IPv6 unable to access internet on LAN interface



  • Hi, I am Calvin from Hong Kong. I have been using your software for quite a few years. Recently my home internet started supporting IPv6, and I have been facing some technical configuration issues with IPv6.

    WAN -
    IPv6 Configuration Type - DHCP6
    Enabled - Request a IPv6 prefix/information through the IPv4 connectivity link
    Enabled - Send an IPv6 prefix hint to indicate the desired prefix size for delegation
    Enabled - Required by some ISPs, especially those not using PPPoE

    LAN
    IPv6 Configuration Type - Track Interface
    Track IPv6 Interface - WAN
    IPv6 Prefix ID - 0

    Current situation:
    WAN - Able to get an IPv6 address from ISP - 2404:c804:183a:e100::1
    LAN - Auto-assigned from track interface
    DHCPv6 RA - Router mode - Unmanaged - [SLAAC]
    Ping to Google via WAN with IPv6 = success

    PING6(56=40+8+8 bytes) 2404:c804:183a:e100::1 --> 2404:6800:4005:800::2003
    16 bytes from 2404:6800:4005:800::2003, icmp_seq=0 hlim=55 time=4.031 ms
    16 bytes from 2404:6800:4005:800::2003, icmp_seq=1 hlim=55 time=3.277 ms
    16 bytes from 2404:6800:4005:800::2003, icmp_seq=2 hlim=55 time=3.468 ms

    --- google.com.hk ping6 statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 3.277/3.592/4.031/0.320 ms

    :: ISSUE ::
    Unable to ping to internet

    PING6(56=40+8+8 bytes) 2404:c804:183a:e100::1:1 --> 2404:6800:4005:800::2003

    --- google.com.hk ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss


  • Rebel Alliance Moderator

    Did you check your LAN interface via "Status/Interfaces"? Does it have a valid IPv6 address?

    Why the second ping from ::1:1? That's not a valid address pfSense should have, and as it doesn't differ from the WAN prefix at first glance, it makes no sense on LAN?



  • Hi JeGr,

    The LAN IP address was assigned by track interface from my WAN.
    Usually you will assign a private range within your LAN and then do NAT for IPv6 like v4 or?

    I tried to call my ISP, but they have no idea what subnet or mask will be assigned to me or whether it can be routable.

    Bests,
    Calvin



  • @xayumi said in IPv6 unable to access internet on LAN interface:

    Usually you will assign a private range within your LAN and then do NAT for IPv6 like v4 or?

    No, you don't use NAT on IPv6. The purpose of NAT is to get around the IPv4 address shortage.

    As for your problem, we'd need a lot more info, including packet captures of what's on the WAN and LAN.


  • LAYER 8 Netgate

    @xayumi said in IPv6 unable to access internet on LAN interface:

    PING6(56=40+8+8 bytes) 2404:c804:183a:e100::1 --> 2404:6800:4005:800::2003
    16 bytes from 2404:6800:4005:800::2003, icmp_seq=0 hlim=55 time=4.031 ms

    Unable to ping to internet

    PING6(56=40+8+8 bytes) 2404:c804:183a:e100::1:1 --> 2404:6800:4005:800::2003

    Those are sourcing from the same /64. The first thing I would try is setting the IPv6 Prefix ID on LAN to 1.

    You also need to be sure you are passing IPv6 into LAN on the LAN firewall rules.

    If that doesn't solve it, be sure this is checked on Interfaces > WAN: Debug: Start DHCP6 client in debug mode.

    Then look at the DHCP logs for information about what exactly is happening between you and the ISP.



  • Thanks! Derelict, JKnott, I managed to solve the issues.

    1. I called up the ISP; they told me a /64 address, but a single IP, one and only one, is assigned to me (unless I subscribe to another plan with additional $$)
    2. Thus I changed to DHCPv6 on WAN
    3. On the LAN side, I use the fc::/7 reserved range and do NAT

    Now it is working, thanks a lot !!!

    C:\Users\xxxxxxx>tracert -d google.com.hk

    Tracing route to google.com.hk [2404:6800:4005:806::2003]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms fc::1
    2 16 ms 1 ms 3 ms 2404:c800:8101:418::1
    3 2 ms 3 ms 2 ms 2404:c800:8102:1935::21
    4 3 ms 2 ms 2 ms 2404:c800:8002:1e::1
    5 2 ms 3 ms 4 ms 2400:8800:1f0f:4::1
    6 4 ms 4 ms 4 ms 2001:4860:1:1::1ed
    7 2 ms 4 ms 2 ms 2001:4860:1:1::1ec
    8 10 ms 4 ms 4 ms 2001:4860:0:e07::1
    9 3 ms 13 ms 4 ms 2001:4860:0:1::1ec7
    10 3 ms 4 ms 2 ms 2404:6800:4005:806::2003

    Trace complete.

    C:\Users\xxxxxxx>ping -6 google.com.hk

    Pinging google.com.hk [2404:6800:4005:806::2003] with 32 bytes of data:
    Reply from 2404:6800:4005:806::2003: time=2ms
    Reply from 2404:6800:4005:806::2003: time=3ms
    Reply from 2404:6800:4005:806::2003: time=12ms
    Reply from 2404:6800:4005:806::2003: time=6ms

    Ping statistics for 2404:6800:4005:806::2003:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 12ms, Average = 5ms
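
Added example, not written by anyone in this thread: a Python check of the addressing discussed above, covering whether two addresses share a /64, which /64 a Prefix ID selects from a delegation, and whether an address lies inside fc00::/7. The Track Interface model in `tracked_prefix` and the 2001:db8 delegation are assumptions made for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # RFC 4193 unique local addresses


def slash64(addr: str) -> ipaddress.IPv6Network:
    """Return the /64 network that contains addr."""
    return ipaddress.ip_network(f"{addr}/64", strict=False)


def same_slash64(a: str, b: str) -> bool:
    """True when both addresses sit in the same /64, so they are one link."""
    return slash64(a) == slash64(b)


def tracked_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Assumed model of Track Interface: Prefix ID selects the n-th /64
    inside the prefix delegated on the tracked interface."""
    net = ipaddress.ip_network(delegated)
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a LAN /64")
    count = 1 << (64 - net.prefixlen)  # number of /64s in the delegation
    if not 0 <= prefix_id < count:
        raise ValueError(f"Prefix ID must be 0..{count - 1} for a /{net.prefixlen}")
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def is_ula(addr: str) -> bool:
    """True when addr falls inside fc00::/7."""
    return ipaddress.ip_address(addr) in ULA


if __name__ == "__main__":
    # The two ping sources quoted in the thread share one /64.
    print(same_slash64("2404:c804:183a:e100::1", "2404:c804:183a:e100::1:1"))
    # Constructed /56 delegation (documentation prefix, not from the thread).
    for pid in (0, 1):
        print(pid, tracked_prefix("2001:db8:0:e100::/56", pid))
    # With only a /64 there is a single valid Prefix ID, so 1 is rejected.
    try:
        tracked_prefix("2001:db8:0:e100::/64", 1)
    except ValueError as err:
        print("rejected:", err)
    # fc::1 expands to 00fc:0:0:0:0:0:0:1, which is outside fc00::/7.
    for addr in ("fc::1", "fc00::1", "fd00::1"):
        print(addr, ipaddress.ip_address(addr).exploded, is_ula(addr))
```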


  • LAYER 8 Netgate

    That is really sad.



  • @xayumi said in IPv6 unable to access internet on LAN interface:

    I called up the ISP; they told me a /64 address, but a single IP, one and only one, is assigned to me (unless I subscribe to another plan with additional $$)

    Visit https://ipv6.he.net/
    They supply you all you need, and more.
    Free of charge.
    Rock solid.



  • Yes it works now, but any ideas for how to enable Privacy Extensions (RFC 4941) for SLAAC/DHCPv6 on WAN?

    Since I am using a virtual router, I don't wanna expose my MAC address or MAC vendor, thanks!




  • I'm trying to stay away from SLAAC.
    I received a routable /64 from he.net, set up DHCP6 on my LANs, and stopped looking at it.



  • LAYER 8 Netgate

    @xayumi Not really.

    IPv6 in pfSense is designed to be used properly.

    What you (or actually, your ISP) is doing is pretty much nonsense.



  • @xayumi said in IPv6 unable to access internet on LAN interface:

    I called up the ISP; they told me a /64 address, but a single IP, one and only one, is assigned to me (unless I subscribe to another plan with additional $$)

    They only give you 1 IPv6 address???? I get a /64 on my cell phone and a /56 at home. Unbelievable!!!

    Yes it works now, but any ideas for how to enable Privacy Extensions (RFC 4941) for SLAAC/DHCPv6 on WAN?

    You can't do it with only 1 address. With privacy extensions, you'll wind up with 8 addresses after a week.



  • @gertjan said in IPv6 unable to access internet on LAN interface:

    I received a routable /64 from he.net, set up DHCP6 on my LANs, and stopped looking at it.

    That's nice. Do you need to run any routing protocol on your WAN, or do you just enable WAN with DHCPv6?

    Thanks !!



  • @jknott said in IPv6 unable to access internet on LAN interface:

    @xayumi said in IPv6 unable to access internet on LAN interface:

    I called up the ISP; they told me a /64 address, but a single IP, one and only one, is assigned to me (unless I subscribe to another plan with additional $$)

    They only give you 1 IPv6 address???? I get a /64 on my cell phone and a /56 at home. Unbelievable!!!

    Yes it works now, but any ideas for how to enable Privacy Extensions (RFC 4941) for SLAAC/DHCPv6 on WAN?

    You can't do it with only 1 address. With privacy extensions, you'll wind up with 8 addresses after a week.

    Hi JKnott, yes, they give me a /64 for my home, and I was unable to create a subnet or whatever within my LAN. Currently I am using IPv6 NAT like v4 does for my pfSense... @@!!

    Oh got ya ... maybe I will try to generate a random MAC address on my VM's WAN to hide this info then, if it's not possible to do a quick setting in pfSense :)


  • LAYER 8 Netgate

    If they are assigning a /64 to your WAN you cannot use it on LAN.

    If they are assigning an IPv6 address on WAN and ROUTING a /64 to that you can use that /64 on LAN.

    This is not a pfSense problem. It is an ISP problem.



  • @derelict

    Hi yes, I understand, they just assigned me an IPv6 address marked /64 on my WAN, instead of an IPv6 address and a /64 subnet.

    I am new to IPv6 and really did spend some hours figuring it out!
    Thanks for your help! NAT for IPv6 is currently a solution for me :)



  • @xayumi said in IPv6 unable to access internet on LAN interface:

    @derelict

    Hi yes, I understand, they just assigned me an IPv6 address marked /64 on my WAN, instead of an IPv6 address and a /64 subnet.

    I am new to IPv6 and really did spend some hours figuring it out!
    Thanks for your help! NAT for IPv6 is currently a solution for me :)

    One thing a lot of people have to figure out is the WAN address is not used for routing. It's a /128, which means it's to identify an interface only. It cannot be used to communicate with another device, without going through a router (pfSense). On IPv6, link local addresses are normally used for routing. Link local addresses start with fe80.