppadum

@jordanp123 said in IPv6 Issues since upgrading:

I found that manually adding a ipv6 route using the link local gateway address will let mine work

That fix also works for me. In my case if I enter

route -6 add default fe80::ec5e:b8ff:fe3a:ae7c%pppoe0

IPv6 routing starts working fine from inside the LAN.

poppadum

@poppadum said in IPv6 Issues since upgrading:

The gateway IPv6 address shown doesn't seem to be valid for interface pppoe0:

# ifconfig pppoe0
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        description: WAN
        inet6 fe80::3421:f898:4e49:5f2b%pppoe0 prefixlen 64 scopeid 0x8
        inet6 fe80::ec5e:b8ff:fe3a:ae7c%pppoe0 prefixlen 64 scopeid 0x8
        inet6 2001:8b0:1111:1111:0:ffff:51bb:1aef prefixlen 128
        ...

I'm not sure where it's getting that gateway address from - it's set to dynamic in the web interface. It is in file /tmp/pppoe0_defaultgwv6 but I thought that was regenerated every boot?

Just spotted this in the ppp log on the date I did the upgrade:

Jul 27 17:07:25	ppp	13981	[wan] IPV6CP: rec'd Configure Request #0 (Ack-Rcvd)
Jul 27 17:07:25	ppp	13981	[wan] IPV6CP: SendConfigAck #0
Jul 27 17:07:25	ppp	13981	[wan] IPV6CP: state change Ack-Rcvd --> Opened
Jul 27 17:07:25	ppp	13981	[wan] IPV6CP: LayerUp
Jul 27 17:07:25	ppp	13981	[wan] ec5e:b8ff:fe3a:ae7c -> 0203:97ff:feba:0900

Anyone know why ppp seems to be rewriting the link-local address?