Can ping IPv6 from LAN but not from firewall itself

deed02392 · Dec 3, 2018, 10:46 AM

Hi all,

I have set up IPv6 successfully in that I can access IPv6 internet from my LAN completely fine. However I noticed I couldn't resolve names using IPv6 only DNS servers.

Upon investigation, I noticed I can't actually ping6 anything from the firewall to the internet.

Things I've tried:

Manually set default gateway for IPv6
Valid DHCP6 address on both WAN (non-fe80 address) and LAN (gets a delegated /64) interfaces
Only built-in deny rules on WAN and NAT created rules (but these are incoming anyway obviously)

I can't find any configuration options that would prevent IPv6 access from the firewall, and obviously it's weird that I can access the v6 internet fine from the LAN.

Anyone have any ideas what it could be?

johnpoz · Dec 3, 2018, 1:40 PM

How exactly are you testing this?


[2.4.4-RELEASE][root@sg4860.local.lan]/root: ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:470:<snipped>::2 --> 2607:f8b0:4002:c09::66
16 bytes from 2607:f8b0:4002:c09::66, icmp_seq=0 hlim=48 time=56.963 ms
16 bytes from 2607:f8b0:4002:c09::66, icmp_seq=1 hlim=48 time=47.911 ms

deed02392 · Dec 3, 2018, 1:40 PM

@johnpoz exactly like this, with a shell on the box

johnpoz · Dec 3, 2018, 1:47 PM

And what does it show you? What if you do a traceroute to the ipv6 address.

Are you not resolving the ipv6 address, what is it using for the source.. Did you try setting the source in your ping command?

[2.4.4-RELEASE][root@sg4860.local.lan]/root: ping6 -H
usage: ping6 [-DdfHmnNoqrRtvwW] [-a addrtype] [-b bufsiz] [-c count] [-g gateway]
             [-h hoplimit] [-I interface] [-i wait] [-l preload] [-P policy]
             [-p pattern] [-S sourceaddr] [-s packetsize] [-x waittime]
             [-X timeout] [hops ...] host

lets see the ifconfig from your wan showing your IPv6 info..

deed02392 · Dec 3, 2018, 7:05 PM

100% packet loss. Asterisks of doom.

I couldn't post the output here due to a spam alert...

https://pastebin.com/4RuqgCEH

johnpoz · Dec 3, 2018, 7:08 PM

prefixlen 128

Problem!

deed02392 · Dec 3, 2018, 9:07 PM

Really? I was talking to a guy yesterday and he had connectivity just fine with a prefixlen of 128. So why is it an issue?

johnpoz · Dec 3, 2018, 9:25 PM

Your gateway is outside your prefix - do you have a tunnel? /128 is the same as /32 in ipv4.. Its like a loopback address.. So yeah that is more than likely your problem.

Whats your route show you for your default?

deed02392 · Dec 3, 2018, 9:55 PM

Hmm OK. It was the same case for somebody else I was troubleshooting with yesterday, although their /128 for their WAN was even more different from their delegated subnet than mine is.

Having said that I cannot tr6 to my gateway...

My gateway is:

Destination                       Gateway                       Flags     Netif Expire
default                           fe80::d694:e8ff:fe1e:2b6b%vmx0 UG        vmx0

$ traceroute6 to fe80::d694:e8ff:fe1e:2b6b (fe80::d694:e8ff:fe1e:2b6b) from fe80::20c:29ff:fee2:ebe8%vmx0, 64 hops max, 20 byte packets
sendto: No route to host

JKnott · Dec 4, 2018, 1:50 AM

@deed02392 said in Can ping IPv6 from LAN but not from firewall itself:

Really? I was talking to a guy yesterday and he had connectivity just fine with a prefixlen of 128. So why is it an issue?

On IPv6, routing is normally done via link local addresses. A public address is not needed on the WAN interface, though may be used for testing etc.. A /128 prefix designates an interface only, which may be used internally for determining the interface to use for routing.

johnpoz · Dec 4, 2018, 1:58 AM

If your isp is handing you a /128 its for their internal use and not meant to be used for connectivity, etc..

What I can tell you /128 is not really valid and its same /32 in ipv4 world --- used for loopback interfaces, etc.. You can not route to them - they are good for firewall rules and access via the same layer 2, etc. etc..

That you would think you could route traffic off of it is -- contact your ISP to why they assign you a /128 if its suppose to be a global address..

deed02392 · Dec 4, 2018, 10:05 AM

I understand the concept of bitmasking on addresses. I just assumed that I would be able to route via the loopback address (presumably belonging to my ISPs switch) given out by DHCP, from this /128 I was also given.

One solution I can think of would be to give my firewall an address from the delegated /64, but how do I do this? My LAN network is tracking the WAN interface and that is where it seemingly magically gets its delegated /64. If that works, why doesn't my firewall get a working address?

johnpoz · Dec 4, 2018, 11:16 AM

You need to talk to your ISP..

deed02392 · Dec 4, 2018, 12:01 PM

What should I ask them? Because I have a feeling they are just going to tell me to contact the vendor of my third-party router. And that's what I'm here doing already.

JKnott · Dec 4, 2018, 12:08 PM

FWIW, I have a /128 WAN address and can ping from the firewall. Packet capture shows the ping coming from that /128 address.

deed02392 · Dec 4, 2018, 4:34 PM

Right, so the simple fact my WAN has a /128 address isn't necessarily a problem. In which case it's hard to appreciate that there is a problem with my ISP that cannot be fixed with pfSense configuration. That's why I am here!

deed02392 · Dec 4, 2018, 12:41 PM

@johnpoz My ISP told me I have a /56. That's where one of the /64s that my LAN has came from.

Also, how does it make sense that my LAN can reach IPv6 internet when that connection would presumably have been routed by the firewall's configured gateway too?

JKnott · Dec 4, 2018, 4:34 PM

@deed02392 said in Can ping IPv6 from LAN but not from firewall itself:

Right, so the simple fact my WAN has a /128 address isn't necessarily a problem. In which case it's hard to appreciate that there is a problem with my ISP that cannot be fixed with pfSense configuration. That's why I am here!

Try using Packet Capture to examine the outgoing pings and any result. I trust you're aware you have to use ping6 with pfSense, whereas with some Linux distros and Windows, the same ping command works for both IPv4 and IPv6.

deed02392 · Dec 4, 2018, 8:38 PM

I ran ping6 with packet capture. In the resultant capture I see ICMPv6 requests going back and forth between what looks like the gateway and me... but it does not show the failing ping6 requests to google.com that I shared above.

https://i.imgur.com/dIX2URS.png

In the process of trying different configuration options I seem to have broken IPv6 entirely, so I guess I'm done experimenting for now.

I guess there's no such thing as a simple setup of an IPv6 WAN. I thought I had it at enable DHCP6, set LAN to track WAN and then enable a DHCP6 server on LAN.

yellowbrick · Dec 4, 2018, 8:48 PM

FWIW...
I am also with Hyperoptic (2a01:4b00::/32) and am seeing the exact same problem.
https://forum.netgate.com/topic/135917/ipv6-setup-with-hyperoptic-uk-isp

My setup is the same as yours:
-get a /56 PD
-get a /128 WAN address
-Link local IPv6 gateway
-cannot ping6 from pfSense box
-can ping out from LAN OK