6RD not working
-
Hi jimp,
I've been having a similar problem. Using the Jan 22nd snap my 6RD connection to Charter works great. I usually update once a week, but since then (around the end of January) none of the snaps I've tried have worked. I get an ipv6 address on the outside interface but my gateway monitor never comes up and none of my ipv6 traffic seems to pass through the firewall.
There are a couple of other users in a thread in the 2.1 forum reporting the same thing. Honestly I have no idea how to debug this, up till now all my adventures into ipv6 have "just worked", but if there are some specific things you need me to provide I would be happy to update to the current snap and provide the results for you.
-Will
-
Hi guys,
Is there anything I can provide you with that would help get 6RD working again?
Should I open a ticket or something?
-Will
-
There is already a ticket open at http://redmine.pfsense.org/issues/2882 that links back to this and other threads.
-
Hi jimp,
Indeed, I opened it!
Just trying to get all the bases covered as this is the only problem I've had in 2.1 in a very long time.
-Will
-
See edit at bottom of post!
I'm having the same problem as swinn, and possibly many others.
The 6RD BR that I'm using is provided by my ISP (Telia Sweden).My configuration looks sane to me.
ifconfig shows wan_stf using the correct IPv6 address, netstat shows the correct default IPv6 gateway (at least I believe so - 2001:2002:6RD-BR-IPv4-in-hex:: - where 2001:2002 is my ISP's prefix, using wan_stf as Netif).
My LAN interface is tracking WAN and thus recieves the ::1 address of my subnet, which I can ping from computers on my LAN.But, the webui shows the IPv6 gateway as offline. When I try to ping the gateway from my router I get "Network is down".
As mentioned in http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker I have added a pass ICMP-rule from my 6RD BR to my WAN address, although I'm not sure if it's working.
IPv4 ICMP 217.209.228.xxx * WAN address * * noneYou see, when I run tcpdump -nnvvXi em0 proto 41, I see a lot of traffic.
Almost all of it is ICMP6 echo requests from my 6RD BR to my WAN address, but I never see my pfSense router replying to any of the echo requests.
217.209.228.xxx is my 6RD BR, 2.248.161.xxx is my WAN IP, 2001:2002:02f8:xxxx is my IPv6 subnet/prefix.tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes 20:55:00.709516 IP (tos 0x0, ttl 250, id 3570, offset 0, flags [none], proto IPv6 (41), length 72) 217.209.228.xxx > 2.248.161.xxx: IP6 (hlim 9, next-header ICMPv6 (58) payload length: 12) 2001:0:5ef5:79fd:855:34ba:2a8d:bebb > 2001:2002:2f8:xxxx:a9ce:2fc1:a2d8:62e6: [icmp6 sum ok] ICMP6, echo request, length 12, seq 44549 20:55:01.176129 IP (tos 0x0, ttl 250, id 5480, offset 0, flags [none], proto IPv6 (41), length 72) 217.209.228.xxx > 2.248.161.xxx: IP6 (hlim 14, next-header ICMPv6 (58) payload length: 12) 2001:0:4137:9e76:182e:2a58:35b6:dbec > 2001:2002:2f8:yyyy:a9ce:2fc1:a2d8:62e6: [icmp6 sum ok] ICMP6, echo request, length 12, seq 50535From what I understand, the 6RD BR's ability to ping my router, decides whether or not I will be granted a 6RD tunnel or not.
Now, since it seems like my pfSense router isn't responding to the ping requests sent by the BR, can this be why I'm not able to connect through it and get IPv6 access to the Internet?
If so, how come my router doesn't respond to the requests sent by my BR? I think this is strange, since I've explicitly allowed ICMP traffic from its IP address.If I add another explicit ICMP pass rule for another IP address, and try to ping my router from that IP, it works without a sigh.
Any suggestions? If you need more information to better track down my problem, just let me know and I'll post it.
EDIT:
Erhm. I took another look at the output from tcpdump.
