PPPoE IPv6 + Hurricane Electric IPv6 - Asymmetric routing / no ping from external to PPPoE-assigned IPv6 address possible, despite that, everything is working...?
-
Do you have IPv6 enabled on the PPPoE interface, if yes why? Disable it there, you don't need it with a he.net tunnel.
-
@4920441-0 said in PPPoE IPv6 + Hurricane Electric IPv6 - Asymmetric routing / no ping from external to PPPoE-assigned IPv6 address possible, despite that, everything is working...?:
The funny thing is, I use the IPv6 assigned IP address on the pfSense for connecting to two IPsec endpoints in the internet which works fine - despite the fact it seems to be problematic regarding PMTU.
First, that has nothing to do with this problem, because yes of course if I had only one IPv6 default route the problem would exist, because there is only one route to go - yes of course I have enabled IPv6 on PPPoE, else there would not be an IPv6 address nor could it work in any way I have described...
Since when shouldn't pfSense be able to have more than one default route in the first place?
Second, I use the native IPv6 - as mentioned above - ('The funny thing is, I use the IPv6 assigned IP address on the pfSense for connecting to two IPsec endpoints in the internet which works fine - despite the fact it seems to be problematic regarding PMTU.') for two IPsec connections; since the latency is only about 8 ms compared to approx. 18 ms, it's much nicer this way.
The routing itself, if it is initiated by pfSense itself, works without problems, but the problem lies in the incoming queue somewhere, since received ICMPv6 packets are sent out to the wrong interface.
Only using one interface is not a solution....
Cheers,
4920441
-
@4920441-0 said in PPPoE IPv6 + Hurricane Electric IPv6 - Asymmetric routing / no ping from external to PPPoE-assigned IPv6 address possible, despite that, everything is working...?:
Since when shouldn't pfSense be able to have more than one default route in the first place?
Read up on what a default route is, you can only have one for IPv4 and one for IPv6. Use policy routing if you need more than one gateway.
-
Sure - regarding I would like to route packets from an internal network to another network.
Since this is an interface route (packet comes in from somewhere on the pppoe interface), the reply has to be sent out through the interface it came in (pppoe).
Your suggestion would be true if initiating a connection via the IPv6 part directly on the firewall or through a connected IPv6 subnet did not work - but that part is absolutely working fine!
Only 'non-state' incoming packets are sent out via the standard default route, and that should not be the case, since they should be bound to an interface route, not to a default and not to a policy-based route.
It's as easy as that; broken down to IPv4, it's nearly the same:
If you have two interfaces
192.168.1.1
172.16.1.1
and you ping the interface 192.168.1.1 - the packet is received by 192.168.1.1 and replied by 192.168.1.1 and NOT by 172.16.1.1 - even if it would be the set default route.
That is not working right now in IPv6 context as mentioned.
Cheers
4920441
P.S.: If I set the IPv6 'default gw' to 'none' - and make some policy-based rules as you mentioned - as I had not tried that before - everything else is working fine, but the same problem comes up... If I have one rule allowed to from HE tunnel which is used for outgoing, the other policy rule regarding incoming connections on the pppoe interface are routed through the appropriate gateway back the same happens! Every incoming ICMP packet on the pppoe interface is routed via the HE tunnel - despite all policy-based routes.
It only works if I set the pppoe IPv6 gateway as default gateway, then incoming packets are also sent out where they are received.... but then my policy-based routes through the Hurricane tunnel don't work any more.
-
@4920441-0 said in PPPoE IPv6 + Hurricane Electric IPv6 - Asymmetric routing / no ping from external to PPPoE-assigned IPv6 address possible, despite that, everything is working...?:
It only works if I set the pppoe IPv6 gateway as default gateway, then incoming packets are also sent out where they are received.... but then my policy-based routes through the Hurricane tunnel don't work any more.
Then you need to fix your rules for policy routing, show screenshots if you can't do it yourself.
-
Ok ok.... I clean up all my policy based rules once again, and when I am down to only a couple of rules and it's still not working I'll come back to you.
Cheers,
4920440
-
So, lastly, I got the following:
I completely disabled all default ipv6 gateways.
And two pairs of 'floating' rules, with the 'Apply the action immediately on match' flag, so they should only be the first rules which match.
The first two are for the WAN IPv6 address (this is the address which is tried to be pinged from an external IPv6 network).
One for incoming, one for outgoing traffic - just to be sure.
The second two are for the LAN IPv6 subnet (which is still Hurricane Electric's), the same: one for in, one for out.
And the symptoms are exactly the same! HE still works in any direction, but the WAN IPv6 address receives ICMP Req on its interface but pfSense sends it out on the Hurricane Electric interface - WITHOUT any default route activated and with the policy-based route that every packet which is received or sent on the pppoe interface should get the pppoe IPv6 gateway as next hop.
Even worse: the floating rule does not catch any traffic at all, although it should.
Did I mention that the floating rule for Hurricane Electric works? Maybe it has something to do with a faulty implementation of the DHCPv6 over pppoe implementation?
-
I bet if I switch to the dev branch, suddenly everything is working fine....
-
@4920441-0 And why should that be? Besides if you were reading the announcements about the changes in the dev-version you wouldn't talk about that.
-
Simple: because it's a pppoe related bug.
I got another IPv6 network on another interface propagated via SLAAC and it is also routed; this one is pingable without any problems.
Only pppoe connections via DHCP over pppoe behave strange...
Cheers,
-
I have been working on a similar setup. Dual WAN IPv4+IPv6. I get native IPv4 from my ISP. For IPv6 I have been using Hurricane Electric for at least a decade. Recently, I stumbled upon a tunnel service that does both IPv4 and IPv6. This makes it possible to rather easily move services, yet keeping IPs the same, both IPv4 and IPv6.
But that's more of a backstory. I have been researching quite the same problem you describe. Packets that are generated on the router (e.g. ICMP TTL Exceeded when doing a traceroute) should be sent back through the same interface they entered, but for IPv6, this doesn't work.
It seems that in FreeBSD, the backing operating system for pfSense, this is simply not implemented for IPv6. There is code in review for this, but it may take some more time before that reaches FreeBSD itself, and consequently pfSense.
Hope this helps.
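
Added example, not part of any post in this thread: a small Python check that pairs ICMPv6 echo requests with their replies across per-interface captures and reports replies that left on a different interface than the request arrived on, which is the symptom described above. The interface names `pppoe0` and `gif0`, the documentation-prefix addresses and the tcpdump-style capture lines are constructed assumptions.

```python
import re

# Constructed sample: text captured separately on each interface (tcpdump-style
# lines). Interface names and 2001:db8::/32 addresses are assumptions.
CAPTURES = {
    "pppoe0": """\
12:00:01.000100 IP6 2001:db8:ffff::50 > 2001:db8:a::1: ICMP6, echo request, id 7, seq 1, length 16
12:00:02.000100 IP6 2001:db8:ffff::50 > 2001:db8:a::1: ICMP6, echo request, id 7, seq 2, length 16
""",
    "gif0": """\
12:00:01.000300 IP6 2001:db8:a::1 > 2001:db8:ffff::50: ICMP6, echo reply, id 7, seq 1, length 16
12:00:02.000300 IP6 2001:db8:a::1 > 2001:db8:ffff::50: ICMP6, echo reply, id 7, seq 2, length 16
12:00:03.000100 IP6 2001:db8:ffff::50 > 2001:db8:b::1: ICMP6, echo request, id 9, seq 1, length 16
12:00:03.000300 IP6 2001:db8:b::1 > 2001:db8:ffff::50: ICMP6, echo reply, id 9, seq 1, length 16
""",
}

# Matches echo request/reply lines; the "id" field is optional in some output.
LINE = re.compile(
    r"IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, echo (?P<kind>request|reply),"
    r"(?: id (?P<id>\d+),)? seq (?P<seq>\d+)"
)

def find_asymmetric(captures):
    """Return (requester, target, seq, in_iface, out_iface) for mismatched pairs."""
    requests = {}  # (requester, target, id, seq) -> interface the request was seen on
    replies = []   # (same key, interface the reply was seen on)
    for iface, text in captures.items():
        for line in text.splitlines():
            m = LINE.search(line)
            if not m:
                continue
            if m["kind"] == "request":
                requests[(m["src"], m["dst"], m["id"], m["seq"])] = iface
            else:
                # A reply swaps src and dst, so key it as (requester, target).
                replies.append(((m["dst"], m["src"], m["id"], m["seq"]), iface))
    findings = []
    for key, out_iface in replies:
        in_iface = requests.get(key)
        if in_iface is not None and in_iface != out_iface:
            findings.append((key[0], key[1], int(key[3]), in_iface, out_iface))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_asymmetric(CAPTURES):
        print("request in on %s, reply out on %s: %s -> %s seq %d"
              % (finding[3], finding[4], finding[0], finding[1], finding[2]))
```
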