HE Tunnelbroker pfSense IPv6 Issue
-
So what is your rules on the lan side network your clients are coming from? Do they allow ipv6? Do you have your clients correctly setup on either your /64 you got from HE, or did you breakup your /48 into different /64s you put on your lan side segments?
-
I appreciate the quick response, thanks John.
I should have mentioned that I'm not that technically minded, and most of what you said has gone right over my head. The part you mentioned about 'clients correctly setup on either your /64 you got from HE, or did you breakup your /48 into different /64s you put on your lan side segments' has totally thrown me. I'm going to start rebuilding the tunnel on my pfSense now, so what I'd like to do is perhaps tell you bits I'm not overly sure on and maybe you can point me in the right direction, if you don't mind.
My first query relates to configuring the tunnel interface and MTU. I'm on a PPPOE connection, so what should I set the MTU too, and do I set that value on my HE tunnel and the pfsense gui, or just the HE tunnel?
Second, when it comes to configuring LAN and tunnel interfaces there's an option to 'Use IPv4 connectivity as parent interface', do I need to tick the box for this option?
Thirdly, I get a bit confused when it comes to DHCPv6 & RA section, I'm pretty sure I get this right, but a bit of info on what I should input as range values would be helpful?
Finally, is it possible you can give me more detailed description on how to input LAN firewall rules please?
I'm pretty sure I get the most of the set up right, I guess I must be doing something right if I can ping IPv6 site from pfSense. And I do apologise for being such a novice and needing so much help, I'm not too worried if I can't get the tunnel up and running, so no rush, but I would be really appreciative of any help you can give.
-
Not sure why you would be worried about setting the MTU until you actually have the tunnel up and working..
If your on PPPoE then change the MTU on the HE site to what your PPPoE can handle, etc.
To be honest I wouldn't worry about setup on dhcpv6 or RA until you have it working static first..
So did you just get the 1 /64 from HE or did you get the /48?
You would setup your HE interface with the tunnel IPv6 they give you, then setup on the lan the /64 they give you.. Then setup client with that IPv6 in your /64 - does that work? Can you ping ipv6.google.com ? If so then you can worry about if your MTU is best or if you want to use DHCPv6 or not. Not really required..
-
The part you mentioned about 'clients correctly setup on either your /64 you got from HE, or did you breakup your /48 into different /64s you put on your lan side segments' has totally thrown me.
One thing about IPv6 is it has an unbelievably huge address space. So, instead of getting just one address from the ISP, as was usual on IPv4, you get large blocks of addresses. The smallest block ISPs are supposed to hand out is a /64, which is 18.4 billion, billion addresses. An ISP may provide larger blocks. Mine provides a /56, which can be spit into 256 /64s. A /48, as he.net provides, has 65536. You can use pfSense to split off individual /64s for each network or VLAN you have.
As for MTU, I don't know what HE requires, but the tunnel broker I used to use set the MTU to 1280, which is the smallest allowed on IPv6. Using PPPoE will require a slightly smaller MTU that the common 1500. Other than a bit of a performance hit, there's no problem using a smaller MTU than necessary.
-
Cheers for the reply.
I got the 1 /64 from HE.
Unfortunately something came up so I wasn't able to rebuild my tunnel earlier but I will try your suggestions tomorrow and let you know what happens, especially leaving dhcpv6 / RA for now. I was able to ping ipv6.google.com on the previous tunnel setup through pfSense, but I didn't try it using command prompt on my PC, I guess that'll help identify what part of the connection is actually not working properly.
Many thanks again for your comments and advice, I really do appreciate it.
-
Right, quick update for you.
I've tried rebuilding my tunnel on pfsense.
I can ping ipv6.google.com through pfsense (see image). I have also added image of my ipv6 test results, the only positive being that my dns server appears to have ipv6 internet access.
I'm pretty sure I'm getting the final LAN firewall rule wrong to let ipv6 traffic out. Any help with setting this up would be appreciated.
-
Another quick up date. I've managed to get the ipv6 test website to identify my ipv6 address (see image)
Unfortunately I've got a message stating I have a broken or misconfigured ipv6 setup, but other than the final lan firewall rule to let ipv6 traffic out, I'm pretty sure everything else is set up correctly.
Any thoughts and/or advice would be greatly appreciated.
-
Just to add, I am also able to ping ipv6.google.com from my PC using command prompt.
-
Post your LAN rules, we can't make heads or tails of what's actually going on if we can't see the rules.
You could also just allow all IPv6 in on the LAN interface for now and it would rule out problems with your LAN rules.
Also post your interface setups including the GIF interface setup, the setup of the OPT interface that acts as your IPv6 WAN and your LAN interface setup.
-
If your HE tunnel was setup it would show you coming form HE.. Not some isp..
-
Cheers for the replies, much appreciated.
Right, I've attached a load of images of my setup in the hope someone can point me in the right direction. I've probably done something really dumb! The image titles say what they are.
Many thanks
-
Where is your gif interface for your tunnel?
I assume those pings your allowing if from HE IPs? Haven't bothered to lookup those source IPs you have limited it too.
Your gif or tunnel is going to be a 1 off from your /64 they give you..
-
Attached is my gif interface details. I also added an image of an option to use ipv4 connectivity as parent interface, does the box need to be checked on this option?
-
Does your gateway come up?
-
Yes it does, but the initial WAN setup for PPPOE, before I started messing around with my ipv6 tunnel details has gone offline, should it do that? (see image)
I've also attached images of my HE tunnel, and the interfaces on the pfsense dashboard, didn't know if they might highlight anything unusual.
-
So you have 1f08 prefix on your tunnel and the 1f09 prefix on your lan right?
Can your lan client ping the 1f09 ::1 address? What IP did you give your client.. What is the ipconfig /all of your client on your lan?
Curious to see your full ipconfig /all from your client… Windows like to use teredo and 6to4 and isatap... Curious if your seeing address there.. I have all those transition technologies disabled and only the clean dualstack running.
-
Cheers for helping out so much John, hopefully we can get there in the end!
Ok, just so you know I've created a new HE tunnel and provided an image of it. On top of that I've tried to build my tunnel again but still having connectivity issues with ipv6 sites. I've attached images of my wan, lan and tunnel interfaces, perhaps you can have a look and see if you notice anything out of place.
I've also ping tested ::1 address from my client with results shown in the image.
Ipconfig /all results shown on last 3 attached images.
Please let me know if you notice anything out of place.
Many thanks.
-
Why is your IPv6 address on your LAN interface not finished?
Give a number on the end ::1 or ::254 something!!
Looks like your pinging the far end of the tunnel. But you seem to have some other addresses on there on your lan. And you don't have a IPv6 dns setup and or global gateway.. If your going t set static then set that up…
Once you have that working, then you can worry about dhcp or autoipv6 addresses via RA, etc.
-
I really appreciate your help John.
With regards to your comments about ipv6 dns and / or global gateway setup, I can't find any reference to these in the guide, so probably the reason why they aren't setup.
I've just hooked up my Asus AC86U to my modem, bypassed my pfsense device, and configured my HE tunnel on the AC86U and I've got ipv6 connectivity straight away. I know I've followed the pfsense guide for setting up an HE tunnel on my pfsense as accurately as I can, but for some reason it just won't work. I don't see why it's so easy to setup on my AC86U yet so difficult on pfsense., it's certainly beaten me.
As I said before it's not important for me to get up and running, just would have been nice to have it, so I'm going to leave it for now. Perhaps when I have more time I'll rebuild pfsense and try again then, perhaps my initial setup wasn't correct.
Thanks again for all your help, I do appreciate your efforts.
