Netgate Discussion Forum

    No traffic gets past HE ipv6 tunnel

      toskium @JKnott

      @JKnott don't know if the following is sufficient, let me know if you need to know more.

      ipv6 Routes on the pfsense look like so:

      c0b966ad-3b1d-4ad7-8542-b301243fad07-image.png

      the only ipv6 rule on the LAN interface is that:

      c6cf3d62-2391-4f26-9f36-6d841b3a3f5f-image.png

        JKnott @toskium

        @toskium

        Then you'll have to do some testing. For example you say you can't ping anything at the other end. Do you mean the tunnel end point? Or something on the LAN that the end point is connected to? The first is some hard error. The other is a routing issue. So, start with pinging end point to end point and if that's successful, go further. Also, is it a DNS issue, where pinging by host name fails? What about by IP address?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          Gertjan

          Probably not related, but this firewall rule won't introduce any issues :

          9675447f-0b28-4a0b-b059-22816407ce9e-image.png

          I'm using tunnel.he.net myself.

          I compared your routing table with mine.
          I found 3 differences :

          1 = I'm using pfBlockerNG(latest) : that's where my ::10.10.10.1 comes from.
          3 = I'm exposing a /64 out of the he.net's /46 for my VPN server, so I can use IPv4 and IPv6 for my road warriors.

          I'm sure 1 & 3 are actually not related.

          2=> Mine is attached to an interface 'em1'.
          Yours is a lagg ?? Now where did that lagg come from ? ( and what is it ? ^^)
          I advise you to go by the books : use an (one unique) LAN interface and make IPv6 work. When done, go lagg ...

          53b3f877-503b-4f5f-bb11-232911fde714-image.png

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            toskium @Gertjan

            @Gertjan Mine is on a lagg interface since the xg7100 does not have separate physical interfaces. The current config for the xg7100 is the result of a conversion from a SG3100. This was done by netgate support and they asked me in the process which switch port is supposed to be mapped on what interface, so that's the reason the interface looks as it does :-).

              Gertjan

              I was kidding, I know what lagg is, but never used it - don't need it.

              The thing is : for that small detail, everything looks good.

              Just to be sure :

              The gateway tab :

              1fc5fc1a-c1cf-4a99-8c94-253af2d00317-image.png

              and

              f53e866e-e7f3-4a3b-8dc8-73ff597818f7-image.png

              edit : and because he.net is some kind of ISP for you and me, always keep an eye on https://tunnelbroker.net/status.php
              and the he.net users forum : the POP's stop working once in a while.

                toskium @Gertjan

                @Gertjan thanks for your input. Unfortunately it all looks correct.
                The only major difference I seem to have is my multi-wan setup.

                My gateways tab looks like so:
                73bebbca-6e1b-4666-8cb9-1b29f56b27ae-image.png

                You seem to be using a different monitoring IP though, but that shouldn't be an issue.

                What I tried so far:

                • ruled out name resolution, by directly pinging ipv6 address.
                • ruled out wrong routes from client by pinging directly from pfsense to ipv6 address.

                Since you mentioned the tunnelbroker.net status page, all tunnel servers are up and running at the time of my testing.

                  Gertjan @toskium

                  @toskium said in No traffic gets past HE ipv6 tunnel:

                  different monitoring IP though

                  I use one of my own servers to ping-reply for dpinger.

                  25d92eb0-90cf-4a56-9aae-6d6402291fc5-image.png

                  Using the console / SSH access, option 8, you can ping6 to some host ?

                    kiokoman

                    i have pppoe and he.net myself, to make it work for me I had to set mtu to 1472 and mss to 1440 on the gif interface
                    on tunnelbroker.net the mtu is set to 1472

                    ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                    Please do not use chat/PM to ask for help
                    we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                    Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                      Gertjan

                      Same thing here :

                      ade87f5a-75c5-4719-8e66-7b822b075278-image.png

                      Although my WAN is connected to my ISP router, I know this router is doing pppoe on the ADSL side.

                      edit : and yes, on the he.net side MTU is set to 1472.

                        toskium @Gertjan

                        @Gertjan @kiokoman
                        I tried what you just suggested, unfortunately no change in the behaviour.
                        I can't even ping the tunnel server ipv6 endpoint address even though the tunnel is up.
                        In theory I would need to be able to ping the ipv6 tunnel server address from my pfsense when selecting the HE tunnel interface.

                          kiokoman

                          but the tunnel shows it's up, can you ping from pfsense that 2001:470:6c ::1 and ::2 ?


                            toskium @kiokoman

                            @kiokoman I can ping myself -> ::2 but I can not ping the tunnel end at HE with -> ::1.
                            I am mystified :-)

                              Gertjan

                              If you can't ping6 the remote part of the tunnel, the he.net POP, the one ending with ::1 then I advise you to use ping6 with some parameters, like :

                              ping6 -I gif0 2001:470:1f12:5c0::1
                              

                              To force it to use the correct interface.

                              You can get the interface name with

                              ifconfig
                              

                              Btw : starts to look like a routing issue.

                              You have no IPv6 activated on your WAN_DHCP and WAN2_PPPOE as these are IPv4 only (are they ?).

                                toskium @Gertjan

                                @Gertjan

                                ping6 -I gif0 -c 3 2001...
                                

                                works fine. So the tunnel by itself is working.

                                what I do not yet understand is why that doesn't work from the GUI diagnostic ping when I specifically set the interface to the HE gif0 interface. In theory it should deliver the same result.

                                WAN:
                                0ebe47a9-0ed3-4287-944f-1db7d88c33e0-image.png

                                WAN2:
                                84b93276-8524-4a07-8f68-aa6fabf87cc4-image.png

                                I do not see any other ipv6 related interfaces in the whole config.

                                    toskium

                                    That's the current ipv6 routing table:

                                    Destination	Gateway	Flags	Use	Mtu	Netif	Expire
                                    default	2001:470:6c:aaaa::1	UGS	151	1500	gif0	
                                    ::1	link#19	UH	1747	16384	lo0	
                                    2001:470:20::2	2001:470:6c:aaaa::1	UGHS	0	1500	gif0	
                                    2001:470:6c:aaaa::1	link#43	UH	23260	1280	gif0	
                                    2001:470:6c:aaaa::2	link#43	UHS	6	16384	lo0	
                                    2001:470:6d:aaaa::/64	link#32	U	6249	1500	lagg0.4088	
                                    2001:470:6d:aaaa::1	link#32	UHS	0	16384	lo0	
                                    2001:4860:4860::8888	2001:470:6c:aaaa::1	UGHS	0	1500	gif0	
                                    fe80::%igb0/64	link#1	U	0	1500	igb0	
                                    fe80::8261:5fff:fe04:ea3f%igb0	link#1	UHS	0	16384	lo0	
                                    fe80::%lo0/64	link#19	U	0	16384	lo0	
                                    fe80::1%lo0	link#19	UHS	0	16384	lo0	
                                    fe80::%lagg0/64	link#23	U	0	1500	lagg0	
                                    fe80::208:a2ff:fe11:5f66%lagg0	link#23	UHS	0	16384	lo0	
                                    fe80::%igb0.7/64	link#24	U	0	1500	igb0.7	
                                    fe80::8261:5fff:fe04:ea3f%igb0.7	link#24	UHS	0	16384	lo0	
                                    fe80::%lagg0.4081/64	link#25	U	0	1500	lagg0.4081	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4081	link#25	UHS	0	16384	lo0	
                                    fe80::%lagg0.4082/64	link#26	U	21	1500	lagg0.4082	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4082	link#26	UHS	0	16384	lo0	
                                    fe80::%lagg0.4083/64	link#27	U	0	1500	lagg0.4083	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4083	link#27	UHS	0	16384	lo0	
                                    fe80::%lagg0.4084/64	link#28	U	0	1500	lagg0.4084	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4084	link#28	UHS	0	16384	lo0	
                                    fe80::%lagg0.4085/64	link#29	U	0	1500	lagg0.4085	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4085	link#29	UHS	0	16384	lo0	
                                    fe80::%lagg0.4086/64	link#30	U	0	1500	lagg0.4086	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4086	link#30	UHS	0	16384	lo0	
                                    fe80::%lagg0.4087/64	link#31	U	0	1500	lagg0.4087	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4087	link#31	UHS	0	16384	lo0	
                                    fe80::%lagg0.4088/64	link#32	U	619	1500	lagg0.4088	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4088	link#32	UHS	0	16384	lo0	
                                    fe80::%lagg0.4000/64	link#33	U	0	1500	lagg0.4000	
                                    fe80::208:a2ff:fe11:5f66%lagg0.4000	link#33	UHS	0	16384	lo0	
                                    fe80::%lagg0.20/64	link#34	U	0	1500	lagg0.20	
                                    fe80::208:a2ff:fe11:5f66%lagg0.20	link#34	UHS	0	16384	lo0	
                                    fe80::%lagg0.30/64	link#35	U	0	1500	lagg0.30	
                                    fe80::208:a2ff:fe11:5f66%lagg0.30	link#35	UHS	0	16384	lo0	
                                    fe80::%lagg0.40/64	link#36	U	0	1500	lagg0.40	
                                    fe80::208:a2ff:fe11:5f66%lagg0.40	link#36	UHS	0	16384	lo0	
                                    fe80::%lagg0.50/64	link#37	U	0	1500	lagg0.50	
                                    fe80::208:a2ff:fe11:5f66%lagg0.50	link#37	UHS	0	16384	lo0	
                                    fe80::%lagg0.60/64	link#38	U	0	1500	lagg0.60	
                                    fe80::208:a2ff:fe11:5f66%lagg0.60	link#38	UHS	0	16384	lo0	
                                    fe80::%lagg0.70/64	link#39	U	0	1500	lagg0.70	
                                    fe80::208:a2ff:fe11:5f66%lagg0.70	link#39	UHS	0	16384	lo0	
                                    fe80::%lagg0.80/64	link#40	U	0	1500	lagg0.80	
                                    fe80::208:a2ff:fe11:5f66%lagg0.80	link#40	UHS	0	16384	lo0	
                                    fe80::%lagg0.90/64	link#41	U	0	1500	lagg0.90	
                                    fe80::208:a2ff:fe11:5f66%lagg0.90	link#41	UHS	0	16384	lo0	
                                    fe80::%pppoe0/64	link#42	U	0	1492	pppoe0	
                                    fe80::208:a2ff:fe11:5f66%pppoe0	link#42	UHS	0	16384	lo0	
                                    fe80::%gif0/64	link#43	U	0	1500	gif0	
                                    fe80::8261:5fff:fe04:ea3f%gif0	link#43	UHS	0	16384	lo0
                                    

                                    for better readability:
                                    e9f7ec0f-f645-4cac-afba-590cef7d8ff6-image.png

                                      kiokoman

                                      @toskium said in No traffic gets past HE ipv6 tunnel:

                                      2001:470:20::2

                                      what is it? ^
                                      and why do you have google dns there ?

                                      ah i see it's he net dns


                                        toskium @kiokoman

                                        @kiokoman this comes from my general DNS settings, the howto on docs.netgate.com stated to add google DNS servers in System > General Setup like so:

                                        b0cc0d12-6847-46cd-98b7-8350b8d61754-image.png

                                          kiokoman

                                          but i don't have any dns server on my routing table (i'm also using the /48 from he net)

                                          Internet6:
                                          Destination                       Gateway                       Flags     Netif Expire
                                          default                           2001:470:25:xxx::1            UGS        gif0
                                          ::1                               link#4                        UH          lo0
                                          2001:470:25:xxx::1                link#9                        UH         gif0
                                          2001:470:25:xxx::2                link#9                        UHS         lo0
                                          2001:470:26:xxx::/64              link#2                        U           em1
                                          2001:470:26:xxx::1                link#2                        UHS         lo0
                                          2001:470:b4e1:xxx::/64           link#3                        U           em2
                                          2001:470:b4e1:xxx::1             link#3                        UHS         lo0
                                          fe80::%em0/64                     link#1                        U           em0
                                          fe80::5054:ff:fe3d:64cc%em0       link#1                        UHS         lo0
                                          fe80::%em1/64                     link#2                        U           em1
                                          fe80::5054:ff:fe91:db46%em1       link#2                        UHS         lo0
                                          fe80::%em2/64                     link#3                        U           em2
                                          fe80::5054:ff:fe27:556a%em2       link#3                        UHS         lo0
                                          fe80::%lo0/64                     link#4                        U           lo0
                                          fe80::1%lo0                       link#4                        UHS         lo0
                                          fe80::%em1.10/64                  link#8                        U        em1.10
                                          fe80::5054:ff:fe91:db46%em1.10    link#8                        UHS         lo0
                                          fe80::%gif0/64                    link#9                        U          gif0
                                          fe80::6097:dd62:2e35:991d%gif0    link#9                        UHS         lo0
                                          fe80::6097:dd62:2e35:991d%ovpnc1  link#10                       UHS         lo0
                                          


                                            toskium @kiokoman

                                            @kiokoman fair enough, but how did they end up there? (I guess that's a rhetorical question...)
                                            Removing them from System > General Setup does not purge them from the routing table.

                                            Edit:
                                            okay, restarting the gif0 interface purges them. It seems like they are added to the routing table when being entered in System > General Setup as a DNS server.

                                            Now that I am able to ping the ipv6 address of the tunnel server over at HE (2001:470:....::1) using:

                                            ping6 -I gif0 2001...
                                            

                                            I should also be able to ping other ipv6 hosts, but I can't. For instance ipv6.google.com

                                            ping6 -I gif0 2a00:1450:4005:803::200e
                                            

                                            leads to 100% packet loss

                                            1 Reply Last reply Reply Quote 0
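
An added example, not code from any poster in this thread: a small Python parser for a pasted FreeBSD/pfSense IPv6 routing table that lists static host routes pinned to a gateway (such as the DNS-server entries discussed above) and interfaces whose routes carry more than one MTU value. The function names are made up for this example, and the sample rows are an excerpt of the table posted earlier in the thread with whitespace normalised.

```python
"""Audit a pasted IPv6 routing table (netstat -rn style) from pfSense/FreeBSD."""
from collections import defaultdict

# Excerpt of the routing table posted earlier in the thread (whitespace normalised).
SAMPLE = """\
Destination            Gateway              Flags  Use    Mtu    Netif  Expire
default                2001:470:6c:aaaa::1  UGS    151    1500   gif0
::1                    link#19              UH     1747   16384  lo0
2001:470:20::2         2001:470:6c:aaaa::1  UGHS   0      1500   gif0
2001:470:6c:aaaa::1    link#43              UH     23260  1280   gif0
2001:470:6c:aaaa::2    link#43              UHS    6      16384  lo0
2001:470:6d:aaaa::/64  link#32              U      6249   1500   lagg0.4088
2001:4860:4860::8888   2001:470:6c:aaaa::1  UGHS   0      1500   gif0
fe80::%gif0/64         link#43              U      0      1500   gif0
"""


def parse_routes(text):
    """Parse both layouts seen in the thread: with and without Use/Mtu columns."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] in ("Destination", "Internet6:"):
            continue  # blank lines, headers, family banner
        if len(f) >= 6 and f[3].isdigit() and f[4].isdigit():
            mtu, netif = int(f[4]), f[5]      # Destination Gateway Flags Use Mtu Netif
        else:
            mtu, netif = None, f[3]           # Destination Gateway Flags Netif
        routes.append({"dest": f[0], "gateway": f[1], "flags": f[2],
                       "mtu": mtu, "netif": netif})
    return routes


def pinned_host_routes(routes):
    """Static (S) host (H) routes sent via a gateway (G), not via a link."""
    return [r for r in routes
            if {"G", "H", "S"} <= set(r["flags"])
            and not r["gateway"].startswith("link#")]


def mtu_mismatches(routes):
    """Interfaces (loopback excluded) whose routes show more than one MTU."""
    seen = defaultdict(set)
    for r in routes:
        if r["mtu"] is not None and r["netif"] != "lo0":
            seen[r["netif"]].add(r["mtu"])
    return {ifc: sorted(m) for ifc, m in seen.items() if len(m) > 1}


if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for r in pinned_host_routes(table):
        print(f"pinned host route: {r['dest']} via {r['gateway']} on {r['netif']}")
    for ifc, mtus in mtu_mismatches(table).items():
        print(f"{ifc}: routes carry different MTUs {mtus}")
```
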
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.