Native ipv6 and ISP modem bridge issues

awebster

2 Questions:

1. Where are you pinging from to test?
Try Diagnostics -> Ping
Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
Protocol: IPv6
Select LAN interface

2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

infinityz

@awebster:

2 Questions:

1. Where are you pinging from to test?
Try Diagnostics -> Ping
Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
Protocol: IPv6
Select LAN interface

2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

Thanks for your answer awebster, here the tests you've asked for:

Source LAN:
PING6(56=40+8+8 bytes) 2804:14d:ca80:12af:208:a2ff:fe09:354e –> 2001:4860:4860::8888

--- 2001:4860:4860::8888 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Test's machine network configuration:

eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX 
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: 2804:14d:ca80:12b0:12bf:48ff:fe8a:2b07/64 Scope:Global
          inet6 addr: 2804:14d:ca80:12af:12bf:48ff:fe8a:2b07/64 Scope:Global
          inet6 addr: 2804:14d:ca80:12af::2000/128 Scope:Global
          inet6 addr: fe80::12bf:48ff:fe8a:2b07/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64765793 errors:0 dropped:321 overruns:0 frame:6
          TX packets:56610801 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:84293835593 (78.5 GiB)  TX bytes:51728229846 (48.1 GiB)
          Interrupt:17

awebster

So since ping from LAN side isn't working, check these things:

• Repeat ping test from WAN interface, I'm guessing it works.

• IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

• You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of modem.

infinityz

@awebster:

So since ping from LAN side isn't working, check these things:

• Repeat ping test from WAN interface, I'm guessing it works.

• IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

• You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of modem.

Same results pinging from WAN:

PING6(56=40+8+8 bytes) 2804:14d:ca80:0:4836:f225:e222:1145 –> 2001:4860:4860::8888

--- 2001:4860:4860::8888 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Point 2 and 3 YES and YES.

Your assumption about the subnet on the modem makes sense. I thought that a modem in bridge mode was enough :-/
Anything I could try to replicate manually on pfsense or do you think is worthless at this point and I should back to use the tunnel (which is a shame since I've finally got a native ipv6 support:-)) ?

awebster

Strange that the ping didn't work from the WAN side,
What sort of Internet connection do you have, is it PPPoE, or Cable?

infinityz

Cable one, and this was the saddest point :-) I could try different ways to distribute the addresses to the LAN, but even the WAN doesn't work, looks like it just gets the IP address, but no routes were being set :-/

awebster

@infinityz:

… Finally my ISP has managed to release the native ipv6 for their customers ...

I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

infinityz

@awebster:

@infinityz:

… Finally my ISP has managed to release the native ipv6 for their customers ...

I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

Will do :-) many thanks for your help here, much appreciated

infinityz

I don't know how this would be right or even makes sense! But I've got it working once added this rule on the WAN interface firewall:

IPV6 TCP  *  *  *  *  *

IPV6 working like a charm now on all my clients

awebster

You DO realise that that rule allows the WHOLE IPv6 Internet INSIDE your network, right ?!

infinityz

Yes, but the point is why do I ever need this rule in first place, in order to get the ipv6 connectivity to work :-/