IPv6 testing

Cino

@iFloris:

@Cino:

When I try get the gateway under routing. The box wont let me input the ipv6 address that i got from he.net. It says the subnet is not within the range. If I leave the gateway blank and click save, it puts the ipv6 address that i try to manually enter.

When creating the WANIP6 interface after creating the gateway, I don't get an option to select the gateway.. Only option is none.

Cino, did you manage to solve this before you did a fresh install?
I seem to be running into the same problem, but a fresh install isn't feasible at the moment.

Also, Databeestje: Awesome.

I wasn't able to resolve the issue…

Daboom

I too have a similar situation to the last two posters. The Gateway will not let me put in the correct info and if I leave it blank then it will put in dynamic instead and I get no ipv6 anymore. I had to change it back to the way I had it which never says online or does any of the gateway checks.

databeestje

I have not gotten round to that, I'm doing this as time permits

gnhb

@sullrich:

Custom images built from Seth's REPO:

http://cvs.pfsense.org/~sullrich/ipv6/

Awsome. Thanks.
I had the same experience as Jim P. Git install fails on nanoBSD due to partition size limitations.

GB

databeestje

The subnet check on the gif interface should now properly work again. Have not verified yet, gitsync your install to get it.

You also get (hopefully) working traffic counters for ipv6 traffic.
IPv6 packet counts are logged but not graphed yet.
Menu banner shows IPv6 addresses now too.
ICMP6 rules have been relaxed so that we might have a shot at getting dhcp v6 messages out.
I also added unblockable ICMP6 rules to make sure basic connectivity is never blocked.
Addition of Bogon support for IPv6 prefixes, although a tad large at 30k entries

DSI

I have just freshly installed latest snapshost and had my system synced with pfSense-smos repository.
I did follow this instructions and it still says "The gateway address 2001:470:1f0a:XXXX::1 does not lie within the chosen interface's subnet."

I also noticed interesting behaviour. After gitsyncing with IPv6 repo, automatic checks for new firmware/auto update don't work anymore. It says "Unable to check for updates."

databeestje

did you reboot after gitsyncing?

DSI

Yes, I did reboot.
I will now test on other freshly reinstalled pfSense machine.

Edit: Same issue on other machine :(

Cino

I've been making some progress here. In my last post, I mention I had to go into the WAN interface and save it to route to the internet… The issue with "Unable to check for updates." is related I think. Over the weekend I setup a 3G Wan for failover. Because now I have gateway rules define for the LAN  firewall tab, my clients can route to the internet without having to save the Wan interface config. The pfsense default gateway is getting messed up some how which causes the "Unable to check for updates" error and i'm unable to ping www.yahoo.com from pfsense but i can from the clients. When I save the WAN interface page, the pfsense default gateway is corrected, the IPv6 tunnels comes up, able to ping to ip4 websites from the shell.

The "The gateway address 2001:470:1f0a:XXXX::1 does not lie within the chosen interface's subnet." error: I recieved the same error when I follow the how-to write up. I ended up with the same error. In the how-to, we are using a /128 subnet. The gateway doesn't like this unless you put the subnet as /64. Was I changed the gif/wan interface to /64, I was able to put the gateway address in. But then this error poped up in my syslog

php: /interfaces.php: The command '/sbin/ifconfig gif0 inet6 2001:470:1f06:e7f::2 2001:470:xxxx:xxxx::1 prefixlen 64 ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Invalid argument'

After the gateway was selected in the WANIPv6 interface, i changed the subnet back to /128 and the above error went away. I need to do some more testing to see if either /64 or /128 works… I left it at as /128 becuz i dont see the above error. HE.net tunnel info pages says its a /64 address...

I have to do some futher testing but I can't ping ipv6.google.com but i'm able to browse to the site(test-ipv6.com gave me 9/10, dns dont have ipv6 from my isp) if i ping ipv6.google.com from pfsense, "ping6: UDP connect: No route to host" from Windows 7, "Destination net unreachable"

Also there is a php error on the firewall rules page.. The page works, see screen shot:

Cino

@databeestje:

The subnet check on the gif interface should now properly work again. Have not verified yet, gitsync your install to get it.

