IPv6 connectivity from internal subnet
-
Hi,
I have a pfsense device as my main external router and I'm using a Hurricane Electric tunnelbroker tunnel to provide IPv6 addresses.
On my work machine I'm running a series of virtual machines on Hyper-V. For the Hyper-V subnet I'm using one VM running pfsense as the router to provide external access to the subnet.
I've got a routed /48 from HE. The external router is using one /64 for its LAN and it's delegating /60 networks downstream. The internal router is providing a /64 to the VMs on its LAN side.
Everything was working correctly for me. I was getting IPv6 addresses on both LANs and could access the internet successfully from both LANs. At some point recently the internal Hyper-V LAN IPv6 stopped working externally. It's possible that it was when I upgraded both routers to pfsense 2.7, but I can't say that for sure as I didn't check that IPv6 was working before and after the upgrade.
Now what I'm finding is that the external pfsense router is dropping or filtering all packets for the internal hyper-v LAN ipv6 subnet. I can run tcpdump on the GIF and LAN interfaces of the external pfsense router and can see traffic from the hyper-v LAN on ipv6 go out, I also see the responses on the GIF interface, but those responses do not show on the LAN interface. I was wondering if anyone had any ideas on what might be going on here?
Here are a series of screenshots showing more of my configuration:
Tunnelbroker
External router
Hyper-V router
Looks like I've reached the limit on attached images, I'll try to add more to a follow up message.
Thanks!
-
Here are some additional configuration screenshots:
Hyper-v router
Tcpdump captures on external router GIF and LAN interfaces
-
I'm hitting the same issue described in
https://forum.netgate.com/topic/180346/dhcpv6-pd-not-installing-route-after-23-05-release-upgrade
The regression bug raised from that post is at https://redmine.pfsense.org/issues/14502
The bug is resolved and it can be installed by modifying two files and installing the dhcpleases6 package, as described in the details of the regression bug. I did that procedure and it addressed the issue.
-
Just to close this out... To avoid any issues at the next upgrade I backed out the two changes in the patch and uninstalled the dhcpleases6 package.
Then I added a new gateway on my external router that points to the hyper-v router's ipv6 address on its WAN side (the external router's LAN side), and added a static route to direct the delegated prefix subnet to that gateway. This configuration also works to allow IPv6 to work from the internal hyper-v router's LAN side. These two configuration items will be easy to back out at upgrade, assuming the issue is addressed in the next release.
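-
The symptom in this thread (replies visible on the GIF interface but never on the LAN interface) is what a missing route for the delegated prefix looks like. The following is an added example, not from any poster or from pfSense: a longest-prefix-match check over a constructed routing table. The interface names (`gif0`, `em1`), the addresses from the 2001:db8::/32 documentation range and the three-column row format are assumptions.

```python
import ipaddress

# Constructed rows (destination, gateway, interface) for a hypothetical
# external router; not captured from a real system.
ROUTES_BEFORE = """\
default             2001:db8:ffff::1  gif0
2001:db8:ffff::/64  link#8            gif0
2001:db8::/64       link#2            em1
"""
# Same table plus a static route for the delegated /60 via the downstream
# router's WAN-side address (hypothetical), as in the workaround above.
ROUTES_AFTER = ROUTES_BEFORE + "2001:db8:0:10::/60  2001:db8::2  em1\n"


def parse_routes(text):
    """Parse 'destination gateway interface' rows into (network, gw, netif)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        dest, gateway, netif = fields
        net = ipaddress.ip_network("::/0" if dest == "default" else dest)
        routes.append((net, gateway, netif))
    return routes


def best_route(routes, addr):
    """Longest-prefix match: the most specific route containing addr."""
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def check_delegation(routes, delegated, lan_if):
    """Return (ok, egress_interfaces) for the first and last host address
    of the delegated prefix. ok is True only if both leave via lan_if."""
    prefix = ipaddress.ip_network(delegated)
    chosen = [best_route(routes, a) for a in (prefix[1], prefix[-1])]
    ok = all(r is not None and r[2] == lan_if for r in chosen)
    return ok, {r[2] for r in chosen if r is not None}


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(name, check_delegation(parse_routes(table),
                                     "2001:db8:0:10::/60", "em1"))
```

Without the static route, traffic for the delegated /60 only matches the default route on the tunnel interface, so it never reaches the LAN side.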