Update
-
Re: Comcast and ipv6
A small update - For some reason I found Under Advanced/Firewall the ipv6 checkbox unchecked. Now I can pull a ipv6 WAN IP (which is good), but for some reason I am not pulling a ipv6 DNS entry from comcast. Just their V4 addresses. Also the radvd service wont start. I am not seeing anything in the system logs, but perhaps I need to turn on more - will keep digging.
This is all so strange because it used to work just fine.
Thanks!
-
Re: Comcast and ipv6
A small update - For some reason I found Under Advanced/Firewall the ipv6 checkbox unchecked. Now I can pull a ipv6 WAN IP (which is good), but for some reason I am not pulling a ipv6 DNS entry from comcast. Just their V4 addresses. Also the radvd service wont start. I am not seeing anything in the system logs, but perhaps I need to turn on more - will keep digging.
This is all so strange because it used to work just fine.
Thanks!
Sorry for the double post 0 thought I was answering my own post but instead posted a new topic...
Meanwhile, since I could not pull a ipv6 DNS entry via DHCPv6, I added them in by hand and turned on RAs (stateless) and checked the box at the bottom (Use same settings as DHCPv6 server). I also changed to a /60 and set the prefix ID to 1. The added DNS entries are in the list, radvd is now running and I am able to resolve ipv6 addresses and ping the same from clients connected thru pfsense (I also pass 10/10 on the ipv6 test site) This setup is not automatic like it should be and is a kludge in my mind. I am sure I am missing a setting somewhere and can unwind this but not sure where to check at this point,.
-
Re: Comcast and ipv6
A small update - For some reason I found Under Advanced/Firewall the ipv6 checkbox unchecked. Now I can pull a ipv6 WAN IP (which is good), but for some reason I am not pulling a ipv6 DNS entry from comcast. Just their V4 addresses. Also the radvd service wont start. I am not seeing anything in the system logs, but perhaps I need to turn on more - will keep digging.
This is all so strange because it used to work just fine.
Thanks!
Sorry for the double post 0 thought I was answering my own post but instead posted a new topic...
Meanwhile, since I could not pull a ipv6 DNS entry via DHCPv6, I added them in by hand and turned on RAs (stateless) and checked the box at the bottom (Use same settings as DHCPv6 server). I also changed to a /60 and set the prefix ID to 1. The added DNS entries are in the list, radvd is now running and I am able to resolve ipv6 addresses and ping the same from clients connected thru pfsense (I also pass 10/10 on the ipv6 test site) This setup is not automatic like it should be and is a kludge in my mind. I am sure I am missing a setting somewhere and can unwind this but not sure where to check at this point,.
And that lasted like 5 minutes, not it's not working at all. I cannot resolve the ipv6 addresses anymore. Punting, disabled RAs and pulled out the manual ipv6 DHCP addresses. Hopefully someone more intelligent than I can figure this out.
-
but for some reason I am not pulling a ipv6 DNS entry from comcast. Just their V4 addresses.
You don't need one or more upstream IPv6 DNS.
You don't need one or more upstream IPv4 neither.
Remember : the resolvers already has the addresses and URls of the main root DNS servers.The DHCPv6 server on your LAN will dispatch the LAN IPv6 of pfSense, so DNS requests from your LAN will get answered when they are IPv4 or IPv6.
No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ?? -
I have probably described this poorly, but in the past when this worked, the pfsense router would pull 4 DNS IPs from comcast - 2 ipv4 (75.75.75.75 and 76.76.76.76) and 2 ipv6 (2001:558:feed::1, 2001:558:feed::2) . I only pull the 2 ipv4 addresses regardless of any settings I have tried.
Are you saying that is no longer required? I thought unless I run v6 over v4, I would always need the ipv6 DNS servers on teh WAN side in pfsense (especially when I have my end devices use the pfsense box as their DNS server in DHCP).
Thanks!
-
Are you saying that is no longer required?
In the past, our 'ISP box' obtained a WAN IP from the ISP? and a couple of upstream DNS servers.
Our box contained a low-bud DNS forwarder.
If the box was setup as a modem type device, then obtaining a DNS from upstream - the ISP, is even mandatory. But these days no one uses a ISP modem + one PC (I guess).So, these day : throw way - don't use - the list of DNS you receive.
As said : the Resolver, out of the box - is perfect which means : you do not have to neither need to supply any DNS server info.
pfSense, using Unbound, the Resolver, will handle all DNS for your LAN. And do some caching while doing so.Try it out for yourself :
- Save your config first.
- Reset pfSense to default - and reboot
- Assign Interfaces
- Log into the GUI, and assign a password.
- Set up WAN - if it is DHCP this step isn't needed.
Done.
You saw that these steps do not need you to enter any DNS related settings, yet DNS works.
