Netgate Discussion Forum

    IPv6 WAN Gateway monitoring reports 100% packet loss

    36 Posts 6 Posters 5.8k Views
      A Former User

      After upgrading to CE 2.5.X and then to 2.6.0 I experienced a situation where the IPv6 WAN Gateway monitoring reported 100% packet loss. The solution was to go to Interfaces -> WAN, then save the settings and click Apply, and it would start working again.
      Having now upgraded from CE 2.6.0 to 21.01 I found the exact same problem; however, the same solution still works.
      There appears to be a problem with IPv6, in that to upgrade from CE 2.6.0 I had to select Prefer IPv4 Network in System -> Advanced -> Networking. This is due in part to certificates not resolving and ews.netgate.com only having an IPv4 address.

      Edit: just rebooted 22.01 and, like CE 2.5.2 and CE 2.6.0, found that the IPv6 WAN Gateway was offline again. If left, all IPv6 traffic is blocked.
      191df7d2-d5d2-4cf3-92f4-ea49354d92d9-image.png

      After going to Interfaces -> WAN, then pressing Save and Apply Changes
      9e3b591d-4d7e-4fb8-9093-10200aa64070-image.png

      Since disabling Prefer to use IPv4 even if IPv6 is available
      ae06ab52-1f55-493f-8178-0a64a9072f2a-image.png
      System Updates reports this
      ff6fee43-a991-4388-87ee-ad0a8a9d4de5-image.png
      With Prefer IPv4 enabled
      b15c3630-7b48-4b14-a963-d7f87e3ed4d2-image.png

      System Update now works
      98132155-977a-4f71-83db-e3a0c1b67ef6-image.png

        A Former User

        In relation to the failed update attempts on 31st March, I extracted the Log entries for the pfsense during the day. DNS_logs_for_CE_2.6.0_to_22.01.txt

        The logs include the attempt with Prefer IPv4 disabled and with Prefer IPv4 enabled, and my test after the successful upgrade, performing a System Update with Prefer IPv4 disabled and then enabling it to get the working screenshot.

          A Former User @A Former User

          When using a Dual Stack environment, I have checked that if Prefer IPv4 is not enabled, then attempting to list Available Packages within Package Manager also fails. Enable Prefer IPv4 networking and it becomes available. Installed Packages appears in either mode, but the response is delayed if you have previously attempted to see Available Packages.
          There is definitely an IPv6 only resolution failure when performing a lookup for Available Packages or performing an Upgrade.

            vsey @A Former User

            @vortex21 I have a very similar problem, but I think it's because pfSense can't establish an IPv6 connection, because if I try to ping any IPv6 address from pfSense directly (with Diagnostics -> Ping) with the WAN address as the source I get no response back. But IPv6 in the LAN network is working fine. Could you try to ping an IPv6 address from pfSense with Diagnostics and see if even that is working properly?

              JKnott @vsey

              @vsey

              My gateway has a link local address, which won't work. You have to use a global address a bit further out. I did a traceroute to Google to find the first global address it passed through. That works fine here.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...
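
The approach described in the post above (skip the link-local gateway and monitor the first global address on the path), as an added example that is not part of the original post. The traceroute output is constructed with documentation-prefix addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed traceroute6 output (not from the thread). 2001:db8::/32 is the
# documentation prefix, used here in place of real ISP addresses.
SAMPLE_TRACEROUTE = """\
traceroute6 to ipv6.google.com (2001:db8:4860::200e) from 2001:db8:10::2, 64 hops max
 1  fe80::1%igb0  0.412 ms  0.380 ms  0.365 ms
 2  * * *
 3  fd12:3456:789a::1  1.102 ms  1.050 ms  1.077 ms
 4  2001:db8:ffff::1  4.901 ms  4.850 ms  4.877 ms
 5  2001:db8:4860::200e  9.120 ms  9.001 ms  9.054 ms
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # IANA global unicast space
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")    # ULA, not routed on the Internet
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

def hop_addresses(traceroute_text):
    """Yield (hop_number, IPv6Address) for every hop that answered."""
    for line in traceroute_text.splitlines():
        match = HOP_LINE.match(line)
        if not match:
            continue  # header line or blank line
        for token in match.group(2).split():
            candidate = token.strip("()").split("%")[0]  # drop parentheses and zone id
            try:
                addr = ipaddress.IPv6Address(candidate)
            except ValueError:
                continue  # "*", RTT values, "ms", hostnames
            yield int(match.group(1)), addr
            break

def classify(addr):
    """Label an address by scope: link-local, unique-local, global or other."""
    if addr.is_link_local:
        return "link-local"
    if addr in UNIQUE_LOCAL:
        return "unique-local"
    return "global" if addr in GLOBAL_UNICAST else "other"

def first_global_hop(traceroute_text):
    """Return (hop_number, address) of the first global unicast hop, or None."""
    for hop, addr in hop_addresses(traceroute_text):
        if classify(addr) == "global":
            return hop, str(addr)
    return None

if __name__ == "__main__":
    print(first_global_hop(SAMPLE_TRACEROUTE))
```
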

                vsey @JKnott

                @jknott I think my problem lies a bit deeper, because I can't ping any IPv6 address on the Internet from pfSense itself. LAN works fine though, so I can ping IPv6 addresses from the LAN network and I can ping the hosts in the LAN network from pfSense. So in summary my pfSense gets an IPv6 address on WAN but has no IPv6 connectivity to the Internet at all. When I do a ping for example to ipv6.google.com and a packet capture simultaneously I see the ping packages leaving but no response coming back.

                  A Former User @vsey

                  @vsey

                  I only get the problem of the IPv6 gateway offline when I perform a reboot of my pfsense pc. Once I have saved my WAN settings again, the gateway monitoring starts working again and traffic is routed through pfsense. I do not use IPv6 NAT.
                  I have not checked using the Diagnostic ipv6 ping on the firewall, but all IPv6 clients on the LAN side are unable to ping any IPv6 address externally.

                    vsey @vsey

                    @vsey said in IPv6 WAN Gateway monitoring reports 100% packet loss:

                    @jknott I think my problem lies a bit deeper, because I can't ping any IPv6 address on the Internet from pfSense itself. LAN works fine though, so I can ping IPv6 addresses from the LAN network and I can ping the hosts in the LAN network from pfSense. So in summary my pfSense gets an IPv6 address on WAN but has no IPv6 connectivity to the Internet at all. When I do a ping for example to ipv6.google.com and a packet capture simultaneously I see the ping packages leaving but no response coming back.

                    Here is a packet capture of my IPv6 pings. One can see the gateway pings and the pings I did to Google, but there is no response coming back and I don't know why.
                    pfsense.png

                      A Former User @vsey

                      @vsey

                      I had a power outage this morning due to a toaster tripping the earth leakage circuit breaker. When pfSense was booted the WAN IPv6 connection reported 100% packet loss while IPv4 reported everything fine. I tried using the diagnostic IPv6 ping and they all failed; in fact so did all IPv4 diagnostic pings. Went to the WAN interface, saved the settings, and applied them and everything was working correctly. pfSense is configured as a router, as I have a public ::/48; this is divided into multiple ::/64 so internal traffic passes through pfSense to my internet firewall router and then hits my ISP's network.

                        A Former User @A Former User

                        @vortex21

                        Just upgraded to Version 22.05.r.20220609.1919 and after rebooting the IPv6 WAN Gateway monitoring failed again. So again I had to go to Interfaces -> WAN, then press Save and Apply Changes for the WAN gateway monitoring to work, otherwise IPv6 traffic is blocked.

                          Bob.Dig @A Former User

                          @vortex21 Is your pfSense behind another router doing DHCP with IPv6? In this situation it was normal to fail for me too but a reboot of pfSense would solve that, not provoke that behavior. What monitoring IP are you using?

                            A Former User @Bob.Dig

                            @bob-dig

                            Hi,

                            No, DHCPv6 is not being used. If I reboot my firewall the IPV6 Gateway also fails so I have to manually re-save the WAN settings and then IPv6 will begin to work again.

                            I am using a static IP on my edge router; both interfaces are statically assigned. I am using the private interface on the router as my monitoring IPv6 address.

                              A Former User @A Former User

                              @vortex21

                              Hi, upgraded to release 22.05.r.20220614.0600 today and IPv6 WAN monitoring again failed requiring WAN interface having to be saved and then Apply Changes for it to start working again.

                                A Former User @A Former User

                                @vortex21

                                Upgraded to 22.05.r.20220614.1944 and experienced the same problem. Also worth noting that unless Prefer to use IPv4 even if IPv6 is available (System -> Advanced -> Networking) is enabled, the upgrade will not complete.

                                  A Former User @A Former User

                                  @vortex21

                                  Just upgraded to 22.05.r.20220617.0613 but only after ensuring that Prefer IPv4 even if IPv6 is available is enabled in System -> Advanced -> Networking.
                                  After applying the update, I still lose connectivity to the IPv6 gateway, so I have to save the WAN settings again to get the IPv6 gateway monitoring to work; this is without changing any settings. From a monitoring perspective the RTT and RTTsd times are lower for IPv6 compared to IPv4.

                                    luckman212 @A Former User

                                    @vortex21 I think you might be seeing the same issue as I was here. You could try the linked PR #4595 to see if it helps your issue.

                                      A Former User @luckman212

                                      @luckman212

                                      Hi, tried applying the fix in the latest update of https://github.com/pfsense/pfsense/pull/4595. Unfortunately it did not fix the problem; I had to re-save the WAN interface settings and IPv6 GW Monitoring worked.

                                        luckman212 @A Former User

                                        @vortex21 How did you apply the fix? As it states in the PR notes, it probably won't work with the System Patches package alone due to the number of changes and the differences between the original files in pfS+ vs CE. So did you manually apply the changes to all the related files?

                                          A Former User @luckman212

                                          @luckman212
                                          Hi, followed the steps below

                                          1. install cmdwatch:

                                              pkg add https://pkg.freebsd.org/FreeBSD:12:amd64/latest/All/cmdwatch-0.2.0_2.txz

                                          2. download the script:

                                              fetch https://gist.githubusercontent.com/luckman212/0fdea1cbdc0a561d781a52c7d34fb60d/raw/ffd321ef196fb1c919dd66700acdd4acc02b3e63/dpinger_static_routes.php

                                          3. cmdwatch --interval=2 'php -q dpinger_static_routes.php'

                                          4. php -a

                                              include("config.inc");
                                              install_cron_job('/usr/bin/nice -n20 /etc/rc.checkv6addrchange', true, "*/1", '*', '*', '*', '*', 'root', true);

                                          5. After reboot, ran via ssh cmdwatch --interval=2 'php -q dpinger_static_routes.php'

                                          6. Then checked GUI, IPv6 monitoring was offline, and I had to save WAN interface to fix monitoring issue.

                                            luckman212 @A Former User

                                            @vortex21 You are missing most of the important steps. You just downloaded the little helper script from the other PR which does nothing but display some info. You need to apply the patches in the linked commit that actually change the behavior. I know it might be a bit complicated, so I'll try to post a step by step.

                                            Are you using pfSense+ or CE?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.