Static setup, LAN->WAN forwarding not working [SOLVED]



  • Hi! I've got a /48 block from an ISP for native, static setup:

    WAN interface:
    {prefix}::1/64 = ISP gateway
    {prefix}::2/64 = My pfsense 2.2.6 on WAN

    LAN interface:
    {prefix}:0a00::2/64 = My pfsense 2.2.6 on LAN
    RA with "unmanaged" (i.e. without DCPv6) successfully assigns addresses and router info.

    However, while I can ping ISP gateway and Internet sites from the FW through WAN interface, I cannot ping them through FW's LAN interface (or the actual workstations on the LAN). Pinging the FW itself from LAN works.

    In other words, from LAN,
    ping6 {prefix}:0a00::2 works, and
    ping6 {prefix}::2 works, but
    ping6 {prefix}::1 and ping6 www.google.com only work through FW's Diagnostics/Ping, and even then only when "WAN" is selected as a source, not "LAN".

    6to4 tunneling on WAN and "follow interface" on LAN worked a few days back, but this new static IPv6 setup just drops all LAN->WAN traffic.

    My ISP doesn't offer DHCPv6 so I need to get static setup working, "Track interface" is not an option.

    Some configuration points:

    • Rules allow all traffic out from LAN interface, and ICMP from WAN to LAN.

    • IPv4 is NATed out (manual NAT). Works, and most rules are IPv4+6.

    • IPv4 is using CARP for High Availability. Backup device is not configured for IPv6 at all for now – I'd like to get it working on a single FW first.

    • Manual routing table is empty.

    • "Block bogon networks" is disabled on both WAN and LAN.

    • LAN interface's "upstream gateway" field is empty. (Shouldn't be necessary to point the FW to itself. Tried and it didn't help.)

    • Tried adding a default route to {prefix}:0a00::2 on a LAN workstation. Didn't work, which is not surprising, since pinging WAN doesn't work even from Pfsense itself when LAN interface is selected as a source.

    Any ideas how to proceed? Since there's no NATing in IPv6, do I have to add manual routes, enable LAN->WAN IPv6 forwarding from somewhere, or what could I try?



  • Solved. This turned out to be an ISP side routing issue. Like in https://forum.pfsense.org/index.php?topic=104583.0 , I was trying to advertise the /48 to the ISP gateway through SA, which is apparently not how it's supposed to work.

    Testing with netcat6, I listened at a remote server for UDP packets and sent one from the LAN. It went through. So in fact LAN->Internet was working, but replies (Internet->LAN) never came through.

    This was resolved by the ISP setting up a separate link network {linkprefix}::/64, and then routing {prefix}::/48 <-> {linkprefix}::1/64 (ISP GW) <-> {linkprefix}::2/64 (Pfsense) <-> LAN. (No route daemon running on pfsense, only static configs at ISP side.)

    Unfortunately, I never found out why/how Internet<->Pfsense traffic worked before (regardless of Pfsense box's address), if there were no routes set up at ISP's before. Maybe their gateway added my Pfsense box as a single host to their routing tables through IPv6 Neighbor discovery or something.