only ICMP protocol works !!!

SteveITS

@tchello Could be DNS, or firewall rules. Verify DNS is working and if so post your rules for LAN.

tchello

@SteveITS Dear Steve
My DNS is:

And my rules is:

I guess that dns is working:

SteveITS

@tchello FWIW your block rules will not trigger because they are below the allow-to-any rules. Note they are all "0/0 B".

tchello

@SteveITS
Yes, I agree, but I not use this rules, and I forgetd it of erase. My fault

I think it's my provider's problem, my friend. What do you think?

johnpoz

@tchello why do you have a /56 mask on your wan? That is not how delegation works.. Did your isp tell you to but a /56 on the wan interface.. Which overlaps with your lan interface?

a /56 is not a mask you would put on a actual interface, that is a route prefix or delegation prefix not an interface prefix.

JKnott

@tchello said in only ICMP protocol works !!!:

My WAN Static: 2001:XXXX:XXXX:9f00::2/56 - Pfsense

If they provide a WAN address, it normally has a /128 prefix length. You would also have a /64 on a link local address. You'd use the /56 to request the prefix size, if that's what the ISP provides.

tchello

@johnpoz
Thank you John

They gave it to me like this:

The block was configured and the ping is ok. Please validate with the client by providing them with the configured IPs as below.

ipv6 from 2001:xxxx:xxxx:9F00::2/56
IPv6 gateway 2001:xxxx:xxxx:9F00::1
ipv6 dns server 2804:7F4:2002:1005::98
ipv6 dns server 2804:7F4:2002:1005::99”

So am I wrong in the configuration?

Sorry, I'm not experienced in setting IPv6 statically.

tchello

This post is deleted!

tchello

@JKnott

This is what the provider gave me

The following is the return:
“The block has been configured and the ping is ok. Please validate with the client by providing them with the configured IPs as below.

ipv6 from 2001:xxxx:xxxx:9F00::2/56
IPv6 gateway 2001:xxxx:xxxx:9F00::1
ipv6 dns server 2804:7F4:2002:1005::98
ipv6 dns server 2804:7F4:2002:1005::99”

johnpoz

@tchello yeah that is not right at all.. That is fine if they gave you a /56 that they route to you.. But there would be transit network.. You might sometimes see the first prefix out of the /56 as the transit.

Try setting that first prefix as /64 and then use the next prefix of /64 on your lan.

So your lan side interface would be 2001:xxxx:xxxx:9f01::1/64

That info is pretty bad.. Which is typical of ISP that really have no business doing IPv6 because they have no real clue how to do it ;)

edit:
You asked for a /56 I take it and that is the info you got. Which would work if all your devices were directly connected, but still wrong because you wouldn't use a /56 in that scenario. But some level 1 guy plugged the ticket into some ip allocation form and that is what it spit out..

tchello

@johnpoz
Ok John, I will todo tomorrow, I talk to u

Thank a lot

johnpoz

@tchello not saying that will work.. But I have seen this method used before.. Its not really a good way to do it, but maybe it will work for you.. Good luck, let us know.

Gertjan

@tchello said in only ICMP protocol works !!!:

My WAN Static: 2001:XXXX:XXXX:9f00::2/56 - Pfsense
My GW Static :2001:XXXX:XXXX:9f00::1/56 - Pfsense

WAN IPv6 ....:2 and gateway ...:1 Humm, is this a huricane IPv6 tunnel setup ?

tchello

@johnpoz Good day
I did this setup
WAN: 2001:XXXX:XXXX:9F00::2 /64
LAN : 2001:XXXX:XXXX:9F01:f0ca:4 /64

ping OK!
any protocol outside this -> failed

If this setup is what you told me, then the fault is with the provider. I'm trying to contact them.

Thanks a lot brow

johnpoz

@tchello yeah like I said it could work that way.. But then again not sure what they are thinking with just giving you that info.. It is not how you would allow a user to use a /56 behind a router. Their info would be for if that /56 was directly attached, and not behind a router. Which you would never do - because its pointless to be honest.. If your only going to directly attach to the isp, a /64 is more than you would ever need.. And you using a /56 over a /64 gets you nothing. It defeats the whole point of /56 that you could break up into multiple /64s

To be honest since your isp seems clueless, would be just a use a tunnel from HE - they will give you a /48 that never changes, and even allow you to create PTRs for the space - something I highly doubt your isp would allow you to do.

Are they charging you for this /56?

tchello

@johnpoz

Are they charging you for this /56?
I'm client for them, have a LP dedicated a far long time. Then now I need it Ipv6 for many cameras that I cant access because the provider only give me cgnat ip . Then I asked about ipv6 to him. Give me without charge.

Here in Brazil is known Vivo

johnpoz

@tchello What I can tell you is the info they gave you will not work.. They have given you a /56 that is directly attached to them - not routed to you that you can use on prefixes behind a router.

And directly attaching a /56 is borked.. They need to route the /56 to you - so that you can then break up that /56s to use on your networks behind pfsense.

There needs to be a transit network to route to you - be it a /64 or a /128 or even just link-local.. But you can not put a /56 on an interface and expect it to work.

tchello

@johnpoz
Dear John As I suspected, the error was with the provider, after my request they solved the IPv6 problem. I am very grateful to you for your support.