Netgate Discussion Forum

    ISP-assigned static IPv6 /48 issues

    21 Posts 4 Posters 2.1k Views
    • JKnottJ
      JKnott @peter-fyri

      @peter-fyri

      If you can't communicate between LAN or VLANs it's either a routing or firewall rule issue. One thing though is to get routing working before adding rules that may block traffic. As I mentioned, I can't check my system at the moment but, IIRC, you have to specifically allow traffic between (V)LANs. When I set up a VLAN recently for my guest WiFi, I had the opposite issue. I wanted to prevent guests, on the VLAN, from accessing anything on the LAN.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • P
        peter-fyri @JKnott

        @jknott said in ISP-assigned static IPv6 /48 issues:

        @peter-fyri

        If you can't communicate between LAN or VLANs it's either a routing or firewall rule issue. One thing though is to get routing working before adding rules that may block traffic. As I mentioned, I can't check my system at the moment but, IIRC, you have to specifically allow traffic between (V)LANs. When I set up a VLAN recently for my guest WiFi, I had the opposite issue. I wanted to prevent guests, on the VLAN, from accessing anything on the LAN.

        Between those particular interfaces, the LAN and VLAN, I must allow traffic, so there is a firewall rule in place on both, which allows any kind of traffic, both IPv4 and 6, between the two. I can ping from any direction, from pfSense, both interfaces' IP addresses (from LAN interface to the IPv6 of VLAN and vice-versa), but not the clients behind the interfaces (so from VLAN to a static client of LAN). The client responds (or should) to ping from anywhere, as its local firewall is set to respond. The LAN client responds to ping coming from the internet, from another network.

        • JKnottJ
          JKnott @peter-fyri

          @peter-fyri

          Perhaps you can post your rules, so we're not guessing.


          • P
            peter-fyri @JKnott

            @jknott
            Sure thing, here they are (well, the relevant ones, from top to bottom). So the two interfaces I am talking about are LAN and WIFI (WIFI being a VLAN). These two should communicate with each other. And they do on IPv4, but they don't on IPv6.

            [image attachment: screenshot of the firewall rules]

            Thank you!

            • JKnottJ
              JKnott @peter-fyri

              @peter-fyri said in ISP-assigned static IPv6 /48 issues:

              And they do on IPv4, but they don't on IPv6

              Well, the first thing to do is find out what the differences are between IPv4 & IPv6. The only IPv4 rule I see is for ICMP and also IPv6. I expect you're using NAT on IPv4, which can also affect this. As I mentioned, I can't check my system to see what's what. My rule is to start simple, get it working before getting fancy, so you could try a single allow everything rule initially.


              • P
                peter-fyri @JKnott

                @jknott
                Yes, unfortunately I cannot share the rules below, as it exposes sensitive data.
                However, for testing purposes, I only need ping to work, from that point forward, I will surely manage to work out any other issues. But, also for testing purposes, the rules that limit IPv6 connectivity to/from these two subnets, were before (like a few hours ago) set to any (so any IPv6 source was allowed). But ping or any other connectivity still failed. And these rules were at the top of the rules, before any other limiting... and.. still didn't work :(

                • JKnottJ
                  JKnott @peter-fyri

                  @peter-fyri said in ISP-assigned static IPv6 /48 issues:

                  as it exposes sensitive data

                  I assume you mean addresses, as there's no need to hide ports. If that's a concern, one way around that is to use an alias, such as the way you used "LAN net" or "WIFI net". Still, start simple to get it working then add rules as needed. That way, you have some idea what breaks it.


                  • P
                    peter-fyri @JKnott

                    @jknott
                    Well, it doesn't work. Can't communicate between subnets no matter what I do. I'm 99% sure it is not about firewall rules (not excluding the possibility of course). Maybe it has to do with that link-local address I added for the WAN from the CLI and things are not properly routed because of it. I don't know.
                    In the worst case, I'll move the WiFi clients in the same subnet as the LAN, for both IPv4 and 6.

                    • JKnottJ
                      JKnott @peter-fyri

                      @peter-fyri

                      Link-local addresses are never routed. With IPv6, they're used for things like router advertisements, neighbour discovery, etc. As I mentioned, I had to add rules to prevent my guest WiFi/VLAN from reaching my main LAN. I can't tell you what my rules are, though they have been posted on some other thread, until I get pfSense up & running again.


                      • DerelictD
                        Derelict LAYER 8 Netgate @peter-fyri

                        @peter-fyri said in ISP-assigned static IPv6 /48 issues:

                        to set 2a02:xxxx:aaaa::1/48 on the LAN interface

                        If you are not past it yet, this advice is absolutely incorrect.

                        You have 65536 /64 networks to use out of your /48:

                        2a02:xxxx:aaaa:0::/64
                        2a02:xxxx:aaaa:1::/64
                        2a02:xxxx:aaaa:2::/64
                        2a02:xxxx:aaaa:3::/64
                        2a02:xxxx:aaaa:4::/64
                        2a02:xxxx:aaaa:5::/64
                        ...
                        2a02:xxxx:aaaa:fffb::/64
                        2a02:xxxx:aaaa:fffc::/64
                        2a02:xxxx:aaaa:fffd::/64
                        2a02:xxxx:aaaa:fffe::/64
                        2a02:xxxx:aaaa:ffff::/64

                        LAN should be numbered with something like:

                        2a02:xxxx:aaaa:1::/64

                        WIFI with something like:

                        2a02:xxxx:aaaa:2::/64

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

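As an added example (not code from this thread, from Netgate or from pfSense), the two points above worked through with Python's `ipaddress` module: Derelict's split of the ISP /48 into 65536 /64 networks with a distinct /64 per interface, and JKnott's note that link-local addresses are never routed. The prefix `2a02:1234:aaaa::/48` is a constructed stand-in for the redacted `2a02:xxxx:aaaa::/48`, the LAN = subnet 1 / WIFI = subnet 2 layout follows the post, and `pick_subnet` generalizes to any delegation shorter than /64 (a /56 yields 256 /64s the same way).

```python
import ipaddress

# Constructed stand-in for the thread's redacted ISP allocation (2a02:xxxx:aaaa::/48).
# Not a real assignment; the redacted hextet is filled with 1234 so the code runs.
ISP_PREFIX = ipaddress.IPv6Network("2a02:1234:aaaa::/48")


def count_64s(prefix):
    """Number of /64 networks that fit in the prefix: 2^(64-48) = 65536 for a /48."""
    return 2 ** (64 - prefix.prefixlen)


def pick_subnet(prefix, index):
    """Return the /64 whose subnet-ID hextet equals index.

    index 1 -> 2a02:1234:aaaa:1::/64, index 0xffff -> 2a02:1234:aaaa:ffff::/64.
    The subnet ID occupies bits 64..79 of the address, hence the shift by 64.
    """
    if not 0 <= index < count_64s(prefix):
        raise ValueError(f"subnet index {index:#x} out of range for {prefix}")
    network_int = int(prefix.network_address) + (index << 64)
    return ipaddress.IPv6Network((network_int, 64))


def plan_interfaces(prefix, assignments):
    """Give each interface its own /64 and refuse overlapping choices.

    assignments maps interface name -> subnet index, e.g. {"LAN": 1, "WIFI": 2}.
    """
    plan = {name: pick_subnet(prefix, idx) for name, idx in assignments.items()}
    names = list(plan)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if plan[a].overlaps(plan[b]):
                raise ValueError(f"{a} and {b} would share {plan[a]}")
    return plan


def router_address(subnet, host=1):
    """The router-side address inside a /64, written with the /64 prefix length."""
    return ipaddress.IPv6Interface((int(subnet.network_address) + host, 64))


def whole_48_on_lan_is_wrong(prefix, wifi_index=2):
    """Reproduce the mistake the thread started from: the entire /48 on LAN.

    Every /64 later given to another interface sits inside that /48, so the
    router treats WIFI's addresses as on-link for LAN instead of routing to them.
    """
    lan_if = ipaddress.IPv6Interface((int(prefix.network_address) + 1, prefix.prefixlen))
    wifi = pick_subnet(prefix, wifi_index)
    return wifi.subnet_of(lan_if.network)


def is_routable(addr):
    """False for link-local (fe80::/10) and other non-forwardable addresses.

    Link-local addresses are valid on one link only and are never forwarded
    between interfaces; they carry RA/NDP, not traffic between subnets.
    """
    a = ipaddress.IPv6Address(addr)
    return not (a.is_link_local or a.is_loopback or a.is_unspecified or a.is_multicast)


if __name__ == "__main__":
    plan = plan_interfaces(ISP_PREFIX, {"LAN": 1, "WIFI": 2})
    for name, net in plan.items():
        print(f"{name:5} {net}  router {router_address(net)}")
    print("/64s available:", count_64s(ISP_PREFIX))
    print("whole /48 on LAN swallows WIFI:", whole_48_on_lan_is_wrong(ISP_PREFIX))
    print("fe80::1 routable:", is_routable("fe80::1"))
```

Running it prints the LAN and WIFI /64s with their router addresses (`...:1::1/64` and `...:2::1/64`), confirms the 65536 count, and shows why the original /48-on-LAN configuration cannot work: WIFI's /64 is a subnet of LAN's prefix, so there is nothing left to route.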
                        • P
                          peter-fyri

                          @JKnott @Derelict
                          Thank you guys.

                          I am past this issue, everything is almost fine, after I added that specific link-local address the ISP sent me. My only problem is that the interface clients don't communicate with each other (for the time being, ping). The internet communicates with them, from anywhere, they communicate with the internet, but not with each other. I mean clients from one interface with clients from another interface. Clients within the same subnet talk to each other just fine.
                          The very first thing I tried is adding an allow from any to any firewall rule on IPv6 for both interfaces, all protocols, first rule from top to bottom, but nothing...

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.