No IPv6 connectivity after upgrade [RESOLVED]

stephenw10

Moved this to general.

What sort of the IPv6 configuration do you have?

Can you connect out from pfSense directly on IPv6? Like ping6 from Diag > Ping?

How are you testing from the LAN? What error do you see?

pra45300

thank you for your reply

i have an internet box (freenbox) with IPv6 2a01:e0a:1ef:7590::1/64
on pfsense i have the IPv6 2a01:e0a:1ef:7590::2/128 for WAN
on pfsense i have the IPv6 2a01:e0a:1ef:7591::1/128 for LAN

ping test from pfsense from WAN to google.fr working fine :

ping test from pfsense from LAN to google.fr not working

LAN interface config :

i can ping all host under the sub network 2a01:e0a:1ef:7591::/64
from LAN i can t ping 2a01:e0a:1ef:7590::1
example :

< [21:46:18] - root@webblog:~ >
 =>ping google.fr
PING google.fr(par10s39-in-x03.1e100.net (2a00:1450:4007:807::2003)) 56 data bytes
^C
--- google.fr ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3075ms

< [21:46:28] - root@webblog:~ >
 =>ping probe.tech.pra.rip
PING probe.tech.pra.rip(probe.tech.pra.rip (2a01:e0a:1ef:7591::8)) 56 data bytes
64 bytes from probe.tech.pra.rip (2a01:e0a:1ef:7591::8): icmp_seq=1 ttl=64 time=0.552 ms
64 bytes from probe.tech.pra.rip (2a01:e0a:1ef:7591::8): icmp_seq=2 ttl=64 time=0.399 ms
64 bytes from probe.tech.pra.rip (2a01:e0a:1ef:7591::8): icmp_seq=3 ttl=64 time=0.331 ms
64 bytes from probe.tech.pra.rip (2a01:e0a:1ef:7591::8): icmp_seq=4 ttl=64 time=0.237 ms
64 bytes from probe.tech.pra.rip (2a01:e0a:1ef:7591::8): icmp_seq=5 ttl=64 time=0.341 ms
^C
--- probe.tech.pra.rip ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 0.237/0.372/0.552/0.103 ms
< [21:46:57] - root@webblog:~ >
 =>ping 2a01:e0a:1ef:7590::1
PING 2a01:e0a:1ef:7590::1(2a01:e0a:1ef:7590::1) 56 data bytes
^C
--- 2a01:e0a:1ef:7590::1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8191ms

< [21:48:12] - root@webblog:~ >

info i don t change the LAN or WAN interface config before or after the migration

thank you for your help

stephenw10

How are those subnets routed to you? Everything is statically assigned?

It looks like the 2a01:e0a:1ef:7591/64 subnet just isn't being routed so you see no replies.

pra45300

@stephenw10 said in No IPv6 connectivity after upgrade:

How are those subnets routed to you?
from FAI :

Everything is statically assigned?
yes

for info my pfsense ifconfig

[2.8.0-RELEASE][pra@fw1.pra.rip]/home/pra: ifconfig 
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4e120bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether 00:e0:81:ce:98:6c
        media: Ethernet autoselect
        status: no carrier
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ix0: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: LAN
        options=4e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether a0:36:9f:f8:f3:08
        inet 192.168.123.122 netmask 0xffffff00 broadcast 192.168.123.255
        inet6 fe80::a236:9fff:fef8:f308%ix0 prefixlen 64 scopeid 0x2
        inet6 2a01:e0a:1ef:7591::1 prefixlen 64
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=20<AUTO_LINKLOCAL>
ix1: flags=1008943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1420
        description: WAN
        options=4e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether a0:36:9f:f8:f3:09
        inet 192.168.2.122 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::a236:9fff:fef8:f309%ix1 prefixlen 64 scopeid 0x3
        inet6 2a01:e0a:1ef:7590::2 prefixlen 64
        media: Ethernet 10Gbase-T (10Gbase-T <full-duplex,rxpause,txpause>)
        status: active
        nd6 options=20<AUTO_LINKLOCAL>
enc0: flags=0 metric 0 mtu 1536
        options=0
        groups: enc
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=1008049<UP,LOOPBACK,RUNNING,MULTICAST,LOWER_UP> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0x0
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
pflog0: flags=100<PROMISC> metric 0 mtu 33152
        options=0
        groups: pflog
pfsync0: flags=0 metric 0 mtu 1500
        options=0
        maxupd: 128 defer: off version: 1400
        syncok: 1
        groups: pfsync
tun_wg0: flags=10080c1<UP,RUNNING,NOARP,MULTICAST,LOWER_UP> metric 0 mtu 1420
        options=80000<LINKSTATE>
        inet 10.0.8.1 netmask 0xffffff00
        groups: wg WireGuard
        nd6 options=101<PERFORMNUD,NO_DAD>

the subnet is linked by FAI perthe local IPv6 fe80::a236:9fff:fef8:f308 : ix0

in 2.7.2 and older was working without gateway
need i add gateway?
if yes which?

