Netgate Discussion Forum

    [Solved] Unable to ping pfSense's LAN interface on IPv6

    IPv6
      TomSparkLabs

      I don't know much about IPv6, but I thought I'd give it a shot on my home network. I configured my Windows Server 2012 R2 DHCP server to hand out addresses on the fd01::/16 subnet, but to no avail. I then set up pfSense to have a static IP on fd01::1, but I can't seem to ping it, and the request just times out. I then set it up to do router advertisements, but the machines on the network don't seem to pick it up (wrong IP?).
      Note that I configured my DHCPv6 relay to my AD DHCP server.
      (http://i.imgur.com/LdIOKpF.png, IPv6 configuration on LAN)
      (http://i.imgur.com/ukuViEO.png, DHCPv6 Relay service configuration)
      (http://i.imgur.com/arEd7zT.png, Router Advertisement configuration)

      Further research indicates that pfSense seems to be broadcasting on a link-local IPv6 address, and I can't figure out why. I can ping the link-local address, but it shouldn't be running there.
      (http://i.imgur.com/9SGorpp.png, Wireshark)

      Setup info:

      • Using external DHCP, Windows Server 2012 R2
      • Using external DNS, Windows Server 2012 R2
      • pfSense is running on Hyper-V (WAN that's only connected to the VM, LAN that's connected to the host as management and a cheap TP-Link unmanaged switch)

      Help would be greatly appreciated, I'm at a loss here.

        johnpoz LAYER 8 Global Moderator

        Does your ISP support IPv6?  If not, set yourself up a free ipv6 tunnel from Hurricane Electric… This is going to be much more useful to you than trying to run an ipv6 ULA address..  Where did you get the idea to use /16 - that is broken to even start with..

        While there is a fd01::/8 range in ULA - that is not meant to be a local subnet, all local subnets would be /64

        Get yourself a tunnel from HE, https://tunnelbroker.net/ you can get a /48 from them.. Then you can set up as many /64 as you need on your local network.  These will be able to actually talk to the real world, so much better to learn with than some ULA range.

        They also have a certification you can go through for ipv6 that is very helpful in learning about ipv6.. And when you reach sage you get a free t-shirt ;)  All free btw..
        https://ipv6.he.net/certification/

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11
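The prefix sizing discussed in the reply above (a /16 on a LAN versus /64 segments carved from a routed /48), as an added example that is not part of the original thread. The function names are hypothetical, and `2001:db8:1234::/48` is a documentation prefix standing in for a tunnel-broker allocation.

```python
import ipaddress
import itertools
import secrets

ULA_RANGE = ipaddress.ip_network("fc00::/7")   # RFC 4193 unique local addresses

def describe_lan(cidr):
    """Summarise an interface address such as 'fd01::1/16'."""
    iface = ipaddress.IPv6Interface(cidr)
    plen = iface.network.prefixlen
    return {
        "network": str(iface.network),
        "is_ula": iface.ip in ULA_RANGE,          # not routable over the tunnel
        "is_lan_sized": plen == 64,               # SLAAC and most hosts expect /64
        # how many /64 segments the configured prefix actually covers
        "slash64_segments": 2 ** (64 - plen) if plen <= 64 else 0,
    }

def random_ula_48():
    """RFC 4193 style site prefix: 0xfd followed by a 40-bit random global ID."""
    global_id = secrets.randbits(40)
    base = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((base, 48))

def lan_subnets(routed_48, count):
    """First `count` /64 networks carved from a routed /48."""
    net = ipaddress.ip_network(routed_48)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 allocation")
    return list(itertools.islice(net.subnets(new_prefix=64), count))

if __name__ == "__main__":
    print(describe_lan("fd01::1/16"))             # the setting from the first post
    print(random_ula_48())                        # a properly formed ULA site prefix
    for subnet in lan_subnets("2001:db8:1234::/48", 3):
        print(subnet, "-> router address", next(subnet.hosts()))
```
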

          TomSparkLabs

          I already have an IPv6 tunnel, the issue (IIRC) was that pfSense muttered something about the address already being in use on another interface. I tried again, and now it works. Does this seem correct?
          (http://i.imgur.com/kxFYYpR.png, New IPv6 setup)

          Edit: Ping now works (http://i.imgur.com/YhKSog4.png)
          (Still, makes me wonder why the /16 didn't)

            johnpoz LAYER 8 Global Moderator

            you don't have an IP actually set.. you're ending the IP with :: there should be a number there, if you want it to be 1 then add that.  Or whatever you actually want. Example here is my lan IPv6 address on pfsense.

            If you already had a tunnel why were you trying to set up ULA?

            As to /16 that's not really a valid network in ipv6.. Pretty much everything other than a prefix given to you by your isp or say HE is going to be a /64. Anything you set up on your network is going to be /64 unless you were going to assign some prefix of your /48 to some other router downstream from your pfsense box.

            ipv6static.jpg

              TomSparkLabs

              I set an IP, noticed something was missing ;)

              As for the tunnel, like I said, pfSense muttered something about the IP already being in use on another interface. Might've just copied the wrong address, that time.

              I have a new issue though (well sort of), why do PCs on my network self-assign IPs? Shouldn't they get them from the DHCP scope I set up a few minutes ago?
              (http://i.imgur.com/4KbwVd6.png)

              Edit: One of my servers now has 3 IPv6 addresses.

                johnpoz LAYER 8 Global Moderator

                yeah windows machines like to use multiple ipv6.. And even randomize them on reboot.  So sure getting dhcpv6 to assign can be tricky.  How do you have your RA setup?

                If you want to turn off that feature
                netsh interface ipv6 set privacy state=disabled store=active
                netsh interface ipv6 set privacy state=disabled store=persistent
                netsh interface ipv6 set global randomizeidentifiers=disabled store=active
                netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

                Personally since I only play with ipv6 on some of my machines, most of them have it disabled.  I just set up the machines I want to use IPv6 as statics ;)  Makes it much easier to work with..  Currently I even have RA disabled on pfsense.  I just set up the machines I want to test something with as ipv6 static at the time, or the couple of machines that use ipv6 all the time like my ntp server that is part of pool, he is static..  This does make life simpler ;)

                Clearly something you would not do in a true production setup.  But for the handful of machines on my home network that I want to test ipv6 with it is easier ;)  And gives you complete control that way.

                  TomSparkLabs

                  My RA is currently set to Assisted. Should I switch it to managed?

                  On another note: I can't seem to establish an IPv6 connection to the outside world. My LAN rules are correct (they allow all IPv6 traffic), and the only thing I can ping is HE's IPv6 address. Is this a DNS issue?

                  Edit: Probably not a DNS issue. I don't know what it is, though.

                    johnpoz LAYER 8 Global Moderator

                    Which HE ipv6 address are you pinging?

                    What would dns have to do with pinging?  Are you saying you can not resolve an IPv6 address?  Do an ipv6 traceroute..  See attached examples from my windows box..

                    So I can resolve ipv6 stuff, it resolves via using my ipv6 address of pfsense on the lan.
                    I can ping ipv6 stuff on the internet
                    Trace shows that it hits my pfsense lan IPv6, it then hits the other end of the tunnel with HE.  And then internet ipv6 until it gets to the target.  Those are 2 different networks in the first 2 hops..  I can PM them to you if you want to see, but didn't want to post those public since they are global ipv6 addresses (ie public)

                    As to your RA.. if you're going to want to run a dhcp server and you don't want autoconfig ipv6 then yeah you would set it to managed not assisted.  Or if you just want to get ipv6 up and running, with playing with all the fun that is RA and DHCPv6 at a later time, just turn off RA and dhcp6 and set up statics so you have validated your ipv6 traffic is working and going through the tunnel, etc..  Then you can start playing with using dhcpv6 and RA stuff.  Happy to turn it on and provide assistance, but it's just easier to use static for how I currently use ipv6.  For example my windows machine wasn't even using ipv6 until I needed to show you a trace and ping, etc.  I just enabled it remotely for that post.. Then I will turn it back off ;)

                    ipv6stuff.jpg
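Why hosts self-assign addresses next to a DHCPv6 scope, and what switching RA from Assisted to Managed changes, as an added example that is not part of the original thread: a parser for the Router Advertisement flags defined in RFC 4861. The sample RAs are constructed with the documentation prefix `2001:db8:1234:1::/64`; the mapping of pfSense's Assisted mode to M+O+A and Managed mode to M+O without A is an assumption of this example.

```python
import ipaddress
import struct

def build_ra(managed, other, autonomous, prefix="2001:db8:1234:1::", plen=64):
    """Constructed sample: RA header plus one Prefix Information option."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    # type 134, code 0, checksum left 0 (not verified here), hop limit, flags, lifetimes
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)        # L always set, A optional
    pio = struct.pack("!BBBBIII", 3, 4, plen, pflags, 86400, 14400, 0)
    return header + pio + ipaddress.IPv6Address(prefix).packed

def parse_ra(icmp6):
    """Extract the M/O flags and per-prefix L/A flags from an ICMPv6 RA."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(icmp6[5] & 0x80), "O": bool(icmp6[5] & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:                  # Prefix Information
            net = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{net}/{icmp6[off + 2]}",
                                   "L": bool(icmp6[off + 3] & 0x80),
                                   "A": bool(icmp6[off + 3] & 0x40)})
        off += opt_len
    return ra

def host_addressing(ra):
    """How a host configures addresses after receiving this RA."""
    result = []
    if any(p["A"] and p["prefix"].endswith("/64") for p in ra["prefixes"]):
        result.append("slaac")                # self-assigned, incl. privacy addresses
    if ra["M"]:
        result.append("dhcpv6-address")       # stateful lease from the DHCPv6 scope
    elif ra["O"]:
        result.append("dhcpv6-options-only")  # DNS etc. only, no lease
    return result

if __name__ == "__main__":
    for mode, args in (("Assisted", (True, True, True)), ("Managed", (True, True, False))):
        print(mode, host_addressing(parse_ra(build_ra(*args))))
```
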

                      TomSparkLabs

                        johnpoz LAYER 8 Global Moderator

                        yeah doesn't look like your tunnel is working.  You seem to be able to hit your pfsense box..  But then not going out the tunnel.  And you seem to be defaulting to using dns via ipv4 and don't even have a PTR setup.. Is that your Windows dns box - you need to setup a reverse zone for your 10.1.1 network so your client can resolve the PTR it does when you use nslookup.

                        Does pfsense show your tunnel up?

                        tunnelheuppfsense.jpg

                          TomSparkLabs

                          Yeah, the pfSense box shows that my tunnel is reachable (20ms). My DNS servers are 10.1.1.1 and 10.1.1.2. I fixed the PTR records. Should I run it again?

                            johnpoz LAYER 8 Global Moderator

                            what are your gateways set up like and your lan rules - you're not forcing out a specific gateway are you?

                            gatewaysrules.jpg

                              TomSparkLabs

                              Not that I know of… (http://i.imgur.com/gFQDAgH.png) (http://i.imgur.com/DqdWouD.png)

                                TomSparkLabs

                                http://i.imgur.com/peLYol7.png
                                (test-ipv6.com)

                                  TomSparkLabs

                                  So this was weird… I rebooted the router, and rebooted my PC.
                                  http://i.imgur.com/ckElooZ.png
                                  It works!
                                  I have no idea what changed, but it works now.

                                  Thanks for your help, it means a lot :)

                                    SteveITS Galactic Empire @TomSparkLabs

                                    @tomsparklabs said in [Solved] Unable to ping pfSense's LAN interface on IPv6:

                                    rebooted the router

                                    Hmm, thanks from the future...I set up an HE tunnel tonight and though the router could get out over IPv6, and PCs got IPv6 addresses, I found the PCs could not ping the router, dig to pfSense DNS over IPv6 to the LAN IPv6 was blocked by the default block firewall rule despite already having a LAN IPv6 to any rule, and new rules I added for DNS.

                                    Restarting pfSense (2.5.1) got IPv6 working fine from the PCs.

                                    Oddly https://test-ipv6.com/ worked...I guess over IPv4? But it showed IPv6 working, 10/10.

                                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                                    Upvote 👍 helpful posts!

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.