Yes, the request is coming from my 6RD BR to my WAN address. BUT, the ICMP6 request inside is from 2001:0000:: which is the Teredo prefix, so this might be completely unrelated to the problem with 6RD tunneling.Another thing I noticed is this. If I setup a 6RD tunnel using the gif0 interface in the command line, it works without a problem and I can at least ping IPv6 hosts on the Internet from my router.
Of course it doesn't show up in the webui, and I can't use it for DHCPv6 to provide the prefix for my LAN, so it's no good for a long term solution.ifconfig gif0 create ifconfig gif0 tunnel 2.248.161.xxx 217.209.228.xxx ifconfig gif0 inet6 2001:2002::1 prefixlen 32 route add -inet6 default -interface gif0 -
6rd should work with tomorrow's snapshot, my test system is working now.
-
Still not working here with charter's 6rd service.
Version:
2.1-RC0 (amd64)
built on Sun Jul 7 08:43:44 EDT 2013
FreeBSD 8.3-RELEASE-p8After setting up the 6rd on the wan interface, and setting up IPv6 DNS servers, the pfsense unit is unable to ping or trace route any ipv6 address.
-
Hi guys,
Same here, Charter's 6RD isn't working.
Tried both updating my pfSense VM to the latest snap & installing a fresh new VM with the latest snaps.
As always, please let me know if I can provide anything that would help sort this out.
-Will
-
Logs would be good together with ifconfig and routing table output.
Latest snapshot has some automatic rules removed, due to wide covarge of auto rules, so probably check that your firewall rules are correct.
-
Any specific log file you want dumped?
Updated to 7/11/13 morning snapshot, amd64
I also have a firewall rule to allow icmpv6.ifconfig
em0: flags=8c02 <broadcast,oactive,simplex,multicast>metric 0 mtu 1500 options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso>ether 00:15:17:82:3d:60 media: Ethernet autoselect status: no carrier em1: flags=8c02 <broadcast,oactive,simplex,multicast>metric 0 mtu 1500 options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso>ether 00:15:17:82:3d:61 media: Ethernet autoselect status: no carrier igb0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=500bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:1b:21:54:db:58 inet6 fe80::21b:21ff:fe54:db58%igb0 prefixlen 64 scopeid 0x3 inet 10.1.7.1 netmask 0xffffff00 broadcast 10.1.7.255 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active igb1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=500bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:1b:21:54:db:59 inet6 fe80::21b:21ff:fe54:db59%igb1 prefixlen 64 scopeid 0x4 inet 10.1.4.1 netmask 0xffffff00 broadcast 10.1.4.255 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active igb2: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=400bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwtso>ether 00:1b:21:54:db:5c inet6 fe80::21b:21ff:fe54:db5c%igb2 prefixlen 64 scopeid 0x5 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active igb3: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=400b8 <vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwtso>ether 00:1b:21:54:db:5d inet6 fe80::21b:21ff:fe54:db5d%igb3 prefixlen 64 scopeid 0x6 inet 24.159.196.98 