Netgate Discussion Forum

    No traffic gets past HE ipv6 tunnel

    • T
      toskium @Gertjan
      last edited by toskium

      @Gertjan @kiokoman
      I tried what you just suggested, unfortunately no change in the behaviour.
      I can't even ping the tunnel server ipv6 endpoint address even though the tunnel is up.
      In theory I would need to be able to ping the ipv6 tunnel server address from my pfsense when selecting the HE tunnel interface.

      • kiokomanK
        kiokoman LAYER 8
        last edited by kiokoman

        But the tunnel shows it's up; can you ping that 2001:470:6c ::1 and ::2 from pfSense?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • T
          toskium @kiokoman
          last edited by toskium

          @kiokoman I can ping myself -> ::2 but I cannot ping the tunnel end at HE with -> ::1.
          I am mystified :-)

          • GertjanG
            Gertjan
            last edited by

            If you can't ping6 the remote part of the tunnel, the he.net POP, the one ending with ::1, then I advise you to use ping6 with some parameters, like:

            ping6 -I gif0 2001:470:1f12:5c0::1
            

            To force it to use the correct interface.

            You can get the interface name with

            ifconfig
            

            Btw: this starts to look like a routing issue.

            You have no IPv6 activated on your WAN_DHCP and WAN2_PPPOE as these are IPv4 only (are they?).

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • T
              toskium @Gertjan
              last edited by

              @Gertjan

              ping6 -I gif0 -c 3 2001...
              

              works fine. So the tunnel by itself is working.

              What I do not yet understand is why that doesn't work from the GUI diagnostic ping when I specifically set the interface to the HE gif0 interface. In theory it should deliver the same result.

              WAN:
              0ebe47a9-0ed3-4287-944f-1db7d88c33e0-image.png

              WAN2:
              84b93276-8524-4a07-8f68-aa6fabf87cc4-image.png

              I do not see any other ipv6 related interfaces in the whole config.

                • T
                  toskium
                  last edited by toskium

                  That's the current ipv6 routing table:

                  Destination	Gateway	Flags	Use	Mtu	Netif	Expire
                  default	2001:470:6c:aaaa::1	UGS	151	1500	gif0	
                  ::1	link#19	UH	1747	16384	lo0	
                  2001:470:20::2	2001:470:6c:aaaa::1	UGHS	0	1500	gif0	
                  2001:470:6c:aaaa::1	link#43	UH	23260	1280	gif0	
                  2001:470:6c:aaaa::2	link#43	UHS	6	16384	lo0	
                  2001:470:6d:aaaa::/64	link#32	U	6249	1500	lagg0.4088	
                  2001:470:6d:aaaa::1	link#32	UHS	0	16384	lo0	
                  2001:4860:4860::8888	2001:470:6c:aaaa::1	UGHS	0	1500	gif0	
                  fe80::%igb0/64	link#1	U	0	1500	igb0	
                  fe80::8261:5fff:fe04:ea3f%igb0	link#1	UHS	0	16384	lo0	
                  fe80::%lo0/64	link#19	U	0	16384	lo0	
                  fe80::1%lo0	link#19	UHS	0	16384	lo0	
                  fe80::%lagg0/64	link#23	U	0	1500	lagg0	
                  fe80::208:a2ff:fe11:5f66%lagg0	link#23	UHS	0	16384	lo0	
                  fe80::%igb0.7/64	link#24	U	0	1500	igb0.7	
                  fe80::8261:5fff:fe04:ea3f%igb0.7	link#24	UHS	0	16384	lo0	
                  fe80::%lagg0.4081/64	link#25	U	0	1500	lagg0.4081	
                  fe80::208:a2ff:fe11:5f66%lagg0.4081	link#25	UHS	0	16384	lo0	
                  fe80::%lagg0.4082/64	link#26	U	21	1500	lagg0.4082	
                  fe80::208:a2ff:fe11:5f66%lagg0.4082	link#26	UHS	0	16384	lo0	
                  fe80::%lagg0.4083/64	link#27	U	0	1500	lagg0.4083	
                  fe80::208:a2ff:fe11:5f66%lagg0.4083	link#27	UHS	0	16384	lo0	
                  fe80::%lagg0.4084/64	link#28	U	0	1500	lagg0.4084	
                  fe80::208:a2ff:fe11:5f66%lagg0.4084	link#28	UHS	0	16384	lo0	
                  fe80::%lagg0.4085/64	link#29	U	0	1500	lagg0.4085	
                  fe80::208:a2ff:fe11:5f66%lagg0.4085	link#29	UHS	0	16384	lo0	
                  fe80::%lagg0.4086/64	link#30	U	0	1500	lagg0.4086	
                  fe80::208:a2ff:fe11:5f66%lagg0.4086	link#30	UHS	0	16384	lo0	
                  fe80::%lagg0.4087/64	link#31	U	0	1500	lagg0.4087	
                  fe80::208:a2ff:fe11:5f66%lagg0.4087	link#31	UHS	0	16384	lo0	
                  fe80::%lagg0.4088/64	link#32	U	619	1500	lagg0.4088	
                  fe80::208:a2ff:fe11:5f66%lagg0.4088	link#32	UHS	0	16384	lo0	
                  fe80::%lagg0.4000/64	link#33	U	0	1500	lagg0.4000	
                  fe80::208:a2ff:fe11:5f66%lagg0.4000	link#33	UHS	0	16384	lo0	
                  fe80::%lagg0.20/64	link#34	U	0	1500	lagg0.20	
                  fe80::208:a2ff:fe11:5f66%lagg0.20	link#34	UHS	0	16384	lo0	
                  fe80::%lagg0.30/64	link#35	U	0	1500	lagg0.30	
                  fe80::208:a2ff:fe11:5f66%lagg0.30	link#35	UHS	0	16384	lo0	
                  fe80::%lagg0.40/64	link#36	U	0	1500	lagg0.40	
                  fe80::208:a2ff:fe11:5f66%lagg0.40	link#36	UHS	0	16384	lo0	
                  fe80::%lagg0.50/64	link#37	U	0	1500	lagg0.50	
                  fe80::208:a2ff:fe11:5f66%lagg0.50	link#37	UHS	0	16384	lo0	
                  fe80::%lagg0.60/64	link#38	U	0	1500	lagg0.60	
                  fe80::208:a2ff:fe11:5f66%lagg0.60	link#38	UHS	0	16384	lo0	
                  fe80::%lagg0.70/64	link#39	U	0	1500	lagg0.70	
                  fe80::208:a2ff:fe11:5f66%lagg0.70	link#39	UHS	0	16384	lo0	
                  fe80::%lagg0.80/64	link#40	U	0	1500	lagg0.80	
                  fe80::208:a2ff:fe11:5f66%lagg0.80	link#40	UHS	0	16384	lo0	
                  fe80::%lagg0.90/64	link#41	U	0	1500	lagg0.90	
                  fe80::208:a2ff:fe11:5f66%lagg0.90	link#41	UHS	0	16384	lo0	
                  fe80::%pppoe0/64	link#42	U	0	1492	pppoe0	
                  fe80::208:a2ff:fe11:5f66%pppoe0	link#42	UHS	0	16384	lo0	
                  fe80::%gif0/64	link#43	U	0	1500	gif0	
                  fe80::8261:5fff:fe04:ea3f%gif0	link#43	UHS	0	16384	lo0
                  

                  for better readability:
                  e9f7ec0f-f645-4cac-afba-590cef7d8ff6-image.png

                  • kiokomanK
                    kiokoman LAYER 8
                    last edited by kiokoman

                    @toskium said in No traffic gets past HE ipv6 tunnel:

                    2001:470:20::2

                    what is it? ^
                    and why do you have google dns there ?

                    ah i see it's he net dns

                    • T
                      toskium @kiokoman
                      last edited by

                      @kiokoman this comes from my general DNS settings, the howto on docs.netgate.com stated to add google DNS servers in System > General Setup like so:

                      b0cc0d12-6847-46cd-98b7-8350b8d61754-image.png

                      • kiokomanK
                        kiokoman LAYER 8
                        last edited by kiokoman

                        But I don't have any DNS server in my routing table (I'm also using the /48 from he.net)

                        Internet6:
                        Destination                       Gateway                       Flags     Netif Expire
                        default                           2001:470:25:xxx::1            UGS        gif0
                        ::1                               link#4                        UH          lo0
                        2001:470:25:xxx::1                link#9                        UH         gif0
                        2001:470:25:xxx::2                link#9                        UHS         lo0
                        2001:470:26:xxx::/64              link#2                        U           em1
                        2001:470:26:xxx::1                link#2                        UHS         lo0
                        2001:470:b4e1:xxx::/64           link#3                        U           em2
                        2001:470:b4e1:xxx::1             link#3                        UHS         lo0
                        fe80::%em0/64                     link#1                        U           em0
                        fe80::5054:ff:fe3d:64cc%em0       link#1                        UHS         lo0
                        fe80::%em1/64                     link#2                        U           em1
                        fe80::5054:ff:fe91:db46%em1       link#2                        UHS         lo0
                        fe80::%em2/64                     link#3                        U           em2
                        fe80::5054:ff:fe27:556a%em2       link#3                        UHS         lo0
                        fe80::%lo0/64                     link#4                        U           lo0
                        fe80::1%lo0                       link#4                        UHS         lo0
                        fe80::%em1.10/64                  link#8                        U        em1.10
                        fe80::5054:ff:fe91:db46%em1.10    link#8                        UHS         lo0
                        fe80::%gif0/64                    link#9                        U          gif0
                        fe80::6097:dd62:2e35:991d%gif0    link#9                        UHS         lo0
                        fe80::6097:dd62:2e35:991d%ovpnc1  link#10                       UHS         lo0
                        

                        • T
                          toskium @kiokoman
                          last edited by toskium

                          @kiokoman fair enough, but how did they end up there? (I guess that's a rhetorical question...)
                          Removing them from System > General Setup does not purge them from the routing table.

                          Edit:
                          okay, restarting the gif0 interface purges them. It seems like they are added to the routing table when being entered in System > General Setup as a DNS server.

                          Now that I am able to ping the ipv6 address of the tunnel server over at HE (2001:470:....::1) using:

                          ping6 -I gif0 2001...
                          

                          I should also be able to ping other ipv6 hosts, but I can't. For instance ipv6.google.com

                          ping6 -I gif0 2a00:1450:4005:803::200e
                          

                          leads to 100% packet loss

                          • kiokomanK
                            kiokoman LAYER 8
                            last edited by kiokoman

                            Manually delete it:
                            route -6 del 2001:470:20::2 2001:470:6c:aaaa::1
                            route -6 del 2001:4860:4860::8888 2001:470:6c:aaaa::1
                            OK, sorry, I'm at work, I was too late in answering.

                            I think you have discovered a bug there ^ ...
                            I have one pfSense with a route that appears at boot out of nowhere; I have set up an earlyshellscript to remove that offending route every time, since 2.4.4-p3
                            https://forum.netgate.com/topic/147254/lost-ipv6-connectivity-from-one-interface

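An added example, not part of the original posts: a POSIX shell/awk filter that finds static host routes via a gateway (the `UGHS` entries for `2001:470:20::2` and `2001:4860:4860::8888` in toskium's table) in either table layout shown in this thread, and prints the matching `route -6 del` commands for review without running them. The function names and the sample rows are constructed for illustration; on the firewall the input would be the output of `netstat -rn -f inet6`.

```shell
#!/bin/sh
# Added example, not code from the thread. Input on stdin is an IPv6 routing
# table in either layout seen above:
#   GUI:      Destination Gateway Flags Use Mtu Netif Expire
#   netstat:  Destination Gateway Flags Netif Expire

# Print "destination gateway netif" for every static host route that is
# reached through a gateway, i.e. whose flags contain G, H and S.
static_host_routes() {
    awk '
        # Header row: remember which columns hold Flags and Netif.
        $1 == "Destination" {
            for (i = 1; i <= NF; i++) {
                if ($i == "Flags") fcol = i
                if ($i == "Netif") ncol = i
            }
            next
        }
        # Ignore banner lines before the header and truncated rows.
        !fcol || !ncol || NF < ncol { next }
        # Link-local and loopback entries are created by the kernel.
        $1 ~ /^fe80:/ || $1 == "::1" { next }
        $fcol ~ /G/ && $fcol ~ /H/ && $fcol ~ /S/ { print $1, $2, $ncol }
    '
}

# Turn that list into the delete commands posted above, for review only.
# Optional $1 restricts the output to one interface (for example gif0).
delete_commands() {
    static_host_routes | awk -v ifn="${1:-}" '
        ifn == "" || $3 == ifn { print "route -6 del", $1, $2 }
    '
}

# Constructed sample: a few rows in the GUI layout, using the anonymised
# addresses from the thread.
sample_table() {
    cat <<'EOF'
Destination Gateway Flags Use Mtu Netif Expire
default 2001:470:6c:aaaa::1 UGS 151 1500 gif0
::1 link#19 UH 1747 16384 lo0
2001:470:20::2 2001:470:6c:aaaa::1 UGHS 0 1500 gif0
2001:470:6c:aaaa::1 link#43 UH 23260 1280 gif0
2001:470:6c:aaaa::2 link#43 UHS 6 16384 lo0
2001:4860:4860::8888 2001:470:6c:aaaa::1 UGHS 0 1500 gif0
fe80::%gif0/64 link#43 U 0 1500 gif0
EOF
}

# Stand-alone run on the sample; replace sample_table with
# `netstat -rn -f inet6` on the firewall itself.
sample_table | delete_commands gif0
```

The default route (`UGS`) and the tunnel endpoints (`UH`, `UHS`) are left alone because they lack either the host or the gateway flag.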
                            • T
                              toskium
                              last edited by

                              Discovering bugs is fine :-) where can I report that properly so it has a chance of being fixed?

                              • kiokomanK
                                kiokoman LAYER 8
                                last edited by

                                https://redmine.pfsense.org

                                • GertjanG
                                  Gertjan @toskium
                                  last edited by Gertjan

                                  @toskium said in No traffic gets past HE ipv6 tunnel:

                                  @kiokoman this comes from my general DNS settings, the howto on docs.netgate.com stated to add google DNS servers in System > General Setup like so:

                                  b0cc0d12-6847-46cd-98b7-8350b8d61754-image.png

                                  A bug, maybe - I'll add some @home and see what happens.

                                  Why did you add all these DNS servers?
                                  You are aware that you don't need them?? The resolver, out of the box, is close to perfect. [ and then people start forwarding because ... / [ we never know why ] /..... and things go downhill ]

                                  edit :
                                  When I add these :

                                  881fd212-7933-46b5-a277-9f863d3b0fc5-image.png

                                  ...the IPv6 of the DNS of he.net, I wind up seeing this :

                                  3d4fe86a-9119-4a37-9b9f-d40e6fdd292d-image.png

                                  in the routing table.
                                  Which doesn't look 'wrong' to me, as 2001:470:20::2 should be reached over the interface gif0 = he.net = my (their) 2001:470:1f12:5xx::1

                                  edit : and my IPv6 still works ....

                                  • kiokomanK
                                    kiokoman LAYER 8
                                    last edited by kiokoman

                                    Because I use BIND on another server and not Unbound nor the forwarder, for example ^^

                                    • T
                                      toskium
                                      last edited by

                                      @Gertjan I added the DNS servers because the howto says so.

                                      • GertjanG
                                        Gertjan @toskium
                                        last edited by

                                        @toskium said in No traffic gets past HE ipv6 tunnel:

                                        the howto says so

                                        Source?

                                        Read the initial setup instructions again: you'll find https://docs.netgate.com/pfsense/en/latest/config/general.html where it says:

                                        Note
                                        The DNS Resolver is active by default and uses resolver mode (DNS Resolver). When set this way the DNS Resolver does not need forwarding DNS servers as it will communicate directly with root DNS servers and other authoritative DNS servers.

                                        I don't want to say that forwarding - using third-party DNS servers - is bad.
                                        It was somewhat mandatory in the early ages. But not anymore.
                                        You use DNS: use the source, aka "Internet itself".

                                        • T
                                          toskium
                                          last edited by

                                          @Gertjan According to the recipe for setting up an IPv6 tunnel. You will need to go to docs.netgate.com and search for Hurricane Electric. Akismet doesn't allow me to post the direct link. It's the first result; if you look in the DNS chapter of that recipe you will find the reference.

                                          • GertjanG
                                            Gertjan
                                            last edited by Gertjan

                                            You mean :

                                            f42fadd6-28f1-498f-a6a7-b5d1e050084a-image.png

                                            Or https: slash slash docs dot netgate dot com slash /pfsense/en/latest/recipes slash ipv6-tunnel-broker.html#setup-ipv6-dns ?
                                            (Akismet can be circumvented so easily)

                                            Because the doc is somewhat old.

                                            This :

                                            If the DNS Resolver is used in non-forwarding mode, it will talk to IPv6 root servers automatically once IPv6 connectivity is functional.

                                            is not an "if" any more.
                                            The DNS Resolver is used out of the box.
                                            pfSense used a forwarder in the past, and it's still there: the lightweight forwarder (dnsmasq), mutually exclusive with the functionality of the resolver (unbound).

                                            Way back, code had to be mean, lean and small, as devices had limited resources.
                                            The Internet starts with these, Internet IS https://en.wikipedia.org/wiki/Root_name_server.
                                            So: why take your info from "someone" if you can tap into the source?

                                            But ...... the damage has been done.
                                            People like to use VPN 'for protection' and '8.8.8.8' for their DNS, and antivirals for their safety. They haven't figured out yet that it's all - and only - a "€/$" thing.

                                            To gain some milliseconds, it could be useful to use a close-by DNS server. he.net has its (their) own DNS servers close at every POP.
                                            You don't need them, they are just optional, as all the others.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.