Lost outbound IPv6 connectability after a couple of changes - but why/how?



  • Need troubleshooting help - can you point me in the right direction?

    Symptom
    I have a proxmox install behind pfsense, and apt-get update hangs. Traceroute shows hops until it arrives at prod.debian.map.fastly.net (2a04:4e42:2c::204). At first I went to an up/down site service and it said it's not responding. I waited a day, but still hanging. I think it's me, though, because I cannot ping to IPv6 outside of pfsense.

    The following recent changes occurred, and I'm not sure what caused it:
    Change #1
    I switch from residential Time Warner cable internet to Spectrum/TWC business cable with a static IPv4. I know that residential modem had an IPv6 address. Spectrum says no IPv6 address is provided with my current subscription. A page like this used to be all greens, now it confirms I have no IPv6 address, and IPv6 only sites will be a problem.

    Change #2
    They gave me a stupid Arris modem and it was broadcasting into the network behind pfsense. I posted about this here, and to make the modem not accessible from any device behind pfsense, I created two new networks that had the same subnets as the Arris broadcasts, and blocked all incoming and outgoing from those interfaces. I noticed no issues after this change. pfsense Firewall status logs show:

    Jul 30 11:14:21 WAN Block ULA networks from WAN block fc00::/7 (12000) 192.168.0.1 224.0.0.1 IGMP
    Jul 30 11:15:54 WAN Block ULA networks from WAN block fc00::/7 (12000) 192.168.100.3:138 192.168.100.255:138 UDP

    I'm not sure where the 100.3 came from...the modem was 100.1 and I made the network interface 100.1...maybe Spectrum changed it?

    This change successfully blocked ping access from anything behind pfsense. Had no affect that I could tell on the WAN static ip of 96.11.x.y

    pfsense settings
    Under System>Advanced>Networking I have "Allow IPv6" unchecked.

    On the firewall rules for the interface behind which proxmox sits, I have IPv4+6 any protocal set to PASS at the bottom of the rules list.

    Possible confusion on my part?
    I think that preventing IPv6 from coming into the network, means only connections initiated from the WAN. Is this correct?

    I think that being able to connect to IPv6 requires that I haven't blocked outgoing IPv6 traffic.

    I'm at a loss for what to check. I forget how, but last night I ran a test that seemed to indicate the MAC address of the modem was the point of failure regarding connectivity from an IPv6 standpoint. But, I couldn't figure it out.

    EDIT (Additional Info):
    From Diagnostics/Ping I have these results:

    • Hostname: prod.debian.map.fastly.net, IP Protocal: IPv6, source address: auto selected, RESULTS: (Error) Host "prod.debian.map.fastly.net" did not respond or could not be resolved.

    • When I run the same things with IPv4 it passes through no problem with A record of 151.101.44.204.

    From Diagnostics/DNS Lookup, the same domain will show both A and AAAA records. So my system can find it, but does not have the ability to use it?

    EDIT #2:
    From the proxmox install, I ran "ip -6 neigh" and it shows the ipv6-local link through the proxmox bridge that goes to a NIC card on my server that heads straight to the Spectrum modem. The response shows the mac address of the router, and notes "router REACHABLE". I have all local networks behind pfsense set to IPv4 subnets with static(no DHCP) so this makes sense to me as the only IPv6 that was found.



  • SOLVED: I concluded it was the ISP and will be pursuing this.