PFsense box not routing ipv6 traffic coming from LAN into WAN until rebooted
-
My pfsense firewall is doing this weird thing where it's not routing IPv6 traffic from other clients to the internet despite assigning addresses to LAN via dhcp6 and track interface. Sometimes, it can be fixed with a reboot of the box. But other times, it doesn't fix the problem (what prompted me to write this post was that rebooting it recently actually caused the problem to start again). I can ping and access some devices on LAN through their IPv6 address. However, attempting to ping addresses outside of LAN fails unless I do it straight on the pfsense box itself.
test-ipv6.com gives a zero out of ten when it doesn't work, and a perfect score otherwise. I am using a riverbed firewall with Advantech NAMB-3250MB on Spectrum residential internet.
-
@s0ulf3re Also noticing that there seem to be a lot of denied requests to fe80 and fdee. It seems like no matter how many firewall rules I create, these keep blocking things. I'm also seeing stuff like Google's IPv6 DNS servers being blocked as a destination from a source of [fe80::d71:4755:3956:6735].
-
@s0ulf3re
I'm no expert but I do have Spectrum (with their horrible Hitron modem) and have IPV6 up and running here. I had deleted the default allow all rule on LAN and use port rules instead for all the apps and services that need internet or VLAN to VLAN access. So I basically just changed them from IPV4 rules to IPV4/IPV6 rules so that all the typical things work (https, smtp...). IPV6 relies heavily on ICMP from what I understand, so I added an allow rule up near the top of the list, allowing IPV6 ICMP ANY out from the LAN and my VLANS, to any as a test and I haven't changed it since. Maybe one day I will revisit that to only allow what is truly needed for IPV6 but I am inclined to not fix what isn't broken. FE80 is the gateway address and is needed for IPV6 functionality. If that is being blocked somehow you will have problems. The GATEWAY widget on the DASHBOARD should show the WAN_DHCP6 with the gateway fe80 address and if it is online or down...
As for the setup of IPV6 itself, I am using a mix of Windows/MAC/Android/IPAD/security cameras and doorbell junk, and found that STATELESS DHCP works fine for the Windows and MAC computers (almost everything, actually), and I leave the NON-PCs as UNMANAGED, where Android devices seem to work fine, along with my low end printers. This is one of the pluses of having VLANS, you can tailor IPV6 router advertisements based on the client. No need for DHCP6 unless it's a business and they mandate it. I stepped into that one with my IPV4 mindset early on, but gladly woke up and just use the router advertisements now. I would revisit that and see how it is set. It almost sounds like your clients are not possibly getting an IPV6 address or they are losing it and not getting it back... When they stop working in IPV6, do they still have an address? What type of clients are these?
-
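Added example, not part of either post: a small triage helper for blocked IPv6 log entries like the ones described above, sorting them by address scope so that blocks which can never be forwarded (such as a link-local source aimed at a global address) are separated from blocks that point at the rule set. The sample entries are constructed; `2001:4860:4860::8888` is assumed here as the Google DNS address, and the `fdee::` and `2001:db8::` addresses are placeholders.

```python
import ipaddress

# Address scopes that matter when reading blocked-IPv6 firewall log entries.
SCOPES = [
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),   # includes fdee::/16
    ("link-multicast", ipaddress.ip_network("ff02::/16")),
    ("global", ipaddress.ip_network("2000::/3")),
]

def scope(addr):
    """Return the scope name for an IPv6 address string."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone id like %em0
    for name, net in SCOPES:
        if ip in net:
            return name
    return "other"

def triage(src, dst):
    """Say whether a blocked src -> dst pair could ever have been routed."""
    s, d = scope(src), scope(dst)
    if d in ("link-local", "link-multicast"):
        return "on-link: stays on the local segment, never forwarded to WAN"
    if s == "link-local" and d == "global":
        return "unroutable: a link-local source cannot be forwarded off its link"
    if s == "unique-local" and d == "global":
        return "unroutable upstream: a ULA source needs a global address or prefix translation"
    if s == "global" and d == "global":
        return "routable: a block here points at the rule set or the delegated prefix"
    return "review manually"

# Constructed sample entries (source, destination).
SAMPLE = [
    ("fe80::d71:4755:3956:6735", "2001:4860:4860::8888"),
    ("fdee::5", "2001:4860:4860::8888"),
    ("fdee::5", "ff02::1"),
    ("2001:db8::10", "2001:4860:4860::8888"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE:
        print(f"{src} -> {dst}: {triage(src, dst)}")
```

Entries in the first two categories are expected noise from clients that have no usable global address yet; the last category is the one worth chasing in the LAN rules.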