IPv6 cannot connect to Internet

Gertjan

@crazypotato142

How is your WAN IPv6 set up ?
Like :

Check : Status > Interfaces
Did you WAN got an IPv6/128 to work with ?
and way more important : did you get a /64 "prefix" that you've assigned to LAN (using tracking) ?

Did you set up the DHCPv6 server on LAN, and does it show this IPV6 prefix assigned to you by the upstream ISP router or ISP "upstream" ?
Like :

Another check : did you LAN device got an DHCPv6 lease ?
Liken, example (a Windows device, type ipconfig /all) :

crazypotato142

That's my WAN:

Yes, i get IPv6. Here's the status page:

Yes, I set up DHCPv6. It shows the prefix.

And yes, also my device gets an IP with that prefix:

As I mentioned, I don't think there is a problem on my configuration of DHCP. It just blocks IPv6 traffic.

Gertjan

@crazypotato142

Humm, then I don't know what to think.
Consider my first 3 LAN rules as "don't care", look at my 4 & 5 rules :

The last rules is my own 'block all'.

crazypotato142

@Gertjan
It's very interesting it started to do so out of nowhere.

I have these 2 rules as well, you can see on the first post.

On logs it says it is being blocked by a default deny rule but i have no clue what and where it is.

Bob.Dig

@crazypotato142 said in All IPv6 traffic is being blocked:

And yes, also my device gets an IP with that prefix:

Show them completely or do you have static IPv6. That Windows is showing three preferred "IPv6-Addresses" alone shows that here is a problem. Often though the problem is with pfSense itself and you might not be able to fix it. There were already two prefix-changes from your ISP but your Windows doesn't know about those and that is most probably on pfSense.
If the problem is persistent for you, you could deploy ULA on your LAN and then do NPt (tracked from an unused VLAN). That has the benefit that for Windows, the prefix never changes because it only knows about the ULA.

Spoiler

In my example, the ULA-prefix is from my LAN and the tracked prefix is from a VLAN named "TRACK1WAN1".

crazypotato142

@Bob.Dig
No, my IPv6 is not static. They came out when I restarted my WAN multiple times while tryna fix it today. And one seems "Deprecated" right now.

Will NPt really fix it? Because I clearly can see that pfSense blocks whatever I do on my Firewall Logs.

Bob.Dig

@crazypotato142 said in All IPv6 traffic is being blocked:

Because I clearly can see that pfSense blocks whatever

It blocks is probably because it knows that those prefixes are not valid anymore but your Windows doesn't know and still uses those. So the answer is yes.
My prefix is changing daily so I know a thing about this.

JKnott

@Bob.Dig said in All IPv6 traffic is being blocked:

It blocks is probably because it knows that those prefixes are not valid anymore but your Windows doesn't know and still uses those. So the answer is yes.
My prefix is changing daily so I know a thing about this.

I had thought about that too. He could capture the DHCP6 sequence to see if the assigned prefix is what the Windows computers are using.

SteveITS

"ipconfig /all" will show a list:

Ethernet adapter Connection Name:
(...)
IPv6 Address. . . . . . . . . . . : 2603:300a:***:34b(Preferred)
  Temporary IPv6 Address. . . . . . : 2603:300a:***:8b18(Preferred)

I've seen my PC have 10-15 or so, and yes if it changes the old ones have to die off or be removed so Windows will start using the newer ones.

netsh interface ipv6 delete address interface="Connection Name" IPV6HERE

We have a semi-related issue where the prefix changes when Comcast updates our modem but ISC DHCP apparently won't honor "deny unknown clients" for IPv6 and I haven't had a chance to try Kea again after hours. So I've been updating our routers manually, and (my point is) we use a relatively short lease time. But I digress...

crazypotato142

When I checked again all IPv6 addressed were deprecated. I restarted the NIC and now it has a single IP matches with the prefix on pfSense. There is no blocking on logs but it still doesn't connect anywhere over IPv6.

I'm just asking to understand the process: Shouldn't it work this way if it's the thing you guys told about? @Bob.Dig @JKnott

Gertjan

@crazypotato142

If you use / stick with DHCPv6 (server) you can use this :

to make a 'static DHCPv6 lease" :

and from then on, that PC will only get the (one) ::cc IPv6, with the current prefix prepended.

Btw : my ISP IPV6 prefix, used for my LAN, rarely change.

@crazypotato142 said in All IPv6 traffic is being blocked:

again all IPv6 addressed were deprecated. I restarted the NIC

Not needed.
Type :

ipconfig /renew6

@crazypotato142 said in All IPv6 traffic is being blocked:

Shouldn't it work this way if it's the thing you guys told about?

Sure. Just keep in mind : On paper, IPv6 is ready, well defined, and should work well.
The thing is, there are probably a couple of ISPs (the ISP, the upstream router etc) out there that do respect fully the IPv6 guide lines (RFCs). The other 99,9 % make a mess out of it - doing their own 'things'.
Even pfSense isn't probably 'perfect'.

The thing is : 99,+ % clients of all IPSs in the world have just one local LAN after their ISP router.
So pfSense as a LAN device of this ISP router like any other device in this ISP LAN, has to obtain a IPv6 in this ISP LAN. This part works pretty well.
What is fare more rare : pfSense isn't a 'normal' end device. It's a router, and has its own 'sub' LAN or LANs.
So it has to ask 'prefixes', these are blocks /64 or ::1 to ::fffff:ffff:ffff:ffff, for every LAN pfSense has. That part is less well tested, less well implemented. And it all starts with : less well understood.

Bob.Dig

@crazypotato142 said in All IPv6 traffic is being blocked:

Shouldn't it work this way

Yes. So you might (also) have different problems.

JKnott

@crazypotato142 said in All IPv6 traffic is being blocked:

I'm just asking to understand the process: Shouldn't it work this way if it's the thing you guys told about?

My prefix hasn't changed in almost 7 years, so I don't have much experience to work from. However, I would expect the pfSense LAN interface to show the new prefix and the router advertisements should tell other devices on the LAN what the new prefix is.

crazypotato142

I don't know, I still don't think it's a prefix problem because I used it as it is for a long time without a single problem and now I simply can't connect to the internet with it.

But I can't see any problem on my settings and my ISP says there's nothing wrong on their side either. I'll just turn my IPv6 network completely off until I figured it out because it really causes my network go crazy.

Do you have any recommendations to check or solve?

Bob.Dig

@crazypotato142 Check the IPv6-addresses closely, are they really using the same prefix or do they differ. It must be the same prefix as pfSense LAN has.

In Windows use ipconfig /release6 and then ipconfig /renew6 and watch out for problems.

crazypotato142

@Bob.Dig They are like this right now:

Photos deleted for privacy

Note: I can't ping an IPv6 address over pFsense interface either.

Bob.Dig

@crazypotato142 The first address already looks wrong. At least the prefix is the same.

crazypotato142

@Bob.Dig
pFsense itself can't connect to anything over IPv6 either. I can't use IPv6 ping, not even get into the Update page cuz Netgate has IPv6 addresses for their website.

Bob.Dig

@crazypotato142 said in IPv6 cannot connect to Internet:

pFsense itself can't connect to anything over IPv6 either.

That screams for a big problem, might be your ISP at this point.

crazypotato142

I'll test it with their default router and keep here updated. Thank everyone for the help.