IPv6 all working except Internet
-
Does your WAN interface have an IPv6 address? Status -> Interfaces will show you.
-
Yes. WAN is 2607:fc00:f000:b000::2 and ISP is 2607:fc00:f000:b000::1. Internal LAN is 2607:fc00:f000:e001::/64. From LAN I can ping ISP at 2607:fc00:f000:b000::1, but not anything beyond that.
-
What about pinging from WAN interface?
Diagnostics -> Ping
Host : 2001:4860:4860::8888
IP Protocol : IPv6
Select Source Address : WAN
-
No connectivity.
-
I have issues with the gateway. Not sure how this works but I am confident "Pending" is not good. When I restart the apinger service I get the screenshot error in the logs. Anybody have any idea what this is?
-
ISP connect routing issues?
How are you instructed by ISP to connect for IPv6?
Post screen [Interfaces: WAN], verified with them?
-
Connecting native IPv6. No tunneling, etc. The ISP is 2607:fc00:f000:b000::1 and our pfSense is 2607:fc00:f000:b000::2. We can ping that ISP address from our LAN and the pfSense. We cannot ping anything else on IPv6 Internet. It's almost like pfSense does not know where to send IPv6 since the gateway is "pending" in previous reply. Tests from the internet coming in can ping 2607:fc00:f000:b000::1 but not 2607:fc00:f000:b000::2. We just bought the pfSense SG-2440.
I also posted LAN interface which is different subnet.
-
Try unchecking block bogon networks, maybe your IPv6 prefix is in the bogon list.
Otherwise, if it still doesn't work there might be a routing problem at the ISP.
-
It's not bogon networks and it's not the ISP. It is the pfSense firewall. I can ping from internet test sites to the ISP but not the firewall WAN interface. And yes, I have completely dropped the firewall via rules to allow any any ipv6 on the WAN interface. Internally, we can ping the ISP from the LAN. That proves they have a route to us because WAN interface is 2607:fc00:f000:b000::/64 and LAN is 2607:fc00:e001::/64. Look at the pics I sent. Why is the WAN interface "PENDING"? pfSense is dropping the packets since traceroutes do not go beyond it. They hit the link-local address and stop.
-
Just because there's routing to and from 2607:fc00:e001::/64 (or even /48 - that prefix suggests you might have the entire /48 delegated to you) doesn't mean there's routing to and from 2607:fc00:f000:b000::/64.
Some ISPs - mine is one of them - statically allocate IPv6 prefixes but require you to establish leases using DHCPv6 and DHCP-PD before they install the routes to use those prefixes.
I would try to ping6 2607:fc00:f000:b000::2 from the Internet using one of the many sites offering ping6 and traceroute6 facilities. Packet capture the traffic on WAN interface using pfSense's built-in packet capture features or the mirroring feature of a managed switch. Mirroring on a switch gives you greater flexibility and more assurance that anything that is supposedly being sent has actually been sent.
Does your packet capture show any incoming ICMPv6 traffic? Do you see any replies?
I would also endorse awebster's suggestion to uncheck the bogon filter on your WAN interface for now. Whilst your WAN interface block doesn't appear in the bogon filter, it is always best to turn off features that might result in dropped traffic whilst debugging a problem.
-
Fixed it. Told all in the first post I am newb with pfsense. On the gateway address I had it as 2607:fc00:f000:b000::1/64. When I changed it to 2607:fc00:f000:b000::1 it went from "pending" to "online". Thanks for the help. :)
-
Glad you found it. Probably would have needed to see the System: Gateways: Edit gateway page to have spotted that.
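-
Added example (not part of the thread and not pfSense code): a small Python check for the mistake found above, a static IPv6 gateway entered with a prefix length, plus two related sanity checks. The function name `check_gateway` and its messages are hypothetical; the addresses are the ones quoted in the thread.

```python
import ipaddress


def check_gateway(wan_cidr: str, gateway: str) -> list:
    """Return a list of problems with a static IPv6 gateway entry (empty = OK).

    wan_cidr is the WAN interface address with its prefix length;
    gateway is the string typed into the gateway field.
    """
    problems = []
    wan = ipaddress.IPv6Interface(wan_cidr)

    # The mistake from the thread: a gateway is a single next-hop address,
    # so it must not carry a prefix length such as "/64".
    if "/" in gateway:
        problems.append("gateway carries a prefix length; enter a bare address")
        gateway = gateway.split("/", 1)[0]

    try:
        # Drop an optional zone id (e.g. "%em0") before parsing.
        gw = ipaddress.IPv6Address(gateway.split("%", 1)[0])
    except ipaddress.AddressValueError:
        problems.append("gateway is not a valid IPv6 address")
        return problems

    if gw == wan.ip:
        problems.append("gateway equals the WAN interface's own address")
    if gw.is_link_local:
        return problems  # link-local next hops are on-link by definition
    if gw not in wan.network:
        problems.append(f"gateway is outside the WAN subnet {wan.network}")
    return problems


if __name__ == "__main__":
    wan = "2607:fc00:f000:b000::2/64"          # WAN address from the thread
    for entry in ("2607:fc00:f000:b000::1/64",  # the entry that showed "pending"
                  "2607:fc00:f000:b000::1"):    # the corrected entry
        print(entry, "->", check_gateway(wan, entry) or "OK")
```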