No IPv6 WAN connectivity on pfSense box itself -- LAN works fine.
-
Does your WAN interface have a GUA or just a link local address? If link local, you may have to ping from a different interface that has a GUA.
-
@jknott hi! It does have a GUA, yes — that 2a0e:… address which the ping is originating from.
(at least to my understanding… I’m still picking up v6 knowledge as I go, so apologies if I’m getting anything wrong here!)
-
@displaced Maybe try it via the webinterface and show your "settings".
-
Also a packet capture on the WAN interface might help.
-
Yeah, that would be a global address. Global Unique addresses start with 2 or 3, but I haven't seen one starting with 3 yet. Try running Packet Capture on the WAN interface, filtering on ping, to see what's happening.
-
Okay, so...
I've run a capture, and I see packets going out, but nothing coming back:
21:04:11.156914 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1440, length 9
21:04:11.680851 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1441, length 9
21:04:12.193973 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1442, length 9
21:04:12.705116 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1443, length 9
21:04:13.219222 IP6 2a0e:xxxx:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1444, length 9
And I've kept an eye on the firewall logs whilst that was running. Nothing was being logged.
Here's the info from my Status > Interfaces page. I think it all looks fine, but would appreciate another pair of more-IPv6-savvy eyes on it if someone wouldn't mind!
WAN
  IPv6 Link Local: fe80::xxx:xxxx:xxxx:xxxx%igb0
  IPv6 Address: 2a0e:xxxx:0:65::299
  Subnet mask IPv6: 128
  Gateway IPv6: fe80::xxx:xxxx:xxxx:xxxx%igb0
LAN
  IPv6 Link Local: fe80::1:1%igb1
  IPv6 Address: 2a0e:xxxx:402:f900:2xx:xxff:fexx:xxcb
  Subnet mask IPv6: 64
Now, this might be a clue to what's going on... but I'm not clued-up enough just yet to know for sure...
When I run traceroute6 google.com from the pfSense shell, I get:
[2.6.0-RELEASE][admin@heimdall.home]/root: traceroute6 google.com
traceroute6 to google.com (2a00:1450:4009:815::200e) from 2a0e:xxxx:0:65::299, 64 hops max, 20 byte packets
 1  2a0e:xxxx:0:65::1  1.812 ms  1.986 ms  1.592 ms
 2  * *^C
Now, that first hop - 0:65::1 - that's a gateway address I think, but I'm unsure about what mechanism's providing it. It seems that pfSense doesn't know what to do when a packet arrives there, whatever!
Again, apologies if this is all basic stuff -- I'm still at the "knows enough to be dangerous" stage, trying to map what I'm seeing to what I've learned so far!
-
That /128 mask simply means that address is an identifier and can be used for things like VPNs. However, it also means it can't be used for routing. What happens if you use the LAN address to ping from? You have to use the -I <interface> option to do that.
What do packet captures of pings from other addresses or devices show?
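An added helper, not from this thread, that does by script what the capture above was read for by eye: it parses tcpdump-style ICMP6 lines, pairs each echo request with its reply, and tags every unanswered request's source with the address scope discussed here (GUA 2000::/3, link-local fe80::/10, unique-local fc00::/7). The sample capture is constructed with the 2001:db8 documentation prefix in place of the poster's masked address.

```python
import ipaddress
import re

# Constructed sample in tcpdump's "IP6 ... ICMP6" format, modelled on the thread's capture.
# 2001:db8::/32 is the documentation prefix; 2606:4700:4700::1111 is the target pinged there.
SAMPLE_CAPTURE = """\
21:04:11.156914 IP6 2001:db8:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1440, length 9
21:04:11.680851 IP6 2001:db8:0:65::299 > 2606:4700:4700::1111: ICMP6, echo request, seq 1441, length 9
21:04:11.695302 IP6 2606:4700:4700::1111 > 2001:db8:0:65::299: ICMP6, echo reply, seq 1441, length 9
21:04:12.193973 IP6 fe80::1:1 > 2606:4700:4700::1111: ICMP6, echo request, seq 1442, length 9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
                     r"echo (?P<kind>request|reply), seq (?P<seq>\d+)")
# Scope rules as stated in the thread: GUA = 2000::/3 (first digit 2 or 3),
# link-local = fe80::/10, unique-local = fc00::/7.
SCOPES = [("link-local", ipaddress.IPv6Network("fe80::/10")),
          ("unique-local", ipaddress.IPv6Network("fc00::/7")),
          ("global", ipaddress.IPv6Network("2000::/3"))]

def address_scope(addr):
    """Classify an IPv6 address; a '%igb0' zone suffix is ignored."""
    ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"

def unanswered_echo_requests(capture_text):
    """Echo requests with no matching reply (reply B->A seq N answers request A->B seq N)."""
    requests = {}          # (src, dst, seq) -> timestamp, in capture order
    answered = set()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue       # not an ICMPv6 echo line (e.g. NDP); ignore
        seq = int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], seq)] = m["ts"]
        else:
            answered.add((m["dst"], m["src"], seq))
    return [{"ts": ts, "src": src, "dst": dst, "seq": seq,
             "src_scope": address_scope(src)}
            for (src, dst, seq), ts in requests.items()
            if (src, dst, seq) not in answered]

if __name__ == "__main__":
    for r in unanswered_echo_requests(SAMPLE_CAPTURE):
        print(f"{r['ts']} seq {r['seq']} from {r['src']} ({r['src_scope']}): no reply")
```

Feed it the output of Packet Capture on WAN (ICMPv6 filter) to see at a glance whether every request goes out unanswered, and whether the source is a GUA or only a link-local address.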
-
@jknott Thanks for your help!
So, pinging from the LAN interface gives:
[2.6.0-RELEASE][admin@heimdall.home]/root: ping6 -I igb1 google.com
PING6(56=40+8+8 bytes) 2a0e:xxxx:402:f900:2e0:67ff:fe2d:90cb --> 2a00:1450:4009:81f::200e
ping6: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
ping6: sendmsg: No route to host
ping6: wrote google.com 16 chars, ret=-1
I'll run the captures this evening once I'm done at work!
-
@jknott What could you do if all you have is an LL or UL address if there weren't global addresses for the firewall itself? :O
My ISP only hands out delegations it seems, and on its interface the firewall only gets a link-local address if DHCP6 is used, and a unique-local one if SLAAC is used.
But in the past, pfSense has gotten a global address on that interface, and the ISP-loaned ONTs and modems do get a global address in addition to a delegated prefix. Maybe there's some special config. :/
-
@skilledinept
If you want to connect to the firewall with a VPN, etc., you can use another interface address, such as the LAN.
Perhaps if you mentioned your ISP, someone else might be able to help.