Lost outbound IPv6 connectability after a couple of changes - but why/how?
gboone last edited by gboone
Need troubleshooting help - can you point me in the right direction?
I have a proxmox install behind pfsense, and apt-get update hangs. Traceroute shows hops until it arrives at prod.debian.map.fastly.net (2a04:4e42:2c::204). At first I went to an up/down site service and it said it's not responding. I waited a day, but still hanging. I think it's me, though, because I cannot ping to IPv6 outside of pfsense.
The following recent changes occurred, and I'm not sure what caused it:
I switch from residential Time Warner cable internet to Spectrum/TWC business cable with a static IPv4. I know that residential modem had an IPv6 address. Spectrum says no IPv6 address is provided with my current subscription. A page like this used to be all greens, now it confirms I have no IPv6 address, and IPv6 only sites will be a problem.
They gave me a stupid Arris modem and it was broadcasting into the network behind pfsense. I posted about this here, and to make the modem not accessible from any device behind pfsense, I created two new networks that had the same subnets as the Arris broadcasts, and blocked all incoming and outgoing from those interfaces. I noticed no issues after this change. pfsense Firewall status logs show:
Jul 30 11:14:21 WAN Block ULA networks from WAN block fc00::/7 (12000) 192.168.0.1 184.108.40.206 IGMP
Jul 30 11:15:54 WAN Block ULA networks from WAN block fc00::/7 (12000) 192.168.100.3:138 192.168.100.255:138 UDP
I'm not sure where the 100.3 came from...the modem was 100.1 and I made the network interface 100.1...maybe Spectrum changed it?
This change successfully blocked ping access from anything behind pfsense. Had no affect that I could tell on the WAN static ip of 96.11.x.y
Under System>Advanced>Networking I have "Allow IPv6" unchecked.
On the firewall rules for the interface behind which proxmox sits, I have IPv4+6 any protocal set to PASS at the bottom of the rules list.
Possible confusion on my part?
I think that preventing IPv6 from coming into the network, means only connections initiated from the WAN. Is this correct?
I think that being able to connect to IPv6 requires that I haven't blocked outgoing IPv6 traffic.
I'm at a loss for what to check. I forget how, but last night I ran a test that seemed to indicate the MAC address of the modem was the point of failure regarding connectivity from an IPv6 standpoint. But, I couldn't figure it out.
EDIT (Additional Info):
From Diagnostics/Ping I have these results:
When I run the same things with IPv4 it passes through no problem with A record of 220.127.116.11.
From Diagnostics/DNS Lookup, the same domain will show both A and AAAA records. So my system can find it, but does not have the ability to use it?
From the proxmox install, I ran "ip -6 neigh" and it shows the ipv6-local link through the proxmox bridge that goes to a NIC card on my server that heads straight to the Spectrum modem. The response shows the mac address of the router, and notes "router REACHABLE". I have all local networks behind pfsense set to IPv4 subnets with static(no DHCP) so this makes sense to me as the only IPv6 that was found.
gboone last edited by
SOLVED: I concluded it was the ISP and will be pursuing this.