Spectrum (Upstate NY)/IPv6 Routing Out But Dies On Return
-
This post is deleted! -
@hbp4c said in Spectrum (Upstate NY)/IPv6 Routing Out But Dies On Return:
I feel like I'm close and I've missed something simple. Any ideas are welcome!
After glancing through all that, I'm confused. The key is to keep things simple and take them one step at a time. You say the reply gets to the WAN. Where on the WAN? Does it actually reach the WAN interface but then disappear? You can use Packet Capture to see if the reply gets there. Can you try pinging from a different network? Here I have 2 options for this. I can tether to my cell phone, but I also get 2 separate connections through my cable modem. That way I can ping my network and see if the requests actually arrive. This is the sort of thing you do to isolate the problem.
As an example, last year I had a problem with IPv6. I could ping from pfSense and get a reply, but not from a computer behind pfSense. Likewise, I could, through the 2nd connection, ping from outside to pfsense, but not to the LAN. This indicated a routing problem by my ISP. I then used a managed switch, configured as a network tap, to monitor, using Wireshark, what happened when I rebooted pfSense. With that I was able to identify a problem with my ISP and even identify the failing system by host name. Then the hard part began, getting my ISPs network guys to get off their butts and fix the problem. That part took a senior tech coming to my home, with his own modem and seeing the problem still happened and then going back to the head end and finding that things worked fine on 3 of 4 CMTS, but not on the one I had identified by name. The network guys finally accepted they had a problem and fixed it.
-
Ok, let me summarize:
If you'll look at the screenshot of the ping which is a tcpdump of the ipv6 traffic on my router, my router with a 2602: address sends an ICMP request out to google. Google replies twice and the packet gets back to the WAN interface on my router.
However, if I run the same tcpdump on the general vlan interface on my router, I do not see the echo response.
I included the firewall rules that are in play, and ipv6 should be allowed.
This looks like an routing issue to me, but not sure (due to this being RA) how to diagnose that.
Thanks.
-
Yes, it could be a routing issue. Again, packet capture can help. When you examine the packets, do you see the correct addresses? Are there any firewall rules blocking? All RAs do is provide things like the gateway address, prefix, DNS, etc.. Again, examining the packets can tell you a lot.
Also, please be precise in describing what you're doing. For example, when you run tcpdump on the LAN, I assume you're pinging from the LAN, but I can't be certain. Also, firewalls are generally used for things that originate outside of the firewall, so if pings are going out, the replies should be coming back without a specific rule to allow it, etc.. Also, on the rules you have General net for source. What does that mean? In looking at what you have, I'd say you've created a complex config that may be causing your problems. As always, start simple and go from there, so you have some idea what might have caused a failure.
-
@JKnott
Did you read the detailed post I started with? I explained what General net is in detail and how I'm configured and you mentioned you "glanced" at my post.I'm not trying to be disrespectful, but if you're just shotgunning answers at me you're not being helpful.
Best.
-
You've deleted the post which makes doing that hard.
But it seems unlikely Google are replying twice in that packet capture. More likely the ping reply is being incorrectly routed back out of the WAN so you see it twice. If you view the pcap at full detail you will see the MAC addresses begin used so you can check that. Check the system routing if so.
Steve
-
@stephenw10 Yes, I decided to just nuke this tread. Not sure how to delete the whole thread but I don't have time to work on this right now.
Thanks for the suggestion.