Problems getting IPv6 working
-
@mvuille
Did you choose your default gateway IPv6 in system routing?
-
@YannTKO
Yes, I did, but forgot to include that in the original post.
-
@mvuille said in Problems getting IPv6 working:
"DHCPv6 Prefix Delegation size" is set to "62"
Is that the correct number? That would allow only 4 /64s. 56 is often used.
In Status/Interfaces, for WAN I see a global-scope IPv6 Address, "Subnet mask IPv6" is 128, and "Gateway IPv6" is a link-scope IPv6 address.
For LAN I see a global-scope IPv6 Address and "Subnet mask IPv6" is "64". WAN and LAN global-scope IPv6 addresses have different prefixes from each other.
Entirely normal
For a basic LAN, I didn't have to set up any firewall rules. What did you add?
-
- What did you set up in router advertisement?
- Do you use SLAAC or DHCPv6?
-
@YannTKO said in Problems getting IPv6 working:
- What did you set up in router advertisement?
Nothing, didn't know about that one.
- Do you use SLAAC or DHCPv6?
For the clients on the LAN, SLAAC
-
@mvuille said in Problems getting IPv6 working:
router advertisement
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6-ra.html
-
@JKnott said in Problems getting IPv6 working:
Is that the correct number? That would allow only 4 /64s. 56 is often used.
I believe that my ISP supports 56, but I only need three subnets, including one future, so picked 62 intentionally.
Entirely normal
Yes, I presume prefix in WAN is ISP's and prefix in LAN is the one delegated to me.
For a basic LAN, I didn't have to set up any firewall rules. What did you add?
I only created one briefly for testing, to confirm that it would resolve the ping issue.
-
@YannTKO
Thanks!
I have configured the RA with Router Mode as Unmanaged.
But still unable to ping the pfSense global-scope LAN address from the Linux box.
I don't think the lack of RA would make a difference there.
And, I don't understand why, but IPv6 address and routes were correct on the Linux box even without RA.
-
It looks like the ping part of the issue is a red herring.
I looked at the firewall rules in /tmp/rules.debug and it appears that the firewall only allows Echo Request/Reply to/from link-scope addresses.
For another test, I ran "curl -6 ipv6.google.com" again on the Linux box on the LAN.
On pfSense, using tcpdump, I can see the traffic from the Linux box arriving at the LAN interface.
But I do not see any corresponding traffic showing up on the WAN interface.
Looking at the firewall logs, I can see that all the traffic from the Linux box is being blocked.
-
To close this out...
Apparently a firewall rule has to be manually added to allow IPv6 traffic to pass between the LAN and the WAN. And I completely missed that requirement in my "research".
Having added said rule, things are working swimmingly.
Thanks for your patience and sorry for the noise.