Cannot route IPv6 - Frustrated

johnnybinator

I'm a Comcast business customer, I have a static /30 for IPv4 and a /56 for ipv6. Config looks like:

*** Welcome to pfSense 2.4.3-RELEASE-p1 (amd64) on pfSense ***

WAN (wan) -> igb0 -> v4: xx.xx.17.177/30
v6/DHCP6: xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4/64
LAN (lan) -> igb1 -> v4: 172.16.0.254/16
v6: xxxx:xxxx:xx:c0ff::254/64

I have a cisco switch with IP services running on the LAN. All VLANs are assigned 172.16.x.x/24 and xxxx:xxxx:xx:c0xx::254/64. IPv4 works like a champ. From the Cisco switch, I can ping ipv6 to both the WAN and LAN interfaces on the Pfsense box, but cannot ping ipv6 past that. Can anyone see anything obvious?

Current configuration : 6759 bytes
!
! Last configuration change at 12:14:39 CDT Fri Aug 31 2018
! NVRAM config last updated at 12:15:18 CDT Fri Aug 31 2018
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname 3560g
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 blahblahblah
!
no aaa new-model
clock timezone MST -7 0
clock summer-time CDT recurring
system mtu routing 1500
vtp interface vlan11
ip routing
ip domain-name sdjdofj
ip name-server x.x.x.x
!
!
!
ipv6 unicast-routing

interface GigabitEthernet0/24
description To Router
no switchport
ip address 172.16.0.253 255.255.255.0
ipv6 address xxxx:xxxx:xx:C0FF::253/64
ipv6 enable

interface Vlan6
ip address 172.16.6.254 255.255.255.0
ipv6 address xxxx:xxxx:xx:C001::254/64
ipv6 enable

ip route 0.0.0.0 0.0.0.0 172.16.0.254
!
ipv6 route ::/0 xxxx:xxxx:xx:C0FF::254

johnpoz

@johnnybinator said in Cannot route IPv6 - Frustrated:

and a /56 for ipv6

So they routed that /56 to you... Sounds more like they just put a /56 on your connection like they put your /30... These idiots do not understand..

If they routed that /56 to you - what is your transit.. Are you just going to use link-local? They are routing that /56 they gave you to your dhcp address you got on your wan?

johnnybinator

@johnpoz

I get a gateway assigned to me when I get my DHCPv6 address....fe80::fc91:14ff:fec8:d069

netstat -r :
Internet:
Destination Gateway Flags Netif Expire
default xx-xx-17-178-stati UGS igb0
10.200.0.0/24 172.16.0.253 UGS igb1
10.200.1.254 link#2 UHS lo0
10.200.1.254/32 link#2 U igb1
xx.xx.17.176/30 link#1 U igb0
xx-xx-17-177-stati link#1 UHS lo0
localhost link#4 UH lo0
172.16.0.0/16 link#2 U igb1
pfSense link#2 UHS lo0

Internet6:
Destination Gateway Flags Netif Expire
default fe80::21b:21ff:fe7 UGS igb0
localhost link#4 UH lo0
xxxx:xxxx:xx:c000: link#1 U igb0
xxxx:xxxx:xx:c000: xxxx:xxxx:xx:c0ff: UGS igb1
xxxx:xxxx:xx:c000: link#1 UHS lo0
xxxx:xxxx:xx:c0ff: link#2 U igb1
pfSense link#2 UHS lo0
fe80::21b:21ff:fe7 fe80::21b:21ff:fe7 UGHS igb0
fe80::%igb0/64 link#1 U igb0
fe80::21b:21ff:fe7 link#1 UHS lo0
fe80::%igb1/64 link#2 U igb1
fe80::21b:21ff:fe7 link#2 UHS lo0
fe80::%lo0/64 link#4 U lo0
fe80::1%lo0 link#4 UHS lo0

