IPv6 routing issues



  • Hello

    I'm having an IPv6 routing issue in pfSense.

    My WAN interface has a static IPv6 address and the required IPv6 upstream gateway.

    No routing issues from the WAN to IPv6 addresses such as ipv6.google.com.
    I can ping IPv6 addresses from the WAN using the IPv6 protocol.

    The issue is with the computers behind the pfSense (LAN). I'm not able to ping
    IPv6 addresses from the LAN interface.

    The following is my configuration:

    WAN IPv6 >> 2803:xxxx:xxx::250 /64
    WAN IPv6 Gateway >>2803:xxxx:xxx::252
    LAN interface >> 2803:xxxx:0003:98:: /64 static IPv6 2803:xxxx:0003:98::1/64

    Firewall rules are in place
    IPv6 is enabled System>> Advanced>> Networking >> Allow IPv6

    Checking the "States" in the pfSense I see the following message for all the IPv6 traffic: NO_TRAFFIC:NO_TRAFFIC

    I hope someone has an idea about this issue.

    Thanks in advance


  • Galactic Empire

    @jcascante said in IPv6 routing issues:

    The issue is with the computers behind the pfSense (LAN). I'm not able to ping
    IPv6 addresses from the LAN interface.
    The following is my configuration:

    Post your LAN firewall rules.

    Can you ping by IPv6 address, i.e.:

    mac-pro:~ andy$ ping6 2a00:1450:4009:800::200e
    PING6(56=40+8+8 bytes) 2a02:xxxx:xxxx:2::14 --> 2a00:1450:4009:800::200e
    16 bytes from 2a00:1450:4009:800::200e, icmp_seq=0 hlim=251 time=10.279 ms
    16 bytes from 2a00:1450:4009:800::200e, icmp_seq=1 hlim=251 time=9.894 ms
    16 bytes from 2a00:1450:4009:800::200e, icmp_seq=2 hlim=251 time=9.977 ms
    ^C
    --- 2a00:1450:4009:800::200e ping6 statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 9.894/10.050/10.279/0.165 ms
    mac-pro:~ andy$



  • About the LAN rules, I have an any-any rule through the IPv6 gateway for IPv6 traffic.
    3b593b43-6340-4e61-845b-219cfd261869-image.png

    But I'm only able to ping the LAN gateway. When I try to ping, for example, Google IPv6, the following is the result:

    5497cb85-0318-4c52-84d0-27c803a56a1b-image.png


  • Galactic Empire

    Try a packet capture on the WAN interface, IPv6 only, and filter on the IPv6 address you're trying to ping. Does traffic exit the WAN interface?

    You should see requests & replies if it's working.

    10:18:21.558373 IP6 2a02:xxxx:xxxx:2::14 > 2a00:1450:4009:800::200e: ICMP6, echo request, seq 0, length 16
    10:18:21.566280 IP6 2a00:1450:4009:800::200e > 2a02:xxxx:xxxx:2::14: ICMP6, echo reply, seq 0, length 16
    10:18:22.559258 IP6 2a02:xxxx:xxxx:2::14 > 2a00:1450:4009:800::200e: ICMP6, echo request, seq 1, length 16
    10:18:22.567319 IP6 2a00:1450:4009:800::200e > 2a02:xxxx:xxxx:2::14: ICMP6, echo reply, seq 1, length 16
    10:18:23.559258 IP6 2a02:xxxx:xxxx:2::14 > 2a00:1450:4009:800::200e: ICMP6, echo request, seq 2, length 16
    10:18:23.567432 IP6 2a00:1450:4009:800::200e > 2a02:xxxx:xxxx:2::14: ICMP6, echo reply, seq 2, length 16
    10:18:24.559257 IP6 2a02:xxxx:xxxx:2::14 > 2a00:1450:4009:800::200e: ICMP6, echo request, seq 3, length 16
    10:18:24.567121 IP6 2a00:1450:4009:800::200e > 2a02:xxxx:xxxx:2::14: ICMP6, echo reply, seq 3, length 16
    10:18:25.560106 IP6 2a02:xxxx:xxxx:2::14 > 2a00:1450:4009:800::200e: ICMP6, echo request, seq 4, length 16
    10:18:25.568160 IP6 2a00:1450:4009:800::200e > 2a02:xxxx:xxxx:2::14: ICMP6, echo reply, seq 4, length 16
    10:18:26.560302 IP6 2a02:xxxx:xxxx:2::14 > 2a00:1450:4009:800::200e: ICMP6, echo request, seq 5, length 16
    10:18:26.568500 IP6 2a00:1450:4009:800::200e > 2a02:xxxx:xxxx:2::14: ICMP6, echo reply, seq 5, length 16

    Why is the gateway set to CNFL_Gateway_IPv6? Set it to default.



  • Hello

    Thanks for your response

    I made the packet capture and there is only "echo request" traffic. There is no communication between the LAN and the IPv6 gateway because I tested and I'm able to ping my IPv6 WAN interface.

    03:38:17.994597 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 804, length 40
    03:38:22.758877 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 805, length 40
    03:38:27.759418 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 806, length 40
    03:38:32.779074 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 807, length 40
    03:38:37.762873 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 808, length 40
    03:38:42.759550 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 809, length 40
    03:38:47.759580 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 810, length 40
    03:38:52.772984 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 811, length 40
    03:38:57.759284 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 812, length 40
    03:39:02.758949 IP6 2803:xxxx:3:98:ac43:88d8:1808:602a > 2001:4860:4860::8888: ICMP6, echo request, seq 813, length 40

    About the gateway I changed it to default but there is the same performance, no IPv6 connection from LAN.

    Do you think the issue is on pfSense or maybe on the ISP side?

    Regards
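
The capture comparison made in the posts above (request/reply pairs in a working capture, requests only in the failing one) can be checked mechanically. This is an added example, not code from any poster; the sample lines are constructed with the 2001:db8::/32 documentation prefix, and the function names and verdict wording are assumptions.

```python
import re

# Matches tcpdump's one-line ICMPv6 echo output as pasted in the thread, e.g.
# 10:18:21.558373 IP6 <src> > <dst>: ICMP6, echo request, seq 0, length 16
# (an "id N," field, printed by some tcpdump versions, is tolerated)
ECHO_RE = re.compile(
    r"^\s*\S+ IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"echo (?P<kind>request|reply), (?:id \d+, )?seq (?P<seq>\d+)"
)

def unanswered_echoes(capture_text):
    """Map (src, dst) -> sorted seq numbers of echo requests with no reply."""
    pending = set()
    for line in capture_text.splitlines():
        m = ECHO_RE.match(line)
        if not m:
            continue
        src, dst, seq = m["src"], m["dst"], int(m["seq"])
        if m["kind"] == "request":
            pending.add((src, dst, seq))
        else:
            # A reply runs the other way: its dst is the request's src.
            pending.discard((dst, src, seq))
    flows = {}
    for src, dst, seq in sorted(pending):
        flows.setdefault((src, dst), []).append(seq)
    return flows

def verdict(capture_text):
    """Classify a WAN-side capture the way the thread reads it."""
    if not any(ECHO_RE.match(l) for l in capture_text.splitlines()):
        return "no echo requests on this interface: check local rules/routing"
    if unanswered_echoes(capture_text):
        return "requests leave, replies never return: check the upstream return path"
    return "requests and replies both seen: path works"

# Constructed samples using the 2001:db8::/32 documentation prefix.
WORKING = """\
10:00:00.100000 IP6 2001:db8:3:98::10 > 2001:db8:ffff::8888: ICMP6, echo request, seq 0, length 16
10:00:00.108000 IP6 2001:db8:ffff::8888 > 2001:db8:3:98::10: ICMP6, echo reply, seq 0, length 16
"""
FAILING = """\
03:38:17.994597 IP6 2001:db8:3:98::10 > 2001:db8:ffff::8888: ICMP6, echo request, seq 804, length 40
03:38:22.758877 IP6 2001:db8:3:98::10 > 2001:db8:ffff::8888: ICMP6, echo request, seq 805, length 40
"""

if __name__ == "__main__":
    for name, cap in (("WORKING", WORKING), ("FAILING", FAILING)):
        print(name, "->", verdict(cap), unanswered_echoes(cap))
```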


  • Galactic Empire

    @jcascante said in IPv6 routing issues:

    2001:4860:4860::8888

    Try a traceroute on the internet to your IP.

    https://www.ultratools.com/tools/traceRoute6

    Also post your full LAN rules.



  • Sorry for the question but do you mean a traceroute to the IP that I have in my PC or the one configured in interface WAN of pfSense?

    About my LAN rules, there are the following:

    For IPv4 Internet access
    474c14e8-9706-4d58-95d0-e4fe5d9a905b-image.png

    For IPv6 Internet access
    4cfcbb3a-1fb2-4226-a589-12d5c31b3174-image.png

    The other rules are just for traffic between VLANs on specific ports such as SSH, RDP, ICMP. This VLAN, the one that I'm using for testing, doesn't have a deny rule.


  • Galactic Empire

    @jcascante said in IPv6 routing issues:

    Sorry for the question but do you mean a traceroute to the IP that I have in my PC or the one configured in interface WAN of pfSense?

    A local LAN IP, and try the WAN after; it could be an issue with your ISP.

    I see from a previous post you have multi WAN set up, it could be an issue with that.

    https://forum.netgate.com/topic/131158/ipsec-multi-wan-failover-pfsense-2-4-2-release-p1

    You will need an IPv6 ICMP allow rule on the WAN interface.

    Here's how I have my USER interface set up and it works fine.

    Screenshot 2019-08-15 at 11.15.06.png



  • @jcascante said in IPv6 routing issues:

    The issue is with the computers behind the pfSense (LAN). I'm not able to ping
    IPv6 addresses from the LAN interface.

    This sounds like a routing issue. I had one a few months ago that turned out to be a problem at the ISP. Use Packet Capture or Wireshark to see what's actually happening. When you ping Google from the LAN, do you see the packets go out? Any reply? If you ping your firewall and computers on the LAN, from another device (I used a computer tethered to my cell phone), do you see them coming to the firewall?



  • @jcascante said in IPv6 routing issues:

    There is no communication between the LAN and the IPv6 gateway because I tested and I'm able to ping my IPv6 WAN interface.

    If you're not seeing the LAN pings going out, you have some configuration issue.



  • @NogBadTheBad Thanks again for the response.

    I made the traceroute test and found a routing issue. I'm checking right now with my ISP.

    I will post a summary of the issue once this is resolved.



  • @JKnott Hi, thanks for your response. I'm checking the issue with my ISP right now; it seems there are some missing routes that are causing this behavior.

