More pfsense <-> hurricane IPV6 tunelling screwiness
-
After carefully following the instructions at http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker and much further screwing around I've finally got IPV6 tunelling working… well sort of!
Get this! After a reboot I get no IPV6 connectivity. From an SSH shell:
[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(1): ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:xxxx:xxxx:2::1 –> 2607:f8b0:4002:c03::68
^C
--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 0 packets received, 100.0% packet lossBut… If I go to Interfaces->(assign), select the GIF tab, edit the gif interface but don't change anything, then Save. All of a sudden IPV6 tunelling starts working!!!
[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(2): ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:xxxx:xxxx::2 –> 2607:f8b0:4002:c03::68
16 bytes from 2607:f8b0:4002:c03::68, icmp_seq=0 hlim=57 time=43.149 ms
16 bytes from 2607:f8b0:4002:c03::68, icmp_seq=1 hlim=57 time=41.297 ms
16 bytes from 2607:f8b0:4002:c03::68, icmp_seq=2 hlim=57 time=42.039 ms
16 bytes from 2607:f8b0:4002:c03::68, icmp_seq=3 hlim=57 time=40.521 ms
^C
--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 40.521/41.752/43.149/0.969 msI can reproduce this behavior at will, in fact it happens every reboot.
Something tells me that I shouldn't need to re-save the GIF entry at every boot. What information can I provide or how would I proceed to help solve this problem?
2.1-BETA1 (i386)
built on Tue Mar 5 14:57:15 EST 2013 -
Can you show your interface section of config.xml?
together with the gif section please -
"ifconfig -a" when broken and working would also help to see.
-
The only significant difference I see between before and after is that before the GIF setting is saved (immediately after reboot) the ipv6 default route is incorrectly assigned to em1 (the LAN interface), after saving the gif the default route is correctly assigned to gif0.
Ok, here it is. First the requested config.xml stuff:
**<pfsense><interfaces><wan><enable><if>em0</if>
<ipaddr>dhcp</ipaddr>
<dhcphostname><alias-address><alias-subnet>32</alias-subnet>
<spoofmac></spoofmac></alias-address></dhcphostname></enable></wan>
<lan><enable><if>em1</if><blockbogons><spoofmac><ipaddr>192.168.0.1</ipaddr>
<subnet>22</subnet>
<ipaddrv6>2001:470:xxxx:yyyy:2::1</ipaddrv6>
<subnetv6>64</subnetv6></spoofmac></blockbogons></enable></lan>
<opt1><if>gif0</if>
<enable><spoofmac><ipaddrv6>2001:470:xxxx:yyyy::2</ipaddrv6>
<subnetv6>64</subnetv6>
<gatewayv6>HENETV6GW</gatewayv6></spoofmac></enable></opt1></interfaces>
<gifs><gif><ipaddr><if>wan</if>
<tunnel-local-addr>2001:470:xxxx:yyyy::2</tunnel-local-addr>
<tunnel-remote-addr>2001:470:xxxx:yyyy::1</tunnel-remote-addr>
<tunnel-remote-net>64</tunnel-remote-net>
