Issues with IPv6 on 2VLANs

pbnet

Hello,

My ISP just changed his IPv6 allocation to customers from /64 to /56.
Since I have two VLANs, I assigned IPv6 addresses on both VLANs.
What I did: on each LAN interface on PFSense I configured IPv6 as track interface and changed the IPv6 prefix ID for each LAN interface. 0 for the first VLAN and 1 for the second VLAN.
The result is: I have IPv6 on both VLANs, but with a caveat:

on both VLANs, but mostly on the first VLAN, PFSense respons slowly to ICMP request and also to Internet access, thus when accessing dual-stacked sites, the first try will mostly go on IPv4 and the second one on IPv6

Example of slow response from first VLAN:

Tracing route to pfsense.org [2610:160:11:11::69]
over a maximum of 30 hops:

1 * <1 ms <1 ms suzet.pbnet.local [2a02:2f0b:8407:6600:baac:6fff:fe90:d2dd]
2 9 ms 6 ms 6 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 1 ms 2 ms border-f-1.WANV6.suzet.local [2a02:2f0b:804f:ff01::1]
4 * * * Request timed out.
5 1 ms 1 ms 1 ms br01.v6.bucuresti.rdsnet.ro [2a02:2f00:8708:3:1:0:2:0]
6 1 ms 2 ms 1 ms ae-1.r00.buchro01.ro.bb.gin.ntt.net [2001:728:0:5000::2fd]
7 1 ms 1 ms 1 ms ae-1.r01.buchro01.ro.bb.gin.ntt.net [2001:728:0:2000::6e]
8 32 ms 31 ms 32 ms ae-17.r02.frnkge04.de.bb.gin.ntt.net [2001:728:0:2000::17e]
9 32 ms 31 ms 31 ms 2001:728:0:4000::1e
^C
C:\Users\andrei>tracert pfsense.org

Tracing route to pfsense.org [2610:160:11:11::69]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms suzet.pbnet.local [2a02:2f0b:8407:6600:baac:6fff:fe90:d2dd]
2 * 8 ms 6 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 2 ms 1 ms border-f-1.WANV6.suzet.local [2a02:2f0b:804f:ff01::1]
4 12 ms 3 ms 2 ms cr00.v6.bucuresti.rdsnet.ro [2a02:2f00:8708:2::2:0]
5 1 ms 1 ms 2 ms br01.v6.bucuresti.rdsnet.ro [2a02:2f00:8708:3:1:0:2:0]

To be honest I don't know if it's a DNS issue or not. DNS is using Unbind then fowards requests to CloudFlare DNS.

Sample traceroute on 2nd VLAN: (As you can see, no timeout on 1st hop)

andrei@lg:~$ traceroute6 www.ripe.net
traceroute to (2001:67c:2e8:22::c100:68b) from 2a02:2f0b:8407:6601:20c:29ff:feda:1c80, 30 hops max, 24 byte packets
1 2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1 (2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1) 0.305 ms 0.196 ms 0.184 ms
2 2a02:2f0b:84ff:ff00::2 (2a02:2f0b:84ff:ff00::2) 9.181 ms 6.654 ms 6.705 ms
3 border-f-1.WANV6.suzet.local (2a02:2f0b:804f:ff01::1) 2.339 ms 2.095 ms 1.764 ms
4 cr00.v6.bucuresti.rdsnet.ro (2a02:2f00:8708:2::2:0) 5.181 ms 2.021 ms 3.947 ms
5 xr01.v6.amsterdam.rdsnet.ro (2a02:2f00:8708:4:1:17:5014:0) 36.135 ms 36.638 ms 36.078 ms
6 amsix-501.xe-0-0-0.jun1.bit-1.network.bit.nl (2001:7f8:1::a501:2859:2) 37.985 ms 39.11 ms 38.416 ms
7 gw.ipv6.amsix.eqix3rtr.ripe.net (2001:7f8:1::a500:3333:1) 38.672 ms 38.42 ms 39.311 ms
8 gw.ipv6.amsix.eqix3rtr.ripe.net (2001:7f8:1::a500:3333:1) 38.78 ms !X 38.962 ms !X 38.617 ms !X

Thanks for any idea/clue you guys can give me here.

