External Ping doesn't work

  • Hi,

I have a /64 block and set my WAN IPv6 to a:x:y:z::1/64.
    Externally I can now ping this IP without a problem. Also a VIP with a:x:y:z::7 was added and works without a problem.
    My DNS are set to the google ipv6 dns ip's.

    Now I want to set up my LAN. So I generated a local IPv6 net here: https://www.ultratools.com/tools/rangeGenerator

I set the LAN interface to b:x:y:z::1 of that pool and 1 server to b:x:y:z::2. (prefix of the net is fda9 btw)
    My gateway on the server is set to b:x:y:z::1 as is the DNS Server.

Now on the server, I can ping b:x:y:z::1 without an issue,
    and also on pfSense I can ping b:x:y:z::2 from the LAN interface.

    External ping6 from my wan to google.com works without an issue (resolves to 2a00:1450:4001:816::200e)

    However my server cannot ping the ipv6 of google, nor can pfsense using the LAN interface.

    local server ping -6 google.com does resolve the ip address (Pinging google.com [2a00:1450:4001:816::200e] with 32 bytes of data:)
    tracert shows the reply from pfsense and then nothing.

    I'm fairly new to both pfsense and ipv6. What could I be missing?

Please provide more info. You say that you have a /64 prefix a:x:y:z. Is it static? Did your ISP allocate it to you? If your prefix is a:x:y:z, why are you allocating LAN addresses in b:x:y:z? That's not your /64. You should be setting your LAN gateway to a:x:y:z::1 and setting your DHCPv6 ranges to something like ::1000 and ::2000 or whatever. There is no need for a WAN address.

  • LAYER 8 Global Moderator

If your ISP gave you a /64 you can not just subnet that or create some ULA address and use it locally.. That is not how it is supposed to work.

    Your isp should give you something larger than /64, ie /60 or /56 and then you would setup the /64's that make up that larger prefix as one of your lans either manually or via track..

  • Sorry it took a while for me to reply, but I got side tracked a bit and had to put this on hold.

Basically, I have received a /64 static block from my "isp" 2a01:x:y:z

    I have a WAN where the /64 block will arrive and a LAN where my servers are connected.
All settings described before have been reset, only the 2a01:x:y:z::1 is assigned to my WAN and is pingable.

    I'm a complete noob at ipv6, so that's why I started to set it up much the same as you would set up a ipv4 network (public range to WAN, private range on LAN)

  • @joca83be:

    I'm a complete noob at ipv6, so that's why I started to set it up much the same as you would set up a ipv4 network (public range to WAN, private range on LAN)

    That's your first mistake.  People have been using NAT and private addresses for so long they think it's normal.  It's a hack that has no place on IPv6.  You say you only have a /64 prefix.  Is that a limitation imposed by your ISP?  On mine, if I use their modem/router as a router, I only get a single /64.  But if I put it in bridge mode, with a separate router, I can have my choice up to a /56, which is 256 /64s.

  • I now understand I shouldn't have tried to treat V6 as v4. So bit by bit I'm learning.

    As for the /64 range. I think this all I'm getting, there is no option to request another V6 range with my hoster (hetzner)

  • Talk to your ISP, if they can't offer anything more than a single /64, they obviously don't know IPv6 and/or don't care, so switch providers.

  • LAYER 8 Global Moderator

"Basically, I have received a /64 static block from my "isp" 2a01:x:y:z"

    If all they gave you was /64, then they do not want you putting anything behind a router, ie pfsense.  The only way to use a firewall in such a case would be bridged so your devices behind the firewall are on that /64

hetzner is online host, so this is in the cloud somewhere?  Or a DC and you're trying to run your own router/firewall - pfsense?  If you want to use IPv6 behind pfsense then they should route more networks to you, or should use delegation to allow your router to request a prefix, /60, /56, /48 etc.. That would then be routed to you.

I have quite a few vps that have ipv6 address space, and yeah you get a /64.  But these vps are meant to be directly connected to the hosting network, and not behind some firewall/router.  So you're trying to run pfsense on some virtual esxi box or something and put your other vms you create behind pfsense in the cloud?
