Cannot Ping pfSense ULA From Subnet Without ULA Assigned to Firewall

  • I'm seeing some unexpected behavior that I wanted to run by the pfSense community before filing a bug report. I have a pfSense gateway with roughly 10 VLANs. On some of these VLANs, the firewall is set to track the WAN IPv6 interface and hand out GUAs. On other VLANs, I've assigned the firewall a ULA and distribute the ULA prefix via RAs or static assignments.

    During a recent attempt to assign all of my VLANs the same DNS server IP (fd53::1), I discovered that not all of my subnets could reach the ULA address, despite simplifying my firewall rules (for testing purposes) to allow all traffic between subnets. Can anyone confirm that they're seeing the same behavior (or not) before I file a bug report? Here are some additional details:

    • I've assigned pfSense a ULA (fd53::1) on a VLAN interface (VLAN 53). My other VLANs all have their own interfaces and corresponding subnets, with various addressing schemes.

    • If the source subnet has a ULA address set on the firewall interface for that VLAN (for instance, fd00:172:28:203::1), then devices in that subnet can ping the firewall's ULA addresses from a different subnet.

    • If the firewall is set to track the WAN interface on a subnet (and thus doesn't have a ULA assigned on its subnet-facing interface), then devices in that subnet cannot ping any of the firewall's ULAs in different subnets.

    • Devices in different subnets can ping each other's ULAs OK.

    • Devices in different subnets can ping GUAs on the firewall OK. For instance, using the same source and destination subnets, I can ping the firewall if I assign it an address of 53::1. If I change the firewall address to fd53::1, pings no longer succeed.

    • Pings run directly on the firewall itself (using the diagnostic menu) work OK between subnets regardless of ULA assignment.

    To me, this suggests an issue with the firewall's routing between ULA and non-ULA interfaces, but I wanted to get some feedback before pursuing this further. I'm aware that there is already a bug report for ULAs assigned as VIPs - this isn't related because I'm not using VIPs here.

  • LAYER 8 Global Moderator

    And what specific rules do you have on these interfaces?

    Let's call them Lan1 and Lan2.

    So what are your rules? If source is set as Lan1 net for your rule, then that will be the prefix that is set on the interface. If you have a GUA on it then Lan1 net would be that prefix. If you have a ULA then that would be the LAN net.

    So lets be clear on what rules you have in place on your different interfaces.

    You said you simplified the rules - so what are these exactly?

    Happy to try and duplicate. I have some VLANs that are GUA, and others that have no IPv6, so it should be easy to just assign a ULA on one of these. And then you're saying devices in the GUA prefix can not talk to the ULA pfSense IP interface?

    edit: Trying to duplicate..

    So I have my LAN, which has a GUA on it from HE, part of my /48.
    I then, on my DTV VLAN which had no IPv6 on it at all, put

    fd53::1/64 per your example

    Now from the HE LAN VLAN I can ping the pfSense ULA VLAN interface:
    C:\>ping fd53::1

    Pinging fd53::1 with 32 bytes of data:
    Reply from fd53::1: time<1ms
    Reply from fd53::1: time<1ms
    Reply from fd53::1: time<1ms

    From this:

    If the firewall is set to track the WAN interface on a subnet (and thus, doesn't have a ULA assigned on its subnet-facing interface), then devices in that subnet cannot ping any of the firewall's ULA's in different subnets.

    My setup seems to work fine; I have a GUA VLAN and it can ping the ULA VLAN. My ISP does not support IPv6 so I can not easily test a tracked interface... But I don't see how it would be any different than a statically assigned GUA.

    Rules on my LAN, which is the GUA prefix, are just any/any IPv4+IPv6 with source set to LAN net.

  • Hi @johnpoz,

    Appreciate your taking the time to test this out! I'm trying to ping from a GUA to a ULA, which is what you tested, so it sounds like it's working OK for you. It would appear that we have several differences between our setups, though. My main LAN subnet is tracking the WAN IPv6 prefix, and I also advertise a ULA prefix. As you said, not sure why either of those things would make any difference, but I'm trying to narrow down what may be causing the behavior I'm seeing. Would you mind posting screenshots of your interface configurations? I'm including the same for my interfaces below, as well as an image of my firewall config. It's set to Allow All IPv4&6 from Any to Any in both VLANs.

    [Screenshots: FirewallRules.png, 2018-12-01 (1).png, 2018-12-01 (3).png]

  • LAYER 8 Global Moderator

    Sure, here is my GUA interface, the one my PC is in (LAN). And here is the VLAN I have running, my DTV interface with the ULA address assigned.

    And then my PC info, which is in the GUA LAN segment from which I ping the ULA. Do you have any rules in floating?



    I noticed you have a /128 prefix - that is WRONG ;)

    That is more than likely your issue.

  • @johnpoz, are you sure that the /128 prefix is wrong? I only have one IP address in that subnet - the firewall - as incoming ping requests should be routed from a different subnet. Nevertheless, I tried changing both subnets to a /64 prefix for testing purposes, but that didn't allow me to ping the firewall.

    I only have one floating rule, and that's just a Match for QoS tagging. Here are some screenshots as a sanity check. Any other ideas as to what might be causing this?
    [Screenshots: 2018-12-03 (2).png, 2018-12-03 (1).png]
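    As an added illustration of two points raised above (it is example code, not from this thread and not pfSense's rule engine): an "Interface net" alias in a pfSense-style rule covers only the prefix of the address actually configured on that interface, so on an interface that tracks WAN for a GUA but merely advertises a ULA prefix via RA, ULA-sourced traffic does not match a "LAN net" source, while an any/any rule passes it; and a /128 on an interface leaves exactly one address in that interface's "net". The interface names, the 2001:db8: GUA prefix and the fd00:172:28:10::/64 advertised ULA prefix are assumptions modelled on the thread.

```python
"""Added example (not pfSense code): derive "<iface> net" aliases from the
addresses configured on each interface and evaluate simplified IPv6 rules
against them.  Interface names and prefixes are constructed assumptions."""
import ipaddress

# Constructed interface table: name -> configured address/prefixlen list.
# "lan" tracks WAN for its GUA and only *advertises* a ULA prefix via RA,
# so (as in the original post) no ULA is configured on the interface itself.
INTERFACES = {
    "lan": ["2001:db8:1:10::1/64"],          # assumed tracked GUA
    "vlan203": ["fd00:172:28:203::1/64"],    # ULA on the firewall interface
    "vlan53": ["fd53::1/64"],                # DNS interface, /64 as advised
    "vlan53_128": ["fd53::1/128"],           # the /128 variant from the thread
}
ADVERTISED_ULA = {"lan": "fd00:172:28:10::/64"}  # RA-only, assumed prefix


def iface_nets(name):
    """Networks the '<name> net' alias covers: only subnets of addresses
    that are actually configured on the interface, not RA-advertised ones."""
    return [ipaddress.ip_interface(a).network for a in INTERFACES[name]]


def matches_iface_net(name, addr):
    """True when addr falls inside one of the interface's configured prefixes."""
    return any(ipaddress.ip_address(addr) in n for n in iface_nets(name))


def net_size(name):
    """Number of addresses inside the interface's configured prefix(es);
    a /128 yields 1, i.e. only the firewall itself is 'in' that net."""
    return sum(n.num_addresses for n in iface_nets(name))


def _spec_match(spec, addr):
    """Match a rule endpoint spec: 'any', '<iface> net', or a CIDR/host."""
    if spec == "any":
        return True
    if spec.endswith(" net"):
        return matches_iface_net(spec[:-4], addr)
    return addr in ipaddress.ip_network(spec, strict=False)


def rule_permits(src, dst, rules):
    """Evaluate an ordered rule list (first match wins, default deny).
    Each rule is (action, src_spec, dst_spec), action 'pass' or 'block'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_spec, dst_spec in rules:
        if _spec_match(src_spec, s) and _spec_match(dst_spec, d):
            return action == "pass"
    return False


if __name__ == "__main__":
    lan_net_rule = [("pass", "lan net", "any")]
    any_any_rule = [("pass", "any", "any")]
    gua_host = "2001:db8:1:10::50"        # host using the tracked GUA prefix
    ula_host = "fd00:172:28:10::50"       # same host, RA-advertised ULA source
    for src in (gua_host, ula_host):
        print(src, "-> fd53::1 via 'LAN net' rule:",
              rule_permits(src, "fd53::1", lan_net_rule),
              "| via any/any:", rule_permits(src, "fd53::1", any_any_rule))
    print("addresses in vlan53 net:", net_size("vlan53"),
          "| in vlan53_128 net:", net_size("vlan53_128"))
```

    The any/any result for the ULA-sourced host is why the original poster's simplified rules rule out alias scoping as the cause; the check is still worth keeping in a troubleshooting kit for the common case where a "LAN net" rule silently excludes RA-only prefixes.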

  • @johnpoz said in Cannot Ping pfSense ULA From Subnet Without ULA Assigned to Firewall:

    I noticed you have a /128 prefix - that is WRONG ;)

    I have a /128 on my WAN interface. Works fine, including pinging. Packet Capture shows the pings coming from that /128 address.

  • LAYER 8 Global Moderator

    Dude, see the other thread you're talking in. I hear you, /128 is a viable address for a tunnel and loopback, but it's not really a global address mask. Talk to your ISP if you have a problem with it, etc.

    Min viable prefix in IPv6 is /64. You're the "IPv6 is better than sliced bread" guy around here. You should know this ;)

  • Either way, I still can't ping the firewall address regardless of the prefix length. 53::1 works fine, fd53::1 doesn't work - and the 53::1 address works whether the prefix is /64 or /128. I've tested from Ubuntu, Windows, and Android, to rule out an OS related issue, but they're all a no-go.

    Is anyone able to test this from an interface IPv6 address set to Track WAN Prefix? That's the only different variable that I can see here. If not, I'll likely spin up a clean pfSense VM to see whether this is occurring on a fresh install. Is it possible that a plugin could be causing this, and if so, is there a consistent way to disable them without complete removal?