<remote-addr>216.66.22.2</remote-addr><gifif>gif0</gifif></ipaddr></gif></gifs></pfsense>**
Then the if and route tables after reboot (no ipv6 connectivity):
**[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(1): ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:xxxx:yyyy:2::1 –> 2607:f8b0:4002:c04::68
^C
--- ipv6.l.google.com ping6 statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(2): ifconfig -a
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:50:c2:23:57:1e
inet6 fe80::250:c2ff:fe23:571e%em0 prefixlen 64 scopeid 0x1
inet 24.98.144.135 netmask 0xfffffc00 broadcast 255.255.255.255
nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:50:c2:23:57:1f
inet 192.168.0.1 netmask 0xfffffc00 broadcast 192.168.3.255
inet6 fe80::250:c2ff:fe23:571f%em1 prefixlen 64 scopeid 0x2
inet6 2001:470:xxxx:yyyy:2::1 prefixlen 64
nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33200
gif0: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1280
tunnel inet 24.98.144.135 –> 216.66.22.2
inet6 fe80::250:c2ff:fe23:571e%gif0 prefixlen 64 scopeid 0x7
inet6 2001:470:xxxx:yyyy::2 prefixlen 64
nd6 options=3 <performnud,accept_rtadv>options=1 <accept_rev_ethip_ver>[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(3): netstat -rn
Routing tablesInternet:
Destination Gateway Flags Refs Use Netif Expire
default 24.98.144.1 UGS 0 4519 em0
24.98.144.0/22 link#1 U 0 233 em0
24.98.144.135 link#1 UHS 0 0 lo0
75.75.75.75 00:50:c2:23:57:1e UHS 0 127 em0
75.75.76.76 00:50:c2:23:57:1e UHS 0 127 em0
127.0.0.1 link#5 UH 0 22 lo0
192.168.0.0/22 link#2 U 0 9205 em1
192.168.0.1 link#2 UHS 0 0 lo0
216.66.22.2 24.98.144.1 UGHS 0 16 em0Internet6:
Destination Gateway Flags Netif Expire
default 2001:470:xxxx:yyyy::1 UGS em1
::1 ::1 UH lo0
2001:470:xxxx:yyyy::/64 link#2 U em1
2001:470:xxxx:yyyy::2 link#7 UHS lo0
2001:470:xxxx:yyyy:2::1 link#2 UHS lo0
fe80::%em0/64 link#1 U em0
fe80::250:c2ff:fe23:571e%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::250:c2ff:fe23:571f%em1 link#2 UHS lo0
fe80::%lo0/64 link#5 U lo0
fe80::1%lo0 link#5 UHS lo0
fe80::%gif0/64 link#7 U gif0
fe80::250:c2ff:fe23:571e%gif0 link#7 UHS lo0
ff01::%em0/32 fe80::250:c2ff:fe23:571e%em0 U em0
ff01::%em1/32 fe80::250:c2ff:fe23:571f%em1 U em1
ff01::%lo0/32 ::1 U lo0
ff01::%gif0/32 fe80::250:c2ff:fe23:571e%gif0 U gif0
ff02::%em0/32 fe80::250:c2ff:fe23:571e%em0 U em0
ff02::%em1/32 fe80::250:c2ff:fe23:571f%em1 U em1
ff02::%lo0/32 ::1 U lo0
ff02::%gif0/32 fe80::250:c2ff:fe23:571e%gif0 U gif0
[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(4):</accept_rev_ethip_ver></performnud,accept_rtadv></up,pointopoint,running,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast>**Then I go to Interfaces->(assign), select the GIF tab, edit the gif interface but don't change anything, then Save. All of a sudden IPV6 tunelling starts working!!!
