IPV6 whith HE tunnel stopped working SOLVED

Fabio72

I was using the HE tunnel for a while without problems.

A couple of weeks ago I changed pfsense configuration using vlans instead of physical links, maintaining the same logical interfaces. Only the LAN IF as an ipv6 assigned.

Today I noticed that no IPV6 traffic is made from my lan.
The gif interface is up and running.
The HENETV6 gateway is online.
My LAN (vlan) interface has the ipv6 address correctly assigned.
The HE DDNS is correctly updated.

But none of my lan host is getting an IPV6 address any more.
DHCP V6 is running but shows no leases.
Route advertising is ASSISTED.

My NDP table only shows link local addresses and the ipv6 LAN address


Fabio72

I rechecked all configuration again and nothing seems wrong
I do have IPV6 connectivity on the pfSense box

Results

PING6(56=40+8+8 bytes) 2001:470:xx:xx::2 –> 2a00:1450:4002:805::200e
16 bytes from 2a00:1450:4002:805::200e, icmp_seq=0 hlim=55 time=22.059 ms
16 bytes from 2a00:1450:4002:805::200e, icmp_seq=1 hlim=55 time=22.424 ms
16 bytes from 2a00:1450:4002:805::200e, icmp_seq=2 hlim=55 time=24.462 ms

--- ipv6.l.google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 22.059/22.982/24.462/1.057 ms

but no more ipv6 traffic on the lan vlan

my NDP table
2001:470:xx:xx::1 00:00:00:12:12:75 (Xerox) pfSense.arda LAN_IF
fe80::200:ff:fe12:1274%pppoe0 (incomplete) WAN_IF
fe80::200:ff:fe12:1274%ppp1 (incomplete) WAN2_IF
fe80::200:ff:fe12:1275%em1_vlan20 00:00:00:12:12:75 (Xerox) GUEST_IF
fe80::200:ff:fe12:1275%em1_vlan10 00:00:00:12:12:75 (Xerox) LAN_IF
fe80::200:ff:fe12:1275%em1_vlan1 00:00:00:12:12:75 (Xerox) MGT_IF
fe80::200:ff:fe12:1277%em3 00:00:00:12:12:77 (Xerox) MGT_PFSENSE
fe80::200:ff:fe12:1276%em2 00:00:00:12:12:76 (Xerox) VIDEO_IF
fe80::200:ff:fe12:1275%em1 00:00:00:12:12:75 (Xerox) em1
fe80::200:ff:fe12:1274%em0 00:00:00:12:12:74 (Xerox) em0

and a tcpdump of the lan IF only shows link local traffic

17:10:13.103460 IP6 fe80::200:ff:fe12:1275 > ff02::1: ICMP6, router advertisement, length 128
17:10:30.794517 IP6 fe80::200:ff:fe12:1275 > ff02::1: ICMP6, router advertisement, length 128

doktornotor

The HENET… gateway must be edited and marked as default.

Fabio72

It's already the default

I didn't modify the ipv6 settings since it worked flawless weeks ago. What I changed is the migration from physical interfaces to vlans because I added managed switches and uniquiti ap.

The LAN vlan IF shows ipv6 passing packets out but no IN

Interface Stats for em1_vlan10        IPv4            IPv6
  Bytes In                    21873138837                0
  Bytes Out                  577302225637          9321344
  Packets In
    Passed                      174684564                0
    Blocked                          81266                0
  Packets Out
    Passed                      416928447            55516
    Blocked                          9787                0

As I said none of my host is getting an ipv6 address by RA or DHCP6


Gertjan

… and when you undo your changes (import an earlier backup of the config) things start to work again ?

Fabio72

I don't known because if I revert the previous configuration I kick the firewall out of the network, because the network infrastructure is changed and it's now based on vlans. New switch, new rack and new cabling.

I'm not sure if the configuration change is related but it's the only thing I've changed recently. And I don't know when exactly the ipv6 traffic stopped, because everything else is working and the HE gateway is always online…

Fabio72

Was a switch configuration issue:
the trunk port where pfsense was connected was configured to accept only VLAN Frame Types.
Now It's configured to accept all frame types and ipv6 RA started working again.

Fabio72

It's a bug in netgear IGMP Snooping

https://community.netgear.com/t5/Smart-Plus-Click-Switches/GS724Tv4-Enabling-IGMP-Snooping-on-a-VLAN-Breaks-IPv6-on-that/td-p/995071