Unable to communicate with https://packages.pfsense.org.
-
You might consider entering a IPV6 DNS server at the bottom of the list of DNS servers…
Or disabling IPV6 altogether if you just don't quite understand it?
-
@stephenw10, that solved the error contacting http://packages.pfsense.org, now I have a working list :-)
@kejianshi, as it fails pinging6 from the pfsense server to the default external GW using the ipv6 address directly, no DNS can be contacted either.
(*) ipv6 was configured-uncofngured here by a long-gone sysadmin who made some strange things here.
I too think that disabling ipv6 completely could have resolved this quickly but I really would like to have this ipv6 working, it would be really helpful if anyone knows a good document to start the config over.
Thank you very much again!
-
You want IPV6 working? we can do that too…
IPV6 seems easier to me than IPV4 - Maybe I'm strange.
-
Yeah, you're strange. ;)
Impossible to really give you much advise without knowing a lot more about your network but a good place to start would be here:
https://doc.pfsense.org/index.php/Example_basic_configurationSteve
-
Its as easy as IPV4 and no NAT issues. Sure its base 16 but I have 8 fingers on each hand, so no problem. (-;
I love that I can easily give anything I want a public IP and easily firewall it.
For Audio/Video this will be great as soon as people accept it.
My biggest issue is that most things are IPV6 ready but not really being skinned in most GUIs yet.
-
@stephenw10, thank you again but that seems pretty general, one thing in my network is that we don't have DMZ :-)
@kejianshi, great you find it v6 easier than v4, I'm still grasping it
I want to install squid (or squid3?) + squidgauard (or dansguard?) and I'm reading that these packages have problems with ipv6, is this right?
A little context if you could use it for some advice…
Our public ipv6 addresses are
network 2800:160:17C5:0:0:0:0:0/48 GW 2800:160:17C5:0:0:0:0:1My pfsense server info
2.2-RELEASE (amd64) built on Thu Jan 22 14:03:54 CST 2015 FreeBSD 10.1-RELEASE-p4 You are on the latest version.This server has 3 network i/f and 3 vlans
cablenic WAN up 100baseTX <full-duplex> 190.8.65.21 2800:160:17c5::2 cablenic intsi up 1000baseT <full-duplex> 192.168.32.253 cablenic intsm up 1000baseT <full-duplex> 192.168.18.245 cablenic VLANCER up 1000baseT <full-duplex> 172.28.255.254 2800:160:17c5::1:1 (here are 50% of network PCs) cablenic VLANTI up 1000baseT <full-duplex> 192.168.168.1 cablenic VLANSEM up 1000baseT <full-duplex> 192.168.14.254 (here are 50% of network PCs)</full-duplex></full-duplex></full-duplex></full-duplex></full-duplex></full-duplex>Thank you again!!
-
The best piece of advise I can give you is to start with a basic configuration and build it up testing at each stage. Don't try and do everything in one go.
@ kejianshi: Hexadecimal limbs, why didn't I think of that. ;)
Steve
-
So what IPv6 are you using on the lan side if that is your public?
inetnum: 2800:160::/32
status: allocated
aut-num: N/A
owner: Gtd Internet S.A.
ownerid: CL-GISA-LACNIC
responsible: Manuel Suanez Berrios
address: Moneda, 920, Piso 11
address: 6500712 - Santiago - RM
country: CL -
@johnpoz, I had this previous config which might have changed as I was playing around…
VLANCER, 2800:160:17c5::1:1 /52 VLANSEM, 2800:160:17c5::1:2 /52 and so on...@stephenw10, you are correct, step-by-step, the only thing I want by now is to establish connection from my pfsense server to my default public GW first then to the world using ipv6 address –no DNS at first :-)
Our DNS servers would be
2800:160::2 2800:160::1Thanks for your kind replies!
-
/52 ?? yeah that would not be correct..
-
Sleeping - Look at this when I wake.
-
@johnpoz /52 is not correct? I thought it could be subdivided in 16 networks with this… any suggestion?
-
min size of ipv6 segment is suppose to be /64, you can get a /48 for example from say tunnel broker HE, they route that to you via your tunnel then you can break that up into as many /64 you want.
-
But those VLANs have the same subnet, no?
-
I have had great success with a /48 for WAN and handing out /64s on all interfaces, including openvpn interfaces.
I do want to experiment with something like a /52 on the WAN and handing out a limited number of /64s after. (tried before and failed)
Why? Because some data centers for some odd reason are still hesitant to hand me a /48. Maybe all they have is a /48 themselves?
I know thats a crap configuration, but it would solve problems for me also to get that to work.
I will soon have a chance to try that… "soon" according to the data center.
However, as previously stated, if you want IPV6 now, getting a HE IPV6 tunnel works super well.
-
@stephenw10, yes, those VLANs had the same /52…
@kejianshi, I will better go with /64, so I will post here how it goes...
In any case my "problem" is pinging from pfsense to my default route (even though both ips answer from the Internet)...
pfsense <----> default GW 2800:160:17c5::2/48 <----> 2800:160:17c5::1 /48I don't know why but I'm still thinking the ipv4 way, I resist to waste so many addresses :-)
Thank you guys for following up…
-
/64 on the wan is near useless. You really want to be able to give each LAN/OPT interface a /64
-
@kejianshi I'm sorry I wasn't clear… I want first to get this two addresses to communicate each other (pf <-> gw) using the /48 mask... only then I will change the /52 to /64 configs for my internal networks...
Any suggestion as to how troubleshoot this pf <-> gw issue? It's worth saying that this problem presents only for ipv6. It works fine in ipv4...
I'm folllowing this document, but I have done it twice for the WAN part and I still don't find anything :-
https://doc.pfsense.org/index.php/Connectivity_TroubleshootingThank you again
-
Just to let you know that I finally could establish comm between pf <-> gw . I'm almost sure it was a fw rule, but I touched so many little things… now I'm going to subnet using /64... Thank you all for your kind support.
-
Its really difficult to help figure out IPV6 without seeing your settings. For me anyway. But I'm glad its working for you.