As said ..... just perfect. -
You don't need one or more upstream IPv6 DNS.
You don't need one or more upstream IPv4 neither.In fact, you only need 1, either IPv4 or IPv6. It makes no difference which.
-
-
Yeah, again, perhaps I mispoke. I do not have any manually-added DNS entries on my system, only what comcast assigns me via DHCP on the WAN ports. No ipv6 provided (they used to be there).
I don't mind using the comcast-provided entries - I have tried many but the comcast ones tend to me my lowest-latency DNS for me.
And, if I didn't mention this before, it's my own modem so no comcast gateway in the lineup.
Thanks!
[ed: spelling and clarity]
-
Unless you put unbound into forwarding mode, those are not used.. But does seem you uncheck for pfsense to use itself for dns, the 127.0.0.1 - so pfsense wouldn't even be able to resolve any of your own stuff for say the firewall log, etc.
-
After I posted that, I noticed I had the 2 check boxes enabled (DNS Override and Disable DNS Forwarder). I disabled them and rebooted. The ipv6 address I was pulling on the WAN is gone and all the comcast DNS entries are now gone. But, unfortunately, 127.0.0.1 never showed back up. Now where did I screw up :-(
I am using DNS resolver but not DNS Forwarder - is that reversed perhaps?
Edit - I forgot to recheck localhost in the settings - now it's there (127.0.0.1). Going to test.
-
There is the forwarder dnsmasq, and then there is using the resolver (unbound) in forwarder mode..
Unbound (resolver mode default) will resolve no matter if you have anything listed in dns servers or not. But pfsense will not be able to resolve anything if you do not have something there.. 127.0.0.1 is all that is needed so pfsense can resolves stuff.. Like to grab the package list, to check for update. To resolve stuff in the firewall log, etc.
Both of those should be unchecked really
-
Thanks - both are unchecked - I had also unchecked localhost below when i set up resolver years ago with the 127.0.0.1 causing problems (and I do mean years ago). I remember it causing me problems, but can't recall what problem. I am set up as such:
-
I personally set unbound to only use my outbound (localhost) and specifically set which interface it listens on.. But all works too. but setting only localhost makes sure that the query is natted via which interface your going outbound on, be it wan, or vpn, etc.
I also set my zone type to static - this prevents anything in your local zone from being attempted to be resolved if there is no local entry.
So for example I use local.lan as my local domain, if I tired to lookup lsjlsjfldf.local.lan it would try and resolve that if set for transparent.. Which I don't want..
-
Thanks! Adjusted accordingly!
Now, I have a ipv6 address on the WAN side, it's assigned a default gateway (so V4 to V4 and V6 to V6). Unbound is running,. Have rebooted modem and the pfsense box. I can query ipv6 DNS entries just fine. The WAN side is set for DHCP for v4 and v6). I have the LAN set to track changes (prefix ID as 0). I am asking for a /64 and have checked the Request a ipv6 prefix using a ipv4 address and send a ipv6 prefix hint. From a PC, i can issue a DNS query and get returned V4 and V6 info and can nslookup a ipv6 address (it resolves) so i think that part is good. But, other than the link local address on the pc, I do not see another ipv6 address. If I hit test-ipv6.com, says I do not have a ipv6 address.
But, if I ping a ipv6 from inside pfsense Diagnostics->Ping (google.com for example), that works so from the WAN out is OK, just somthing on the LAN to WAN side. I see the default rule on the LAN side allowing ipv6 out.
edit: spelling
-
I also flirted with a /60 (prefixID of 1) and checking and unchecking the request prefixID only (no addresses) checkbox on the WAN interface screen. Didn't seem to alter the behavior (but per the logs, looks like I can ask for a /60). FYI, this is comcast.
-
@slk2k
More trying things out -Once I turned on dhcpv6 (made no changes on this screen other than that) and enabled RA (stateless), now I get IPs on the pc and can ping ipv6. Is that the correct way to do this??
Thanks!
Update - that didn't last long - I have a IPv6 address, just fails to function now (pings fail).
-
You don't need dhcpv6 at all if you don't want it.
Also to clear up something said a while back.. You do not need ipv6 dns to query for IPv6 address.. Those are just AAAA records, and have zero to do be it over ipv4 or ipv6 to query for that..
Pings fail how? You get a timeout, what - it doesn't resolve?
What are you trying to ping exactly? And via fqdn or IP, and what happens?
-
Sorry I wasn't more clear. Pings fail to an external fqdn of ipv6 or ipv6 address from a pc. (google.com now is a ipv6 only address) - nslookup returns both the A record and AAA record, so that works just fine. The pings do times out. But ipv6 from pfsense works so it's something on the lan->wan transition (or back) that's not working. Using dhcpv6 and RA's is the correct thing to do?
-
