Netgate Discussion Forum
    Switched to AT&T fiber, IPv6 tunnel broken

    General pfSense Questions
    44 Posts 6 Posters 9.8k Views 5 Watching
    • M Offline
      marcg @johnpoz
      last edited by marcg

      @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

      Do you have anything in this devices settings saying to disable IPv6? The OP stated he disabled IPv6 in his bgw320 - just curious if that somehow could cause issue even when in bridge mode.

      There's an option to enable/disable v6 on the BGW's LAN side, under HomeNetwork>IPv6. Mine is set to On as I want pfSense to receive RAs, DHCPv6 PDs, etc. That's the only BGW320 v6 enable/disable option I know of.

      pfSense is the only thing connected to the BGW in my case. If that's the same for the OP, I don't understand how that setting would affect the HE tunnel since it's v4 from the BGW perspective.

      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator @marcg
        last edited by johnpoz

        @marcg While I agree it shouldn't have any effect, is it possible that with the disable IPv6 setting on his device it blocks protocol 41?

        If he is unable to set up a tunnel, I would for sure, as a test, not disable IPv6 on the AT&T device and see if the tunnel then comes up.

        On a bit of a side note, personally I would still run an HE tunnel vs native IPv6 unless I could get a delegation that doesn't change, and one that would allow for DNS settings on that prefix. Don't really need a full /48, but something like a /56 should be available.

        I would rather live with a slight bump in latency to have a prefix that never changes, and the ability to modify PTRs for this prefix, than some prefix that is changing all the time with no ability to edit the PTRs.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • JKnottJ Offline
          JKnott @BiloxiGeek
          last edited by

          @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

          I'm trying to find a way to get my tunnel working without paying AT&T for their native IPv6.

          They charge for it? Very unusual. Rogers doesn't. In fact, it's to an ISP's advantage to have customers use IPv6, because there aren't anywhere near enough IPv4 addresses to go around.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          • JKnottJ Offline
            JKnott @BiloxiGeek
            last edited by

            @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

            But since it's AT&T I suspect they are gonna want to charge me extra for the additional service.

            I bet it's already available. With my ISP, I just had to enable it and it works. Configure pfSense for IPv6 and see what happens.


            • JKnottJ Offline
              JKnott @johnpoz
              last edited by

              @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

              I thought back when they first rolled out ipv6 they were using 6rd and were blocking 41 because they were using it

              My ISP was offering 6to4 and 6rd before going native. I had no problem using 6in4, back then. There should have been no conflict with protocol 41.


              • JKnottJ Offline
                JKnott @johnpoz
                last edited by

                @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

                I would think putting it into bridge mode would disable any sort of firewalling

                Given the firewall in those modems, is that a bad thing? 😉

                Since this is a pfSense forum, I expect people here will be running pfSense for their firewall.


                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @JKnott
                  last edited by

                  @JKnott said in Switched to AT&T fiber, IPv6 tunnel broken:

                  There should have been no conflict with protocol 41.

                  I agree - just what I read some places; doesn't mean it's true. Some thread somewhere stated that AT&T was blocking protocol 41 for anything other than their network, and when they moved to dual stack vs 6rd for their IPv6 rollout they removed the 41 block.

                  I am leaning towards the disable IPv6 setting in his AT&T device, to be honest, since if you are using the device as passthru and wanted to disable IPv6, blocking protocol 41 would be a way to stop a connected client from creating a tunnel and using IPv6 that way, etc.


                  • BiloxiGeekB Offline
                    BiloxiGeek
                    last edited by

                    Is there a difference between bridge mode and passthrough? I've set passthrough already and didn't get the tunnel up. If there's a separate bridge mode I'm more than willing to give it a try but I've not seen that setting anywhere in the BGW320 config.

                    And I too would prefer to deal with any latency issues in order to keep the 6in4 tunnel with the known and expected addresses.

                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @BiloxiGeek
                      last edited by

                      @BiloxiGeek That might be what it's called on that device; can you enable IPv6 and leave it passthru?


                      • M Offline
                        marcg @johnpoz
                        last edited by

                        @johnpoz There's no true bridge mode on the BGW320 AFAIK. IP Passthrough is bridge-like, but is NAT under the hood. With Passthrough enabled and v6 disabled on the BGW LAN side, I could see how that might prevent ATT's native v6 from working. Disabling v6 might prevent the Passthrough v6 NAT states from being created.

                        @BiloxiGeek, if you haven't already done so, I suggest that the BGW's Passthrough Mode be configured as DHCPS-Fixed with the pfSense WAN MAC entered as the Passthrough Fixed MAC Address. If there's ever more than one device on the BGW's LAN side -- wired or wireless -- at boot time, the DHCPS-Dynamic option will cause the BGW to pick whichever device it sees first as the passthrough client, not necessarily pfSense (probably not what you want).

                        • johnpozJ Offline
                          johnpoz LAYER 8 Global Moderator @marcg
                          last edited by

                          @marcg said in Switched to AT&T fiber, IPv6 tunnel broken:

                          Disabling v6 might prevent the Passthrough v6 NAT states from being created.

                          Concur - I do believe that is his problem. I don't think those devices do a true bridge, more like a NAT with a DMZ host sort of thing.


                          • M Offline
                            marcg @johnpoz
                            last edited by marcg

                            @johnpoz said in Switched to AT&T fiber, IPv6 tunnel broken:

                            I don't think those devices do a true bridge, more like a NAT with a DMZ host sort of thing.

