Netgate Discussion Forum

    Cannot route IPv6 - Frustrated

      IsaacFL @IsaacFL

      Also I think it is best to reboot after changing all of this. I don't think you have to, but it shouldn't hurt.

        johnnybinator @IsaacFL

        @isaacfl

        I have tried the hint on WAN, track interface setup until I was blue in the face. It does not work with my setup.

        I'm not sure you're reading all the way back to the beginning. My pfSense router does not handle DHCP for my LAN, nor does it handle VLANs.

        All I want to use the router for is routing. All other layer 2/3 is handled by my Cisco switch. DHCP is handled by a Red Hat box. All I want is to route IPv6 out of my LAN to pfSense, and then to the Comcast "Gateway" and then to the freakin' internet.

        IPv4 works very well this way. I believe there's a way to do what I want, just something isn't right.

          johnnybinator @johnnybinator

          @johnnybinator

          This is IPv4. Working great. See how the VLANs are all 172.16.x.254. That's the default gateway on all my subnets. All subnets route to the default route in the Cisco, which is the 172.16.0.253/30 which is connected to the pfSense router. pfSense has a route back to 172.16.0.0/16 via that same interface.

          I need this to work the same (or equivalent) on IPv6. Track interface does not get an IPv6 address at all.

          [image]

            IsaacFL @johnnybinator

            @johnnybinator said in Cannot route IPv6 - Frustrated:

            @isaacfl

            I have tried the hint on WAN, track interface setup until I was blue in the face. It does not work with my setup.

            I'm not sure you're reading all the way back to the beginning. My pfSense router does not handle DHCP for my LAN, nor does it handle VLANs.

            All I want to use the router for is routing. All other layer 2/3 is handled by my Cisco switch. DHCP is handled by a Red Hat box. All I want is to route IPv6 out of my LAN to pfSense, and then to the Comcast "Gateway" and then to the freakin' internet.

            IPv4 works very well this way. I believe there's a way to do what I want, just something isn't right.

            I am not sure I am following your configuration then?

            So when you are saying "does not handle" you don't mean it doesn't work? It is just being done somewhere else?
            If that is the case, then you probably have your "somewhere else" configured wrong, cause in ipv6 routing just works, or it should, since it is automatic.

              IsaacFL @IsaacFL

              Maybe this will help. In an ipv6 router every interface negotiates a link local address (fe80 addresses). You don't set default gateways because routers advertise themselves to each other and devices.

              So the brick box is pfsense, and it has a single interface internal connected to Cisco, which then further routes?

                johnnybinator @IsaacFL

                @IsaacFL

                When I set Track interface on LAN it doesn't get an IP address. I still am getting an IPv6 address on WAN.

                  johnnybinator

                  Destination Gateway Flags Netif Expire
                  default 96-77-17-178-stati UGS igb0
                  10.200.0.0/24 172.16.0.253 UGS igb1
                  10.200.1.254 link#2 UHS lo0
                  10.200.1.254/32 link#2 U igb1
                  xx.xx.17.176/30 link#1 U igb0
                  xx-xx-17-177-stati link#1 UHS lo0
                  localhost link#4 UH lo0
                  172.16.0.0/16 link#2 U igb1
                  pfSense link#2 UHS lo0

                  Internet6:
                  Destination Gateway Flags Netif Expire
                  default fe80::fc91:14ff:fe UGS igb0
                  localhost link#4 UH lo0
                  xxxx:xxxx:xx::c000: link#1 U igb0
                  xxxx:xxxx:xx::c000: link#1 UHS lo0
                  xxxx:xxxx:xx::c000: link#1 UHS lo0
                  fe80::fc91:14ff:fe fe80::fc91:14ff:fe UGHS igb0
                  fe80::%igb0/64 link#1 U igb0
                  fe80::21b:21ff:fe7 link#1 UHS lo0
                  fe80::%igb1/64 link#2 U igb1
                  fe80::1:1%igb1 link#2 UHS lo0
                  fe80::%lo0/64 link#4 U lo0
                  fe80::1%lo0 link#4 UHS lo0

                    IsaacFL @johnnybinator

                    @johnnybinator said in Cannot route IPv6 - Frustrated:

                    @IsaacFL

                    When I set Track interface on LAN it doesn't get an IP address. I still am getting an IPv6 address on WAN.

                    From the way the picture shows it, it looks like it is all done in the Cisco. It is just a point-to-point connection from the pfsense to Cisco? You said Cisco does layer 2/3. Layer 3 includes ipv6, so the Cisco has to be configured to do the routing in your case.

                    Your best bet is to hook a pc to the pfsense LAN interface and see that it is able to ping the internet.

                      johnnybinator @IsaacFL

                      @isaacfl
                      You know, that's a good idea. I hadn't thought of that. Thanks.

                        IsaacFL @johnnybinator

                        @johnnybinator said in Cannot route IPv6 - Frustrated:

                        @isaacfl
                        You know, that's a good idea. I hadn't thought of that. Thanks.

                        Have you been using pfsense for a while, so it is only ipv6 you are struggling with? Or are you new to pfsense?

                        Will help me to know that.

                          johnnybinator @IsaacFL

                          @isaacfl

                          I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.

                          I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.

                            IsaacFL @johnnybinator

                            @johnnybinator said in Cannot route IPv6 - Frustrated:

                            @isaacfl

                            I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.

                            I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.

                            OK, I would try to get a PC working on the LAN side of the pfsense then. I would bet it is probably working, then we would need to figure out how to get it to work in your configuration.

                            I have only been using pfsense for a few months, so new on its idiosyncrasies, but I have been working with ipv6 for a few years now. So I am more familiar with ipv6 than pfsense.

                            I won't be able to spend any more time today, but I will say that ipv6 routing isn't as difficult as ipv4. The difference is ipv6 uses the link local address and multicast on each interface to do the actual routing.

                              JKnott @johnnybinator

                              @johnnybinator said in Cannot route IPv6 - Frustrated:

                              @isaacfl

                              I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.

                              I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.

                              For the most part, IPv6 works the same as IPv4, but with longer addresses. However, there are some differences, such as ARP being replaced with neighbour discovery, default gateway and prefix being automagically configured with router advertisements. There are other things for improved performance, such as fixed-length headers and extension headers.

                              One book I find is a good reference is IPv6 Essentials, from O'Reilly.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                                Derelict LAYER 8 Netgate

                                What is your delegated /56? Are they actually delegating it to you?

                                Check the Start DHCP6 client in debug mode checkbox on WAN, Save, and Apply, then examine the DHCP logs. You should see what you want to by searching for message IA_PD or process dhcp6c. What is it showing for a /56 delegated?

                                You would then need to route a larger prefix of that, say a /60 to the switch then add /64s to the individual switch layer 3 interfaces and configure DHCP6, SLAAC, etc. on the switch (Just like IPv4).

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                  johnnybinator @Derelict

                                  @derelict

                                  This is what I get (I do get an address):

                                  Sep 1 10:37:43 dhcp6c 8607 failed to parse configuration file
                                  Sep 1 10:37:43 dhcp6c 8607 called
                                  Sep 1 10:37:43 dhcp6c 8607 /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
                                  Sep 1 10:37:43 dhcp6c 8607 called
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of closure [}] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <13>begin of closure [{] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <13>[0] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <13>[na] (2)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[id-assoc] (8)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of closure [}] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>comment [# we'd like some nameservers please] (35)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[script] (6)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[domain-name] (11)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[request] (7)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[domain-name-servers] (19)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[request] (7)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>comment [# request prefix delegation] (27)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[0] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[ia-pd] (5)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[send] (4)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>comment [# request stateful address] (26)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[0] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[ia-na] (5)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[send] (4)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>begin of closure [{] (1)
                                  Sep 1 10:37:43 dhcp6c 8607 <5>[igb0] (4)
                                  Sep 1 10:37:43 dhcp6c 8607 <3>[interface] (9)
                                  Sep 1 10:37:43 dhcp6c 8607 skip opening control port
                                  Sep 1 10:37:43 dhcp6c 8607 failed initialize control message authentication
                                  Sep 1 10:37:43 dhcp6c 8607 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
                                  Sep 1 10:37:43 dhcp6c 8607 extracted an existing DUID from /var/db/dhcp6c_duid: BLAH BLAH

                                    IsaacFL

                                    I assume you have a firewall rule to pass the ipv6 traffic on your LAN interface?

                                    [image: 0_1535822333484_Capture.PNG]

                                      johnnybinator @IsaacFL

                                      @isaacfl
                                      [image]

                                        Derelict LAYER 8 Netgate

                                        Yeah something is not right. Post your WAN interface configuration page.

                                        My last renewal for reference. Note the IA_PD being assigned.

                                        Sep 1 03:55:10 	dhcp6c 	44071 	IA timeout for PD-0, state=ACTIVE
                                        Sep 1 03:55:10 	dhcp6c 	44071 	reset a timer on igb0, state=RENEW, timeo=0, retrans=10220
                                        Sep 1 03:55:10 	dhcp6c 	44071 	Sending Renew
                                        Sep 1 03:55:10 	dhcp6c 	44071 	a new XID (a5356f) is generated
                                        Sep 1 03:55:10 	dhcp6c 	44071 	set client ID (len 14)
                                        Sep 1 03:55:10 	dhcp6c 	44071 	set server ID (len 14)
                                        Sep 1 03:55:10 	dhcp6c 	44071 	set elapsed time (len 2)
                                        Sep 1 03:55:10 	dhcp6c 	44071 	set option request (len 4)
                                        Sep 1 03:55:10 	dhcp6c 	44071 	set IA_PD prefix
                                        Sep 1 03:55:10 	dhcp6c 	44071 	set IA_PD
                                        Sep 1 03:55:10 	dhcp6c 	44071 	send renew to ff02::1:2%igb0
                                        Sep 1 03:55:10 	dhcp6c 	44071 	receive reply from fe80::2e86:d2ff:fe89:2019%igb0 on igb0
                                        Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option client ID, len 14
                                        Sep 1 03:55:10 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:00:08:a2:0a:59:41
                                        Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option server ID, len 14
                                        Sep 1 03:55:10 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:f8:bc:12:3e:b6:9c
                                        Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option DNS, len 32
                                        Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option IA_PD, len 47
                                        Sep 1 03:55:10 	dhcp6c 	44071 	IA_PD: ID=0, T1=43200, T2=69120
                                        Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option status code, len 2
                                        Sep 1 03:55:10 	dhcp6c 	44071 	status code: success
                                        Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option IA_PD prefix, len 25
                                        Sep 1 03:55:10 	dhcp6c 	44071 	IA_PD prefix: 2600:dabb:ad00:bc00::/56 pltime=86400 vltime=86400
                                        Sep 1 03:55:10 	dhcp6c 	44071 	dhcp6c Received INFO
                                        Sep 1 03:55:10 	dhcp6c 	44071 	nameserver[0] 2001:578:3f::30
                                        Sep 1 03:55:10 	dhcp6c 	44071 	nameserver[1] 2001:578:3f:1::30
                                        Sep 1 03:55:10 	dhcp6c 	44071 	update an IA: PD-0
                                        Sep 1 03:55:10 	dhcp6c 	44071 	status code for PD-0: success
                                        Sep 1 03:55:10 	dhcp6c 	44071 	update a prefix 2600:dabb:ad00:bc00::/56 pltime=34359824768, vltime=34359824768
                                        Sep 1 03:55:10 	dhcp6c 	44071 	executes /var/etc/dhcp6c_wan_script.sh
                                        Sep 1 03:55:10 	dhcp6c 		dhcp6c renew, no change - bypassing update on igb0
                                        Sep 1 03:55:10 	dhcp6c 	44071 	script "/var/etc/dhcp6c_wan_script.sh" terminated
                                        Sep 1 03:55:10 	dhcp6c 	44071 	removing an event on igb0, state=RENEW
                                        Sep 1 03:55:10 	dhcp6c 	44071 	got an expected reply, sleeping.
                                        Sep 1 03:55:16 	dhcp6c 	44071 	IA timeout for NA-0, state=ACTIVE
                                        Sep 1 03:55:16 	dhcp6c 	44071 	reset a timer on igb0, state=RENEW, timeo=0, retrans=9710
                                        Sep 1 03:55:16 	dhcp6c 	44071 	Sending Renew
                                        Sep 1 03:55:16 	dhcp6c 	44071 	a new XID (93002a) is generated
                                        Sep 1 03:55:16 	dhcp6c 	44071 	set client ID (len 14)
                                        Sep 1 03:55:16 	dhcp6c 	44071 	set server ID (len 14)
                                        Sep 1 03:55:16 	dhcp6c 	44071 	set IA address
                                        Sep 1 03:55:16 	dhcp6c 	44071 	set identity association
                                        Sep 1 03:55:16 	dhcp6c 	44071 	set elapsed time (len 2)
                                        Sep 1 03:55:16 	dhcp6c 	44071 	set option request (len 4)
                                        Sep 1 03:55:16 	dhcp6c 	44071 	send renew to ff02::1:2%igb0
                                        Sep 1 03:55:17 	dhcp6c 	44071 	receive reply from fe80::2e86:d2ff:fe89:2019%igb0 on igb0
                                        Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option client ID, len 14
                                        Sep 1 03:55:17 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:00:08:a2:0a:59:41
                                        Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option server ID, len 14
                                        Sep 1 03:55:17 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:f8:bc:12:3e:b6:9c
                                        Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option DNS, len 32
                                        Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option identity association, len 46
                                        Sep 1 03:55:17 	dhcp6c 	44071 	IA_NA: ID=0, T1=43200, T2=69120
                                        Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option status code, len 2
                                        Sep 1 03:55:17 	dhcp6c 	44071 	status code: success
                                        Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option IA address, len 24
                                        Sep 1 03:55:17 	dhcp6c 	44071 	IA_NA address: 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400 vltime=86400
                                        Sep 1 03:55:17 	dhcp6c 	44071 	dhcp6c Received INFO
                                        Sep 1 03:55:17 	dhcp6c 	44071 	nameserver[0] 2001:578:3f::30
                                        Sep 1 03:55:17 	dhcp6c 	44071 	nameserver[1] 2001:578:3f:1::30
                                        Sep 1 03:55:17 	dhcp6c 	44071 	update an IA: NA-0
                                        Sep 1 03:55:17 	dhcp6c 	44071 	status code for NA-0: success
                                        Sep 1 03:55:17 	dhcp6c 	44071 	update an address 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400, vltime=140733193474432
                                        Sep 1 03:55:17 	dhcp6c 	44071 	add an address 2600:abba:daba:1c00:f482:dfe0:8871:7c09/128 on igb0
                                        Sep 1 03:55:17 	dhcp6c 	44071 	executes /var/etc/dhcp6c_wan_script.sh
                                        Sep 1 03:55:17 	dhcp6c 		dhcp6c renew, no change - bypassing update on igb0
                                        Sep 1 03:55:17 	dhcp6c 	44071 	script "/var/etc/dhcp6c_wan_script.sh" terminated
                                        Sep 1 03:55:17 	dhcp6c 	44071 	removing an event on igb0, state=RENEW
                                        Sep 1 03:55:17 	dhcp6c 	44071 	got an expected reply, sleeping. 
                                        

                                          Derelict LAYER 8 Netgate @johnnybinator

                                          @johnnybinator

                                          @johnnybinator said in Cannot route IPv6 - Frustrated:

                                          @johnpoz
                                          I'm obviously new to this stuff

                                          What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

                                          For the interface address/network, yes. But the /56 you need to route to the inside router is a completely different thing.

                                            IsaacFL @johnnybinator

                                            @johnnybinator said in Cannot route IPv6 - Frustrated:

                                            @isaacfl
                                            [image]

                                            On your ipv6 pass rule, you might want to change source from LAN net to any for testing.

                                            If you are going to actually be implementing the routing on your Cisco you will need to allow your entire /56 as a source. Remember we aren't doing NAT with ipv6.

                                            What I would do is create a firewall alias, LOCAL_SUBNETS_v6 with your ipv6 prefix /56.

                                            Then in your firewall rule, use LOCAL_SUBNETS_v6 as the source.

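Added example, not code from any poster or from pfSense: the checks discussed in the posts above, in Python. It reads dhcp6c debug lines for a delegated IA_PD prefix or the configuration parse failure, carves a /60 out of the /56 for the inside router, and shows why a pass rule with source "LAN net" misses hosts behind the switch while a /56 alias matches them. The function names, LAN_NET and the choice of the second /60 are assumptions for illustration; the log lines are copied from the thread.

```python
import ipaddress
import re

# Sample lines copied from the dhcp6c debug output posted in this thread.
GOOD_LOG = """\
Sep 1 03:55:10 dhcp6c 44071 get DHCP option IA_PD, len 47
Sep 1 03:55:10 dhcp6c 44071 IA_PD: ID=0, T1=43200, T2=69120
Sep 1 03:55:10 dhcp6c 44071 IA_PD prefix: 2600:dabb:ad00:bc00::/56 pltime=86400 vltime=86400
"""
BAD_LOG = """\
Sep 1 10:37:43 dhcp6c 8607 failed to parse configuration file
Sep 1 10:37:43 dhcp6c 8607 /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
"""
# Assumption: the /64 on the firewall's directly attached LAN, i.e. what a
# "LAN net" rule source would cover. Not a value from the thread.
LAN_NET = ipaddress.IPv6Network("2600:dabb:ad00:bc00::/64")

PD_RE = re.compile(r"IA_PD prefix:\s+(\S+)\s+pltime=\d+\s+vltime=\d+")
ERR_RE = re.compile(r"failed to parse configuration file|IA_PD \(\d+\) is not defined")


def delegation_status(log_text):
    """Return (delegated_prefix_or_None, [config errors]) from dhcp6c debug lines."""
    prefix, errors = None, []
    for line in log_text.splitlines():
        if "dhcp6c" not in line:
            continue
        granted = PD_RE.search(line)
        if granted:
            prefix = ipaddress.IPv6Network(granted.group(1))
            continue
        err = ERR_RE.search(line)
        if err:
            errors.append(err.group(0))
    return prefix, errors


def plan_routed_block(delegated, routed_len=60, index=1):
    """Pick one /routed_len from the delegation to route to the inside router
    and list the /64s it can assign to its layer 3 interfaces.
    index=1 leaves the first block for the firewall itself (an assumption)."""
    if not delegated.prefixlen <= routed_len <= 64:
        raise ValueError(f"cannot carve a /{routed_len} out of {delegated}")
    blocks = list(delegated.subnets(new_prefix=routed_len))
    if index >= len(blocks):
        raise ValueError(f"{delegated} holds only {len(blocks)} /{routed_len} block(s)")
    routed = blocks[index]
    return routed, list(routed.subnets(new_prefix=64))


def source_allowed(src, rule_source):
    """True if a pass rule whose source is rule_source would match src."""
    return ipaddress.IPv6Address(src) in rule_source


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        prefix, errors = delegation_status(log)
        print(name, "delegated:", prefix, "errors:", errors)
    delegated, _ = delegation_status(GOOD_LOG)
    routed, vlans = plan_routed_block(delegated)
    print("route to switch:", routed)
    print("first/last /64:", vlans[0], vlans[-1])
    host = "2600:dabb:ad00:bc13::25"  # constructed host address behind the switch
    print(host, "matches LAN net:", source_allowed(host, LAN_NET))
    print(host, "matches /56 alias:", source_allowed(host, delegated))
```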
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.