IPv6 testing
-
Quick question, under System: Advanced: Networking: IPv6 Options, do we need to have 'Allow IPv6' checked? I noticed when its check, I see local-link IPv6 addresses are being blocked by my LAN rule(Allow LAN Subnet only). When its unchecked, I dont see them being blocked.
-
I just committed a filter rule fix for a typo.
That setting should be checked to have any hope of getting somthing ipv6 through pfsense. If it is unchecked all ipv6 traffic will be blocked without being logged
-
Is it correct that with the smos IPv6 getsync, static routes al only possible with ipv6 routes?
I'm trying to add a ipv4 static route and it is not working, it stays blank.Maybe for the buglist?
thnx.
-
Well, I figured it was broken. But Apple OS X does not have a dhcp v6 client. So testing that is … awkward.
OSX does have a dhcp v6 client, right? When I go into the advanced options in the interface settings, there's a spot for ipv6. Or, is it something else you were talking about?
-
Is it correct that with the smos IPv6 getsync, static routes al only possible with ipv6 routes?
I'm trying to add a ipv4 static route and it is not working, it stays blank.Maybe for the buglist?
thnx.
Found and fixed
-
Is it correct that with the smos IPv6 getsync, static routes al only possible with ipv6 routes?
I'm trying to add a ipv4 static route and it is not working, it stays blank.Maybe for the buglist?
thnx.
Found and fixed
confirmed fixed! Thanks!
-
Is it normal to see link-local addresses in the dhcp log? I don't think i noticed it before but I just had a major issue after a git sync an hour ago. The DHCPd service hang while it was trying to read the /var/dhcpd/var/db/dhcpd6.leases file. I deleted the file and that seem to fix the issue.
If i change my LAN firewall rule to LAN subnet only from any any, I don't see the dhcp messages anymore but now they end up in the firewall log.
Thinking of blocking fe80:: on the LAN so I dont see it in the firewall log but I dont want to break autoconfig of ipv6(not sure if it would or not)
dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:14:16 dhcpd: Unable to pick client address: no addresses available Feb 10 14:14:16 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:44 dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:13:44 dhcpd: Unable to pick client address: no addresses available Feb 10 14:13:44 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:36 dhcpd: DHCPACK to 192.168.0.104 (00:1e:c9:2f:a0:fe) via em0 Feb 10 14:13:36 dhcpd: DHCPINFORM from 192.168.0.104 via em0 Feb 10 14:13:28 dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:13:28 dhcpd: Unable to pick client address: no addresses available Feb 10 14:13:28 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:20 dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:13:20 dhcpd: Unable to pick client address: no addresses available Feb 10 14:13:20 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:16 dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:13:16 dhcpd: Unable to pick client address: no addresses available Feb 10 14:13:16 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:14 dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:13:14 dhcpd: Unable to pick client address: no addresses available Feb 10 14:13:14 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:13 dhcpd: Sending Advertise to fe80::51f3:b81e:bcf1:6fb5 port 546 Feb 10 14:13:13 dhcpd: Unable to pick client address: no addresses available Feb 10 14:13:13 dhcpd: Solicit message from fe80::51f3:b81e:bcf1:6fb5 port 546, transaction ID 0x12F3B600 Feb 10 14:13:13 dhcpd: DHCPACK on 192.168.0.104 to 00:1e:c9:2f:a0:fe (dellbox-win7) via em0 Feb 10 14:13:13 dhcpd: DHCPREQUEST for 192.168.0.104 from 00:1e:c9:2f:a0:fe (dellbox-win7) via em0 Feb 10 14:11:37 dhcpd: Sending on Socket/14/em0/2001:470:XXXX:XXXX::/64 Feb 10 14:11:37 dhcpd: Listening on Socket/14/em0/2001:470:XXXX:XXXX::/64
-
without link local addresses you can not connect to the dhcp server. What is most likely here is that I am missing a rule that allows access to the dhcp server.
