Cannot route IPv6 - Frustrated



  • I'm a Comcast business customer, I have a static /30 for IPv4 and a /56 for ipv6. Config looks like:

    *** Welcome to pfSense 2.4.3-RELEASE-p1 (amd64) on pfSense ***

    WAN (wan) -> igb0 -> v4: xx.xx.17.177/30
    v6/DHCP6: xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4/64
    LAN (lan) -> igb1 -> v4: 172.16.0.254/16
    v6: xxxx:xxxx:xx:c0ff::254/64

    I have a cisco switch with IP services running on the LAN. All VLANs are assigned 172.16.x.x/24 and xxxx:xxxx:xx:c0xx::254/64. IPv4 works like a champ. From the Cisco switch, I can ping ipv6 to both the WAN and LAN interfaces on the Pfsense box, but cannot ping ipv6 past that. Can anyone see anything obvious?

    Current configuration : 6759 bytes
    !
    ! Last configuration change at 12:14:39 CDT Fri Aug 31 2018
    ! NVRAM config last updated at 12:15:18 CDT Fri Aug 31 2018
    !
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log uptime
    no service password-encryption
    !
    hostname 3560g
    !
    boot-start-marker
    boot-end-marker
    !
    !
    enable secret 5 blahblahblah
    !
    no aaa new-model
    clock timezone MST -7 0
    clock summer-time CDT recurring
    system mtu routing 1500
    vtp interface vlan11
    ip routing
    ip domain-name sdjdofj
    ip name-server x.x.x.x
    !
    !
    !
    ipv6 unicast-routing

    interface GigabitEthernet0/24
    description To Router
    no switchport
    ip address 172.16.0.253 255.255.255.0
    ipv6 address xxxx:xxxx:xx:C0FF::253/64
    ipv6 enable

    interface Vlan6
    ip address 172.16.6.254 255.255.255.0
    ipv6 address xxxx:xxxx:xx:C001::254/64
    ipv6 enable

    ip route 0.0.0.0 0.0.0.0 172.16.0.254
    !
    ipv6 route ::/0 xxxx:xxxx:xx:C0FF::254


  • Rebel Alliance Global Moderator

    @johnnybinator said in Cannot route IPv6 - Frustrated:

    and a /56 for ipv6

    So they routed that /56 to you... Sounds more like they just put a /56 on your connection like they put your /30... These idiots do not understand..

    If they routed that /56 to you - what is your transit.. Are you just going to use link-local? They are routing that /56 they gave you to your dhcp address you got on your wan?



  • @johnpoz

    I get a gateway assigned to me when I get my DHCPv6 address....fe80::fc91:14ff:fec8:d069

    netstat -r :
    Internet:
    Destination Gateway Flags Netif Expire
    default xx-xx-17-178-stati UGS igb0
    10.200.0.0/24 172.16.0.253 UGS igb1
    10.200.1.254 link#2 UHS lo0
    10.200.1.254/32 link#2 U igb1
    xx.xx.17.176/30 link#1 U igb0
    xx-xx-17-177-stati link#1 UHS lo0
    localhost link#4 UH lo0
    172.16.0.0/16 link#2 U igb1
    pfSense link#2 UHS lo0

    Internet6:
    Destination Gateway Flags Netif Expire
    default fe80::21b:21ff:fe7 UGS igb0
    localhost link#4 UH lo0
    xxxx:xxxx:xx:c000: link#1 U igb0
    xxxx:xxxx:xx:c000: xxxx:xxxx:xx:c0ff: UGS igb1
    xxxx:xxxx:xx:c000: link#1 UHS lo0
    xxxx:xxxx:xx:c0ff: link#2 U igb1
    pfSense link#2 UHS lo0
    fe80::21b:21ff:fe7 fe80::21b:21ff:fe7 UGHS igb0
    fe80::%igb0/64 link#1 U igb0
    fe80::21b:21ff:fe7 link#1 UHS lo0
    fe80::%igb1/64 link#2 U igb1
    fe80::21b:21ff:fe7 link#2 UHS lo0
    fe80::%lo0/64 link#4 U lo0
    fe80::1%lo0 link#4 UHS lo0

    [2.4.3-RELEASE][admin@pfSense.iroquois.lan]/root: ping6 2600::
    PING6(56=40+8+8 bytes) xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4 --> 2600::
    16 bytes from 2600::, icmp_seq=0 hlim=53 time=105.081 ms
    16 bytes from 2600::, icmp_seq=1 hlim=53 time=74.743 ms
    ^C
    --- 2600:: ping6 statistics ---
    2 packets transmitted, 2 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 74.743/89.912/105.081/15.169 ms
    [2.4.3-RELEASE][admin@pfSense.iroquois.lan]/root: traceroute6 2600::
    traceroute6 to 2600:: (2600::) from xxxx:xxxx:xx:c000:21b:21ff:fe74:6ba4, 64 hops max, 12 byte packets
    1 xxxx:xxxx:xx:c000:fc91:14ff:fec8:d069 7.577 ms 8.127 ms 1.183 ms
    2 2001:558:4001:1::1 28.595 ms 26.088 ms 9.672 ms
    3 po-101-rur02.albuquerque.nm.albuq.comcast.net 10.268 ms 10.860 ms 10.226 ms
    4 be-5-ar02.albuquerque.nm.albuq.comcast.net 19.892 ms 106.813 ms 49.574 ms
    5 be-33654-cr02.losangeles.ca.ibone.comcast.net 46.259 ms 35.965 ms 49.629 ms
    6 be-11587-pe02.600wseventh.ca.ibone.comcast.net 40.364 ms 41.328 ms 41.419 ms
    7 sl-mst55-la-ae3.0.v6.sprintlink.net 38.446 ms 34.247 ms 39.716 ms
    8 sl-mst31-la-be16.v6.sprintlink.net 40.107 ms 47.024 ms 49.950 ms
    9 sl-crs1-ria-be9.v6.sprintlink.net 39.984 ms 47.010 ms 40.347 ms
    10 sl-crs1-fw-be2.v6.sprintlink.net 61.324 ms 67.239 ms 58.430 ms
    11 sl-crs1-atl-be8.v6.sprintlink.net 90.441 ms 87.174 ms 81.340 ms
    12 sl-crs1-ffx-be3.v6.sprintlink.net 79.085 ms 99.518 ms 89.714 ms
    13 sl-crs1-orl-be12.v6.sprintlink.net 80.154 ms 87.339 ms 89.628 ms
    14 sl-lkdstr2-p1-0.v6.sprintlink.net 81.795 ms 79.787 ms 87.076 ms


  • Rebel Alliance Global Moderator

    Not sure what you're trying to show with that.. You're tracing to where??

    What does that have to do with your /56 actually being routed to you??

    PM the /56 they gave you.



  • @johnpoz
    I'm obviously new to this stuff

    What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

    Why are you pinging 2600::? That wouldn't be a valid address. It's the network address for a huge /112 prefix.

    It's entirely possible to connect to your ISP using only the link local address, as that's the norm on IPv6. However, you should see some DHCPv6 traffic, unless you're expected to manually configure your connection. Have you asked your ISP about what they provide?



  • @jknott
    I just picked 2600:: because it's easy to type. I get the same results from 2001:4860:4860::8888.

    Comcast will not support IPv6. At all. I keep calling and asking questions, they keep telling me that I can use their gateway as my router, and things will work perfectly, but as soon as I introduce my own router, they stop and tell me I'm on my own. It's VERY frustrating.

    I guess what I was hoping for was someone who is also set up like me, Comcast Business, Static, etc. and has this figured out.

    All I want is to assign static IPv6 addresses to my internal servers and play a little. I had no idea it was going to be this difficult. All of this is because Comcast wants me to use their device as my router, which I refuse to do. Perhaps I'm being a bit thick headed.



  • @jknott said in Cannot route IPv6 - Frustrated:

    @johnnybinator said in Cannot route IPv6 - Frustrated:

    What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

    Why are you pinging 2600::? That wouldn't be a valid address. It's the network address for a huge /112 prefix.

    It's entirely possible to connect to your ISP using only the link local address, as that's the norm on IPv6. However, you should see some DHCPv6 traffic, unless you're expected to manually configure your connection. Have you asked your ISP about what they provide?

    2600:: is actually a valid address. It is owned by Sprint and a lot of people use it as a quick ipv6 ping address.

    From RFC 4291:

    "The use of "::" indicates one or more groups of 16 bits of zeros. The "::" can only appear once in an address. The "::" can also be used to compress leading or trailing zeros in an address."

    It is the "trailing zeros" part. But it has always felt weird to me, since I think it should be 2600::0.



  • @isaacfl said in Cannot route IPv6 - Frustrated:

    It is the "trailing zeros" part. But it has always felt weird to me, since I think it should be 2600::0.

    2600:: and 2600::0 are the exact same address. 2600:: is not a valid address for a device, because the lowest address in any prefix (or IPv4 subnet) is considered the network address and not usable for hosts. Now, if it was 2600::1, then that would indeed be a valid address for a device. Same with 2600:0:0:0:1:: /64. There's nothing wrong with using :: for trailing zeros in an address, provided that address is not the lowest in a prefix. Compare with IPv4 192.168.0.0 /24 and 192.168.0.128 /24. Both addresses are in the same subnet. The first is not a usable address because it's the lowest address in the subnet, but the 2nd is because it isn't the lowest address. The 128 works out to 10000000, which includes seven trailing zeros.



  • @jknott said in Cannot route IPv6 - Frustrated:

    @isaacfl said in Cannot route IPv6 - Frustrated:

    It is the "trailing zeros" part. But it has always felt weird to me, since I think it should be 2600::0.

    2600:: and 2600::0 are the exact same address. 2600:: is not a valid address for a device, because the lowest address in any prefix (or IPv4 subnet) is considered the network address and not usable for hosts. Now, if it was 2600::1, then that would indeed be a valid address for a device. Same with 2600:0:0:0:1:: /64. There's nothing wrong with using :: for trailing zeros in an address, provided that address is not the lowest in a prefix. Compare with IPv4 192.168.0.0 /24 and 192.168.0.128 /24. Both addresses are in the same subnet. The first is not a usable address because it's the lowest address in the subnet, but the 2nd is because it isn't the lowest address. The 128 works out to 10000000, which includes seven trailing zeros.

    It isn't quite the same in ipv6 as it is in ipv4. While it is a valid unicast address, it is reserved as a special address. It is predefined as the Subnet-Router anycast address for that subnet. All traffic sent to the anycast address should be delivered to the closest router in that network. So I assume, in this case, 2600:: is a router inside Sprint. Devices can have anycast addresses, hosts should not.

    I am not sure what pfsense does with the anycast address. I know that it doesn't respond to the ping.



  • @jknott
    Glad we got that cleared up. Sorry for pinging a network.

    Does anyone have any idea how I can get my IPv6 setup working?

    Someone somewhere has to be using Comcast Business, pfSense, and a static /56, right?



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @jknott
    Glad we got that cleared up. Sorry for pinging a network.

    Does anyone have any idea how I can get my IPv6 setup working?

    Someone somewhere has to be using Comcast Business, pfSense, and a static /56, right?

    Actually, that is what 2600:: has been set up for. An easy to remember ipv6 address when you may not have working dns that you can ping.



  • @isaacfl
    Yeah, that's how I found that IP address. I just googled "easy to remember pingable IPv6 addresses".

    Anyway, I'd still love to hear from anyone with Comcast Business, pfSense, static /56. I say business because I'm told by Comcast that they use different firmware on Business service modems.

    Not that this is anyone else's problem, but my bill went up significantly when I got the static /30 and /56. I had been using my own modem up until then. The new bill with static and their "gateway" is $50.00 more. All this was to get IPv6 routing working. Soon I'm going to tell them where they can put their "gateway" & static IP.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @jknott
    Glad we got that cleared up. Sorry for pinging a network.

    Does anyone have any idea how I can get my IPv6 setup working?

    Someone somewhere has to be using Comcast Business, pfSense, and a static /56, right?

    What you have above doesn’t really make sense to me. I don’t have Comcast business or static ipv6. Mine is dhcp /56

    But if you really have a static /56 assigned to you, then this is what I would try.

    For discussion, we are going to say they gave you 2605:1234:1234:12::/56

    This means you have 256 subnets:

    2605:1234:1234:1200/64
    2605:1234:1234:1201/64
    2605:1234:1234:1202/64
    ……
    2605:1234:1234:12fe/64
    2605:1234:1234:12ff/64
    

    On Wan interface
    IPv6 Configuration Type, choose SLAAC. Everything else ok.

    On your other interfaces, since it is static, just like you do in ipv4, you need to assign a subnet. Remember these are hex numbers, 00 - ff

    I left a lot of empty subnets on mine. So if I picked the 10 and 20 subnets as examples

    2605:1234:1234:1210/64 for LAN
    2605:1234:1234:1220/64 for OPT1
    

    Then on your LAN interface:

    IPv6 Configuration Type, choose Static IPv6.  Everything else ok.
    Static IPv6 Configuration
    IPv6 Address: 2605:1234:1234:1210/64
    IPv6 Upstream gateway: None
    

    Then on your OPT1 interface:

    IPv6 Configuration Type, choose Static IPv6.  Everything else ok.
    Static IPv6 Configuration
    IPv6 Address: 2605:1234:1234:1220/64
    IPv6 Upstream gateway: None
    

    I have found I get best results by rebooting the router for this to fully work.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl
    Yeah, that's how I found that IP address. I just googled "easy to remember pingable IPv6 addresses".

    Anyway, I'd still love to hear from anyone with Comcast Business, pfSense, static /56. I say business because I'm told by Comcast that they use different firmware on Business service modems.

    Not that this is anyone else's problem, but my bill went up significantly when I got the static /30 and /56. I had been using my own modem up until then. The new bill with static and their "gateway" is $50.00 more. All this was to get IPv6 routing working. Soon I'm going to tell them where they can put their "gateway" & static IP.

    Are you sure you have a "static" /56? because on your first post, it kind of looked like you were trying to use a dynamic prefix /56?



  • @isaacfl
    I've only ever been able to use Comcast via DHCP6 on WAN. SLAAC does not get me an address. Also, other than the fact that I don't have an OPT interface, I'm basically configured like you typed up.

    What I'm told by Comcast is that I HAVE to use DHCP6 on my WAN interface. I, WITH MUCH EXASPERATION, mentioned to them that I wanted static not DHCP for IPv6. They said that even though I was using DHCP, the subnet and address assigned to my WAN interface would not change. Apparently they assign the address to me but deliver it via DHCP6.

    For IPv4 this is all working great. I don't understand why there are issues with IPv6. Clearly there's something beyond my grasp.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl
    I've only ever been able to use Comcast via DHCP6 on WAN. SLAAC does not get me an address. Also, other than the fact that I don't have an OPT interface, I'm basically configured like you typed up.

    What I'm told by Comcast is that I HAVE to use DHCP6 on my WAN interface. I, WITH MUCH EXASPERATION, mentioned to them that I wanted static not DHCP for IPv6. They said that even though I was using DHCP, the subnet and address assigned to my WAN interface would not change. Apparently they assign the address to me but deliver it via DHCP6.

    For IPv4 this is all working great. I don't understand why there are issues with IPv6. Clearly there's something beyond my grasp.

    Ok, I think you have dynamic. This is not "static" but it is unchanging, as long as your DUID doesn't change. So with pfsense as long as you don't rebuild the router it will stay the same.

    It is part of one of the ipv6 recommended standards that as long as you use the same DUID and you aren't offline for extended period of time then the ISP will give the same prefix (/56 in your case). With pfsense the DUID is created and stored during install and as long as you don't manually change it, it won't change.

    With ipv6 there are 2 parts to dhcp. One is what you are probably familiar with that just gets an ip address to use on an interface. The other part is a request for a prefix that you can then use to assign downstream.

    Here is my Interface WAN setup:

    Here is my LAN interface. Note it is track interface and I picked 10 for this subnet from my pool of 00-ff.


    My OPT1 is the same except IPv6 prefix ID is 20. Again arbitrary pick on my part.



  • Also I think it is best to reboot after changing all of this. I don't think you have to, but it shouldn't hurt.



  • @isaacfl

    I have tried the hint on WAN, track interface setup until I was blue in the face. It does not work with my setup.

    I'm not sure you're reading all the way back to the beginning. My pfSense router does not handle DHCP for my LAN, nor does it handle VLANS.

    All I want to use the router for is routing. All other layer 2/3 is handled by my Cisco switch. DHCP is handled by a Redhat box. All I want is to route IPv6 out of my LAN to pfSense, and then to the Comcast "Gateway" and then to the freakin' internet.

    IPv4 works very well this way. I believe there's a way to do what I want, just something isn't right.



  • @johnnybinator

    This is IPv4. Working great. See how the VLANS are all 172.16.x.254. That's the default gateway on all my subnets. All subnets route to the default route in the Cisco, which is the 172.16.0.253/30 which is connected to the pfSense router. pfSense has a route back to 172.16.0.0/16 via that same interface.

    I need this to work the same (or equivalent) on IPv6. Track interface does not get an IPv6 address at all.




  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl

    I have tried the hint on WAN, track interface setup until I was blue in the face. It does not work with my setup.

    I'm not sure you're reading all the way back to the beginning. My pfSense router does not handle DHCP for my LAN, nor does it handle VLANS.

    All I want to use the router for is routing. All other layer 2/3 is handled by my Cisco switch. DHCP is handled by a Redhat box. All I want is to route IPv6 out of my LAN to pfSense, and then to the Comcast "Gateway" and then to the freakin' internet.

    IPv4 works very well this way. I believe there's a way to do what I want, just something isn't right.

    I am not sure I am following your configuration then?

    So when you are saying "does not handle" you don't mean it doesn't work? It is just being done somewhere else?
    If that is the case, then you probably have your "somewhere else" configured wrong, cause in ipv6 routing just works, or it should, since it is automatic.



  • Maybe this will help. In an ipv6 router every interface negotiates a link local address (fe80 addresses). You don't set default gateways because routers advertise themselves to each other and devices.

    So the brick box is pfsense, and it has a single interface internal connected to Cisco, which then further routes?



  • @IsaacFL

    When I set Track interface on LAN it doesn't get an IP address. I still am getting an IPv6 address on WAN.



  • Destination Gateway Flags Netif Expire
    default 96-77-17-178-stati UGS igb0
    10.200.0.0/24 172.16.0.253 UGS igb1
    10.200.1.254 link#2 UHS lo0
    10.200.1.254/32 link#2 U igb1
    xx.xx.17.176/30 link#1 U igb0
    xx-xx-17-177-stati link#1 UHS lo0
    localhost link#4 UH lo0
    172.16.0.0/16 link#2 U igb1
    pfSense link#2 UHS lo0

    Internet6:
    Destination Gateway Flags Netif Expire
    default fe80::fc91:14ff:fe UGS igb0
    localhost link#4 UH lo0
    xxxx:xxxx:xx::c000: link#1 U igb0
    xxxx:xxxx:xx::c000: link#1 UHS lo0
    xxxx:xxxx:xx::c000: link#1 UHS lo0
    fe80::fc91:14ff:fe fe80::fc91:14ff:fe UGHS igb0
    fe80::%igb0/64 link#1 U igb0
    fe80::21b:21ff:fe7 link#1 UHS lo0
    fe80::%igb1/64 link#2 U igb1
    fe80::1:1%igb1 link#2 UHS lo0
    fe80::%lo0/64 link#4 U lo0
    fe80::1%lo0 link#4 UHS lo0



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @IsaacFL

    When I set Track interface on LAN it doesn't get an IP address. I still am getting an IPv6 address on WAN.

    From the way the picture shows it, it looks like it is all done in the Cisco. It is just a point to point connection from the pfsense to cisco? You said Cisco does layer2/3. Layer 3 includes ipv6, so the Cisco has to be configured to do the routing in your case.

    Your best bet is to hook a pc to the pfsense LAN interface and see that it is able to ping the internet.



  • @isaacfl
    You know, that's a good idea. I hadn't thought of that. Thanks.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl
    You know, that's a good idea. I hadn't thought of that. Thanks.

    Have you been using pfsense for awhile, so it is only ipv6 you are struggling with? or are you new to pfsense?

    Will help me to know that.



  • @isaacfl

    I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.

    I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl

    I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.

    I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.

    OK, I would try to get a PC working on the LAN side of the pfsense then. I would bet it is probably working, then we would need to figure out how to get it to work in your configuration.

    I have only been using pfsense for a few months, so new on its idiosyncrasies, but I have been working with ipv6 for a few years now. So I am more familiar with ipv6 than pfsense.

    I won't be able to spend any more time today, but I will say that ipv6 routing isn't as difficult as ipv4. The difference is ipv6 uses the link local address and multicast on each interface to do the actual routing.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl

    I've been running pfSense for 5 + years. I love it. IPv6 is pretty new to me. I can see there's more than a small amount to learn.

    I've been in IT for 25 years, I usually adapt to new things easier than this. Maybe I'm getting old.

    For the most part, IPv6 works the same as IPv4, but with longer addresses. However, there are some differences, such as ARP being replaced with neighbour discovery, default gateway and prefix being automagically configured with router advertisements. There are other things for improved performance, such as fixed length headers and extension headers.

    One book I find is a good reference is IPv6 Essentials, from O'Reilly.


  • Netgate

    What is your delegated /56? Are they actually delegating it to you?

    Check the Start DHCP6 client in debug mode checkbox on WAN, Save, and Apply, then examine the DHCP logs. You should see what you want to by searching for message IA_PD or process dhcp6c. What is it showing for a /56 delegated?

    You would then need to route a larger prefix of that, say a /60 to the switch then add /64s to the individual switch layer 3 interfaces and configure DHCP6, SLAAC, etc. on the switch (Just like IPv4).



  • @derelict

    This is what I get (I do get an address):

    Sep 1 10:37:43 dhcp6c 8607 failed to parse configuration file
    Sep 1 10:37:43 dhcp6c 8607 called
    Sep 1 10:37:43 dhcp6c 8607 /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
    Sep 1 10:37:43 dhcp6c 8607 called
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of closure [}] (1)
    Sep 1 10:37:43 dhcp6c 8607 <13>begin of closure [{] (1)
    Sep 1 10:37:43 dhcp6c 8607 <13>[0] (1)
    Sep 1 10:37:43 dhcp6c 8607 <13>[na] (2)
    Sep 1 10:37:43 dhcp6c 8607 <3>[id-assoc] (8)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of closure [}] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>comment [# we'd like some nameservers please] (35)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
    Sep 1 10:37:43 dhcp6c 8607 <3>[script] (6)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>[domain-name] (11)
    Sep 1 10:37:43 dhcp6c 8607 <3>[request] (7)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>[domain-name-servers] (19)
    Sep 1 10:37:43 dhcp6c 8607 <3>[request] (7)
    Sep 1 10:37:43 dhcp6c 8607 <3>comment [# request prefix delegation] (27)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>[0] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>[ia-pd] (5)
    Sep 1 10:37:43 dhcp6c 8607 <3>[send] (4)
    Sep 1 10:37:43 dhcp6c 8607 <3>comment [# request stateful address] (26)
    Sep 1 10:37:43 dhcp6c 8607 <3>end of sentence [;] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>[0] (1)
    Sep 1 10:37:43 dhcp6c 8607 <3>[ia-na] (5)
    Sep 1 10:37:43 dhcp6c 8607 <3>[send] (4)
    Sep 1 10:37:43 dhcp6c 8607 <3>begin of closure [{] (1)
    Sep 1 10:37:43 dhcp6c 8607 <5>[igb0] (4)
    Sep 1 10:37:43 dhcp6c 8607 <3>[interface] (9)
    Sep 1 10:37:43 dhcp6c 8607 skip opening control port
    Sep 1 10:37:43 dhcp6c 8607 failed initialize control message authentication
    Sep 1 10:37:43 dhcp6c 8607 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Sep 1 10:37:43 dhcp6c 8607 extracted an existing DUID from /var/db/dhcp6c_duid: BLAH BLAH



  • I assume you have a firewall rule to pass the ipv6 traffic on your LAN interface?





  • Netgate

    Yeah something is not right. Post your WAN interface configuration page.

    My last renewal for reference. Note the IA_PD being assigned.

    Sep 1 03:55:10 	dhcp6c 	44071 	IA timeout for PD-0, state=ACTIVE
    Sep 1 03:55:10 	dhcp6c 	44071 	reset a timer on igb0, state=RENEW, timeo=0, retrans=10220
    Sep 1 03:55:10 	dhcp6c 	44071 	Sending Renew
    Sep 1 03:55:10 	dhcp6c 	44071 	a new XID (a5356f) is generated
    Sep 1 03:55:10 	dhcp6c 	44071 	set client ID (len 14)
    Sep 1 03:55:10 	dhcp6c 	44071 	set server ID (len 14)
    Sep 1 03:55:10 	dhcp6c 	44071 	set elapsed time (len 2)
    Sep 1 03:55:10 	dhcp6c 	44071 	set option request (len 4)
    Sep 1 03:55:10 	dhcp6c 	44071 	set IA_PD prefix
    Sep 1 03:55:10 	dhcp6c 	44071 	set IA_PD
    Sep 1 03:55:10 	dhcp6c 	44071 	send renew to ff02::1:2%igb0
    Sep 1 03:55:10 	dhcp6c 	44071 	receive reply from fe80::2e86:d2ff:fe89:2019%igb0 on igb0
    Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option client ID, len 14
    Sep 1 03:55:10 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:00:08:a2:0a:59:41
    Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option server ID, len 14
    Sep 1 03:55:10 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:f8:bc:12:3e:b6:9c
    Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option DNS, len 32
    Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option IA_PD, len 47
    Sep 1 03:55:10 	dhcp6c 	44071 	IA_PD: ID=0, T1=43200, T2=69120
    Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option status code, len 2
    Sep 1 03:55:10 	dhcp6c 	44071 	status code: success
    Sep 1 03:55:10 	dhcp6c 	44071 	get DHCP option IA_PD prefix, len 25
    Sep 1 03:55:10 	dhcp6c 	44071 	IA_PD prefix: 2600:dabb:ad00:bc00::/56 pltime=86400 vltime=86400
    Sep 1 03:55:10 	dhcp6c 	44071 	dhcp6c Received INFO
    Sep 1 03:55:10 	dhcp6c 	44071 	nameserver[0] 2001:578:3f::30
    Sep 1 03:55:10 	dhcp6c 	44071 	nameserver[1] 2001:578:3f:1::30
    Sep 1 03:55:10 	dhcp6c 	44071 	update an IA: PD-0
    Sep 1 03:55:10 	dhcp6c 	44071 	status code for PD-0: success
    Sep 1 03:55:10 	dhcp6c 	44071 	update a prefix 2600:dabb:ad00:bc00::/56 pltime=34359824768, vltime=34359824768
    Sep 1 03:55:10 	dhcp6c 	44071 	executes /var/etc/dhcp6c_wan_script.sh
    Sep 1 03:55:10 	dhcp6c 		dhcp6c renew, no change - bypassing update on igb0
    Sep 1 03:55:10 	dhcp6c 	44071 	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Sep 1 03:55:10 	dhcp6c 	44071 	removing an event on igb0, state=RENEW
    Sep 1 03:55:10 	dhcp6c 	44071 	got an expected reply, sleeping.
    Sep 1 03:55:16 	dhcp6c 	44071 	IA timeout for NA-0, state=ACTIVE
    Sep 1 03:55:16 	dhcp6c 	44071 	reset a timer on igb0, state=RENEW, timeo=0, retrans=9710
    Sep 1 03:55:16 	dhcp6c 	44071 	Sending Renew
    Sep 1 03:55:16 	dhcp6c 	44071 	a new XID (93002a) is generated
    Sep 1 03:55:16 	dhcp6c 	44071 	set client ID (len 14)
    Sep 1 03:55:16 	dhcp6c 	44071 	set server ID (len 14)
    Sep 1 03:55:16 	dhcp6c 	44071 	set IA address
    Sep 1 03:55:16 	dhcp6c 	44071 	set identity association
    Sep 1 03:55:16 	dhcp6c 	44071 	set elapsed time (len 2)
    Sep 1 03:55:16 	dhcp6c 	44071 	set option request (len 4)
    Sep 1 03:55:16 	dhcp6c 	44071 	send renew to ff02::1:2%igb0
    Sep 1 03:55:17 	dhcp6c 	44071 	receive reply from fe80::2e86:d2ff:fe89:2019%igb0 on igb0
    Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option client ID, len 14
    Sep 1 03:55:17 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:00:08:a2:0a:59:41
    Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option server ID, len 14
    Sep 1 03:55:17 	dhcp6c 	44071 	DUID: 00:01:00:xx:xx:xx:xx:xx:f8:bc:12:3e:b6:9c
    Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option DNS, len 32
    Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option identity association, len 46
    Sep 1 03:55:17 	dhcp6c 	44071 	IA_NA: ID=0, T1=43200, T2=69120
    Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option status code, len 2
    Sep 1 03:55:17 	dhcp6c 	44071 	status code: success
    Sep 1 03:55:17 	dhcp6c 	44071 	get DHCP option IA address, len 24
    Sep 1 03:55:17 	dhcp6c 	44071 	IA_NA address: 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400 vltime=86400
    Sep 1 03:55:17 	dhcp6c 	44071 	dhcp6c Received INFO
    Sep 1 03:55:17 	dhcp6c 	44071 	nameserver[0] 2001:578:3f::30
    Sep 1 03:55:17 	dhcp6c 	44071 	nameserver[1] 2001:578:3f:1::30
    Sep 1 03:55:17 	dhcp6c 	44071 	update an IA: NA-0
    Sep 1 03:55:17 	dhcp6c 	44071 	status code for NA-0: success
    Sep 1 03:55:17 	dhcp6c 	44071 	update an address 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400, vltime=140733193474432
    Sep 1 03:55:17 	dhcp6c 	44071 	add an address 2600:abba:daba:1c00:f482:dfe0:8871:7c09/128 on igb0
    Sep 1 03:55:17 	dhcp6c 	44071 	executes /var/etc/dhcp6c_wan_script.sh
    Sep 1 03:55:17 	dhcp6c 		dhcp6c renew, no change - bypassing update on igb0
    Sep 1 03:55:17 	dhcp6c 	44071 	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Sep 1 03:55:17 	dhcp6c 	44071 	removing an event on igb0, state=RENEW
    Sep 1 03:55:17 	dhcp6c 	44071 	got an expected reply, sleeping. 
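
The two dhcp6c debug logs above differ in exactly the lines Derelict says to search for. As an added example (not code from pfSense or from any poster), this Python sketch classifies a log excerpt by whether an IA_PD prefix was received; the function names and result labels are assumptions, and the sample lines are taken from the two logs in the thread with whitespace normalised.

```python
import ipaddress
import re

# Patterns for the dhcp6c debug lines quoted in the thread.
PD_RE = re.compile(r"IA_PD prefix: (\S+) pltime=(\d+) vltime=(\d+)")
NA_RE = re.compile(r"IA_NA address: (\S+) pltime=(\d+) vltime=(\d+)")
CONFIG_ERROR_MARKERS = ("failed to parse configuration file", "is not defined")

# Lines from the log posted by the original poster (client config rejected).
FAILING_LOG = """\
Sep 1 10:37:43 dhcp6c 8607 failed to parse configuration file
Sep 1 10:37:43 dhcp6c 8607 /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
Sep 1 10:37:43 dhcp6c 8607 <3>[ia-pd] (5)
Sep 1 10:37:43 dhcp6c 8607 extracted an existing DUID from /var/db/dhcp6c_duid: BLAH BLAH
""".splitlines()

# Lines from the reference renewal log (prefix delegated, address assigned).
WORKING_LOG = """\
Sep 1 03:55:10 dhcp6c 44071 set IA_PD prefix
Sep 1 03:55:10 dhcp6c 44071 get DHCP option IA_PD, len 47
Sep 1 03:55:10 dhcp6c 44071 IA_PD: ID=0, T1=43200, T2=69120
Sep 1 03:55:10 dhcp6c 44071 status code: success
Sep 1 03:55:10 dhcp6c 44071 IA_PD prefix: 2600:dabb:ad00:bc00::/56 pltime=86400 vltime=86400
Sep 1 03:55:17 dhcp6c 44071 IA_NA: ID=0, T1=43200, T2=69120
Sep 1 03:55:17 dhcp6c 44071 IA_NA address: 2600:abba:daba:1c00:f482:dfe0:8871:7c09 pltime=86400 vltime=86400
""".splitlines()


def summarize(lines):
    """Collect config errors, delegated prefixes and assigned addresses."""
    found = {"config_errors": [], "prefixes": [], "addresses": []}
    for line in lines:
        if "dhcp6c" not in line:
            continue  # not a dhcp6c log line
        if any(marker in line for marker in CONFIG_ERROR_MARKERS):
            found["config_errors"].append(line.strip())
        match = PD_RE.search(line)
        if match:
            prefix = ipaddress.IPv6Network(match.group(1))
            if prefix not in found["prefixes"]:
                found["prefixes"].append(prefix)
        match = NA_RE.search(line)
        if match:
            address = ipaddress.IPv6Address(match.group(1))
            if address not in found["addresses"]:
                found["addresses"].append(address)
    return found


def diagnose(lines):
    """Label an excerpt: config-error, delegated, address-only or no-lease."""
    found = summarize(lines)
    if found["config_errors"]:
        return "config-error"   # client never got as far as requesting a PD
    if found["prefixes"]:
        return "delegated"      # there is a prefix to route to the inside
    if found["addresses"]:
        return "address-only"   # WAN address works, nothing to hand downstream
    return "no-lease"


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, diagnose(log), summarize(log)["prefixes"])
```
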
    

  • Netgate

    @johnnybinator

    @johnnybinator said in Cannot route IPv6 - Frustrated:

    @johnpoz
    I'm obviously new to this stuff

    What I was showing was that I can ping6 2600:: from my router. If that works, there's a route set. Right?

    For the interface address/network, yes. But the /56 you need to route to the inside router is a completely different thing.



  • @johnnybinator said in Cannot route IPv6 - Frustrated:

    @isaacfl

    On your ipv6 pass rule, you might want to change source from LAN net to any for testing.

    If you are going to actually be implementing the routing on your Cisco you will need to allow your entire /56 as a source. Remember we aren't doing NAT with ipv6.

    What I would do is create a firewall alias, LOCAL_SUBNETS_v6 with your ipv6 prefix /56.

    Then in your firewall rule, use LOCAL_SUBNETS_v6 as the source.



  • @isaacfl said in Cannot route IPv6 - Frustrated:

    LOCAL_SUBNETS_v6

    HILARIOUS! That was it! The rule change fixed it. I used LAN NET because it was set up that way for the IPv4 rule.

    Thanks for walking through this mess with me. I learned a lot.
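
The rule change that closed the thread can be reproduced offline. As an added example (not pfSense code and not from any poster), the Python below models only the source match of a pass rule on the LAN interface and compares "LAN net", "any" and a LOCAL_SUBNETS_v6 alias holding the whole /56. The prefix 2001:db8:12:c000::/56 is a constructed stand-in for the redacted one, and the host addresses other than ::253 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed documentation prefix standing in for the redacted
# xxxx:xxxx:xx:c000::/56 from the thread.
DELEGATED = ipaddress.IPv6Network("2001:db8:12:c000::/56")


def subnet(prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for an 8-bit prefix ID (0x00-0xff) inside the /56."""
    if not 0 <= prefix_id <= 0xFF:
        raise ValueError("a /56 only has prefix IDs 0x00-0xff")
    base = int(DELEGATED.network_address)
    return ipaddress.IPv6Network((base + (prefix_id << 64), 64))


LAN_NET = subnet(0xFF)  # pfSense igb1 <-> Cisco Gi0/24, ...:c0ff::/64
VLAN6 = subnet(0x01)    # routed behind the Cisco, ...:c001::/64


@dataclass(frozen=True)
class PassRule:
    description: str
    sources: tuple  # IPv6Network objects the rule accepts as source


def evaluate(rules, src: str) -> str:
    """First matching pass rule wins; anything unmatched is blocked.

    Only the source field is modelled here; destination, protocol and
    state tracking are left out on purpose.
    """
    addr = ipaddress.IPv6Address(src)
    for rule in rules:
        if any(addr in net for net in rule.sources):
            return "pass"
    return "block"


RULES_LAN_NET = [PassRule("source: LAN net", (LAN_NET,))]
RULES_ANY = [PassRule("source: any", (ipaddress.IPv6Network("::/0"),))]
RULES_ALIAS = [PassRule("source: LOCAL_SUBNETS_v6", (DELEGATED,))]

# Constructed test sources arriving on the pfSense LAN interface.
SOURCES = {
    "Cisco routed port": "2001:db8:12:c0ff::253",
    "host on Vlan6": "2001:db8:12:c001::10",
    "outside the /56": "2001:db8:99::1",
}


def report():
    """Return {ruleset: {source label: verdict}} for the three rule sets."""
    rulesets = {"LAN net": RULES_LAN_NET, "any": RULES_ANY,
                "LOCAL_SUBNETS_v6": RULES_ALIAS}
    return {name: {label: evaluate(rules, src)
                   for label, src in SOURCES.items()}
            for name, rules in rulesets.items()}


if __name__ == "__main__":
    for name, verdicts in report().items():
        print(f"{name:17} {verdicts}")
```

With no NAT in the path, packets from the routed VLANs reach pfSense with their own source addresses, so "LAN net" never matches them; the /56 alias passes them while still dropping sources outside the delegated prefix, which "any" would let through.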