[SOLVED] Setting up native IPv6 connectivity

samip537

@David_W:

In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.

Yeah, I have. I was tired when making that probably, but the problem still is there.

jimp

The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?

samip537

@jimp:

The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?

Which screenshot?

The LAN IP address on pfSense does not end in ::1, but rather ::3 which is the thing I'm trying to ping.
IPv6 gateway ends in ::1 which is unreacheable from the local devices.

The ping does work to pfSense.
[Check attachment called, Ping_to_pfsense_works.JPG]

Traceroute6 to google.fi fails.
[Attachment named, traceroute6_fails.JPG]

awebster

Way back at the beginning you said…

Allocated blocks:
2001:2060:4f:c::1/64 (In use.)

2001:2060:4f:d::1/64
2001:2060:4f:e::1/64
(These two for pfSense.)

You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.

Without that, its never going to work.

–A.

samip537

@awebster:

Way back at the beginning you said…

Allocated blocks:
2001:2060:4f:c::1/64 (In use.)

2001:2060:4f:d::1/64
2001:2060:4f:e::1/64
(These two for pfSense.)

You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.

Without that, its never going to work.

–A.

I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

hda

We could use 3 more GUI screenshots from you, to confirm the total situation:

• Interfaces: WAN
• Interfaces: LAN
• Status: Interfaces

awebster

@samip537:

I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?

If I traceroute this from outside, it stops at 2001:2060:4f::2
So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.

samip537

@hda:

We could use 3 more GUI screenshots from you, to confirm the total situation:

• Interfaces: WAN
• Interfaces: LAN
• Status: Interfaces

Here are the screenshots requested in the attachments. You should be able to identify each file by file name.

P.S IPv4 related WAN properties and information has been censored for privacy and server security purposes.

@awebster:

@samip537:

I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?

If I traceroute this from outside, it stops at 2001:2060:4f::2
So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.

What do you mean by "but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64"? I don't understand your point here.

The one at  2001:2060:4f::2 is not over my control as you can see from the reverse. (turku-ipv6-gw.woima.eu (2001:2060:4f::2))

awebster

Talk to your provider, the routing is messed up…

traceroute6 -n 2001:2060:4f:d::1

…
7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms

Looks good.

traceroute6 -n 2001:2060:4f:d::2

…
7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
10  * * *
11  * * *

Looks good, especially if you aren't allowing inbound traceroute requests.  If you see a bunch from …::55, it's me.
And

ping6 2001:2060:4f:d::2

PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 ms

Seems to confirm that it is working.

traceroute6 -n 2001:2060:4f:e::1

…
7  2001:2000:6028:2003::1  154.028 ms  143.610 ms *
8  2001:2000:6028:2003::2  149.536 ms  154.901 ms  154.917 ms
9  2001:2060:4f:e::1  150.610 ms  155.257 ms  141.915 ms

ping6 2001:2060:4f:e::1

PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 ms

But wait!  You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!

traceroute6 -n 2001:2060:4f:e::3

…
7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
10  2001:2060:4f::2  2180.388 ms !H * *

ping6 2001:2060:4f:e::3

PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachable

Also not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!

samip537

@awebster:

Talk to your provider, the routing is messed up…

traceroute6 -n 2001:2060:4f:d::1

…
7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms

Looks good.

traceroute6 -n 2001:2060:4f:d::2

…
7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
10  * * *
11  * * *

Looks good, especially if you aren't allowing inbound traceroute requests.  If you see a bunch from …::55, it's me.
And

ping6 2001:2060:4f:d::2

PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 ms

Seems to confirm that it is working.

traceroute6 -n 2001:2060:4f:e::1

…
7  2001:2000:6028:2003::1  154.028 ms  143.610 ms *
8  2001:2000:6028:2003::2  149.536 ms  154.901 ms  154.917 ms
9  2001:2060:4f:e::1  150.610 ms  155.257 ms  141.915 ms

ping6 2001:2060:4f:e::1

PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 ms

But wait!  You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!

traceroute6 -n 2001:2060:4f:e::3

…
7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
10  2001:2060:4f::2  2180.388 ms !H * *

ping6 2001:2060:4f:e::3

PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachable

Also not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!

2001:2060:4f:e::1 => Provider's GW. (Working on getting it fixed so it's the pfSense LAN address.)
2001:2060:4f:e::3 => That's the pfSense's LAN interface, pings are not allowed that are originating from WAN interface.

Please use ICMP or TCP, but not UDP when trying to traceroute, might work better.

I have talked to my provider today, they will work on it.

hda

You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
[The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]

Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
Look in System: (routing) Gateways for your correct route.

For Static on hosts use RA + Router Only
For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
For SLAAC from hosts use RA + Unmanaged

[N.B. subnets are important to differentiate, so :d::/64 is for your WAN and :e::/64 is for your LAN.]

samip537

@hda:

You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
[The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]

Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
Look in System: (routing) Gateways for your correct route.

For Static on hosts use RA + Router Only
For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
For SLAAC from hosts use RA + Unmanaged

Everything works now. Ports are reacheable though IPv6.

Final routes can be found from the attachments.

You may do an traceroute6 to mail.sami-mantysaari.com to check. :)