    pfSense stops routing IPv6 after a few days

        msmith100 @JKnott

        @jknott Oops, I think I should have been more clear. I mean a /64 for the WAN, and a /56 delegated to 1+ LAN networks, each of which is assigned 1 of 256 /64's from that /56 by pfSense per your configuration.
        My current config, masked for privacy:

         WAN (wan)       -> pppoe0     -> v4/PPPoE: 104.163.xxx.xxx/32
                                          v6/DHCP6: 2606:6d00:1234:1234:1234:1234:1234:1234/64
         LAN (lan)       -> bge0       -> v4: 192.168.0.100/24
                                          v6: 2606:6d00:8888:1111::1/64
        .....
         VLAN4(opt4)   -> bge0.3     -> v4: 192.168.11.100/24
                                          v6: 2606:6d00:8888:1112::1/64
        

        As I understand it, I could even not have a globally routable address on the WAN, and it would have no effect. I've seen some other people set up pfSense in that manner, actually - I think on Teksavvy?

        @ijeff As long as your config matches what the ISP provides, then there should be no issue and it's their problem. I have heard of cases on various forums though of some ISPs with really strange configs (e.g. Telus on the west coast), including requiring non-standard (i.e. modifying config files manually) behavior w.r.t. DHCP renewing and such. That might be the case in your situation - pfSense is following standard RFCs, and your ISP is not. Further complicating matters, there are also some ISP-grade routers out there with known issues that had to be patched to fix weird IPv6 behavior in the last few years.

        Wish I could help further...

          ijeff

          So would it in theory be possible to use fe80:: addresses on the LAN side and have the router use NAT to pass everything through the single IPv6 address?

            JKnott @msmith100

            @msmith100 said in pfSense stops routing IPv6 after a few days:

            As I understand it, I could even not have a globally routable address on the WAN, and it would have no effect. I've seen some other people set up pfSense in that manner, actually - I think on Teksavvy?

            Quite possibly your WAN address is not used for routing. Check your default route with the netstat -r command. Don't be surprised if you see a link local address.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...
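
A small script for the default-route check described in the post above, as an added example that is not part of the original thread. The routing table in `sample_routes` is constructed (FreeBSD `netstat -rn -f inet6` layout, example addresses), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet6` output; addresses are examples only.
sample_routes() {
cat <<'EOF'
Routing tables

Internet6:
Destination                       Gateway                       Flags     Netif Expire
default                           fe80::2a0:a5ff:fe12:3456%pppoe0 UGS      pppoe0
::1                               link#4                        UHS         lo0
2001:db8:8888:1111::/64           link#1                        U          bge0
EOF
}

# Read a routing table on stdin and print the gateway of the IPv6
# default route; prints nothing when no IPv6 default route exists.
default_gw6() {
    awk '/^Internet6:/ { v6 = 1; next }
         v6 && $1 == "default" { print $2; exit }'
}

# Classify a gateway string: link-local (fe80::/10, i.e. fe80 to febf),
# on-link (link#N), global, or none for an empty argument.
classify_gw6() {
    gw=${1%%%*}    # drop the %zone suffix, e.g. %pppoe0
    case "$gw" in
        "")                            echo none ;;
        link#*)                        echo on-link ;;
        [Ff][Ee][89AaBb][0-9A-Fa-f]:*) echo link-local ;;
        *)                             echo global ;;
    esac
}

# On the firewall, feed real data instead: netstat -rn -f inet6 | default_gw6
gw=$(sample_routes | default_gw6)
echo "IPv6 default gateway: ${gw:-<none>} ($(classify_gw6 "$gw"))"
```

A result of `none` means the IPv6 routing table has no default route at all, which is a different condition from a default route that points at a link-local next hop.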

              JKnott @ijeff

              @ijeff

              Why on earth would you want to do that? NAT was created to get around the IPv4 address shortage. On IPv6, a single /64 contains 18.4 billion, billion addresses.

                ijeff @JKnott

                @jknott

                Seemed like a quick and dirty way of getting IPv6 if my ISP has a non-compliant setup? If it’s not the way to do it then that’s fine.

                Someone elsewhere has mentioned that I should investigate enabling large ICMP and ICMP v6 since that’s not allowed on the WAN side of the firewall, but I’m not on site at the moment.

                  JKnott @ijeff

                  @ijeff

                  What do you mean by "large ICMP"? That would tend to indicate an attack.

                    ijeff @JKnott

                    @jknott

                    They specifically mentioned to make sure the following was enabled:

                    • Allowing large ICMP
                    • Allowing v6 ICMP across the network

                      msmith100 @JKnott

                      @jknott No it's not. Still useful to have for pfSense itself as a pseudo-privacy layer e.g. for DNS requests, and I assume there is at least some good if non-essential reason it's part of an RFC and done by default by my ISP.

                        msmith100 @ijeff

                        @ijeff I have no idea how that would help you. AFAIK by default pfSense has rules that allow the bare minimum essential IPv6 ICMP traffic, so that shouldn't be the cause of your issue.

                          ijeff @msmith100

                          @msmith100

                          I think you're right, it looks like pfSense is doing everything it needs to by default.

                          I've been referred to this bug which seems to explain the exact issue I'm having. My ISP and the ISP mentioned in the bug actually use very similar network hardware (Cisco Nexus) so it may be completely related to that...

                          I might wait until 2.5.0 is released with this bug fixed before trying further troubleshooting...

                            ijeff

                            I've upgraded to 2.5.0 today and will monitor and report back.

                              ijeff

                              No further issues since upgrading to 2.5.0. Looks like the bugs have been squashed!
