IPv6 LAN to WAN Difficulties
-
Hello pfsense community!
Short Story:
-I am unable to ping the WAN side of the firewall from my computer
-I can ping the LAN side of the firewall from my computer
-IPv4 works like a charm
-From the firewall I can ping ipv6.google.com
-Side note, DHCPv6 grants leases but the status does not show it up and running
Long Story:
I am pretty new to firewalls in general but I have been learning a ton about them very quickly. I am already quite proficient with IPv6 fortunately though. I work for an ISP and we are looking to make IPv6 available to our customers. I have been given a test server to work on that connects to an IPv6 enabled router to access the internet.
Anyways, I am trying to enable IPv6 on the pfsense firewall right now. I figured setting it up would be almost exactly the same as IPv4. When I ping the IPv6 LAN address from my computer, I am able to get a response. However, if I try to ping the WAN address, router address, or ipv6.google.com I get a "transmit failed. general failure.". Because of this, I am figuring that somewhere the firewall is blocking communication between the LAN and WAN. IPv4 works just fine and I am able to ping the entire route out to the internet. I am performing all of this via the GUI since the server is in the basement and is quite a hassle to access (I can access it for the SSH if I really need to). I am not quite sure what other information you folks would need in order to help me, so please let me know if you need anything!
Thank you to anyone that is able to help me! I really appreciate it!
-
A silly one: you enabled IPv6 support ?
-> checked "Allow IPv6" in "System: Advanced: Networking"
-
Yes I have. Haha I wish that were the case! Thanks for the reply.
-
I have the exact same issue, word-for-word. Have you figured out a solution?
-
Some more details on your configuration would be helpful. How did you set up IPv6 on your WAN and LAN interfaces? Static? DHCP-PD? Autoconf? Have you added appropriate firewall rules?
-
I realize it's been a few months since there was any activity on this thread but I have the same issue.
Allow IPv6 is checked under Advanced->Networking
WAN IPv6 Configuration Type is DHCP, Delegation Size 64
LAN IPv6 Configuration Type is Track Interface
Track IPv6 LAN IPv6 Interface is WAN
Default allow any IPv6 firewall rule in place.
The only other firewall rule is the IPv4 allow any.
I'm running pfSense 2.1.5.
My ISP is Comcast.
I can ping ipv6.google.com from pfSense, but not from the LAN.
-
…
WAN IPv6 Configuration Type is DHCP, Delegation Size 64
...
My ISP is Comcast.
Go with the delegation size of Comcast for WAN. pfSense LAN will conform to /64
Reboot after new config is necessary ?
-
Hmmm…. That may have been it. Rebooted for other config changes. Then noticed the delegation size was set to none. Changed it back to 64, saved and applied changes and now have IPv6 access from clients. Thanks!
-
I have a new related question now. Testing at http://test-ipv6.com/ now gives me a 10/10 score. However http://ipv6-test.com/ reports ICMP "Filtered". I don't see anything in my config that should filter ICMP. Is there something I can do to eliminate the filtering?
-
Apparently that site wants to be able to use ICMP to reach all the way to the host. This is news to me that not being able to receive ICMP might be bad.
I was able to get this site to report "Reachable" by changing my IPv6 ICMP Echo Request from any to WAN address. Changed it to IPv6 ICMP any from any to any.
Anyone know what ICMPv6 is safe to allow and what isn't?
-
Anyone know what ICMPv6 is safe to allow and what isn't?
There is no clear set of IPv6 security guidelines. A lot of security experts do not understand IPv6 themselves, and their advice is, ‘turn IPv6 off.’
If you find a good article on ICMPv6 firewalling, please share with the rest of us.
-
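An added example for the question above, not part of any forum post: RFC 4890 ("Recommendations for Filtering ICMPv6 Messages in Firewalls") groups ICMPv6 by type and code, and this Python example encodes its section 4.3 recommendations for traffic a firewall forwards. The function names, the sample message and the `site-policy` result for codes the RFC does not list are assumptions of this example.

```python
# Added example (not from the thread): RFC 4890 section 4.3 triage for ICMPv6
# that a firewall forwards between WAN and LAN (transit traffic only).
MUST_PASS, SHOULD_PASS = "must-pass", "should-pass"    # 4.3.1, 4.3.2
NOT_FORWARDED = "link-local-only"                      # 4.3.3
POLICY, DROP = "site-policy", "drop-by-default"        # 4.3.4, 4.3.5

# NDP, MLD, SEND, inverse ND, multicast router discovery: never routed.
LINK_LOCAL_TYPES = {130, 131, 132, 133, 134, 135, 136, 137,
                    141, 142, 143, 148, 149, 151, 152, 153}
MOBILE_IPV6_TYPES = {144, 145, 146, 147}
# Node information, router renumbering, experimental and extension types.
DROP_TYPES = {138, 139, 140, 100, 101, 200, 201, 127, 255}


def classify_transit(icmp_type, code=0):
    """Map an ICMPv6 type/code to the RFC 4890 transit recommendation."""
    if icmp_type in (1, 2, 128, 129):   # unreachable, too big, echo req/reply
        return MUST_PASS
    if icmp_type == 3:                  # time exceeded
        return {0: MUST_PASS, 1: SHOULD_PASS}.get(code, POLICY)
    if icmp_type == 4:                  # parameter problem
        return {0: SHOULD_PASS, 1: MUST_PASS, 2: MUST_PASS}.get(code, POLICY)
    if icmp_type in MOBILE_IPV6_TYPES:
        return SHOULD_PASS
    if icmp_type in LINK_LOCAL_TYPES:
        return NOT_FORWARDED
    if icmp_type in DROP_TYPES:
        return DROP
    return POLICY                       # unallocated or newer than the RFC


def classify_message(icmpv6):
    """Classify a raw ICMPv6 message: byte 0 is the type, byte 1 the code."""
    if len(icmpv6) < 4:                 # type, code and 16-bit checksum
        raise ValueError("truncated ICMPv6 header")
    return classify_transit(icmpv6[0], icmpv6[1])


def missing_must_pass(allowed_types):
    """Types a pass-list of ICMPv6 types omits although 4.3.1 requires them."""
    required = [t for t in range(256) if classify_transit(t, 0) == MUST_PASS
                or classify_transit(t, 1) == MUST_PASS]
    return [t for t in required if t not in allowed_types]


# Constructed sample: a Packet Too Big header (type 2, code 0, zero checksum).
SAMPLE_PTB = bytes([2, 0, 0, 0]) + (1280).to_bytes(4, "big")
```

For a pass-list containing only Echo Request, `missing_must_pass({128})` returns `[1, 2, 3, 4, 129]`, which includes the Packet Too Big messages that path MTU discovery depends on.
-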
Yep - Allowing the ICMP hasn't caused me any issues.
And it's required for GIF and for native ipv6 also.
Your box can be pinged, but that's not the end of the world.
I prefer GIF (tunnel broker) to what most ISPs are offering.
-
I'm still having this problem.
I do have the "IPv6 ICMP any from any to any" rule for WAN. Testing with http://ipv6-test.com/ it returns ICMP Filtered (Your router or firewall is filtering ICMPv6 messages sent to your computer. An IPv6 host that cannot receive ICMP messages may encounter problems like some web pages loading partially or not at all.)
So… yeah any new options out there?
-
Make sure your computer (or whatever device you're testing from) doesn't have a firewall that is filtering ICMPv6 as well. Windows Firewall does, by default, except from the LAN (at least in home/work networks; public might filter it in all cases).
For example, I can run the test on my Windows PC and it will show filtered, but I can run it on my iPhone and it will pass.
There is an advanced rule you can create to allow Windows Firewall to respond to ICMPv6. Steps are detailed in this Technet article. Note that instead of opening Group Policy Management Console, you would go to Control Panel > Windows Firewall > Advanced Settings. Also, this may not be available on non-professional versions of Windows (i.e. Home Premium).
-
It works. thx
-
Hey dudes my turn to reboot this thread
i need a little help
i set up my pfsense so i get an ipv6 on my client but i can't ping google dns. the set up is as follows: i get an ip range from my isp 2001:878::xxx/64
i setup wan as dhcp delegation size 64
lan as static 2001:878::1/64
and i set up "DHCPv6" router advertisements unmanaged
Allow ipv6 is checked
i have set up the default allow in the firewall as the only thing in there except the ipv4 default
i was thinking the problem is because i have ipv4 enabled and running but that should be possible right?? having ipv6 and ipv4 on the same pfsense
-
Usually if you're getting your prefix from your ISP via DHCP+PD, you wouldn't set the LAN as static. On the LAN interface you should select Track Interface, then under the IPv6 section, you should select WAN as the interface to track.
The WAN and LAN addresses should be from different address ranges, not the same subnet. so if your WAN is getting 2001:878::xxx, your LAN should not be using 2001:878::1.
IPv4 is not the problem. IPv4 and IPv6 can co-exist just fine.
-
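The addressing rule in the reply above, as an added Python example that is not part of any forum post: it flags a LAN prefix that overlaps the WAN link and lists the /64 LAN networks a delegated prefix can supply. The `2001:db8::` addresses are constructed documentation values and the function names are assumptions of this example.

```python
import ipaddress
from itertools import islice


def check_plan(wan_addr, lan_prefix):
    """Return a list of problems with a WAN address / LAN prefix pairing."""
    wan = ipaddress.ip_interface(wan_addr)
    lan = ipaddress.ip_network(lan_prefix, strict=False)
    problems = []
    if lan.prefixlen != 64:
        problems.append(f"LAN prefix is /{lan.prefixlen}; SLAAC needs a /64")
    if lan.overlaps(wan.network):
        problems.append(f"LAN {lan} overlaps WAN on-link prefix {wan.network}")
    return problems


def lan_candidates(delegated, wan_addr, limit=4):
    """First /64s of a delegated prefix that do not collide with the WAN link."""
    pd = ipaddress.ip_network(delegated)
    wan_net = ipaddress.ip_interface(wan_addr).network
    if pd.prefixlen > 64:
        return []                       # too small to hold even one /64 LAN
    free = (s for s in pd.subnets(new_prefix=64) if not s.overlaps(wan_net))
    return [str(s) for s in islice(free, limit)]


# Constructed cases (documentation prefix, not real assignments):
# same /64 typed on both sides of the firewall
SAME_SUBNET = check_plan("2001:db8:5::10/64", "2001:db8:5::1/64")
# WAN address from one prefix, a separate /64 delegated for the LAN
TRACKED_LAN = lan_candidates("2001:db8:100::/64", "2001:db8:0:1::abcd/64")
```

`SAME_SUBNET` holds one overlap problem, while `TRACKED_LAN` is `["2001:db8:100::/64"]`: a single delegated /64 is enough for one LAN as long as it is not the prefix already on the WAN link.
-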
i tried the track interface thing but it doesn't work.
i was thinking that it wouldn't work if you had the same subnets on both sides of pfsense but then again it is ipv6
could it be something the ISP has to do?? an error in their setup??
-
i was thinking that it wouldn't work if you had the same subnets on both sides of pfsense …
Right. So first your ISP should supply, native IPv6, at least prefix /63 or lower size-value.
I think a /64 prefix won't work for creating a LAN.
-
i got a /64 network all to myself, the last 64 bits of an ipv6 address are for interfaces, so the way it should work is the pfsense just works as a firewall and doesn't route.. the ipv6 world is a nat free world :)