Netgate Discussion Forum
    IPv6 and /etc/resolv.conf

    Category: Cache/Proxy
    28 Posts 4 Posters 3.1k Views
    • JonathanLee

      Hello fellow pfSense users and community members, can you please help?

      I have noticed that the resolv.conf file seems to be missing the IPv6 loopback.

      For pure IPv6 to function inside of the Squid proxy, should this also contain a loopback for IPv6? While researching I have noticed the dns_nameservers directive for Squid utilizes this file.

      Currently, I could not get IPv6-only clients to function with Squid; however, they would function if I removed Squid from the equation, hence I isolated it to a Squid configuration issue for DNS resolving, as the errors are 409 errors. Dual-stack clients do not have this issue; it is as if the system only accepts requests from IPv4 to IPv6 websites. Therefore IPv6-only clients cannot access web traffic, but IPv4 clients can access IPv6 sites. If I make an any/any rule, IPv6 clients can access anything, so it is not pfSense that is configured wrong, it is the Squid package.

      I suspect that for IPv6-only clients you must also utilize the dns_nameservers directive.

      Has anyone else seen this?


      Make sure to upvote

      • JonathanLee

        As quoted from Squid: The Definitive Guide (O'Reilly) by Duane Wessels:

        "By default, squid sends DNS queries to the name servers listed in the /etc/resolv.conf file. If you want squid to use a different set of name servers, you must specify them with this directive."

        • johnpoz LAYER 8 Global Moderator @JonathanLee

          @JonathanLee why would you think that what you're talking to locally for DNS, when something asks your proxy to go to somewhere.domain.tld, would have to talk to IPv6 link-local or some other IPv6 DNS to work?

          You can for sure resolve AAAA over IPv4.. There is little need for your local-to-local communication to use IPv6 to resolve DNS.

          Sure, your IPv6-only client can talk to the proxy via IPv6.. But how the proxy actually looks up somewhere.domain.tld that the client is asking for sure doesn't have to also be done over IPv6, be that the proxy just asking the local DNS on the machine it's running on, or some other NS not on the host the proxy is running on.. It just needs to be able to talk to it.

          But yeah, if they are going to start adding ::1 as a local NS, they should probably show that in resolv.conf as well.. There have been a few threads lately related to that new ::1 you see in the NS listed in pfSense on the widget, and timeouts, etc. in the web diag DNS lookup GUI, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          • JonathanLee @johnpoz

            @johnpoz thanks for the reply. Currently it will not work with the current configuration, and I suspect that it has to do with DNS, as it will show 409 errors for IPv6-only clients. My question now is: I'm attempting to utilize this directive and I don't know what else to put in there so that the system will use this socket.

            ::1:53?

            fe80:

            dns_nameservers 127.0.0.1 192.168.1.1 2001:redacted:192::

            If I remove Squid, IPv6 clients work perfectly; I suspect it has to do with the resolver settings inside of Squid.

            Just for a quick test, what would you put in there for that directive?

            • Uglybrian

              Here is what I get.

              • johnpoz LAYER 8 Global Moderator @JonathanLee

                @JonathanLee what is that even from? If you're going to show some info, you need to state where you got that info..

                All that is IPs to 53 (DNS) and 853 (DoT).

                Is that your client trying to go there?

                Again, that would have ZERO to do with what is in your resolv.conf - because clearly your resolv.conf only has 127.0.0.1 and none of that is going there - so clearly it didn't read it from your resolv.conf file.

                • JonathanLee @johnpoz

                  @johnpoz That is from Diagnostics / Sockets, showing that pfSense is listening on the DNS port.

                  • johnpoz LAYER 8 Global Moderator @JonathanLee

                    @JonathanLee again, so? What does that have to do with the price of tea in China, or your issue? Let's see.. oh yeah, nothing ;)

                    • JonathanLee @johnpoz

                      @johnpoz I can't get Squid to resolve IPv6-only to IPv6;

                      it resolves IPv4 to IPv6 only.

                      I see the attempts hit the proxy on IPv6 and go to 409 errors. So I showed the sockets to help isolate that there is in fact something listening on IPv6.

                      Everything is set; if I use no proxy it works pure IPv6.

                      • johnpoz LAYER 8 Global Moderator @JonathanLee

                        @JonathanLee Why are you even setting a DNS when your client is explicitly pointing to a proxy?

                        When a client points to a proxy explicitly, it's not the one doing DNS..

                        Where did you come up with that address for DNS? :: would be the network address more than likely.. Not a host address..

                        2001:xxxx:xxxx:192::/64 or 2001:xxxx:xxxx:192:0:0:0:0 is the wire, not a host.

                        Can pfSense even talk to the internet via IPv6? Can you ping, say, ipv6.l.google.com, which resolves to 2607:f8b0:4009:819::200e?

                        Those are all 443 sites it's trying to go to.. so you're splicing? This thread doesn't belong in IPv6 - it belongs in the proxy section, moving...

                        • johnpoz moved this topic from IPv6
                        • JonathanLee @johnpoz

                          @johnpoz Thanks for the reply. To me, IPv6 is like a new motorcycle that you want to test out on every path.

                          Ping6 with dual stack enabled, pfSense Plus 24.03:

                          You mention that I can't point to the network.. did I assign the interface subnets incorrectly?

                          Did I configure the /48 subnet into 2 networks incorrectly on the static assignments on the interfaces? Should it not be the wire?

                          • JonathanLee @johnpoz

                            @johnpoz Why is it allowing me to assign the full wire and/or network to the interface as a host address? If it allows this, that could cause issues with other items also; should this be part of error handling? What is weird is that it works, everything works like this. Could something be spoofed and have the wire address assigned to it? That could cause confusion..

                            Should the interface static address be the wire, or the prefix with ::10 or something? If I do subnet::1 I lose my full DHCP range.

                            • johnpoz LAYER 8 Global Moderator @JonathanLee

                              @JonathanLee Man, it's been a while since I've done anything with this, because I just use an actual host address, ::253, which lines up with my IPv4 address on the pfSense interface.

                              But I believe all zeros like that, ::, is considered the anycast address with IPv6. And I believe it is valid, which is why they don't throw up a warning..

                              I believe RFC 5375 is what you probably want to look at..

                              I would think a "proxy" would want a normal unicast address.

                              Maybe that is causing you some issues? And I think there is something when doing splits and differences in the NS used by the proxy and the client..

                              If it were me, I would put a normal unicast host address on your interface.. I am not a big proxy user; I used to do it for a living back in the day.. Ran global web filtering for a Fortune 500 company.. And have used pretty much every proxy under the sun.. But I got out of that many years ago and really only do actual networking now. Routing and switching..

                              Reason I moved this to the proxy section: this isn't specifically an issue with IPv6 in routing or firewalling or even DNS.. You more than likely will find someone else here doing proxy with IPv6 that will be better help than me.

                              • JonathanLee @johnpoz

                                @johnpoz thanks that helps a ton.


                                I was using all zeros :(

                                • johnpoz LAYER 8 Global Moderator @JonathanLee

                                  @JonathanLee so it's working now? Yeah, that is kind of a good idea, use the port you're using for proxy ;) hahah

                                  I believe I have mentioned this before.. I line up the IPv6 addresses I do use on my network (play and test) to match..

                                  So my IPv6 /48 from HE, 2001:470:xxxx:xxxx::/48, I turn that into my /64 by making the 5th segment match, so my /64 would be:

                                  my LAN IP 192.168.9.253/24
                                  2001:470:xxxx:xxxx:9::253/64

                                  Another segment of mine,
                                  my DMZ IP 192.168.3.253/24
                                  2001:470:xxxx:xxxx:3::253/64

                                  My Roku VLAN 192.168.7.253/24
                                  2001:470:xxxx:xxxx:7::253/

                                  etc.. My main PC on my LAN is
                                  192.168.9.100/24
                                  2001:470:xxxx:xxxx:9::100/

                                  • JonathanLee @johnpoz

                                    @johnpoz how do you assign a DHCP range, if you don't mind me asking? I set my interface to end in :1 and my range was all messed up.

                                    "For example, use 2001:db8:1111:2222::1 for the LAN IPv6 address if the Routed /64 is 2001:db8:1111:2222::/64."

                                    "Enter a range of IPv6 IP addresses inside the new LAN IPv6 prefix"

                                    So in my case:
                                    2001:xxx:xxxx::192:: - 2001:xxxx:xxxx:192:ffff:ffff:ffff:ffff

                                    I want 2001:xxxx:xxxx:192:168:1:1:a for my interface, so I could set my range as
                                    2001:xxx:xxxx:192:168:1:: -
                                    2001:xxx:xxxx:192:168:1:ffff:ffff

                                    I am going to have to recreate all my static assignments now.

                                    • JonathanLee @johnpoz
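                                    As an added example (not code from any poster in this thread), a small Python script that applies the addressing scheme johnpoz describes above (derive the /64 and the host from the /48 by mirroring the IPv4 third and fourth octets as hex digits), flags an interface address whose interface ID is all zeros (the Subnet-Router anycast address johnpoz mentions), and checks a DHCPv6 pool like the one JonathanLee sketches against the interface's own address. The /48 is a constructed documentation prefix, not anyone's real allocation.

```python
import ipaddress

# Constructed placeholder /48 from the RFC 3849 documentation range, not a real HE allocation.
PREFIX_48 = "2001:db8:1234::/48"


def derive_v6_for_v4(prefix48: str, v4_iface: str) -> tuple[str, str]:
    """Apply the scheme from the thread: the decimal digits of the IPv4 third octet
    are reused as the 4th hextet (selecting the /64) and the digits of the last
    octet as the final hextet of the interface ID, so 192.168.9.253/24 under
    2001:db8:1234::/48 becomes 2001:db8:1234:9::/64 with host ...:9::253."""
    net48 = ipaddress.IPv6Network(prefix48, strict=True)
    if net48.prefixlen != 48:
        raise ValueError("scheme expects a /48 prefix")
    v4 = ipaddress.IPv4Interface(v4_iface)
    # Digit mimicry, not numeric conversion: octet 253 -> hextet 0x253.
    third = int(str(v4.ip.packed[2]), 16)
    fourth = int(str(v4.ip.packed[3]), 16)
    # The 4th hextet occupies bits 79..64 of the 128-bit address.
    net64 = ipaddress.IPv6Network((int(net48.network_address) | (third << 64), 64))
    host = ipaddress.IPv6Address(int(net64.network_address) | fourth)
    return str(net64), f"{host}/64"


def is_subnet_router_anycast(iface_addr: str) -> bool:
    """True when the interface ID is all zeros within the prefix, i.e. the
    Subnet-Router anycast address (RFC 4291 section 2.6.1). It is valid on the
    wire, which is why pfSense accepts it, but it is not a plain unicast host
    address and is a poor choice for a proxy listener."""
    iface = ipaddress.IPv6Interface(iface_addr)
    return iface.network.prefixlen < 128 and iface.ip == iface.network.network_address


def dhcp6_range_ok(iface_addr: str, start: str, end: str) -> bool:
    """Sanity-check a DHCPv6 pool: both ends inside the interface's prefix,
    start <= end, and the interface's own address not inside the pool."""
    iface = ipaddress.IPv6Interface(iface_addr)
    lo, hi = ipaddress.IPv6Address(start), ipaddress.IPv6Address(end)
    in_prefix = lo in iface.network and hi in iface.network
    return in_prefix and lo <= hi and not (lo <= iface.ip <= hi)


if __name__ == "__main__":
    for v4 in ("192.168.9.253/24", "192.168.3.253/24", "192.168.7.253/24"):
        print(v4, "->", derive_v6_for_v4(PREFIX_48, v4))
    print(is_subnet_router_anycast("2001:db8:1234:192::/64"))    # all-zero IID
    print(is_subnet_router_anycast("2001:db8:1234:192::a/64"))   # normal unicast host
    # Pool that contains the interface address itself: rejected.
    print(dhcp6_range_ok("2001:db8:1234:192:168:1:1:a/64",
                         "2001:db8:1234:192:168:1::",
                         "2001:db8:1234:192:168:1:ffff:ffff"))
```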

                                      @johnpoz same issue with the recommendations. I went as far this time as to disable IPv4 on the proxy server itself and get a pcap file; it is like the proxy doesn't know where to forward the traffic. It is weird.

                                      • johnpoz LAYER 8 Global Moderator @JonathanLee

                                        @JonathanLee well, a couple of things I notice about what you listed there with your 409 errors. They are all CNAMEs, and they have round-robin answers on the CNAME, i.e. multiple IPs.

                                        And I can tell you right now that the foxnews one is never going to work because it doesn't have an IPv6 address. So no, if you're trying to do IPv6 with that, it's never going to work..

                                        My opinion with IPv6 and proxy, just like normal IPv6, is that it's not really ready for prime time.. There are vast amounts of major player sites that don't even have IPv6 versions. You're going to run into issues - how the client normally handles it is dual stacked, and for something that doesn't have IPv6 it uses IPv4.. it makes the switch on its own.. etc..

                                        When doing splice you can have issues with the host name not matching, etc..

                                        You could also be running into issues with the browser doing DoH on its own.. And getting different responses for DNS, etc..

                                        https://docs.netgate.com/pfsense/en/latest/troubleshooting/squid.html#sites-not-loading-with-splice-error-409-in-access-log

                                        Personally, if you really want to proxy, I wouldn't even allow clients to use IPv6.. It's not like it's a requirement or anything.. Can you name one major resource that requires IPv6? Just 1?? Not talking about some guy's personal website he is hosting only on IPv6 because his ISP doesn't have IPv4 address space to give to clients or they use CGNAT, etc.

                                        • Gertjan @johnpoz

                                          @johnpoz said in IPv6 and /etc/resolv.conf:

                                          Can you name one major resource that requires IPv6? Just 1??

                                          Let me think .... => got it: Humanity !?! 😊

                                          No "help me" PM's please. Use the forum, the community will thank you.
                                          Edit: and where are the logs??

                                          • JonathanLee

                                            Thanks for the clarification, because it works perfectly with dual stack. This was more of a "can I make some clients IPv6-only". But when in dual stack it only works IPv4 clients to IPv6 sites and never IPv6 to IPv6. I enabled pure IPv6 and Squid terminates with this error..

                                            The error it shows when I activate IPv6-only mode (not dual stack) is:

                                            Error: no forward proxy ports configured

                                            Squid terminated

                                            The errors in the pcap act like they require UDP 443; I have DoH blocked for the major DoH servers. Again, that is like whack-a-mole. The IPv6-only setup works once the proxy is removed, so the error is isolated to Squid. I have tested old packages and they seem to have the same issues. I was reading it might require SLAAC enabled, and I currently have it set to managed. I might test this out today. The goal is to have it work with IPv6-only mode and proxy traffic.

                                            Some users also added this to the configuration:

                                            acl localnet src fc00::/7
                                            acl localnet src fe80::/10
