IPv6 doubts
-
If your isp is giving you a /56 via slaac that is utterly borked!!! There are 2 legit prefixes /64 and /128
How about you just let your wan be slaac and setup that /56 broken up behind you and see if that works... How is that isp try and rollout ipv6 and just do not have clue one.. Did nobody at this isp read any of the rfcs?
-
Post the output for your WAN interface from Status > Interfaces.
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
Off topic sorry - tried sending you a chat.. But you have them blocked.. Your link to the use this diagram is not working. Would guess since the change to nodebb vs smf
-
OK yeah chat should be fixed. Waiting for the attachments from the old forum to be sussed out before I hassle that diagram.
-
@Derelict : Of course, as soon as I get home I'll post the relevant info.
-
@johnpoz apparently not, I have exactly zero clue as to why they'd give me a whole /56, only to deny it to me by giving me /64 addresses through SLAAC from their router, smh...
-
@derelict as per your request here's the requested snapshot
-
OK that's a /64 on WAN so that is what I would expect.
Is that statically-configured or is that what is on the interface when WAN is configured for SLAAC?
LAN looks good as well. I would:
(At least temporarily) Pass ICMPv6 (any) traffic on WAN from source any to destination 2001:818:d9d9:ba00::/56
ping6 2001:818:d9d9:ba01::fffe from the outside someplace.
See if you get a response. If so, you can start looking at why LAN isn't working. If not, verify you can ping6 to 2001:818:d9d9:ba00::fffe. If not your pings are probably not working. if so, packet capture on WAN for IPv6 traffic for 2001:818:d9d9:ba01::fffe and test the ping6 to that again. Stop the capture and see if you can see the echo requests coming in from the ISP. If so, you can proceed to figure out why there is no response. If not, you need to nail down the ISP as to exactly how they are provisioning this /56.
-
You've got a bridge interface set up with IP addresses on each interface and the bridge, thought you should only have IP addresses on the bridge interface.
https://doc.pfsense.org/index.php/Interface_Bridges
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
@derelict this is statically configured. I haven't tried using SLAAC, will attempt to do so now.
-
Not at all what I recommended you do but OK.
-
@nogbadthebad Yeah I haven't even started with the bridge yet. First thing is to see if this ISP is even sending the traffic.
@cmpsalvestrini Why are you complicating things that aren't working yet with things like interface bridges? Why do you feel the need to do that?
-
Pings to the WAN interface work.
mac-pro:~ andy$ ping6 2001:818:d9d9:ba00::fffe
PING6(56=40+8+8 bytes) 2a02:8010:XXXX:X::14 --> 2001:818:d9d9:ba00::fffe
16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=0 hlim=252 time=50.847 ms
16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=1 hlim=252 time=51.265 ms
16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=2 hlim=252 time=50.797 ms
16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=3 hlim=252 time=50.751 ms
16 bytes from 2001:818:d9d9:ba00::fffe, icmp_seq=4 hlim=252 time=51.085 ms -
@derelict I-m still on the static, I fiddled with the LAN side a bit and I have as follows:
Interfaces status:
Firewall:
I know I was complicating things, I removed the bridge and I am trying to be a good boy and use a ULA and the (famous? infamous? nefarious?) NPt service. I get as follows in my client:
All dandy, until:
-
Right. the other doesn't but that could be rules.
-
You have a invert match rule on your wan interface.
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
OK now everything is completely different. I would request that you stop making wholesale changes and perform the requested steps.
It is not up to you to be good and use ULA. It is up to the ISP not to be bad to give you something usable.
-
And the destination is WAN net not the entire /56 so you won't be able to ping anything on the inside /64s. Please re-read my suggested actions above.
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM) -
@derelict That's what happens when one starts thinking and having weird ideas. Let me fix that and I'll get back to you.
-
I just noticed the ! I know how much you like them :)