netmask 0xfffffff0 broadcast 24.159.196.111 inet 24.159.196.99 netmask 0xfffffff0 broadcast 24.159.196.111 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active pflog0: flags=100 <promisc>metric 0 mtu 33144 enc0: flags=0<> metric 0 mtu 1536 pfsync0: flags=0<> metric 0 mtu 1460 syncpeer: 224.0.0.240 maxupd: 128 syncok: 1 lo0: flags=8049 <up,loopback,running,multicast>metric 0 mtu 16384 options=3 <rxcsum,txcsum>inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa nd6 options=3 <performnud,accept_rtadv>igb1_vlan4: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:59 inet6 fe80::215:17ff:fe82:3d60%igb1_vlan4 prefixlen 64 scopeid 0xb nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 4 vlanpcp: 0 parent interface: igb1 igb1_vlan5: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:59 inet6 fe80::215:17ff:fe82:3d60%igb1_vlan5 prefixlen 64 scopeid 0xc inet 10.1.5.1 netmask 0xffffff00 broadcast 10.1.5.255 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 5 vlanpcp: 0 parent interface: igb1 igb0_vlan6: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:58 inet6 fe80::215:17ff:fe82:3d60%igb0_vlan6 prefixlen 64 scopeid 0xd inet 10.1.6.1 netmask 0xffffff00 broadcast 10.1.6.255 nd6 options=1 <performnud>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 6 vlanpcp: 0 parent interface: igb0 igb0_vlan7: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=3 <rxcsum,txcsum>ether 00:1b:21:54:db:58 inet6 fe80::215:17ff:fe82:3d60%igb0_vlan7 prefixlen 64 scopeid 0xe nd6 options=3 <performnud,accept_rtadv>media: Ethernet autoselect (1000baseT <full-duplex>) status: active vlan: 7 vlanpcp: 0 parent interface: igb0 bridge0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 ether 02:94:0a:e6:35:00 id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200 root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0 member: igb2 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 5 priority 128 path cost 2000000 member: igb3 flags=143 <learning,discover,autoedge,autoptp>ifmaxaddr 0 port 6 priority 128 path cost 2000000 ovpns1: flags=8051 <up,pointopoint,running,multicast>metric 0 mtu 1500 options=80000 <linkstate>inet6 fe80::215:17ff:fe82:3d60%ovpns1 prefixlen 64 scopeid 0x11 inet 10.1.254.1 --> 10.1.254.2 netmask 0xffffffff nd6 options=3 <performnud,accept_rtadv>Opened by PID 28948 wan_stf: flags=4001 <up,link2>metric 0 mtu 1280 inet6 2602:100:189f:c462:: prefixlen 32 nd6 options=3 <performnud,accept_rtadv>v4net 0.0.0.0/0 v4br 68.114.165.1</performnud,accept_rtadv></up,link2></performnud,accept_rtadv></linkstate></up,pointopoint,running,multicast></learning,discover,autoedge,autoptp></learning,discover,autoedge,autoptp></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum></up,broadcast,running,simplex,multicast></full-duplex></performnud,accept_rtadv></rxcsum,txcsum></up,broadcast,running,simplex,multicast></performnud,accept_rtadv></rxcsum,txcsum></up,loopback,running,multicast></promisc></full-duplex></performnud></vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso></up,broadcast,running,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso></broadcast,oactive,simplex,multicast></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso></broadcast,oactive,simplex,multicast>netstat -rn
Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 24.159.196.97 UGS 0 34681 igb3 10.1.4.0/24 link#4 U 0 72897 igb1 10.1.4.1 link#4 UHS 0 0 lo0 10.1.5.0/24 link#12 U 0 12559 igb1_v 10.1.5.1 link#12 UHS 0 0 lo0 10.1.6.0/24 link#13 U 0 983 igb0_v 10.1.6.1 link#13 UHS 0 0 lo0 10.1.7.0/24 link#3 U 0 10 igb0 10.1.7.1 link#3 UHS 0 0 lo0 10.1.254.0/24 10.1.254.2 UGS 0 0 ovpns1 10.1.254.1 link#17 UHS 0 0 lo0 10.1.254.2 link#17 UH 0 0 ovpns1 24.159.196.96/28 link#6 U 0 233 igb3 24.159.196.98 link#6 UHS 0 0 lo0 24.159.196.99 link#6 UHS 0 0 lo0 68.114.165.1 24.159.196.97 UGHS 0 0 igb3 127.0.0.1 link#10 UH 0 359 lo0 Internet6: Destination Gateway Flags Netif Expire default 2602:100:189f:c462::4472:a501 UGS wan_stf ::1 ::1 UH lo0 2602:100::/32 link#15 U wan_stf 2602:100:189f:c462:: link#15 UHS lo0 fe80::%igb0/64 link#3 U igb0 fe80::21b:21ff:fe54:db58%igb0 link#3 UHS lo0 fe80::%igb1/64 link#4 U igb1 fe80::21b:21ff:fe54:db59%igb1 link#4 UHS lo0 fe80::%igb2/64 link#5 U igb2 fe80::21b:21ff:fe54:db5c%igb2 link#5 UHS lo0 fe80::%igb3/64 link#6 U igb3 fe80::21b:21ff:fe54:db5d%igb3 link#6 UHS lo0 fe80::%lo0/64 link#10 U lo0 fe80::1%lo0 link#10 UHS lo0 fe80::%igb1_vlan4/64 link#11 U igb1_vla fe80::215:17ff:fe82:3d60%igb1_vlan4 link#11 UHS lo0 fe80::%igb1_vlan5/64 link#12 U igb1_vla fe80::215:17ff:fe82:3d60%igb1_vlan5 link#12 UHS lo0 fe80::%igb0_vlan6/64 link#13 U igb0_vla fe80::215:17ff:fe82:3d60%igb0_vlan6 link#13 UHS lo0 fe80::%igb0_vlan7/64 link#14 U igb0_vla fe80::215:17ff:fe82:3d60%igb0_vlan7 link#14 UHS lo0 fe80::215:17ff:fe82:3d60%ovpns1 link#17 UHS lo0 ff01::%igb0/32 fe80::21b:21ff:fe54:db58%igb0 U igb0 ff01::%igb1/32 fe80::21b:21ff:fe54:db59%igb1 U igb1 ff01::%igb2/32 fe80::21b:21ff:fe54:db5c%igb2 U igb2 ff01::%igb3/32 fe80::21b:21ff:fe54:db5d%igb3 U igb3 ff01::%lo0/32 ::1 U lo0 ff01::%igb1_vlan4/32 fe80::215:17ff:fe82:3d60%igb1_vlan4 U igb1_vla ff01::%igb1_vlan5/32 fe80::215:17ff:fe82:3d60%igb1_vlan5 U igb1_vla ff01::%igb0_vlan6/32 fe80::215:17ff:fe82:3d60%igb0_vlan6 U igb0_vla ff01::%igb0_vlan7/32 fe80::215:17ff:fe82:3d60%igb0_vlan7 U igb0_vla ff01::%ovpns1/32 fe80::215:17ff:fe82:3d60%ovpns1 U ovpns1 ff02::%igb0/32 fe80::21b:21ff:fe54:db58%igb0 U igb0 ff02::%igb1/32 fe80::21b:21ff:fe54:db59%igb1 U igb1 ff02::%igb2/32 fe80::21b:21ff:fe54:db5c%igb2 U igb2 ff02::%igb3/32 fe80::21b:21ff:fe54:db5d%igb3 U igb3 ff02::%lo0/32 ::1 U lo0 ff02::%igb1_vlan4/32 fe80::215:17ff:fe82:3d60%igb1_vlan4 U igb1_vla ff02::%igb1_vlan5/32 fe80::215:17ff:fe82:3d60%igb1_vlan5 U igb1_vla ff02::%igb0_vlan6/32 fe80::215:17ff:fe82:3d60%igb0_vlan6 U igb0_vla ff02::%igb0_vlan7/32 fe80::215:17ff:fe82:3d60%igb0_vlan7 U igb0_vla ff02::%ovpns1/32 fe80::215:17ff:fe82:3d60%ovpns1 U ovpns1 -
@ermal:
Logs would be good together with ifconfig and routing table output.
Latest snapshot has some automatic rules removed, due to wide covarge of auto rules, so probably check that your firewall rules are correct.
Hi ermal,
Tell me what you need and I'll fire up the vm & get it for you.
I did update the ticket here:
http://redmine.pfsense.org/issues/2882
a while back with the info you asked for at the time.
