1. Home
  2. pfSense® Software
  3. IPv6
  4. Static setup, LAN->WAN forwarding not working [SOLVED]

Static setup, LAN->WAN forwarding not working [SOLVED]

  • E

    Hi! I've got a /48 block from an ISP for native, static setup:

    WAN interface:
    {prefix}::1/64 = ISP gateway
    {prefix}::2/64 = My pfsense 2.2.6 on WAN

    LAN interface:
    {prefix}:0a00::2/64 = My pfsense 2.2.6 on LAN
    RA with "unmanaged" (i.e. without DCPv6) successfully assigns addresses and router info.

    However, while I can ping ISP gateway and Internet sites from the FW through WAN interface, I cannot ping them through FW's LAN interface (or the actual workstations on the LAN). Pinging the FW itself from LAN works.

    In other words, from LAN,
    ping6 {prefix}:0a00::2 works, and
    ping6 {prefix}::2 works, but
    ping6 {prefix}::1 and ping6 www.google.com only work through FW's Diagnostics/Ping, and even then only when "WAN" is selected as a source, not "LAN".

    6to4 tunneling on WAN and "follow interface" on LAN worked a few days back, but this new static IPv6 setup just drops all LAN->WAN traffic.

    My ISP doesn't offer DHCPv6 so I need to get static setup working, "Track interface" is not an option.

    Some configuration points:

    • Rules allow all traffic out from LAN interface, and ICMP from WAN to LAN.

    • IPv4 is NATed out (manual NAT). Works, and most rules are IPv4+6.

    • IPv4 is using CARP for High Availability. Backup device is not configured for IPv6 at all for now – I'd like to get it working on a single FW first.

    • Manual routing table is empty.

    • "Block bogon networks" is disabled on both WAN and LAN.

    • LAN interface's "upstream gateway" field is empty. (Shouldn't be necessary to point the FW to itself. Tried and it didn't help.)

    • Tried adding a default route to {prefix}:0a00::2 on a LAN workstation. Didn't work, which is not surprising, since pinging WAN doesn't work even from Pfsense itself when LAN interface is selected as a source.

    Any ideas how to proceed? Since there's no NATing in IPv6, do I have to add manual routes, enable LAN->WAN IPv6 forwarding from somewhere, or what could I try?

    0
  • E

    Solved. This turned out to be an ISP side routing issue. Like in https://forum.pfsense.org/index.php?topic=104583.0 , I was trying to advertise the /48 to the ISP gateway through SA, which is apparently not how it's supposed to work.

    Testing with netcat6, I listened at a remote server for UDP packets and sent one from the LAN. It went through. So in fact LAN->Internet was working, but replies (Internet->LAN) never came through.

    This was resolved by the ISP setting up a separate link network {linkprefix}::/64, and then routing {prefix}::/48 <-> {linkprefix}::1/64 (ISP GW) <-> {linkprefix}::2/64 (Pfsense) <-> LAN. (No route daemon running on pfsense, only static configs at ISP side.)

    Unfortunately, I never found out why/how Internet<->Pfsense traffic worked before (regardless of Pfsense box's address), if there were no routes set up at ISP's before. Maybe their gateway added my Pfsense box as a single host to their routing tables through IPv6 Neighbor discovery or something.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy