WAN and LAN IPv6

Guest

You should not need it, I have no static route defined. Did you not say that you can ping an ipv6 like google.com from pfsense
?

pvexed

I think the problem is that the /64 blocks are distinct maybe?  I don't have a /48 or a /56 or anything I just have two /64 blocks, and apparently one is routed via the other.

So in block 1 which is the non-routed block, I get assigned a random address from it on WAN via DHCP6.

In block 2 which is the routed block, I assign the first IP as static on the LAN and the rest given out to LAN clients via DHCPv6 or whatever.

In Diagnostics -> Ping I can choose WAN or LAN as the source address and try to ping an IPv6.  When doing this, it correctly pings from block 1 (WAN) or block 2 (LAN) as the source and I get a response.  The problem is that absolutely no IPv6 works on the LAN.  The LAN clients all have addresses from block 2 but they can't ping the static IPv6 on the LAN or anything, there's no v6 connectivity at all.

Guest

Have you set up target?

Guest

That should read RADVD damn autocorrect!

pvexed

I have it set to Assisted with no further configuration options.  Do I need to make an addition to "RA Subnets" or anything?

Guest

@pvexed:

Thanks for your help so far - so in my Gateways section I have a WAN_DHCP6 gateway set as a default, with an fe80 address set as the gateway itself.

I'm a little confused about what exactly I need to add for the static route.  My WAN is automatically assigned some address in the AAAA:XXXX:1:YYY::/64 when it connects, and I can see that in Status -> Interfaces.

For LAN I am trying to statically assign AAAA:XXXX:1:ZZZ::1 to that interface.  When I do that in Interfaces -> LAN, I have an option to set the "Upstream Gateway", but WAN_DHCP6 is not an option here.  I can't add another gateway with the same fe80 address as it complains that gateway IP already exists.

There is no upstream gateway on the LAN, but it should be set on the WAN, is that the case?

pvexed

@marjohn56:

@pvexed:

Thanks for your help so far - so in my Gateways section I have a WAN_DHCP6 gateway set as a default, with an fe80 address set as the gateway itself.

I'm a little confused about what exactly I need to add for the static route.  My WAN is automatically assigned some address in the AAAA:XXXX:1:YYY::/64 when it connects, and I can see that in Status -> Interfaces.

For LAN I am trying to statically assign AAAA:XXXX:1:ZZZ::1 to that interface.  When I do that in Interfaces -> LAN, I have an option to set the "Upstream Gateway", but WAN_DHCP6 is not an option here.  I can't add another gateway with the same fe80 address as it complains that gateway IP already exists.

There is no upstream gateway on the LAN, but it should be set on the WAN, is that the case?

So there's no specific gateway set on the WAN because it's assigned via DHCP6 from ISP rather than statically on my end, but a gateway is defined by DHCP6 and it does work for connectivity from pfSense to the internet - it's an fe80 address.  For the static assignment on the LAN the gateway is set to "None" in the dropdown as it's the only option I have.

Guest

If you look in Routing/Gateways, there should be two entries, one for ipv4, one for ipv6, both are created automatically, are they there?

Guest

I want you to try something else. I suspect you can set your LAN to track your WAN interface. In WAN settings, you have it set to dhcp6. I think you should find that the LAN side will work if you set it track the WAN, so in LAN, set the IPV6 config type to "Track Interface", then  further down the page set the Track IPv6 interface to WAN, leave the prefix ID at 0.

Try that and then tell me what you see on the dashboard for addresses on the LAN interface.

pvexed

@marjohn56:

If you look in Routing/Gateways, there should be two entries, one for ipv4, one for ipv6, both are created automatically, are they there?

Yes they are both there, auto-named WAN_PPPOE and WAN_DHCP6.  Both are set as default and both have "external" addresses set as the Monitor IP and are responding etc. how I'd expect in that regard.

I will try the track interface now.

pvexed

Ok with Track Interface my WAN gets an IP in block 1 and my LAN gets no IPv6 address at all.  It also causes my WAN to flap and constantly disconnect/reconnect until I remove the track interface.

Guest

Ok, put it back as was and do a ping from a device on the LAN side and see if you can ping pfsense's wan  ipv6 address.

pvexed

@marjohn56:

Ok, put it back as was and do a ping from a device on the LAN side and see if you can ping pfsense's wan  ipv6 address.

Doesn't work unfortunately, same deal.

