After backup-restore HW-upgrade, IPv6 traffic is no longer routed to LAN
Yesterday I set up a new Hardware box to replace an older one by installing pfSense 2.6 and restore a full backup just created on the old box.
So the only change is Hardware and hence the MAC addresses seen from the Uplink is different.
On the old box everything worked and the new box seems to upgrade correctly including packet reinstall. However, new box will not pass IPv6 traffic:
I have setup
[WS] <---LAN---> [FW] <---WAN---> [Uplink] <---Internet---> [Google.com]
When pinging google from WS using IPv4 everything works.
When pinging google from WS using IPv6 reply is not received by WS:
- tcpdumping LAN shows that ICMP requests are passing towards google
- tcpdumping WAN shows that ICMP requests AND replys are passing out and in resp.
Somehow psSense or FreeBSD rejects forwarding the reply to the LAN WS.
All routes are in place and no rules are blocking.
IPv6 TCP and UDP is processed same way as ICMP
From pfSense I can ping WS using IPv6.
From pfSense I cannot ping google.com using IPv6.
Any ideas ?
When I look in "states" in pfSense, all states shows the attempted pings and outgoing requests are counted and displayed, but ingoing packages are zero despite I can see those using tcpdump on my WAN interface. State is NO_TRAFFIC:NO_TRAFFIC for ipv6-icmp protocol. The state is the same for LAN and WAN state.
@cb831 Issue solved. Apparently my ISP had locked my WAN-MAC address for IPv6 communication but NOT for IPv4 communication.
When I set the WAN-MAC of my new firewall to the WAN-MAC of the old one - everything worked for IPv6.
For the info the uplink at my ISP is Juniper Networks and they had some problems before supporting especially FreeBSD based routers because the Juniper communication is doing some tricks that FreeBSD does not accept.
Months ago I had to add the tunable
net.inet6.icmp6.nd6_onlink_ns_rfc4861 To fix broken DHCP6 against Juniper 1
because Juniper DHCP6 answers from another IPv6 address than the edge IP.