Thanks for testing. I'll go build a dhcp6 leases status page and a diag_ndp.php page for neighbour listings. It is now included in the snapshots and can be run from the command page with ndp -a.
-
without link local addresses you can not connect to the dhcp server. What is most likely here is that I am missing a rule that allows access to the dhcp server.
Thanks for testing. I'll go build a dhcp6 leases status page and a diag_ndp.php page for neighbour listings. It is now included in the snapshots and can be run from the command page with ndp -a.
Thank you for building this into pfsense!!! As you build it, we will test it :-)
-
I just committed a filter rule fix for a typo.
That setting should be checked to have any hope of getting somthing ipv6 through pfsense. If it is unchecked all ipv6 traffic will be blocked without being logged
Well this is great I did a fresh install onto my test system synced with the IPV6 git right away and setup my ISP's Native service only took bout 2 hours lol. I did have to change/add a line in interface.inc file as well need to find a place to have it auto run a route command when the connection comes up.
-
Catching back up since you fixed the issues with IPv6 patches working on BETA5…..
I have set the interfaces back up but i get the lovely oddball of the WANIPv6 address showing up in the config screen for the interface but not actually being applied to said interface. If i ping the address from the console on the pfSense box itself i get "ping6: UDP connect: no route to host" and as such cannot get any IPv6 traffic to egress thru the firewall. Internally I am getting DHCPv6 leases and can connect to the LANs IPv6 address just fine.
-
Catching back up since you fixed the issues with IPv6 patches working on BETA5…..
I have set the interfaces back up but i get the lovely oddball of the WANIPv6 address showing up in the config screen for the interface but not actually being applied to said interface. If i ping the address from the console on the pfSense box itself i get "ping6: UDP connect: no route to host" and as such cannot get any IPv6 traffic to egress thru the firewall. Internally I am getting DHCPv6 leases and can connect to the LANs IPv6 address just fine.
Not totally sure where it goes wrong here, but usually in my setup if the default route is gone, I go to System –> Routing --> Edit your IPv6 gateway --> Don't change anything --> Click Save --> Click apply changes and try again. This usually puts the default route back in. Can't really define yet where and why it gets lost.
I'm now using a /48 IPv6 block from Hurricane Electric so I can have pfSense 2.0b5 assign a different IPv6 /64 block to my wifi connected NIC and a different /64 block to my normal LAN. Both my wifi connected devices and my lan connected devices are able to communicate using IPv6 to the internet and towards each other now. Works like a shiny christal ball. Absolutely amazing stuff.
By the way, the captive portal stuff does not work yet in 2.0b5. I'm getting this error when enabling it:
php: /status_services.php: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal.conf' returned exit code '255', the output was '2011-02-11 00:08:44: (configfile.c.912) source: /var/etc/lighty-CaptivePortal.conf line: 186 pos: 1 parser failed somehow near here: (EOL)'
Not sure if it's related to this gitsync and/or IPv6 and if I can and should report it somewhere. Does anybody know?
-
its not the route that's missing, I cant hit the IPv6 address of the interface at all even from the firewall.
EDIT: never mind. had wrong subnet in place. I can ping out as far as the gateway for that interface from inside, cant go farther than that though for some reason. still digging thru configs
EDIT2: that problem was related to resaving the default gateway on the interface. 5x5 on connectivity now on IPv6
-
By the way, the captive portal stuff does not work yet in 2.0b5. I'm getting this error when enabling it:
php: /status_services.php: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal.conf' returned exit code '255', the output was '2011-02-11 00:08:44: (configfile.c.912) source: /var/etc/lighty-CaptivePortal.conf line: 186 pos: 1 parser failed somehow near here: (EOL)'
Not sure if it's related to this gitsync and/or IPv6 and if I can and should report it somewhere. Does anybody know?
I have not touched captive portal at all, so that likely won't work. I'll see if I can somehow duplicate the static route issue. I'll try and setup a new vm and see where that goes.
