Stuck midway through IPv6 implementation
-
Hi, try checking (Do not wait for a RA) and see if that helps. Also, are you resolving or forwarding your DNS?
Do you have any of these checked?
-
@Uglybrian Both options are checked.
I'm getting a /PD already and I cannot even ping using the IPv6 address, where no DNS is involved.
-
@NickyDoes Since you are using SLAAC, you will not see any activity/leases in your DHCPv6 server service (if you have set that up).
SLAAC is stateless and the client autoprovisions its own IPv6 address from the prefix announced by the Router Advertisements (which gets the prefix from the PD assigned by the ISP using DHCPv6-PD on your WAN interface).
You do not necessarily need a public IPv6 address on your WAN side interface - traffic can easily be routed using link-local between the ISP and your pfSense. That all depends on the ISP's preferred method of operation.
Make sure to allow ICMPv6 on your WAN interface to WAN itself and any interface containing IPv6 clients.
Make sure to have an allow-all IPv6 rule on your experiments interface - if not you specifically need an allow ICMPv6 rule on that interface to allow ping amongst other
-
You may want to change this setting
If I remember correctly, when I was setting up IPv6 from my ISP I also got a PD but no connections.
It wasn't until I checked "do not wait for RA". As soon as I did that, IPv6 started working for me.
-
Of course SLAAC isn't DHCP. IPv6 concepts are slowly making their way into my thinking.
WAN ruleset (I just added the ICMP6 allow rule)
Experimental Network ruleset
Are there other rules I should be adding for this test?
-
@NickyDoes hmm should work.
I would rethink allowing all IPv6 to the firewall on WAN - that will expose the web UI, ssh and what not to the world.
Other than that it seems strange that you cannot even ping the firewall interfaces. Can you ping the link addresses of the Experimentarium interface?
-
@NickyDoes
as @keyser said...delete that "this firewall rule". :)
Do you have your pfSense behind a modem or do you have another router in front of it?
Here my internet router gets a /56 prefix. It delegates a /57 size chunk to pfSense. This is then used by pfSense for LAN and VLANs (each /64) as recommended with v6.
I do not even need that ICMPv6 rule on WAN for IPv6 to work. If I remember correctly, then by activating IPv6 those rules are set automatically...as said, could be wrong, still here no probs without THAT rule.
So, what is your experimental VLAN interface's IPv6? Does it get one? Can you ping ie google.com from that one (pfSense's experimental VLAN interface)?
Can you ping THAT IP from your Ubuntu? Can you ping vice versa (ping from pfSense experimental interface to Ubuntu machine)?
-
@the-other Back at it, as you saw from this post.
Some answers:
pfSense is behind a Google fiber jack 'modem'.
I get a /56 PD per the DHCP6 log.
The IPv6_experimental interface does get an IP, which fits within Google's PD.
Running a fresh Ubuntu, I cannot ping the interface IPv6 from Ubuntu. UFW is not active.
Confirming my command:
ping6 <pfsense experimental VLAN IPv6 address>
responds with "Destination unreachable: Address unreachable"
Note: I triple checked the 128-bit address.
The machine gets the address properly, so VLAN is working.
-
@keyser I removed that one, which I added in error, so thanks.
No, I cannot ping the Experimental interface from the machine.
-
@NickyDoes well,
you DO have a rule to allow ping?
You would need one to test that:
Interface experimental_vlan, allow / source: this exp_vlan subnet / destination: pfsense / protocol: icmp
Set that, try again, post results...please. ;)
-
Success! This issue was a layer 2 issue: I hadn't configured one VLAN switch port's VLAN ID, a simple oversight. Return traffic wasn't reaching the pfSense interface.
Whittling away the unknowns.
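
Added example, not part of any post in this thread: a Python check of the addressing plan discussed above (a /56 PD, a /57 chunk handed to pfSense, one /64 per LAN/VLAN) and of whether a host's SLAAC address is on-link with the router interface. All addresses are constructed from the 2001:db8::/32 documentation range, and the function names are hypothetical.

```python
import ipaddress

def plan_vlans(delegated, count):
    """Carve `count` /64 networks (one per LAN/VLAN) out of a delegated prefix."""
    net = ipaddress.ip_network(delegated)
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("need an IPv6 prefix of /64 or shorter")
    available = 2 ** (64 - net.prefixlen)
    if count > available:
        raise ValueError(f"{delegated} holds only {available} /64 networks")
    subnets = net.subnets(new_prefix=64)
    return [next(subnets) for _ in range(count)]

def check_host(pd, router_if, host_addr):
    """Return a list of addressing problems; an empty list means layer 3 is consistent."""
    pd_net = ipaddress.ip_network(pd)
    rtr = ipaddress.ip_interface(router_if)
    host = ipaddress.ip_address(host_addr)
    problems = []
    if rtr.network.prefixlen != 64:
        problems.append("router interface is not a /64, SLAAC needs a /64")
    if not rtr.network.subnet_of(pd_net):
        problems.append("router interface prefix is outside the delegated prefix")
    if host.is_link_local:
        problems.append("host has only a link-local address, no RA prefix was accepted")
    elif host not in rtr.network:
        problems.append("host address is not in the router interface's /64")
    return problems

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, not real assignments).
    print(plan_vlans("2001:db8:0:80::/57", 3))
    print(check_host("2001:db8::/56", "2001:db8:0:80::1/64",
                     "2001:db8:0:80:a00:27ff:fe12:3456"))
```

When `check_host` returns no problems and ping still reports "Address unreachable", neighbor discovery is failing on the segment, which points at layer 2 (switch port VLAN membership, tagging) rather than at firewall rules.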