IPv6 Prefix Delegation and Tracking Interface Problem



  • Hello everybody.
    This is my first post, because I couldn't find anywhere else the solution of this simple problem (hopefully  ;D).
    I've got a PFSense at the last release, using an IPv6 prefix delegation /64 from my ISP on WAN, and now try to track interface on LAN.
    My computers on LAN get the prefix and IP information, but not the Gateway information (looks ok that).
    The problem: my computer can find the ip from a Name Servers, but the ICMP information doesn't get through it, and then I've Time Out information for PING requests.

    Firewall rules, all by default.
    System > Advanced > Network > Allow IPv6 ok
    Send IPv6 prefix hint ok
    DHCP6 ok on WAN ok

    I've got a working OpenVPN tunnel, so IPv6 it's ok.

    Can anyone help me, I would appreciate that.



  • By default ICMP ping is blocked, you'll need to create a rule for it, or look at your firewall logs, identify the packet that's being blocked and use the easy rule button.



  • If you're using ipv6-test.com, as marjohn56 said, you need to enable the icmp6 rule. What's specifically required is echo request, nothing more. If you are using a windows client, you also need to enable echo-request on the client as well. There is already a rule called "Virtual Machine Monitoring (Echo Request - ICMPv6-In)" that you can enable. If you enable those rules, ipv6-test.com will work. If I recall correctly, you also have to enable icmp4 echo request on pfsense as well, for ipv4.



  • Hey! First of all: thank you for these replies!
    But the thing is:
    1) I do have IPv6 in my computer (see at www.fischer-ti.com.br/Files/3.png ).
    2) No blocking on my firewall (see at www.fischer-ti.com.br/Files/2.png ). Just something to face/whats :)
    3) No test confirmation (see at www.fischer-ti.com.br/Files/1.png ). - NO IPv6 Detected.
    4) No ping response from LAN or WAN IPv6 - (See the states at www.fischer-ti.com.br/Files/4.png)

    Can anyone help me? :)
    Thanks.



  • Tudo bem? Are you in Brasil or Portugal? My Portuguese isn't very good but I'm pretty sure your ipv6 isn't working properly, not just the firewall.

    What version of windows are you running? Some versions of windows 10 have dhcpv6 problems. If you're running windows 10, try ipconfig /release6 and ipconfig /renew6.

    If you want to get full marks on ipv6-test.com and test-ipv6.com, you need to have the inbound firewall rule called virtual machine monitoring (echo request icmpv6-in) enabled on the client.

    On pfsense, all you need is icmpv4 and icmpv6 echo-request enabled in the firewall, not all.

    Please post the output of ipconfig /all.

    No one cares about your ip addresses. It would make it easier if you posted the details without obfuscating anything.

    Please try running ipv6-test.com. It gives some different information.

    Post your WAN, LAN and dhcpv6 configurations from pfsense.



  • Hey BimmerDiver, thank you for these replies, I'm from Brazil! o/ and thought that you would start to write all in portuguese! hehehehe

    I'm running on Windows 10, but the problem it's happening in windows 7 also.
    Firewall rule echo request enabled - in portuguese: Monitoramento de Máquinas Virtuais (Solicitação de Eco - ICMPv6-Entrada)

    So here it goes:

    1. My ipv6 when working good: www.fischer-ti.com.br/Files/5.png
    2. Ipv6 from interfaces (look at the size of wan and lan ipv6 - ONT it's giving a number not calculated I believe) -  www.fischer-ti.com.br/Files/6.png
    3. Test from the site you asked me to - www.fischer-ti.com.br/Files/7.png
    4. My wan DHCP6 configuration - www.fischer-ti.com.br/Files/8.png
    5. ipconfig /all from my computer - www.fischer-ti.com.br/Files/ipconfig.txt

    The interesting thing about my IPv6 it's: when connected directly to my ONT, my IPv6 it's something like /64 from prefix delegation and a number from 1 to FFFF, in sequence from the last.
    But when connected through the PFSense, I'm receiving a full number that I believe it's being calculated with my ID.

    :) Hopefully it's something very easy that I'm just ignoring.

    Thank you.



  • I've been to Brasil many times (mostly Rio, Macae and Buzios, but also Sao Paulo and other places). Really enjoy it there.

    What version of pfsense are you using?

    For your windows computers, you don't need the legacy adapters. You can disable them with the following commands:

    netsh interface ipv6 isatap set state disabled
    netsh interface ipv6 6to4 set state disabled
    netsh interface teredo set state disabled
    

    How do you know to request a /64? Did your isp tell you that's what they support?

    Please post this information:

    Interfaces / WAN
    Interfaces / LAN
    Services / DHCPv6 Server & RA / LAN / DHCPv6 Server
    Services / DHCPv6 Server & RA / LAN / RA

    Post the entire screens.

    Then, go to interfaces / wan and click save (at the bottom), then apply (at the top). Take note of the time when you do this. Then go into the logs and post the system log and dhcp log starting from before you click apply. This should show what's happening between your pfsense and the isp edge router.

    That should be enough to figure out what's wrong.



  • Nice! Brazil it's a beautiful place to live, just not well administrated. :/
    Anyway, my Interfaces:
    wan: http://fischer-ti.com.br/Files/9.png
    http://fischer-ti.com.br/Files/10.png

    lan: http://fischer-ti.com.br/Files/11.png
    http://fischer-ti.com.br/Files/12.png

    DHCPv6 Server it's not enabled, even so my computer does receive an IPv6, with the prefix delegation from my ISP.
    Inside the ONT it's the answer for the /64 prefix delegation.
    ont: http://fischer-ti.com.br/Files/13.png

    My WAN IPv6 it's working fine! I'm using a OpenVPN with this IP, actually right now I'm remote managing  that.
    The lan ipv6 it's the problem, and computers inside the LAN.
    I've just rebooted my PFsense, and here it goes some logs that I saw, can I be more resource full with that?
    http://fischer-ti.com.br/Files/14.png

    RA:
    http://fischer-ti.com.br/Files/15.png
    http://fischer-ti.com.br/Files/16.png

    Should I create all the rules for DHCPv6? Can't I just pass on the IPv6 delegation from my ISP?
    Maybe it's just this mistake?  :-X

    Thanks!



  • @fischerti:

    Nice! Brazil it's a beautiful place to live, just not well administrated. :/

    Whenever someone asks me about Brazil, I tell them it's a great place to visit (if you're a reasonably experienced traveler) but I wouldn't want to live there.

    I think your problem is that you are trying to use the ONT as the dhcp server. I don't have an ONT, but if it works like a modem, pfsense should be connected to a bridged port so it gets unique ipv4 address and ipv6 prefix.

    Not sure why you set the upstream gateway. Try using none.

    Here is what I posted for someone else having trouble. It applies to you also. I recommend you reset to factory defaults and start again. Use default settings wherever possible. Don't change any setting unless you are sure you need to.

    In the WAN, use ipv4 dhcp and ipv6 dhcp6. I have bogons blocked in my wan settings. Depending on your ISP, you may or may not be able to request a WAN address and some ISP require do not wait for RA. Don't set it unless you know you need to. If you want your prefix to be as static as possible, set do not allow pd release.

    In the LAN, use static for ipv4 and tracking for ipv6. I don't have bogons blocked in my lan settings. Set the LAN to track the wan and start with ipv6 prefix id 0 for the first /64 subnet and increment it by 1 for each subsequent subnet. This field pads the delegated prefix by up to 8 bits to make it a /64.

    In the dhcpv6 server settings, set the minimum / maximum range to be ::1000 / ::2000, or whatever. Set the RA to be assisted.

    That's all that should be required. Give it a try and if you're still having problems, post screen captures of wan, lan and dhcpv6 settings.
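
An added example, not part of the original post or of pfSense's code: how a tracking LAN's /64 follows from the delegated prefix and the IPv6 prefix ID, and where a ::1000 / ::2000 DHCPv6 range lands inside it. The function names are hypothetical, the prefixes are constructed from the 2001:db8::/32 documentation range, and the code assumes any delegation no longer than /64, which generalises the case described in the post.

```python
import ipaddress

def tracked_lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 a tracking LAN would use for a delegation and prefix ID."""
    pd = ipaddress.IPv6Network(delegated)          # rejects set host bits
    if pd.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a LAN subnet")
    id_bits = 64 - pd.prefixlen                    # bits left for the prefix ID
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in the {id_bits} free bits of {pd}")
    # The prefix ID fills the bits between the delegation and the /64 boundary.
    base = int(pd.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def dhcpv6_pool(lan: ipaddress.IPv6Network, low: str = "::1000", high: str = "::2000"):
    """Expand a suffix-only DHCPv6 range into full addresses inside the LAN /64."""
    base = int(lan.network_address)
    start = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(low)))
    end = ipaddress.IPv6Address(base | int(ipaddress.IPv6Address(high)))
    if start not in lan or end not in lan or start > end:
        raise ValueError("range does not fit inside the LAN prefix")
    return start, end

if __name__ == "__main__":
    # Constructed sample delegations (documentation prefix, not real ISP data).
    for delegated, pid in [("2001:db8:1234:5600::/56", 1),
                           ("2001:db8:1234:5678::/64", 0),
                           ("2001:db8:1234:5678::/64", 1)]:
        try:
            lan = tracked_lan_prefix(delegated, pid)
            start, end = dhcpv6_pool(lan)
            print(f"{delegated} id={pid} -> LAN {lan}, pool {start} - {end}")
        except ValueError as err:
            print(f"{delegated} id={pid} -> invalid: {err}")
```

With a /64 delegation there are no free bits, so 0 is the only prefix ID that fits and only one LAN can track the WAN.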



  • Hey, thanks for your replies, I'm solving another priority right now, so I'll take a little more time to try it again!
    Pretty soon I'll be back here!!!
    Thanks