**[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(4): ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:xxxx:yyyy::2 –> 2607:f8b0:4002:802::1012
16 bytes from 2607:f8b0:4002:802::1012, icmp_seq=0 hlim=58 time=41.343 ms
16 bytes from 2607:f8b0:4002:802::1012, icmp_seq=1 hlim=58 time=46.513 ms
16 bytes from 2607:f8b0:4002:802::1012, icmp_seq=2 hlim=58 time=44.311 ms
16 bytes from 2607:f8b0:4002:802::1012, icmp_seq=3 hlim=58 time=43.865 ms
^C
--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 41.343/44.008/46.513/1.836 ms[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(5): ifconfig -a
em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:50:c2:23:57:1e
inet6 fe80::250:c2ff:fe23:571e%em0 prefixlen 64 scopeid 0x1
inet 24.98.144.135 netmask 0xfffffc00 broadcast 255.255.255.255
nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=4209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso>ether 00:50:c2:23:57:1f
inet 192.168.0.1 netmask 0xfffffc00 broadcast 192.168.3.255
inet6 fe80::250:c2ff:fe23:571f%em1 prefixlen 64 scopeid 0x2
inet6 2001:470:xxxx:yyyy:2::1 prefixlen 64
nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384
options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
nd6 options=3 <performnud,accept_rtadv>pflog0: flags=100 <promisc>metric 0 mtu 33200
gif0: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1280
tunnel inet 24.98.144.135 –> 216.66.22.2
inet6 fe80::250:c2ff:fe23:571e%gif0 prefixlen 64 scopeid 0x7
inet6 2001:470:xxxx:yyyy::2 prefixlen 64
nd6 options=3 <performnud,accept_rtadv>options=1 <accept_rev_ethip_ver>[2.1-BETA1][root@srvrrouter.dillobits.lan]/root(6): netstat -rn
Routing tablesInternet:
Destination Gateway Flags Refs Use Netif Expire
default 24.98.144.1 UGS 0 6154 em0
24.98.144.0/22 link#1 U 0 280 em0
24.98.144.135 link#1 UHS 0 0 lo0
75.75.75.75 00:50:c2:23:57:1e UHS 0 140 em0
75.75.76.76 00:50:c2:23:57:1e UHS 0 140 em0
127.0.0.1 link#5 UH 0 24 lo0
192.168.0.0/22 link#2 U 0 15136 em1
192.168.0.1 link#2 UHS 0 0 lo0
216.66.22.2 24.98.144.1 UGHS 1 30 em0Internet6:
Destination Gateway Flags Netif Expire
default 2001:470:xxxx:yyyy::1 UGS gif0
::1 ::1 UH lo0
2001:470:xxxx:yyyy::/64 link#2 U em1
2001:470:xxxx:yyyy::2 link#7 UHS lo0
2001:470:xxxx:yyyy:2::1 link#2 UHS lo0
fe80::%em0/64 link#1 U em0
fe80::250:c2ff:fe23:571e%em0 link#1 UHS lo0
fe80::%em1/64 link#2 U em1
fe80::250:c2ff:fe23:571f%em1 link#2 UHS lo0
fe80::%lo0/64 link#5 U lo0
fe80::1%lo0 link#5 UHS lo0
fe80::%gif0/64 link#7 U gif0
fe80::250:c2ff:fe23:571e%gif0 link#7 UHS lo0
ff01::%em0/32 fe80::250:c2ff:fe23:571e%em0 U em0
ff01::%em1/32 fe80::250:c2ff:fe23:571f%em1 U em1
ff01::%lo0/32 ::1 U lo0
ff01::%gif0/32 fe80::250:c2ff:fe23:571e%gif0 U gif0
ff02::%em0/32 fe80::250:c2ff:fe23:571e%em0 U em0
ff02::%em1/32 fe80::250:c2ff:fe23:571f%em1 U em1
ff02::%lo0/32 ::1 U lo0
ff02::%gif0/32 fe80::250:c2ff:fe23:571e%gif0 U gif0</accept_rev_ethip_ver></performnud,accept_rtadv></up,pointopoint,running,multicast></promisc></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast>** -
Can't tell because of what you masked, but your LAN subnet and your Tunnel subnet cannot be the same.
The LAN side is your Routed /64 from HE.net for that tunnel and not the same as the tunnel interconnect /64.
-
Ah ha!!! Of course. Not immediately obvious from the instructions, but makes perfect sense. All good now. Many thanks.
-
Except the part in the instructions that explicitly states it should be the routed /64 and not the tunnel network… :-)
Set Up LAN for IPv6
You can set up the LAN interface for a combined static ipv4 and ipv6 network. What you need to enter on the LAN IPv6 address is a address in the "Routed /64" subnet that you got from HE. You will need to request another /64 from Sixxs after getting your tunnel working. It is important to note that the routed /64 range is different from the tunnel /64!
-
Sure. I guess it pays to not just look at the screen shots.
