Client in LAN Interface Cannot ping ipv6 link local on WAN Interface



  • Hello expert,
    I'm a newbie to pfSense, and I built a multi-WAN setup using pfSense. I use MikroTik as the router for ISP 1 and ISP 2, and on pfSense I use IPv6 link-local addresses between the ISP router and the pfSense router, but for my client I configure a static global IPv6 address. I configured assisted router advertisement on the LAN interface and my client gets IPv6. My client can ping the LAN interface but cannot ping the WAN interface.
    Does anyone know where the fault is?


  • LAYER 8 Global Moderator

    Why would you think you would be able to ping a link local address that is in another L2?

    No, you can not ping link local addresses that are not in the same L2 network.. That's why they are called link "local" ;)

    Are you meaning that your lan device can not ping your wan global IPv6 address?  If so what are the rules on your lan interface?



  • Yes, I cannot ping the global IPv6 address, because the global IPv6 is installed on the MikroTik router, and between the MikroTik router and pfSense I only use local addresses. I also have not added rules on the LAN interface?
    What rules should I add? ;D



  • As Jon mentioned, link local traffic is only on the local link.  It is never passed through routers, which is what has to happen, if you try to ping the WAN interface.  If there's a router, which pfSense is, in between you and the destination, you must use a routable address, either global or unique local.


  • LAYER 8 Global Moderator

    If you want a device to talk to a global address it needs a global address.  While in theory you can talk from a linklocal to a global if they are in the same L2.  That is not your case, and even so the device with the linklocal traffic would not be able to be passed beyond that L2 without having an address that can route past the L2.. So JKnott mentions it could be ULA, which you can route internally - it would not be viable on the actual public internet.

    Your pfSense doesn't actually have to have a global on the L2 between it and the router.  Though it should!!!  But your client will have to have one if you want to be able to talk to stuff via that linklocal transit you're using upstream of pfSense.  Your upstream will have to know that to get to this global behind pfSense that it sends traffic to the pfSense linklocal on its WAN.

    You would have to create your routes using your linklocal transit..  In such a case I would grab a /64 out of the larger prefix you use and use it as the transit..  For your routing entries. But sure it is possible to do such routing with linklocal, or use a ULA as your transit IP scheme, etc.

    This is not really the sort of config for a newbie to networking in general, nor someone that is not fully up to speed on IPv6.. IPv6 is way more than just a longer IP address ;)



  • If you want a device to talk to a global address it needs a global address.

    Not quite.  It can, provided it doesn't have to go over the public Internet.  PfSense can easily route between global and ULA addresses.  I have done that here.  This is no different than using RFC 1918 addresses on IPv4.

    But your client will have to have one if you want to be able to talk to stuff via that linklocal transit you're using upstream of pfSense.

    Here we go again.  Global addresses are not normally used for routing.  As I pointed out recently in another thread, routing is done using link local addresses between routers.  Check your routing table to verify.  You can also capture router advertisements to see what address is provided for routing.  However, those global addresses are definitely useful for management and diagnostic purposes.

    But sure it is possible to do such routing with linklocal, or use a ULA as your transit IP scheme, etc.

    Once again, link local addresses are always used for routing, unless specifically configured otherwise.  Take a look at your routing table in pfSense and computer operating systems.  You will see link local addresses.  For example, here is the default IPv6 route on the Linux computer I'm currently sitting at:

    default via fe80::1:1 dev eth0  proto ra  metric 1024  expires 46sec hoplimit 64 pref medium

    As you can see, it's a link local address, as provided by pfSense.  Further, it's entirely possible for a router to have the same link local address on multiple interfaces.  It's only necessary to have unique link local addresses for devices on any given link.  This would not be possible with a routable address.

    As I mentioned in other threads, many things in IPv6 are different from IPv4.  You need to update your understanding of this.  There is one other difference shown in that default route that goes to another disagreement we had a while back.  Do you see that "medium" at the end of the line?  That refers to router priority.  By changing that, you could have multiple default routes, possibly via alternate ISPs, simply by assigning different priorities, as pfSense can do.  Then should the primary default route fail, another can then be used.  This is part of IPv6 and can only be accomplished in IPv4 by using a first hop redundancy protocol.
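
The scope rules discussed in this thread, as an added example that is not part of any poster's reply: it parses the `ip -6 route` line quoted above to show the link-local next hop and router preference, and checks whether a router may forward a packet between two addresses. The `2001:db8::/32` and `fd00::/8` addresses are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def scope(addr: str) -> str:
    """Classify an IPv6 address by the scopes discussed in the thread."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop any %zone suffix
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in ULA:
        return "unique-local"
    if ip in GLOBAL_UNICAST:
        return "global"
    return "other"


def forwardable(src: str, dst: str) -> bool:
    """True if address scope allows a router to forward src -> dst.

    A link-local source or destination never leaves its own link.
    """
    return "link-local" not in (scope(src), scope(dst))


def parse_route(line: str) -> dict:
    """Parse one line of `ip -6 route` output into key/value fields."""
    tokens = line.split()
    route = {"dst": tokens[0]}
    keys = {"via", "dev", "proto", "metric", "expires", "hoplimit", "pref"}
    i = 1
    while i < len(tokens) - 1:
        if tokens[i] in keys:
            route[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    if "via" in route:
        route["via_scope"] = scope(route["via"])
    return route


# The default route quoted in the thread.
ROUTE = ("default via fe80::1:1 dev eth0  proto ra  metric 1024  "
         "expires 46sec hoplimit 64 pref medium")

if __name__ == "__main__":
    r = parse_route(ROUTE)
    print(r["via"], r["via_scope"], r["pref"])
    # Constructed LAN client pinging the WAN link-local address: not forwarded.
    print(forwardable("2001:db8:1::10", "fe80::1:1"))
    # Constructed ULA host to a global address: scope permits forwarding.
    print(forwardable("fd00:1::10", "2001:db8:ff::1"))
```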

