IPv6 traceroute not showing first hop (pfSense)
-
Ok I take it that is your pfsense interface at the 00:16:17 mac..
So did you edit your icmp redirects in tunables? Should be a 1
If you set that for 0 for IPv6, then that would explain why you get them for IPv4 and not for IPv6
-
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
So did you edit your icmp redirects in tunables? Should be a 1
It's set to 1. However, wouldn't that setting affect redirects, when a packet is not supposed to pass through a router? Traceroute is supposed to receive an ICMP message, when the hop limit decrements to 0, which has nothing to do with redirects.
-
When the TTL does not allow it to be forwarded, it sends you a ICMP does it not. I guess I could reboot mine changing it to 0 and see if causes the problem. But that was the only guess I had at the time which could cause that problem..
There might be some other tunable that could cause it not to send the ICMP message I guess. Out of the box this should just work... If its sending the traffic to pfsense, out of the box pfsense should send the ICMP v6 message when TTL on does not allow it to forward.
-
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
Out of the box this should just work.
That is my expectation too. I should at least see a response from pfSense. I just ran Wireshark again and do not see any response at all on IPv6, but see all the TTL exceeded messages on IPv4. As I mentioned above, I'm not expecting response from anything beyond pfSense on IPv6, due to the ISP problem. I'll have to try again after that's been resolved. However, I'd be very surprised if that problem caused pfSense to not respond.
-
So do you have any rules in say floating that would stop the udp... Did you try with icmp vs udp?
Where exactly are you sniff at... The client machine or pfsense interface?
-
That capture was between my desktop computer and pfSense. I just ran Wireshark again, filtering on ICMP6, and still do not see any ICMP6 TTL exceeded messages. I do see other ICMP6 traffic.
-
So pfsense is actually seeing this traffic? Sniff on pfsense.. Setup packet capture on pfsense, then run your trace on your client... Pfsense actually sees the trace?
-
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
So pfsense is actually seeing this traffic? Sniff on pfsense.. Setup packet capture on pfsense, then run your trace on your client... Pfsense actually sees the trace?
Given that I can see the outgoing UDP between pfSense and modem, it has to pass through pfSense. As mentioned earlier, the problem is not pfSense passing the traceroute. The problem is that it doesn't respond to packets that die with hop limit of 1. I've attached the Packet Capture on pfSense of the outgoing UDP. Packet Capture, filtering on ICMP6, does not show any TTL exceeded messages.
-
Where are you sniffing at? And 00:16:17:a7:f2:d3 is PFSENSE mac address?
"Given that I can see the outgoing UDP between pfSense and modem,"
And how exactly are you seeing that?
If pfsense is not a HOP on your way to get where your going, then it will not respond if your "bridging" at pfsense..
Are you doing any policy routing or multi wan setup for IPv6?
https://www.netgate.com/docs/pfsense/routing/troubleshooting-traceroute-output.html -
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
Where are you sniffing at? And 00:16:17:a7:f2:d3 is PFSENSE mac address?
"Given that I can see the outgoing UDP between pfSense and modem,"
And how exactly are you seeing that?
If pfsense is not a HOP on your way to get where your going, then it will not respond if your "bridging" at pfsense..
Are you doing any policy routing or multi wan setup for IPv6?
https://www.netgate.com/docs/pfsense/routing/troubleshooting-traceroute-output.htmlThat was done with the pfSense Packet Capture, to show you that the UDP packets are heading out through pfSense. That MAC is for my desktop computer. I do not have any policy routing or multiwan setup. As I mentioned a few times, when I run Wireshark between pfSense and modem, I can see the outgoing UDP packets, but not seeing any returned ICMP6 TTL exceeded messages. This indicates that traceroute is leaving the desktop computer, passing through pfSense and out to the Internet. I don't understand why you're asking about things like policies, when it's obvious pfSense passing those packets out to the Internet. I mentioned that 4 days ago when I said: "They are also leaving pfSense and out to the Internet, as shown with Wireshark, between pfSense computer and modem. I'm just not getting any response from pfSense". At the moment, I'm not worried about ICMP6 TTL exceeded messages from any point beyond pfSense, as I have that ISP problem I mentioned earlier. That file I uploaded earlier, with the "CASA" MAC, shows the UDP packets leaving pfSense.
