IPv6 Connectivity problem in vm

Bob.Dig

I really don't know where to start... I have a Hyper-V VM with Windows 10 connected to a Hyper-V "private switch" to the pfSense VM. This interface is the only one which get an IPv6 Address-prefix from pfsense.
I see some wired firewall log entries for weeks now, gmail tried to connect via IPv6, which was allowed but than switched to IPv4 to bring Email to the mailserver hosted on that Win10 VM.
On this machine, when I start a vanilla firefox and go to a IPv6-testsite like https://ipv6-test.com/ I get "IPv6 is Not supported.
When I type ipconfig -all, everything looks like it should. I got my IPv6-Adddress from the DHCPv6 Server and Windows got his own etc.
It doesn't make any sense to me. Any ideas?

2.5.0-DEVELOPMENT (amd64)
built on Sun Mar 08 05:18:17 EDT 2020
FreeBSD 12.0-RELEASE-p10

PS:I got another VM on that same Hyper-V Switch with ubuntu, with has no problem, so it might be a Windows problem. But that Vm was fresh installed and there is nothing installed other then the E-Mail-Server and Firefox for testing.

PPS: When I restart that machine, the IPv6 connectivity is there, I don't know for how long, can't be much.

JKnott

@Bob-Dig

Does the Windows computer have IPv6 working properly? Is the VM network adapter in bridge or NAT mode? IPv6 won't work through NAT mode.

Bob.Dig

@JKnott It is Hyper-V not VMWare . It is working after a reboot. I guess it is a Windows Bug.

JKnott

@Bob-Dig

Who said anything about VM Ware? VM often means just virtual machine. I use VirtualBox.

Gertjan

For what it's worth : I'm using a pfSense in a VM, on a Hyper-V Windows 10 box.
My ISP isn't informed about the existence of IPv6 yet, they just adapted IPv4 so it actually works.
With the help oh tunnebroker.he.net, some clicks in the GUI in pfSense and done : high quality IPv6 everywhere.

edit : To use IPv6 from he.net you need t have their T-Shirt ... something like that - I don't recall.

Bob.Dig

Still found no cause for that behavior. I set up a new VM with another Windowsversion, still after some time, firefox, as an example, has no IPv6 Connectivity anymore. IPv6 is pingable through pfsense.

Gertjan

@Bob-Dig said in IPv6 Connectivity problem in vm:

still after some time

The client (?) that looses IPv6 : it's using 'DHCPv6' ? You set up the DHCPv6 server ? How ? "DHCPv6 log" says what ?

For all what I know :
My ISP (it's he.net) gave me a IPv6 gateway.

On my side, I had to enter 'my' IPv6 - he.net gave it to me :

This ........1 is the gateway,.........2 being "me", or on the pfSense side.

he.net uses another appoarch as the what classic ISP normally use : I can't setup my pfSense WAN interface with some IPv4 and IPv6 settings. My upstream ISP device is a router, and added to that, it only handles IPv4.
he.net and pfSense found the solution : I had to create a new interface, dedicated to IPv6 only, that uses the gateway and client IPv6 mentioned above. Added to that : it's using a IPv6 over IPv4 protocol, which means that all the IPv6 traffic is encapsulated in some IPv4 data stream - the GIF protocol (dono if it's is actuality a protocol) that looks somewhat like what VPN does.

he.net offers me an entire

which is a simple 'minimal' /64 block, just ok for one LAN.
So I set up my LAN interface like this :
2001:470:1f13:5c1::/64

and use a small part of it for DHCPv6 so it can hand out IPv6 out of this range to my devices :

I has to add me rules on my LAN interface :

The first rule is me playing with my firewall and exists just for fun. The other two seem rather logic to me, and can even be condensed in one rule.

The "he.net WAN special IPv6" interface doesn't need any rules and can stay empty - as any good WAN interface.

Also : he.net gives also another block for me : a woping huge

which I can map onto my other 256 LAN interfaces .......... :))))
edit : sorry, no : 65535 other interfaces

A lot of what I said is valid for my "special IPv6 ISP" and the reason why I use it is two folded :
They are still today one of the few ISP's that offer the IPv6 as it was meant to be. They didn't fcked up the RFC.
They give - for free - you a /48 as it was meant to be from the beginning.
They have a solid background. No bla bla bla. Good forum support.
And they are ... strange. They actually give (== for free) you a rather special T-Shirt if you mange to finish this one : https://ipv6.he.net/certification/cert-main.php
If you want to use their IPv6 facilities, or, IMHO, use any IPv6 faculities, you should finish the certification tour. You'll be needing it. It enables you to understand how to setup IPv6 on your side, and you'll be knowing what your ISP should do for you so it works - and, very important, it enables you to 'see' and 'check' how it works, and what to do when it doesn't.
I have the impression that he.net did all this for me.