2.4.3-RELEASE][admin@pfSense.iroquois.lan]/root: ping6 2600::
PING6(56=40+8+8 bytes) xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4 --> 2600::
16 bytes from 2600::, icmp_seq=0 hlim=53 time=105.081 ms
16 bytes from 2600::, icmp_seq=1 hlim=53 time=74.743 ms
^C
--- 2600:: ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 74.743/89.912/105.081/15.169 ms
[2.4.3-RELEASE][admin@pfSense.iroquois.lan]/root: traceroute6 2600::
traceroute6 to 2600:: (2600::) from xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4, 64 hops max, 12 byte packets
1 xxxx:xxxx:xx:c000:fc91:14ff:fec8:d069 7.577 ms 8.127 ms 1.183 ms
2 2001:558:4001:1::1 28.595 ms 26.088 ms 9.672 ms
3 po-101-rur02.albuquerque.nm.albuq.comcast.net 10.268 ms 10.860 ms 10.226 ms
4 be-5-ar02.albuquerque.nm.albuq.comcast.net 19.892 ms 106.813 ms 49.574 ms
5 be-33654-cr02.losangeles.ca.ibone.comcast.net 46.259 ms 35.965 ms 49.629 ms
6 be-11587-pe02.600wseventh.ca.ibone.comcast.net 40.364 ms 41.328 ms 41.419 ms
7 sl-mst55-la-ae3.0.v6.sprintlink.net 38.446 ms 34.247 ms 39.716 ms
8 sl-mst31-la-be16.v6.sprintlink.net 40.107 ms 47.024 ms 49.950 ms
9 sl-crs1-ria-be9.v6.sprintlink.net 39.984 ms 47.010 ms 40.347 ms
10 sl-crs1-fw-be2.v6.sprintlink.net 61.324 ms 67.239 ms 58.430 ms
11 sl-crs1-atl-be8.v6.sprintlink.net 90.441 ms 87.174 ms 81.340 ms
12 sl-crs1-ffx-be3.v6.sprintlink.net 79.085 ms 99.518 ms 89.714 ms
13 sl-crs1-orl-be12.v6.sprintlink.net 80.154 ms 87.339 ms 89.628 ms
14 sl-lkdstr2-p1-0.v6.sprintlink.net 81.795 ms 79.787 ms 87.076 ms

johnpoz

Not sure what your trying to show with that.. Your tracing to where??

What has that have to do with your /56 actually being routed to you??

PM the /56 they gave you.

johnnybinator

@johnpoz
I'm obviously new to this stuff

What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

JKnott

@johnnybinator said in Cannot route IPv6 - Frustrated:

What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

Why are you pinging 2600::? That wouldn't be a valid address. Its the network address for a huge /112 prefix.

It's entirely possible to connect to your ISP using only the link local address, as that's the norm on IPv6. However, you should see some DHCPv6 traffic, unless you're expected to manually configure your connection. Have you asked your ISP about what they provide?

johnnybinator

@jknott
I just picked 2600:: because it's easy to type. I get the same results from 2001:4860:4860::8888.

Comcast will not support IPv6. At all. I keep calling and asking questions, they keep telling me that I can use their gateway as my router, and things will work perfectly, but as soon as I introduce my own router, they stop and tell me I'm on my own. It's VERY frustrating.

I guess what I was hoping for was someone who is also set up like me, Comcast Business, Static, etc. and has this figured out.

All I want is to assign static IPv6 addresses to my internal servers and play a little. I had no idea it was going to be this difficult. All of this is because Comcast wants me to use their device as my router, which I refuse to do. Perhaps I'm being a bit thick headed.

IsaacFL

@jknott said in Cannot route IPv6 - Frustrated:

@johnnybinator said in Cannot route IPv6 - Frustrated:

What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

Why are you pinging 2600::? That wouldn't be a valid address. Its the network address for a huge /112 prefix.

It's entirely possible to connect to your ISP using only the link local address, as that's the norm on IPv6. However, you should see some DHCPv6 traffic, unless you're expected to manually configure your connection. Have you asked your ISP about what they provide?

2600:: is actually a valid address. It is owned by Sprint and a lot of people use it as a quick ipv6 ping address.

From RFC 4291:

"The use of "::" indicates one or more groups of 16 bits of zeros. The "::" can only appear once in an address. The "::" can also be used to compress leading or trailing zeros in an address."

It is the "trailing zeros" part. But it has always felt weird to me, since I think of it should be 2600::0.

JKnott

@isaacfl said in Cannot route IPv6 - Frustrated:

It is the "trailing zeros" part. But it has always felt weird to me, since I think of it should be 2600::0.