Andy.

msf2000

Try a static IPv6 address with /64 mask on 1 of the VLAN interfaces and see if that helps.

pbnet

Could you share some more info on how to do it ?
I mean, I get IPv6 IPs from my ISP using DHCP-PD.
Do you want me to put a link-local IP there ?

Thanks.
Andy

Derelict

The typical way to assign /64s out of a /56 PD is to set the inside interfaces to Track Interface.

What are your firewall rules on the two VLAN interfaces?

pbnet

Hi Derelict,

Here is the info you requested:
Here is the WAN configuration:

WAN

And the configuration for both VLANs (LANs)

LAN1

LAN2

And the Firewall Rules:

FW1

FW2

And here is a sample trace... here it went pretty well, but at times, the 1st hop barely responds (and this is the PFSense box)

trace

Thanks,
Andy.

Derelict

So everything is working you just sometimes miss a windows traceroute?

pbnet

Exactly.
But since it misses the 1st hop, for example if I go to www.ripe.net, the first time the site will detect me over IPv4, if I refresh the page, it will detect me on IPv6... it's like the 1st time it learns the route, then it knows what to do the second time, and so on...
Same behaviour on test-ipv6.com
As DNS I use CloudFlare over TLS, but I don't blame the DNS so far...

Thanks,
Andy

Derelict

Sounds like something to be solved on the client side.

I don't think protocol stack detection uses traceroute but I have never looked into how windows does that.

If it has IPv6 and a gateway and can resolve names the browser should try IPv6 first. But that depends on the browser configuration.

pbnet

The browser first tries IPv6.
I don't really suspect a client issue, since this kind of issues don't occur on the 2nd VLAN...
To be honest, the first hop doesn't have the same IPv6 IP as listed in the IP status in PFSense.. it only matches that IP for the 1st VLAN.

Derelict

You'll need to elaborate.

You have pass IPv6 any any any on both interfaces. That is really all there is to it on the firewall.

pbnet

Sure,

Here is the IP status:

IPSTAT

When I do a traceroute, from VLAN1, the first hop is PFSense and the IP shown in interfaces for LAN: 2a02:2f0b:8407:6600:baac:6fff:fe90:d2dd

trace1

When I do it from VLAN2, the first hop is: 2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1

trace22

The only difference is that on VLAN2, the IP of the gateway doesn't get resolved (and I really don't know why and how I managed to make it resolve to PFSense's name for VLAN1). Being dynamic (each time the PPPoE connections goes on, a different IPv4/IPv6 is received, it does not make sense to put it in Unbind DNS on the PFSense box).

I wonder why no issues appear on VLAN2 whatsoever...

Thanks.

Derelict

Looks like it's working fine to me.

pfSense automatically puts A, AAAA, and both PTR records into the local DNS for LAN but only LAN.

If you want to eliminate name resolution on your traceroutes, use the -d flag.

pbnet

Is there a way to have A, AAAA into the local DNS also for LAN2 ?
It works on IPv4, but not on IPv6 for LAN2.

Coming back to the traceroute, it's the same issue also without name resolution

LAN1:

Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:

1 * * * Request timed out.
2 10 ms 8 ms 8 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 1 ms 1 ms 2a02:2f0b:804f:ff01::1
4 4 ms 1 ms 2 ms 2a02:2f00:8708:2::2:0
5 2 ms 1 ms 2 ms 2a02:2f00:8708:3:1:0:2:0
6 1 ms 1 ms 1 ms 2001:2000:3080:1c6::1
7 30 ms 30 ms 30 ms 2001:2000:3019:6a::1
8 * * 30 ms 2001:2000:3018:13::1
9 30 ms 29 ms 30 ms 2001:470:0:168::1
10 69 ms 40 ms 58 ms 2001:470:0:2d4::1
11 48 ms 46 ms 47 ms 2001:470:0:431::2
12 50 ms * * 2001:470:0:410::2
13 * * 109 ms 2001:470:0:440::1
14 109 ms 109 ms 109 ms 2001:470:0:20a::1
15 175 ms 175 ms 175 ms 2001:470:0:296::2
16 173 ms 173 ms 173 ms 2001:470:0:1b1::1
17 193 ms 194 ms 193 ms 2001:470:0:438::2
18 182 ms 182 ms 182 ms 2001:470:0:64::2

Trace complete.

