Netgate Discussion Forum

    IPv6 doubts

    47 Posts 5 Posters 9.4k Views 5 Watching
      cmpsalvestrini @Derelict

      @derelict I'm still on the static, I fiddled with the LAN side a bit and I have as follows:
      Interfaces status:

      0_1527533428032_2018-05-28 (3).png

      Firewall:

      0_1527533458688_2018-05-28 (4).png

      I know I was complicating things, I removed the bridge and I am trying to be a good boy and use a ULA and the (famous? infamous? nefarious?) NPt service. I get as follows in my client:

      0_1527533576396_2018-05-28 (5).png

      All dandy, until:

      0_1527533619063_2018-05-28 (6).png

        Derelict LAYER 8 Netgate

        Right. The other doesn't but that could be rules.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          NogBadTheBad

          You have an invert match rule on your WAN interface.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            Derelict LAYER 8 Netgate

            OK now everything is completely different. I would request that you stop making wholesale changes and perform the requested steps.

            It is not up to you to be good and use ULA. It is up to the ISP not to be bad to give you something usable.

              Derelict LAYER 8 Netgate @NogBadTheBad

              And the destination is WAN net not the entire /56 so you won't be able to ping anything on the inside /64s. Please re-read my suggested actions above.

                cmpsalvestrini

                @derelict That's what happens when one starts thinking and having weird ideas. Let me fix that and I'll get back to you.

                  NogBadTheBad @Derelict

                  @derelict

                  I just noticed the ! I know how much you like them :)

                  Andy

                    cmpsalvestrini

                    @Derelict Okay. Things have been fixed to the way they were before, eliminating the bridge (Bad, bad idea I had). I apologize for not following the procedure. I have been dealing with this for the past 2 months trying to get IPv6 working and, well, let's say frustration is a bad counselor. Anyhow, as requested:

                    0_1527534722264_2018-05-28.png

                    Firewall rule:
                    0_1527534822159_2018-05-28 (1).png

                      NogBadTheBad

                      @CMPSALVESTRINI

                      Are you sure you've fully removed the bridge? I can still see the bridge line in the screenshot.

                      Andy

                        Derelict LAYER 8 Netgate

                        OK with those rules in place I should be able to ping 2001:818:d9d9:ba01::fffe but I cannot. So they are apparently not routing that to you like they said.

                        I would go back to them and ask how exactly this is provisioned.

                        What do I put on the WAN interface here?

                        How is the /56 routed to me?

                        Just ask for generic instructions for any router. It doesn't have to be pfSense-specific.

                        I would also packet capture for incoming ICMPv6 packets to that address and ping it from the outside and see if they show up.

                        If not I would packet capture for neighbor solicitations on WAN for that address and ping it again. If they are soliciting for a neighbor on two different /64s on WAN they are, as @johnpoz might say, borked.

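The capture check Derelict describes above, as an added example (not code from the thread or from pfSense): it classifies raw IPv6 packets from a WAN capture as echo requests to, or neighbor solicitations for, 2001:818:d9d9:ba01::fffe. The sample packets, the 2001:db8::1 and fe80::1 addresses, and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Address pinged in the thread; everything else below is constructed sample data.
TARGET = ipaddress.IPv6Address("2001:818:d9d9:ba01::fffe")
ICMPV6, ECHO_REQUEST, NEIGHBOR_SOLICIT = 58, 128, 135  # RFC 4443 / RFC 4861

def classify(packet: bytes, target=TARGET):
    """Return 'echo', 'ns' or None for one raw IPv6 packet (no Ethernet header)."""
    if len(packet) < 48 or packet[0] >> 4 != 6 or packet[6] != ICMPV6:
        return None  # not IPv6/ICMPv6 (extension headers are not followed)
    dst = ipaddress.IPv6Address(packet[24:40])
    if packet[40] == ECHO_REQUEST and dst == target:
        return "echo"
    # NS body: type, code, checksum, 4 reserved bytes, then the 16-byte target.
    if packet[40] == NEIGHBOR_SOLICIT and len(packet) >= 64:
        if ipaddress.IPv6Address(packet[48:64]) == target:
            return "ns"
    return None

def diagnose(packets, target=TARGET):
    """Summarise a WAN capture taken while the address is pinged from outside."""
    seen = {classify(p, target) for p in packets}
    if "echo" in seen:
        return "echo-arrives"   # traffic reaches WAN: check rules / the address
    if "ns" in seen:
        return "ns-only"        # upstream treats the address as on-link on WAN
    return "nothing"            # neither routed nor solicited: ask the ISP

def build(src: str, dst: str, icmp: bytes) -> bytes:
    """Constructed test packet: 40-byte IPv6 header + ICMPv6 (checksum zero)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)

# Constructed samples: an outside ping, and an NS sent to the target's
# solicited-node multicast group by a hypothetical upstream router fe80::1.
SAMPLE_ECHO = build("2001:db8::1", str(TARGET), bytes([128, 0, 0, 0, 0, 1, 0, 1]))
SAMPLE_NS = build("fe80::1", "ff02::1:ff00:fffe",
                  bytes([135, 0, 0, 0, 0, 0, 0, 0]) + TARGET.packed)

if __name__ == "__main__":
    print(diagnose([SAMPLE_ECHO]), diagnose([SAMPLE_NS]), diagnose([]))
```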
                          Derelict LAYER 8 Netgate

                          The bridge should not matter for this test. There should be a 2001:818:d9d9:ba01::fffe/64 address on a localhost interface that should respond. The bridge should not matter here but should be cleaned up for sure.

                            cmpsalvestrini

                            @Derelict Thank you very much, I will ask these questions to the ISP and see about configuring things properly. I'll keep you posted about progress on this issue.

                              Derelict LAYER 8 Netgate

                              @derelict said in IPv6 doubts:

                              I would also packet capture for incoming ICMPv6 packets to that address and ping it from the outside and see if they show up.
                              If not I would packet capture for neighbor solicitations on WAN for that address and ping it again. If they are soliciting for a neighbor on two different /64s on WAN they are, as @johnpoz might say, borked.

                              I would diagnose whatever you can so you can be well-prepared to deal with ISP, umm, indifference.

                                cmpsalvestrini

                                UPDATE: I've talked to my ISP again, they said they'd get back to me about it. I asked them how to set up the IPv6 so it works with pfSense, I think I may have stumped them, hehe. In the meantime I need to prepare my weapons of clobbering <rolls all the IPv6 RFCs and readies them to clobber my ISP with them> Just saying, if they are being unorthodox... to quote rock man from the fantastic four: "It's clobberin' time!"

                                  JKnott @cmpsalvestrini

                                  @cmpsalvestrini said in IPv6 doubts:

                                  I think I may have stumped them, hehe

                                  Easy enough with first level "support". ;)

                                  PfSense running on Qotom mini PC
                                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                  UniFi AC-Lite access point

                                  I haven't lost my mind. It's around here...somewhere...

                                    cmpsalvestrini

                                    gets off the phone with ISP <groan> WAN IPv6 address is distributed by SLAAC ... </groan>

                                    I suppose I will have to set up some kind of bridge... I don't see how am I going to get my IPv6 working on the LAN side of my pfSense now. mutters darkly

                                      Derelict LAYER 8 Netgate

                                      What do you get on the WAN if you set it to SLAAC? (I would set it to SLAAC, apply, then shut down pfSense, reboot your modem until it comes back green, then start pfSense).

                                      After that is the /56 routed to you? They might be doing something there. I have never seen it but they might.

                                      What WAN address you get really doesn't matter. It is the /56 that matters.

                                        johnpoz LAYER 8 Global Moderator

                                        You cannot hand out a /56 via SLAAC. So how is it they said they gave you a /56?

                                        You can assign the router an IPv6 with slaac, and then delegate the /56 with dhcp prefix delegation.

                                        Simple solution to make all your pain go away would be just get a tunnel from HE.. You can get a /48 from them.. Take you all of a few minutes to get it up and running.

                                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                                        If you get confused: Listen to the Music Play
                                        Please don't Chat/PM me for help, unless mod related
                                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                          Derelict LAYER 8 Netgate

                                          I know you can't. But if that is what they are saying that is what should be attempted. Who knows what they are doing.

                                          When it doesn't work, he can go back to them and say "What about the /56?" "How is that routed to me?" Because he's certainly not going to get a /56 prefix using SLAAC, as broken as that would be.

                                            JKnott @cmpsalvestrini

                                            @cmpsalvestrini said in IPv6 doubts:

                                            gets off the phone with ISP <groan> WAN IPv6 address is distributed by SLAAC ... </groan>

                                            I suppose I will have to set up some kind of bridge... I don't see how am I going to get my IPv6 working on the LAN side of my pfSense now. mutters darkly

                                            Regardless of how you get your WAN address, they have to route your /56 prefix to you. This is normally done via the link local address, but can be done with whatever they assign to your WAN interface.

                                            On my network, I have a /56 prefix, but the WAN address is in a different one. However, my default gateway is a link local address.

                                            default fe80::217:10ff:fe9 UGS re0
