No traffic gets past HE ipv6 tunnel
-
I was kidding, I know what lagg is, but never used it - don't need it.
The thing is : for that small detail, everything looks good.
Just to be sure :
The gateway tab :
and
edit : and because he.net is some kind of ISP for you and me, always keep an eye on https://tunnelbroker.net/status.php
and the he.net users forum : the POPs stop working once in a while.
-
@Gertjan thanks for your input. Unfortunately it all looks correct.
The only major difference I seem to have is my multi-wan setup. My gateways tab looks like so:
You seem to be using a different monitoring IP though, but that shouldn't be an issue.
What I tried so far:
- ruled out name resolution, by directly pinging ipv6 address.
- ruled out wrong routes from client by pinging directly from pfsense to ipv6 address.
Since you mentioned the tunnelbroker.net status page, all tunnel servers are up and running at the time of my testing.
-
@toskium said in No traffic gets past HE ipv6 tunnel:
different monitoring IP though
I've used one of my own servers to ping-reply for dpinger.
Using the console / SSH access, option 8, you can ping6 to some host ?
-
I have PPPoE and he.net myself; to make it work for me I had to set MTU to 1472 and MSS to 1440 on the gif interface.
On tunnelbroker.net the MTU is set to 1472.
-
Same thing here :
Although my WAN is connected to my ISP router, I know this router is doing PPPoE on the ADSL side.
edit : and yes, on the he.net side MTU is set to 1472.
-
@Gertjan @kiokoman
I tried what you just suggested, unfortunately no change in the behaviour.
I can't even ping the tunnel server ipv6 endpoint address even though the tunnel is up.
In theory I would need to be able to ping the ipv6 tunnel server address from my pfsense when selecting the HE tunnel interface.
-
but the tunnel shows it's up, can you ping from pfsense that 2001:470:6c ::1 and ::2 ?
-
@kiokoman I can ping myself -> ::2 but I can not ping the tunnel end at HE with -> ::1.
I am mystified :-)
-
If you can't ping6 the remote part of the tunnel, the he.net POP, the one ending with ::1 then I advise you to use ping6 with some parameters, like :
ping6 -I gif0 2001:470:1f12:5c0::1
To force it to use the correct interface.
You can get the interface name with
ifconfig
Btw : starts to look like a routing issue.
You have no IPv6 activated on your WAN_DHCP and WAN2_PPPOE as these are IPv4 only (are they ?).
-
ping6 -I gif0 -c 3 2001...
works fine. So the tunnel by itself is working.
What I do not yet understand is why that doesn't work from the GUI diagnostic ping when I specifically set the interface to the HE gif0 interface. In theory it should deliver the same result.
WAN:
WAN2:
I do not see any other ipv6 related interfaces in the whole config.
-
That's the current ipv6 routing table:
Destination                          Gateway              Flags Use   Mtu   Netif Expire
default                              2001:470:6c:aaaa::1  UGS   151   1500  gif0
::1                                  link#19              UH    1747  16384 lo0
2001:470:20::2                       2001:470:6c:aaaa::1  UGHS  0     1500  gif0
2001:470:6c:aaaa::1                  link#43              UH    23260 1280  gif0
2001:470:6c:aaaa::2                  link#43              UHS   6     16384 lo0
2001:470:6d:aaaa::/64                link#32              U     6249  1500  lagg0.4088
2001:470:6d:aaaa::1                  link#32              UHS   0     16384 lo0
2001:4860:4860::8888                 2001:470:6c:aaaa::1  UGHS  0     1500  gif0
fe80::%igb0/64                       link#1               U     0     1500  igb0
fe80::8261:5fff:fe04:ea3f%igb0       link#1               UHS   0     16384 lo0
fe80::%lo0/64                        link#19              U     0     16384 lo0
fe80::1%lo0                          link#19              UHS   0     16384 lo0
fe80::%lagg0/64                      link#23              U     0     1500  lagg0
fe80::208:a2ff:fe11:5f66%lagg0       link#23              UHS   0     16384 lo0
fe80::%igb0.7/64                     link#24              U     0     1500  igb0.7
fe80::8261:5fff:fe04:ea3f%igb0.7     link#24              UHS   0     16384 lo0
fe80::%lagg0.4081/64                 link#25              U     0     1500  lagg0.4081
fe80::208:a2ff:fe11:5f66%lagg0.4081  link#25              UHS   0     16384 lo0
fe80::%lagg0.4082/64                 link#26              U     21    1500  lagg0.4082
fe80::208:a2ff:fe11:5f66%lagg0.4082  link#26              UHS   0     16384 lo0
fe80::%lagg0.4083/64                 link#27              U     0     1500  lagg0.4083
fe80::208:a2ff:fe11:5f66%lagg0.4083  link#27              UHS   0     16384 lo0
fe80::%lagg0.4084/64                 link#28              U     0     1500  lagg0.4084
fe80::208:a2ff:fe11:5f66%lagg0.4084  link#28              UHS   0     16384 lo0
fe80::%lagg0.4085/64                 link#29              U     0     1500  lagg0.4085
fe80::208:a2ff:fe11:5f66%lagg0.4085  link#29              UHS   0     16384 lo0
fe80::%lagg0.4086/64                 link#30              U     0     1500  lagg0.4086
fe80::208:a2ff:fe11:5f66%lagg0.4086  link#30              UHS   0     16384 lo0
fe80::%lagg0.4087/64                 link#31              U     0     1500  lagg0.4087
fe80::208:a2ff:fe11:5f66%lagg0.4087  link#31              UHS   0     16384 lo0
fe80::%lagg0.4088/64                 link#32              U     619   1500  lagg0.4088
fe80::208:a2ff:fe11:5f66%lagg0.4088  link#32              UHS   0     16384 lo0
fe80::%lagg0.4000/64                 link#33              U     0     1500  lagg0.4000
fe80::208:a2ff:fe11:5f66%lagg0.4000  link#33              UHS   0     16384 lo0
fe80::%lagg0.20/64                   link#34              U     0     1500  lagg0.20
fe80::208:a2ff:fe11:5f66%lagg0.20    link#34              UHS   0     16384 lo0
fe80::%lagg0.30/64                   link#35              U     0     1500  lagg0.30
fe80::208:a2ff:fe11:5f66%lagg0.30    link#35              UHS   0     16384 lo0
fe80::%lagg0.40/64                   link#36              U     0     1500  lagg0.40
fe80::208:a2ff:fe11:5f66%lagg0.40    link#36              UHS   0     16384 lo0
fe80::%lagg0.50/64                   link#37              U     0     1500  lagg0.50
fe80::208:a2ff:fe11:5f66%lagg0.50    link#37              UHS   0     16384 lo0
fe80::%lagg0.60/64                   link#38              U     0     1500  lagg0.60
fe80::208:a2ff:fe11:5f66%lagg0.60    link#38              UHS   0     16384 lo0
fe80::%lagg0.70/64                   link#39              U     0     1500  lagg0.70
fe80::208:a2ff:fe11:5f66%lagg0.70    link#39              UHS   0     16384 lo0
fe80::%lagg0.80/64                   link#40              U     0     1500  lagg0.80
fe80::208:a2ff:fe11:5f66%lagg0.80    link#40              UHS   0     16384 lo0
fe80::%lagg0.90/64                   link#41              U     0     1500  lagg0.90
fe80::208:a2ff:fe11:5f66%lagg0.90    link#41              UHS   0     16384 lo0
fe80::%pppoe0/64                     link#42              U     0     1492  pppoe0
fe80::208:a2ff:fe11:5f66%pppoe0      link#42              UHS   0     16384 lo0
fe80::%gif0/64                       link#43              U     0     1500  gif0
fe80::8261:5fff:fe04:ea3f%gif0       link#43              UHS   0     16384 lo0
for better readability:
-
@toskium said in No traffic gets past HE ipv6 tunnel:
2001:470:20::2
what is it? ^
and why do you have google dns there ?
ah i see it's he net dns
-
@kiokoman this comes from my general DNS settings, the howto on docs.netgate.com stated to add google DNS servers in System > General Setup like so:
-
but i don't have any dns server on my routing table (i'm also using the /48 from he net)
Internet6:
Destination                       Gateway             Flags Netif Expire
default                           2001:470:25:xxx::1  UGS   gif0
::1                               link#4              UH    lo0
2001:470:25:xxx::1                link#9              UH    gif0
2001:470:25:xxx::2                link#9              UHS   lo0
2001:470:26:xxx::/64              link#2              U     em1
2001:470:26:xxx::1                link#2              UHS   lo0
2001:470:b4e1:xxx::/64            link#3              U     em2
2001:470:b4e1:xxx::1              link#3              UHS   lo0
fe80::%em0/64                     link#1              U     em0
fe80::5054:ff:fe3d:64cc%em0       link#1              UHS   lo0
fe80::%em1/64                     link#2              U     em1
fe80::5054:ff:fe91:db46%em1       link#2              UHS   lo0
fe80::%em2/64                     link#3              U     em2
fe80::5054:ff:fe27:556a%em2       link#3              UHS   lo0
fe80::%lo0/64                     link#4              U     lo0
fe80::1%lo0                       link#4              UHS   lo0
fe80::%em1.10/64                  link#8              U     em1.10
fe80::5054:ff:fe91:db46%em1.10    link#8              UHS   lo0
fe80::%gif0/64                    link#9              U     gif0
fe80::6097:dd62:2e35:991d%gif0    link#9              UHS   lo0
fe80::6097:dd62:2e35:991d%ovpnc1  link#10             UHS   lo0
-
@kiokoman fair enough, but how did they end up there? (I guess that's a rhetorical question...)
Removing them from System > General Setup does not purge them from the routing table.
Edit:
okay, restarting the gif0 interface purges them. It seems like they are added to the routing table when being entered in System > General Setup as a DNS server.
Now that I am able to ping the ipv6 address of the tunnel server over at HE (2001:470:....::1) using:
ping6 -I gif0 2001...
I should also be able to ping other ipv6 hosts, but I can't. For instance ipv6.google.com
ping6 -I gif0 2a00:1450:4005:803::200e
leads to 100% packet loss
-
manually delete it
route -6 del 2001:470:20::2 2001:470:6c:aaaa::1
route -6 del 2001:4860:4860::8888 2001:470:6c:aaaa::1
ok sorry i'm at work, i was too late on answering
i think you have discovered a bug there ^ ...
i have one of my pfsense with a route that appears at boot out of nowhere, i have set up an earlyshellscript to remove that offending route every time, since 2.4.4-p3
https://forum.netgate.com/topic/147254/lost-ipv6-connectivity-from-one-interface
-
Discovering bugs is fine :-) where can I report that properly so it has a chance of being fixed?
-
https://redmine.pfsense.org
-
@toskium said in No traffic gets past HE ipv6 tunnel:
@kiokoman this comes from my general DNS settings, the howto on docs.netgate.com stated to add google DNS servers in System > General Setup like so:
A bug, maybe - I'll add some @home and see what happens.
Why did you add all these DNS servers ?
You are aware that you don't need them ?? The resolver, out of the box is close to perfect. [ and then people start forwarding because ... / [ we never know why ] /..... and things go downhill ]
edit :
When I add these : ... the IPv6 of the DNS of he.net, I wind up seeing this :
in the routing table.
Which doesn't look 'wrong' to me, as 2001:470:20::2 should be reached over the interface gif0 = he.net = my (their) 2001:470:1f12:5xx::1
edit : and my IPv6 still works ....
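-
The pinned DNS host routes discussed in this thread (flags UGHS on gif0) can be listed with a short check. This is an added example, not part of any post above; the function names `sample_routes` and `pinned_host_routes` are hypothetical, and the sample rows are a constructed subset of the routing table posted earlier.

```shell
#!/bin/sh
# Added example: list static IPv6 host routes (flags G, H and S together)
# that are pinned to one interface and are not on an allowlist.

# Constructed sample: a few rows taken from the routing table in the thread.
sample_routes() {
cat <<'EOF'
Destination           Gateway              Flags Use   Mtu   Netif Expire
default               2001:470:6c:aaaa::1  UGS   151   1500  gif0
::1                   link#19              UH    1747  16384 lo0
2001:470:20::2        2001:470:6c:aaaa::1  UGHS  0     1500  gif0
2001:470:6c:aaaa::1   link#43              UH    23260 1280  gif0
2001:470:6c:aaaa::2   link#43              UHS   6     16384 lo0
2001:4860:4860::8888  2001:470:6c:aaaa::1  UGHS  0     1500  gif0
fe80::%gif0/64        link#43              U     0     1500  gif0
EOF
}

# pinned_host_routes IFACE [EXPECTED_DEST ...]
# Reads a routing table on stdin and prints "destination gateway" for every
# static host route on IFACE whose destination is not listed as expected.
pinned_host_routes() {
    iface=$1
    shift
    allowed=" $* "
    awk -v iface="$iface" -v allowed="$allowed" '
        # Route rows have a flags column starting with U; skip headers.
        $3 !~ /^U/ { next }
        {
            # Netif is the last column unless a numeric Expire follows it.
            netif = $NF
            if (netif ~ /^[0-9]+$/) netif = $(NF - 1)
            if (netif != iface) next
            # G = via gateway, H = host route, S = static (manually added).
            if ($3 !~ /G/ || $3 !~ /H/ || $3 !~ /S/) next
            if (index(allowed, " " $1 " ") == 0) print $1, $2
        }
    '
}

# Demo on the constructed sample. On a live FreeBSD/pfSense shell the input
# would be:  netstat -rn -f inet6 | pinned_host_routes gif0
sample_routes | pinned_host_routes gif0
```

Passing destinations after the interface name (for example `pinned_host_routes gif0 2001:470:20::2`) treats them as expected and leaves them out of the report.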