Netgate Discussion Forum

    IPv6 testing

      MrKoen

      buraglio, thanks for your help. I surely believe you that IPv6 tunneling will be much better in 2.0, so I'm hoping I can get it to work like you guys.

      The manual databeestje provided at his website must contain an error somewhere. It kind of jumps from the left to the right while missing the step in the middle. For example when configuring the WANIPv6 interface he all of a sudden already has a gateway while adding that is dealt with after configuring the interface. And configuring the gateway gives the address not within range error like others already have reported here. Can't believe it did work for some people. They must have done something different. I'm wondering what.

      My setup indeed lacked a default route. I already tried adding it manually, but to no avail. I also saw a difference between the assigned IPv6 tunnel addresses between my hacked pfSense 1.2.3 setup and this pfSense 2.0b5 setup. Before I could add the default IPv6 route on the command line, I needed to assign the IPv6 tunnel addresses to my GIF0 at the command line first. What I did:

      ifconfig gif0 inet6 2001:470:1f14:xxx::2 2001:470:1f14:xxx::1 prefixlen 128

      after that, I could manually add the default route for IPv6 using:

      route -n add -inet6 default 2001:470:1f14:xxx::1

      I can send out a ping6 to ipv6.google.com now, but it does not get a reply. Still no working IPv6 tunnel. Is there somewhere where I can look to find out why it can not connect?

      Does the Gateway status page (/status_gateways.php) show the HE_NET gateway as online like on the screenshot of databeestje? Here it keeps showing gathering data.

      I have attached the output of my interfaces. DE0 is my internet facing NIC. It's on a private range DMZ that connects to the outside world. So it's behind NAT. DE1 is my LAN facing NIC and GIF0 obviously is the bridge. I am able to ping the HE IPv6 gateway from the console and on the border gateway I have enabled ping echo replies. I also already tried setting the pfSense instance as the default DMZ host to see if the problem was NAT related, but no results either. Maybe something is wrong in my ifconfig?

      gif0.png
      de0.png
      de1.png

        iFloris

        @Koen:

        Can't believe it did work for some people. They must have done something different. I'm wondering what.

        You are right that some people did something different.

        I was having the wrong subnet error when trying to add the gateway, so I edited the config.xml file directly using expandrive to mount the sftp as a drive and editing the file directly so I could see whether my edits were having the desired effect.
        Having added the gateway manually, the tunnel came online and I was able to add the gateway to the interface WANIPv6 as is shown in the guide.
        Lastly, I added the anycasted he.net ipv6 dns server to the dns server list in general.

        The result is a 10/10 score on http://test-ipv6.com/ and a generally fast IPv6 internet connection (20/8 mbits).

        Also, lots of rebooting!

        images:
        (sorry about the white space)

        one layer of information
        removed

          MrKoen

          iFloris, your screenshots make me jealous  ;D I'm coming from the Microsoft world, so all this Linux stuff is fairly unknown territory for me. Would you be willing to help me troubleshoot? Possibly via MSN contact? In return I will put an updated howto online which will show all the steps to get it to work  :)

            iFloris

            @Koen:

            Would you be willing to help me troubleshoot?

            Of course I'm willing to help, but I fear that I may have inadvertently led you to believe that I am rather more proficient at all this than I am.

            As I wrote in an earlier post, I simply followed the steps that Databeestje wrote up in his howto but sidestepped the issues I ran into somewhat.
            The issue that I had, was that I couldn't get past the part of the howto telling me to edit the gateway as pfSense complained that the v6 address that I entered was outside the chosen interface subnet.
            I skipped that step for the time being and finished the howto. Then, I manually edited the gateway in the config.xml file on my pfSense machine and entered the proper v6 address. Having done that I was able to select the gateway in the WANIPv6 interface and the tunnel became operational.

            Also, I'm coming from the Mac OS X world, so all this Linux (well, BSD Unix really) stuff is fairly unknown territory for me as well!

              MrKoen

              No problem.. two minds always know more than one  ;) I appreciate you taking the time to think along.

              Where is this config.xml located? Can I simply edit it using vi at the console? Could you show me a sample of what you put in there?

              Could you perhaps have a look at the screenshots I posted earlier today with the output of my network interfaces and compare those with yours? Maybe I'm missing something crucial in the interface config.

              What ISP are you on anyway? I was using Alice ADSL before a month ago and my hacked pfSense 1.2.3 IPv6 setup worked like a charm on it. Took me a loooong time to get to work, but when it worked, it worked really well. Ever since I moved to Ziggo Alles in 1 Extra, only 1 out of 100 times the IPv6 tunnel to HE gets built up and then also works without any problems. Only thing is.. the other 99 times I can't get it to connect and I haven't got the slightest idea why. I'm missing some logging that tells me what the problem is.

              Are you using pfSense behind NAT or directly attached to your internet line with a public IP?

                iFloris

                @Koen:

                Where is this config.xml located? Can I simply edit it using vi at the console? Could you show me a sample of what you put in there?

                Could you perhaps have a look at the screenshots I posted earlier today with the output of my network interfaces and compare those with yours? Maybe I'm missing something crucial in the interface config.

                What ISP are you on anyway?

                Are you using pfSense behind NAT or directly attached to your internet line with a public IP?

                Config.xml can be found in /cf/conf/config.xml
                As you can see in the picture below, I mounted sftp directly in the Finder because I felt it was easier than using the terminal and especially cp and vi.

                Then, I edited the xml file directly, did a search for gateway and tried a few different things.
                As you can see in the images attached, I ended up with this and it works for me.

                I've also attached the v6 part of the output of netstat -rn on my pfSense installation, not sure what everything means.
                Gif is the tunnel, lo0 is the loopback, reX are my interfaces and I run both an openvpn and a pptp server, so those are mentioned as well.

                
                Internet6:
                Destination                       Gateway                       Flags      Netif Expire
                default                           2001:470:xxxx:xxxx::1          UGS        gif0
                ::1                               ::1                           UH          lo0
                2001:470:xxxx:xxxx::1              2001:470:xxxx:xxxx::2          UH         gif0
                2001:470:xxxx:xxxx::/64            link#2                        U           re1
                2001:470:xxxx:xxxx::1              link#2                        UHS         lo0
                fe80::%re0/64                     link#1                        U           re0
                fe80::290:7fff:fe32:2ef8%re0      link#1                        UHS         lo0
                fe80::%re1/64                     link#2                        U           re1
                fe80::290:7fff:fe32:2ef9%re1      link#2                        UHS         lo0
                fe80::%re2/64                     link#3                        U           re2
                fe80::290:7fff:fe32:2efa%re2      link#3                        UHS         lo0
                fe80::%re3/64                     link#4                        U           re3
                fe80::290:7fff:fe32:2efb%re3      link#4                        UHS         lo0
                fe80::%re4/64                     link#5                        U           re4
                fe80::290:7fff:fe32:2efc%re4      link#5                        UHS         lo0
                fe80::%re5/64                     link#6                        U           re5
                fe80::290:7fff:fe32:2efd%re5      link#6                        UHS         lo0
                fe80::%lo0/64                     link#8                        U           lo0
                fe80::1%lo0                       link#8                        UHS         lo0
                fe80::%gif0/64                    link#11                       U          gif0
                fe80::290:7fff:fe32:2ef8%gif0     link#11                       UHS         lo0
                fe80::%ovpns1/64                  link#12                       U        ovpns1
                fe80::290:7fff:fe32:2ef8%ovpns1   link#12                       UHS         lo0
                fe80::%pptpd0/64                  link#13                       U        pptpd0
                fe80::290:7fff:fe32:2ef8%pptpd0   link#13                       UHS         lo0
                ff01:1::/32                       fe80::290:7fff:fe32:2ef8%re0  U           re0
                ff01:2::/32                       fe80::290:7fff:fe32:2ef9%re1  U           re1
                ff01:3::/32                       fe80::290:7fff:fe32:2efa%re2  U           re2
                ff01:4::/32                       fe80::290:7fff:fe32:2efb%re3  U           re3
                ff01:5::/32                       fe80::290:7fff:fe32:2efc%re4  U           re4
                ff01:6::/32                       fe80::290:7fff:fe32:2efd%re5  U           re5
                ff01:8::/32                       ::1                           U           lo0
                ff01:b::/32                       2001:470:xxxx:xxxx::2          U          gif0
                ff01:c::/32                       fe80::290:7fff:fe32:2ef8%ovpns1 U        ovpns1
                ff01:d::/32                       fe80::290:7fff:fe32:2ef8%pptpd0 U        pptpd0
                ff02::%re0/32                     fe80::290:7fff:fe32:2ef8%re0  U           re0
                ff02::%re1/32                     fe80::290:7fff:fe32:2ef9%re1  U           re1
                ff02::%re2/32                     fe80::290:7fff:fe32:2efa%re2  U           re2
                ff02::%re3/32                     fe80::290:7fff:fe32:2efb%re3  U           re3
                ff02::%re4/32                     fe80::290:7fff:fe32:2efc%re4  U           re4
                ff02::%re5/32                     fe80::290:7fff:fe32:2efd%re5  U           re5
                ff02::%lo0/32                     ::1                           U           lo0
                ff02::%gif0/32                    2001:470:xxxx:xxxx::2          U          gif0
                ff02::%ovpns1/32                  fe80::290:7fff:fe32:2ef8%ovpns1 U        ovpns1
                ff02::%pptpd0/32                  fe80::290:7fff:fe32:2ef8%pptpd0 U        pptpd0
                
                

                As for my ISP and connection:
                For a few months now, I've been using Ziggo so at least you know that your ISP isn't the problem.
                pfSense is my NAT, so it has a public v4 address.

                Images:


                  MrKoen

                  That stuff with mounting with sftp is already beyond my level of Linux knowledge  :-[ I used simple vi instead and compared my config with yours. Looks very much similar to each other. I noticed you also bravely copy/pasted all the exact description and name fields from Databeestje's tutorial to rule out any chance of error  ;D

                  Also the routing table looks like mine. I did have to add the default IPv6 route manually through the console though. You didn't have to do this?

                  Did you compare your ifconfig gif0 and the ifconfig of your LAN and WAN with my output as seen on the screenshots above? I'm wondering if I'm missing something there.

                  Are you using pfSense 2.0 beta 5? With all the latest updates? I downloaded all the latest checkins directly from the main tree.

                  My setup adds an extra complexity because I'm running pfSense 1.2.3 and pfSense 2.0beta5 virtualized under Microsoft Hyper-V on a Windows 2008 R2 x64 box. I am using the legacy network adapters and as said, when still using Alice ADSL it always worked just fine like this. Also with Alice ADSL I used it behind NAT, though using the Alice Copperjet 1616 as the router to the outside world. Now I'm using my DLink DIR655 wireless gigabit access point as the router to the outside world. This has several firewall options in it and I already turned all of them off to be sure that nothing is blocking the signal. But it has worked even in this setup (1 out of 100 attempts/reboots). I don't know why it doesn't anymore. Frustrating. Last night I even tried hooking the pfSense virtual instance directly to the Ziggo Ubee modem to rule out the chance of the DLink DIR655 causing problems. It didn't work either. I did realise this morning that I recently turned on the firewall at the Windows 2008 R2 host though. I have turned it off again now and it still doesn't work. I could try hooking it up directly to Ziggo again with the Windows firewall being disabled.

                  Could you perhaps compare the settings from your pfSense configuration using the pfSense web GUI? For clarity, my HE tunnel details are:

                  Server IPv4 address: 216.66.84.46
                  Server IPv6 address: 2001:470:1f14:xxx::1/64
                  Client IPv4 address: 217.123.149.xxx (my public Ziggo IPv4 address)
                  Client IPv6 address: 2001:470:1f14:xxx::2/64
                  Routed /64: 2001:470:1f15:xxx::/64

                  And my pfSense config via the web GUI is:

                  Interfaces -> WANIPv6

                  Enable Interface is checked
                  Type: Static IPv6
                  MAC address: empty
                  MTU: empty
                  MSS: empty

                  IPv6 address: 2001:470:1f14:xxx::2/128
                  Gateway: HE_NET - 2001:470:1f14:xxx::1

                  System -> Routing -> Gateways -> HE_NET

                  Interface: WANIPV6
                  Name: HE_NET
                  Gateway: 2001:470:1f14:874::1
                  Default gateway is checked
                  Monitor IP: empty
                  Description: HE.NET gateway

                  Interfaces -> (assign) -> GIF

                  Parent interface: WAN
                  gif remote address: 216.66.84.46
                  gif tunnel local address: 2001:470:1f14:xxx::2
                  gif tunnel remote address: 2001:470:1f14:xxx::1 / 64
                  Route caching is not checked
                  ECN friendly behaviour is not checked
                  Description: HE.net ipv6 tunnel

                  Please double check if I made any mistakes in using the routing block (xxx:1f14:xxx) and the assigned block (xxx:1f15:xxx).

                    iFloris

                    @Koen:

                    That stuff with mounting with sftp is already beyond my level of Linux knowledge

                    Did you compare your ifconfig gif0 and the ifconfig of your LAN and WAN with my output as seen on the screenshots above? I'm wondering if I'm missing something there.

                    Could you perhaps compare the settings from your pfSense configuration using the pfSense web GUI?

                    First a little OT:
                    Mounting with sftp is something I only know how to do because until recently, it was the only way to work directly on a client's ftp-server when building websites. It uses a gui-application called Expandrive, but recently it's become possible in the venerable Transmit as well.

                    I did glance at your output, but I don't know what to look for.
                    As far as I can tell, your output looks pretty much the same as mine.

                    The settings from my pfSense configuration in the GUI are as follows, and very much the same as yours.
                    In fact, the only difference I can see, is the three characters following :1f14:.

                    
                    Interfaces -> WANIPv6
                    
                    Enable Interface is checked
                    Type: Static IPv6
                    MAC address: empty
                    MTU: empty
                    MSS: empty
                    IPv6 address: 2001:470:1f14:xxx::2/128
                    Gateway: HE_NET - 2001:470:xxxx:xxx::1
                    
                    Both private network blocking options checked.
                    
                    System -> Routing -> Gateways -> HE_NET
                    
                    Interface: WANIPV6
                    Name: HE_NET
                    Gateway: 2001:470:xxxx:xxx::1
                    Default gateway is checked
                    Monitor IP: empty
                    Description: HE.NET gateway
                    
                    Interfaces -> (assign) -> GIF
                    
                    Parent interface: WAN
                    gif remote address: 216.66.84.46
                    gif tunnel local address: 2001:470:xxxx:xxx::2
                    gif tunnel remote address: 2001:470:xxxx:xxx::1 / 64
                    Route caching is not checked
                    ECN friendly behaviour is not checked
                    Description: HE.net ipv6 tunnel
                    
                    

                      MrKoen

                      Thanks for checking it out. Strange. What I'm especially interested in when comparing your ifconfig with my ifconfig output is the following:

                      1. Does your GIF0 interface also show: tunnel inet <your Ziggo IPv4> --> 216.66.84.46?
                      2. Does your GIF0 interface show a line starting with inet6 comparable to: inet6 2001:470:1f14:xxx::2 --> 2001:470:1f14:xxx::1 prefixlen 128?
                      3. Does your GIF0 interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
                      4. Does your WAN interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
                      5. Does your LAN interface show an inet6 address from your assigned HE IPv6 block, like: inet6 2001:470:1f15:xxx::1 prefixlen 64?

                        Cino

                        @Koen:

                        Thanks for checking it out. Strange. What I'm especially interested in when comparing your ifconfig with my ifconfig output is the following:

                        1. Does your GIF0 interface also show: tunnel inet <your Ziggo IPv4> --> 216.66.84.46?
                        2. Does your GIF0 interface show a line starting with inet6 comparable to: inet6 2001:470:1f14:xxx::2 --> 2001:470:1f14:xxx::1 prefixlen 128?
                        3. Does your GIF0 interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
                        4. Does your WAN interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
                        5. Does your LAN interface show an inet6 address from your assigned HE IPv6 block, like: inet6 2001:470:1f15:xxx::1 prefixlen 64?

                        I checked mine and I'm Yes to all 5 questions.

                          MrKoen

                          Thanks for your time and help Cino and iFloris. Guess my config is fine and the problem must be found somewhere in my physical setup. I'll do some experiments with it tonight.

                          Cino, is your pfSense 2.0 beta5 installation also directly hooked up to an internet connection so not behind NAT?

                          If anyone knows something else I might check, please do reply to this topic.

                            Cino

                            @Koen:

                            Cino, is your pfSense 2.0 beta5 installation also directly hooked up to an internet connection so not behind NAT?

                            I'm using the latest build from this morning. I'm hooked directly to the internet via my cable modem, public address on my WAN.

                            I'm still having some issues. I'm unable to ping any IPv6 addresses or be pinged but I'm able to browse to IPv6 websites. But I'm able to ping from my clients now after putting in a default route for the IPv6 routing table. I did get a TTL error tho.. I had many issues getting the gateway to take.. If you read back a page or 2 there is a post from me on what I did. I changed the subnet to /64 in my gif0 and WANIPv6 interface so I could add the HE_Net IPv6 address to the gateway then was able to select that gateway under the WANIPv6 interface. Link wouldn't come up until I changed the subnet back to /128 on the gif0/WANIPv6 interface pages. Only other difference I think, I didn't select the HE_Gateway as my default gateway. I left my WAN as my default gateway.

                              databeestje

                              @Koen:

                              The manual databeestje provided at his website must contain an error somewhere. It kind of jumps from the left to the right while missing the step in the middle. For example when configuring the WANIPv6 interface he all of a sudden already has a gateway while adding that is dealt with after configuring the interface. And configuring the gateway gives the address not within range error like others already have reported here. Can't believe it did work for some people. They must have done something different. I'm wondering what.

                              That's true, I mostly slapped it together in a hurry and might have made a mistake here or there or renumbered the pictures wrong.

                              What's also missing is the reboot step at the end after gitsyncing.
                              It's also now possible to configure the updater to apply my git branch when performing a firmware update.

                              I've attempted to fix the subnetmask issue but that didn't work. Perhaps configuring the WANv6 as a /64 might be better.

                              I've just checked in a fix so that it always lies for gif tunnels that it's 126 bits. This way the subnet check is satisfied.

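The subnet check discussed in the posts above, as an added example (not pfSense's or databeestje's code): it shows why a gateway of `::1` is rejected against a `::2/128` interface address and which prefix lengths satisfy the check. The addresses are constructed from the 2001:db8::/32 documentation prefix, and `effective_prefixlen` and `validate_gateway` are hypothetical helpers.

```python
"""Added example: the "gateway inside the interface subnet" check on a
point-to-point tunnel. Not pfSense code; all addresses are constructed
from the 2001:db8::/32 documentation prefix."""
import ipaddress

# Constructed tunnel endpoints, numbered ::2 (client) and ::1 (server)
# the same way as the tunnel addresses quoted in the thread.
LOCAL = "2001:db8:1f14:1::2"
REMOTE = "2001:db8:1f14:1::1"


def gateway_in_subnet(local_addr, prefixlen, gateway):
    """True when `gateway` lies inside the network of local_addr/prefixlen."""
    iface = ipaddress.ip_interface(f"{local_addr}/{prefixlen}")
    return ipaddress.ip_address(gateway) in iface.network


def survey(local_addr, gateway, prefixes=(128, 127, 126, 64)):
    """Run the check for several prefix lengths; returns {prefixlen: bool}."""
    return {p: gateway_in_subnet(local_addr, p, gateway) for p in prefixes}


def effective_prefixlen(ifname, configured):
    """Hypothetical helper for the workaround described above: a gif
    tunnel is always validated as a /126, whatever is configured."""
    return 126 if ifname.startswith("gif") else configured


def validate_gateway(ifname, local_addr, configured, gateway):
    """Subnet check with the gif exception applied."""
    plen = effective_prefixlen(ifname, configured)
    return gateway_in_subnet(local_addr, plen, gateway)


if __name__ == "__main__":
    for plen, ok in survey(LOCAL, REMOTE).items():
        print(f"{LOCAL}/{plen:<3} contains {REMOTE}: {ok}")
    print("gif0 /128 with exception:", validate_gateway("gif0", LOCAL, 128, REMOTE))
    print("de1  /128 strict check  :", validate_gateway("de1", LOCAL, 128, REMOTE))
```

A /127 still fails because `::1` and `::2` sit in different /127 pairs; /126 is the longest prefix that covers both endpoints. A gateway taken from a different /64 is rejected even with the gif exception.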
                                Cino

                                @databeestje:

                                I've attempted to fix the subnetmask issue but that didn't work. Perhaps configuring the WANv6 as a /64 might be better.

                                dhcpdv6 won't start now. Here is the error I'm seeing:

                                Feb 4 07:54:07 	dhcpd: subnet6 /
                                Feb 4 07:54:07 	dhcpd: subnet6 /
                                Feb 4 07:54:07 	dhcpd: /etc/dhcpdv6.conf line 14: Invalid IPv6 address.
                                Feb 4 07:54:07 	dhcpd: /etc/dhcpdv6.conf line 14: Invalid IPv6 address.
                                

                                Going to see if I can manually fix this when I get a chance if I can.. I noticed in the Dhcpv6 Server tab it doesn't give me the full range of the ip scope anymore.

                                Is anyone else having the issue? Or is it just my box..

                                  databeestje

                                  Fixed the compressed subnet back to what it was. DHCPD6 starts again.

                                    Cino

                                    @databeestje:

                                    Fixed the compressed subnet back to what it was. DHCPD6 starts again.

                                    that was quick and confirmed!! Thanks again for all your work on this!!

                                    Quick question. Every reboot, I have to manually enter my IPv4 and IPv6 default gateways. Do you know why this is? I am using another WAN for failover, openvpn site-to-site/road warrior and ipsec.

                                      MrKoen

                                      I just set up a pfSense 2.0 beta 5 bridge instance on my colocated server at LeaseWeb which does have native IPv6. Where it took me days of time to get it to work with pfSense 1.2.3, it only took me about an hour with 2.0 beta 5. Great work pfSense developers!

                                      @Cino:

                                      Quick question. Every reboot, I have to manually enter my IPv4 and IPv6 default gateways. Do you know why this is? I am using another WAN for failover, openvpn site-to-site/road warrior and ipsec.

                                      At my colocated pfSense instance, I too experience this problem. The gateways are still listed in the webGUI, but aren't applied for some reason. I now added them to my manual boot script and all works fine. There's still a bug to be fixed in that though.

                                      Another thing I found is that after applying the smos gitsync thus enabling IPv6 functionality, I can no longer create a static IPv4 route via the webGUI since it only accepts IPv6. Via the console using route -n add it works fine.

                                      @Databeestje, if I can assist you in your great work by providing you with a temporary pfSense 2.0 instance at native IPv6 to test with, please let me know and I'll be happy to create one for you at my colocated server at LeaseWeb.

                                        databeestje

                                        @Cino:

                                        @databeestje:

                                        Fixed the compressed subnet back to what it was. DHCPD6 starts again.

                                        that was quick and confirmed!! Thanks again for all your work on this!!

                                        Quick question. Every reboot, I have to manually enter my IPv4 and IPv6 default gateways. Do you know why this is? I am using another WAN for failover, openvpn site-to-site/road warrior and ipsec.

                                        Did you select both the v4 and v6 gateway as being the default?
                                        That's what I did

                                        @Databeestje, if I can assist you in your great work by providing you with a temporary pfSense 2.0 instance at native IPv6 to test with, please let me know and I'll be happy to create one for you at my colocated server at LeaseWeb.

                                        I have native connectivity at the Xs4all DC so that's not an issue, and my v4 and v6 gateway stay on reboots. Must have been doing something different, I am using the same code.
                                        Do note that the current kernels freeze or hang with ipv6 when building a carp cluster. I am still using an 18th snapshot in the Xs4all DC for my carp cluster there so that failover works.

                                          Cino

                                          @databeestje:

                                          Did you select both the v4 and v6 gateway as being the default?
                                          That's what I did

                                          My box will only let me select 1 gateway as default, see screenshots.

                                          gateway1.jpg
                                          gateway2.jpg

                                            MrKoen

                                            @Cino:

                                            My box will only let me select 1 gateway as default, see screenshots.

                                            For what it's worth, same here.
