IPv6 Router behind router
-
That's not been my experience. The only thing I recall that required a reboot was a system update.
-
@jknott
Not to get on a tangent here but just last night I was fixing another pfSense for UPnP and it also required reboots for all things NAT. Resetting firewall states was not enough.Unless I'm doing work with HAProxy, I pretty much know it's going to have to be rebooted.
-
Well, it looks like I am plugging right along but I may have hit a road block..
First, the static routing needed to be done the USG to get to the internet.
::/0 next hop "pfsenseLANcard" ---- on USG, after that, internet.
I have all the static routes for the subnets for my VLANs in USG but it wasn't getting to the internet until I put that route in. 80% certain that this was wrong.
As mentioned earlier, I got a /64 from the pfSense LAN RA. Now, I would like to make sure these computers will be able to be routable from/to the internet. What is required for that?
I was looking at this tool:
http://www.gestioip.net/cgi-bin/subnet_calculator.cgiCurrent Static routes in pfsense:
2001:xxxx:xxxx:1300::/64 Gateway "USGsWAN64"
2001:xxxx:xxxx:1301::/64 Gateway "USGsWAN64"
2001:xxxx:xxxx:1302::/64 Gateway "USGsWAN64"
2001:xxxx:xxxx:1303::/64 Gateway "USGsWAN64"pfSense CANNOT ping (from LAN) USGsWAN64
Is this looping?
2001:xxxx:xxxx:1300::/64 Gateway "USGsWAN64" BECAUSE:
2001:xxxx:xxxx:1300:yyyy:zzzz:aaaa:bbbb is the USG WAN's address
What should I really be doing instead of what I am doing?
-
As I said, I haven't worked with the USG, so I can't provide specific help with it. However, what it appear's you're doing is just setting up the default route. With IPv6, that should be provided with the RA, likely a link local address. Do you not see that? BTW, for something like this, packet captures REALLY come in handy.
What does the USG show for the default route?
-
The WAN_DHCP6 coming from the modem is a link-local, I was editing my post when it got denied and saw you posted here..
I would guess, since I can't capture packets from 3000 miles away, I should try the LUA address to allow the internet to find the servers?
Such as:
::/0 next-hop fe80::b290:xxx:yyyy:7819Is I did exactly as you said with the pfSense static, but didn't know about the 1300 address subnet. Wouldn't that cause a loop as stated in the last post?
The USG's default route is the pfSense_v6_LAN
-
@matthewgcampbell Can you help finish this issue?
pfSense cannot ping the USG WAN's IP but can ping computers/devices inside the with ONLY the LAN.
The computers are accessible on the internet, but I had to use this:
SSH to USG:
"set interfaces ethernet eth2 ipv6 address autoconf"
"set protocols static route6 ::/0 next-hop pf:sense:wan:dhcp:link:local:addr"After I commit that the routes are fine to the net but again, the USG just won't ping from pfSense, neither will any VLAN gateway I set up in Unifi.
The routes are all good, so, I am lost as to why I can ping the IPv4 side fine and replicate the IPv4 ICMP rule for IPv6 and get "no reply". As far as I remember, ICMP is pretty important to IPv6.
-
Nevermind on the Ping..
Had to do a WAN Local rule on the Firewall in USG..
Finally have this all set up after almost a year!
-
@abuttino said in IPv6 Router behind router:
The WAN_DHCP6 coming from the modem is a link-local, I was editing my post when it got denied and saw you posted here..
I would guess, since I can't capture packets from 3000 miles away, I should try the LUA address to allow the internet to find the servers?
Such as:
::/0 next-hop fe80::b290:xxx:yyyy:7819Is I did exactly as you said with the pfSense static, but didn't know about the 1300 address subnet. Wouldn't that cause a loop as stated in the last post?
The USG's default route is the pfSense_v6_LAN
The link local address should work. Also, who says you can't do a packet capture from 3000 miles away. If you can access the pfsense configuration, you can run Packet Capture and download the capture.
You shouldn't have looping if you don't have loops. Are you configuring an address that's on the USG for the gateway?
-
After returning home, I tried to get it all set up, but now all clients are not connecting to IPv6 properly.
I can ping Google on IPv6 on all clients but all computers say they aren't getting internet on the IPv6 side and ipv6-test.com says there is no internet.
What am I missing? I don't get why it sees the IPv6 connection by ping but won't connect to sites or pass any tests. Seems like a routing issue to me, any insights?
-
Is pfsense still behind another router? If so, you won't be able to get IPv6 to work properly. It has to see DHCPv6-PD to provide the prefix to the LAN.
-
@abuttino I agree with @JKnott, but it also could be a firewall issue as clients can ping but the IPv6 test website doesn’t work, at my house I allow all by delegated prefixes though the firewall to the internet to any address. Not sure if that’s good practice or not, I guess you could just allow any on port 80 or 443 as opposed to any port but I feel like that would cause issues when connecting to my work vpn which is IPv6 only, as I set it up like that.
Edit: I assume it’s not behind another router as you are bypassing the AT&T gateway (at least that is what you said you were attempting previously, right?), the is the week I would be able to help you with setting it up but there was some construction across the street from my house by the power company and they cut both my AT&T and google fiber lines, so I’m currently stuck on starlink.
-
@jknott No, there is a modem in front of pfSense, CM8200A DOCSIS3.1 Cable modem connected to Cox Business on a /56 DHCP address.
This just worked when I was in NY, now it doesn't.
So disenchanted with IPv6 on Unifi.
-
I can use the IPV6 that are assigned on the USG DHCP to address computers from the internet. It just won't say "Internet" on Network and Sharing Center, or pass any IPv6 tests.
Ping (as well as traceroutes) from local computers to google.com are fine even though it says "No Internet Access".
The traceroutes go from the USG to the pfSense LAN IPv6 out to the internet, even though I have the link-local gateway address of Cox specified in the next-hop on the USG.
