IPv6 Blocked Since Upgrade to 2.2 - TWC
-
Hello everyone,
I have TWC and I switched from a Mikrotik router to pfsense 2.1.5 last year. Native IPv6 worked great for me until I upgraded to 2.2 however. I did the automated upgrade, and after upgrading I would get an IPv6 address and delegated space over DHCP like normal, but nothing on my network could connect over IPv6 anymore. I can ping ipv6 addresses from pfsense and I can ping pfsense from devices on the LAN, but nothing else can ping out anymore. I exported my config and reinstalled 2.1.5, and IPv6 worked again, but when I upgraded to 2.2 a second time it stopped working.
This is the IPv6 configuration setup I use (/56 delegation, though only one subnet in use right now)
https://forum.pfsense.org/index.php?topic=87623.msg481615#msg481615
Any idea what could cause pfsense to have connectivity, but none of my clients since upgrading to 2.2?
em1 is my LAN interface, em0 is my WAN.
[2.2.2-RELEASE][admin@hostname]/root: ifconfig em0
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether be:be:ec:d1:5f:1a
        inet6 fe80::bcbe:ecff:fed1:5f1a%em0 prefixlen 64 scopeid 0x1
        inet 72.177.23.2 netmask 0xffffe000 broadcast 255.255.255.255
        inet6 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
[2.2.2-RELEASE][admin@hostname]/root: ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
        ether 46:ba:e6:4b:47:a8
        inet 10.100.55.2 netmask 0xffffff00 broadcast 10.100.55.255
        inet 10.100.55.1 netmask 0xffffff00 broadcast 10.100.55.255 vhid 1
        inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        carp: MASTER vhid 1 advbase 1 advskew 0
[2.2.2-RELEASE][admin@hostname]/root: netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags      Netif Expire
default            72.177.0.1         UGS         em0
10.15.0.0/24       link#4             U           em3
10.15.0.1          link#4             UHS         lo0
10.15.0.2          link#4             UHS         lo0
10.16.0.0/24       link#3             U           em2
10.16.0.2          link#3             UHS         lo0
10.100.0.0/14      10.100.55.11       UGS         em1
10.100.55.0/24     link#2             U           em1
10.100.55.1        link#2             UHS         lo0
10.100.55.2        link#2             UHS         lo0
10.104.0.0/14      10.100.55.11       UGS         em1
72.177.0.0/19      link#1             U           em0
72.177.23.2        link#1             UHS         lo0
127.0.0.1          link#7             UH          lo0
172.31.0.0/16      10.100.55.11       UGS         em1

Internet6:
Destination                              Gateway                                  Flags      Netif Expire
default                                  fe80::217:10ff:fe86:c259%em0             UGS         em0
::1                                      link#7                                   UH          lo0
2605:6000:400:7b::/64                    link#1                                   U           em0
2605:6000:700:7b::/64                    link#1                                   U           em0
2605:6000:c00:7b::/64                    link#1                                   U           em0
2605:6000:ef42:e100::/64                 link#2                                   U           em1
2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8  link#2                                   UHS         lo0
2605:6000:ffc0:7b::/64                   link#1                                   U           em0
2605:6000:ffc0:7b:4cbb:b614:46a5:38a1    link#1                                   UHS         lo0
fe80::%em0/64                            link#1                                   U           em0
fe80::bcbe:ecff:fed1:5f1a%em0            link#1                                   UHS         lo0
fe80::%em1/64                            link#2                                   U           em1
fe80::1:1%em1                            link#2                                   UHS         lo0
fe80::%em2/64                            link#3                                   U           em2
fe80::2408:c5ff:fead:1a15%em2            link#3                                   UHS         lo0
fe80::%em3/64                            link#4                                   U           em3
fe80::a87e:18ff:fe6c:775%em3             link#4                                   UHS         lo0
fe80::%lo0/64                            link#7                                   U           lo0
fe80::1%lo0                              link#7                                   UHS         lo0
ff01::%em0/32                            fe80::bcbe:ecff:fed1:5f1a%em0            U           em0
ff01::%em1/32                            2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8  U           em1
ff01::%em2/32                            fe80::2408:c5ff:fead:1a15%em2            U           em2
ff01::%em3/32                            fe80::a87e:18ff:fe6c:775%em3             U           em3
ff01::%lo0/32                            ::1                                      U           lo0
ff02::%em0/32                            fe80::bcbe:ecff:fed1:5f1a%em0            U           em0
ff02::%em1/32                            2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8  U           em1
ff02::%em2/32                            fe80::2408:c5ff:fead:1a15%em2            U           em2
ff02::%em3/32                            fe80::a87e:18ff:fe6c:775%em3             U           em3
ff02::%lo0/32                            ::1                                      U           lo0
[2.2.2-RELEASE][admin@hostname]/root: pfctl -sr | egrep 'inet6|icmp6'
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
block drop log quick inet6 proto tcp from any port = 0 to any
block drop log quick inet6 proto udp from any port = 0 to any
block drop log quick inet6 proto tcp from any to any port = 0
block drop log quick inet6 proto udp from any to any port = 0
pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
block drop in log on ! em0 inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any
block drop in log inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any
block drop in log on em0 inet6 from fe80::bcbe:ecff:fed1:5f1a to any
block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
block drop in log on ! em1 inet6 from 2605:6000:ef42:e100::/64 to any
block drop in log inet6 from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 to any
block drop in log on em1 inet6 from fe80::1:1 to any
pass quick on em1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on em1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on em1 inet6 proto udp from fe80::/10 to 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass out quick on em1 inet6 proto udp from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
block drop in log on em2 inet6 from fe80::2408:c5ff:fead:1a15 to any
block drop in log on em3 inet6 from fe80::a87e:18ff:fe6c:775 to any
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (em0 fe80::217:10ff:fe86:c259) inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to ! 2605:6000:ffc0::/56 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em1 inet6 from 2605:6000:ef42:e100::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
-
So I tried going back to 2.1.5 again, and as expected it started working again. I compared the firewall settings, and they were effectively identical (aside from differing IP ranges provided by DHCP). The only difference I noticed was that auto_linklocal is turned on in 2.2, but not in 2.1.
-
After doing some more digging and clearing out all the deprecated ipv6 addresses on my client, I noticed I was getting two separate, but similar address ranges. Somehow during the upgrade radvd.conf found itself with two subnet advertisements, one for the valid address range and another for an older range that I had not received in quite some time. I manually removed the old range from radvd.conf, HUP'ed radvd, and after a reboot to ensure a clean network slate my client is connecting again.
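As an added illustration of the root cause described in this last post (this is editor-added example code, not code from the thread or from pfSense): a small checker, assumed to be run on an admin workstation against a saved copy of radvd.conf and the LAN interface's ifconfig output, that lists every prefix radvd still advertises that the interface no longer holds, and mirrors the generated "USER_RULE: Default allow LAN IPv6 to any rule" pass rule shown above, which matches only the interface's current /64. A client that autoconfigures from a stale advertised prefix therefore sources traffic that no pass rule covers, and it falls through to the "Default deny rule IPv6" block. The live 2605:6000:ef42:e100::/64 prefix and the rule shape come from the thread; the radvd.conf text and the stale 2001:db8:dead:e100::/64 prefix are constructed for the example.

```python
"""Stale-prefix check for a radvd.conf against a LAN interface's live prefixes.

Editor-added example (not from the thread or from pfSense).  It reads the text
of radvd.conf and the ifconfig output for the LAN interface, reports prefixes
that are advertised but no longer configured on the interface, and mirrors the
generated "Default allow LAN IPv6 to any" pass rule, which only matches the
interface's current /64.  Both sample inputs below are constructed.
"""
from __future__ import annotations

import ipaddress
import re

# Constructed radvd.conf: the live /64 from the thread plus a stale prefix
# (2001:db8::/32 documentation space stands in for the old delegation).
SAMPLE_RADVD_CONF = """\
interface em1 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix 2605:6000:ef42:e100::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        prefix 2001:db8:dead:e100::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
};
"""

# Constructed ifconfig excerpt for em1, in the format the thread's output uses.
SAMPLE_IFCONFIG_EM1 = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
"""

# "prefix <net>/<len> {" lines in radvd.conf
PREFIX_RE = re.compile(r"^\s*prefix\s+([0-9A-Fa-f:]+/\d{1,3})\s*\{", re.MULTILINE)
# "inet6 <addr>[%scope] prefixlen <len>" lines in ifconfig output
INET6_RE = re.compile(
    r"^\s*inet6\s+([0-9A-Fa-f:]+)(?:%\w+)?\s+prefixlen\s+(\d{1,3})", re.MULTILINE
)


def advertised_prefixes(radvd_conf: str) -> list[ipaddress.IPv6Network]:
    """Every prefix radvd would put into its Router Advertisements."""
    return [ipaddress.IPv6Network(m.group(1), strict=False)
            for m in PREFIX_RE.finditer(radvd_conf)]


def interface_prefixes(ifconfig_out: str) -> list[ipaddress.IPv6Network]:
    """Global (non link-local) prefixes actually configured on the interface."""
    nets = []
    for m in INET6_RE.finditer(ifconfig_out):
        addr = ipaddress.IPv6Address(m.group(1))
        if addr.is_link_local:
            continue
        # Mask the host bits so the address becomes its on-link prefix.
        nets.append(ipaddress.IPv6Network((addr, int(m.group(2))), strict=False))
    return nets


def stale_prefixes(radvd_conf: str, ifconfig_out: str) -> list[ipaddress.IPv6Network]:
    """Advertised prefixes the interface no longer holds.  Clients keep
    autoconfiguring addresses from them until the RA valid lifetime runs out."""
    live = set(interface_prefixes(ifconfig_out))
    return [p for p in advertised_prefixes(radvd_conf) if p not in live]


def passes_lan_rule(src: str, ifconfig_out: str) -> bool:
    """Mirror 'pass in quick on em1 inet6 from <LAN /64> to any': the source
    network is the interface's current prefix, so a packet sourced from a stale
    prefix matches no pass rule and hits 'block drop in log inet6 all'."""
    addr = ipaddress.IPv6Address(src)
    return any(addr in net for net in interface_prefixes(ifconfig_out))


if __name__ == "__main__":
    for p in stale_prefixes(SAMPLE_RADVD_CONF, SAMPLE_IFCONFIG_EM1):
        print(f"stale prefix still advertised: {p}")
    for client in ("2605:6000:ef42:e100::1234", "2001:db8:dead:e100::1234"):
        verdict = "pass" if passes_lan_rule(client, SAMPLE_IFCONFIG_EM1) else "block (default deny)"
        print(f"{client}: {verdict}")
```

Run against real files by replacing the two constructed strings with the contents of radvd.conf and the output of ifconfig for the LAN interface; any prefix the script reports as stale is one that clients will still pick up and that the firewall's LAN pass rule will not match, which is exactly the pattern the logged IPv6 default-deny hits in this thread would show.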