I can also give you remote access to the box if you would like….whatever I can do to help!
-Will
-
Well this is strange… just as a test, I set the WAN interface to 6to4 instead of 6rd, and clicked apply. I now have an ipv6 address, and I am able to properly ping IPv6 hosts from the router, as well as visit IPv6 websites on my LAN vi track interface. Wonder if the new modem I got yesterday has anything to do with this or not.
If it matters, I am a charter business customer.
-
Hi ddggttff3,
Honestly, I'm surprised that worked for you. Following your suggestion I made the same change & it blanked out the 6rd section in the WAN interface config when I changed it, assuming yours did the same, I'm surprised your firewall had any idea where to send your ipv6 traffic! Making the change to 6to4 did not make my ipv6 connection work.
As always, if there's any information I can provide to help sort this out just ask!
-Will
-
Well I just got a new modem, Model is SMCD3GN2-BIZ. I am thinking that's 1/2 the story as my old SMC did not work with 6to4, and the bootup UART log from this device mentions loading a "IPv6 over IPv4 tunneling driver".
Also, when I set it to 6to4, it auto pulled the old IPv6 address I got with 6rd, so yay!
So far, IPv6 6to4 has been working here with 0 issues.
Maybe you should ask charter for a new modem? I used to have the SMCD3G-BIZ, which did not work with 6to4. Is that the modem you use?
-
I'd just like to add "Me, too"
I use CenturyLink's 6rd's Border Relay. I was using a 2.1 Beta snapshot from last August until I upgraded this weekend and lost 6rd functionality.
Same symptoms as Will reports. I didn't have much time to troubleshoot - I just fired up my HE tunnel in the meantime.
However, I did notice this in my logs (I obfuscated my IP):
php: : The command '/sbin/pfctl -b 2602:XX:YYYY:ZZZZ::/32 -b 2602
ab02:4000::/32' returned exit code '1', the output was 'pfctl: illegal option – b usage: pfctl [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file] [-i interface] [-K host | network] [-k host | network ] [-o [level]] [-p device] [-s modifier ] [-t table -T command [address …]] [-x level]'I'd be happy to provide anything else to help get this squared away.
–Vince
-
Hi vinsomething,
Indeed, I don't really know where to start troubleshooting….for me getting 6rd up & going was a 5 minute affair and it "just worked" for a very long time.
I have a ticket open on this and the last thing I heard from the devs was that this is "seen that on misconfigurations of pfSense". I have no idea what that misconfiguration could be and would love to get a hint to point me in the correct direction.
I spun up my "current" pfsense vm the other day, grabbed the output of "pftop -w 150 -a -b -v rules" via the /status.php page on both my January (working) vm & the latest release as of last Saturday. I took the output from each and stuffed them into notepad++, edited out all the traffic counters & diffed them. There are 3 extra rules in the "current" rules that aren't in my January ruleset:
100 Pass In Q vmx3f1 K 0 0 0 inet from 10.56.56.0/24 to any flags S/SA
101 Pass In Q vmx3f1 K 0 0 0 inet6 from 2602:XXXX:XXXX:XXXX::/64 to any flags S/SA
102 Pass In Q vmx3f1 udp K 0 0 0 inet6 from fe80::/64 to ff02::1:3/128 port = 5355Maybe that's where the problem is, maybe it's not....I have no idea. All the other rules seem to differ only in the change between "wan_st" & "stf0".
It sucks that you updated & lost your 6rd functionality. I sure do hope this gets sorted out before 2.1 rolls out!
-Will
-
Hi guys,
I just updated my pfsense test vm to the Thu Aug 15 build and now I don't even get an ipv6 address on my outside interface.
-Will
-
I get the same on 6 to 4. I had to unconfigure ipv6 for now.
-
Hi podilarius,
Updating to the latest (Fri. 8/16) build has allowed my WAN interface to once again get an ipv6 address.
6RD still doesn't function, sorry to say.
-Will
