Can ping IPv6 from LAN but not from firewall itself
-
Really? I was talking to a guy yesterday and he had connectivity just fine with a prefixlen of 128. So why is it an issue?
-
Your gateway is outside your prefix - do you have a tunnel? /128 is the same as /32 in IPv4.. It's like a loopback address.. So yeah, that is more than likely your problem.
What does your route show you for your default?
-
Hmm OK. It was the same case for somebody else I was troubleshooting with yesterday, although their /128 for their WAN was even more different from their delegated subnet than mine is.
Having said that I cannot tr6 to my gateway...
My gateway is:
Destination   Gateway                          Flags  Netif  Expire
default       fe80::d694:e8ff:fe1e:2b6b%vmx0   UG     vmx0

$ traceroute6 to fe80::d694:e8ff:fe1e:2b6b (fe80::d694:e8ff:fe1e:2b6b) from fe80::20c:29ff:fee2:ebe8%vmx0, 64 hops max, 20 byte packets
sendto: No route to host
-
@deed02392 said in Can ping IPv6 from LAN but not from firewall itself:
Really? I was talking to a guy yesterday and he had connectivity just fine with a prefixlen of 128. So why is it an issue?
On IPv6, routing is normally done via link local addresses. A public address is not needed on the WAN interface, though may be used for testing etc.. A /128 prefix designates an interface only, which may be used internally for determining the interface to use for routing.
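An added example (my own code, not from the thread or from pfSense) that uses Python's stdlib ipaddress module to check the relationships this post and the earlier "gateway is outside your prefix" reply are talking about: whether the default gateway falls inside the WAN prefix, whether it is link-local and so reachable through the fe80::/64 every interface carries regardless of the global prefix length, and whether the tracked LAN /64 sits inside the delegated /56. The link-local gateway and source addresses are the ones quoted in the route table above; the WAN /128, delegated /56, LAN /64 and the test destination are constructed for the example. The next_hop() function is a simplified model of the forwarding decision, including the "No route to host" result for a link-local destination given without a %zone.

```python
"""Added example: model IPv6 next-hop selection for a /128 WAN address with a
link-local default gateway, using only the standard library.

Addresses marked CONSTRUCTED are invented for this example; the link-local
gateway and source addresses are the ones quoted in the thread.
"""
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Quoted in the thread (pfSense route table / traceroute6 output).
GATEWAY = ipaddress.IPv6Address("fe80::d694:e8ff:fe1e:2b6b")
GATEWAY_ZONE = "vmx0"
WAN_LINK_LOCAL = ipaddress.IPv6Address("fe80::20c:29ff:fee2:ebe8")

# CONSTRUCTED: a plausible layout inside the ISP's 2a01:4b00::/32; real values differ.
WAN_IFACE = ipaddress.IPv6Interface("2a01:4b00:1234:5678::1/128")  # DHCPv6 IA_NA
DELEGATED = ipaddress.IPv6Network("2a01:4b00:abcd:ff00::/56")      # DHCPv6 IA_PD
LAN_IFACE = ipaddress.IPv6Interface("2a01:4b00:abcd:ff00::1/64")   # "track interface", prefix id 0


def split_zone(text):
    """Split 'fe80::1%vmx0' into (IPv6Address, 'vmx0'); zone is None if absent."""
    addr, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), (zone or None)


def gateway_reachability(wan, gw):
    """Explain how the default gateway is reached from the WAN interface.

    A /128 gives a connected route covering only the address itself, so a
    global next hop would be off-link.  A link-local next hop is reachable
    through the fe80::/64 every IPv6 interface holds, whatever the global
    prefix length, which is why a /128 WAN address can still route.
    """
    in_prefix = gw in wan.network
    link_local = gw in LINK_LOCAL
    return {
        "gw_in_global_prefix": in_prefix,
        "gw_is_link_local": link_local,
        "reachable": in_prefix or link_local,
    }


def next_hop(dest_text, wan=WAN_IFACE, gw=GATEWAY, gw_zone=GATEWAY_ZONE):
    """Simplified forwarding decision for one destination string.

    Link-local destinations are ambiguous without a zone ID, and a
    multi-interface host has no way to pick an interface for them; on
    FreeBSD-based pfSense that shows up as 'sendto: No route to host'.
    """
    dest, zone = split_zone(dest_text)
    if dest in LINK_LOCAL:
        if zone is None:
            return "sendto: No route to host"
        return f"direct, link-local on {zone}"
    if dest in wan.network:
        return "direct, connected global prefix"
    return f"via {gw}%{gw_zone}"


def lan_prefix_ok(delegated, lan):
    """A tracked LAN interface must carry a /64 carved out of the delegation."""
    return lan.network.prefixlen == 64 and lan.network.subnet_of(delegated)


def available_lan_prefixes(delegated):
    """Number of /64s a delegation can be split into (a /56 yields 256)."""
    return 2 ** (64 - delegated.prefixlen)


if __name__ == "__main__":
    print("gateway:", gateway_reachability(WAN_IFACE, GATEWAY))
    for dest in ("fe80::d694:e8ff:fe1e:2b6b",         # as in the failing traceroute6
                 "fe80::d694:e8ff:fe1e:2b6b%vmx0",    # same target with a zone ID
                 "2001:4860:4860::8888"):             # CONSTRUCTED off-link target
        print(f"{dest:36} -> {next_hop(dest)}")
    print("LAN /64 inside delegated /56:", lan_prefix_ok(DELEGATED, LAN_IFACE))
    print("/64s available:", available_lan_prefixes(DELEGATED))
```

The point of the model is the asymmetry it makes visible: the global /128 contributes nothing to reaching the gateway, the link-local /64 does all the work, and the zone ID is part of the address for that purpose, which is why the same target succeeds with %vmx0 and fails without it.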
-
If your ISP is handing you a /128, it's for their internal use and not meant to be used for connectivity, etc..
What I can tell you is /128 is not really valid and it's the same as /32 in the IPv4 world --- used for loopback interfaces, etc.. You cannot route to them - they are good for firewall rules and access via the same layer 2, etc. etc..
That you would think you could route traffic off of it is -- contact your ISP as to why they assign you a /128 if it's supposed to be a global address..
-
I understand the concept of bitmasking on addresses. I just assumed that I would be able to route via the loopback address (presumably belonging to my ISP's switch) given out by DHCP, from this /128 I was also given.
One solution I can think of would be to give my firewall an address from the delegated /64, but how do I do this? My LAN network is tracking the WAN interface and that is where it seemingly magically gets its delegated /64. If that works, why doesn't my firewall get a working address?
-
You need to talk to your ISP..
-
What should I ask them? Because I have a feeling they are just going to tell me to contact the vendor of my third-party router. And that's what I'm here doing already.
-
FWIW, I have a /128 WAN address and can ping from the firewall. Packet capture shows the ping coming from that /128 address.
-
Right, so the simple fact my WAN has a /128 address isn't necessarily a problem. In which case it's hard to appreciate that there is a problem with my ISP that cannot be fixed with pfSense configuration. That's why I am here!
-
@johnpoz My ISP told me I have a /56. That's where one of the /64s that my LAN has came from.
Also, how does it make sense that my LAN can reach IPv6 internet when that connection would presumably have been routed by the firewall's configured gateway too?
-
@deed02392 said in Can ping IPv6 from LAN but not from firewall itself:
Right, so the simple fact my WAN has a /128 address isn't necessarily a problem. In which case it's hard to appreciate that there is a problem with my ISP that cannot be fixed with pfSense configuration. That's why I am here!
Try using Packet Capture to examine the outgoing pings and any result. I trust you're aware you have to use ping6 with pfSense, whereas with some Linux distros and Windows, the same ping command works for both IPv4 and IPv6.
-
I ran ping6 with packet capture. In the resultant capture I see ICMPv6 requests going back and forth between what looks like the gateway and me... but it does not show the failing ping6 requests to google.com that I shared above.
https://i.imgur.com/dIX2URS.png
In the process of trying different configuration options I seem to have broken IPv6 entirely, so I guess I'm done experimenting for now.
I guess there's no such thing as a simple setup of an IPv6 WAN. I thought I had it at enable DHCP6, set LAN to track WAN and then enable a DHCP6 server on LAN.
-
FWIW...
I am also with Hyperoptic (2a01:4b00::/32) and am seeing the exact same problem.
https://forum.netgate.com/topic/135917/ipv6-setup-with-hyperoptic-uk-isp
My setup is the same as yours:
- get a /56 PD
- get a /128 WAN address
- link-local IPv6 gateway
- cannot ping6 from pfSense box
- can ping out from LAN OK
-
@deed02392 Did you need to clone the MAC address to even get IPv6 to work? I had to clone the MAC of the ZTE Hyperoptic router to get IPv6 to work at all.
-
Hey yellowbrick, glad I'm not alone here! No I did not need to clone the MAC address. It 'just worked'. But I wasn't satisfied with not being able to use pfSense as a caching IPv6 DNS server and unfortunately in the process of trying to fix things I now no longer get any IPv6 addresses.
-
@deed02392 Well, try cloning the MAC on the WAN...
-
I got an e-mail from Hyperoptic today saying that apparently IPv6 is disabled pending a firmware update they are currently working on... not sure if I was just being fobbed off, but that was enough discouragement to make me leave playing for a few days. I will try again then. I wonder if this is a firewall issue really, but I tried a bunch of frankly scary things there too and nothing helped.