Cannot PING (or access) IPv6 enabled (dual stack) sites from LAN with IPv4
-
Hi
I have been having intermittent connectivity issues with outbound NAT. IPv6 is not enabled on the WAN as we have Time Warner Cable and they have more or less stated they will be the last cable provider in America to embrace IPv6. However we have a DHCP6 server on the LAN & the LAN is fully IPv6 enabled using ULA assigned numbers as well as link-local.
My problem can be described as "It works well most of the time for most sites and then at times it doesn't work at all"; it has not worked flawlessly since I installed it. I started in January w/2.2, then 2.2.1, then 2.2.2, but then had to do a fresh install of 2.2.2. The problem does not appear to be the DNS forwarder, as the site(s) will partially open, just never finish loading.
I also have an issue where I set up a temp VLAN for moving some data on the LAN, and when I removed it the automatically generated NAT rules were removed and would not go back in. I set it to Hybrid and added the automatic rules back myself (probably a separate issue).
Just now (& why I am making this post) I came to the realization that I could ping Yahoo but not Google from Diagnostics > Ping when selecting LAN as the packet source. I can always ping anything from the WAN. I tried other dual-stack sites and they also cannot be pinged. So I believe my issue may be IPv6 related. But then again maybe it is the loss of the automatic NAT rules. What I am asking is "Where does one start in t-shooting this scenario?" TIA!!
-
TWC has most of their network IPv6-enabled. A lot of us here, myself at home included, have native v6 via TWC.
It sounds like what you're seeing there is because of the preference for IPv6 over IPv4.
https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preference
-
Why in the world would you set up IPv6 on your LAN if you're not going to access the internet? If you want to play with IPv6 and your ISP doesn't have it - set up a tunnel.
If not - turn it off on your LAN, there is NO reason to run IPv6 on the LAN - NONE!! You're not going to run out of RFC 1918 space ever.. And you have millions of addresses to use in that space..
For what possible reason could you have use of IPv6 on the LAN, and not just use a tunnel from HE or SixXS?
-
johnpoz
We have (sadly :'( ) a mostly Windows network. Many services on Windows require IPv6. Since Vista it is on and the default protocol. Rather go with the flow than running around to 100s of workstations to disable it. Additionally we use IPsec for a few departments and it is a kludge on IPv4. IPv6 is more robust, stable and secure than IPv4 will ever be, and IPsec is native in the protocol, not a patch.
If YOU are going to disable it, RTM http://support.microsoft.com/kb/929852 because simply unchecking the binding in network properties is a mistake. There is no way to programmatically re-enable it and some updates will fail in that state. Here is one of the better articles, including many other good links: http://windowsitpro.com/networking/ipv6-support-windows-8-windows-server-2012 It's not about addresses, it's about not resisting the future of TCP/IP. It's not that hard anyway, and I ping6 considerably less than I ping. Lastly, there is a new security paradigm coming in ~20 months that is game changing from iamSecureOnline.com and it only uses IPv6. They are in stealth mode, which is funny because it is a zero knowledge network.
So I realize that until everyone is dual stack and ISPs resist deployment, like you are, there will be challenges. Thanks for your input. I am reinstalling PFS tonight. :(
-
cmb
Thanks for the prompt reply, I love the spirit here. I only wish my experience was a better one. I have had multiple failures with VPN access and this continuous challenge and then the automatic NAT failure. I have called TWC a few times now (traceroutes showed the local router was trying to route a ULA address!) and they are useless and, based on the info you provided, outright liars.
I am a FreeBSD nut since the AT&T lawsuit in the '90s allowed it back. I have hand rolled many a site-to-site VPN using FreeBSD and an old PC. My big problem is this is on my dime until I prove it works, or I would simply buy one and have support. I am re-installing tonight and will make sure I do not enable IPv6 on the LAN interface. As PFS is a custom build I am not sure where to edit the files, but it will be fun figuring it out. Thanks again, your post was constructive. ;)
-
"Many services on Windows require IPv6"
NO.. this is just not true.. Where did you get that idea?? Give examples please.. What service do you think requires IPv6 - homegroups?
I have it disabled on pretty much every single Windows machine that I touch.. And everything works just fine.. It's a simple way to disable with a reg key..
reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255
Only on my boxes I play with do I have it correctly set up.. The rest have it disabled - I even have IPv6 working over my OpenVPN connection to my home network.. I would love some examples of what you feel actually requires IPv6 in a Windows network.. Are you using DirectAccess? How would that be working without any IPv6 WAN connectivity?
-
Where does outbound NAT come into play here at all? Should be no NAT involved with v6.
Some Windows services will either fail, or are in an unsupported configuration, if you disable IPv6. I recall some complaining that recent MS Exchange versions, for instance, will encounter problems if you disable IPv6 even if you aren't using it, and Microsoft's stance is that it isn't a supported configuration. But that doesn't mean you need to be using ULA either. Having it enabled strictly with link-local addresses suffices there. And it doesn't introduce other potential complications.
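The two cmb replies above (IPv6-over-IPv4 preference, and ULA versus link-local-only on the LAN) come down to how a dual-stack host orders a site's AAAA and A records. The script below is an added example, not code from this thread or from the pfSense project: it is a simplified model of RFC 6724 destination address selection (rules 1, 2, 5, 6 and 9 of section 6, with a cut-down source selection) and runs the same dual-stack lookup through the older RFC 3484 policy table, the RFC 6724 table, and a "prefer IPv4" variant. All addresses are constructed from documentation and private ranges; the `prefer_ipv4` helper and its precedence value of 100 are assumptions about how such knobs generally work, not a description of any specific pfSense or Windows setting.

```python
"""Simplified RFC 6724 / RFC 3484 destination address selection (added example).

Models why a host whose only IPv6 addresses are ULA and link-local, behind a
router with no IPv6 uplink, can still try a site's AAAA record first, and why
the RFC 6724 policy table (fc00::/7 demoted) or an IPv4-preference policy
changes that. Addresses are constructed from documentation / private ranges.
"""
import ipaddress

IPv6 = ipaddress.IPv6Address
LINK_LOCAL, GLOBAL = 0x2, 0xE  # RFC 6724 scope values

# Default policy tables as (prefix, precedence, label).
RFC3484_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("2002::/16", 30, 2),
    ("::/96", 20, 3), ("::ffff:0:0/96", 10, 4),
]
RFC6724_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]


def prefer_ipv4(table):
    # Assumption: "prefer IPv4" knobs work by raising the precedence of the
    # IPv4-mapped prefix above ::/0; 100 is an illustrative value.
    return [(p, 100 if p == "::ffff:0:0/96" else prec, lbl) for p, prec, lbl in table]


def as_v6(addr):
    """Represent IPv4 as IPv4-mapped IPv6 so one policy table covers both."""
    a = ipaddress.ip_address(addr)
    return IPv6(f"::ffff:{a}") if a.version == 4 else a


def policy(table, addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    best = None
    for prefix, prec, label in table:
        net = ipaddress.IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, prec, label)
    return best[1], best[2]


def scope(addr):
    """ULA counts as global scope (RFC 6724 s.3.1); link-local/loopback do not."""
    v4 = addr.ipv4_mapped
    if v4 is not None:
        return LINK_LOCAL if (v4.is_link_local or v4.is_loopback) else GLOBAL
    return LINK_LOCAL if (addr.is_link_local or addr.is_loopback) else GLOBAL


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(table, dest, sources):
    """Source selection: same family, then rules 2 (scope), 6 (label), 8 (prefix)."""
    same_family = [s for s in sources if (s.ipv4_mapped is None) == (dest.ipv4_mapped is None)]
    if not same_family:
        return None
    d_label, d_scope = policy(table, dest)[1], scope(dest)

    def rank(s):
        return (scope(s) == d_scope, scope(s) > d_scope,
                policy(table, s)[1] == d_label, common_prefix_len(s, dest))
    return max(same_family, key=rank)


def order_destinations(table, dests, sources, unusable=()):
    """Return dests as strings, most preferred first.

    `unusable` lists destinations the host knows it cannot reach (rule 1). A host
    with no IPv6 default route usually does NOT know that, which is the failure
    mode in the thread: it tries the AAAA address and the connection hangs.
    """
    srcs = [as_v6(s) for s in sources]

    def rank(d):
        src = select_source(table, d, srcs)
        if src is None:                      # rule 1: no source of that family
            return (0, False, False, 0, 0)
        prec, label = policy(table, d)
        return (1, scope(src) == scope(d),   # rule 2: matching scope
                policy(table, src)[1] == label,  # rule 5: matching label
                prec,                        # rule 6: higher precedence
                common_prefix_len(src, d))   # rule 9: longest matching prefix
    ordered = sorted((as_v6(d) for d in dests if d not in unusable), key=rank, reverse=True)
    return [str(d.ipv4_mapped) if d.ipv4_mapped else str(d) for d in ordered]


if __name__ == "__main__":
    host = ["fd12:3456:789a::10", "fe80::1", "192.168.1.10"]  # constructed LAN host
    site = ["2001:db8::1", "203.0.113.10"]                    # constructed AAAA + A
    print("RFC 3484 table :", order_destinations(RFC3484_POLICY, site, host))
    print("RFC 6724 table :", order_destinations(RFC6724_POLICY, site, host))
    print("prefer IPv4    :", order_destinations(prefer_ipv4(RFC3484_POLICY), site, host))
    print("link-local only:", order_destinations(RFC3484_POLICY, site, ["fe80::1", "192.168.1.10"]))
```

With the RFC 3484 table a ULA source carries the same label as the site's global IPv6 address, so the AAAA record wins on precedence (40 vs 10) and the host attempts IPv6 it cannot route; the RFC 6724 table gives fc00::/7 its own label, the label mismatch demotes the AAAA record, and IPv4 is tried first. A host with only a link-local IPv6 address gets the same result under either table, because the scope mismatch (rule 2) sorts the IPv6 destination below IPv4, which is why link-local-only on the LAN avoids the problem while still leaving IPv6 enabled.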