IPv6 Issues since upgrading
-
@stephenw10 said in IPv6 Issues since upgrading:
You must have a globally routable IPv6 address somewhere though.
Yes, I can understand that and I can ping IPv6 addresses from pfSense but not from any of the LAN clients. The LAN clients do have IPv6 addresses. I enabled "Do not wait for RA" in the WAN DHCP6 Options and this is how my system looks now.
[2.7.0-RELEASE][admin@pfSense.localdomain]/root: ifconfig re0
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: WAN
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:e0:4c:68:1b:b2
        inet6 fe80::2e0:4cff:fe68:1bb2%re0 prefixlen 64 scopeid 0x1
        inet6 2402:7940:f000:200::111 prefixlen 128
        inet 103.85.37.84 netmask 0xfffffc00 broadcast 103.85.39.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
[2.7.0-RELEASE][admin@pfSense.localdomain]/root:
The IPv6 gateway address shown for the WAN gateway in the GUI does not appear in the ifconfig results. Surely something is wrong here.
-
The gateway would be in the routing table not the ifconfig output. The only time you'd see it there is if it's a point to point connection like ovpn or ppp.
Can you ping out from pfSense's LAN side IPv6 address? If you can but not from clients it's probably a missing firewall rule. If not it's probably a missing route.
-
@stephenw10 said in IPv6 Issues since upgrading:
The gateway would be in the routing table not the ifconfig output.
OK, that makes sense. Here's the netstat output:
[2.7.0-RELEASE][admin@pfSense.localdomain]/root: netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            103.85.36.1        UGS         re0
1.1.1.1            103.85.36.1        UGHS        re0
10.0.8.0/24        link#7             U        ovpns2
10.0.8.1           link#4             UHS         lo0
10.10.10.1         link#4             UH          lo0
103.85.36.0/22     link#1             U           re0
103.85.36.1        link#1             UHS         re0
103.85.37.84       link#4             UHS         lo0
127.0.0.1          link#4             UH          lo0
192.168.10.0/24    link#2             U           re1
192.168.10.1       link#4             UHS         lo0

Internet6:
Destination                             Gateway                        Flags     Netif Expire
default                                 fe80::9a49:25ff:fe0c:6d8b%re0  UGS         re0
::1                                     link#4                         UHS         lo0
2001:4860:4860::8888                    fe80::9a49:25ff:fe0c:6d8b%re0  UGHS        re0
2402:7940:f000:200::111                 link#4                         UHS         lo0
2402:7940:f021:2900::/56                link#2                         U           re1
2402:7940:f021:2900:2e0:4cff:fe68:1bb3  link#4                         UHS         lo0
fe80::%re0/64                           link#1                         U           re0
fe80::2e0:4cff:fe68:1bb2%lo0            link#4                         UHS         lo0
fe80::%re1/64                           link#2                         U           re1
fe80::1:1%lo0                           link#4                         UHS         lo0
fe80::2e0:4cff:fe68:1bb3%lo0            link#4                         UHS         lo0
fe80::%lo0/64                           link#4                         U           lo0
fe80::1%lo0                             link#4                         UHS         lo0
fe80::%ovpns2/64                        link#7                         U        ovpns2
fe80::2e0:4cff:fe68:1bb2%lo0            link#4                         UHS         lo0
[2.7.0-RELEASE][admin@pfSense.localdomain]/root:
@stephenw10 said in IPv6 Issues since upgrading:
Can you ping out from pfSense's LAN side IPv6 address?
Not sure what you mean here. If I log into pfSense via SSH I get replies with "ping -6 google.com". However I cannot ping from any LAN Clients that do have IPv6 addresses. Any ideas appreciated.
-
But can you ping out from pfSense using the LAN address as source?
It could be whatever is upstream from pfSense does not have a route for that /56 it's passing.
-
@stephenw10 said in IPv6 Issues since upgrading:
But can you ping out from pfSense using the LAN address as source?
I'm sorry @stephenw10 but I still don't understand. Can you give me an example?
-
Like this:
-
@stephenw10 - Yep, here are the results.
PING google.com (142.250.66.238) from 192.168.10.1: 56 data bytes
64 bytes from 142.250.66.238: icmp_seq=0 ttl=121 time=6.247 ms
64 bytes from 142.250.66.238: icmp_seq=1 ttl=121 time=6.232 ms
64 bytes from 142.250.66.238: icmp_seq=2 ttl=121 time=6.627 ms

--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 6.232/6.369/6.627/0.183 ms
So I need to find the issue with the LAN clients not being able to ping IPv6 addresses.
EDIT: And the IPv6:
PING6(56=40+8+8 bytes) 2402:7940:f021:2900:2e0:4cff:fe68:1bb3 --> 2404:6800:4006:810::200e
16 bytes from 2404:6800:4006:810::200e, icmp_seq=0 hlim=121 time=6.173 ms
16 bytes from 2404:6800:4006:810::200e, icmp_seq=1 hlim=121 time=6.171 ms
16 bytes from 2404:6800:4006:810::200e, icmp_seq=2 hlim=121 time=6.723 ms

--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 6.171/6.356/6.723/0.260 ms
-
Ok so pings from the /56 delegated subnet work so upstream routing is fine. And pfSense knows that subnet is on the LAN. So as long as you have firewall rules to allow it clients should be able to ping out from an address in that subnet.
Check the firewall logs for blocked traffic.
Check the clients have a default v6 route via the pfSense LAN.
-
@stephenw10 said in IPv6 Issues since upgrading:
Check the firewall logs for blocked traffic.
Check the clients have a default v6 route via the pfSense LAN.
Thank you @stephenw10 for your assistance. I will do some checking.
Can you explain how the clients get a v6 route? I have DHCPv6 Server disabled as that is what my ISP told me.
Once again, I appreciate your time.
-
They should see it via router advertisements. If they are getting an IP in that subnet then SLAAC must be working so I'd expect them to get a gateway/route.
Not sure why your ISP told you to disable the dhcpv6 server though. You should be able to use both.
-
@stephenw10 said in IPv6 Issues since upgrading:
If they are getting an IP in that subnet then SLAAC must be working so I'd expect them to get a gateway/route.
This is a typical Windows PC that can't connect to v6 addresses.
Wireless LAN adapter WiFi:

   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Qualcomm Atheros QCA61x4A Wireless Network Adapter
   Physical Address. . . . . . . . . : D8-C4-97-8B-1F-56
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f2e3:d343:2681:34fe%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.182(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, 2 August 2023 9:00:55 AM
   Lease Expires . . . . . . . . . . : Wednesday, 2 August 2023 11:00:49 AM
   Default Gateway . . . . . . . . . : fe80::2e0:4cff:fe68:1bb3%9
                                       192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 114869399
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-DD-48-A7-D8-C4-97-8B-1F-56
   DNS Servers . . . . . . . . . . . : 192.168.10.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
-
It doesn't have a routable IPv6 address from the /56 subnet so.... it can't work.
Did you also disable router advertisements on the LAN? That needs to be enabled.
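The checks walked through in this thread (default IPv6 route on the router, delegated prefix routed to the LAN, client holding an address inside that prefix), as an added example that is not part of the original posts. The function names are hypothetical and the sample inputs are constructed from the outputs posted above; `re1` as the LAN interface is taken from the routing table in the thread.

```python
import ipaddress

# Constructed sample: three rows from the Internet6 section of `netstat -rn` above.
NETSTAT_INET6 = """\
default                    fe80::9a49:25ff:fe0c:6d8b%re0  UGS  re0
2402:7940:f021:2900::/56   link#2                         U    re1
fe80::%re1/64              link#2                         U    re1
"""
# Constructed sample: the only IPv6 address the Windows client reported.
CLIENT_ADDRS = ["fe80::f2e3:d343:2681:34fe%9"]


def parse_routes(text):
    """Return (destination, gateway, netif) tuples from Internet6 routing rows."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            routes.append((fields[0], fields[1], fields[3]))
    return routes


def lan_prefix(routes, lan_if):
    """Find the on-link, non link-local prefix routed to the LAN interface."""
    for dest, gateway, netif in routes:
        # Skip host routes, scoped (fe80::%if) entries and other interfaces.
        if netif != lan_if or "/" not in dest or "%" in dest:
            continue
        if not gateway.startswith("link#"):
            continue
        net = ipaddress.ip_network(dest, strict=False)
        if net.version == 6 and not net.is_link_local:
            return net
    return None


def diagnose(routes, lan_if, client_addrs):
    """List what is missing for a LAN client to reach IPv6 destinations."""
    findings = []
    if not any(dest == "default" for dest, _, _ in routes):
        findings.append("router has no default IPv6 route")
    prefix = lan_prefix(routes, lan_if)
    if prefix is None:
        findings.append("no delegated prefix routed to the LAN")
        return findings
    # Strip the zone index (%9, %re1) before parsing client addresses.
    addrs = [ipaddress.ip_address(a.split("%")[0]) for a in client_addrs]
    if not any(a in prefix for a in addrs):
        findings.append(f"client has no address inside {prefix}: check RA/DHCPv6 on LAN")
    return findings
```

With the sample inputs, the only finding is the missing client address in the /56, which matches the diagnosis in the post above.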
-
@stephenw10 said in IPv6 Issues since upgrading:
Did you also disable router advertisements on the LAN? That needs to be enabled.
Is this what you mean?
-
Yes. Try enabling the dhcpv6 server again though.
-
@stephenw10 - That has done the trick, many thanks. I never thought about enabling the DHCPv6 Server as my ISP, and others I've seen, said to keep it disabled. Here's an extract from what my ISP says:
22. Go to Services, DHCPv6 Server & RA
23. Make sure on the first page (DHCPv6 server) the box is unticked – you do not want to enable the DHCPv6 server on the LAN.
24. Select the router advertisements tab on that page.
25. Change router mode to: Assisted – RA Flags [managed, other stateful], Prefix Flags...
26. Router priority set to Normal (it should already be preset to that – if not, change it to normal).
27. Leave everything else on that page blank.
-
@poppadum said in IPv6 Issues since upgrading:
The gateway IPv6 address shown doesn't seem to be valid for interface pppoe0:
I'm not sure where it's getting that gateway address from - it's set to dynamic in the web interface.
After a bit more investigation I've discovered that the default gateway address pfSense is picking up is actually at my ISP's end and is correct.
My problem seems to be exactly the same as @jordanp123 has: pfSense is not adding a default ipv6 route:
[2.7.0-RELEASE][admin@pfSense]/root: route -6 get default
route: route has not been found
My ISP uses PPPoE so I can temporarily fix it with
route -6 add default -interface pppoe0
But if my PPP connection drops it loses the default route again.
Looking at the output of /etc/rc.newwanipv6 when I rebooted pfSense I'm seeing a few Gateway, NONE AVAILABLE errors:
Aug 2 10:12:39 pfSense php-fpm[368]: /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Aug 2 10:12:39 pfSense php-fpm[368]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:8b0:1111:1111:0:ffff:51bb:1aef) (interface: wan) (real interface: pppoe0).
Aug 2 10:12:39 pfSense php-fpm[368]: /rc.newwanipv6: Removing static route for monitor 2001:8b0:1111:1111:0:ffff:51bb:1aef and adding a new route through dynamic
Aug 2 10:12:39 pfSense check_reload_status[406]: rc.newwanipv6 starting pppoe0
Aug 2 10:12:40 pfSense php-fpm[86171]: /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Aug 2 10:12:40 pfSense php-fpm[86171]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:8b0:1111:1111:0:ffff:51bb:1aef) (interface: wan) (real interface: pppoe0).
Aug 2 10:12:40 pfSense php-fpm[86171]: /rc.newwanipv6: Removing static route for monitor 2001:8b0:1111:1111:0:ffff:51bb:1aef and adding a new route through fe80::203:97ff:feba:900%pppoe0
Aug 2 10:12:41 pfSense php-fpm[86171]: /rc.newwanipv6: dpinger: status socket /var/run/dpinger_WAN_DHCP6~c91b75a6~2001:8b0:1111:1111:0:ffff:51bb:1aef.sock not found
Aug 2 10:12:41 pfSense php-fpm[86171]: /rc.newwanipv6: dpinger: status socket /var/run/dpinger_WAN_PPPOE~81.187.xxx.xxx~81.187.81.187.sock not found
Aug 2 10:12:41 pfSense php-fpm[86171]: /rc.newwanipv6: Gateway, none 'available' for inet, use the first one configured. 'WAN_PPPOE'
Aug 2 10:12:41 pfSense php-fpm[86171]: /rc.newwanipv6: Gateway, NONE AVAILABLE
Aug 2 10:12:41 pfSense php-fpm[368]: /rc.newwanipv6: The command '/usr/local/bin/dpinger -S -r 0 -i WAN_DHCP6 -B 2001:8b0:1111:1111:0:ffff:51bb:1aef -p /var/run/dpinger_WAN_DHCP6~c91b75a6~2001:8b0:1111:1111:0:ffff:51bb:1aef.pid -u /var/run/dpinger_WAN_DHCP6~c91b75a6~2001:8b0:1111:1111:0:ffff:51bb:1aef.sock -C "/etc/rc.gateway_alarm" -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 2001:8b0:1111:1111:0:ffff:51bb:1aef >/dev/null' returned exit code '1', the output was ''
Aug 2 10:12:41 pfSense php-fpm[368]: /rc.newwanipv6: Error starting gateway monitor for WAN_DHCP6
Aug 2 10:12:42 pfSense php-fpm[368]: /rc.newwanipv6: Gateway, NONE AVAILABLE
Aug 2 10:12:42 pfSense php-fpm[368]: /rc.newwanipv6: Gateway, NONE AVAILABLE
Aug 2 10:12:43 pfSense php-fpm[86171]: /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Aug 2 10:12:43 pfSense php-fpm[86171]: /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:8b0:1111:1111:0:ffff:51bb:1aef) (interface: wan) (real interface: pppoe0).
Aug 2 10:12:43 pfSense php-fpm[86171]: /rc.newwanipv6: Removing static route for monitor 2001:8b0:1111:1111:0:ffff:51bb:1aef and adding a new route through fe80::203:97ff:feba:900%pppoe0
Aug 2 10:12:45 pfSense php-fpm[86171]: /rc.newwanipv6: Gateway, NONE AVAILABLE
Aug 2 10:12:45 pfSense php-fpm[86171]: /rc.newwanipv6: Gateway, NONE AVAILABLE
Are these likely to be relevant?
-
@stephenw10 said in IPv6 Issues since upgrading:
Try enabling the dhcpv6 server
That doesn't fix the problem for me unfortunately
-
Do you have the default v6 gateway set to WAN_DHCP6 in System > Routing?
-
@stephenw10 said in IPv6 Issues since upgrading:
Do you have the default v6 gateway set to WAN_DHCP6 in System > Routing?
Both ipv4 & ipv6 gateways are set to automatic:
-
Set them both to the specific gateways and retest. See if you still see those gateway log entries.
Though since you only have one valid v4 and v6 gateway it should work in automatic.