[SOLVED] ipv6 no routing between lan & wan

shebang

Hi

/edit
I'm using 2.3.4-RELEASE on an Alix board

I'm having trouble with mit IPv6 setup on my pfsense box.
My ISP (Telekom in Germany) gives me a native ipv6 address. I get a public ipv6 address on my wan interface via dhcp6-client.
My LAN interfaces is set to track the wan-interface and also gets an corresponding ipv6 address.

I've disabled the dhcp6 service for the lan interface and set the RA-Daemon to unmanaged for stateless autoconfig.
I've added an ICMPv6 (any) Firewall rule to the WAN interface (pass)

I'm using fixed dns entries for both, v4 & v6 on wan (both are the google dns servers)

On my clients I get a proper public ipv6 address. I also can do name resolution without problems. This is done by the pfsense box itself (dns resolver)
I can ping the LAN interface of the pfsense box.
I just can't ping or access any ipv6 enabled sites / ip-addresses from my clients. But I have a proper ipv6 routing table

From the box itself i can lookup and ping ipv6 addresses. So it seems like IPv6 on the pfsenseboxis working just fine.
netstat -r -n on the box gives me a proper routing table.

The client(s) itself is not the problem as ipv6 is working behind a different router (fritzbox) on the same / other telekom connections.

It seems like there is a problem with the routing of th eipv6 between lan and wan.

I do not now how to debug any further. Any help / hint is much appreciated.

Thanks!

/edit

got it to work: on a Telekom (DTAG) connection you have to check "Only request an IPv6 prefix, do not request an IPv6 address" and REBOOT(!) After that everything is working fine!

awebster

First thing to check is whether you've set pfSense to allow IPv6 to pass (by default it is), but have a look at
System -> Advanced -> Networking Tab and make sure that Allow IPv6 is checked.

Next, check that LAN IPv6 subnet is different than WAN IPv6 subnet.  The ISP should be allocated a prefix to you (/56 maybe), but your LAN interface should be the first (by default) /64 inside that prefix.

shebang

ok, thats strange, my wan has a /64 address and my lan has a /56 address.

DHCPv6 Prefix Delegation size was set to /64. I'll change it so /56 and see what happens.

/edit

I changed the Prefix Delegation size, but i still have /64 on the wan, but now also on lan interface.

The wan ipv6 is    2003:d6:2bbf:2efa:aaa:xxxx:yyyy:zzzz
The lan ipv6 is      2003:d6:2bee:f500:aaa:xxxx:yyyy:zzzz

I can ping the public lan & wan ip adress from my client now but i still cant reach anything outside my network

/edit 2

I set the prefix id of the lan interface from 0 to 1 -> no change in connectivity
The default firewall IPv6 allow lan to any rule is seeing some traffic.
But the ICMPv6 firewall rule on wan is not seeing any traffic.

from the box itself everything works:

[2.3.4-RELEASE][admin@gateway.lan]/root: ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2003:d6:2bbf:2f0d:aaa:xxxx:yyyy:zzzz --> 2a00:1450:4001:81b::200e
16 bytes from 2a00:1450:4001:81b::200e, icmp_seq=0 hlim=58 time=16.093 ms
16 bytes from 2a00:1450:4001:81b::200e, icmp_seq=1 hlim=58 time=16.279 ms
16 bytes from 2a00:1450:4001:81b::200e, icmp_seq=2 hlim=58 time=16.199 ms

ttimpe

Was just about to post the same problem. I have a Vigor 130 + pfSense here, with the Vigor doing the VLAN 7 tagging OOTB.