Netgate Discussion Forum

    Struggling to get basic IPv6 working...

    22 Posts 3 Posters 2.5k Views
    • SteveITS Galactic Empire

      The WAN side has to be in a different subnet than the LAN side, so routing can happen. So in effect with IPv6 and two routers (ISP and pfSense) the WAN subnet gets 18 quintillion addresses (a /64), and the LAN side another 18 quintillion. Also the WAN side is usually granted a /56 or something as indicated, so several more dozen quintillion are typically unused. This is so it can assign /64s to multiple routers if necessary... the ISP router has to be able to talk to all of those /64s.

      The temporary IPv6 is because "they" decided tracking was too easy with one IP per device, so software like a browser can request a unique/temporary IP. So perhaps if each software program gets an IP, it's good we have a few quintillion spares in our /64.

      As far as not pinging the pfSense WAN IP from the LAN, have you enabled the option to log packets from the default block rule in the log settings? That will at least tell you if the default block rule is blocking the attempt. Also check the firewall on the Windows PC.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • Lou Erickson

        No, I haven't got logging for the default block rules. I just looked for that and couldn't find where to turn it on. Do you know? If I can see packets blocked on IPv6 from my client, that definitely helps know it is some firewall fun.

        • SteveITS Galactic Empire

          Status/System Logs/Settings, check "Log packets matched from the default block rules in the ruleset". I usually just turn it on temporarily otherwise it will log a lot of stuff.

          • Lou Erickson

            I missed it in there. And look what I found when I turned it on:

            bogon network

            Apparently pfsense thinks my range is a bogon network.

            Question: Is it, or is pfSense's list out of date?

            That I know how to answer: whois tells me that 2603:3024::/32 is allocated to my ISP. So it's not a bogon, and my local pfsense's list must be outdated.

            Where is that kept, and how do I update it?

            I can disable it for now and see if it fixes things!

            • Lou Erickson

              Well, there's an option to control how often the bogon list is updated, but I've had this allocation a while (and whois says it's been registered since 17 Jan 2019), so it isn't a frequency problem. I do not know why my IP range is triggering that, and I can't see it, so it's hard to say.

              I disabled it to see if that let things work.

              Suddenly, in the general system log, I see:

              cannot route

              I don't know why it can't route that.

              • Lou Erickson @Lou Erickson

                That may be a red herring. I found more errors under the "gateways" tab on system logging, where it was failing to see one of the defined gateways. It was testing one I had set up while struggling earlier, but am not using. I erased it and the errors have stopped.

                I can still ping anything on both the WAN and LAN interfaces, but nothing from my clients.

                • JKnott @Lou Erickson

                  @Lou-Erickson said in Struggling to get basic IPv6 working...:

                  You say to ping the WAN address from the local client.
                  I see two WAN addresses; the one from the ISP, and the link-local fe80 one.

                  Ping the one with the /128 prefix. This will show you are able to at least reach another interface on your pfSense box. If that works, you can try something else, such as ipv6.google.com.

                  You can also try a test site, such as test-ipv6.com.

                  I don't know why those are getting addresses from 2603:3024:1f00:6201 instead of 2603:3024:1f00:6200, or why it gets two of them, but the link-local seems to make sense.

                  If you're using SLAAC on your LAN, you will have one consistent address and up to seven privacy addresses. You get a new one every day and they last about a week. You use the privacy address when you have outgoing connections, and the consistent one is used for incoming, such as for servers, etc.

                  That gateway address is correct and is provided by the RA. One difference, compared to IPv4, is that DHCP does not provide the gateway address, etc. So, RAs are always used to provide the prefix and gateway address.

                  I can not ping the WAN's link-local fe80::208:a2ff:fe0c:ecaf address. It says "Destination host unreachable".

                  You should not be able to ping that from devices on your LAN, as link-local addresses are not routable.

                  As for firewall rules, if you didn't add any, it should work out of the box.

                  You might also mention who your ISP is. Someone else might have experience with them.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • Lou Erickson @JKnott

                    First, let me say thank you for continuing to answer my questions and look at all these things I've posted. I know I've thrown a bunch of data out, but I don't know fully what you'll need to see to make sense of what's happening. I really appreciate your taking your time to reply!

                    Everyone on this forum has been very responsive and helpful, and I really appreciate it. So often forums are not very helpful and I often hesitate to go there. This one has been great. Thank you all for making it that way!

                    @JKnott said in Struggling to get basic IPv6 working...:

                    @Lou-Erickson said in Struggling to get basic IPv6 working...:

                    You say to ping the WAN address from the local client.
                    I see two WAN addresses; the one from the ISP, and the link-local fe80 one.

                    Ping the one with the /128 prefix. This will show you are able to at least reach another interface on your pfSense box. If that works, you can try something else, such as ipv6.google.com.

                    I don't see an address on the WAN interface with a /128. Both are a /64.

                    	inet6 fe80::208:a2ff:fe0c:ecaf%mvneta2 prefixlen 64 scopeid 0x8
                    	inet6 2603:3024:1f00:6200:208:a2ff:fe0c:ecaf prefixlen 64 autoconf
                    

                    The LAN interface lists the fe80::1:1 address.

                    From my client machine, I can ping fe80::1:1

                    Pinging fe80::208:a2ff:fe0c:ecaf returns "Destination host unreachable."
                    Pinging 2603:3024:1f00:6200:208:a2ff:fe0c:ecaf returns "Request timed out."

                    Pinging ipv6.google.com returns "Request timed out." but that isn't a surprise as we can't seem to ping through to the WAN side of pfsense.

                    That gateway address is correct and is provided by the RA. One difference, compared to IPv4, is that DHCP does not provide the gateway address, etc. So, RAs are always used to provide the prefix and gateway address.

                    Okay, but who's the RA here? This seems to be sending a sensible address, so is pfsense the RA?

                    As for firewall rules, if you didn't add any, it should work out of the box.

                    Following another guide, I added pass-all rules for IPv6 addresses, as only IPv4 was passed. They're in the first post; are they correct?

                    You might also mention who your ISP is. Someone else might have experience with them.

                    I'm using Comcast Business, with static IPs. Old habit not to shill for them, although the business people have been okay. From what I understand their IPv6 configuration is tolerable by now.
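As an added example (not pfSense code, and not from anyone in this thread), here is a small Python classifier for the addresses discussed above: it parses FreeBSD ifconfig `inet6` lines like the two WAN lines posted, and reports whether an address is link-local (so pinging it from another link fails by design), a special-purpose prefix that should never appear as a public source, or ordinary global unicast in 2000::/3. The SPECIAL table is the subset of the IANA special-purpose registry I am certain of; it is not pfSense's bogon feed, so it only shows what a true bogon would look like next to the 2603:3024::/32 allocation.

```python
# Added example, not pfSense code: classify the IPv6 addresses seen in this thread.
# SPECIAL is the subset of the IANA special-purpose registry I'm certain of; it is
# not pfSense's bogon feed.
import ipaddress
import re

# Prefixes that must never appear as a source on the public Internet.
SPECIAL = {
    "::/128": "unspecified", "::1/128": "loopback",
    "::ffff:0:0/96": "IPv4-mapped", "64:ff9b::/96": "NAT64",
    "100::/64": "discard-only", "2001:db8::/32": "documentation",
    "fc00::/7": "unique-local (ULA)", "fe80::/10": "link-local",
    "ff00::/8": "multicast",
}
# Most specific prefix first so it wins the match.
SPECIAL_NETS = sorted(((ipaddress.IPv6Network(p), n) for p, n in SPECIAL.items()),
                      key=lambda t: t[0].prefixlen, reverse=True)
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")  # all current allocations live here

# FreeBSD ifconfig line, e.g. "inet6 fe80::1%mvneta2 prefixlen 64 scopeid 0x8"
IFCONFIG_RE = re.compile(r"inet6\s+([0-9a-f:]+)(?:%(\S+))?\s+prefixlen\s+(\d+)(.*)", re.I)

def classify(addr: str) -> dict:
    """Name the address type and say whether a router should forward it."""
    ip = ipaddress.IPv6Address(addr)
    for net, name in SPECIAL_NETS:
        if ip in net:
            # Link-local answers pings on the SAME link (fe80::1:1 from the LAN);
            # from another link it is unreachable by design, not by firewall.
            return {"address": addr, "class": name,
                    "routable_off_link": False, "bogon": True}
    in_gua = ip in GLOBAL_UNICAST
    return {"address": addr, "class": "global unicast" if in_gua else "unallocated",
            "routable_off_link": in_gua, "bogon": not in_gua}

def parse_ifconfig_inet6(line: str) -> dict:
    """Parse one ifconfig inet6 line and classify its address."""
    m = IFCONFIG_RE.search(line)
    if not m:
        raise ValueError(f"not an inet6 line: {line!r}")
    addr, scope_if, plen, flags = m.groups()
    info = classify(addr)
    # 'autoconf' marks a SLAAC address learned from the upstream router's RA.
    info.update(prefixlen=int(plen), scope_if=scope_if,
                slaac="autoconf" in flags.split())
    return info

if __name__ == "__main__":
    for line in ("inet6 fe80::208:a2ff:fe0c:ecaf%mvneta2 prefixlen 64 scopeid 0x8",
                 "inet6 2603:3024:1f00:6200:208:a2ff:fe0c:ecaf prefixlen 64 autoconf"):
        print(parse_ifconfig_inet6(line))  # the two WAN lines posted in the thread
```

Run against the two WAN lines, the fe80 address comes back link-local (off-link unreachable, as JKnott says) and the 2603:3024:... address comes back as plain global unicast, so a "bogon network" block on it points at a stale list rather than at the address.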

                    • JKnott @Lou Erickson

                      @Lou-Erickson said in Struggling to get basic IPv6 working...:

                      I don't see an address on the WAN interface with a /128. Both are a /64.

                      You had one 12 hours ago.

                      Okay, but who's the RA here? This seems to be sending a sensible address, so is pfsense the RA?

                      RA = Router Advertisement. It comes from pfSense on the LAN side or your ISP on the WAN.

                      It seems to me someone else here was on Comcast Business, though I don't know who.

                      Also, it might be best if you were to start from scratch again, as you've made so many changes that it's hard to know where the problem is.

                      • Lou Erickson

                        Yes, I think that's best.

                        My copy of "IPv6 Essentials" has arrived, and I'm slowly reading it. I'll try again when I have more clue, and will start a new thread.

                        Thank you for all your help, and for keeping up with my flailing blindly about.

                        • JKnott @Lou Erickson

                          @Lou-Erickson said in Struggling to get basic IPv6 working...:

                          My copy of "IPv6 Essentials" has arrived

                          That is an excellent book for IPv6, though it's about the general principles and doesn't get into connecting to an ISP, DHCPv6-PD, etc. It's also a good idea to use Wireshark to examine what's actually on the wire.

                          BTW, I have copies of that book on both my computer and tablet.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.