Issues with IPv6 on 2VLANs
-
Could you share some more info on how to do it?
I mean, I get IPv6 IPs from my ISP using DHCP-PD.
Do you want me to put a link-local IP there?
Thanks.
Andy -
The typical way to assign /64s out of a /56 PD is to set the inside interfaces to Track Interface.
What are your firewall rules on the two VLAN interfaces?
-
Hi Derelict,
Here is the info you requested:
Here is the WAN configuration:
And the configuration for both VLANs (LANs):
And the Firewall Rules:
And here is a sample trace... here it went pretty well, but at times, the 1st hop barely responds (and this is the PFSense box)
Thanks,
Andy. -
So everything is working you just sometimes miss a windows traceroute?
-
Exactly.
But since it misses the 1st hop, for example if I go to www.ripe.net, the first time the site will detect me over IPv4, if I refresh the page, it will detect me on IPv6... it's like the 1st time it learns the route, then it knows what to do the second time, and so on...
Same behaviour on test-ipv6.com
As DNS I use CloudFlare over TLS, but I don't blame the DNS so far...
Thanks,
Andy -
Sounds like something to be solved on the client side.
I don't think protocol stack detection uses traceroute but I have never looked into how windows does that.
If it has IPv6 and a gateway and can resolve names the browser should try IPv6 first. But that depends on the browser configuration.
-
The browser first tries IPv6.
I don't really suspect a client issue, since this kind of issue doesn't occur on the 2nd VLAN...
To be honest, the first hop doesn't have the same IPv6 IP as listed in the IP status in PFSense... it only matches that IP for the 1st VLAN. -
You'll need to elaborate.
You have pass IPv6 any any any on both interfaces. That is really all there is to it on the firewall.
-
Sure,
Here is the IP status:
When I do a traceroute, from VLAN1, the first hop is PFSense and the IP shown in interfaces for LAN: 2a02:2f0b:8407:6600:baac:6fff:fe90:d2dd
When I do it from VLAN2, the first hop is: 2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1
The only difference is that on VLAN2, the IP of the gateway doesn't get resolved (and I really don't know why and how I managed to make it resolve to PFSense's name for VLAN1). Being dynamic (each time the PPPoE connection goes up, a different IPv4/IPv6 is received), it does not make sense to put it in Unbound DNS on the PFSense box.
I wonder why no issues appear on VLAN2 whatsoever...
Thanks.
-
Looks like it's working fine to me.
pfSense automatically puts A, AAAA, and both PTR records into the local DNS for LAN but only LAN.
If you want to eliminate name resolution on your traceroutes, use the -d flag. -
Is there a way to have A, AAAA into the local DNS also for LAN2 ?
It works on IPv4, but not on IPv6 for LAN2.
Coming back to the traceroute, it's the same issue also without name resolution.
LAN1:
Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:
1 * * * Request timed out.
2 10 ms 8 ms 8 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 1 ms 1 ms 2a02:2f0b:804f:ff01::1
4 4 ms 1 ms 2 ms 2a02:2f00:8708:2::2:0
5 2 ms 1 ms 2 ms 2a02:2f00:8708:3:1:0:2:0
6 1 ms 1 ms 1 ms 2001:2000:3080:1c6::1
7 30 ms 30 ms 30 ms 2001:2000:3019:6a::1
8 * * 30 ms 2001:2000:3018:13::1
9 30 ms 29 ms 30 ms 2001:470:0:168::1
10 69 ms 40 ms 58 ms 2001:470:0:2d4::1
11 48 ms 46 ms 47 ms 2001:470:0:431::2
12 50 ms * * 2001:470:0:410::2
13 * * 109 ms 2001:470:0:440::1
14 109 ms 109 ms 109 ms 2001:470:0:20a::1
15 175 ms 175 ms 175 ms 2001:470:0:296::2
16 173 ms 173 ms 173 ms 2001:470:0:1b1::1
17 193 ms 194 ms 193 ms 2001:470:0:438::2
18 182 ms 182 ms 182 ms 2001:470:0:64::2
Trace complete.
LAN2:
Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1
2 10 ms 9 ms 7 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 2 ms 21 ms 2a02:2f0b:804f:ff01::1
4 5 ms 2 ms 2 ms 2a02:2f00:8708:2::2:0
5 1 ms 1 ms 1 ms 2a02:2f00:8708:3:1:0:2:0
6 1 ms 1 ms 1 ms 2001:2000:3080:1c6::1
7 30 ms 30 ms 30 ms 2001:2000:3019:6a::1
8 30 ms 30 ms 30 ms 2001:2000:3018:13::1
9 30 ms 30 ms 30 ms 2001:470:0:168::1
10 48 ms 43 ms 57 ms 2001:470:0:2d4::1
11 45 ms 128 ms 45 ms 2001:470:0:431::2
12 51 ms 50 ms * 2001:470:0:410::2
13 110 ms * 110 ms 2001:470:0:440::1
14 110 ms 109 ms 110 ms 2001:470:0:20a::1
15 181 ms 182 ms 181 ms 2001:470:0:296::2
16 179 ms 187 ms 178 ms 2001:470:0:1b1::1
17 189 ms 188 ms 188 ms 2001:470:0:438::2
18 183 ms 182 ms 182 ms 2001:470:0:64::2
Trace complete.
I wonder if that's an issue with the LAN1 gateway or not.
As I said, the issue on LAN1 is just on the 1st try... then everything is smooth:
Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 2a02:2f0b:8407:6600:baac:6fff:fe90:d2dd
2 10 ms 8 ms 8 ms 2a02:2f0b:84ff:ff00::2
3 * * 1 ms 2a02:2f0b:804f:ff01::1
4 5 ms 2 ms 2 ms 2a02:2f00:8708:2::2:0
5 2 ms 2 ms 2 ms 2a02:2f00:8708:3:1:0:2:0
6 1 ms 1 ms 1 ms 2001:2000:3080:1c6::1
7 * * 30 ms 2001:2000:3019:6a::1
8 30 ms 30 ms 30 ms 2001:2000:3018:13::1
9 30 ms 30 ms 30 ms 2001:470:0:168::1
10 40 ms 71 ms 41 ms 2001:470:0:2d4::1
11 46 ms 52 ms 47 ms 2001:470:0:431::2
12 70 ms 49 ms 50 ms 2001:470:0:410::2
13 109 ms 109 ms 109 ms 2001:470:0:440::1
14 * 124 ms 109 ms 2001:470:0:20a::1
15 176 ms 177 ms 175 ms 2001:470:0:296::2
16 173 ms 173 ms 180 ms 2001:470:0:1b1::1
17 192 ms 194 ms 194 ms 2001:470:0:438::2
18 182 ms 182 ms 182 ms 2001:470:0:64::2
Trace complete.
Thanks.
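An added Python example (not from this thread, and not pfSense code) that ties together two things discussed above: Derelict's note that Track Interface carves /64s out of the delegated /56, and the LAN1 vs LAN2 tracert comparison. It derives the LAN /64s from a delegated prefix for prefix IDs 0 and 1, then parses Windows tracert output like the traces in this post and reports whether hop 1 answered at all and whether its address lies in the expected LAN /64. The delegated /56 value is an assumption (the thread never states it; it is simply the /56 containing both /64s seen in the traces), and the trace excerpts are the first hops of the traces posted above. Everything else (function names, the report fields) is this example's own.

```python
"""Added example (not from the thread or pfSense): Track Interface style /64
derivation from a delegated /56, plus a parser for Windows tracert output that
flags a silent or unexpected first hop."""
import ipaddress
import re

# Assumption: the thread never states the delegated /56; this is the one that
# contains both /64s visible in the traces (...:6600::/64 on LAN1, ...:6601::/64 on LAN2).
DELEGATED_PREFIX = ipaddress.IPv6Network("2a02:2f0b:8407:6600::/56")


def tracked_subnet(pd, prefix_id, subnet_len=64):
    """Return the subnet that a Track Interface assignment with the given
    IPv6 prefix ID carves out of the delegated prefix pd."""
    id_bits = subnet_len - pd.prefixlen          # 8 bits for a /56 -> /64 split
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix id {prefix_id:#x} does not fit in {id_bits} bits")
    base = int(pd.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << (128 - subnet_len)), subnet_len))


# One tracert hop after whitespace collapsing: "<n> <probe> <probe> <probe> <target>"
PROBE = r"(?:<?\d+\s*ms|\*)"
HOP_RE = re.compile(rf"^\s*(\d+)\s+((?:{PROBE}\s+){{3}})(.*?)\s*$")


def parse_tracert(text):
    """Parse Windows tracert output into a list of hops; an RTT of None means '*'."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                                # header / "Trace complete." lines
            continue
        rtts = [None if p == "*" else int(re.sub(r"\D", "", p))
                for p in re.findall(PROBE, m.group(2))]
        last = m.group(3).split()[-1].strip("[]") if m.group(3) else ""
        try:
            addr = ipaddress.ip_address(last)    # "name [addr]" or a bare address
        except ValueError:
            addr = None                          # e.g. "Request timed out."
        hops.append({"hop": int(m.group(1)), "rtts": rtts, "addr": addr})
    return hops


def check_first_hop(text, expected_net):
    """Report on hop 1: did it answer at all, and is it inside expected_net?"""
    hops = parse_tracert(text)
    if not hops:
        raise ValueError("no hop lines found in tracert output")
    h1 = hops[0]
    lost = sum(r is None for r in h1["rtts"])
    return {
        "hop1_answered": lost < len(h1["rtts"]),
        "hop1_lost_probes": lost,
        "hop1_addr": str(h1["addr"]) if h1["addr"] is not None else None,
        "hop1_in_expected_net": h1["addr"] is not None and h1["addr"] in expected_net,
        "hops_total": len(hops),
        "silent_hops": [h["hop"] for h in hops if all(r is None for r in h["rtts"])],
    }


# Excerpts of the traces posted above (first hops only), used as sample input.
LAN1_FIRST_RUN = """Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:
1 * * * Request timed out.
2 10 ms 8 ms 8 ms 2a02:2f0b:84ff:ff00::2
3 2 ms 1 ms 1 ms 2a02:2f0b:804f:ff01::1
Trace complete."""

LAN2_RUN = """Tracing route to ipv6.he.net [2001:470:0:64::2]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms 2a02:2f0b:8407:6601:baac:6fff:fe90:d2e1
2 10 ms 9 ms 7 ms 2a02:2f0b:84ff:ff00::2
Trace complete."""

LAN1_NET = tracked_subnet(DELEGATED_PREFIX, 0)   # 2a02:2f0b:8407:6600::/64
LAN2_NET = tracked_subnet(DELEGATED_PREFIX, 1)   # 2a02:2f0b:8407:6601::/64

if __name__ == "__main__":
    print("LAN1", LAN1_NET, check_first_hop(LAN1_FIRST_RUN, LAN1_NET))
    print("LAN2", LAN2_NET, check_first_hop(LAN2_RUN, LAN2_NET))
```

Run it as-is to see the two reports; feed it a full tracert capture (with or without -d, since a trailing "name [addr]" is handled) to spot a first hop that stays silent or that answers from an address outside the /64 the interface should be tracking, which is the check the thread is doing by eye.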
-
No idea then. Sorry. Maybe someone else sees it.
-
Just a shot:
Last rule in PBNETLAN2 seems to be incorrect. On interface PBNETLAN2 there should be no traffic from LAN1 net. So source/dest is vice versa, or the rule should be under LAN. But it's only IPv4.
Try another rule with IPv6 * * * * * * if some IPv6 traffic is not captured with LAN net or PBNETLAN2 net as source. Maybe...
pfadmin
-
Yeah I saw that but in this case it is meaningless. Traffic will simply never match that rule, as is evidenced by the counters there.
-
Updated:
But the problem remains:
Thanks,
Andrei. -
No. The point was that rule does nothing. It should be deleted.
I still maintain your issue is on the client.
I suppose it could possibly be a setting in the DHCPv6 server or something but I can't imagine what that would be.
Maybe something else on that VLAN issuing router advertisements? Just guessing.