Mark gateway as down and don't use it

  • Hi!

    I use dual stack and failover. But only one WAN has an IPv6. If that WAN has packet loss on IPv6 and the gateway goes offline, how can I set it up to stop using IPv6 completely and fall back to IPv4 only?

    Right now, even though the gateway is marked as offline, it's still being used.

  • Rebel Alliance Developer Netgate

    If all gateways are down for a protocol, then it falls back to assuming they are all up as a last resort.

    Deciding between IPv6 and IPv4 is up to the clients, not the firewall. You can't fail over for just one protocol.

  • Problem is, sometimes I have massive packet loss on my WAN1, so IPv4 switches to WAN2. But WAN2 is IPv4 only, so IPv6 stays at WAN1 with packet loss. The result is that all IPv6 sites such as Google and YouTube still use WAN1 IPv6 and get a timeout. For that I want that if the IPv6 gateway shows offline, IPv6 is completely not used anymore. If there is no connection for IPv6, clients switch to IPv4. But as long as the gateway is used and clients get some response, they still use IPv6.

    I wish I could say that if a gateway is down, no traffic gets routed over it.

  • Rebel Alliance Developer Netgate

    You need to have both protocols on both WANs, ideally.

    Like I already said, the clients themselves have to decide to choose between IPv4 and IPv6. Clients have no way to know what is happening beyond the gateway, however, so they have no way to know what to do. Even if you could shut off the IPv6 WAN/gateway on pfSense the clients wouldn't know that, they'd still send V6 traffic to the firewall.

  • Of course they do, but if they receive no answer, they switch to IPv4. That's what I want. Killing the IPv6 connectivity if the gateway is down.

  • LAYER 8 Global Moderator

    but that can take a while, and cause delays, etc.. And as we all know to most users if the page doesn't come up in less than a few seconds then the whole internet is down... And refreshing is just too much work, open a ticket ;)

    To be honest, unless you have some real need for IPv6, and you're wanting your failover to be quick and easy and not cause delays, you're probably better off just turning IPv6 off on the WAN that does have it vs trying to run failover with one WAN that has it and another that doesn't.

    There was a thread pretty much just like this the other day.. One option is to bring up an HE tunnel, use that, and just change the tunnel over to your other WAN if the first WAN goes down, etc.

    Let me see if I can dig up that thread.

    edit: here you go

  • Well I have setup my IPv6 LAN to "Track Interface" and chose my WAN to track. So how should Failover work with that? Even with a tunnelbroker. Or am I wrong?

  • LAYER 8 Global Moderator

    Well you could just forget the track interface, use the /48 and set up your different segments with /64s out of your /48, and just bring the tunnel back up on failover on the 2nd ISP.

    Or like in that thread use NPt for your prefix translation, which might be harder with tracked networks?

    Or I guess you could set up ULA on your LAN and do different NPt depending on whether you're going out your ISP connection or the HE tunnel.

    Multiple ways to skin any cat.. But to be honest the simple solution would just be to turn off IPv6.. Or set up your clients to prefer IPv4 over IPv6, which would allow them to not feel the pain on loss of IPv6 unless they were actively using IPv6 for some IPv6-only resource.

  • Well ok, but instead of that I could use my second WAN, or why do you prefer a tunnel broker? As said, I have both WANs with Dual Stack. I only use the second WAN as IPv4 only because of the Track Interface problem.

    I don't know how else to set up my LAN. If I choose a static IP for it, IPv6 stops working.

  • LAYER 8 Global Moderator

    If both have IPv6 then you could do the NPt and ULA sort of setup.

  • NPt doesn't work with dynamic prefixes. There has been a feature request for years now...

  • LAYER 8 Global Moderator

    Then use HE ;)

    Or just freaking turn it off.. What resource is out there that is only available via IPv6?? I mean really? While I agree IPv6 is the future.. It's not tomorrow, that is for damn sure.

    If it's a headache just disable it. No more headache.

  • Here in Germany most new private internet connections only have DS-Lite. To connect to them you need IPv6.

    Next, my ISP is starting to switch IPv4-only or DS customers to DS-Lite.

    I'm not a fan of IPv6, but now is the time to discover how it works and troubleshoot it.

  • LAYER 8 Global Moderator

    So you need to access these private internet connections?

    I agree, learn and play.. Been using it for years - and to be honest while it's kewl as shit and fun.. It can also be a PITA..

    Have your second ISP give you static... Get your own static IPv6 range and advertise it out of your 2 ISP connections, etc. etc.. There are many ways to skin this cat, some easier than others. Some less painful than others.

  • No. No ISP in Germany provides static IPv6 :(

    I do some work for people; for that I have to connect to them, yes. It's strange, the WAN2 IPv6 (Telekom) works fine. Only WAN1 IPv6 is the problem, but only the routing from LAN to the Internet. WAN to Internet is no problem.

    I found a lot of threads regarding this problem with pfSense, but no solution.

    To be clear: (two images were attached to the original post; they are not reproduced here)

  • LAYER 8 Global Moderator

    Then just get your own..

    There is always a solution.. It's just that many small companies don't want to pay to do it the right way ;) If you want to play on the world stage with IPv6 and have multiple redundant paths and be able to route this network over these paths.. Just like you would do with IPv4, you need to own the space, etc. No, it's not cheap.. Then again most companies that don't want to pony up to play in the big game don't need multiple ISP connections, and just live with the SLA of their one provider, etc.

    We do this with IPv4: you advertise your network out of your locations, with different metrics for the different locations... If one location goes down then the network is available at the other location, etc. This is not new; IPv6 really doesn't change this aspect.. You own some space, you have your ASN, you work with your ISPs to allow you to advertise prefixes of your space out of this location or that location, etc. etc., be it IPv4 or IPv6..

    So when you say there is no solution, you're just saying you have not found a solution that fits your current cost model.

    That there is no ISP in DE that provides static IPv6 seems unlikely - more like the ISPs that charge what you're willing to pay do not provide static IPv6 for free, etc.. So you're saying Deutsche Telekom will not provide you with an internet connection and a static IPv6 prefix?

  • Ok, I've got it running. I had to make some changes in my IPv6 config to fix the packet loss problem (seems to be a bug in pfSense).
    Now I've set up WAN2 IPv6 and entered it as Tier 2 in the failover group. After that I disabled the gateway monitoring action and unchecked the "only prefix" setting.

    Now if WAN1 fails, it switches to WAN2. But there IPv6 can't work, so it falls back instantly to IPv4. It's running like a charm, I'm happy.
    Let's hope for a dynamic prefix feature in NPt to get IPv6 failover running properly.
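The behaviour the Netgate developer described earlier in the thread (a gateway group takes the lowest tier that still has a live member, and if every member for an address family is down pfSense falls back to treating them all as up) explains both the original symptom and why the Tier 2 workaround above behaves the way it does. The following is an added model written for this thread, not pfSense code; the gateway names, the tier layout and the assumed upstream IPv6 path states are constructed to mirror the two setups described in the posts.

```python
"""Toy model of pfSense gateway-group selection per address family.

Added illustration for this thread; it is NOT pfSense code. It encodes two
behaviours stated by the developer above:

  * a gateway group routes over the lowest tier that still has a member up;
  * if every member for that address family is down, pfSense falls back to
    treating them all as up (last resort), so a gateway "marked offline"
    is still used.

Gateway names, tiers and the PATH_STATE table are assumptions modelled on
the two setups described in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Gateway:
    name: str
    family: str   # "inet" (IPv4) or "inet6" (IPv6)
    tier: int     # lower tier is preferred
    up: bool      # result of gateway monitoring (dpinger)


def select_gateways(group, family):
    """Names of the members the group would route FAMILY traffic over."""
    members = [g for g in group if g.family == family]
    if not members:
        return []                   # no gateway at all for this family
    live = [g for g in members if g.up]
    if not live:
        # Last resort: every member is down -> pretend they are all up.
        # This is why traffic still flows over a gateway shown as offline.
        live = members
    best = min(g.tier for g in live)
    return [g.name for g in live if g.tier == best]


# Scenario 1 (original setup): WAN1 carries IPv4+IPv6, WAN2 is IPv4 only.
# WAN1 has heavy packet loss, so monitoring marks both its gateways down.
ORIGINAL = [
    Gateway("WAN1_DHCP",  "inet",  1, up=False),
    Gateway("WAN2_DHCP",  "inet",  2, up=True),
    Gateway("WAN1_DHCP6", "inet6", 1, up=False),
]

# Scenario 2 (the fix from the post above): WAN2's IPv6 gateway is added
# as Tier 2 even though WAN2 has no usable IPv6 path upstream.
FIXED = ORIGINAL + [Gateway("WAN2_DHCP6", "inet6", 2, up=True)]

# Assumed state of the IPv6 path *behind* each gateway (constructed):
#   "ok"    - works, "lossy" - partial answers, "none" - nothing at all
PATH_STATE = {"WAN1_DHCP6": "lossy", "WAN2_DHCP6": "none"}


def client_family_used(group, path_state):
    """Crude dual-stack client view, as the OP describes it: the client keeps
    using IPv6 as long as it gets *some* response, and only falls back to
    IPv4 when IPv6 yields nothing at all."""
    v6_states = [path_state.get(n, "none") for n in select_gateways(group, "inet6")]
    if any(s in ("ok", "lossy") for s in v6_states):
        return "inet6"   # still getting responses -> sticks with IPv6, times out
    return "inet"        # no IPv6 at all -> immediate fallback to IPv4


if __name__ == "__main__":
    for label, group in (("original", ORIGINAL), ("fixed", FIXED)):
        print(label,
              "v4 ->", select_gateways(group, "inet"),
              "v6 ->", select_gateways(group, "inet6"),
              "client uses", client_family_used(group, PATH_STATE))
```

In the original layout IPv4 moves to WAN2 but IPv6, having no other member, falls back onto the down WAN1 gateway and the lossy path keeps clients on IPv6. With the dead WAN2 IPv6 gateway added as Tier 2, IPv6 is routed to a path that answers nothing, so clients give up on IPv6 at once and use IPv4, which is exactly the effect the post above reports.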

  • LAYER 8 Global Moderator

    @mrsunfire said in Mark gateway as down and don't use it:

    (seems to be a bug in pfSense).

    And what changes were those exactly? If you feel there is a bug then you should be reporting it.

  • Now I only request a prefix, not an IP address. Without that I had massive random packet loss. The WAN interface sometimes didn't forward traffic. I could reproduce this problem on different hardware and a fresh install of pfSense. But this happened only with my ISP Unitymedia. Deutsche Telekom worked fine. So I think it's a bug, but I don't know.

  • LAYER 8 Netgate

    When that is the case it is customary to duplicate the steps to repeat the condition and report it, so the developers have something to work with regarding your specific set of circumstances.

    I understand it is a burden. Sometimes it is easier to just say, "it's a bug, fix it."
