Can't reach IPv6 Websites
-
I am experiencing a weird issue where I can ping any IPv6 address, but not reach some websites when IPv6 is enabled. I do NOT run into this issue with OPNsense.
To troubleshoot, I have disabled IPv4 on my workstation, and I'm using Google's DNS Server (2001:4860:4860::8888). I also made sure to ONLY test websites which have an IPv6 DNS record. Google.com loads perfectly fine, but www.ipv6-test.com does not.
Below is a traceroute for those pings:
Tracing route to google.co.uk [2a00:1450:4009:820::2003] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  2a0a::REDACTED
  2     3 ms     3 ms     3 ms  2a0a:ef40:ffff:a::1
  3     5 ms     5 ms     *     2a0a:ef40:ffff:f00::1
  4     4 ms     5 ms     5 ms  ae15-100-xcr1.slo.cw.net [2001:5000:1300:6::1]
  5     4 ms     6 ms     5 ms  ae16-xcr1.lnd.cw.net [2001:5000:0:225::1]
  6     4 ms     5 ms     8 ms  ae15-xcr1.lns.cw.net [2001:5000:0:1e9::2]
  7     5 ms     5 ms     5 ms  as15169-gw-xcr1.lns.cw.net [2001:5000:1100:7::2]
  8     5 ms     6 ms     5 ms  2a00:1450:80fc::1
  9     5 ms     5 ms     5 ms  2001:4860:0:1::248e
 10     6 ms     5 ms     5 ms  2001:4860:0:1::54d3
 11     4 ms     5 ms     5 ms  lhr25s34-in-x03.1e100.net [2a00:1450:4009:820::2003]
Trace complete.
And
Tracing route to ipv6-test.com [2001:41d0:701:1100::29c8] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  REDACTED
  2     4 ms     4 ms     3 ms  2a0a:ef40:ffff:a::1
  3     *        *        *     Request timed out.
  4    25 ms    15 ms     9 ms  tu-602.sar1.Amsterdam1.Level3.net [2001:1900:5:3::1d]
  5     7 ms     8 ms     7 ms  be103.lon-drch-pb1-nc5.uk.eu [2001:41d0::26e2]
  6    21 ms    19 ms    20 ms  2001:41d0:aaaa:100::7
  7    24 ms    20 ms    30 ms  2001:41d0:aaaa:100::7
  8     8 ms     6 ms     7 ms  2001:41d0:aaaa:100::6
  9     *       14 ms     *     be101.rbx-g3-nc5.fr.eu [2001:41d0::25f1]
 10     *        *       19 ms  fra-fr5-sbb1-nc5.de.eu [2001:41d0::25f2]
 11    19 ms     *        *     be10.fra-fr5-sbb2-nc5.de.eu [2001:41d0::2581]
 12     *        *        *     Request timed out.
 13    21 ms    19 ms    20 ms  2001:41d0:0:50::5:f945
 14    20 ms    19 ms    19 ms  2001:41d0:0:50::5:3915
 15    19 ms    19 ms    19 ms  2001:41d0:0:1:3::4881
 16    21 ms    19 ms    19 ms  2001:41d0:0:1:3::5017
 17    21 ms    20 ms    19 ms  2001:41d0:0:1:3::4aa3
 18     *        *        *     Request timed out.
 19    26 ms    21 ms    23 ms  2001:41d0:701:1100::29c8
Trace complete.
I can provide traceroutes from OPNsense or other diagnostics if it'll help.
-
Then stick with OPNsense, it is working fine here.
-
How do those tests differ when running OPN?
Try running a pcap when connecting to the site. What's failing?
I'm not aware of anything that would be different in OPN for a simple routed IPv6 connection. Do you have anything odd in that connection? PPPoE? VPN?
Steve
-
@stephenw10 It's a PPPoE connection which gets its prefix via IPv4. Both tests have run on a clean install of pfSense / OPNsense with no extra config enabled.
I have attached the http traffic for the ipv6 domain which fails. I haven't done TLS decryption on it, so let me know if that's required.
-
Was that filtered? There is only outgoing traffic shown there but there clearly is reply traffic as the connections are succeeding in terms of at least the basic handshake. For some reason the replies are not shown. Are replies coming back via some other interface somehow?
-
@stephenw10 Looking at Wireshark, it seems as though Google works via IPv6 because it's using UDP packets. Here's the TLS log for the ipv6-test website as best as I can get it. The website times out. Not included here is that a previous capture did a request for http://www.ipv6-test.com and got a "permanently moved" response directing it to https. Not sure why this response was received and https isn't.
Something of note: my LAN firewall rule for outbound WAN allows all v4 and v6 and uses "LAN Subnets" as the source. Is it possible that the v6 subnet is not included in this? Seems unlikely because ping works, and google v6 works, but just thought I'd ask.
-
@zingbats said in Can't reach IPv6 Websites:
uses "LAN Subnets" as the source
Like this (don't mind the first and second rule):
"LAN Address" includes both the LAN network (for me: 192.168.1.0/24) and whatever is needed so that "IPv6 - LAN network" passes.
It's the rule that you've found when you installed pfSense.
I've split them out into an "IPv4" and an "IPv6" version so I can see how much traffic is using each protocol.
-
'LAN subnets' should definitely include IPv6.
Things that work for UDP (and ICMP) but not TCP also point toward some routing asymmetry.
-
Issue resolved. The MTU needed to be 1500 not 1492. Thanks for the help, guys.
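The thread ends with the WAN MTU as the cause. The following is an added example (not from the thread and not pfSense or OPNsense code) that models why an MTU problem on a PPPoE link produces exactly this pattern: ping and UDP-based sites work, while a site that must deliver a full-size TCP segment (a TLS handshake over HTTPS) stalls. The packet sizes, the 1508-byte RFC 4638 access line and the function names are assumptions made for illustration.

```python
# Added example, not from the thread. Models the failure mode the thread
# converges on: an MTU mismatch on a PPPoE WAN lets small packets (ICMPv6
# echo, DNS and QUIC over UDP) through while full-size TCP segments carrying
# a TLS handshake never arrive. All packet sizes below are constructed.

ETHERNET_MTU = 1500     # bytes of payload a standard Ethernet frame carries
PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol field
IPV6_HEADER = 40
TCP_HEADER = 20         # without options
IPV6_MIN_MTU = 1280     # RFC 8200: every IPv6 link must carry at least this


def pppoe_effective_mtu(access_line_mtu: int) -> int:
    """Largest IPv6 packet a PPPoE session can carry.

    access_line_mtu is the Ethernet payload size the ISP's access line accepts.
    1500 gives the classic 1492; an ISP supporting RFC 4638 baby-jumbo frames
    (1508) lets the full 1500 survive the 8-byte PPPoE encapsulation.
    """
    mtu = access_line_mtu - PPPOE_OVERHEAD
    if mtu < IPV6_MIN_MTU:
        raise ValueError(f"{mtu} is below the IPv6 minimum link MTU of {IPV6_MIN_MTU}")
    return mtu


def tcp_mss_for(mtu: int) -> int:
    """TCP MSS a host should advertise for a given IPv6 MTU."""
    return mtu - IPV6_HEADER - TCP_HEADER


# Constructed on-the-wire sizes (IPv6 header included) for the kinds of traffic
# discussed in the thread. The TLS row is a full-size TCP segment as a server
# sends it when the peer advertised an MSS derived from a 1500-byte MTU.
SAMPLE_PACKETS = {
    "ICMPv6 echo request (ping, 56 data bytes)": 104,
    "DNS query over UDP": 100,
    "QUIC initial over UDP (padded to 1200 payload)": 1248,
    "TLS ServerHello in a full-size TCP segment": 1500,
}


def classify_packets(path_mtu: int, packets: dict) -> dict:
    """Return {name: 'passes' | 'too big'} for each packet against path_mtu.

    In IPv6 an oversized packet is never fragmented in transit: the router must
    return an ICMPv6 Packet Too Big, and if that message is lost or filtered the
    sender keeps retransmitting full-size segments and the flow stalls.
    """
    return {name: ("passes" if size <= path_mtu else "too big")
            for name, size in packets.items()}


def stalled_flows(path_mtu: int, packets: dict) -> list:
    """Names of flows whose packets exceed the path MTU."""
    return [n for n, v in classify_packets(path_mtu, packets).items() if v == "too big"]


if __name__ == "__main__":
    for line_mtu in (1500, 1508):
        mtu = pppoe_effective_mtu(line_mtu)
        print(f"access line {line_mtu} -> PPPoE IPv6 MTU {mtu}, TCP MSS {tcp_mss_for(mtu)}")
        for name, verdict in classify_packets(mtu, SAMPLE_PACKETS).items():
            print(f"  {verdict:8} {name}")
```

Running it shows the small ICMPv6, DNS and QUIC packets passing at both MTUs, while the full-size TLS segment only fits once the session carries 1500 bytes. When comparing a working and a failing firewall, the WAN MTU, the MSS seen in the SYN/SYN-ACK of a capture, and whether ICMPv6 Packet Too Big messages are allowed through are the three values worth checking first.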