                            It's similar, but different. In Passthrough mode, pfSense gets the public v4 IP of the BGW. For v6, pfSense gets a routable IP via DHCP for its WAN IP, plus any delegated prefixes that it requests. pfSense thinks that it's directly on the WAN with routable addresses and prefixes.

                            The BGW then 1:1 NATs every flow to/from pfSense, keeping the same source/destination address/port on both sides of the NAT. There's a snippet from the BGW's NAT table below. The x's are to obscure my routable addresses and prefixes.

                            Guessing one reason they don't do a true bridge is to enable the BGW to NAT+route in parallel for its non-Passthrough LAN-side clients (none in my case).

                            Screenshot 2025-09-01 173933.png

                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @marcg
                              last edited by

                              @marcg well that is good, then it should work for the OP.


                              • BiloxiGeekB Offline
                                BiloxiGeek @johnpoz
                                last edited by

                                Ran a traceroute yesterday:

                                [25.07.1-RELEASE][root@firewall]/root: traceroute -P 41 184.1.1.1
                                traceroute to 184.1.1.1 (184.1.1.1), 64 hops max, 40 byte packets
                                 1  dsldevice.attlocal.net (192.168.1.254)  0.574 ms  0.472 ms  0.469 ms
                                 2  * * *
                                 3  * * *
                                 4  * * *
                                 5  * * *
                                 6  192.205.32.138 (192.205.32.138)  14.657 ms  15.537 ms *
                                 7  * * *
                                

                                A separate run on that showed a different path but at a similar point I got a response from something and then nothing else.

                                One solution that I keep seeing during my searching is to switch to a business account. Just got a basic price list for that and it's flat out ridiculous. Over a thousand dollars a month to be provisioned at 1Gbps and no idea if I'd still see this problem or not.

                                • johnpozJ Offline
                                  johnpoz LAYER 8 Global Moderator @BiloxiGeek
                                  last edited by johnpoz

                                  @BiloxiGeek said in Switched to AT&T fiber, IPv6 tunnel broken:

                                  traceroute -P 41 184.1.1.1

                                  Protocol 41 is not a port. Traceroute supports TCP and UDP; I don't think that is going to work.


                                  • BiloxiGeekB Offline
                                    BiloxiGeek @johnpoz
                                    last edited by

                                    @johnpoz I was given the impression that the traceroute on a pfSense box can use -P 41 to test protocols. But I will dig into it deeper once I get home from work to double-check.

                                    • johnpozJ Offline
                                      johnpoz LAYER 8 Global Moderator @BiloxiGeek
                                      last edited by

                                      @BiloxiGeek Yeah, it is possible to do raw and specific protocols, but not sure 41 is an option. That might depend on what version of traceroute, etc. I think you can do such things with hping3 as well, but not sure of all the protocols that you can do, etc.

                                      Just wanted to let you know that you might want to verify it was doing what you expected it to be doing before you conclude it's reporting a clear failure, etc.


                                      • BiloxiGeekB Offline
                                        BiloxiGeek @johnpoz
                                        last edited by

                                        @johnpoz I'm gonna set up a Linode Nanode this afternoon to do some testing from outside AT&T's sphere of influence, to see if I can get a better idea of where the 6in4 packets are being dropped.

                                        I did find this a bit ago:
                                        nmap -6 -sO -p 41 <ip>

                                        (That's a capital letter O.)

                                        That appears to probe for protocol 41 specifically. I have to test when I get home to see if I should be testing to the v4 address or the v6. (or both)

                                        • johnpozJ Offline
                                          johnpoz LAYER 8 Global Moderator @BiloxiGeek
                                          last edited by johnpoz

                                          @BiloxiGeek This is what I get; I do have the HE tunnel up.

                                          Starting Nmap 7.97 ( https://nmap.org ) at 2025-09-04 13:56 -0500
                                          Nmap scan report for tserv9.chi1.ipv6.he.net (184.105.253.14)
                                          Host is up (0.010s latency).
                                          
                                          PROTOCOL STATE         SERVICE
                                          41       open|filtered ipv6
                                          
                                          Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds
                                          
                                          

                                          You do understand you should be checking against your HE tunnel IPv4 address for the tunnel endpoint you are using. For example, you can see above I am using the chi POP for HE at that 184.105.254.14 address.


                                          • M Offline
                                            marcg @johnpoz
                                            last edited by

                                            Here's what I see with a BGW320 in Passthrough mode using ATT's native v4/v6 services. No HE tunnel running.

                                            Testing was done from an Ubuntu machine behind pfSense to the HE POP address provided by @johnpoz . First hop is pfSense, second hop is the BGW, and the packet makes it to HE no later than hop 8.

                                            prompt# traceroute -P 41 184.105.254.14
                                            traceroute to 184.105.254.14 (184.105.254.14), 30 hops max, 60 byte packets
                                             1  pfSense.home.arpa (192.168.15.1)  0.136 ms  0.080 ms  0.080 ms
                                             2  192.168.1.254 (192.168.1.254)  0.700 ms  0.373 ms  0.398 ms
                                             3  * * *
                                             4  * * *
                                             5  * * *
                                             6  * * *
                                             7  * * *
                                             8  e0-35.switch1.sjc2.he.net (64.62.171.65)  4.678 ms  5.896 ms  3.869 ms
                                             9  * * *
                                            10  * * *
                                            11  * * *
                                            