@Daboom: what needed changing in interface.inc? The routing issue is known. Oh crap, I just rememberd something about the route. I'll go investigate that likely cause.
-
I needed to add the line "set bundle enable ipv6cp" somewhere in the mpd5 config in order to allow it to accept ipv6cp config from my ISP. Now I have no idea where to stick it so I put it under something else that is commonly used. I wonder if you could get away with just putting that line in there anyways and it shouldn't bother anything else during the pppoe setup so it's always enabled kinda thing. If not you would have to make a special option for it in the pppoe section as a optional option. Also the route issue I am not sure if there is one specific for ipv6 in the config for mpd5.
By the way, the captive portal stuff does not work yet in 2.0b5. I'm getting this error when enabling it:
php: /status_services.php: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-CaptivePortal.conf' returned exit code '255', the output was '2011-02-11 00:08:44: (configfile.c.912) source: /var/etc/lighty-CaptivePortal.conf line: 186 pos: 1 parser failed somehow near here: (EOL)'
Not sure if it's related to this gitsync and/or IPv6 and if I can and should report it somewhere. Does anybody know?
I have not touched captive portal at all, so that likely won't work. I'll see if I can somehow duplicate the static route issue. I'll try and setup a new vm and see where that goes.
@Daboom: what needed changing in interface.inc? The routing issue is known. Oh crap, I just rememberd something about the route. I'll go investigate that likely cause.
-
I just added that line to the mpd5 config section so that is now in the tree, we'll know soon enough if it breaks anything else. Checking the default route issue next.
-
Another question for who might be able to answer it. My traffic logs are now flooded with local LAN IPv6 traffic. Check the attached screenshot. I wonder why. If I do a trace on any of these machines towards the other (which are both on the same physical network and within the same /64 block), it always reaches it directly and not via the pfSense gateway. How come this pfSense gateway does pick up the packet from the LAN anyway and list it as being blocked in the logs?
-
@Databeestje, another one for the todo list I'm assuming anyway. The interface statistics do not count the IPv6 traffic. The traffic graph does display the traffic though. Check the screenshot.
By the way, does it help you if I (we) report IPv6 issues with pfSense 2.0b5 to you via this forum or is your todo list big enough already and you don't want any more issues on the list? :)
-
Another question for who might be able to answer it. My traffic logs are now flooded with local LAN IPv6 traffic. Check the attached screenshot. I wonder why. If I do a trace on any of these machines towards the other (which are both on the same physical network and within the same /64 block), it always reaches it directly and not via the pfSense gateway. How come this pfSense gateway does pick up the packet from the LAN anyway and list it as being blocked in the logs?
Koen, I think that the blocks that you are seeing, are states that have expired.
The same can be seen in v4 after you have, for instance, logged into dropbox with your browser and then closed your browser window.
As far as I know, it's harmless and expected behaviour, but correct me if I'm wrong! -
Sry for the partial uninteresting post, but i just registered and will test this IPv6 "support" out tonight (first time using pfSense, currently running dd-wrt on a 610N).
My ISP suports IPv6 (Databeesje will know it, UNET) and i've filled a subnet request for a /56 (hopefully it arrives today).
Anyway, i was wondering if IPv6 "support" works with 1:1 NAT ?
Currently i have a PPPoE setup where my IPv4 subnet (/28) is routed over (with use of a helper IP outside of that subnet, so that ip terminates at the WAN port of pfSense) i want to route both IPv4 and IPv6 on OPT1 by something like 1:1 NAT (so pfSense is the only one that has firewall rules, getting sick of DMZ and having to adjust the rules by going into the servers themself and adjust the IP tables).
Thnx alot, and GJ on the support / development on IPv6, i wish more router / firewall distributions were doing this, currently its still a not supported feature on a lot of distributions.
PPS, i think i will be lurking a bit longer, first have to install / test pfSense, cant use it with IPv6 untill its integrated into my current setup, but still ^^,