2600:: and 2600::0 are the exact same address. 2600:: is not a valid address for a device, because the lowest address in any prefix (or IPv4 subnet) is considered the network address and not usable for hosts. Now, if it was 2600::1, then that would indeed be a valid address for a device. Same with 2600:0:0:0:1:: /64 There's nothing wrong with using :: for trailing zeros in an address, provided that address is not the lowest in a prefix. Compare with IPv4 192.168.0.0 /24 and 192.168.0.128 /24. Both addresses are in the same subnet. The first is not a usable address because it's the lowest address in the subnet, but the 2nd is because it isn't the lowest address. The 128 works out to 10000000, which includes seven trailing zeros.

IsaacFL

@jknott said in Cannot route IPv6 - Frustrated:

@isaacfl said in Cannot route IPv6 - Frustrated:

It is the "trailing zeros" part. But it has always felt weird to me, since I think of it should be 2600::0.

2600:: and 2600::0 are the exact same address. 2600:: is not a valid address for a device, because the lowest address in any prefix (or IPv4 subnet) is considered the network address and not usable for hosts. Now, if it was 2600::1, then that would indeed be a valid address for a device. Same with 2600:0:0:0:1:: /64 There's nothing wrong with using :: for trailing zeros in an address, provided that address is not the lowest in a prefix. Compare with IPv4 192.168.0.0 /24 and 192.168.0.128 /24. Both addresses are in the same subnet. The first is not a usable address because it's the lowest address in the subnet, but the 2nd is because it isn't the lowest address. The 128 works out to 10000000, which includes seven trailing zeros.

It isn't quite the same in ipv6 as it is in ipv4. While it is a valid unicast address it is reserved as is a special address. It predefined as the Subnet-Router anycast address for that subnet. All traffic sent to the anycast address should be delivered to the closest router in that network. So I assume, this case, 2600:: is a router inside Sprint. Devices can have anycast addresses, hosts should not.

I am not sure what pfsense does with the anycast address. I know that it doesn't respond to the ping.

johnnybinator

@jknott
Glad we got that cleared up. Sorry for pinging a network.

Does anyone have any idea how I can get me IPv6 setup working?

Someone somewhere has to be using Comcast Business, pfSense, and a static /56, right?

IsaacFL

@johnnybinator said in Cannot route IPv6 - Frustrated:

@jknott
Glad we got that cleared up. Sorry for pinging a network.

Does anyone have any idea how I can get me IPv6 setup working?

Someone somewhere has to be using Comcast Business, pfSense, and a static /56, right?

Actually, that is what 2600:: has been set up for. An easy to remember ipv6 address when you may not have working dns that you can ping.

johnnybinator

@isaacfl
Yeah, That's how I found that IP address. I just googled "easy to remember pingable IPv6 addresses.

Anyway, I'd still love to hear from anyone with Comcast Business, pfSense, static /56. I say business because I'm told by Comcast that they use different firmware on Business service modems.

Not that this is anyone else's problem, but my bill went up significantly when I got the static /30 and /56. I had been using my own modem up until then. The new bill with static and their "gateway" is $50.00 more. All this was to get IPv6 routing working. Soon I'm going to tell them where they can put their "gateway" & static IP.

IsaacFL

@johnnybinator said in Cannot route IPv6 - Frustrated:

@jknott
Glad we got that cleared up. Sorry for pinging a network.

Does anyone have any idea how I can get me IPv6 setup working?

Someone somewhere has to be using Comcast Business, pfSense, and a static /56, right?

What you have above doesn’t really make since to me. I don’t have comcast business or static ipv6. Mine is dhcp /56

But if you really have a static /56 assigned to you, then this is what I would try.

For discussion, we are going to say they gave you 26051234:12::/56

This means you have 256 subnets:

2605:1234:1234:1200/64
2605:1234:1234:1201/64
2605:1234:1234:1202/64
……
2605:1234:1234:12fe/64
2605:1234:1234:12ff/64

On Wan interface
IPv6 Configuration Type, choose SLAAC. Everything else ok.

On your other interfaces, since it is static, you have to just like you do in ipv4, you need to assign a subnet. Remember these are hex numbers, 00 - ff

I left a lot of empty subnets on mine. So If I picked the 10 and 20 subnets as examples

2605:1234:1234:1210/64 for LAN
2605:1234:1234:1220/64 for OPT1

---

Then on your LAN interface:

IPv6 Configuration Type, choose Static IPv6.  Everything else ok.
Static IPv6 Configuration
IPv6 Address: 2605:1234:1234:1210/64
IPv6 Upstream gateway: None

Then on your OPT1 interface:

IPv6 Configuration Type, choose Static IPv6.  Everything else ok.
Static IPv6 Configuration
IPv6 Address: 2605:1234:1234:1220/64
IPv6 Upstream gateway: None

I have found I get best results by rebooting the router for this to fully work.