This might be valid tomorrow : IPv6 is, as IPv4, simple, easy, straight forward and totally logic (for me, it shall be next decade, or so ...)

Bob.Dig

Thanks, but please let us stay on topic, why, now a second, windows machine is loosing its IPv6 connectivity somewhat and how to troubleshoot for that.

Gertjan

@Bob-Dig said in IPv6 Connectivity problem in vm:

let us stay on topic

Exactly. So, start feeding 'us' with some (far !) more info.
Saying : it's doesn't work doesn't allow someone to help you.

I do presume it isn't a VM issue, although, I have no means to exclude it neither.

@Gertjan said in IPv6 Connectivity problem in vm:

The client (?) that looses IPv6 : it's using 'DHCPv6' ? You set up the DHCPv6 server ? How ? "DHCPv6 log" says what ?

Bob.Dig

@Gertjan That vm is using DHCPv6.
Right after a reboot it is looking good like shown in the second picture. That picture is taken from another vm, which also has this problem.

Screenshot_2020-03-11 pfSense localdomain - Services DHCPv6 Server RA PRIVATSWITCH DHCPv6 Server.jpg

Screenshot_2020-03-11 pfSense localdomain - Services DHCPv6 Server RA PRIVATSWITCH Router Advertisements.png

Gertjan

This :

is missing the Prefix. For me, something like ":: to ffff:ffff;ffff;ffff;ffff" isn't normal at all.

How is your LAN interface (yours is called PRIVATESWITCH) set up ?

It should have some 'IPv6' related settings like :

Most often it's set up as a Static IPv6 - or "tracking interface", the others are more rare (?)
Normally, if your ISP assigned you a "fixed" "/64", you put that one on your LAN interface, and the LAN interafce will have abcd.efgh......... ::1 mask /65

Also, you should see in the DHCPv6 server status page that it delivered an IPv6 from the pool.

Like :

Logs : idem : this is a a snippet of one of the leases you can see in the image above :

so I know that 'my' pfSense is actually handing over an Ipv6 friom my pool to one of the LAN devices that was asking for an IPv6.

Bob.Dig

@Gertjan

You can see in the first picture, that it got an IP from DHCPv6

I mean, it is running for a while and than there is no connectivity sais the test-site, although ping6 from pfsense works.

Gertjan

When you select Track Interface, there are IPv6 things to set up :

These :

I guess, because I never sued that facility before - that you should select your WAN type interface.
And a "prefix" that was given to you by the ISP ...
And, I guess.

Bob.Dig

@Gertjan Sure.

Screenshot_2020-03-11 pfSense localdomain - Interfaces PrivatSwitch (hn2).png

Bob.Dig

Problem still persist, help for diagnosing would be much appreciated.

-dualstack WAN, no IPv6 tunnel
-Host Win10 with Hyper-V
-Client (VM): Windows 10 (two different versions tested) have problems
-Client (VM): ubuntu on that same interface has no problem!

Just disabling and then enabling the adapter in Windows makes the ipv6-test-site work again (for some time).

Bob.Dig

Is it normal that the expirations shown under NDP Table are changing all the time? e.g. it shows almost 24 hours and some seconds later it is only 30 seconds. That happens all the time.

Next I will try "Change DHCPv6 display lease time from UTC to local time" in the DHCPv6 Server, maybe Windows wants that...

Gertjan

Why did you decide to use "Interface Tracking" ?
As per ISP information ?

According to https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv6-wan-types.html#track-interface there should be lines in the logs related to this delegation exchange. Are there any logs lines ? Logs lines are the principal source of information when debugging - and you have none ??

You have a dual WAN (also a very error prone thing) : you're tracking the right WAN interface ?
And what about System > Routing > Gateways : is the right gateway selected ?

edit : NDP uses ICMP6 for discovering "who lives on a network segment" and is somewhat comparable with the ARP protocol used by IPv4. It's build into the IPv6 kernel and driver stack part, and doesn't need any user configuration. ( although : block ICMP6 on your LAN type interface and you'll "break" IPv6 )
See https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

Bob.Dig

@Gertjan I don't have dual wan and track interface is the default in pfSense. What is wrong with that?

"Change DHCPv6 display lease time from UTC to local time" didn't help.

Bob.Dig

@Gertjan I appreciate your help but you have a total different setup with that he-tunnel and probably not having dualstack on your wan.

Bob.Dig

When I do a "route print" in the windows vm, there is a difference between full connectivity and problematic connectivity. The following (first) line is missing after some time.

IPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
9 271 ::/0 fe80::215:5dff:fe01:7507

This is the PrivatSwitch Interface.