Netgate Discussion Forum

    intermittent IPv6 connectivity between LAN to WAN (through firewall) but not from firewall itself to upstream gateway

    3 Posts 2 Posters 588 Views
      fossicker

      Well, here goes. Thanks for reading.

      Our library is fortunate enough to have a gigabit Internet connection provided by MSLN (University of Maine System). IPv4 is not a problem. We are running a new SG-5100 and the WAN is jacked directly into the MSLN-provided Edge Router. There is a little IPv6 network /126 between the two, such that the ER is 2610:48:433b:1::1 and the pfSense WAN is ::2, and from the pfSense shell I can always without fail ping ::1 and always ping the IPv6 Internet (ipv6.he.net for example). The internal networks are each assigned their own /64 such that the LAN iface is 2610:48:433b:2:: and DHCPv6 is configured to hand out a range plus DNS, and RA for the router, to LAN clients, example:

      eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
      link/ether b8:27:eb:14:24:57 brd ff:ff:ff:ff:ff:ff
      inet 10.0.10.19/24 brd 10.0.10.255 scope global eth0
      valid_lft forever preferred_lft forever
      inet6 2610:48:433b:2::29c/128 scope global noprefixroute dynamic
      valid_lft 5164sec preferred_lft 2464sec
      inet6 2610:48:433b:2:84c3:ee4b:d718:f529/64 scope global mngtmpaddr noprefixroute dynamic
      valid_lft 86391sec preferred_lft 14391sec
      inet6 fe80::9659:f211:a65c:2648/64 scope link
      valid_lft forever preferred_lft forever

      For brevity, LAN hosts can't always ping6 the Edge Router upstream of the WAN, nor can they ping the firewall's WAN interface (!), and therefore can't always reach the IPv6 Internet. This comes and goes without seeming to have a reason, hence I write this treatise for help. However, the firewall itself, via its shell, can ALWAYS ping the ER upstream and can ALWAYS ping the IPv6 Internet.
      So something is rotten between the LAN hosts and the firewall's WAN interface. Firewall rules are simple LAN IPv4/6 allow to any, it should be a straight shot (no NAT).

      Oh, and if the problem lies with this newfangled UniFi Switch I just installed recently, I'm going to throw it in the ocean and reinstall the old ProCurve that was working perfectly, albeit incredibly loudly (bad fan, hence the upgrade). It's the only thing that lies between the LAN hosts and the SG-5100.

      I don't think the problem lies with MSLN although I did open a ticket with their support just in case it's the Edge Router gone wonky.

      Any ideas?

        fossicker @fossicker

        @fossicker Also, I can always ping the Edge Router's IPv6 address from the wild and wooly Internet (my home connection via HE tunnel broker). For diagnostics I have the WAN open to ICMPv6 and I can always ping that too from outside. It's not a DNS problem, that much I know.

          kiokoman LAYER 8

          https://redmine.pfsense.org/issues/9577 maybe this applies to you also :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.