2.4.3-RELEASE-p1 / 2.4.4 - IPV6 Issues - Description and need help (Resolved, Updated)



  • I upgraded to 2.4.3 and then attempted 2.4.4 due to issues related to IPV6 failures.

    Configuration: SG-4860
    WAN IPV4/6 to Spectrum / Time Warner IPV6/56 with prefix hint
    LAN for switches and AP (IPV4/6) IPV6/64
    5 VLANs for (IPV4/6 and IPV4 alone) IPV6/64
    All primary hardware gets addresses via SLAAC and DHCPv6 as do user devices.
    This configuration had been stable for ~18 months, without much difficulty UNTIL the upgrade to 2.4.3-release-p1.
    Patches with 2.4.3-release-p1 were attempted and did not help:

    https://github.com/pfsense/pfsense/commit/c9159949e06cc91f6931bf2326672df7cad706f4.patch

    https://github.com/pfsense/pfsense/commit/63b2c4c878655746f903565dec3f34b3d410153f.patch

    Afterwards I attempted to update to 2.4.4a...., and could not achieve it until I temporarily disabled IPV6. This was done, as another post suggested that the issue was never present in 2.4.4. I also attempted to recreate the IPV6 gateway (delete and new).

    Failures:

    • First problem noted: IPV6 Gateway via dpinger fails, and has been persistently 100% failed since 2.4.3p1. Patches would allow me to ping google.com's address. However, the cable modem's fe80 address typically pinged by the router since day 1, no longer works. Pinging with the %igb0 address added also fails.

    • Pinging and traceroutes from the VLANs are now haphazard. Sometimes it works, sometimes it doesn't. This occurs randomly throughout the day. The patches made this a little bit better on 2.4.3p1, but I reverted them (after?) the 2.4.4 update. The failures continue.
      It always drops the first hop, although right after an IPV6 connection is established that hop is visible for a few seconds, ending with a ::1 global unicast address.

    • I am unable to ping6 or traceroute6 from the router itself, via either the GUI or the console. This includes both global unicast addresses (randomly), as well as the link-local address of the cable modem. This is FIRMLY broken for the link-local address. I've looked at my firewall rules, and I can't see anything that would be interfering with it (GUI view).

    Additionally, all VLANs work off a single hardware interface (LAN). I had been attempting to switch those VLANs to individual hardware ports several weeks before this update, but could not figure out how to do so properly. Regardless, this configuration was working for several weeks, before the update made IPV6 flaky.

    Thoughts and help would be appreciated.

    Thanks,

    Pablo



  • I have largely resolved this issue and figured that I would provide some additional details. During this process, I have swapped between /56 and /64 prefix requests, and eventually was unable to get any address for the /56. Recalling that this could be related to the DUID, I deleted /var/db/dhcp6c_duid and restarted. Going on ~20 hours, I have had a stable IPV6 connection with new prefixes.

    I had already reverted the patches by this time. I was on 2.4.4.a.20180606.0352 at that time.

    However:

    • Traceroute and the disappearing first hop remain in place, and I do not know if there is a fix for this or not.
    • Gateway monitoring of IPV6 will not work with the fe80 address on the modem.
    • This may be related to traffic shaping. I attempted to use the wizard to set up traffic shaping, which failed silently. Upon doing that, IPV6 became wonky again. DUID file removal and a reboot corrected the problem.


  • I have an unusual IPv6 WAN issue with 2.4.4, whereas when I go to whatismyip it shows my WAN IPv6 address, whereas before the update it would show the actual IP of the desktop I was on. I can still create rules to access internal to WAN via IPv6; just wondering if anyone else has noticed this new behavior. I also have Spectrum.


  • Rebel Alliance Global Moderator

    If you're seeing your WAN IPv6 - then you're running a proxy on pfSense, so yeah that is how it would work.



  • @johnpoz
    I am not doing that intentionally. Where can I look? I know I installed an FTP proxy some years back. How can I verify "proxy"? Thanks for replying.


  • Rebel Alliance Global Moderator

    What packages are you running? If you're not running a proxy then what you say is NOT possible because IPv6 is not natted... So maybe you're just thinking they are the same because the IP is so long and you're missing the 1 number/letter that makes it a different prefix..

    Look at your installed packages.



  • @johnpoz I have 4 packages installed; the only proxy is the FTP client, which I disabled - I don't use that anyway. I know what my IPv6 address is, and trace6 and whatismyip all display my WAN address; on 2.4.3 this did not happen. Yes I know this should be impossible, which is why it's very strange. I can open a firewall port to my local PC and ping from outside.
    My WAN and my LAN /64 are very different; also I have a reserved IP for my desktop, :6700:dead:f1ea:face:221, so I know what I should expect to see from whatismyip. So leave it to me to do something impossible; would not be the first time.

    Installed packages:

    • acme (security) 0.3.2_4 - Automated Certificate Management Environment, for automated use of LetsEncrypt certificates.
    • darkstat (net-mgmt) 3.1.3_4
    • FTP_Client_Proxy (ftp) 0.3_3 - Basic FTP Client Proxy using ftp-proxy from FreeBSD.
    • Open-VM-Tools (emulators)



  • Would appear I have established "Cricket Syndrome" where the room goes silent. But to interject, I have not dismissed the obvious that my 2.4.4 pfSense is indeed somehow using NAT for my IPv6. I have found a tick box under Advanced, and when I use this option everything goes to normal. So I must have a rule somewhere somehow that is forcing IPv6 to use my WAN interface. Oddly some have desired this type of behavior.
    So now that I know how to make it work correctly, I have to figure out which Rule is causing NAT with ipv6
    Suggestions?


  • Rebel Alliance Global Moderator

    There is NO nat with IPv6..

    Here is a tracert from one of my ipv6 clients..

    As to crickets - sorry I go through a lot of threads, and somehow missed the email that this one was answered.. I just now noticed your response..


    So you see that 1st hop is pfsense lan side IP and prefix, and 2nd hop is the other side of the tunnel to HE which is what I run my ipv6 through..

    edit:
    Well WOW look at that!!!


    It looks like you CAN outbound Nat your IPv6!! When did they add that - I do not recall seeing that in any release notes.. And it works too..

    Do you have your nat set to hybrid or manual and changed your outbound nat to use ipv4+ipv6 on your wan interface?

    edit2:

    Turned off the hybrid outbound NAT I created and now back to normal, showing the LAN side IPv6 prefix address. Pretty kewl shit but not sure why you would want to do that? hmmmm




  • @johnpoz I knew I was not crazy. Yes WOW and yes WHY. I also have a tunnel with HE and that always seems to be unaffected and works fine; it's the native I have issues with. My NAT is set to Manual Outbound NAT but I have no rules in the list for IPv6; they are all IPv4. Should I tick the box for Disable Outbound NAT?
    So I am operational again, all working except the NAT for WAN on IPv6.



  • I apologize for the cricket comment; I thought maybe I found a bug in pfSense. It would seem I have many rules that were generated over the years in that manual NAT. They are all WAN interface and each is IPv4+IPv6. I don't want to change anything right now because I can ping from WAN, I can ping from LAN, but my local network has no IPv6 access. I will revert to this morning's config and start troubleshooting again. Where is your NAT set? Which option should I be using here?



  • @johnpoz I did what you show above and I can duplicate it with the HE tunnel; it shows my tunnel address now. So I must have some rogue rule from eons ago that is messing with me.



  • Well I just looked at the rules to see what might match and found it. Disabled it and all is normal now. Although it's nice to know for all those users that keep asking about how to NAT IPv6 and were told it's not possible; although this is not really NAT as you don't create inbound rules, more of a spoof, no?
    I am back to my Dead Flea Face IP address again!!!

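The stale rule found above only surfaced because an outbound NAT entry's address family included IPv6. The following added example (not from the thread or from pfSense itself) audits a config.xml backup for enabled manual/hybrid outbound NAT rules that apply to IPv6; the element names, and the `inet`/`inet6`/`inet46` values of `<ipprotocol>`, are assumed to follow pfSense's layout, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the <nat><outbound> section of a pfSense
# config.xml backup (layout assumed, not taken from the thread).
SAMPLE_CONFIG = """<pfsense><nat><outbound><mode>manual</mode>
<rule><interface>wan</interface><ipprotocol>inet</ipprotocol>
  <source><network>192.168.1.0/24</network></source><destination><any/></destination>
  <descr>LAN to WAN, IPv4 only</descr></rule>
<rule><interface>wan</interface><ipprotocol>inet46</ipprotocol>
  <source><any/></source><destination><any/></destination>
  <descr>Old catch-all from 2013</descr></rule>
<rule><interface>wan</interface><ipprotocol>inet46</ipprotocol>
  <source><network>10.0.5.0/24</network></source><destination><any/></destination>
  <disabled/><descr>Disabled, should not count</descr></rule>
</outbound></nat></pfsense>"""


def ipv6_outbound_nat_rules(config_xml):
    """Return (mode, [descriptions]) of enabled outbound NAT rules whose
    address family covers IPv6 (inet6 or inet46). Automatic mode does not
    NAT IPv6, so only manual/hybrid rule sets can produce the symptom
    described in the thread (clients appearing with the WAN address)."""
    root = ET.fromstring(config_xml)
    outbound = root.find("./nat/outbound")
    if outbound is None:
        return "automatic", []
    mode = outbound.findtext("mode", default="automatic")
    hits = []
    for rule in outbound.findall("rule"):
        # <disabled/> marks a rule that pfSense does not load into pf.
        if rule.find("disabled") is not None:
            continue
        # Rules written before the address-family selector existed are
        # assumed to default to IPv4 (inet) when the element is absent.
        family = rule.findtext("ipprotocol", default="inet")
        if family in ("inet6", "inet46"):
            hits.append(rule.findtext("descr", default="(no description)"))
    return mode, hits


if __name__ == "__main__":
    mode, hits = ipv6_outbound_nat_rules(SAMPLE_CONFIG)
    print(f"outbound NAT mode: {mode}")
    for descr in hits:
        print(f"IPv6-affecting outbound NAT rule: {descr}")
```

Run it against a real backup with `ipv6_outbound_nat_rules(open("config.xml").read())`; any listed rule is a candidate for the behaviour this thread traced back to a 2013-era entry.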

  • Rebel Alliance Global Moderator

    Why are you running manual rules? Why not just run hybrid if you want to create some specific outbound?

    Now the question is when did this become possible? It must be really new I have never noticed it before now that is for sure.. I have not edited outbound nats in a while - but pretty sure the whole ability to pick ipv4 or ipv6 or both has got to be somewhat new..



  • @johnpoz so I must have had that stale rule enabled for years; it says last edit was 2013. But I never noticed this issue till the 2.4.3 update to 2.4.4, so somehow now IPv6 actually recognizes this rule and enforces it.
    My native IPv6 is very unreliable; since my last test it's already offline again. I have to constantly bounce my LAN interface to bring it back. I lowered my MTU to stop modem crashes; now it's affecting everything else.


  • Rebel Alliance Global Moderator

    Comcast was HORRIBLE!!! for ipv6 - HORRIBLE!!! never used native.. HE way better, and then when moved to new ISP they don't even have native ipv6 support and I don't give 2 shits don't care if they ever get.. I will just use my same /48 I have had for years from HE thank you very much.. I can take that with me no matter what ISP I use ;)

    Just turn off your native and just use your tunnel :)

    edit:
    Just looked, brought up my first tunnel with HE
    January 13, 2011 23:40:14 PST

    So yeah a few years back ;)



  • @johnpoz Yes the HE is solid; that is what I put my Exchange server on, due to having reverse DNS access I can get past the filters. Enabled DMARC and DKIM. The HE interface always comes up, never fails. I also have a /48 from them; they are great. When I enabled an HE /64 on my local LAN my internet speeds got too slow, so I put HE on a couple of the VLANs just for some servers, and my local network is all native. That's why I keep trying to get IPv6 to work. I think the ISP is so bad about NOT allowing you to have static IPs for any length of time; they have very short leases for the /56 so it renews like every other day. Each time it renews I have to bounce my LAN to get IPv6 back or reboot the appliance. Yes, very annoying. Bounced my LAN and I'm back in action again. Such a manual process to keep it alive.



  • I forgot to say thank you, because you did solve the issue by getting me to look at those outbound NAT rules. Since I have not changed them in years I never thought to look there till I found that tick box in Advanced and followed the crumbs to outgoing NAT for IPv6, but who would have thought that would be the problem. I read the release notes 3 times to make sure I did not miss "And we have enabled NAT now for IPV6"; that statement did not exist.
    So again, thanks :-)


  • Rebel Alliance Global Moderator

    Yeah thanks to you as well - I looked through some old release notes, I can not find where they enabled that either.. Without this thread prob would have never seen that... I have a PM out to derelict, might have to hit up jimp to see when this became an option.. But at least know where to look now if anything like this comes up again in other threads

    Yeah I use ipv6 from HE on a few boxes on a few different vlans - the only thing I have that is always using ipv6 is my ntp server in the pool on both ipv4 and ipv6.. Other than that I don't really use IPv6 much - normally even have it turned off on my PC..