Thank you for your help

pra45300

after using the local IPv6 of box as router it s working :

but still same my hosts in the lan can t outgoing to internet
i use the the current default gateway mean the IPv6 of LAN

i can to access to server from outside LAN network
example :

< [06:29:44] - root@ns5:~ >
 =>ip addr |grep inet6
    inet6 ::1/128 scope host noprefixroute 
    inet6 2607:5300:201:3100::5ddf/64 scope global 
    inet6 fe80::f816:3eff:fe84:b28c/64 scope link 
< [06:29:57] - root@ns5:~ >
 =>nc -6vz webblog.tech.pra.rip 9102
Connection to webblog.tech.pra.rip (2a01:e0a:1ef:7591::17) 9102 port [tcp/bacula-fd] succeeded!
< [06:30:39] - root@ns5:~ >
 =>=>nc -6vz bacu-sd.tech.pra.rip 9103
Connection to bacu-sd.tech.pra.rip (2a01:e0a:1ef:7591::220) 9103 port [tcp/bacula-sd] succeeded!
< [06:30:45] - root@ns5:~ >
 =>nc -6vz webblog.tech.pra.rip 22
Connection to webblog.tech.pra.rip (2a01:e0a:1ef:7591::17) 22 port [tcp/ssh] succeeded!
< [06:30:49] - root@ns5:~ >

from host in LAN trying to ping and ssh :
< [06:26:52] - root@webblog:~ >
=>nc -6vz ns5.pra.rip 22
nc: connect to ns5.pra.rip (2607:5300:201:3100::5ddf) port 22 (tcp) failed: Connection timed out
but ok for ping :
< [06:35:28] - root@webblog:~ >
=>ping ns5.pra.rip
PING ns5.pra.rip(ns5.pra.rip (2607:5300:201:3100::5ddf)) 56 data bytes
64 bytes from ns5.pra.rip (2607:5300:201:3100::5ddf): icmp_seq=1 ttl=43 time=90.3 ms
64 bytes from ns5.pra.rip (2607:5300:201:3100::5ddf): icmp_seq=2 ttl=43 time=91.4 ms
64 bytes from ns5.pra.rip (2607:5300:201:3100::5ddf): icmp_seq=3 ttl=43 time=91.0 ms
64 bytes from ns5.pra.rip (2607:5300:201:3100::5ddf): icmp_seq=4 ttl=43 time=90.8 ms
^C
--- ns5.pra.rip ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 90.321/90.886/91.361/0.377 ms

trying to ping WAN IPv6 ip :
< [06:54:56] - root@monitoring:~ >
=>ping 2a01:e0a:1ef:7590::1
PING 2a01:e0a:1ef:7590::1(2a01:e0a:1ef:7590::1) 56 data bytes
^C
--- 2a01:e0a:1ef:7590::1 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time 7131ms

< [06:58:04] - root@monitoring:~ >
trying to ping google ;

=>ping google.fr
PING google.fr(par10s39-in-x03.1e100.net (2a00:1450:4007:807::2003)) 56 data bytes
^C
--- google.fr ping statistics ---
10 packets transmitted, 0 received, 100% packet loss, time 9192ms

< [06:36:50] - root@webblog:~ >

thank you for all help you can give

stephenw10

@pra45300 said in No IPv6 connectivity after upgrade:

after using the local IPv6 of box as router it s working

Yes the upstream nexthop setting for the LAN subnet should be the WAN LinkLocal address (fe80::a236:9fff:fef8:f309) not LAN. That's what you changed?

So ping6 works now from LAN clients but not so all destinations?

TCP connections all fail?

What firewall rules do you have on LAN?

pra45300

@stephenw10 said in No IPv6 connectivity after upgrade:

Yes the upstream nexthop setting for the LAN subnet should be the WAN LinkLocal address (fe80::a236:9fff:fef8:f309) not LAN. That's what you changed?

fe80::a236:9fff:fef8:f309 it s my local ip on ix1 (inet6 fe80::a236:9fff:fef8:f309%ix1 ) on the box
i added fe80::3627:92ff:fe61:3ba6 given by FAI as router :

So ping6 works now from LAN clients but not so all destinations?
correct .....

TCP connections all fail?

not all

What firewall rules do you have on LAN?
too much permissive : )

but i choose to stop all waiting (10 minutes) start thus microsoft method
and it s working fine now can outgoing

probably doing too much change and applying not totally finish (flush some table ....

was not a bug but need to change config

thank you for all your help @stephenw10

pra

pra45300

how you change the title need to add [RESOLVED]

thank you again

stephenw10

@pra45300 said in No IPv6 connectivity after upgrade:

how you change the title need to add [RESOLVED]

Done.

pra45300

Thank you
Have a good evening / night