-
@jknott said in IPv6 traceroute not showing first hop (pfSense):
That MAC is for my desktop computer.
And how is that???
Where is pfsense mac in this trace... If pfsense is not a HOP, and doesn't lower the TTL then no it wouldn't respond with icmp..
You see from my above sniff... That mac is pfsense interface.. and my raspberry pi sending the trace.. How is the dest mac in your sniff your PC? When it should be the mac address of your pfsense interface that is the gateway for your client doing the trace.
I ask about policy routing because if you read that link, when doing that pfsense is not a hop in the path, and therefor will not send back icmp on your 0 TTL hop..
-
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
@jknott said in IPv6 traceroute not showing first hop (pfSense):
That MAC is for my desktop computer.
And how is that???
Where is pfsense mac in this trace... If pfsense is not a HOP, and doesn't lower the TTL then no it wouldn't respond with icmp..
You see from my above sniff... That mac is pfsense interface.. and my raspberry pi sending the trace.. How is the dest mac in your sniff your PC? When it should be the mac address of your pfsense interface that is the gateway for your client doing the trace.
On the desktop computer:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 74:d4:35:5b:f5:fa brd ff:ff:ff:ff:ff:ffAnd pfSense firewall:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
ether 00:16:17:a7:f2:d3
hwaddr 00:16:17:a7:f2:d3Whether captured on pfSense or desktop computer, the packets between them should show the same MAC addresses. The WAN link will have the pfSense & ISP MACs. The capture I posted about 41 minutes ago was on the LAN side, caputerd in Wireshark on the desktop. The one 4 days ago was on the WAN link, captured with Packet Capture on pfSense. Regardless, whether I have packet captures or not, pfSense is not responding to the traceroute time outs, as I showed with the command line capture earlier. There is only one path from my local network to the Internet and that is via pfSense and cable modem.
-
Ok now that we have cleared that up... Are you doing any policy routing? Are you doing any port forwarding... Have you modified any tunables?
I can not duplicate this problem.. Pfsense should answer these out of the box. So have you tried icmp traceroute?
-
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
Ok now that we have cleared that up... Are you doing any policy routing? Are you doing any port forwarding... Have you modified any tunables?
No to all the above. Also, given that pfSense is the first hop, why should routing or port forwarding make a difference? An IPv6 packet with a hop limit of 1 should always trigger a TTL timeout without exception.
I can not duplicate this problem.. Pfsense should answer these out of the box. So have you tried icmp traceroute?
Yes and same thing.
-
I've just noticed something else. IPv6 pings to the WAN interface also fail. IPv4 pings do work.
-
On my system, for both ipv4 and ipv6, the first hop is my ISP. All hops give an address and most of the will resolve. The result is similar for both udp and icmp.
-
@bimmerdriver said in IPv6 traceroute not showing first hop (pfSense):
On my system, for both ipv4 and ipv6, the first hop is my ISP. All hops give an address and most of the will resolve. The result is similar for both udp and icmp.
When I do a traceroute, on IPv4, from a computer behind my pfSense firewall, pfSense is the first hop and the first one beyond doesn't show an address. At the moment, there's a problem with my ISP providing IPv6, so I'll have to wait for that to be fixed before seeing what happens with IPv6.
-
@jknott said in IPv6 traceroute not showing first hop (pfSense):
@bimmerdriver said in IPv6 traceroute not showing first hop (pfSense):
On my system, for both ipv4 and ipv6, the first hop is my ISP. All hops give an address and most of the will resolve. The result is similar for both udp and icmp.
When I do a traceroute, on IPv4, from a computer behind my pfSense firewall, pfSense is the first hop and the first one beyond doesn't show an address. At the moment, there's a problem with my ISP providing IPv6, so I'll have to wait for that to be fixed before seeing what happens with IPv6.
Very strange. I'm doing the same thing, but getting a different result.
-
So your getting the results I get, where it just works out of the box @bimmerdriver
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz said in IPv6 traceroute not showing first hop (pfSense):
So your getting the results I get, where it just works out of the box @bimmerdriver
It works fine for me on IPv4, but not IPv6. As I mentioned above, my WAN port is not responding to pings on IPv6, but does on IPv4.
