IPv6 testing
-
That stuff with mounting with sftp is already beyond my level of Linux knowledge.
Did you compare your ifconfig gif0 and the ifconfig of your LAN and WAN with my output as seen on the screenshots above? I'm wondering if I'm missing something there.
Could you perhaps compare the settings from your pfSense configuration using the pfSense web GUI?
First a little OT:
Mounting with sftp is something I only know how to do because until recently, it was the only way to work directly on a client's ftp-server when building websites. It uses a gui-application called Expandrive, but recently it's become possible in the venerable Transmit as well.
I did glance at your output, but I don't know what to look for.
As far as I can tell, your output looks pretty much the same as mine.
The settings from my pfSense configuration in the GUI are as follows, and very much the same as yours.
In fact, the only difference I can see is the three characters following :1f14:.

Interfaces -> WANIPv6
Enable Interface is checked
Type: Static IPv6
MAC address: empty
MTU: empty
MSS: empty
IPv6 address: 2001:470:1f14:xxx::2/128
Gateway: HE_NET - 2001:470:xxxx:xxx::1
Both private network blocking options checked.

System -> Routing -> Gateways -> HE_NET
Interface: WANIPV6
Name: HE_NET
Gateway: 2001:470:xxxx:xxx::1
Default gateway is checked
Monitor IP: empty
Description: HE.NET gateway

Interfaces -> (assign) -> GIF
Parent interface: WAN
gif remote address: 216.66.84.46
gif tunnel local address: 2001:470:xxxx:xxx::2
gif tunnel remote address: 2001:470:xxxx:xxx::1 / 64
Route caching is not checked
ECN friendly behaviour is not checked
Description: HE.net ipv6 tunnel
-
Thanks for checking it out. Strange. What I'm especially interested in when comparing your ifconfig with my ifconfig output is the following:
1. Does your GIF0 interface also show: tunnel inet <your Ziggo IPv4> --> 216.66.84.46?
2. Does your GIF0 interface show a line starting with inet6 comparable to: inet6 2001:470:1f14:xxx::2 --> 2001:470:1f14:xxx::1 prefixlen 128?
3. Does your GIF0 interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
4. Does your WAN interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
5. Does your LAN interface show an inet6 address from your assigned HE IPv6 block, like: inet6 2001:470:1f15:xxx::1 prefixlen 64?
-
Thanks for checking it out. Strange. What I'm especially interested in when comparing your ifconfig with my ifconfig output is the following:
1. Does your GIF0 interface also show: tunnel inet <your Ziggo IPv4> --> 216.66.84.46?
2. Does your GIF0 interface show a line starting with inet6 comparable to: inet6 2001:470:1f14:xxx::2 --> 2001:470:1f14:xxx::1 prefixlen 128?
3. Does your GIF0 interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
4. Does your WAN interface only show an inet6 address starting with fe80:: or in other words the MAC based auto generated address and no other IPv6 address?
5. Does your LAN interface show an inet6 address from your assigned HE IPv6 block, like: inet6 2001:470:1f15:xxx::1 prefixlen 64?
I checked mine and I'm Yes to all 5 questions
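
The five ifconfig checks asked about above, written as a script; this is an added example, not part of any poster's message and not pfSense code. It reads FreeBSD-style `ifconfig` output on stdin and prints the numbers of the checks that fail. Assumptions: the interface names `em0`/`em1`, the `2001:db8:` and `192.0.2.10` addresses in the constructed sample, and reading check 3 as "no inet6 address on gif0 besides the point-to-point line and fe80::".

```shell
#!/bin/sh
# failed_checks WAN_IF LAN_IF HE_SERVER_V4 ROUTED_PREFIX < ifconfig-output
# Prints the numbers (1-5) of the thread's checks that fail; empty if all pass.
failed_checks() {
  awk -v wan="$1" -v lan="$2" -v he="$3" -v routed="$4" '
    /^[a-z]/ { ifc = $1; sub(/:$/, "", ifc) }   # "gif0: flags=..." opens a block
    # 1: gif0 tunnel endpoint is the HE server
    ifc == "gif0" && $1 == "tunnel" && $2 == "inet" && $4 == "-->" && $5 == he { ok[1] = 1 }
    $1 == "inet6" {
      ll = ($2 ~ /^fe80:/)                      # link-local address
      if (ifc == "gif0") {
        # 2: point-to-point inet6 line with prefixlen 128
        if ($3 == "-->" && $5 == "prefixlen" && $6 == 128) ok[2] = 1
        else if (ll) gif_ll = 1
        else gif_extra = 1
      }
      if (ifc == wan) { if (ll) wan_ll = 1; else wan_extra = 1 }
      # 5: LAN carries a /64 address from the routed block
      if (ifc == lan && index($2, routed) == 1 && $3 == "prefixlen" && $4 == 64) ok[5] = 1
    }
    END {
      ok[3] = gif_ll && !gif_extra              # 3: nothing else on gif0 but fe80::
      ok[4] = wan_ll && !wan_extra              # 4: WAN has only fe80::
      out = ""
      for (i = 1; i <= 5; i++) if (!ok[i]) out = out (out == "" ? "" : " ") i
      print out
    }'
}

# Constructed sample in FreeBSD ifconfig layout (documentation addresses).
sample() {
  cat <<'EOF'
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
    inet6 fe80::200:5eff:fe00:5301%em0 prefixlen 64 scopeid 0x1
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::200:5eff:fe00:5302%em1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:1f15:1::1 prefixlen 64
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
    tunnel inet 192.0.2.10 --> 216.66.84.46
    inet6 2001:db8:1f14:1::2 --> 2001:db8:1f14:1::1 prefixlen 128
    inet6 fe80::200:5eff:fe00:5301%gif0 prefixlen 64 scopeid 0x5
EOF
}

echo "failed checks: $(sample | failed_checks em0 em1 216.66.84.46 2001:db8:1f15:)"
```

On a live box, pipe the real output in: `ifconfig | failed_checks <wan> <lan> 216.66.84.46 <your routed /64 prefix>`.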
-
Thanks for your time and help Cino and iFloris. Guess my config is fine and the problem must be found somewhere in my physical setup. I'll do some experiments with it tonight.
Cino, is your pfSense 2.0 beta5 installation also directly hooked up to an internet connection so not behind NAT?
If anyone knows something else I might check, please do reply to this topic.
-
Cino, is your pfSense 2.0 beta5 installation also directly hooked up to an internet connection so not behind NAT?
I'm using the latest build from this morning. I'm hooked directly to the internet via my cable modem, public address on my WAN.
I'm still having some issues. I'm unable to ping any IPv6 addresses or be pinged but I'm able to browse to IPv6 websites. But I'm able to ping from my clients now after putting in a default route for the IPv6 routing table. I did get a TTL error tho.. I had many issues getting the gateway to take.. If you read back a page or 2 there is a post from me on what I did. I changed the subnet to /64 in my gif0 and WANIPv6 interface so I could add the HE_Net IPv6 address to the gateway, then was able to select that gateway under the WANIPv6 interface. Link wouldn't come up until I changed the subnet back to /128 on the gif0/WANIPv6 interface pages. Only other difference I think, I didn't select the HE_Gateway as my default gateway. I left my WAN as my default gateway.
-
The manual databeestje provided at his website must contain an error somewhere. It kind of jumps from the left to the right with missing the step in the middle. For example when configuring the WANIPv6 interface he all of a sudden already has a gateway while adding that is dealt with after configuring the interface. And configuring the gateway gives the address not within range error like others already have reported here. Can't believe it did work for some people. They must have done something different. I'm wondering what.
That's true, I mostly slapped it together in a hurry and might have made a mistake here or there or renumbered the pictures wrong.
What's also missing is the reboot step at the end after gitsyncing.
It's also now possible to configure the updater to apply my git branch when performing a firmware update.
I've attempted to fix the subnetmask issue but that didn't work. Perhaps configuring the WANv6 as a /64 might be better.
I've just checked in a fix so that it always lies for gif tunnels that it's 126 bits. This way the subnet check is satisfied.
-
I've attempted to fix the subnetmask issue but that didn't work. Perhaps configuring the WANv6 as a /64 might be better.
dhcpdv6 won't start now. Here is the error I'm seeing:
Feb 4 07:54:07 dhcpd: subnet6 /
Feb 4 07:54:07 dhcpd: subnet6 /
Feb 4 07:54:07 dhcpd: /etc/dhcpdv6.conf line 14: Invalid IPv6 address.
Feb 4 07:54:07 dhcpd: /etc/dhcpdv6.conf line 14: Invalid IPv6 address.
Going to see if I can manually fix this when I get a chance if I can.. I noticed in the Dhcpv6 Server tab it doesn't give me the full range of the ip scope anymore.
Is anyone else having the issue? Or is it just my box..
-
Fixed the compressed subnet back to what it was. DHCPD6 starts again.
-
Fixed the compressed subnet back to what it was. DHCPD6 starts again.
that was quick and confirmed!! Thanks again for all your work on this!!
Quick question. Every reboot, I have to manually enter my IPv4 and IPv6 default gateways. Do you know why this is? I am using another WAN for failover, openvpn site-to-site/road warrior and ipsec.
-
I just set up a pfSense 2.0 beta 5 bridge instance on my colocated server at LeaseWeb which does have native IPv6. Where it took me days of time to get it to work with pfSense 1.2.3, it only took me about an hour with 2.0 beta 5. Great work pfSense developers!
Quick question. Every reboot, I have to manually enter my IPv4 and IPv6 default gateways. Do you know why this is? I am using another WAN for failover, openvpn site-to-site/road warrior and ipsec.
At my colocated pfSense instance, I too experience this problem. The gateways are still listed in the webGUI, but aren't applied for some reason. I now added them to my manual boot script and all works fine. There's still a bug to be fixed in that though.
Another thing I found is that after applying the smos gitsync thus enabling IPv6 functionality, I can no longer create a static IPv4 route via the webGUI since it only accepts IPv6. Via the console using route -n add it works fine.
@Databeestje, if I can assist you in your great work by providing you with a temporary pfSense 2.0 instance at native IPv6 to test with, please let me know and I'll be happy to create one for you at my colocated server at LeaseWeb.
-
Fixed the compressed subnet back to what it was. DHCPD6 starts again.
that was quick and confirmed!! Thanks again for all your work on this!!
Quick question. Every reboot, I have to manually enter my IPv4 and IPv6 default gateways. Do you know why this is? I am using another WAN for failover, openvpn site-to-site/road warrior and ipsec.
Did you select both the v4 and v6 gateway as being the default?
That's what I did
@Databeestje, if I can assist you in your great work by providing you with a temporary pfSense 2.0 instance at native IPv6 to test with, please let me know and I'll be happy to create one for you at my colocated server at LeaseWeb.
I have native connectivity at the Xs4all DC so that's not an issue, and my v4 and v6 gateway stay on reboots. Must have been doing something different, I am using the same code.
Do note that the current kernels freeze or hang with ipv6 when building a carp cluster. I am still using a 18th snapshot in the Xs4all DC for my carp cluster there so that failover works.
-
Did you select both the v4 and v6 gateway as being the default?
That's what I did
My box will only let me select 1 gateway as default, see screenshots.
-
My box will only let me select 1 gateway as default, see screenshots.
For what it's worth, same here.
-
My box will only let me select 1 gateway as default, see screenshots.
For what it's worth, same here.
Perhaps we are looking in the wrong place.
Just like both of you have stated, my pfSense reports only one default gateway, even though I manually set the <defaultgw> for both gateways in config.xml.
Even so, routing works fine on my setup.
This afternoon I updated to the latest version, which also gitsync'd correctly.
No issues as far as I can tell.
-
I added <defaultgw> to my WANIPv6 interface via the config.xml and rebooted.. That did the trick!! Under gateways, both interfaces say (Default). I'm able to ping to the IPv6 world from my pfsense box and my clients. I'm also able to be pinged by subnetonline.com. I did try to block pinging via the firewall rules but that didn't work…
Using the tools at http://www.subnetonline.com/ I'm able to see the pfsense is blocking their traceroute tool :-) You're also able to scan a port from their website...
-
I still need to add code that correctly sets a single default gateway tag for single address family. e.g. One for v4 and one for v6.
So yes, I think my broken config I've been developing on is to blame here. Because I have a dhcp wan, and my he.net is set as the default it just happens to work the way it should.
On the fix list it is.
Note that you can not disable icmp6, it is required for operation of ipv6. You can't block it and I made sure of that. I can remove the icmp request type from the allow list, but other than that one I can not delete the other icmp6 allow rules.
icmp6 largely replaces arp. Do note, however, that ping from the internet to behind the firewall doesn't actually respond. It is specifically the firewall itself you can not block.
See filter.inc and search for icmp6 and echoreq or 128
Edit: I've removed icmp6 echo requests and replies from filter.inc in current code.
If you have a static config you can now set a default gateway for IPv6 and IPv4.
Below are screenshots from gateways config.
-
Thanks for the default gateway bit Databeestje.
Pretty awesome that CMB and Sullrich are now also committing to your repository.
And is the IPv6 build that SimonCPU is working on also going to be merged with your build or vice versa?
-
The SimonCPU build is out of date, it was started, then promptly stopped shortly after. It's just a lot of work, and doing this thing on your own is a bit hard.
I helped Scott load my IPv6 branch on his firewall last night, a gitsync and a firmware update later he had addressing going. This prompted him to make the tinydns package IPv6 capable last night.
So in just a few hours' time he both coded the support for IPv6 in the tinydns package and installed and enabled his own domain/webserver with an IPv6 address and published it. From zero to go in 4 hours.
The whole IPv6 scare mongering that it is going to cost the world trillions and that it's undoable is slightly overrated.
-
I remember reading that icmp6 replaces arp a while back but forgot.. It's time to study up on IPv6 and having a working tunnel helps a lot in the learning process.
Thanks again for all your work!!
Edit: ICMP6 Echo Request are denied by default. Played with some rules to allow the WAN and LAN address but not the clients. Works great!!
-
Nice this is great progress. Nice to see the gateway thing fixed. Now one question I see in monowall they have ipv6 enabled up the cahoot! My current ISP has Native IPV6 using a dual stack setup and pppoe thus… needing a simple couple commands added to the mpd5 default config. which I have enabled on another test box and it still seems to be missing something I am thinking it's missing the default ipv6 route perhaps?
Anyways not sure if you're able to add this to a future release of your sync but maybe telling mpd5 to listen for ipcp6 requests and set the default route for it. I've gotten the one command line but not sure about the other.