Stuck midway through IPv6 implementation
-
Like others here, I'm attempting to learn and implement IPv6 in my homelab. I created a VLAN interface "IPv6_experiments" and routed it to a single port. I have a fresh, clean Ubuntu 24 machine connected to that port. I added a firewall rule on my LAN blocking all in and outbound IPv6 traffic, which I hope keeps my network safe while I'm "hanging my butt out on the internet" (credit @MerikFyndhorn).
I'm probably hanging on to IPv4 concepts or not understanding something critical. Here's what I know/can/cannot do so far:
1. On the test machine, I get two IPv6 addresses with prefixes that match the ISP's PD, yet no leases show in Status | DHCPv6 Leases.
2. pfSense's Diagnostics | Ping6 cannot ping from WAN to an address like google.com. (DNS returns IPv6 AAAA addresses, but all pings are lost.)
3. I do not request an IPv6 address for the WAN interface. Status | Interfaces shows only link local IPv6 for WAN. DNSv6 servers are shown.
4. The IPv6_experiments interface shows a link local and an IP. The IP is within the ISP's network, within the delegated prefix.
5. The IPv6_experiments interface shows 0 packets in, and 232 packets out (am I blocking too much traffic? Hmm.)
My first goal is to get this local IPv6 test machine to get an address (which it has), ping something, and respond to pings.
Now for my current configuration:
pfSense 2.72
Google Fiber WAN
/56 PD (from DHCPc6 log: IA_PD prefix: 2605:a601:9xx9:2xx0::/56 pltime=64800 vltime=xxxxxxxx )
IPv6 only firewall rule to pass all traffic from IPv6_experiments to all addresses & all ports (on the IPv6_experiments interface)
Here's the new interface:
WAN is configured to get a PD, but not an IPv6 address.
DHCP is enabled, and is providing DNS servers to DHCPv6 clients.
DNS is set in System - General to Cloudflare's IPv6 DNS
Router Advertisement is enabled. RA DNS options are left at the default values
-
Hi, try checking (Do not wait for a RA) and see if that helps. Also, are you resolving or forwarding your DNS?
Do you have any of these checked?
-
@Uglybrian Both options are checked.
I'm getting a /PD already and I cannot even ping using the IPv6 address, where no DNS is involved.
-
@NickyDoes Since you are using SLAAC, you will not see any activity/leases in your DHCPv6 server service (if you have set that up).
SLAAC is stateless and the client autoprovisions its own IPv6 address from the prefix announced by the Router Advertisements (which gets the prefix from the PD assigned by the ISP using DHCPv6-PD on your WAN interface).
You do not necessarily need a public IPv6 address on your WAN side interface - traffic can easily be routed using link-local between the ISP and your pfSense. That all depends on the ISP preferred method of operation.
Make sure to allow ICMPv6 on your WAN interface to WAN itself and any interface containing IPv6 clients.
Make sure to have an allow all IPv6 rule on your experiments interface - if not, you specifically need an allow ICMPv6 rule on that interface to allow ping amongst other things.
-
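An added illustration of the SLAAC point made above (this is example code, not something posted in the thread or part of pfSense): it carves per-VLAN /64s out of a delegated /56 the way pfSense does with a PD, derives the classic EUI-64 SLAAC address a client would form from a router advertisement, and classifies an observed address as link-local, inside the PD, or outside it. The prefix and MAC are constructed documentation values, not the poster's. Note that a modern Ubuntu host also adds a temporary (privacy) address with a random interface ID, which is why the test machine sees two global addresses; that address will never match the EUI-64 form, so the membership check is done on the /56 rather than on the interface ID.

```python
import ipaddress

# Constructed sample values (documentation prefix and a made-up MAC), not from the thread.
DELEGATED_PREFIX = ipaddress.IPv6Network("2001:db8:1234:ab00::/56")  # what the DHCP6 log would call the IA_PD prefix
TEST_MACHINE_MAC = "00:1a:2b:3c:4d:5e"


def vlan_subnet(pd: ipaddress.IPv6Network, vlan_index: int) -> ipaddress.IPv6Network:
    """Return the n-th /64 carved out of the delegated prefix (a /56 yields 256 of them)."""
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter to carve /64 subnets")
    count = 2 ** (64 - pd.prefixlen)
    if not 0 <= vlan_index < count:
        raise ValueError(f"vlan_index must be in 0..{count - 1}")
    # subnets() yields them in order, so the index selects the VLAN's /64 directly.
    for i, subnet in enumerate(pd.subnets(new_prefix=64)):
        if i == vlan_index:
            return subnet
    raise AssertionError("unreachable")


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 appendix A)."""
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(subnet: ipaddress.IPv6Network, mac: str) -> ipaddress.IPv6Address:
    """Stateless address a client forms from an advertised /64 plus its EUI-64 identifier."""
    if subnet.prefixlen != 64:
        raise ValueError("SLAAC address formation requires a /64 prefix")
    return ipaddress.IPv6Address(int(subnet.network_address) + eui64_interface_id(mac))


def classify(addr_str: str, pd: ipaddress.IPv6Network) -> str:
    """Label an address as seen in 'ip -6 addr' output relative to the ISP delegation."""
    addr = ipaddress.IPv6Address(addr_str)
    if addr.is_link_local:
        return "link-local"
    if addr in pd:
        return "global (inside ISP PD)"
    return "global (outside ISP PD)"


if __name__ == "__main__":
    exp_vlan = vlan_subnet(DELEGATED_PREFIX, 1)
    print("IPv6_experiments /64:", exp_vlan)
    print("EUI-64 SLAAC address:", slaac_address(exp_vlan, TEST_MACHINE_MAC))
    for sample in ("fe80::1", "2001:db8:1234:ab05:1234:5678:9abc:def0", "2001:db8:9999::1"):
        print(sample, "->", classify(sample, DELEGATED_PREFIX))
```

Running the block prints the carved /64, the EUI-64 address, and the classification of three constructed addresses; the useful check for the situation in the thread is that both client addresses fall inside the PD, which is what the poster already observed.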
You may want to change this setting
If I remember correctly, when I was setting up IPv6 from my ISP I also got a PD but no connections.
It wasn't until I checked "do not wait for RA". As soon as I did that, IPv6 started working for me.
-
Of course SLAAC isn't DHCP. IPv6 concepts are slowly making their way into my thinking.
WAN ruleset (I just added the ICMP6 allow rule)
Experimental Network ruleset
Are there other rules I should be adding for this test?
-
@NickyDoes hmm should work.
I would rethink allowing all IPv6 to the firewall on WAN - that will expose the web UI, ssh and what not to the world
Other than that, it seems strange that you cannot even ping the firewall interfaces. Can you ping the link addresses of the Experimentarium interface?
-
@NickyDoes
as @keyser said...delete that "this firewall rule". :)
do you have your pfsense behind a modem or do you have another router in front of it?
Here my internet router gets a /56 prefix. It delegates a /57 size chunk to pfSense. This is then used by pfSense for LAN and VLANs (each /64), as recommended with v6.
I do not even need that ICMPv6 rule on WAN for IPv6 to work. If I remember correctly, then by activating IPv6 those rules are set automatically... as said, could be wrong, still here no probs without THAT rule.
So, what is your experimental VLAN interface's IPv6? Does it get one? Can you ping i.e. google.com from that one (pfSense's experimental VLAN interface)?
Can you ping THAT IP from your Ubuntu? Can you ping vice versa (ping from pfSense experimental interface to Ubuntu machine)?
-
@the-other Back at it, as you saw from [this](link url) post .
Some answers:
pfSense is behind a Google fiber jack 'modem'.
I get a /56 PD per the DHCP6 log. The IPv6_experimental interface does get an IP, which fits within Google's PD.
Running a fresh Ubuntu, I cannot ping the interface IPv6 from Ubuntu. UFW is not active. Confirming my command:
ping6 <pfsense experimental VLAN IPv6 address>
responds with "Destination unreachable: Address unreachable". Note: I triple checked the 128-bit address.
The machine gets the address properly, so VLAN is working.
-
@keyser I removed that one, which I added in error, so thanks.
No, I cannot ping the Experimental interface from the machine.
-
@NickyDoes well,
you DO have a rule to allow ping?
You would need one to test that:
Interface experimental_vlan, allow / source: this exp_vlan subnet / destination: pfsense / protocol: icmp
Set that, try again, post results... please. ;)
-
Success! This issue was a layer 2 issue: I hadn't configured one VLAN switch port's VLAN ID, a simple oversight. Return traffic wasn't reaching the pfSense interface.
Whittling away the unknowns.