Netgate Discussion Forum

    IPv6 unable to access internet on LAN interface

25 Posts 5 Posters 3.6k Views
JKnott @xayumi

      @xayumi said in IPv6 unable to access internet on LAN interface:

      Usually you will assign a private range within your LAN and then do NAT for IPv6 like v4 or?

      No, you don't use NAT on IPv6. The purpose of NAT is to get around the IPv4 address shortage.

      As for your problem, we'd need a lot more info, including packet captures of what's on the WAN and LAN.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

Derelict LAYER 8 Netgate @xayumi

        @xayumi said in IPv6 unable to access internet on LAN interface:

        PING6(56=40+8+8 bytes) 2404:c804:183a:e100::1 --> 2404:6800:4005:800::2003
        16 bytes from 2404:6800:4005:800::2003, icmp_seq=0 hlim=55 time=4.031 ms

        Unable to ping to internet

        PING6(56=40+8+8 bytes) 2404:c804:183a:e100::1:1 --> 2404:6800:4005:800::2003

        Those are sourcing from the same /64. The first thing I would try is setting the IPv6 Prefix ID on LAN to 1.

        You also need to be sure you are passing IPv6 into LAN on the LAN firewall rules.

If that doesn't solve it, be sure this is checked on Interfaces > WAN: Debug: Start DHCP6 client in debug mode.

        Then look at the DHCP logs for information about what exactly is happening between you and the ISP.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

xayumi

Thanks! Derelict, JKnott, I managed to solve the issues.

1. I called up the ISP; they said it is a /64 address but only a single IP, one and only one, is assigned to me (unless I subscribe to another plan for additional $$).
2. Thus I changed to DHCPv6 on WAN.
3. On the LAN side, I use the fc::/7 reserved range and do NAT.

          Now it is working, thanks a lot !!!

          C:\Users\xxxxxxx>tracert -d google.com.hk

          Tracing route to google.com.hk [2404:6800:4005:806::2003]
          over a maximum of 30 hops:

          1 <1 ms <1 ms <1 ms fc::1
          2 16 ms 1 ms 3 ms 2404:c800:8101:418::1
          3 2 ms 3 ms 2 ms 2404:c800:8102:1935::21
          4 3 ms 2 ms 2 ms 2404:c800:8002:1e::1
          5 2 ms 3 ms 4 ms 2400:8800:1f0f:4::1
          6 4 ms 4 ms 4 ms 2001:4860:1:1::1ed
          7 2 ms 4 ms 2 ms 2001:4860:1:1::1ec
          8 10 ms 4 ms 4 ms 2001:4860:0:e07::1
          9 3 ms 13 ms 4 ms 2001:4860:0:1::1ec7
          10 3 ms 4 ms 2 ms 2404:6800:4005:806::2003

          Trace complete.

          C:\Users\xxxxxxx>ping -6 google.com.hk

          Pinging google.com.hk [2404:6800:4005:806::2003] with 32 bytes of data:
          Reply from 2404:6800:4005:806::2003: time=2ms
          Reply from 2404:6800:4005:806::2003: time=3ms
          Reply from 2404:6800:4005:806::2003: time=12ms
          Reply from 2404:6800:4005:806::2003: time=6ms

          Ping statistics for 2404:6800:4005:806::2003:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
          Approximate round trip times in milli-seconds:
          Minimum = 2ms, Maximum = 12ms, Average = 5ms

Derelict LAYER 8 Netgate

            That is really sad.

Gertjan @xayumi

              @xayumi said in IPv6 unable to access internet on LAN interface:

I called up the ISP; they said it is a /64 address but only a single IP, one and only one, is assigned to me (unless I subscribe to another plan for additional $$).

              Visit https://ipv6.he.net/
              They supply you all you need, and more.
              Free of charge.
              Rock solid.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

xayumi

                Yes it works now, but any ideas for how to enable Privacy Extensions (RFC 4941) for SLAAC/DHCPv6 on WAN?

Since I am using a virtual router, I don't want to expose my MAC address or MAC vendor, thanks!

Gertjan

I'm trying to stay away from SLAAC.
I received a routable /64 from he.net, set up DHCP6 on my LANs, and stopped looking at it.

Derelict LAYER 8 Netgate @xayumi

                    @xayumi Not really.

                    IPv6 in pfSense is designed to be used properly.

What you (or actually, your ISP) are doing is pretty much nonsense.

JKnott @xayumi

                      @xayumi said in IPv6 unable to access internet on LAN interface:

I called up the ISP; they said it is a /64 address but only a single IP, one and only one, is assigned to me (unless I subscribe to another plan for additional $$).

                      They only give you 1 IPv6 address???? I get a /64 on my cell phone and a /56 at home. Unbelievable!!!

                      Yes it works now, but any ideas for how to enable Privacy Extensions (RFC 4941) for SLAAC/DHCPv6 on WAN?

You can't do it with only 1 address. With privacy extensions, you'll wind up with 8 addresses after a week.

xayumi @JKnott

                        @gertjan said in IPv6 unable to access internet on LAN interface:

I received a routable /64 from he.net, set up DHCP6 on my LANs, and stopped looking at it.

That's nice; do you need to run any routing protocol on your WAN, or do you just enable WAN with DHCPv6?

                        Thanks !!

xayumi @JKnott

                          @jknott said in IPv6 unable to access internet on LAN interface:

                          @xayumi said in IPv6 unable to access internet on LAN interface:

I called up the ISP; they said it is a /64 address but only a single IP, one and only one, is assigned to me (unless I subscribe to another plan for additional $$).

                          They only give you 1 IPv6 address???? I get a /64 on my cell phone and a /56 at home. Unbelievable!!!

                          Yes it works now, but any ideas for how to enable Privacy Extensions (RFC 4941) for SLAAC/DHCPv6 on WAN?

You can't do it with only 1 address. With privacy extensions, you'll wind up with 8 addresses after a week.

Hi JKnott, yes they give me a /64 for my home, and I was unable to create a subnet or whatever within my LAN; currently I am using IPv6 NAT like v4 does on my pfSense... @@!!

Oh, got ya... maybe I will try to generate a random MAC address on my VM's WAN to hide this info then, if it's not possible to do a quick setting in pfSense :)

Derelict LAYER 8 Netgate

                            If they are assigning a /64 to your WAN you cannot use it on LAN.

                            If they are assigning an IPv6 address on WAN and ROUTING a /64 to that you can use that /64 on LAN.

                            This is not a pfSense problem. It is an ISP problem.
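
The two checks Derelict describes in this post and in his first reply (whether the WAN and LAN addresses are sourced from the same /64, and whether a prefix delegated to the WAN leaves room for a LAN /64 selected by a Prefix ID) as a small Python script. This is an added example, not code from the thread or from pfSense. The two addresses are the ping sources quoted earlier in the thread; the delegation 2001:db8:abcd:ff00::/56 is constructed, and the Prefix ID arithmetic (the ID fills the bits between the delegated prefix length and /64) is an assumption about how a tracking LAN picks its /64. The classifier at the end also separates link-local (fe80::/10), ULA (fc00::/7) and global addresses.

```python
import ipaddress


def same_64(addr_a: str, addr_b: str) -> bool:
    """True when both addresses fall in the same /64, i.e. they are on-link
    peers rather than two networks a router could forward between."""
    net_a = ipaddress.ip_interface(f"{addr_a}/64").network
    net_b = ipaddress.ip_interface(f"{addr_b}/64").network
    return net_a == net_b


def lan_prefix_from_delegation(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Carve the /64 selected by prefix_id out of a delegated prefix.

    Assumption: the Prefix ID fills the bits between the delegated prefix
    length and /64, so a /56 delegation has IDs 0x00..0xff and a /48 has
    0x0000..0xffff. A /64 delegation holds exactly one /64 (ID 0); there is
    nothing left to split, which is why a WAN /64 cannot also number the LAN."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > 64:
        raise ValueError(f"/{pd.prefixlen} is longer than a /64; it cannot number a LAN")
    max_id = 2 ** (64 - pd.prefixlen) - 1
    if not 0 <= prefix_id <= max_id:
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range for a /{pd.prefixlen} (max {max_id:#x})"
        )
    # Shift the ID into the low bits of the upper 64 bits, leaving the host part zero.
    return ipaddress.IPv6Network((int(pd.network_address) | (prefix_id << 64), 64))


def classify(addr: str) -> str:
    """Rough scope of an IPv6 address: link-local, ULA, global or other.
    Note that 'fc::1' parses as 00fc::1, which is NOT inside fc00::/7."""
    a = ipaddress.IPv6Address(addr)
    if a.is_link_local:
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "ula"
    if a.is_global:
        return "global"
    return "other"


if __name__ == "__main__":
    WAN = "2404:c804:183a:e100::1"      # from the ping output in the thread
    LAN = "2404:c804:183a:e100::1:1"    # from the ping output in the thread
    print("LAN numbered out of the WAN /64:", same_64(WAN, LAN))
    print("Prefix ID 1 of a /56:", lan_prefix_from_delegation("2001:db8:abcd:ff00::/56", 1))
    try:
        lan_prefix_from_delegation("2404:c804:183a:e100::/64", 1)
    except ValueError as err:
        print("Prefix ID 1 of a /64:", err)
    for addr in ("fe80::1", "fd00:0:1::1", "fc::1", WAN):
        print(addr, "->", classify(addr))
```

Running it on the thread's two addresses reports that they share a /64, which is the situation Derelict flags; feeding the WAN /64 itself as the delegation with Prefix ID 1 raises, because a /64 has no subnet bits to spend.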

xayumi @Derelict

                              @derelict

Hi, yes, I understand; they just assigned me an IPv6 address marked /64 on my WAN, instead of an IPv6 address and a /64 subnet.

I am new to IPv6 and really spent some hours figuring it out!
Thanks for your help! NAT for IPv6 is currently a solution for me :)

JKnott @xayumi

                                @xayumi said in IPv6 unable to access internet on LAN interface:

                                @derelict

Hi, yes, I understand; they just assigned me an IPv6 address marked /64 on my WAN, instead of an IPv6 address and a /64 subnet.

I am new to IPv6 and really spent some hours figuring it out!
Thanks for your help! NAT for IPv6 is currently a solution for me :)

                                One thing a lot of people have to figure out is the WAN address is not used for routing. It's a /128, which means it's to identify an interface only. It cannot be used to communicate with another device, without going through a router (pfSense). On IPv6, link local addresses are normally used for routing. Link local addresses start with fe80.

xayumi

                                  @JKnott yes, JKnott, thanks a lot !!!

                                  @Derelict
                                  Thanks for your tips !!!
Also, recently I enabled OpenVPN with IPv6 (another subnet) fc01::1/64 and found that the computers on fc::1/64 on the LAN side are now unable to route through pfSense but are fine via VPN, which is quite strange; both subnets are in the NAT rules and the policy has IPv6 enabled.

Attached is the configuration which I changed on the VPN side. I looked through the log but have no idea yet why the LAN suddenly cannot get through on IPv6 after enabling IPv6 on the VPN.

                                  Below is my configuration for OpenVPN for IPv6.

                                  OpenVPN Setting
                                  openvpn setting.png

                                  Network Policy
                                  policy.png

                                  NAT
                                  nat.png

Ended up with routing issues on LAN IPv6: with OpenVPN clients I am able to run both IPv4 and v6 internet access, but the LAN side is not working after enabling the OpenVPN IPv6 setting.

                                  routing issues 1.png

Derelict LAYER 8 Netgate

                                    Glad it's working.

                                    Note: Even though the ULA space is assigned as fc00::/7, only fd00::/8 should be used. And specifically in /48 prefixes.

                                    https://en.wikipedia.org/wiki/Unique_local_address#Definition

xayumi @Derelict

                                      @Derelict
Great, let me try re-addressing those and see :)

JKnott @Derelict

                                        @Derelict said in IPv6 unable to access internet on LAN interface:

                                        Glad it's working.

                                        Note: Even though the ULA space is assigned as fc00::/7, only fd00::/8 should be used. And specifically in /48 prefixes.

                                        https://en.wikipedia.org/wiki/Unique_local_address#Definition

I thought fd00 was for when you picked your own prefix and fc00 was when you got it from some central server. The idea for the server was to avoid the possibility of a collision, though it would be hard to collide, when you can choose a random number with 32 bits. I created my prefix by using the command "ps aux|md5sum" on a Linux box and taking enough of it to fill out the prefix.

xayumi

@Derelict Thanks! I did the re-addressing,

with OpenVPN as fd00::2:0:0:0:0:1/64
with LAN as fd00:0:1::/48, and DHCPv6 with "allow PD" on fd00:0:1:ffff::/64

Now everything finally works like a charm!! Cheers!!

                                          @JKnott Thanks for your tips too !!

Derelict LAYER 8 Netgate

                                            OK. That is not right either, unfortunately.

                                            You should ALWAYS set an interface network to /64. Always.

You should generate 40 random bits and append them to fd so you have fd(forty-random-bits)::/48 to use at THAT SITE.

                                            There are 65536 /64 networks to use out of that prefix, 256 /56 prefixes.

                                            For instance, generate a random prefix using a site such as this:

                                            https://cd34.com/rfc4193/

                                            Plug in any MAC address from your network (pretty much guaranteed to be globally-unique) and get the result. That is your /48.

                                            I got this:

                                            Your Private IPv6 network is:
                                            fda9:e2c2:07be::/48
                                            
                                            giving you access to the to the following /64s:
                                            fda9:e2c2:07be:0::/64 through fda9:e2c2:07be:ffff::/64
                                            
                                            This page uses the first method suggested by IETF using the current
                                            timestamp plus the mac address, sha1 hashed, and the lower 40 bits to
                                            generate your random ULA. Consequently, if two organizations hit this page
                                            within the same second, with the same mac address to generate a ULA, they
                                            could have identical ULAs.
                                            

                                            So you use address bits 49-63 from 0 to ffff as the subnet identifier to place on interfaces.
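
The ULA generation Derelict describes (40 random bits after fd to form a site /48, then a 16-bit subnet ID to pick one of the 65536 /64s) written out in Python, using the same RFC 4193 method the quoted generator page says it uses: SHA-1 over an NTP-format timestamp concatenated with the EUI-64 of a MAC address, keeping the low 40 bits as the Global ID. This is an added example, not code from the thread, from pfSense or from the cd34.com page; the MAC 00:11:22:33:44:55 is constructed, and the site prefix fda9:e2c2:7be::/48 used to enumerate subnets is the one quoted in the post.

```python
import hashlib
import ipaddress
import time
from typing import Optional, Union

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)


def ntp_timestamp(now: Optional[float] = None) -> bytes:
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    if now is None:
        now = time.time()
    seconds = (int(now) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    fraction = int((now - int(now)) * (1 << 32)) & 0xFFFFFFFF
    return ((seconds << 32) | fraction).to_bytes(8, "big")


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def generate_ula_prefix(mac: str, now: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 section 3.2.2: SHA-1(NTP time || EUI-64), keep the least significant
    40 bits as the Global ID and prepend fd (fc00::/7 with the L bit set) -> one /48."""
    digest = hashlib.sha1(ntp_timestamp(now) + eui64_from_mac(mac)).digest()
    global_id = digest[-5:]                      # low 40 bits of the 160-bit digest
    prefix = b"\xfd" + global_id + bytes(10)     # 8 + 40 prefix bits, then 80 zero bits
    return ipaddress.IPv6Network((prefix, 48))


def subnet_count(prefix: Union[str, ipaddress.IPv6Network], new_prefixlen: int) -> int:
    """How many /new_prefixlen networks a site prefix contains (a /48 has 65536 /64s, 256 /56s)."""
    site = ipaddress.IPv6Network(prefix)
    if new_prefixlen < site.prefixlen:
        raise ValueError("new prefix length must not be shorter than the site prefix")
    return 2 ** (new_prefixlen - site.prefixlen)


def subnet(prefix: Union[str, ipaddress.IPv6Network], subnet_id: int) -> ipaddress.IPv6Network:
    """Pick /64 number subnet_id (0..ffff) out of a /48: the 16 bits between /48 and /64,
    the ones that go on an interface; the interface network itself stays a /64."""
    site = ipaddress.IPv6Network(prefix)
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    ula = generate_ula_prefix("00:11:22:33:44:55")  # constructed MAC, current time
    print("site prefix:", ula)
    print(subnet_count(ula, 64), "/64s,", subnet_count(ula, 56), "/56s")
    print("first /64:", subnet(ula, 0), " last /64:", subnet(ula, 0xFFFF))
```

Because the timestamp goes into the hash, two runs with the same MAC in different seconds yield different Global IDs; the quoted page's caveat about two organisations hitting it in the same second with the same MAC is exactly the case where the hash input repeats.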

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.