Cannot route IPv6 - Frustrated
-
@johnnybinator said in Cannot route IPv6 - Frustrated:
@isaacfl
You know, that's a good idea. I hadn't thought of that. Thanks.
Have you been using pfsense for a while, so it is only ipv6 you are struggling with? Or are you new to pfsense?
Will help me to know that.
-
I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.
I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.
-
@johnnybinator said in Cannot route IPv6 - Frustrated:
I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.
I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.
OK, I would try to get a PC working on the LAN side of the pfsense then. I would bet it is probably working, then we would need to figure out how to get it to work in your configuration.
I have only been using pfsense for a few months, so I'm new to its idiosyncrasies, but I have been working with ipv6 for a few years now. So I am more familiar with ipv6 than pfsense.
I won't be able to spend any more time today, but I will say that ipv6 routing isn't as difficult as ipv4. The difference is ipv6 uses the link local address and multicast on each interface to do the actual routing.
-
@johnnybinator said in Cannot route IPv6 - Frustrated:
I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.
I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.
For the most part, IPv6 works the same as IPv4, but with longer addresses. However, there are some differences, such as ARP being replaced with neighbour discovery, and default gateway and prefix being automagically configured with router advertisements. There are other things for improved performance, such as fixed-length headers and extension headers.
One book I find is a good reference is IPv6 Essentials, from O'Reilly.
-
What is your delegated /56? Are they actually delegating it to you?
Check the Start DHCP6 client in debug mode checkbox on WAN, Save, and Apply, then examine the DHCP logs. You should see what you want to by searching for message IA_PD or process dhcp6c. What is it showing for a /56 delegated?
You would then need to route a larger prefix of that, say a /60 to the switch then add /64s to the individual switch layer 3 interfaces and configure DHCP6, SLAAC, etc. on the switch (Just like IPv4).
-
This is what I get (I do get an address):
Sep 1 10:37:43 dhcp6c 8607 failed to parse configuration file
Sep 1 10:37:43 dhcp6c 8607 called
Sep 1 10:37:43 dhcp6c 8607 /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
Sep 1 10:37:43 dhcp6c 8607 called
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>end of closure [}] (1)
Sep 1 10:37:43 dhcp6c 8607 <13>begin of closure [{] (1)
Sep 1 10:37:43 dhcp6c 8607 <13>[0] (1)
Sep 1 10:37:43 dhcp6c 8607 <13>[na] (2)
Sep 1 10:37:43 dhcp6c 8607 <3>[id-assoc] (8)
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>end of closure [}] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>comment [# we'd like some nameservers please] (35)
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Sep 1 10:37:43 dhcp6c 8607 <3>[script] (6)
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>[domain-name] (11)
Sep 1 10:37:43 dhcp6c 8607 <3>[request] (7)
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>[domain-name-servers] (19)
Sep 1 10:37:43 dhcp6c 8607 <3>[request] (7)
Sep 1 10:37:43 dhcp6c 8607 <3>comment [# request prefix delegation] (27)
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>[0] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>[ia-pd] (5)
Sep 1 10:37:43 dhcp6c 8607 <3>[send] (4)
Sep 1 10:37:43 dhcp6c 8607 <3>comment [# request stateful address] (26)
Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>[0] (1)
Sep 1 10:37:43 dhcp6c 8607 <3>[ia-na] (5)
Sep 1 10:37:43 dhcp6c 8607 <3>[send] (4)
Sep 1 10:37:43 dhcp6c 8607 <3>begin of closure [{] (1)
Sep 1 10:37:43 dhcp6c 8607 <5>[igb0] (4)
Sep 1 10:37:43 dhcp6c 8607 <3>[interface] (9)
Sep 1 10:37:43 dhcp6c 8607 skip opening control port
Sep 1 10:37:43 dhcp6c 8607 failed initialize control message authentication
Sep 1 10:37:43 dhcp6c 8607 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Sep 1 10:37:43 dhcp6c 8607 extracted an existing DUID from /var/db/dhcp6c_duid: BLAH BLAH
-
I assume you have a firewall rule to pass the ipv6 traffic on your LAN interface?
-
Yeah something is not right. Post your WAN interface configuration page.
My last renewal for reference. Note the IA_PD being assigned.
Sep 1 03:55:10 dhcp6c 44071 IA timeout for PD-0, state=ACTIVE
Sep 1 03:55:10 dhcp6c 44071 reset a timer on igb0, state=RENEW, timeo=0, retrans=10220
Sep 1 03:55:10 dhcp6c 44071 Sending Renew
Sep 1 03:55:10 dhcp6c 44071 a new XID (a5356f) is generated
Sep 1 03:55:10 dhcp6c 44071 set client ID (len 14)
Sep 1 03:55:10 dhcp6c 44071 set server ID (len 14)
Sep 1 03:55:10 dhcp6c 44071 set elapsed time (len 2)
Sep 1 03:55:10 dhcp6c 44071 set option request (len 4)
Sep 1 03:55:10 dhcp6c 44071 set IA_PD prefix
Sep 1 03:55:10 dhcp6c 44071 set IA_PD
Sep 1 03:55:10 dhcp6c 44071 send renew to ff02::1:2%igb0
Sep 1 03:55:10 dhcp6c 44071 receive reply from fe80::2e86:d2ff:fe89:2019%igb0 on igb0
Sep 1 03:55:10 dhcp6c 44071 get DHCP option client ID, len 14
Sep 1 03:55:10 dhcp6c 44071 DUID: 00:01:00:xx:xx:xx:xx:xx:00:08:a2:0a:59:41
Sep 1 03:55:10 dhcp6c 44071 get DHCP option server ID, len 14
Sep 1 03:55:10 dhcp6c 44071 DUID: 00:01:00:xx:xx:xx:xx:xx:f8:bc:12:3e:b6:9c
Sep 1 03:55:10 dhcp6c 44071 get DHCP option DNS, len 32
Sep 1 03:55:10 dhcp6c 44071 get DHCP option IA_PD, len 47
Sep 1 03:55:10 dhcp6c 44071 IA_PD: ID=0, T1=43200, T2=69120
Sep 1 03:55:10 dhcp6c 44071 get DHCP option status code, len 2
Sep 1 03:55:10 dhcp6c 44071 status code: success
Sep 1 03:55:10 dhcp6c 44071 get DHCP option IA_PD prefix, len 25
Sep 1 03:55:10 dhcp6c 44071 IA_PD prefix: 2600:dabb:ad00:bc00::/56 pltime=86400 vltime=86400
Sep 1 03:55:10 dhcp6c 44071 dhcp6c Received INFO
Sep 1 03:55:10 dhcp6c 44071 nameserver[0] 2001:578:3f::30
Sep 1 03:55:10 dhcp6c 44071 nameserver[1] 2001:578:3f:1::30
Sep 1 03:55:10 dhcp6c 44071 update an IA: PD-0
Sep 1 03:55:10 dhcp6c 44071 status code for PD-0: success
Sep 1 03:55:10 dhcp6c 44071 update a prefix 2600:dabb:ad00:bc00::/56 pltime=34359824768, vltime=34359824768
Sep 1 03:55:10 dhcp6c 44071 executes /var/etc/dhcp6c_wan_script.sh
Sep 1 03:55:10 dhcp6c dhcp6c renew, no change - bypassing update on igb0
Sep 1 03:55:10 dhcp6c 44071 script "/var/etc/dhcp6c_wan_script.sh" terminated
Sep 1 03:55:10 dhcp6c 44071 removing an event on igb0, state=RENEW
Sep 1 03:55:10 dhcp6c 44071 got an expected reply, sleeping.
Sep 1 03:55:16 dhcp6c 44071 IA timeout for NA-0, state=ACTIVE
Sep 1 03:55:16 dhcp6c 44071 reset a timer on igb0, state=RENEW, timeo=0, retrans=9710
Sep 1 03:55:16 dhcp6c 44071 Sending Renew
Sep 1 03:55:16 dhcp6c 44071 a new XID (93002a) is generated
Sep 1 03:55:16 dhcp6c 44071 set client ID (len 14)
Sep 1 03:55:16 dhcp6c 44071 set server ID (len 14)
Sep 1 03:55:16 dhcp6c 44071 set IA address
Sep 1 03:55:16 dhcp6c 44071 set identity association
Sep 1 03:55:16 dhcp6c 44071 set elapsed time (len 2)
Sep 1 03:55:16 dhcp6c 44071 set option request (len 4)
Sep 1 03:55:16 dhcp6c 44071 send renew to ff02::1:2%igb0
Sep 1 03:55:17 dhcp6c 44071 receive reply from fe80::2e86:d2ff:fe89:2019%igb0 on igb0
Sep 1 03:55:17 dhcp6c 44071 get DHCP option client ID, len 14
Sep 1 03:55:17 dhcp6c 44071 DUID: 00:01:00:xx:xx:xx:xx:xx:00:08:a2:0a:59:41
Sep 1 03:55:17 dhcp6c 44071 get DHCP option server ID, len 14
Sep 1 03:55:17 dhcp6c 44071 DUID: 00:01:00:xx:xx:xx:xx:xx:f8:bc:12:3e:b6:9c
Sep 1 03:55:17 dhcp6c 44071 get DHCP option DNS, len 32
Sep 1 03:55:17 dhcp6c 44071 get DHCP option identity association, len 46
Sep 1 03:55:17 dhcp6c 44071 IA_NA: ID=0, T1=43200, T2=69120
Sep 1 03:55:17 dhcp6c 44071 get DHCP option status code, len 2
Sep 1 03:55:17 dhcp6c 44071 status code: success
Sep 1 03:55:17 dhcp6c 44071 get DHCP option IA address, len 24
Sep 1 03:55:17 dhcp6c 44071 IA_NA address: 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400 vltime=86400
Sep 1 03:55:17 dhcp6c 44071 dhcp6c Received INFO
Sep 1 03:55:17 dhcp6c 44071 nameserver[0] 2001:578:3f::30
Sep 1 03:55:17 dhcp6c 44071 nameserver[1] 2001:578:3f:1::30
Sep 1 03:55:17 dhcp6c 44071 update an IA: NA-0
Sep 1 03:55:17 dhcp6c 44071 status code for NA-0: success
Sep 1 03:55:17 dhcp6c 44071 update an address 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400, vltime=140733193474432
Sep 1 03:55:17 dhcp6c 44071 add an address 2600:abba:daba:1c00:f482:dfe0:8871:7c09/128 on igb0
Sep 1 03:55:17 dhcp6c 44071 executes /var/etc/dhcp6c_wan_script.sh
Sep 1 03:55:17 dhcp6c dhcp6c renew, no change - bypassing update on igb0
Sep 1 03:55:17 dhcp6c 44071 script "/var/etc/dhcp6c_wan_script.sh" terminated
Sep 1 03:55:17 dhcp6c 44071 removing an event on igb0, state=RENEW
Sep 1 03:55:17 dhcp6c 44071 got an expected reply, sleeping.
-
@johnnybinator said in Cannot route IPv6 - Frustrated:
@johnpoz
I'm obviously new to this stuff
What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?
For the interface address/network, yes. But the /56 you need to route to the inside router is a completely different thing.
-
@johnnybinator said in Cannot route IPv6 - Frustrated:
On your ipv6 pass rule, you might want to change source from LAN net to any for testing.
If you are going to actually be implementing the routing on your Cisco you will need to allow your entire /56 as a source. Remember we aren't doing NAT with ipv6.
What I would do is create a firewall alias, LOCAL_SUBNETS_v6 with your ipv6 prefix /56.
Then in your firewall rule, use LOCAL_SUBNETS_v6 as the source.
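
Added example, not part of any post in this thread: a Python sketch of why a pass rule with source "LAN net" drops traffic from subnets routed behind an inner router, while a rule whose source is the whole delegated /56 passes it. The prefix is a constructed documentation prefix, and the subnet layout (first /64 on the pfSense LAN, second /60 routed to the inner router) and the helper names are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in the dhcp6c debug-log format shown in the thread
# (documentation prefix 2001:db8::/32, not a real delegation).
SAMPLE_LOG = """\
Sep 1 03:55:10 dhcp6c 44071 get DHCP option IA_PD prefix, len 25
Sep 1 03:55:10 dhcp6c 44071 IA_PD prefix: 2001:db8:1234:ab00::/56 pltime=86400 vltime=86400
"""

def delegated_prefix(log_text):
    """Return the delegated prefix found in dhcp6c debug output, or None."""
    m = re.search(r"IA_PD prefix: (\S+/\d+)", log_text)
    return ipaddress.ip_network(m.group(1)) if m else None

def plan(pd, routed_len=60):
    """Assumed layout: first /64 is the pfSense LAN, second /60 is routed inward."""
    lan_net = next(pd.subnets(new_prefix=64))
    routed = list(pd.subnets(new_prefix=routed_len))[1]
    inner = list(routed.subnets(new_prefix=64))  # one /64 per inner L3 interface
    return lan_net, routed, inner

def rule_passes(rule_source, packet_src):
    """A pass rule matches only if the packet source lies inside the rule source."""
    return ipaddress.ip_address(packet_src) in rule_source

def evaluate(log_text):
    pd = delegated_prefix(log_text)
    if pd is None:
        return None  # no delegation in the log, nothing to route
    lan_net, routed, inner = plan(pd)
    host = str(inner[0][0x10])  # hypothetical host behind the inner router
    return {
        "pd": str(pd),
        "lan_net": str(lan_net),
        "routed": str(routed),
        "host": host,
        "lan_net_rule": rule_passes(lan_net, host),  # source = LAN net
        "alias_rule": rule_passes(pd, host),         # source = /56 alias
    }

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_LOG).items():
        print(f"{key:13} {value}")
```

Because there is no NAT, the inner host's own address arrives at the pfSense LAN interface as the source, so the rule has to cover every prefix routed behind that interface.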
-
@isaacfl said in Cannot route IPv6 - Frustrated:
LOCAL_SUBNETS_v6
HILARIOUS! That was it! The rule change fixed it. I used LAN NET because it was set up that way for the IPv4 rule.
Thanks for walking through this mess with me. I learned a lot.