You also get (hopefully) working traffic counters for ipv6 traffic.
IPv6 packet counts are logged but not graphed yet.
Menu banner shows IPv6 addresses now too.
ICMP6 rules have been relaxed so that we might have a shot at getting dhcp v6 messages out.
I also added unblockable ICMP6 rules to make sure basic connectivity is never blocked.
Addition of Bogon support for IPv6 prefixes, although a tad large at 30k entries

databeestje great work so far!! Where can I find the traffic counters you are talking about? Under 'Status: Interfaces' the counters dont increase but 'Status: Traffic Graph' is graphing traffic.. The Interface widget on the main page shows that the WANIPv6 is up but it doesn't show the IPv6 address. 'Status: Interfaces' does sure the IP address tho.

I went to http://ipv6-speedtest.net/ to test the speed of the tunnel, wow its slow! 1m/.5m on a 50m/5m cable modem… But hey we are only testing this out to be ready for ipv6 when we will need it....

buraglio

I'm seeing similar issues with the default route.  I've gotten around it by just throwing the route in the cli. 
I'm also seeing issues with rtadvd not working right, but that could be an artifact of the box having some of my crufty old IPv6 stuff hacked into it, not sure yet.  I'll look more at this tomorrow.

nb

buraglio

It also appears as if soem of the other routing bits are broken.  After a reboot, I had no v4 default route but it clearly showed up as there and "alive" in the status_gateways.  I added that manually in the CLI just to get it working before I sleep.

nb

DSI

Thank you Cino, I've got it working following your instructions.

But yes as buraglio says there must be some issue with IPv4 default route. For example whenever I change something on one of the interfaces page, default IPv4 route gets lost and I have to click "Save" on WAN interface to get IPv4 route working again. Also, after each reboot you also have to click "Save" on WAN interface page to get IPv4 route working.

buraglio

@buraglio:

It also appears as if soem of the other routing bits are broken.  After a reboot, I had no v4 default route but it clearly showed up as there and "alive" in the status_gateways.  I added that manually in the CLI just to get it working before I sleep.

nb

A few other observations, it appears as if (at least on my setup) I'm getting firewall blocking the all routers multicast address, which isn't really a good thing.  I have a rule that allows all ipv6 from any to any on the LAN.  It would also be useful to have ndp on the boxes to view neighbor status.  I can work on adding ndp when I get some time if you're interested.

DSI

I've noticed that with latest Beta Snapshot (built on Wed Feb 2 04:04:51 EST 2011) hitting "Save" button on WAN interface after reboot isn't needed anymore…so it looks like droping default IPv4 route is fixed.

buraglio

Nice.  I'll to an update.

Cino

@|DSI|:

I've noticed that with latest Beta Snapshot (built on Wed Feb 2 04:04:51 EST 2011) hitting "Save" button on WAN interface after reboot isn't needed anymore…so it looks like droping default IPv4 route is fixed.

I just updated my box and I still have hit save. It could because that I have multi-wan (3G USB for backup when i'm home and dont need it for my laptop).

MrKoen

I've been runnning pfSense 1.2.3 with a hacked config to get a IPv6 tunnnel to work for a while. Worked okay, but most of the web GUI wasn't usable anymore with the custom modified config files. Several forums, of which this one, speak joy about 2.0 beta and IPv6 tunnels through HE, so I'm trying to get it to work here. Unfortunately it does not seem to be able to set up a tunnel to HE. I've followed the walktrough exactly and don't see what I'm doing wrong.

Could somebody that did get it to work please post their ifconfig output of the WAN, LAN and GIF0 interfaces here please? Perhaps that shows what's wrong with my setup.

buraglio

It does work with the HE tunnel.  I, too, had hacked in support for it with rudimentary gui bits well over a year ago but this is far superior, even knowing that it is beta. 
My guess is that you don't have a default v6 route.

netstat -rn should look something like this in the v6 section:

Internet6:
Destination                      Gateway                      Flags      Netif Expire
default                          2001:xxx:xxx:xxx::1          UGS        gif0
::1                                ::1                                  UH          lo0
2001:xxx:xxx:xxx::1        2001:xxx:xxx:xxx::2          UH        gif0
2001:xxx:xxx:xxx::/64          link#1                        U          rl0
2001:xxx:xxx:xxx::1            link#1                        UHS        lo0
fe80::%rl0/64                      link#1                        U          rl0
fe80::2e0:4dff:fe83:1569%rl0  link#1                        UHS        lo0

Do you have an entry for "default"?

Cino

@buraglio:

Do you have an entry for "default"?

I dont have a default route. When I reboot, i dont any have defaults. When I save the WAN interface, a default route is added for IPv4. I tried doing the same thing for my WANIPv6 but it doesn't create a default for IPv6.

Did you enter the route manually? If so, how did you add it for IPv6?