Alternate gateway monitoring and IPv6
-
@GeorgePatches Status > Gateways, then select the related settings icon at the top right, then select the edit icon in the IPv6 gateway. Then as shown, change the monitor IP and save.
-
@BigTulsa OOOOO, you have an IPv6 address on your WAN, don't you? Mine only has a link-local and the IPv6 address goes on the LAN interface. How did you get an address on the WAN? I thought it only did prefix delegation.
-
@GeorgePatches said in Alternate gateway monitoring and IPv6:
Mine only has a link-local and the IPv6 address goes on the LAN interface.
What happens when you try a public address? I don't know what subnet is used when the WAN has only a link local address. Perhaps the LAN subnet? Give it a try and see what happens.
-
@GeorgePatches said in Alternate gateway monitoring and IPv6:
OK, but how did you do that?
Like always ^^
Question : how to find the closest IP on the way out ?
Easy : (Windows IPv6 solution) : tracert -6 ipv6.google.com
where the destination can be 'anything out there'.
I got :
1 <1 ms <1 ms <1 ms pfSense.bhf.tld [2a01:dead:beef:a6e2:92ec:77ff:fe29:392c]
2 1 ms 1 ms <1 ms 2a01:dead:beef:a600:46d4:54ff:fe2a:3600
3 4 ms 3 ms 2 ms 2a01cb08a00402060193025300740223.ipv6.abo.wanadoo.fr [2a01:cb08:a004:206:193:253:74:223]
4 * * * Délai d’attente de la demande dépassé.
5 * 19 ms * 2a01:cfc4:0:d00::3
6 17 ms 17 ms 16 ms par21s11-in-x0e.1e100.net [2a00:1450:4007:80c::200e]
1) is my pfSense LAN IPv6 - so not valid.
2) is my ISP router's IPv6 - so not valid.
The test starts with 3) - ping6 to it, see if it answers. It did not.
So, continue with 4), and so on.
The very first one that replies, for me it was the last "hop" : 6) that replied to my "ping -6" ... so, so be it, that is the closest IPv6 that I could / should use to monitor.
The thing is "par21s11-in-x0e.1e100.net [2a00:1450:4007:80c::200e]" is .... a Google owned server.
So, for me, no ISP IPv6 nearby that answers to IPv6 ICMP, so "Google" it will be.
Always keep in mind that the day the IP(v6) that you use for monitoring stops replying, this, by pfSense's default settings, brings down your WAN connection.
For example, I'll open a good bottle of champagne when 8.8.8.8 or the IPv6 equivalent : 2001:4860:4860::8888 stops replying to ping.
That simple, minor action will take down the internet connection of half the planet ^^
8.8.8.8 or 2001:4860:4860::8888 exists for DNS, and the ICMP & ICMPv6 reply are offered for free.
Free, so I'm ... dunno, not assured.
Google is controlled and owned by humans, they can decide to change their mind.
Btw : I actually do not use this Google 2a00:1450:4007:80c::200e as the IPv6 I use for monitoring.
I have my own dedicated "big iron" server in a data center nearby (Paris). That's the one I use for pfSense WAN IPv4 and IPv6 monitoring. I control that server. If something goes wrong, I'll know who to call, and what to do ^^
-
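The hop-by-hop test described in the post above, as an added example that is not part of the original post: it parses the quoted tracert output, skips hops inside the router's own prefix, and returns the first remaining hop that answers a probe. The /56 local prefix, the function names and the injectable `probe` parameter are assumptions made for illustration.

```python
import ipaddress
import subprocess
import sys

# Constructed sample: the tracert output quoted in the post, one hop per line.
TRACE = """\
  1 <1 ms <1 ms <1 ms pfSense.bhf.tld [2a01:dead:beef:a6e2:92ec:77ff:fe29:392c]
  2 1 ms 1 ms <1 ms 2a01:dead:beef:a600:46d4:54ff:fe2a:3600
  3 4 ms 3 ms 2 ms 2a01cb08a00402060193025300740223.ipv6.abo.wanadoo.fr [2a01:cb08:a004:206:193:253:74:223]
  4 * * * Délai d’attente de la demande dépassé.
  5 * 19 ms * 2a01:cfc4:0:d00::3
  6 17 ms 17 ms 16 ms par21s11-in-x0e.1e100.net [2a00:1450:4007:80c::200e]
"""
LOCAL_PREFIX = "2a01:dead:beef:a600::/56"  # assumed delegation covering hops 1 and 2

def parse_hops(trace):
    """Return [(hop_number, IPv6Address)] for every hop that shows an address."""
    hops = []
    for line in trace.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        try:
            addr = ipaddress.IPv6Address(fields[-1].strip("[]"))
        except ValueError:
            continue  # timed-out hop: the line ends in text, not an address
        hops.append((int(fields[0]), addr))
    return hops

def candidates(hops, local_prefix):
    """Drop hops inside our own prefix (pfSense LAN, ISP router)."""
    net = ipaddress.IPv6Network(local_prefix)
    return [(n, a) for n, a in hops if a not in net]

def ping6(addr, count=3):
    """Real probe: True when the system ping exits 0 for this address."""
    flag = "-n" if sys.platform.startswith("win") else "-c"
    cmd = ["ping", "-6", flag, str(count), str(addr)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def pick_monitor(trace, local_prefix, probe=ping6):
    """First hop outside local_prefix that answers the probe, else None."""
    for hop, addr in candidates(parse_hops(trace), local_prefix):
        if probe(addr):
            return hop, addr
    return None

if __name__ == "__main__":
    print(pick_monitor(TRACE, LOCAL_PREFIX))
```

Passing a different `probe` callable lets the selection logic be checked without sending any traffic.
-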
@GeorgePatches my ISP issues a /64 address to my gateway. AT&T typically issues /60 but that's only if you use their gateway. In order to make it work on mine I have to set the DHCP client as /64 and set Router Advertisement to Managed. But that limits you to one subnet getting a v6 block.
-
@BigTulsa Oh, yes I see how that would work. I get a /56 delegation and I'm using more than one. I don't really have to have more than one, but I like it.
@JKnott said in Alternate gateway monitoring and IPv6:
What happens when you try a public address? I don't know what subnet is used when the WAN has only a link local address. Perhaps the LAN subnet? Give it a try and see what happens.
So with IPv6, point to point links don't need a public address. If you look at your laptop/desktop ip config you'll see that it lists your gateway as a fe80 address of some kind...usually.
However, monitoring a global address with a link-local is...not possible. So when I set the v6 gateway interface to monitor a public address it just doesn't go anywhere.
-
@GeorgePatches said in Alternate gateway monitoring and IPv6:
So when I set the v6 gateway interface to monitor a public address it just doesn't go anywhere.
Have you tried? You can ping from any interface and it works fine. Perhaps pfSense uses another interface when the WAN doesn't have a public address. I can't try here because I have a public address on WAN. Any public address on the pfSense box is routeable through the link local WAN address.
-
@JKnott I have tried and it doesn't work. :(
-
@GeorgePatches said in Alternate gateway monitoring and IPv6:
@JKnott I have tried and it doesn't work. :(
Then just turn off monitoring. It doesn't do much anyway.
-
@JKnott this is what I did initially until I found out about changing the monitoring address.
-
@GeorgePatches said in Alternate gateway monitoring and IPv6:
@BigTulsa OOOOO, you have an IPv6 address on your WAN, don't you? Mine only has a link-local and the IPv6 address goes on the LAN interface. How did you get an address on the WAN? I thought it only did prefix delegation.
If you're only getting a link local on WAN then it's likely your ISP is either not configured for IPv6, or, you don't have the DHCP6 server configured on the WAN interface properly. It can be very specific for different ISPs.
My interface details on the dashboard look like this:
-
@BigTulsa said in Alternate gateway monitoring and IPv6:
If you're only getting a link local on WAN then it's likely your ISP is either not configured for IPv6,
Some ISPs provide IPv6 with only a link local address on the WAN interface. On IPv6, routing is normally done via link local addresses.
-
@JKnott said in Alternate gateway monitoring and IPv6:
@BigTulsa said in Alternate gateway monitoring and IPv6:
If you're only getting a link local on WAN then it's likely your ISP is either not configured for IPv6,
Some ISPs provide IPv6 with only a link local address on the WAN interface. On IPv6, routing is normally done via link local addresses.
I'll take your word for that as my knowledge of IPv6 and how it works is limited for now.
-
@BigTulsa said in Alternate gateway monitoring and IPv6:
I'll take your word for that as my knowledge of IPv6 and how it works is limited for now.
Just a suggestion, look up like the beginning of a current Cisco CCNA course. They cover IPv6 stuff in great detail before they start to get into the specific Cisco stuff. Really good way to get spun up on all the settings.