Can ping IPv6 from LAN but not from firewall itself

deed02392 · Dec 4, 2018, 12:01 PM

What should I ask them? Because I have a feeling they are just going to tell me to contact the vendor of my third-party router. And that's what I'm here doing already.

JKnott · Dec 4, 2018, 12:08 PM

FWIW, I have a /128 WAN address and can ping from the firewall. Packet capture shows the ping coming from that /128 address.

deed02392 · Dec 4, 2018, 4:34 PM

Right, so the simple fact my WAN has a /128 address isn't necessarily a problem. In which case it's hard to appreciate that there is a problem with my ISP that cannot be fixed with pfSense configuration. That's why I am here!

deed02392 · Dec 4, 2018, 12:41 PM

@johnpoz My ISP told me I have a /56. That's where one of the /64s that my LAN has came from.

Also, how does it make sense that my LAN can reach IPv6 internet when that connection would presumably have been routed by the firewall's configured gateway too?

JKnott · Dec 4, 2018, 4:34 PM

@deed02392 said in Can ping IPv6 from LAN but not from firewall itself:

Right, so the simple fact my WAN has a /128 address isn't necessarily a problem. In which case it's hard to appreciate that there is a problem with my ISP that cannot be fixed with pfSense configuration. That's why I am here!

Try using Packet Capture to examine the outgoing pings and any result. I trust you're aware you have to use ping6 with pfSense, whereas with some Linux distros and Windows, the same ping command works for both IPv4 and IPv6.

deed02392 · Dec 4, 2018, 8:38 PM

I ran ping6 with packet capture. In the resultant capture I see ICMPv6 requests going back and forth between what looks like the gateway and me... but it does not show the failing ping6 requests to google.com that I shared above.

https://i.imgur.com/dIX2URS.png

In the process of trying different configuration options I seem to have broken IPv6 entirely, so I guess I'm done experimenting for now.

I guess there's no such thing as a simple setup of an IPv6 WAN. I thought I had it at enable DHCP6, set LAN to track WAN and then enable a DHCP6 server on LAN.

yellowbrick · Dec 4, 2018, 8:48 PM

FWIW...
I am also with Hyperoptic (2a01:4b00::/32) and am seeing the exact same problem.
https://forum.netgate.com/topic/135917/ipv6-setup-with-hyperoptic-uk-isp

My setup is the same as yours:
-get a /56 PD
-get a /128 WAN address
-Link local IPv6 gateway
-cannot ping6 from pfSense box
-can ping out from LAN OK

yellowbrick · Dec 4, 2018, 8:50 PM

@deed02392 Did you need to clone the MAC address to even get IPv6 to work? I had to clone the MAC of the ZTE Hyperoptic router to get IPv6 to work at all.

deed02392 · Dec 4, 2018, 9:19 PM

Hey yellowbrick, glad I'm not alone here! No I did not need to clone the MAC address. It 'just worked'. But I wasn't satisfied with not being able to use pfSense as a caching IPv6 DNS server and unfortunately in the process of trying to fix things I now no longer get any IPv6 addresses.

yellowbrick · Dec 4, 2018, 9:27 PM

@deed02392 Well, try cloning the MAC on the WAN...

deed02392 · Dec 4, 2018, 9:41 PM

I got an e-mail from Hyperoptic today saying that apparently IPv6 is disabled pending a firmware update they are currently working on... not sure if was just being fobbed off but that was enough discouragement to make me leave playing for a few days. I will try again then. I wonder if this is a firewall issue really but I tried a bunch of frankly scary things there too and nothing helped.