IPv6 Problems (not working)
-
I've recently started using pfSense as a firewall/router for my network so that I can learn more about networking (I work in the IT field) as well as secure my network.
I was able to get it set up pretty well I think, though I'll admit I had some issues with it.
Anyways, I've been running into issues with IPv6 not working that are causing me some annoyance. IPv6 seems to work on my internal network, but I'm unable to ping any IPv6 addresses outside my network, and I fail all the tests when I test at http://test-ipv6.com/
At first I thought it was an issue with Charter (my ISP) DNS servers or something, but once I connected my computer directly to the modem, I passed all the IPv6 tests on that website (although it says my ISP DNS server doesn't connect to IPv6, and I was able to fix that by using another IPv6 DNS server manually assigned in my computer's IPv6 settings).
So it looks like the issue is being caused by my pfSense box, which sits at the edge of my network, connected to my modem and router (the router is my WAP and switch).
Since I have Charter, I found these instructions (http://www.charter.net/support/internet/ipv6-faq/) on how to set up their 6RD connection, but when I do that the gateway just shows as offline and I get no IPv6 connectivity.
I also tried the HE tunnel, but after following the instructions I simply cannot get the gateway to show as online.
I'm happy to post whatever logs or info needed to assist with this, but I'm just totally lost at this point. I did see a bunch of topics others have posted about the latest pfsense update breaking their ipv6 setups, but I was hoping I didn't have that or it was fixed by now.
I am unable to ping ipv6 hostnames from my computer or my pfsense box.
I am able to use DNS lookup for IPv6 no problem.
Any and all help would be greatly appreciated. I definitely feel like I'm a bit over my head, but I'd like to learn how this all works anyways.
-
Are they still using 6rd? Many ISPs used 6rd and 6to4 as a transition method, until native IPv6 was available. Mine did, but now provides native IPv6 and I have pfSense configured to work with DHCPv6. Better call Charter's support to find out what they're providing.
-
Yes, according to the rep I asked, the settings on the Charter FAQ page I linked are correct. I must have done something wrong with my configuration, but absolutely no clue what.
-
"I also tried the HE tunnel, but after following the instructions I simply cannot get the gateway to show as online."
HE setup would be inside IPv4 tunnel.. So any issues you have there point to PEBKAC or something wrong with ipv6 itself on the pfsense box..
So in your HE setup.. you show your tunnel up? So gif0 is up for example?? But when you create your IPv6 gateway you do not show that up?
-
Sorry I should have been more specific about what I did there. The HE tunnel never showed as online either (so gif0). It did show as a different gateway, both ipv6 ones showing as offline (IPv4 was fine).
It's definitely possible that it's user error. I would definitely assume it was something I did rather than an issue with the OS, but I have seen multiple posts here about IPv6 issues that are similar to mine, so I suppose that's a possibility. I don't know a huge amount about Linux (I've used it a few times but that's more or less the extent of what I know), nor am I an expert on networking (though I know more about that than Linux, and I would like to get my network+ at some point in the near future). So as I said, I would assume user error before OS issue, and I'm only even considering OS issue because of the other posts about it. I'm thinking that 2.4 might fix my issue (if it's the same as one of the other threads about the ISP waiting for a signal that pfsense isn't sending for whatever reason), so I can live with waiting for that to release to find out.
EDIT: Also just to reiterate if I didn't say it in the OP: IPv6 tests show IPv6 working properly if I connect my computer directly to the modem (bypassing pfsense), so it's not an issue with my ISP. Has to be something on the pfSense box (since I don't change any settings on my computer for the connection to work, it's all done on my pfsense box).
-
While it is quite possible your isp ipv6 setup and pfsense don't want to play nice..
But an HE tunnel really should take your isp out of the equation altogether. Since to your isp all it would be seeing is typical IPv4 traffic. So as long as you have ipv4 connectivity to the HE tunnelbroker site you're using you should be able to get ipv6 working regardless of your current isp ipv6 setup.
I personally would go down that road.. Other than maybe a bit more latency to be honest a HE tunnel is easier to set up, more stable and just works ;) And you don't have to worry about your ipv6 prefixes changing when the wind blows from your isp. And you can get a /48 to use..
My isp (comcast) does have native ipv6. But I would call it flaky at best, I just use a HE tunnel for my ipv6 needs.. More than happy to help you work out why your HE tunnel is not working. At least with that we would have common ground to work with, unless you're on comcast as well we don't have a common connection type to help figure out what is wrong. Also the support on HE is pretty good as well, with lots of people on their forums and HE staff as well to help figure out what is not working if need be. Unless your ISP is one of the really few rare ones with good support, you're more likely to get better support from HE than your ISP ;)
Are you allowing Ping to your wan IP - this can be a common problem when setting up a HE tunnel. You need to allow ping to your wan..
https://ipv6.he.net/certification/faq.php
---
*Two important notes:
Your IPv4 endpoint address must be reachable via ICMP ECHO_REQUEST (Internet Control Message Protocol).
If you are using a NAT (Network Address Translation) appliance, please make sure it allows and forwards IP protocol 41.
What is IP Protocol 41?
IP Protocol 41 is one of the Internet Protocol numbers. Within the IPv4 header, the IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.
---
Is pfsense behind a nat?? Or does it get a public IP on its wan?
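
An added illustration, not part of the thread or of any poster's setup: a Python example that checks raw IPv4 packets (for instance, exported from a capture on the WAN interface) for the two requirements in the HE FAQ quoted above, ICMP echo reaching the WAN address and IP protocol 41 flowing both ways. The addresses, function names and sample packets are constructed for the example.

```python
import ipaddress
import struct

PROTO_ICMP, PROTO_IPV6 = 1, 41  # values of the IPv4 header "Protocol" field

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload), or None if not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4            # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]

def check_tunnel(packets, wan_ip, server_ip):
    """Report which of the FAQ's two requirements the capture shows."""
    seen = {"echo_request_in": False, "echo_reply_out": False,
            "proto41_out": False, "proto41_in": False}
    for pkt in packets:
        parsed = parse_ipv4(pkt)
        if parsed is None:
            continue
        src, dst, proto, payload = parsed
        if proto == PROTO_ICMP and payload:
            if payload[0] == 8 and dst == wan_ip:      # type 8 = echo request
                seen["echo_request_in"] = True
            elif payload[0] == 0 and src == wan_ip:    # type 0 = echo reply
                seen["echo_reply_out"] = True
        elif proto == PROTO_IPV6 and payload and payload[0] >> 4 == 6:
            if src == wan_ip and dst == server_ip:     # our 6in4 leaving
                seen["proto41_out"] = True
            elif src == server_ip and dst == wan_ip:   # broker's 6in4 arriving
                seen["proto41_in"] = True
    return seen

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left 0; constructed test data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload

WAN, HE = "192.0.2.10", "198.51.100.1"   # documentation addresses, constructed
IPV6_HDR = bytes([0x60]) + bytes(39)     # 40-byte IPv6 header, version nibble 6
SAMPLE = [                               # constructed capture, not real traffic
    ipv4(HE, WAN, PROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1])),  # ping arrives
    ipv4(WAN, HE, PROTO_IPV6, IPV6_HDR),                         # 6in4 goes out
]

if __name__ == "__main__":
    print(check_tunnel(SAMPLE, WAN, HE))
```

In the constructed sample the echo request arrives but no reply leaves, and protocol 41 goes out with nothing coming back, which is the pattern a WAN rule blocking ping would produce.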
-
Hmm… It's entirely possible that I never set up the HE tunnel correctly. I followed the directions, but there were definitely a few steps I would have really liked some clarification on (setting up the ICMP request was one of them).
I'll have to take a look at it again either tomorrow or this weekend and see if I can figure out where I went wrong.
I've got Charter as my ISP. I can't speak for their IPv6 stability, though as I said earlier it did work when I connected my computer to the modem. I did speak with their support earlier and basically once I confirmed it worked through my modem they closed the chat. They won't support anything past the modem (fair but annoying).
-
What directions? These https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker