Problems getting IPv6 working
-
pfSense+ 23.09.1-RELEASE on a Netgate 1100
Trying to enable IPv6. My understanding is that my ISP is using DHCPv6-PD.
In System/Advanced/Networking I have "Allow IPv6" checked, and also "Prefer IPv4 over IPv6" for now until things are working satisfactorily. The issues described below also happen when "Prefer IPv4 over IPv6" is unchecked.
In Interfaces/WAN, "IPv6 Configuration Type" is "DHCP6". "Use IPv4 connectivity as parent interface" is checked, "DHCPv6 Prefix Delegation size" is set to "62", and "Send IPv6 prefix hint" is checked.
In Interfaces/LAN, "IPv6 Configuration Type" is set to "Track Interface", "IPv6 Interface" is set to "WAN", and "IPv6 Prefix ID" is set to "0".
After making those changes, I triggered a reboot.
In Status/Interfaces, for WAN I see a global-scope IPv6 Address, "Subnet mask IPv6" is 128, and "Gateway IPv6" is a link-scope IPv6 address.
For LAN I see a global-scope IPv6 Address and "Subnet mask IPv6" is "64". WAN and LAN global-scope IPv6 addresses have different prefixes from each other.
In Status/Gateways, there is a new IPv6 gateway and it is showing "online".
From SSH on pfSense, I can ping ipv6.google.com successfully, and "curl -6 ipv6.google.com" returns an HTML document.
Now, on a Linux PC connected to the LAN:
- An IPv6 address has been allocated and the prefix matches the prefix from the pfSense LAN interface
- Appropriate IPv6 routes are in place
- I can ping the pfSense LAN link-scope address from the Linux box successfully
- Trying to ping the pfSense LAN global scope address from the Linux box fails (no response)
In Status/System Logs/Firewall I can see that the ICMPv6 requests from the Linux box are being blocked.
If I create an EasyRule, then the ping from the Linux box is successful.
Not surprisingly, trying to ping ipv6.google.com from the Linux box also doesn't work.
It's as though some default firewall rules for IPv6 are missing.
Any suggestions for a solution or further debugging?
-
@mvuille
Did you choose your default gateway IPv6 in system routing?
-
@YannTKO
Yes, I did, but forgot to include that in the original post.
-
@mvuille said in Problems getting IPv6 working:
"DHCPv6 Prefix Delegation size" is set to "62"
Is that the correct number? That would allow only 4 /64s. 56 is often used.
In Status/Interfaces, for WAN I see a global-scope IPv6 Address, "Subnet mask IPv6" is 128, and "Gateway IPv6" is a link-scope IPv6 address.
For LAN I see a global-scope IPv6 Address and "Subnet mask IPv6" is "64". WAN and LAN global-scope IPv6 addresses have different prefixes from each other.
Entirely normal.
For a basic LAN, I didn't have to set up any firewall rules. What did you add?
-
- What did you set up in router advertisements?
- Do you use SLAAC or DHCPv6?
-
@YannTKO said in Problems getting IPv6 working:
- What did you set up in router advertisements?
Nothing, didn't know about that one.
- Do you use SLAAC or DHCPv6?
For the clients on the LAN, SLAAC.
-
@mvuille said in Problems getting IPv6 working:
router advertisement
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6-ra.html
-
@JKnott said in Problems getting IPv6 working:
Is that the correct number? That would allow only 4 /64s. 56 is often used.
I believe that my ISP supports 56, but I only need three subnets, including one future, so picked 62 intentionally.
Entirely normal
Yes, I presume prefix in WAN is ISP's and prefix in LAN is the one delegated to me.
For a basic LAN, I didn't have to set up any firewall rules. What did you add?
I only created one briefly for testing, to confirm that it would resolve the ping issue.
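To make the /62 versus /56 discussion above concrete, here is an added Python example (not code from the thread or from pfSense) that computes how many /64s a delegation yields and which /64 a "Track Interface" LAN gets for a given IPv6 Prefix ID, then checks whether a client's SLAAC address falls inside it. The delegated prefix and client address are constructed sample values; the Prefix ID is given in hex, as in the pfSense UI.

```python
import ipaddress


def usable_prefix_ids(pd_len: int) -> int:
    """Number of /64 subnets a delegation of length pd_len can be split into.

    A /62 yields 4 (Prefix IDs 0..3); a /56 yields 256 (0..ff).
    """
    if not 1 <= pd_len <= 64:
        raise ValueError("delegation must be /64 or shorter")
    return 2 ** (64 - pd_len)


def tracked_lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """The /64 a tracking interface receives for a given IPv6 Prefix ID.

    The Prefix ID is placed in the bits between the delegated length and
    bit 64, i.e. it selects one of the /64s inside the delegation.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    limit = usable_prefix_ids(pd.prefixlen)
    if not 0 <= prefix_id < limit:
        raise ValueError(
            f"prefix ID {prefix_id:#x} out of range for /{pd.prefixlen} "
            f"(valid: 0..{limit - 1:#x})"
        )
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def prefix_id_is_valid(delegated: str, prefix_id: int) -> bool:
    """True if prefix_id fits inside the delegation, False otherwise."""
    try:
        tracked_lan_prefix(delegated, prefix_id)
        return True
    except ValueError:
        return False


def check_client(lan_prefix: ipaddress.IPv6Network, client_addr: str) -> dict:
    """Classify a LAN client's address relative to the tracked /64."""
    addr = ipaddress.IPv6Address(client_addr)
    return {"in_lan_prefix": addr in lan_prefix, "link_local": addr.is_link_local}


if __name__ == "__main__":
    pd = "2001:db8:1234:abc0::/62"  # constructed sample delegation
    print(usable_prefix_ids(62), "subnets from a /62")
    lan = tracked_lan_prefix(pd, 0x0)  # Prefix ID 0, as in the thread
    print("LAN prefix:", lan)
    print(check_client(lan, "2001:db8:1234:abc0:1a2b:3c4d:5e6f:7a8b"))
```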
-
@YannTKO
Thanks!
I have configured the RA with Router Mode as Unmanaged, but I am still unable to ping the pfSense global-scope LAN address from the Linux box.
I don't think the lack of RA would make a difference there.
And I don't understand why, but the IPv6 address and routes were correct on the Linux box even without RA.
-
It looks like the ping part of the issue is a red herring.
I looked at the firewall rules in /tmp/rules.debug and it appears that the firewall only allows Echo Request/Reply to/from link-scope addresses.
For another test, I ran "curl -6 ipv6.google.com" again on the Linux box on the LAN.
On pfSense, using tcpdump, I can see the traffic from the Linux box arriving at the LAN interface.
But I do not see any corresponding traffic showing up on the WAN interface.
Looking at the firewall logs, I can see that all the traffic from the Linux box is being blocked.
-
To close this out...
Apparently a firewall rule has to be manually added to allow IPv6 traffic to pass between the LAN and the WAN. And I completely missed that requirement in my "research".
Having added said rule, things are working swimmingly.
Thanks for your patience and sorry for the noise.