Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Static setup, LAN->WAN forwarding not working [SOLVED]

    IPv6
    1
    2
    3.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      Elnadmin
      last edited by

      Hi! I've got a /48 block from an ISP for native, static setup:

      WAN interface:
      {prefix}::1/64 = ISP gateway
      {prefix}::2/64 = My pfsense 2.2.6 on WAN

      LAN interface:
      {prefix}:0a00::2/64 = My pfsense 2.2.6 on LAN
      RA with "unmanaged" (i.e. without DCPv6) successfully assigns addresses and router info.

      However, while I can ping ISP gateway and Internet sites from the FW through WAN interface, I cannot ping them through FW's LAN interface (or the actual workstations on the LAN). Pinging the FW itself from LAN works.

      In other words, from LAN,
      ping6 {prefix}:0a00::2 works, and
      ping6 {prefix}::2 works, but
      ping6 {prefix}::1 and ping6 www.google.com only work through FW's Diagnostics/Ping, and even then only when "WAN" is selected as a source, not "LAN".

      6to4 tunneling on WAN and "follow interface" on LAN worked a few days back, but this new static IPv6 setup just drops all LAN->WAN traffic.

      My ISP doesn't offer DHCPv6 so I need to get static setup working, "Track interface" is not an option.

      Some configuration points:

      • Rules allow all traffic out from LAN interface, and ICMP from WAN to LAN.

      • IPv4 is NATed out (manual NAT). Works, and most rules are IPv4+6.

      • IPv4 is using CARP for High Availability. Backup device is not configured for IPv6 at all for now – I'd like to get it working on a single FW first.

      • Manual routing table is empty.

      • "Block bogon networks" is disabled on both WAN and LAN.

      • LAN interface's "upstream gateway" field is empty. (Shouldn't be necessary to point the FW to itself. Tried and it didn't help.)

      • Tried adding a default route to {prefix}:0a00::2 on a LAN workstation. Didn't work, which is not surprising, since pinging WAN doesn't work even from Pfsense itself when LAN interface is selected as a source.

      Any ideas how to proceed? Since there's no NATing in IPv6, do I have to add manual routes, enable LAN->WAN IPv6 forwarding from somewhere, or what could I try?

      1 Reply Last reply Reply Quote 0
      • E
        Elnadmin
        last edited by

        Solved. This turned out to be an ISP side routing issue. Like in https://forum.pfsense.org/index.php?topic=104583.0 , I was trying to advertise the /48 to the ISP gateway through SA, which is apparently not how it's supposed to work.

        Testing with netcat6, I listened at a remote server for UDP packets and sent one from the LAN. It went through. So in fact LAN->Internet was working, but replies (Internet->LAN) never came through.

        This was resolved by the ISP setting up a separate link network {linkprefix}::/64, and then routing {prefix}::/48 <-> {linkprefix}::1/64 (ISP GW) <-> {linkprefix}::2/64 (Pfsense) <-> LAN. (No route daemon running on pfsense, only static configs at ISP side.)

        Unfortunately, I never found out why/how Internet<->Pfsense traffic worked before (regardless of Pfsense box's address), if there were no routes set up at ISP's before. Maybe their gateway added my Pfsense box as a single host to their routing tables through IPv6 Neighbor discovery or something.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.