Strange IPv6 issue - ICMPv6 stopped working.
-
I have 2001:470:28:1c::/64 assigned from HE.
From ground up, it worked with ICMPv6 until I rebooted the firewall, then ICMPv6 suddenly stopped working.
So I have segmented this up into 3 networks:
2001:470:28:1c:1::/80 = lan (RADVD=Managed, DHCPv6 enabled)
2001:470:28:1c:2::/80 = openvpn (RADVD=Router only, DHCPv6 disabled)
2001:470:28:1c:3::/80 = wireless (RADVD=Managed, DHCPv6 enabled)
Routing and everything works perfectly, as does IPv6 connectivity.
However, when ICMPv6-pinging an IP, let's say 2001:470:28:1c:1::6712, which I'm surfing from now, it times out. I then turned on packet capture to listen for all ICMPv6 on IPv6 and started pinging, but the only pings I can see are the gateway monitoring pings between the far endpoint and the near endpoint.
I even tried with "promiscuous mode" so it could "listen on all IPs", but the pings still do not seem to arrive to me.
However, pings arrive fine when pinging inside-out.
Firewall rules are added, both on the tunnel interface, that allows all ICMPv6, but also a floating rule that allows all ICMPv6.
What can the problem be? Seems it's a routing issue?
-
/80s huh. You'll probably see lots of strange issues pop up from time to time.
-
What is the problem with /80's?
The DHCP ranges are correctly configured?
Because all other traffic reaches me except for ICMPv6, including externally initiated traffic into dns1.sebbe.eu and dns2.sebbe.eu
The reason I selected /80 was that /16 is one "segment" of an IPv6 address, and since I have:
2001:470:28:1c:XXXX:XXXX:XXXX:XXXX
then I selected the first segment of my /64 to be the network identifier:
2001:470:28:1c:0001:XXXX:XXXX:XXXX = lan
2001:470:28:1c:0002:XXXX:XXXX:XXXX = openvpn
and so on.
But what you say is that I should reduce it, right, to /67 or something? Then I can segment it up to 8 networks?
But why does it need so much address space? Those networks have like max 10 computers each and I have already assigned 281474976710656 (2^48) addresses to each network. I'm not gonna exceed 281474976710656 computers in each network anyway, my equipment would not cope with it anyway.
-
IPv6 network segments are /64.
-
Go to your tunnel config on HE and tell it to assign you a /48. Put a /64 from that /48 on each of your network segments. You'll have 65,536 /64 networks to allocate as you see fit.
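
Added example, not part of the thread: a Python check of the segment plans discussed above, run against the original poster's three /80s and against a /64-per-segment plan. The /48 `2001:db8:1234::/48` is a documentation-range placeholder (the thread does not give the real one), and the function names are hypothetical.

```python
import ipaddress

def audit_plan(parent, segments):
    """Return (name, problem) findings for a dict of name -> IPv6 prefix."""
    parent_net = ipaddress.IPv6Network(parent)
    findings, seen = [], []
    for name, prefix in segments.items():
        net = ipaddress.IPv6Network(prefix)
        if not net.subnet_of(parent_net):
            findings.append((name, f"{net} is outside {parent_net}"))
        if net.prefixlen != 64:
            findings.append((name, f"prefix length /{net.prefixlen}, expected /64"))
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append((name, f"{net} overlaps {other_name}"))
        seen.append((name, net))
    return findings

def count_64s(parent):
    """Number of /64 segments available inside the delegated prefix."""
    plen = ipaddress.IPv6Network(parent).prefixlen
    return 2 ** (64 - plen) if plen <= 64 else 0

def allocate_64s(parent, names):
    """Assign consecutive /64s from the delegated prefix, one per segment name."""
    if count_64s(parent) < len(names):
        raise ValueError(f"{parent} cannot hold {len(names)} /64 segments")
    subnets = ipaddress.IPv6Network(parent).subnets(new_prefix=64)
    return {name: str(next(subnets)) for name in names}

# The thread's original plan: three /80s carved from the routed /64.
THREAD_PLAN = {
    "lan": "2001:470:28:1c:1::/80",
    "openvpn": "2001:470:28:1c:2::/80",
    "wireless": "2001:470:28:1c:3::/80",
}
# Placeholder /48 from the documentation range (assumption, not the poster's prefix).
EXAMPLE_48 = "2001:db8:1234::/48"

if __name__ == "__main__":
    for name, problem in audit_plan("2001:470:28:1c::/64", THREAD_PLAN):
        print(f"{name}: {problem}")
    new_plan = allocate_64s(EXAMPLE_48, THREAD_PLAN)
    print(count_64s(EXAMPLE_48), "x /64 available;", new_plan)
    print("findings for new plan:", audit_plan(EXAMPLE_48, new_plan))
```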
-
haha - HE… I'm such a genius...
Still, need to get rid of those /80s and should just do everything with a /48 > a bunch of /64s
-
But what's the technical reason for not being able to subnet it into smaller nets than /64? I don't use SLAAC anyway, so why do I get strange difficulties when I subnet it into smaller nets than /64?
There must be something to do about it to be able to get proper routing with /80s, because there are numerous ISPs out there that hand out smaller networks than /64 to their customers and for them it works perfectly. I have on certain IPv6 forums heard about ISPs that deliver a /120 to their customers.
I mean, it's really a waste of v6 addresses to request a /48, it's really madness because the headlines 10 years from now will be "IPv6 Address Exhaustion - are you prepared for IPv8?".
-
For me, the technical reason is "it doesn't work".
-
Innumeracy: Mathematical Illiteracy and Its Consequences
-
Broken - What you get if you slice up IPV6 subnets in non-standard ways with pfsense. Even when the math says it should be fine, it won't be.
-
I mean, it's really a waste of v6 addresses to request a /48, it's really madness because the headlines 10 years from now will be "IPv6 Address Exhaustion - are you prepared for IPv8?".
2^128 is a huge number. There are enough IPv6 addresses to give every person on earth more than 32,000 /48s. Over 10 million /56 - per person.
Don't sweat it. Feel free to do whatever you want, but don't expect much help when you stray from how you're supposed to do things. You did so, it broke. Do it right, it'll work.
-
Is 32,000 a big number? (I ran out of fingers - Let me take my shoes off)
/48 works really well - I think I have about 5 right now. I will give them back if people start running out.
I agree with derelict.