IPv6 issue with ISP router



  • Hi,

    For a brand new installation, we asked our ISP to provide us with IPv4 and IPv6 connectivity.
    IPv4 is working correctly.

    The setup is the following:

    
    ISP Upstream <-- Point to point network --> ISP CPE (cisco) <----> PFSense
    
    

    They attributed us a /48, the setup is fully static (no DHCPv6-PD or SLAAC).

    They have set up the CPE (a Cisco router) so that their WAN interface is using an IPv6 point-to-point network (let's say it is 2001:XXXX:ZZZZ::371/126), and on the LAN side of the ISP CPE their interface is 2001:XXXX:YYYY::1/48.
    (this is something I find strange, I thought there would have been an interconnection network outside of our /48)

    On the WAN side of the PFSense router, I have set up 2001:XXXX:YYYY::2/48.
    I added an IPv6 gateway to 2001:XXXX:YYYY::1.

    From the pfsense shell I can ping:

    • the CPE LAN (2001:XXXX:YYYY::1)
    • the CPE WAN (2001:XXXX:ZZZZ::371/126)

    but I can't ping the other side of their point-to-point net (nor access any IPv6 site).

    From an exterior IPv6 host, I can ping everything except our pfsense WAN (note: when capturing the traffic on the WAN I don't see anything coming in).

    They assured me that from their CPE they can ping anywhere including our pfsense WAN.
    Our WAN firewall allows ICMPv6 (echo rep, echo req, router adv, router sol, neighbor sol, neighbor adv).

    We double-checked our config and their CPE config of the LAN side.

    I'm out of clues about what I have done wrong in the config, my gut feeling is that there is something wrong in their CPE configuration, but it's hard to tell from outside.

    Any idea of what can be wrong and how we can further troubleshoot?

    Thanks!
    Masterzen.



  • @masterzen:


    (this is something I find strange, I thought there would have been an interconnection network outside of our /48)

    On the WAN side of the PFSense router, I have set up 2001:XXXX:YYYY::2/48.
    I added an IPv6 gateway to 2001:XXXX:YYYY::1.

    From the pfsense shell I can ping:

    • the CPE LAN (2001:XXXX:YYYY::1)
    • the CPE WAN (2001:XXXX:ZZZZ::371/126)

    but I can't ping the other side of their point-to-point net (nor access any IPv6 site).

    From an exterior IPv6 host, I can ping everything except our pfsense WAN (note: when capturing the traffic on the WAN I don't see anything coming in).

    They assured me that from their CPE they can ping anywhere including our pfsense WAN.
    Our WAN firewall allows ICMPv6 (echo rep, echo req, router adv, router sol, neighbor sol, neighbor adv).

    We double-checked our config and their CPE config of the LAN side.

    I'm out of clues about what I have done wrong in the config, my gut feeling is that there is something wrong in their CPE configuration, but it's hard to tell from outside.

    Any idea of what can be wrong and how we can further troubleshoot?

    Thanks!
    Masterzen.

    First, 2001:XXXX:ZZZZ::371/126 is outside of 2001:XXXX:YYYY::/48. I don't understand your confusion.
    Secondly: from your description the error seems to lie outside of your realm. I'm quite sure that your provider's setup is faulty.



  • @pmisch:

    @masterzen:


    (this is something I find strange, I thought there would have been an interconnection network outside of our /48)

    On the WAN side of the PFSense router, I have set up 2001:XXXX:YYYY::2/48.
    I added an IPv6 gateway to 2001:XXXX:YYYY::1.

    From the pfsense shell I can ping:

    • the CPE LAN (2001:XXXX:YYYY::1)
    • the CPE WAN (2001:XXXX:ZZZZ::371/126)

    but I can't ping the other side of their point-to-point net (nor access any IPv6 site).

    From an exterior IPv6 host, I can ping everything except our pfsense WAN (note: when capturing the traffic on the WAN I don't see anything coming in).

    They assured me that from their CPE they can ping anywhere including our pfsense WAN.
    Our WAN firewall allows ICMPv6 (echo rep, echo req, router adv, router sol, neighbor sol, neighbor adv).

    We double-checked our config and their CPE config of the LAN side.

    I'm out of clues about what I have done wrong in the config, my gut feeling is that there is something wrong in their CPE configuration, but it's hard to tell from outside.

    Any idea of what can be wrong and how we can further troubleshoot?

    Thanks!
    Masterzen.

    First, 2001:XXXX:ZZZZ::371/126 is outside of 2001:XXXX:YYYY::/48. I don't understand your confusion.

    My confusion is that they put our attributed /48 on the CPE LAN.
    I thought that for proper interconnection you had to do either a point-to-point network (i.e. a dedicated /126 or /64 outside of the /48) or use a /64 from the attributed /48.

    The 2001:XXXX:ZZZZ::370/126 address is their interconnection between their upstream routers and their CPE, not our pfsense and their CPE.

    @pmisch:

    Secondly: from your description the error seems to lie outside of your realm. I'm quite sure that your provider's setup is faulty.

    Yes, I'm quite positive it's not our setup, but they seem to think otherwise…
    I have asked them to capture packets at different points on the CPE to see where packets are dropped but they don't seem to want to do it :(
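
The addressing question debated in this thread, as an added example that is not part of any post: it compares the layout as deployed with the two interconnection layouts mentioned above and counts how many /64s of the assignment stay outside the CPE's connected LAN prefix. All addresses are constructed stand-ins from the documentation prefix 2001:db8::/32 (aaaa for YYYY, bbbb for ZZZZ, cccc for a hypothetical dedicated transit network); the function and layout names are assumptions.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread.
ASSIGNED = ipaddress.ip_network("2001:db8:aaaa::/48")       # the assigned /48
ISP_P2P = ipaddress.ip_interface("2001:db8:bbbb::371/126")  # CPE WAN, ISP point-to-point


def free_64s(assigned, transit):
    """Count the /64s of `assigned` lying outside the CPE-facing `transit` network."""
    total = 2 ** (64 - assigned.prefixlen)
    if not transit.overlaps(assigned):
        return total                      # transit is a separate network
    if assigned.subnet_of(transit):
        return 0                          # transit covers the whole assignment
    # transit is carved out of the assignment: it consumes at least one /64
    return total - 2 ** max(0, 64 - transit.prefixlen)


def audit(cpe_lan, fw_wan, assigned=ASSIGNED, isp_p2p=ISP_P2P):
    """Summarise one CPE-LAN / firewall-WAN addressing layout."""
    cpe_lan = ipaddress.ip_interface(cpe_lan)
    fw_wan = ipaddress.ip_interface(fw_wan)
    return {
        # pmisch's point: the ISP point-to-point /126 is not part of the /48
        "isp_p2p_outside_assignment": not isp_p2p.network.overlaps(assigned),
        # both ends of the CPE <-> firewall segment must agree on the prefix
        "same_transit_network": cpe_lan.network == fw_wan.network,
        # the configured IPv6 gateway must be reachable on-link from the WAN
        "gateway_on_link": cpe_lan.ip in fw_wan.network,
        # masterzen's point: what remains outside the CPE's connected prefix
        "free_64s": free_64s(assigned, cpe_lan.network),
    }


LAYOUTS = {
    "as deployed (/48 on CPE LAN)": ("2001:db8:aaaa::1/48", "2001:db8:aaaa::2/48"),
    "transit /64 taken from the /48": ("2001:db8:aaaa::1/64", "2001:db8:aaaa::2/64"),
    "dedicated /126 outside the /48": ("2001:db8:cccc::1/126", "2001:db8:cccc::2/126"),
}

if __name__ == "__main__":
    for name, (cpe, fw) in LAYOUTS.items():
        print(f"{name}: {audit(cpe, fw)}")
```

A `free_64s` of 0 means every address in the assignment matches the CPE's connected prefix, so any subnet placed behind the firewall needs a more specific route on the CPE to be forwarded rather than resolved by neighbor discovery on the CPE LAN.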