IPv6 cannot connect to Internet

JKnott

@Bob.Dig said in All IPv6 traffic is being blocked:

It blocks is probably because it knows that those prefixes are not valid anymore but your Windows doesn't know and still uses those. So the answer is yes.
My prefix is changing daily so I know a thing about this.

I had thought about that too. He could capture the DHCP6 sequence to see if the assigned prefix is what the Windows computers are using.

SteveITS

"ipconfig /all" will show a list:

Ethernet adapter Connection Name:
(...)
IPv6 Address. . . . . . . . . . . : 2603:300a:***:34b(Preferred)
  Temporary IPv6 Address. . . . . . : 2603:300a:***:8b18(Preferred)

I've seen my PC have 10-15 or so, and yes if it changes the old ones have to die off or be removed so Windows will start using the newer ones.

netsh interface ipv6 delete address interface="Connection Name" IPV6HERE

We have a semi-related issue where the prefix changes when Comcast updates our modem but ISC DHCP apparently won't honor "deny unknown clients" for IPv6 and I haven't had a chance to try Kea again after hours. So I've been updating our routers manually, and (my point is) we use a relatively short lease time. But I digress...

crazypotato142

When I checked again all IPv6 addressed were deprecated. I restarted the NIC and now it has a single IP matches with the prefix on pfSense. There is no blocking on logs but it still doesn't connect anywhere over IPv6.

I'm just asking to understand the process: Shouldn't it work this way if it's the thing you guys told about? @Bob.Dig @JKnott

Gertjan

@crazypotato142

If you use / stick with DHCPv6 (server) you can use this :

to make a 'static DHCPv6 lease" :

and from then on, that PC will only get the (one) ::cc IPv6, with the current prefix prepended.

Btw : my ISP IPV6 prefix, used for my LAN, rarely change.

@crazypotato142 said in All IPv6 traffic is being blocked:

again all IPv6 addressed were deprecated. I restarted the NIC

Not needed.
Type :

ipconfig /renew6

@crazypotato142 said in All IPv6 traffic is being blocked:

Shouldn't it work this way if it's the thing you guys told about?

Sure. Just keep in mind : On paper, IPv6 is ready, well defined, and should work well.
The thing is, there are probably a couple of ISPs (the ISP, the upstream router etc) out there that do respect fully the IPv6 guide lines (RFCs). The other 99,9 % make a mess out of it - doing their own 'things'.
Even pfSense isn't probably 'perfect'.

The thing is : 99,+ % clients of all IPSs in the world have just one local LAN after their ISP router.
So pfSense as a LAN device of this ISP router like any other device in this ISP LAN, has to obtain a IPv6 in this ISP LAN. This part works pretty well.
What is fare more rare : pfSense isn't a 'normal' end device. It's a router, and has its own 'sub' LAN or LANs.
So it has to ask 'prefixes', these are blocks /64 or ::1 to ::fffff:ffff:ffff:ffff, for every LAN pfSense has. That part is less well tested, less well implemented. And it all starts with : less well understood.

Bob.Dig

@crazypotato142 said in All IPv6 traffic is being blocked:

Shouldn't it work this way

Yes. So you might (also) have different problems.

JKnott

@crazypotato142 said in All IPv6 traffic is being blocked:

I'm just asking to understand the process: Shouldn't it work this way if it's the thing you guys told about?

My prefix hasn't changed in almost 7 years, so I don't have much experience to work from. However, I would expect the pfSense LAN interface to show the new prefix and the router advertisements should tell other devices on the LAN what the new prefix is.

crazypotato142

I don't know, I still don't think it's a prefix problem because I used it as it is for a long time without a single problem and now I simply can't connect to the internet with it.

But I can't see any problem on my settings and my ISP says there's nothing wrong on their side either. I'll just turn my IPv6 network completely off until I figured it out because it really causes my network go crazy.

Do you have any recommendations to check or solve?

Bob.Dig

@crazypotato142 Check the IPv6-addresses closely, are they really using the same prefix or do they differ. It must be the same prefix as pfSense LAN has.

In Windows use ipconfig /release6 and then ipconfig /renew6 and watch out for problems.

crazypotato142

@Bob.Dig They are like this right now:

Photos deleted for privacy

Note: I can't ping an IPv6 address over pFsense interface either.

Bob.Dig

@crazypotato142 The first address already looks wrong. At least the prefix is the same.

crazypotato142

@Bob.Dig
pFsense itself can't connect to anything over IPv6 either. I can't use IPv6 ping, not even get into the Update page cuz Netgate has IPv6 addresses for their website.

Bob.Dig

@crazypotato142 said in IPv6 cannot connect to Internet:

pFsense itself can't connect to anything over IPv6 either.

That screams for a big problem, might be your ISP at this point.

crazypotato142

I'll test it with their default router and keep here updated. Thank everyone for the help.

Uglybrian

@Bob.Dig said in IPv6 cannot connect to Internet:

might be your ISP at this point.

Thats what i have been thinking through out this post.

JKnott

@crazypotato142 said in IPv6 cannot connect to Internet:

pFsense itself can't connect to anything over IPv6 either.

I saw in your settings that you request a prefix only, not a WAN address. You might have to specify your LAN interface as the source address. You use the -s option for that.

crazypotato142

@JKnott said in IPv6 cannot connect to Internet:

You might have to specify your LAN interface as the source address. You use the -s option for that.

How do I do that?

Also I didn't do such a thing after we got my IPv6 in this thread
https://forum.netgate.com/post/1217330

JKnott

@crazypotato142 said in IPv6 cannot connect to Internet:

@JKnott
about 2 hours ago

I don't know, I still don't think it's a prefix problem because I used it as it is for a long time

In an earlier post I suggested you capture the DHCP6 sequence to see what prefix you're assigned, to see if it's what's actually being used. Have you tried that?

In the capture you'll see 4 packets:

Then, in the last packet, should be something like this:

Compare the prefix with the one your network is using.

crazypotato142

@JKnott
Package Capture stops when I plug the WAN cable. I'm doing it according to this: https://forum.netgate.com/topic/172514/capture-full-dhcp-or-dhcpv6-sequence

Update:
It doesn't work with the default router my ISP gave either. Prefix and IPs everything seems fine but nope, it still doesn't connect. I also checked Windows ipconfig while on it and it just showed single IP for each, prefix matched as well.

JKnott

@crazypotato142 said in IPv6 cannot connect to Internet:

Package Capture stops when I plug the WAN cable.

I just tried and it works fine here.

Do you have a switch that you can use to make a "data tap"?

crazypotato142

@JKnott I'll try it again later today.

Unfortunately no, I don't have a managed switch.