The strange story of accessing certain websites.
-
@mcury said in The strange story of accessing certain websites.:
What I think that is happening there is that one device is getting a public IPv6 from one of the providers, lets say primary link, and once the primary link goes down, the problem starts because the IPv6 in device is no longer valid but the device doesn't know it.
The theory is good, but it doesn't explain why IPv6 websites actually open on the same device while IPv4 ones don't at the same time. And... this strange loop that the traceroute showed, it only appears when IPv6 is active. I believe that there's some setting or bug responsible for this behavior. As for solving the problem by turning off IPv6, that's what I'll do for now, although it doesn't actually solve the underlying issue.
-
I've had some time to tinker with this problem a bit more. I finally figured out what's going on, at least with the browsers, and why one was working while the other wasn't.
A long time ago, I made changes to the Windows registry, specifically:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters] "DisabledComponents"=dword:00000020
It turns out that Firefox checks and uses this key, while Edge ignores it and prioritizes IPv6.
Also tried to use HE.net tunnel… again… The main issue is gone immediately, as expected, but…
Of course, it wasn't without its issues. In fact, it has more issues than the native IPv6 from the provider. For example, many sites constantly bother with security checks from Cloudflare, and some sites don't even pass these checks. This is likely due to issues with the incorrect geolocation of the address. Well, not incorrect… reliable services identify it correctly, in the same location as the IPv4, but various lists, like those from MaxMind, for example, don't update the information. And some security thinks it's a VPN… crazy...
Youtube just always stuck somewhere in the middle of the video for no reason.
That's the situation. -
@w0w said in The strange story of accessing certain websites.:
Of course, it wasn't without its issues. In fact, it has more issues than the native IPv6 from the provider. For example, many sites constantly bother with security checks from Cloudflare, and some sites don't even pass these checks. This is likely due to issues with the incorrect geolocation of the address. Well, not incorrect…
The Tunnel end points, and the he.tunnel IPv6 ISP, can be seen as a VPN ISP. After all, if it looks like a VPN and smells like a VPN, then it is a VPN.
And that's known as "non acceptable" for some sites. No really Huricane's fault, but that's how things go.
And worse : Hurricane offers their IPv6 for free. They shouldn't do that [ ].
I remember that Netflix didn't accepted any connection from "IPV Huricane" in the past, so pfBlockerng was equipped with a special "if this host name is visited, then block IPv6 = AAAA records" so I could deal with the exceptions. -
@Gertjan
That's why I'm still digging this IPV6 black hole deeper and deeper -
Black hole ?
It might be very possible that these guys https://ipv6.he.net/certification/ are one of the very few that offer 'pure' non f#ck#p up IPv6 access on the entire planet.
They actually own and exploit the word wide interconnection cables, mostly on the bottom of the seas.
I tend to think they somewhat invented the IPv6 Internet (ok, not true of course) but they are one of the few that adhere to all the IPv6 RFCs.A fact it : their access is not 'home' based, they use POPs in every country. And as such, there are some draw backs like speed and, as said above, the connection can be seen as 'VPN'.
Anyway, it us up to us right now to select the right ISP. They are all somewhat IPv4 aware these days - it took them 30 or40 years, but things got ironed out.
Now, up to us, with our choice and out wallet, to vote for the next ISP "that does things right".For me, he.net was, in the past, a no-brain solution.
I would still using them today, if it wasn't for my (and now I should be using a shipload full of angry words) current ISP that can not 'route' (firewall) (handle) protocol 4.
Yeah, great, it does '6' = TCP and '17' = UDP, and "1" = ICMP, but not "4" .... and this "4" is needed to access he.net. As the Ipv6 packets are packed into a IPv4 packet, hence the IP-in-IP or 6to4.I've called and written them, my ISP, Orange, and asked them : your first box supported 6in4, your second also. And version 3, and 4 and 5.
Then I got the box number 6, needed because it had the build in fiber ONT.
But no more 6in4 support.
Ok, this box supports IPv6, but it can only offer one (1 !) prefix. And you can't use it in any firewall rule ....
And this is called their 'Pro Box', because they think that companies have "just one LAN"Ok, so be it - I negotiated a 50 % price cut, as they only do their work "half way".
-
@Gertjan
mean my ISP IPv6, not the HE one. HE is actually very good for a free service. I am still trying to find out what is going on and why IPv4-only (Azure or Microsoft cloud, anyway) sites cannot be accessed when my ISP IPv6 is enabled. It works without pfSense in any combination, but I am still missing something to figure out what is misconfigured. -
Awesome…
Looked for PMTUD problems and analyzed them. Downloaded and tested with mtupath.
I just changed the WAN MSS from blank to 1352 and the MTU already was 1492. Gotcha! The ISP IPv6 is working fine, and sites like micron.com and https://answers.microsoft.com/en-us are opening without any errors. So… problem is solved. The question remains: Is it OK, or is PMTUD broken and needs to be fixed? -
I can't recall having to set something to MMS when using he.net. I must have left it to default : nothing entered.
MTU had to be changed (not being 1500), as this connection is 'tunneled'. -
@Gertjan
It is not HE, it is my ISP PPPoE dual stack now. For the HE I have used MTU only, set to 1472, MSS left empty. -
Check for ISP issues on WAN1 by testing with an alternative DNS server or contact the ISP to resolve potential routing issues, and ensure your pfSense and network settings are correctly configured.