LAN devices can ping IPv6 site but pfSense itself cannot
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
Talking to pfsense update servers to check for updates, packages, that sort of thing.
Does that actually require a global WAN address? Or can the LAN address be used? You can use either for accessing pfSense from elsewhere. With the ping command, you can specify which interface to use as the source address.
-
Yes, it can just use the LAN address as source. If you have a functioning routable /64 on the LAN then just use that for pfSense. There's no need to add an address on WAN and putting an address on WAN that isn't routing correctly will only break it.
-
@stephenw10 So why would pfsense use its lan IPv6 address to talk to the internet, it wouldn't have a gateway set - it is the gateway for the devices using the PD network..
I am missing something? I haven't played with using a tracked interface in years and years. And my wan always got a gua on its wan when I did. And pfsense used that when pfsense itself wanted to talk to something out on the internet via ipv6.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
It's default route would have to be the link-local address on WAN. My own WAN is like that, the ISP only supplies a PD, I have no routable address on the WAN so pfSense uses the LAN address (or whatever interface it's on).
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
So why would pfsense use its lan IPv6 address to talk to the internet, it wouldn't have a gateway set - it is the gateway for the devices using the PD network..
It can use any valid global address on the box. With ping, you force the source with the -I option. As @stephenw10 mentioned, the gateway is usually the link local address for it.
One thing to bear in mind is all interfaces are on the same box and it generally doesn't matter which one you use.
-
@stephenw10 ok that makes sense once you state it and think about it for a second. Thanks.
So which one does pfsense use if say you have 3 interfaces with PD on them as source IP when it wants to say check if updates from netgate? Lets say there isn't tracked on the lan but like opt3 and opt4.. What method is used to determine the source IP when no gua on the wan?
What if those interfaces are like em2 on 4 and em3 on 3 - does it use the opt number the lower interface, is there doc on how that is selected? I don't recall running across where this is talked about?
Does it use the lower prefix no matter what interface its on? I can't believe its random where it would use say opt1 for some traffic and opt3 for other traffic - there has to be a selection process?
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
My understanding is that it will use the closest interface to the Internet, if available. I really haven't tested this much, other than with ping. It's also easier to understand on incoming connections, as you specify which you want to connect to. On my notebook computer, there is the metric which is used to choose between LAN and WiFi, when both are connected. When it's running Linux, I can connect to either port, but not with Windows.
One thing those is all the LAN addresses that use the IPv6 prefix are reachable from outside, as all the Internet worries about it the route to the destination address, which passes through the WAN interface to the pfSense system. Another thing, which trips up a lot of people, is the WAN interface does not need a global address.
-
@JKnott but what is the method it uses to determine which is "closer" to the internet?
if say on opt3 I have the 3rd prefix out of a /56 and on opt4 I have the 2nd prefix out of that /56.. Does it always use the lower prefix? does it use the lower interface.. What is the method used to determine the source IP?
Neither of those is "closer" to the internet.. Unless your saying it does some math and say oh this IP is "closer" to my destination address so use opt3, but this other destination address is closer to my opt4 so use that?
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
So which one does pfsense use if say you have 3 interfaces with PD on them as source IP when it wants to say check if updates from netgate? Lets say there isn't tracked on the lan but like opt3 and opt4.. What method is used to determine the source IP when no gua on the wan?
In my case, the first one. But I'm not sure if that's because it's the first interface or the lowest IP address numerically.
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
f say on opt3 I have the 3rd prefix out of a /56 and on opt4 I have the 2nd prefix out of that /56.. Does it always use the lower prefix? does it use the lower interface.. What is the method used to determine the source IP?
Couldn't tell you, other than specifying the interface in ping. You'll have to ask someone who knows the FreeBSD internals.
-
The important thing is that it uses a globally routable address rather than the WAN link-local address automatically. So you only need a public address on any interface for pfSense itself to have IPv6 connectivity.
