So close on IPv6 yet so far away - Can't get to internet over IPv6 despite everything seeming to be in place.
-
I am trying to get my LAN IPv6 to route properly over my WAN IPv6 and seem to be running into a wall.
I can ping IPv6 addresses from the wan interface of the firewall using Diagnostics -> ping but I can do the same with the LAN interface.
If this is something obvious I apologise; I just can't seem to formulate the right question to find the answer.
Version info:
pfSense CE 2.7.2
ISP info
Rogers (former Shaw)
Using DHCPv6 to pull IPv6 successfully
With "Request a IPv6 prefix/information through the IPv4 connectivity link" enabled
With "DHCPv6 Prefix Delegation size" set to none (I know that Rogers doles out /128 prefix addresses; I can see this with other clients who use FortiGate routers to do IPv6), so I can't specify a proper prefix.
PfSense is coming up with a gateway address from Link-Local (fe80::201:XXXXX:XXXX:8445%vmx0)
Gateway monitoring says it is up even if I put in a Public IPv6 address to verify with.
LAN info
I am using Kea DHCP on the LAN to dole out 2001:XXXX:XXXX:8e01::/64 addresses
Systems are getting addresses properly but when I look at the IPv6 Gateway on my systems they come back with another Link-Local address which I think is weird. On my Fortinet Clients this would come back as the IPv6 address of the LAN interface.
I can ping other IPv6 addresses on my LAN.
I can ping the IPv6 interface on the firewall.
I can ping the IPv6 address on the WAN.
I cannot ping any public IPv6 address.
External hosts can ping my public IPv6 address.
I have an IPv6 rule in the firewall for outbound traffic that seems to be working as far as I can tell. The counters are going up.
So I don't know where to look next. This feels like a routing issue with the weird gateway address, but I can't seem to figure out what to do next.
UPDATE: So I turned on logging on the IPv6 rule and it is not recording traffic from the LAN to the internet, but to an OpenVPN tunnel I also have on this firewall. Irritatingly enough, traffic works over the VPN just fine, just not from my internal LAN to the Internet.
-
Is your modem in bridge mode? That's what you need for pfSense to handle IPv6 properly. I don't know what modem you have, but with Rogers modems it's trivial to switch to bridge mode. As soon as you login to the modem, the button is right in front of you.
BTW, unless you have a specific need for DHCP, you're better off using SLAAC, as thanks to some genius at Google, Android devices won't work with DHCPv6.
-
The modem is definitely in Bridge Mode
I operate with a static IPv4 assigned by my ISP.
Rogers does not provide static IPv6 addresses, and as I mentioned earlier I am getting an IPv6 address successfully using DHCPv6.
When I switch to SLAAC I get no IPv6
-
Here's Rogers' pfSense configuration. How does it compare with what you have?
-
Have you enabled DHCPv6 and router advertisements? Does your DNS server list contain some IPv6 servers to resolve with? Does your LAN have IPv6 also assigned to it?
-
@JKnott
Changes made to WAN as per your recommendation
I am still getting the same IPv6 address as before.
Changes made to LAN as per your recommendation
Eventually I do get a LAN IPv6 address to show, but as expected it is an address of external origin.
Since I think the ISP is providing me the range? Is the takeaway from this: you can't run a different internal range for IPv6 than the external range, or you can't route on pfSense? That seems wrong.... :(
Worse yet is the results when I test the implementation.
https://www.whatismyip.com/ gives me my device's IPv6, not the external IPv6 of my firewall. Feels like I'm hanging my bum out on the internet for all to see rather than directing them to the firewall, but maybe I'm just being sensitive.
-
Yes indeed. The setting changes recommended by @JKnott did work, I'm just pouting about having the IPv6 range dictated inside my network, but I can get over that.
DHCPv6
Router Advertisement
DNS
Yes on LAN IPv6
Also IPv6 is not turned off on the firewall
-
Change the DHCPv6 delegation size to 56 or whatever your ISP provides. With 64 you'll only get a single /64. I just realized 64 was from back in the days when Rogers only offered a single /64. Now they provide a /56. I have corrected that link.
Eventually I do get a LAN IPv6 address to show, but as expected it is an address of external origin.
Since I think the ISP is providing me the range? Is the takeaway from this: you can't run a different internal range for IPv6 than the external range, or you can't route on pfSense? That seems wrong.... :(
Yes, you will get public IP addresses, which is what the Internet gods intended, before NAT messed things up.
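A worked example of what the delegation size discussed above means in practice, added here and not code from the thread, from Netgate or from Rogers. It uses Python's standard `ipaddress` module and a constructed /56 in the IPv6 documentation range (2001:db8::/32) as a stand-in for the ISP's delegated prefix; the `DELEGATED_56` and `DELEGATED_64` values, the `lan_subnets`, `subnet_id` and `static_host` helper names, and the `8e01` LAN segment are all assumptions for illustration. It shows why a delegation size of 64 leaves you with exactly one /64, how a /56 yields the 00->ff range of 256 LAN prefixes mentioned later in the thread, and how a deterministic static host address inside a delegated /64 can be picked for the firewall interface and other statically addressed systems.

```python
import ipaddress
from typing import List

# Constructed example: a /56 delegation in the IPv6 documentation range
# (2001:db8::/32), standing in for the prefix an ISP hands out via DHCPv6-PD.
# Not a real Rogers prefix.
DELEGATED_56 = "2001:db8:abcd:8e00::/56"
# What a "DHCPv6 Prefix Delegation size" of 64 gives you: a single /64.
DELEGATED_64 = "2001:db8:abcd:8e01::/64"


def lan_subnets(delegated_prefix: str, lan_prefix_len: int = 64) -> List[str]:
    """Split a delegated prefix into the networks available for LAN segments."""
    net = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if lan_prefix_len < net.prefixlen:
        raise ValueError("LAN prefix must be at least as long as the delegated prefix")
    return [str(subnet) for subnet in net.subnets(new_prefix=lan_prefix_len)]


def subnet_id(lan_subnet: str, delegated_prefix: str) -> str:
    """Return the hex prefix ID of a LAN /64 inside the delegated prefix.

    The ID is the run of bits between the delegated prefix length and the
    LAN prefix length. For a /56 that is 8 bits, i.e. the 00->ff range;
    for a /64 delegation there are no ID bits at all, so the only value is 0.
    """
    lan = ipaddress.IPv6Network(lan_subnet, strict=True)
    delegated = ipaddress.IPv6Network(delegated_prefix, strict=True)
    if not lan.subnet_of(delegated):
        raise ValueError(f"{lan_subnet} is not inside {delegated_prefix}")
    id_bits = lan.prefixlen - delegated.prefixlen
    # Drop the interface-identifier bits, then keep only the ID bits.
    shifted = int(lan.network_address) >> (128 - lan.prefixlen)
    width = max(1, (id_bits + 3) // 4)  # hex digits needed to show every ID
    return format(shifted & ((1 << id_bits) - 1), f"0{width}x")


def static_host(lan_subnet: str, host_number: int) -> str:
    """Pick a deterministic host address in a LAN segment (e.g. ::1 for the firewall).

    Useful when the delegated prefix is known: the low bits stay stable even
    if the ISP later hands out a different prefix, so only the prefix changes.
    """
    lan = ipaddress.IPv6Network(lan_subnet, strict=True)
    if not 0 < host_number < lan.num_addresses:
        raise ValueError("host number outside the subnet")
    return str(lan.network_address + host_number)


if __name__ == "__main__":
    subnets = lan_subnets(DELEGATED_56)
    print(f"{DELEGATED_56} gives {len(subnets)} LAN /64s, "
          f"prefix IDs {subnet_id(subnets[0], DELEGATED_56)}->{subnet_id(subnets[-1], DELEGATED_56)}")
    print(f"{DELEGATED_64} gives {len(lan_subnets(DELEGATED_64))} LAN /64")
    print("firewall LAN address:", static_host(DELEGATED_64, 1))
```

Running it prints the 256 vs. 1 comparison and the ::1 address for the LAN interface; the same functions apply unchanged to a real delegation once you substitute the prefix pfSense shows on the WAN status page.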
-
@JKnott
I guess I will have to adapt to the new way of things. Thanks for all your help!
-
Delete these two hardcoded DNS entries:
you don't need them.
And the day your ISP decides to give you another prefix, you've broken DNS ...
-
So you are aware, I am running Windows domain controllers at this site. I modified them as required for the prefix provided by the earlier steps.
DNS is working just fine
Back here I left myself some IPs for use on static devices.
And I'm using this IPv6 address as the gateway address on the statically assigned systems.
-
All screens look fine to me.
IPv6 uses 'prefixes' for the LANs, your ISP has 00->ff = 256 available.
Can't see if that worked out fine, as you've hidden them ^^
Where I have a difference:
where the third gateway is my OpenVPN server, so that's valid.
But my WAN has an IPv4 and IPv6 mode DHCP. I don't understand your LAN gateway ... nor the 3 (?) WAN gateways.
You have DHCP for IPv4 and DHCP6 for IPv6 - so the first two are the correct ones.
Btw, just for fun: don't ping 2001:4860:4860::8888 (and 8.8.8.8 and 8.8.4.4) as that's a DNS server IP. Not a ping answering machine.
The day 'they' decide not to answer to a ping because this costs them a lot of bandwidth, and bandwidth == expensive, they will shut down the ping answer. Result: your networks go down.
Solution: ping a nearby ISP-based IPv4 and IPv6 upstream device that answers to ping.
You pay your ISP (right?): they are paid to answer to your traffic, your pings, so your pfSense can "test" the connection.
Imagine the situation: Google 8.8.8.8 goes down. As a result, half the planet will lose its Internet connection (as dpinger will detect the ping loss, and continuously restart the WAN interface).
That will be the day I will be ROFL all day long.
It happened: remember Facebook being down all day?
-
@Gertjan
Thank you for the reply. In the end it was pfBlocker that was causing the problem. I didn't have to change any configuration, since it was not blocking anything. But I turned it off and on... now it all works.
I will try and find the correct pings to monitor. Not really sure, but I will ask the ISP. Thanks.
-
@br8bruno said in So close on IPv6 yet so far away - Can't get to internet over IPv6 despite everything seeming to be in place.:
Not really sure, but I will ask the ISP
They will ask you to execute a traceroute to, for example, 8.8.8.8.
The second, third, maybe fourth IP listed is theirs: one of their devices. Pick any of these, as long as they answer to ping.
Further on, you'll find the main 'highway Internet core routers'.
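A worked example of the traceroute-based selection described in the last two posts (pick an upstream ISP hop rather than a public DNS anycast address as the dpinger monitor target), added here and not code from the thread or from pfSense. It parses the output of FreeBSD-style `traceroute` / `traceroute6`, keeps only hops in the suggested range that actually answered, drops anything that is link-local, loopback, private or CGNAT space, drops the destination itself, and returns the lowest-latency survivor as the monitor candidate. The two sample traces are constructed with documentation addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 2001:db8::/32) and do not describe any real network; the `monitor_candidates` and `best_monitor_ip` names are assumptions.

```python
import ipaddress
import re
from statistics import mean
from typing import List, Optional, Tuple

# Constructed sample traces (documentation addresses; not a real path to Google).
SAMPLE_TRACEROUTE_V4 = """\
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 40 byte packets
 1  192.0.2.1 (192.0.2.1)  0.512 ms  0.401 ms  0.388 ms
 2  * * *
 3  198.51.100.17 (198.51.100.17)  9.123 ms  8.876 ms  9.001 ms
 4  198.51.100.65 (198.51.100.65)  11.204 ms  10.998 ms  11.371 ms
 5  203.0.113.9 (203.0.113.9)  15.102 ms  14.877 ms  15.330 ms
 6  8.8.8.8 (8.8.8.8)  16.004 ms  15.912 ms  16.110 ms
"""

SAMPLE_TRACEROUTE_V6 = """\
traceroute6 to 2001:4860:4860::8888 (2001:4860:4860::8888) from 2001:db8:abcd:8e00::2, 64 hops max, 28 byte packets
 1  fe80::1%vmx0  0.611 ms  0.502 ms  0.498 ms
 2  2001:db8:ffff::1  8.912 ms  8.700 ms  8.845 ms
 3  * * *
 4  2001:db8:ffff:1::9  12.330 ms  12.101 ms  12.476 ms
 5  2001:4860:4860::8888  16.220 ms  16.004 ms  16.301 ms
"""

# Ranges that make poor monitor targets: not reachable from the public side,
# or belonging to the local segment rather than the ISP.
NOT_USABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
DEST_RE = re.compile(r"\bto \S+ \(([^)]+)\)")
RTT_RE = re.compile(r"([\d.]+) ms")


def _hop_address(rest: str) -> Optional[ipaddress._BaseAddress]:
    """Extract the responding address from a hop line, or None if it timed out."""
    if rest.startswith("*"):
        return None
    paren = re.search(r"\(([^)]+)\)", rest)
    token = paren.group(1) if paren else rest.split()[0]
    token = token.split("%", 1)[0]  # strip a link-local zone such as %vmx0
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def monitor_candidates(trace: str, first_hop: int = 2, last_hop: int = 4) -> List[Tuple[int, str, float]]:
    """Return (hop, address, mean RTT ms) for usable hops in [first_hop, last_hop]."""
    dest_match = DEST_RE.search(trace)
    destination = ipaddress.ip_address(dest_match.group(1)) if dest_match else None
    candidates = []
    for line in trace.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        if not first_hop <= hop <= last_hop:
            continue
        addr = _hop_address(rest)
        if addr is None or addr == destination:
            continue
        if any(addr in net for net in NOT_USABLE if net.version == addr.version):
            continue
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        candidates.append((hop, str(addr), mean(rtts) if rtts else float("inf")))
    return candidates


def best_monitor_ip(trace: str, first_hop: int = 2, last_hop: int = 4) -> Optional[str]:
    """Lowest-latency usable ISP hop, or None when nothing in range answered."""
    cands = monitor_candidates(trace, first_hop, last_hop)
    return min(cands, key=lambda c: c[2])[1] if cands else None


if __name__ == "__main__":
    for label, trace in (("IPv4", SAMPLE_TRACEROUTE_V4), ("IPv6", SAMPLE_TRACEROUTE_V6)):
        print(label, "candidates:", monitor_candidates(trace))
        print(label, "suggested monitor IP:", best_monitor_ip(trace))
```

Feed it the real output of `traceroute -n 8.8.8.8` and `traceroute6 -n 2001:4860:4860::8888` run from the firewall; the returned address goes into the gateway's "Monitor IP" field. The hop window defaults to 2-4 per the advice above, and unanswered hops (`* * *`) are skipped so that a filtering ISP router never becomes the monitor target.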