Multiple IPV6 Tunnels

mdpugh

Here's something else I'd try. Run something like this on a Windows client and reply with your results:

PS C:\Windows\system32> netsh interface ipv6 show int

Idx Met MTU State Name
–- ---------- ---------- ------------ ---------------------------
1 50 4294967295 connected Loopback Pseudo-Interface 1
16 10 1280 connected Local Area Connection
11 50 1280 disconnected IP6Tunnel
13 50 1280 disconnected isatap.ComPughTerWorx.com
18 10 1280 connected Local Area Connection 2

PS C:\Windows\system32> netsh interface ipv6 show int 18

Interface Local Area Connection 2 Parameters

IfLuid : ethernet_9
IfIndex : 18
State : connected
Metric : 10
Link MTU : 1280 bytes
Reachable Time : 34500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : enabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 64
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled

PS C:\Windows\system32>

joe_cowboy

I am I am running BIND97 package Name Server/DNS. So far it will resolve any IPv6 address and Name using nslookup. Even the local IPv6 address: www6.pfsense.localdoamin or ipv6.pfsense.localdomain. What I put in my zone records.

C:\Windows\system32> netsh interface ipv6 show int

Idx Met MTU State Name
–- ---------- ---------- ------------ ---------------------------
1 50 4294967295 connected Loopback Pseudo-Interface 1
13 64 1500 connected Wireless Network Connection
14 50 1280 disconnected isatap.local
15 5 1500 disconnected Wireless Network Connection 2
12 50 1280 connected Teredo Tunneling Pseudo-Interface
17 50 1280 disconnected isatap.{17833B82-C5E9-4494-B44F-48984733BA06}
19 50 1280 disconnected isatap.{063A2798-F022-487E-A745-DD0A1BDE0E62}

C:\Windows\system32> netsh interface ipv6 show int 13

joe_cowboy

Wire Shark Capture:

12 0.699003 fe80::aac9:adff:fe39:dfb ff02::1 ICMPv6 166 Router Advertisement from aa:c9:ad:39:0d:fb

Frame 12: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits)
Ethernet II, Src: aa:c9:ad:39:0d:fb (aa:c9:ad:39:0d:fb), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::aac9:adff:fe39:dfb (fe80::aac9:adff:fe39:dfb), Dst: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: Router Advertisement (134)
Code: 0
Checksum: 0xec6d [correct]
Cur hop limit: 64
Flags: 0xc0
1… .... = Managed address configuration: Set
.1.. .... = Other configuration: Set
..0. .... = Home Agent: Not set
...0 0... = Prf (Default Router Preference): Medium (0)
.... .0.. = Proxy: Not set
.... ..0. = Reserved: 0
Router lifetime (s): 1800
Reachable time (ms): 0
Retrans timer (ms): 0
ICMPv6 Option (Source link-layer address : aa:c9:ad:39:0d:fb)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: aa:c9:ad:39:0d:fb (aa:c9:ad:39:0d:fb)
ICMPv6 Option (Prefix information : 2001:470:2d8f:2::/64)
Type: Prefix information (3)
Length: 4 (32 bytes)
Prefix Length: 64
Flag: 0xc0
1... .... = On-link flag(L): Set
.1.. .... = Autonomous address-configuration flag(A): Set
..0. .... = Router address flag(R): Not set
...0 0000 = Reserved: 0
Valid Lifetime: 2592000
Preferred Lifetime: 604800
Reserved
Prefix: 2001:470:2d8f:2:: (2001:470:2d8f:2::)
ICMPv6 Option (Recursive DNS Server 2001:470:2d8f:2::1)
Type: Recursive DNS Server (25)
Length: 3 (24 bytes)
Reserved
Lifetime: 900
Recursive DNS Servers: 2001:470:2d8f:2::1 (2001:470:2d8f:2::1)
ICMPv6 Option (DNS Search List Option pfSense.localdomain)
Type: DNS Search List Option (31)
Length: 4 (32 bytes)
Reserved
Lifetime: 900
Domain Names: pfSense.localdomain
Padding

mdpugh

These seem correct at first glance. Have you captured any of the DHCPv6 messages?

joe_cowboy

What kind of messages do you want? What are you wanting me to capture with WireShark?

Thanks again…

mdpugh

Start with a DHCPv6 Solicit and its accompanying DHCPv6 Advertisement. That's probably enough to see what's happening (or not).

mdpugh

On a Windows client type ipconfig /release6 in a Powershell (or command prompt) window. The start Wireshark capturing on an interface that will request an IPv6 address from pfSense. Return to Powershell and type ipconfig /renew6. Stop capture and examine the DHCPv6 messages between machines. Post here if you like or send me the capture file.

mdpugh

Are you positive that the client is getting the IPv6 address from the server? The client you ran ipconfig on should have an address ending in :ebcf provided you haven't released it since running Wireshark. Here is what I'm not seeing: DHCPv6 Request and DHCPv6 Reply. The fact that an Advertise message appears in response to each Solicit proves that your server is hearing your client. The client is then supposed to respond to the Advertise with a Request and, finally, the server answers with a Reply. The absence of the Request indicates to me that your client isn't responding (or responding properly) to the server. But if the client is getting an IPv6 address from the server, then we have a more complicated scenario because it's responding to the Advertise only in part. I'll have to do some digging to see at what point in the message/response sequence the client commits to the address. There is enough information in the Advertise for the client to extract the offered address, but there is also enough for it to get the DNS server address, so why one and not the other? No matter what, though, the client should be sending a Request and it isn't.

joe_cowboy

This is happening to all clients on the network even on LAN. The Wireshark output I sent you was on WLAN.