LAN2:

Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1
2 10 ms 9 ms 7 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 2 ms 21 ms 2a02:2f0b:804f:ff01::1
4 5 ms 2 ms 2 ms 2a02:2f00:8708:2::2:0
5 1 ms 1 ms 1 ms 2a02:2f00:8708:3:1:0:2:0
6 1 ms 1 ms 1 ms 2001:2000:3080:1c6::1
7 30 ms 30 ms 30 ms 2001:2000:3019:6a::1
8 30 ms 30 ms 30 ms 2001:2000:3018:13::1
9 30 ms 30 ms 30 ms 2001:470:0:168::1
10 48 ms 43 ms 57 ms 2001:470:0:2d4::1
11 45 ms 128 ms 45 ms 2001:470:0:431::2
12 51 ms 50 ms * 2001:470:0:410::2
13 110 ms * 110 ms 2001:470:0:440::1
14 110 ms 109 ms 110 ms 2001:470:0:20a::1
15 181 ms 182 ms 181 ms 2001:470:0:296::2
16 179 ms 187 ms 178 ms 2001:470:0:1b1::1
17 189 ms 188 ms 188 ms 2001:470:0:438::2
18 183 ms 182 ms 182 ms 2001:470:0:64::2

Trace complete.

I wonder if that's an issue with the LAN1 gateway or not.

As I said, the issue on LAN1 is just on the 1st try... then everything is smooth:

Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 2a02:2f0b:8407:6600:baac:6fff:fe90:d2dd
2 10 ms 8 ms 8 ms 2a02:2f0b:84ff:ff00::2
3 * * 1 ms 2a02:2f0b:804f:ff01::1
4 5 ms 2 ms 2 ms 2a02:2f00:8708:2::2:0
5 2 ms 2 ms 2 ms 2a02:2f00:8708:3:1:0:2:0
6 1 ms 1 ms 1 ms 2001:2000:3080:1c6::1
7 * * 30 ms 2001:2000:3019:6a::1
8 30 ms 30 ms 30 ms 2001:2000:3018:13::1
9 30 ms 30 ms 30 ms 2001:470:0:168::1
10 40 ms 71 ms 41 ms 2001:470:0:2d4::1
11 46 ms 52 ms 47 ms 2001:470:0:431::2
12 70 ms 49 ms 50 ms 2001:470:0:410::2
13 109 ms 109 ms 109 ms 2001:470:0:440::1
14 * 124 ms 109 ms 2001:470:0:20a::1
15 176 ms 177 ms 175 ms 2001:470:0:296::2
16 173 ms 173 ms 180 ms 2001:470:0:1b1::1
17 192 ms 194 ms 194 ms 2001:470:0:438::2
18 182 ms 182 ms 182 ms 2001:470:0:64::2

Trace complete.

Thanks.

Derelict

No idea then. Sorry. Maybe someone else sees it.

pfadmin

Just a shot:

0_1537816194769_d25e8a11-ad06-4cd9-8570-3a241220ce87-grafik.png

Last rule in PBNETLAN2 seems to be incorrect. On interface PBNETLAN2 should be no traffic from LAN1 net. So source-dest is vice versa or rule should be under LAN. But its only IPv4

Try another rule with IPv6* * * * * * if some IPv6 traffic is not captured with LAN net or PBNETLAN2 net as source. maybe..

pfadmin

Derelict

Yeah I saw that but in this case it is meaningless. Traffic will simply never match that rule, as is evidenced by the counters there.

pbnet

Updated:

UpdatedRules .

But the problem remains:

newtrace25

Thanks,
Andrei.

Derelict

No. The point was that rule does nothing. It should be deleted.

I still maintain your issue is on the client.

I suppose it could possibly be a setting in the DHCPv6 server or something but I can't imagine what that would be.

Maybe something else on that VLAN issuing router advertisements? Just guessing.