Here's the output of ip -6 route show on a client:

AAAA:XXXX:1:ZZZ:IPV6:IPV6:IPV6:IPV6:IPV6 dev wlp2s0 proto kernel metric 600 pref medium
AAAA:XXXX:1:ZZZ::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
default via fe80::1:1 dev wlp2s0 proto ra metric 600 pref medium

And ip -6 nei:

fe80::1:1 dev wlp2s0 lladdr 00:08:a2:no:no:no router STALE
AAAA:XXXX:1:ZZZ::1 dev wlp2s0 FAILED

pvexed

Also, if I do a packet capture on pFsense, Interface = LAN, Address Family = IPv6 Only, and run a ping from a LAN client to WAN address, I see the packets coming in to pfSense:
22:08:57.887259 IP6 LAN_CLIENT_V6 > WAN_V6: ICMP6, echo request, seq 1, length 64

Seems they don't go any further than that though.

EDIT: Also did a packet capture on WAN and did a ping from a LAN client.  I think I see the replies trying to get back to the LAN client and failing:
22:13:02.741919 IP6 WAN_V6 > LAN_CLIENT_V6: ICMP6, echo reply, seq 1, length 64
22:13:02.749090 IP6 fe80::V6_GATEWAY > LAN_CLIENT_V6: ICMP6, destination unreachable, unreachable address LAN_CLIENT_V6, length 112

Guest

Can you take a look at your firewall logs and see what's happening there? You do have a default PASS on the LAN side for IPv6 I assume?

pvexed

@marjohn56:

Can you take a look at your firewall logs and see what's happening there? You do have a default PASS on the LAN side for IPv6 I assume?

Yes I have the "Default allow LAN IPv6 to any rule" enabled, and in fact this is a fairly new pfSense install, all the firewall rules are stock.  I don't see any results under Firewall -> Normal View or Firewall -> Dynamic View for any of the v6 addresses involved while trying to ping.

Guest

Hmm, hate to say it, but I'm baffled :(

Let's hope someone else comes in with a fresh mind.

pvexed

Just looking at what my ISP said again, or at least part of it:

Just need to configure static route at WAN device for AAAA:XXXX:1:ZZZ::/64 pointing towards your LAN

Could there be anything to do that given I see when I packet cap on the WAN I see this:
22:13:02.749090 IP6 fe80::V6_GATEWAY > LAN_CLIENT_V6: ICMP6, destination unreachable, unreachable address LAN_CLIENT_V6, length 112

Which seems to be my ISP's gateway (at least its link-local) saying that it can't reach the addresses on my LAN?

pvexed

I made some further progress but it's still not 100%.

I noticed that in Diagnostics -> Routes, that AAAA:XXXX:1:ZZZ::/64 was being given a route on the same link as AAAA:XXXX:1:YYY::/64 even when I didn't have ZZZ defined in my LAN or anything.  This made me think that maybe my ISP's DHCP was adding this route which was perhaps confusing pfSense.

So instead I turned off IPv6 on the WAN, and deleted the gateway for IPv6.  Then I made a new gateway with the ISP link-local address and with the IPv6 over IPv4 link checkbox checked.  Then I statically assigned the old IPv6 address my WAN had to the WAN and set that as the gateway.  WAN came back up and didn't look any different than before (pings/traceroutes from pfSense to internet working as expected).

I checked Diagnostics -> Routes and I can see there's no route for ZZZ block, as expected.  So then I added ZZZ block to LAN as before, and still with upstream gateway set to none, so essentially exactly the same config.  After checking Diagnostics -> Routes now I can see ZZZ block has a route via the LAN port and not the PPPoE link.

Fundamentally, IPv6 now works on LAN clients, I can go to https://ipv6.google.com without issue on LAN clients.  But something is still broken.  All pings and traceroutes stop at the pfSense box.  For example:
tracert -6 google.com

Tracing route to google.com [2a00:1450:4009:812::200e]
over a maximum of 30 hops:

1    <1 ms    <1 ms    <1 ms  pfsense.lan.xxxxx [AAAA:XXXX:1:ZZZ::1]

Trace complete.

Guest

This begins to sound like my system. I have a PPPoE connection the negotiates on V4, then V6 is routed via the PPPoE link, my addresses are all static, although I can use dhcp6.

When you say you cannot ping the LAN client, are you trying to ping it from the WAN?