Problem Loading web pages with ipv6

unemployed_ghost · Oct 23, 2020, 5:58 AM

hi,
i have a problem loading web pages with ipv6 protocol.
first of all i've made many tests and found out that with my providers router ipv6 browsing works fine.
My provider gives me a /56 DP.

I have configured pfsense with DHCPv6 at WAN and /56 DP , enable hint, use ipv4 link.
at router advertisments i selected Assisted RA flags.
the lan interfaces have ipv6 at track.

I get an ipv6 for the WAN and /64 for every lan (total 5) interfaces.

I can see both my ip (v4 and v6 ) that i have at ipv6 test web pages on the internet.
I can ping web pages with ping6 (macos) command and resolves fine and answered fine.
i can dig v6 web pages.
i can access ipv6 directly with the ip v6 address.
The problem is i cant load web pages from the browser (tried safari, chrome, firefox, different pc, mac, linux) same behavior.

Please someone help me with this problem.

P.S. I have those packages at pfsense (snort, pfblockerng)
P.S.2 I have the DNS resolver works as a resolver. ( i tried with as forwarder, even disabled,)(tried different dns servers, at pfsense or directly to clients) ---> no change :(
P.S. 3 pfsense makes the PPoE session and provider router on bridge.

Gertjan · Oct 23, 2020, 7:46 AM

@unemployed_ghost said in Problem Loading web pages with ipv6:

P.S. I have those packages at pfsense (snort, pfblockerng)
P.S.2 I have the DNS resolver works as a resolver. ( i tried with as forwarder, even disabled,)(tried different dns servers, at pfsense or directly to clients) ---> no change :(

The DNS Resolver should be set up as and kept as a resolver. Actually, the settings were ok when you installed pfSense from scratch. These are proven to work well.

Not related to your question, but pfblockerng-devel needs the Resolver to work as a resolver.

General advise : packages like snort and pfblockerng-devel should be activated only when IPv4 and IPv6 works well.

You do have a firewall rule on each LAN interface that let's pass IPv6 traffic - and ICMPv6 traffic ?
The default rule on the LAN interface will d the job just fine. To be copied to the other OPTx interfaces = your other LAN type interfaces.

unemployed_ghost · Oct 23, 2020, 9:12 AM

thanks for your answer.

yes i have a proper rule (Allow ipv4+6 on each lan, protocol ANY port ANY)

The DNS resolver works as it was by default.( i just made changes to test and reverted them)

Web sites resolving to ipv6 address just web pages not loading to web browsers :(

Gertjan · Oct 23, 2020, 9:28 AM

You're using PPOE.
The word 'MTU' means something to you ?
Try lowering it - there are ping tests that show you when packets are fragmented (MTU to big) and when you lower the MTU, you'll hit a moment when they stop being fragmented. That will be your perfect WAN MTU setting.

unemployed_ghost · Oct 23, 2020, 10:30 AM

I have an MTU of 1492 as my ISP suggests.

JKnott · Oct 23, 2020, 10:44 AM

@unemployed_ghost

Try something basic. Can you ping the the IPv6 sites? It could be your ISP has a problem, even though you have valid addresses. I ran into that a couple of years ago. Regardless, a browser should try IPv6 first and then IPv4 if it fails. Is that happening?

unemployed_ghost · Oct 23, 2020, 10:47 AM

i can ping the ipv6 sites.
browsers not reverting to ipv4 if ipv6 fails not know why. (how to check this?)

kiokoman · Oct 23, 2020, 11:33 AM

and what website did you trying to access for example?

NogBadTheBad · Oct 23, 2020, 11:35 AM

what does this show:-

https://ipv6-test.com

Gertjan · Oct 23, 2020, 11:46 AM

A browser should :

Use IPv6 (if it is available** on the device)
and if no answer, it should fall back to IPv4 (if available ;) )

available means : it should have some sort of IPv6 starting with ff.... or 20..... and it has probably multiple IPv6. Execute "ipconfig /all" or ifconfig on your device to check.
It should know about a IPv6 capable gateway, which should point to pfSense - and a DNS (also a the LAN IPv6 of pfSense)
Or : if you have a mouse :

and you can check the status also over there which shows everything.
All this to check if your device is all set up.

On the pfSense side :

As I have a IPv4 (only) WAN and a 'special' interface that gives me IPv6, as my ISP doesn't know what IPv6 is ....

Another test :
http://test-ipv6.com/

unemployed_ghost · Oct 23, 2020, 11:53 AM

it cant even load ipv6-test.com if idont close ipv6 from lan settings and use ipv4

the site keeps loading on browser forever (no error no anything)
@NogBadTheBad said in Problem Loading web pages with ipv6:

what does this show:-

https://ipv6-test.com

unemployed_ghost · Oct 23, 2020, 11:51 AM

@Gertjan

test-ipv6.com
shows my ipv4 and ipv6 ip
and score 10/10

unemployed_ghost · Oct 25, 2020, 11:34 AM

suddenly i can open webpages with ipv6 but not all of them
i tested disabling ipv4 on my client (pc) network card and leave only ipv6

i.e. ipv6-test.com not opening
the netgate forum opens fine
some other local forum page not opening
ipv6.google.com opens
youtube opens
google.com opens

Any clue what is going on?

no logs at the firewall
i can only see the ip:53 request and the reply after that no logs

kiokoman · Oct 25, 2020, 12:50 PM

if it is pppoe
go to the interface and set MSS to 1452, test and see if it's better.
eventually lower the value to 1440

unemployed_ghost · Oct 26, 2020, 1:36 PM

After another call to my ISP the problem finally solved!!!
There was nothing from my side!

Thank you all for your support.