Netgate Discussion Forum
    IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN

Forum: IPv6. 42 posts, 6 posters, 8.7k views.
smitheo1 (replying to jsnl):

      @jsnl said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

      2607:f8b0

      Yes. You should have a 16 /64 networks. The WAN IP should be a /64, which is what I see in both snapshots. It appears that your WAN DHCP6 is a 2607 address? It looks as if it should monitor the 2603 address from Comcast's WAN. That's what I see so far.

jsnl (replying to smitheo1):

        @smitheo1 said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

        It appears that your WAN DHCP6 is a 2607 address?

        No, that's just the IP that it pings every 2 seconds to see if the gateway is up or not. That 2607:f8b0:4003:c00::6a address is ipv6.google.com - the address I'm pinging to make sure I actually have ipv6 connectivity to the world and not just locally with Comcast. Once I get everything up and running I might change it to something locally on Comcast's domain, but for now I want to make sure I can see the internet in IPv6.

        Is there any log I can see to know if the actual /60 prefix exchange is successful? Can I sniff it on the firewall in any way? Or do I have to wireshark it with an external laptop?

smitheo1:

          Ok. I'm tracking.

          Yes. You can see the exchange with Wireshark from the client side. You should also be able to sniff the firewall as well. The firewall has the Packet Capture in the Diagnostics section. That's how I learned that something was not passing through.

smitheo1:
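The prefix-delegation exchange that jsnl asks about and smitheo1 suggests capturing is DHCPv6 over UDP (client port 546, server port 547), and the prefix the ISP hands out sits inside the Reply's IA_PD option. The decoder below is an added example, not code from this thread or from pfSense: it parses a raw DHCPv6 payload (for instance the UDP payload of one packet saved from Diagnostics > Packet Capture) and reports the delegated prefix and its lifetimes. The message it builds for itself is constructed, not a Comcast capture, and uses the documentation prefix 2001:db8:1230::/60.

```python
"""Decode the IA_PD option of a DHCPv6 Reply to confirm which prefix was delegated.

Added example (not from the forum thread or pfSense). The sample message is
constructed by hand: a DHCPv6 REPLY carrying one IA_PD with a single IAPREFIX
of 2001:db8:1230::/60. Feed parse_dhcpv6() the UDP payload of a real
port 546/547 packet to see the prefix your ISP actually delegated.
"""
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415)
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW",
             6: "REBIND", 7: "REPLY"}
OPT_STATUS_CODE = 13
OPT_IA_PD = 25
OPT_IAPREFIX = 26


def _iter_options(buf):
    """Yield (code, data) for a run of DHCPv6 options, refusing truncated ones."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("truncated option %d" % code)
        yield code, buf[off:off + length]
        off += length
    if off != len(buf):
        raise ValueError("trailing bytes after options")


def parse_ia_pd(data):
    """IA_PD body: IAID, T1, T2, then nested IAPREFIX / STATUS_CODE options."""
    if len(data) < 12:
        raise ValueError("IA_PD too short")
    iaid, t1, t2 = struct.unpack_from("!III", data, 0)
    prefixes, status = [], None
    for code, body in _iter_options(data[12:]):
        if code == OPT_IAPREFIX:
            if len(body) < 25:
                raise ValueError("IAPREFIX too short")
            preferred, valid, plen = struct.unpack_from("!IIB", body, 0)
            addr = ipaddress.IPv6Address(body[9:25])
            prefixes.append({
                "prefix": ipaddress.IPv6Network("%s/%d" % (addr, plen), strict=False),
                "preferred": preferred,
                "valid": valid,
            })
        elif code == OPT_STATUS_CODE and len(body) >= 2:
            status = struct.unpack_from("!H", body, 0)[0]
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes, "status": status}


def parse_dhcpv6(payload):
    """Parse one DHCPv6 message (UDP payload): type, transaction id, IA_PD list."""
    if len(payload) < 4:
        raise ValueError("message too short")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    result = {"type": MSG_TYPES.get(msg_type, str(msg_type)), "xid": xid, "ia_pd": []}
    for code, body in _iter_options(payload[4:]):
        if code == OPT_IA_PD:
            result["ia_pd"].append(parse_ia_pd(body))
    return result


def delegated_prefixes(payload):
    """Just the delegated prefixes, as strings such as '2001:db8:1230::/60'."""
    msg = parse_dhcpv6(payload)
    return [str(p["prefix"]) for ia in msg["ia_pd"] for p in ia["prefixes"]]


def build_sample_reply():
    """Constructed DHCPv6 REPLY (not a real capture): one IA_PD, one IAPREFIX /60."""
    iaprefix = struct.pack("!IIB", 3600, 7200, 60) + ipaddress.IPv6Address("2001:db8:1230::").packed
    iaprefix_opt = struct.pack("!HH", OPT_IAPREFIX, len(iaprefix)) + iaprefix
    ia_pd = struct.pack("!III", 1, 1800, 2880) + iaprefix_opt   # IAID=1, T1, T2
    ia_pd_opt = struct.pack("!HH", OPT_IA_PD, len(ia_pd)) + ia_pd
    return bytes([7]) + (0xABCDEF).to_bytes(3, "big") + ia_pd_opt


SAMPLE_REPLY = build_sample_reply()

if __name__ == "__main__":
    msg = parse_dhcpv6(SAMPLE_REPLY)
    print(msg["type"], hex(msg["xid"]))
    for ia in msg["ia_pd"]:
        for p in ia["prefixes"]:
            print("  delegated", p["prefix"], "valid", p["valid"], "s")
```

If a capture shows the Solicit/Request going out with IA_PD but the Reply comes back without one (or with a STATUS_CODE of NoPrefixAvail), the ISP is not delegating; if the Reply carries the expected /60 and the LAN still has no address, the problem is on the firewall side, not in the exchange.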

            Try taking a look around in /etc/defaults/rc.conf which is where the addresses are stored to see if something is active.

smitheo1 (edited):

              Sorry it's been a long time, but....what I have done was not use Track Interface. The LAN needs a (non routable IPv6) Static address. Make one up..... 2000:1000:AEAE:3000::1/64 for example. Check and verify if the WAN gateway in the Routing section is using a link-local address from the router. If so, add the Global IPv6 address to the Routing on the WAN interface and disable the link-local IPv6 address. The link-local one is not routable.

              If you set the WAN to /56 or whatever, then it's fine. Track Interface takes a routable IPv6 address and assigns it to the LAN, which is not how it's supposed to work, because that is a private network.

JKnott (replying to smitheo1):

                @smitheo1 said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                Sorry it's been a long time, but....what I have done was not use Track Interface. The LAN needs a (non routable IPv6) Static address. Make one up..... 2000:1000:AEAE:3000::1/64 for example. Check and verify if the WAN gateway in the Routing section is using a link-local address from the router. If so, add the Global IPv6 address to the Routing on the WAN interface and disable the link-local IPv6 address. The link-local one is not routable.

                If you set the WAN to /56 or whatever, then it's fine. Track Interface takes a routable IPv6 address and assigns it to the LAN, which is not how it's supposed to work, because that is a private network.
There appears to be a lot of nonsense in your post. For example, why would you assign a non-routable address to the LAN? Also, the one you used is routable. It's just not yours. Global Unique Addresses start with 2 or 3. Also, disabling the link-local address will break a lot of things such as neighbour and router discovery & advertisements and more. And link-local addresses are often used for routing in IPv6. Also, what the heck do you mean by "Track Interface takes a routable IPv6 address and assigns it to the LAN, which is not how it's supposed to work, because that is a private network."? Also, WAN addresses are often /128. In an earlier post you say it should be a /64 and in another, /128. Incidentally, that /128 plays no role in routing to the network. It is simply an address used to access the firewall/router.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

smitheo1 (replying to JKnott, edited):

                  @JKnott You use the Global Gateway's delegated network. Track Interface uses the Global Gateway's network to assign a delegated IPv6 address to the LAN.....bad idea. That's why a ton of people are having problems. What's being routed is the delegated network via the /64. 2000:: is a Global network, but the gateway modem's Global network should not overlap with the LAN because it's routable to the Internet.

The firewall/router automatically assigns the link-local as the WAN gateway.....it's not routable dude. IT GOES NOWHERE!!!!! Add the correct Global WAN IPv6 Gateway manually when that happens and turn off the link-local. The firewall already knows what that is.

                  Furthermore, the NAT is blocking all IPv6 by default, so I made the proper NAT.

[screenshot of the outbound NAT rule attached]

                  You obviously don't know how to provide a solution, because I am fully operational with IPv6. It's not nonsense to a certified engineer.

JKnott (replying to smitheo1):

                    @smitheo1 said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                    You obviously don't know how to provide a solution, because I am fully operational with IPv6. It's not nonsense to a certified engineer.

                    I have also been operational with IPv6 for over 9 years, initially with a 6in4 tunnel, but the past 3.5 years as provided by my ISP. What sort of engineer? I'm a Cisco CCNA and have been working with networks since before Ethernet and IP, in fact before packets were used. I also did Novell CNA & CNE, many years ago. I also did Electrical Engineering, with telecommunications systems for my elective subjects.

                    You introduced NAT to this thread. Why do you need NAT to get IPv6 working? I've never had to use it. NAT is a hack to get around the IPv4 address shortage, so there's no need for it with IPv6.

                    As for my working network, it uses DHCPv6-PD from my ISP. This provides a /128 WAN address for pfSense and a /56 prefix, which I can split into individual /64s. I currently use 3. I use track interface and it works fine. I also have some Unique Local Addresses configured. They work too, but can't reach the internet by using those addresses. Tell me again why you need NAT, manually configured addresses, etc., to get your network to work. Again, if you turn off link local (is that even possible?), you will break things that IPv6 depends on. Link local addresses are mandatory for IPv6. Every device capable of IPv6 has a link local address (FE80:: /16), even if it has no other IPv6 address.

smitheo1 (replying to JKnott):

@JKnott IPv6: this firewall software is so bugged....and I see people modifying the radvd to make it work. It's actually the Track Interface. What will happen if you use the Track Interface: the LAN will have an IP from the Global Gateway's pool when it actually needs a static address in the 2000 or above...omitting the Global IPv6's WAN network. When the lease expires (because it's tracking one of the 16 delegated /64s....with a /56), it will stop working and you will need to reboot the firewall to gain a new lease. That's not how it's supposed to be applied to the private LANs.

                      NAT is not a hack. It's a translation of private IP address to one public address. You need to use a static IPv6 that is not routable to the Internet, but will translate to the WAN's /128, which brings me to the next situation. It was all being blocked.

                      "Tell me again why you need NAT, manually configured addresses, etc., to get your network to work. Again, if you turn off link local (is that even possible?), you will break things that IPv6 depends on."

                      We were doing troubleshooting a long time ago while following Netgate's instructions and it didn't work. I then started observing the firewall logs and they were all blocked...localhosts and all. I created a manual NAT rule (because of the required link-local and local hosts including the LAN translations) that allows everything to be translated over the WAN and it started working.

                      When the Automatic Outbound NAT is checked, it's as if the product was locked down. IPv4 works just fine. Most of the time, it's the other way around.....the product works with most rules being applied to allow all traffic then can become locked down or blocked by an organization or person.

smitheo1:

                        Notice the COX entry. I had to manually add it because the link-local entry was automatically added. I went nowhere in the land of link-local.

[screenshot of the gateway list attached]

JKnott (replying to smitheo1):

                          @smitheo1 said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                          This firewall software is so bugged

                          Then how is it working so well for so many?

                          NAT is not a hack.

                          It was created to get around the address shortage, as there are nowhere near enough IPv4 addresses to go around. I am aware that it is also sometimes used to remap networks, to get around collisions caused by trying to merge 2 networks, where both are on the same RFC1918 address blocks. In short, it's again a hack to get around a problem caused by hack to get around the address shortage. If you can't get an IPv6 network operating properly, without NAT, then I would have to question your competence as an "engineer".

                          I went nowhere in the land of link-local.

                          Here is my gateway: fe80::217:10ff:fe9a:a199
                          That sure looks like a link local address to me.

smitheo1:

                            Note the LAN Interface. 2000:xxxx:xxxx:xxxx::1 x can be whatever you need as long as it's not 2600:xxxx....because it is the Global IPv6 gateway. The firewall will return an error that it's being used and overlaps with 2600:xxxx

[screenshot of the LAN interface configuration attached]

                            I requested a /62, so I use 4 /64 networks on the private interfaces, but it's actually 2 /64's in use.

smitheo1 (replying to JKnott):

                              @JKnott No it doesn't work for many. I don't teach certified individuals to call anything a hack and I'm glad that you don't have more than 20 years of experience now. Have a nice day, but you are just being a troll. I was here to help the gentleman at the beginning of this thread.

JKnott (replying to smitheo1):

                                @smitheo1 said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                                I was here to help the gentleman at the beginning of this thread.

                                I don't recall him asking to use NAT. You were the first to mention it. He was having issues and some of what he said indicates he doesn't fully understand how certain things work, such as not realizing that a link local address is entirely valid as a gateway address, as I have to my ISP. On my local network, the gateway is pfSense with an address fe80::1:1. Yep, that's another link local address as provided by pfSense to devices on my LAN. While the OP may have issues, NAT is not the answer.

                                As for myself, I have been working with networks, going back to 1978 (Air Canada reservation system on a proprietary Rockwell Collins network). I first learned about IPv4 in 1995, incidentally about the same time I first heard of IPv6. In addition to IP & Ethernet, I have also worked with SNA, token ring, DECnet and IPX. I also worked at IBM, providing 3rd level support, including on network issues. I have also completed network courses at a couple of local colleges and IBM, along with a lot of self study.

mrsunfire:

The biggest problem are dynamic prefixes. With that you can't assign a static LAN interface. You also can't use NPt because pfSense can't handle dynamic prefixes.

                                  Netgate 6100 MAX

JKnott (replying to mrsunfire):
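NPt, which mrsunfire mentions, is a 1:1 rewrite of the network prefix: hosts keep a stable inside prefix (typically a ULA) and the translator swaps in the delegated global prefix on the way out and back on the way in, host bits untouched. The code below is an added example, not pfSense's NPt implementation or PF's binat: it performs that rewrite for one static rule and shows why a changing delegation breaks such a rule, since the rule is only usable while its external prefix is still the one delegated. The ULA fd48:1a37:2160::/64 is taken from a later post in this thread; the global prefixes are constructed from the 2001:db8::/32 documentation range.

```python
"""Network Prefix Translation (NPt) between a stable ULA and a delegated GUA.

Added example, not pfSense code. Performs the prefix rewrite NPt does
(RFC 6296 style, without its checksum-neutral adjustment) and checks whether a
static rule is still valid against the currently delegated prefix. The ULA is
from the thread; the global prefixes are constructed from 2001:db8::/32.
"""
import ipaddress


def translate(addr, src_net, dst_net):
    """Rewrite addr's prefix from src_net to dst_net, keeping the host bits."""
    src = ipaddress.IPv6Network(src_net)
    dst = ipaddress.IPv6Network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt needs equal-length prefixes")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError("%s is not inside %s" % (ip, src))
    host_mask = (1 << (128 - src.prefixlen)) - 1
    host_bits = int(ip) & host_mask
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)


class NptRule:
    """One static NPt rule: internal (ULA) prefix <-> external (delegated GUA) prefix."""

    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)

    def outbound(self, addr):
        """LAN host -> address the Internet sees."""
        return translate(addr, str(self.internal), str(self.external))

    def inbound(self, addr):
        """Address the Internet used -> LAN host."""
        return translate(addr, str(self.external), str(self.internal))

    def still_valid(self, delegated):
        """False as soon as the ISP delegates a prefix that no longer contains the rule's external one."""
        return self.external.subnet_of(ipaddress.IPv6Network(delegated))


if __name__ == "__main__":
    rule = NptRule("fd48:1a37:2160::/64", "2001:db8:1230:1::/64")
    out = rule.outbound("fd48:1a37:2160::1234")
    print("outbound:", out, " inbound:", rule.inbound(out))
    print("rule valid for 2001:db8:1230::/60:", rule.still_valid("2001:db8:1230::/60"))
    print("rule valid for 2001:db8:4560::/60:", rule.still_valid("2001:db8:4560::/60"))
```

The last two lines are the dynamic-prefix problem in miniature: the hosts' ULA addresses do not change, but the moment the delegation moves from 2001:db8:1230::/60 to something else the rule's external prefix is no longer yours, and every translated packet leaves with a source address the ISP will not route back.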

                                    @mrsunfire said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

The biggest problem are dynamic prefixes. With that you can't assign a static LAN interface.

                                    With DUID, the prefix should be essentially static. There's a setting "Do not allow PD/Address release" on the WAN page to prevent the prefix from being released.

mrsunfire:

                                      True, but if the connection is failing for more than 1 hour my ISP give me a new prefix whatever I do.

smitheo1 (replying to JKnott):
                                        @JKnott said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                                        Here is my gateway: fe80::217:10ff:fe9a:a199
                                        That sure looks like a link local address to me.

                                        That routes to nowhere. Quit kidding yourself. 🤣 🤣 🤣 🤣

JKnott (replying to smitheo1, edited):

                                          @smitheo1 said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                                          @JKnott

                                          @JKnott said in IPv6 WAN Track Interface not assigning addresses to LAN/Public LAN:

                                          Here is my gateway: fe80::217:10ff:fe9a:a199
                                          That sure looks like a link local address to me.

                                          That routes to nowhere. Quit kidding yourself. 🤣 🤣 🤣 🤣

                                          Here's what my computer, running Linux, shows:

                                          ip -6 route show
                                          2607:fea8:4c81:673::/64 dev eth0 proto kernel metric 256 expires 86389sec pref medium
                                          fd48:1a37:2160::/64 dev eth0 proto kernel metric 256 expires 86389sec pref medium
                                          fe80::/64 dev eth0 proto kernel metric 256 pref medium
                                          default via fe80::1:1 dev eth0 proto ra metric 1024 expires 49sec hoplimit 64 pref medium

                                          Notice that default route at the bottom? That's a link local address pointing to pfSense.

                                          Now, on my pfSense box for the default route to my ISP:

                                          /root: route -6 show default
                                          route to: default
                                          destination: default
                                          mask: default
                                          gateway: fe80::217:10ff:fe9a:a199%re0
                                          fib: 0
                                          interface: re0
                                          flags: <UP,GATEWAY,DONE>
                                          recvpipe sendpipe ssthresh rtt,msec mtu weight expire
                                          0 0 0 0 1500 1 0

                                          Take a look at the gateway. That's also a link local address, pointing to my ISP.

On IPv6, link-local addresses are often used for routing, as shown in both examples above. With routing, all routing, all you need to know is how to get to the next hop. This could be a routable address, a link-local address (IPv6 only) or, in the case of a point-to-point link, the interface that connects to the next hop.

My pfSense box also has a routable address, assigned by my ISP. However, it's a /128, which means it can't be used to communicate with anything without being routed by pfSense.

                                          Please stop proving you're clueless about IPv6.

johnpoz, LAYER 8 Global Moderator (edited):
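The scope rules JKnott invokes (Global Unicast in 2000::/3, Unique Local in fc00::/7, link-local in fe80::/10) and the two route listings above can be checked mechanically rather than by eye. The script below is an added example, not from this thread or from pfSense: it classifies an address by scope, extracts the default next hop from Linux `ip -6 route show` and FreeBSD `route -6 show default` output, and applies the one rule a link-local next hop really needs, an outgoing interface (the `dev eth0` or `%re0` zone), since fe80::/10 is ambiguous without one. The route text is copied from JKnott's post, 2000:1000:aeae:3000::1 and fd48:1a37:2160:: are from earlier posts, and 2001:db8::1 is a documentation-space placeholder.

```python
"""Classify IPv6 addresses by scope and sanity-check default-route next hops.

Added example, not from the forum posts or pfSense. ROUTE_TEXT and FREEBSD_TEXT
are the listings posted in the thread; the other addresses come from earlier
posts except 2001:db8::1, which is a documentation-range placeholder.
"""
import ipaddress
import re

# Most specific first: fe80::/10 and fc00::/7 would otherwise never be hit
# before a broader match.
SCOPES = [
    ("link-local", ipaddress.IPv6Network("fe80::/10")),
    ("unique-local (ULA)", ipaddress.IPv6Network("fc00::/7")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global unicast (GUA)", ipaddress.IPv6Network("2000::/3")),
]

ROUTE_TEXT = """\
2607:fea8:4c81:673::/64 dev eth0 proto kernel metric 256 expires 86389sec pref medium
fd48:1a37:2160::/64 dev eth0 proto kernel metric 256 expires 86389sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1:1 dev eth0 proto ra metric 1024 expires 49sec hoplimit 64 pref medium
"""

FREEBSD_TEXT = """\
route to: default
destination: default
mask: default
gateway: fe80::217:10ff:fe9a:a199%re0
fib: 0
interface: re0
flags: <UP,GATEWAY,DONE>
"""

LINUX_DEFAULT = re.compile(r"^default via (\S+) dev (\S+)")
FREEBSD_GATEWAY = re.compile(r"^\s*gateway:\s*(\S+)")


def split_zone(text):
    """'fe80::1%re0' -> ('fe80::1', 're0'); zone is None when absent."""
    addr, _, zone = text.partition("%")
    return addr, (zone or None)


def classify(text):
    """Scope name for an address (zone suffix allowed), or 'unassigned/other'."""
    addr, _ = split_zone(text)
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPES:
        if ip in net:
            return name
    return "unassigned/other"


def is_valid_next_hop(text, interface=None):
    """GUA and ULA next hops stand alone; a link-local one needs an interface.

    The interface may come from a '%zone' suffix (BSD) or from the route's
    'dev' field (Linux). Without it a link-local hop is ambiguous, not wrong.
    """
    addr, zone = split_zone(text)
    scope = classify(addr)
    if scope == "link-local":
        return (zone or interface) is not None
    return scope in ("global unicast (GUA)", "unique-local (ULA)")


def default_next_hops(text):
    """(gateway, interface, scope) for each default route in Linux or FreeBSD output."""
    hops = []
    for line in text.splitlines():
        m = LINUX_DEFAULT.match(line)
        if m:
            gw, zone = split_zone(m.group(1))
            hops.append((gw, zone or m.group(2), classify(gw)))
            continue
        m = FREEBSD_GATEWAY.match(line)
        if m:
            gw, zone = split_zone(m.group(1))
            hops.append((gw, zone, classify(gw)))
    return hops


if __name__ == "__main__":
    for a in ("2000:1000:aeae:3000::1", "2607:f8b0:4003:c00::6a",
              "fd48:1a37:2160::1", "fe80::217:10ff:fe9a:a199%re0"):
        print("%-32s %s" % (a, classify(a)))
    for gw, dev, scope in default_next_hops(ROUTE_TEXT) + default_next_hops(FREEBSD_TEXT):
        print("default via %s on %s: %s, usable=%s" % (gw, dev, scope, is_valid_next_hop(gw, dev)))
```

Both defaults in the thread come back as link-local with an interface attached, which is exactly the shape an RA-learned gateway has; 2000:1000:aeae:3000::1 classifies as global unicast, so handing it to a LAN does not make it private, it makes it someone else's.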

Let me get this right.. You're suggesting the OP use whatever they want - ie just pull some address block out of the air and use it locally.. And then NAT that to the IPv6 WAN address he gets..

                                            That is your solution?

                                            Sorry dude but that is not a solution, that is a HACK... And not what the OP was asking for at all, that is not teaching anyone anything..

                                            Why did this thread get brought back from the dead in the first place - this is from oct 2018??

                                            If someone is having a problem with ipv6 working on pfsense, then it should be correctly troubleshot to figure out why.. Not setup some nonsense ipv6 nat..

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.