Thanks again for looking at the Wireshark data.

-Joe Cowboy

mdpugh

Get the client in an identical state to what it was in immediately after the Wireshark capture you sent me (the corrected one). Then run ipconfig /all and netsh interface ipv6 show int where <int#>is the interface that just obtained the IPv6 address from pfSense. You can post the results here, obfuscate addresses if desired, or e-mail them to me. The second Wireshark capture looks like this should be working.</int#>

joe_cowboy

Thank you for all your extensive help mdpugh. Figured out the major foobar from you help…. I had for the interface Bridge the wrong IPv6 address: I didn't have the proper Routed IPv6 Prefixes range of address. So that issue is fixed now. I can get to IPv6 websites now. So the DHCPv6 now hands out the correct Routed IPv6 Prefixes range and also the DNS server IPv6 address but still not the GATWAY IPv6 address. That is still a work on progress from the pfSense team getting that to work.

However the other issue is still happening with the other two tunnels I have set up. The Gateways still show Offline.

-Joe Cowboy

mdpugh

As I understand it, the current specification dictates that the router hand out only its link-local address in the RA (not counting a link-local CARP address, I suppose ;D) and that DHCPv6 not distribute any gateway address. I don't know if providing additional functionality violates the specification per se, but the spec doesn't call for it, and it shouldn't be counted upon. Is that correct? Or would it be outright nonconformance?

joe_cowboy

Has anybody tried setting up two or more HE.net tunnels on their pfSense router with multiple WAN interfaces? Where each WAN has it's own tunnel? If so does your TUNNNEL GATEWAY that is not associated with the main WAN interface show Oneline. Why I say that WAN1 and WAN2 Tunnels show offline. I have deleted the tunnels multiple times and recreating them.

Another thought if you group them aka loadbalance these tunnels would you have to manually add a IPv6 address to the interface the DHCPv6 server sits on "Routed /64" subnet from HE.net tunnel. Then also statically add an IPv6 address on your client machines from each of the "Routed /64" subnet tunnels?

Thanks for your help.

mdpugh

What are your pfSense configurations for all three tunnel interfaces? Show IPv6 address, IPv6 gateway, IPv4 endpoints, etc.

yon

Me too. I have setup Second ipv6 tunnel via Second WAN, but it is show offline. :(

yon

I find once creat second ipv6 tunnel in interface,then all ipv6 tunnel link will offline.

jimp

I've got two tunnels, one on each WAN. Both are online, and thanks to NPt and some gateway groups, I have working IPv6 multi-wan. Not sure why others might be having issues, but the same things apply as usual.

1. Make sure you have a distinct tunnel endpoint for each tunnel. For example, one to Chicago, one to Dallas, one to NY, etc. Don't use the same HE.net endpoint for more than one.
2. Make sure all your WANs allow ICMP from the endpoints
3. Perhaps add a static route to the remote endpoint node to make sure they use the proper WAN

yon

@jimp:

I've got two tunnels, one on each WAN. Both are online, and thanks to NPt and some gateway groups, I have working IPv6 multi-wan. Not sure why others might be having issues, but the same things apply as usual.

1. Make sure you have a distinct tunnel endpoint for each tunnel. For example, one to Chicago, one to Dallas, one to NY, etc. Don't use the same HE.net endpoint for more than one.
2. Make sure all your WANs allow ICMP from the endpoints
3. Perhaps add a static route to the remote endpoint node to make sure they use the proper WAN

I have check its like you said.

1. I am sure. and success creat tunnel in tunnelbroker.net.

2. I think should had do allow ICMP from the endpoints. because tunnelbroker.net endpoint has update.

3. whats add route ?

20120329043720.jpg_thumb

jimp

System > Routing, Routes tab. Add a route for the endpoint IP, pick the WAN you have it attached to, save/apply, repeat for the other endpoints.

yon

@jimp:

System > Routing, Routes tab. Add a route for the endpoint IP, pick the WAN you have it attached to, save/apply, repeat for the other endpoints.

thank you jimp . :-* now it seem is online.

it is should write in your wiki doc. I have no find about this.

then How I do will second ipv6 subnet address add in LAN？ LAN only can an ipv6 address ?

Multiple IPV6 Tunnels

Interface Local Area Connection 2 Parameters

Interface Wireless Network Connection Parameters