IPv6 works fine to internet from pfsense, but not from LAN devices.
-
I'm hoping someone can help me here as I'm at my wits end.
I went on holiday for a week, got home and it seems my IPv6 has stopped working correctly. It worked when I first set it up 18 months ago and I haven't really touched it since, but I now have Pfsense+ 22.01.
I'm in the UK. Zen ISP customer. I have a v4 /29 and a v6 allocation. /64 ND and /48 PD.
I have a Fritz 7530 setup in 'modem' mode, so Pfsense is doing PPPoE.
So v4 is all good, no problem.
v6: The WAN is set to DHCP6, gets an address in the /64. Pfsense can ping the internet, DNS resolution works, etc etc. All fine.
LAN is set to an address in the PD network, on a /64 subnet. DHCPv6 and RA setup on Lan. RA set to assisted. All clients get both SLAAC and DHCP addresses no problem. Can ping6 each other, can ping6 the pfsense LAN adapter, can even ping6 the WAN address of pfsense, but cannot ping6 any device on the internet. Doing packet captures on both LAN and WAN I can see the traffic entering the LAN then exiting the WAN, but no replies.
So I thought it was an ISP problem routing my /48 back to me. They insist it's not a problem with them. So I substituted the Fritz box back in in its default shipping setup, and simply turning on IPv6 on that to give out addresses directly to the clients, without pfsense at all and it worked fine, first time!
So what gives? IPv6 works fine on the diagnostic tools on pfsense, DNS resolution, ping out, ping in etc etc. But I can't ping to the internet from LAN devices. It's as if either it's not routing to the gateway correctly, or it's not receiving back the replies correctly, but that replying traffic is not showing up at all on the WAN NIC packet capture.
Any idea is really gratefully received!
-
@s_d said in IPv6 works fine to internet from pfsense, but not from LAN devices.:
LAN is set to an address in the PD network.
It should be "Track Interface".
-
@bob-dig said in IPv6 works fine to internet from pfsense, but not from LAN devices.:
@s_d said in IPv6 works fine to internet from pfsense, but not from LAN devices.:
LAN is set to an address in the PD network.
It should be "Track Interface".
Thank you!
May I ask why? It used to work before when set to static IP and that's the way I saw it on a good YouTube tutorial this afternoon when I was sanity checking everything again...
-
@s_d If WAN has to be set to DHCP, then "Track Interface" is the usual way of doing it. Give it a try.
-
@bob-dig said in IPv6 works fine to internet from pfsense, but not from LAN devices.:
@s_d If WAN has to be set to DHCP, then "Track Interface" is the usual way of doing it. Give it a try.
OK unfortunately that's worse. With the Lan set to 'track' the LAN doesn't get a GUA at all. I've checked the DHCPv6 Prefix Delegation size is set to 48, as per Zen's allocation to me. Obviously with no GUA on the LAN my DHCPv6 server and RA don't work on my LAN network either, so no clients are getting a GUA.
-
@s_d I'm with Zen too and also had issues with IPv6 on my local lans today
Did your WAN IPv6 address change and it was still in the /64 ND range, mine did.
I could ping the WAN IPv6 from the internet but not any of my LAN IPv6 addresses.
I'm sure I previously had the DHCPv6 Prefix Delegation size set to /48.
ND Prefix: 2a02:xxxx:xxxx:d8::/64
PD Prefix: 2a02:zzzz:zzzz::/48
I have my LANs set as static /64's and now seem to have resolved the issue with the following, I still don't think it's right though.
@Bob-Dig It should be "Track Interface", no it doesn't have to be set to "Track Interface"
-
@nogbadthebad said in IPv6 works fine to internet from pfsense, but not from LAN devices.:
@s_d I'm with Zen too and also had issues with IPv6 on my local lans today
Did your WAN IPv6 address change and it was still in the /64 ND range, mine did.
I could ping the WAN IPv6 from the internet but not any of my LAN IPv6 addresses.
I'm sure I previously had the DHCPv6 Prefix Delegation size set to /48.
ND Prefix: 2a02:xxxx:xxxx:d8::/64
PD Prefix: 2a02:zzzz:zzzz::/48
I have my LANs set as static /64's and now seem to have resolved the issue with the following, I still don't think it's right though.
@Bob-Dig It should be "Track Interface", no it doesn't have to be set to "Track Interface"
BOOM!
Amazing! THANK YOU. That setting 'dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent' fixed it for me! Didn't need Dhcp debug mode, but setting this release option then flapping the WAN interface manually brought everything up nicely. Now my IPv6 is working again! Woot!
-
@nogbadthebad said in IPv6 works fine to internet from pfsense, but not from LAN devices.:
@Bob-Dig It should be "Track Interface", no it doesn't have to be set to "Track Interface"
Until something changes... Track should be the safer setting for DHCPv6 in my opinion.
-
@s_d Think Zen may have had an issue with the DHCP6 DUID.
Changed the DUID type, did a save then changed the DUID type back, effectively creating a new DUID-LLT and it's now working as it should with the PD set to /48.
-
@s_d Would someone mind sharing what other settings are required to get clients to pick up an address? I seem to have a valid address on the WAN side but my LAN clients aren't getting anything. Any help appreciated. Thanks (Zen customer too)
-
Clients rely on router advertisements to learn the LAN prefix and they append the suffix to it. Run Packet Capture, filtering on icmpv6, to see if you have them. You could also run Wireshark on a computer to do the same thing.
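An added example, not part of the thread or of pfSense itself: once the capture shows a Router Advertisement, this Python sketch parses its ICMPv6 bytes (RFC 4861 layout) and checks the things the thread turns on, namely whether a /64 with the autonomous flag is advertised and whether it sits inside the delegated prefix. The function names are illustrative, and the addresses are constructed from the 2001:db8::/32 documentation range rather than taken from any poster's allocation.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861), starting at the ICMPv6 type byte."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp[5] & 0x80),   # M flag: addresses via DHCPv6
          "other": bool(icmp[5] & 0x40),     # O flag: other config via DHCPv6
          "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
          "prefixes": []}
    pos = 16                                  # options follow the fixed 16-byte header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, pflags = icmp[pos + 2], icmp[pos + 3]
            net = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": net, "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40)})
        pos += opt_len
    return ra

def check_ra(ra: dict, delegated: str) -> list:
    """Return reasons why LAN clients would not get a routable SLAAC address."""
    pd = ipaddress.IPv6Network(delegated)
    problems = []
    if ra["router_lifetime"] == 0:
        problems.append("router lifetime 0: not offered as a default gateway")
    if not ra["prefixes"]:
        problems.append("no Prefix Information option: nothing to build an address from")
    for p in ra["prefixes"]:
        if not (p["autonomous"] and p["prefix"].prefixlen == 64):
            problems.append(f"{p['prefix']}: SLAAC needs the A flag and a /64")
        if not p["prefix"].subnet_of(pd):
            problems.append(f"{p['prefix']}: outside delegated prefix {pd}")
    return problems

def sample_ra(prefix: str, ra_flags: int = 0xC0, prefix_flags: int = 0xC0) -> bytes:
    """Constructed RA bytes for the demo (checksum left at 0, not validated here)."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, prefix_flags, 86400, 14400, 0)
    return header + option + net.network_address.packed

if __name__ == "__main__":
    ra = parse_ra(sample_ra("2001:db8:1234:10::/64"))
    print(ra, check_ra(ra, "2001:db8:1234::/48"))
```

An empty list from `check_ra` means the LAN side is advertising correctly, which points the investigation upstream, at the prefix delegation lease and its routing, as happened earlier in this thread.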