IsaacFL

@johnnybinator said in Cannot route IPv6 - Frustrated:

@isaacfl
Yeah, That's how I found that IP address. I just googled "easy to remember pingable IPv6 addresses.

Anyway, I'd still love to hear from anyone with Comcast Business, pfSense, static /56. I say business because I'm told by Comcast that they use different firmware on Business service modems.

Not that this is anyone else's problem, but my bill went up significantly when I got the static /30 and /56. I had been using my own modem up until then. The new bill with static and their "gateway" is $50.00 more. All this was to get IPv6 routing working. Soon I'm going to tell them where they can put their "gateway" & static IP.

Are you sure you have a "static" /56? because on your first post, it kind of looked like you were trying to use a dynamic prefix /56?

johnnybinator

@isaacfl
I've only ever been able to use Comcast via DHCP6 on WAN. SLAAC does not get me an address. Also, other than the fact that I don't have an OPT interface. I'm basically configured like you typed up.

What I'm told by Comcast is that I HAVE to use DHCP6 on my WAN interface. I, WITH MUCH EXASPERATION, mentioned to them that I wanted static not DHCP for IPv6. They said that even though I was using DHCP, the subnet and address assigned to my WAN interface would not change. Apparently they assign the address to me but deliver it via DCHP6.

For IPv4 this is all working great. I don't understand why there are issues with IPv6. Clearly there's something beyond my grasp.

IsaacFL

@johnnybinator said in Cannot route IPv6 - Frustrated:

@isaacfl
I've only ever been able to use Comcast via DHCP6 on WAN. SLAAC does not get me an address. Also, other than the fact that I don't have an OPT interface. I'm basically configured like you typed up.

What I'm told by Comcast is that I HAVE to use DHCP6 on my WAN interface. I, WITH MUCH EXASPERATION, mentioned to them that I wanted static not DHCP for IPv6. They said that even though I was using DHCP, the subnet and address assigned to my WAN interface would not change. Apparently they assign the address to me but deliver it via DCHP6.

For IPv4 this is all working great. I don't understand why there are issues with IPv6. Clearly there's something beyond my grasp.

Ok, I think you have dynamic. This is not "static" but it is unchanging, as long as your DUID doesn't change. So with pfsense as long as you don't rebuild the router it will stay the same.

It is part of one of the ipv6 recommended standards that as long as you use the same DUID and you aren't offline for extended period of time then the ISP will give the same prefix (/56 in your case). With pfsense the DUID is created and stored during install and as long as you don't manually change it, it won't change.

With ipv6 there are 2 parts to dhcp. One is what you are probably familiar with that just gets an ip address to use on an interface. The other part is a request for a prefix that you can then use to assign downstream.

Here is my Interface WAN setup:

Here is my LAN interface. Note it is track interface and I picked 10 for this subnet from my pool of 00-ff.

My OPT1 is the same except IPv6 prefix ID is 20. Again arbitrary pick on my part.

IsaacFL

Also I think it is best to reboot after changing all of this. I don't think you have to, but it shouldn't hurt.

johnnybinator

@isaacfl

I have tried the hint on WAN, tack interface setup until I was blue in the face. It does not work with my setup.

I'm not sure you're reading all the way back to the beginning. My pfSense router does not handle DHCP for my LAN, nor does it handle VLANS.

All I want to use the router for is routing. All other layer 2/3 is handled by my Cicso switch. DHCP is handled by a Redhat box. All I want it to route IPv6 out of my LAN to pfSense, and then to the Comcast "Gateway" and then to the freakin' internet.

IPv4 works very well this way. I believe there's a way to do what I want, just something isn't right.

johnnybinator

@johnnybinator

This is IPv4. Working great. See how the VLANS are all 172.16.x.254. That's the default gateway on all my subnets. All subnets route to the default route in the cisco, which is the 172.16..0.253/30 which is connected to the pfSense router. Pf sense has a route back to 172.16.0.0/16 via that same interface.

I need this to work the same (or equivalent) on IPv6. Track interface does not get an IPv6 address at all.