HE Tunnel, pfSense gateway rejecting internal addresses
-
I have a HE tunnel set up and from an internal router on the LAN side I can reach the outside world via IPv6. However, all other internal addresses are rejected by the IPv6 WAN side with an ICMPv6 Destination Unreachable message to the Internet side from the HE tunnel client IPv6 address (i.e. the address on my GIF tunnel local address).
Note my internal router is doing NPT from an internal prefix to the /64 prefix provided by the HE tunnel.
Any suggestions? I did follow the Netgate guide and have been through a few times to check it.
2.5.2-RELEASE (amd64)
FreeBSD 12.2-STABLE
Thanks in advance,
Jeff
-
@jbannister said in HE Tunnel, pfSense gateway rejecting internal addresses:
2.5.2-RELEASE (amd64)
Yeah, sure, that might have been an issue back then.
A suggestion was offered a long time ago, but not useful ( ? ) to you ?
Check here : https://www.pfsense.org/download/ : you're missing a lot of bug fixes. You're using ancient software.
Btw : a GIF tunnel from a router chained to a router chained to a router (... etc ... ) is possible and not an issue. The IPv4 'tunnel' (not really IPv4 traffic, it's the 6in4 protocol that's being used) has to be able to go 'out' to the he.net POP.
Your WAN IP should be
This is your WAN IP : http://checkip.dyndns.org and that's the one that should be registered here : and he.net will only accept your IP if it answers to ping (ICMPv4).
@jbannister said in HE Tunnel, pfSense gateway rejecting internal addresses:
Note my internal router is doing NPT from an internal prefix to the /64 prefix provided by the HE tunnel.
I've used he.net for many years.
I don't know what you mean. Never needed 'NPT'.
I've used the pfSense GIF connection to he.net.
My pfSense is behind an ISP router, that, in the past, routed the protocol '6in4' just fine.
-
@gertjan Thanks for your reply & assistance.
Yes I have now updated:
2.6.0-RELEASE (amd64)
FreeBSD 12.3-STABLE
Still same issue.
Anyway I will go back to the start and try to fix. Here's the cap file for your info:
Capture.gif0.pcap
The Source Address: 2001:470:36:318:9592:f7f7:c90c:26c2 is a client on my internal network. This ping doesn't work and the pfSense interface (gif0) rejects it saying "Destination Unreachable" (2001:470:35:318::2 is the Client IPv6 Address given by HE).
The Source Address: 2001:470:36:318::101 is my internal router on the LAN. This ping does work!
Jeff
-
How can a client obtain an address like this :
@jbannister said in HE Tunnel, pfSense gateway rejecting internal addresses:
2001:470:36:318:9592:f7f7:c90c:26c2 is a client
You have used this : Configuring IPv6 Through A Tunnel Broker Service
where the LAN side of things asks you to set up a pool of IPv6 like :
Enter a range of IPv6 IP addresses inside the new LAN IPv6 prefix
Like :
2001:470:36:318:1::2 => 2001:470:36:318:1::100
I don't understand where your "2001:470:36:318:9592:f7f7:c90c:26c2" comes from.
You're not using SLAAC, are you ?
@jbannister said in HE Tunnel, pfSense gateway rejecting internal addresses:
"Destination Unreachable" (2001:470:35:318::2 is the Client IPv6 Address given by HE).
I presume 2001:470:35:318::2 is the pfSense side of the GIF tunnel.
You should be able to ping that IP from pfSense itself (using IPv6 ping, right !) - and also from pfSense, Diagnostics > Ping selecting LAN as a ping source, and 2001:470:35:318::2 as a destination.
2001:470:35:318::1, the other side, should also work.
If you have the default LAN firewall rule on the LAN interface, IPv6 should pass.
-
@gertjan said in HE Tunnel, pfSense gateway rejecting internal addresses:
I don't understand where your "2001:470:36:318:9592:f7f7:c90c:26c2" comes from.
You're not using SLAAC, are you ?
I am using SLAAC on the internal network from the LAN router to allocate out a Unique Local net address (so the net address is nice and simple: fd08:1::/64). Then at the router, I am using NPT (NAT66) to change the prefix to the one given by HE (2001:470:36:318::) so the lower 64 bits are created by the internal clients (in Linux, based on the MAC).
@gertjan said in HE Tunnel, pfSense gateway rejecting internal addresses:
I presume 2001:470:35:318::2 is the pfSense side of the GIF tunnel.
Yes it is
@gertjan said in HE Tunnel, pfSense gateway rejecting internal addresses:
You should be able to ping that IP from pfSense itself (using IPv6 ping, right !) - and also from pfSense, Diagnostics > Ping selecting LAN as a ping source, and 2001:470:35:318::2 as a destination.
2001:470:35:318::1, the other side should also work.
Yes, all of these work, as does a ping to the IPv6 address of my internal router.
@gertjan said in HE Tunnel, pfSense gateway rejecting internal addresses:
If you have the default LAN firewall rule on the LAN interface, IPv6 should pass.
These are my LAN rules:
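The addressing scheme described in the post above (SLAAC with MAC-derived EUI-64 interface identifiers on the ULA fd08:1::/64, then an NPT prefix rewrite to the HE routed 2001:470:36:318::/64) can be modelled in a few lines. The script below is an added illustration, not code from the thread, from pfSense or from Hurricane Electric. It assumes NPT is a plain prefix swap, as the poster describes it; a checksum-neutral NPTv6 translator (RFC 6296) additionally adjusts one 16-bit word of the host part, which is not modelled here. The MAC address is a constructed sample; the prefixes and the observed client address are the ones quoted in the thread.

```python
"""Model SLAAC (EUI-64) addressing on a ULA /64 followed by an NPT prefix
rewrite, and check whether an observed address carries an EUI-64 marker.
Added example, not part of the forum thread."""
import ipaddress

ULA_PREFIX = "fd08:1::/64"            # internal ULA prefix quoted in the thread
HE_PREFIX = "2001:470:36:318::/64"    # HE routed /64 quoted in the thread
OBSERVED = "2001:470:36:318:9592:f7f7:c90c:26c2"  # client address from the capture


def eui64_iid(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC address."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    # Insert ff:fe in the middle and flip the universal/local bit of the first octet.
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address = /64 prefix + EUI-64 IID (a client without privacy extensions)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def npt_translate(addr, src_prefix, dst_prefix) -> ipaddress.IPv6Address:
    """Rewrite the network prefix and keep the host bits unchanged.
    Simplified NPT: no RFC 6296 checksum-neutral adjustment (assumption)."""
    address = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(src_prefix)
    dst = ipaddress.IPv6Network(dst_prefix)
    if address not in src:
        raise ValueError(f"{address} is not inside {src}")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPT needs equal-length prefixes")
    host_bits = int(address) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host_bits)


def looks_eui64(addr) -> bool:
    """True if bytes 3-4 of the interface identifier are ff:fe, the EUI-64 marker.
    A False result suggests a privacy (RFC 4941) or stable-privacy IID instead."""
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFF_FFFF_FFFF_FFFF
    return (iid >> 24) & 0xFFFF == 0xFFFE


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC, not from the thread
    inside = slaac_address(ULA_PREFIX, mac)
    outside = npt_translate(inside, ULA_PREFIX, HE_PREFIX)
    print(f"{inside} -> {outside}  EUI-64: {looks_eui64(outside)}")
    print(f"{OBSERVED}  EUI-64: {looks_eui64(OBSERVED)}")
```

Two points the model makes visible: the host part of the internal address survives the prefix rewrite unchanged, so an EUI-64 identifier (and with it the client's MAC) is exposed in the public address, which is why privacy extensions exist; and the client address quoted in the thread has no ff:fe marker in its identifier, so it was not built from a MAC in the EUI-64 way, consistent with a privacy or stable-privacy identifier.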
-
@Gertjan it must be something with my internal router as if I set another machine there with a static IP, it can reach the Internet no issue. I will investigate further.
Thanks for your help.
-
SLAAC .... NPT ....
Never used these, as they are 'not needed' ( ? )
I followed the pfSense documentation as mentioned above, and was a happy IPv6 user for many years.
I advise you to validate the pfsense documentation. There is no SLAAC, even as it promises beautiful things. No NPT.
This boils down to : set up a DHCPv6 server on every LAN - with a pool, so you can static DHCP map, as in the old DHCPv4 days, your devices.
I'm saying this without any in-depth knowledge, but : as soon as I read NPT, there are issues .... so, it must be a complex thing.
And I tend to keep things "simple", especially my Ethernet networks and everything that is related to it.