LAN devices can ping IPv6 site but pfSense itself cannot
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
seemingly possible solution is to assign the only, precious /64
Or you could just not use your isp nonsense and get a free ipv6 tunnel from HE. Have had one from them since like 2011.. Once you get one it stays, so no need to worry about changing prefixes, and they also allow you to set PTR for your ipv6 space, etc.
Unless your isp gave you a /48 that never changes, not sure why anyone would deal with normally very bad ipv6 deployments designed for users that really have little clue to what an IP is in the first place and use their isp device with everything on 1 network.
-
@johnpoz HE is definitely a great service. However, since I'm uploading probably 500GB of stuff through IPv6 each month, I feel guilty for using their service for free. And didn't see any place for individual donation to HE..
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
Sure I'm fine with only one LAN has IPv6 address. Just don't know how to let the LAN use it instead of giving everything to just WAN.
I thought you said you could ping from LAN, but not WAN. If your LAN is getting a prefix, then you're good.
-
@JKnott Yes with the current setup, the LAN is able to get an IPv6 address, yet IPv6 doesn't work on pfSense OS itself though there is an IPv6 address assigned to it. This causes some troubles with, e.g., Tailscale but doesn't overall affect the usability.
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
@JKnott Yes with the current setup, the LAN is able to get an IPv6 address, yet IPv6 doesn't work on pfSense OS itself though there is an IPv6 address assigned to it. This causes some troubles with, e.g., Tailscale but doesn't overall affect the usability.
This is getting confusing. At one point you're saying you don't get a WAN address and then you do. By IPv6 address, are you referring to a link local address, which starts with fe80? Or a global address that starts with a 2?
If only a link local address, then you won't be able to do anything as that address is used just for routing. As I mentioned earlier, while some ISPs provide a global address, you don't need one.
-
It must have an IP address from the delegated /64 on the LAN interface if other devices on the LAN do and work.
What does the LAN status look like without the IPAlias on WAN?
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
causes some troubles with, e.g., Tailscale but doesn't overall affect the usability.
There is nothing in tailscale that "requires" ipv6. Do you not have a public ipv4 address?
As to HE and 500GB a month - I doubt that would even show up as a blip on their traffic graphs ;)
-
@JKnott said in LAN devices can ping IPv6 site but pfSense itself cannot:
This is getting confusing. At one point you're saying you don't get a WAN address and then you do. By IPv6 address, are you referring to a link local address, which starts with fe80? Or a global address that starts with a 2?
Sorry if the description wasn't clear. The WAN did get an IPv6 address assigned to it, 2600:xxxx:xxxx:e10::. Yet with the above setting I cannot ping any Internet IPv6 address on pfSense. The LAN interface is set to track the WAN for IPv6, and LAN devices work with IPv6. Trying to figure out how to let the WAN and LAN share the same /64.
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
Trying to figure out how to let the WAN and LAN share the same /64.
For what possible reason? Why would you think that would be a thing? Your router's wan would either just use its link-local address to route your /64 you put behind it. Or it would get some IP in a different GUA address space and still route your /64 behind it... But with the gua address on its wan - it could use that for its own traffic needs, like talking to ns via IPv6, etc. Talking to pfsense update servers to check for updates, packages, that sort of thing.
-
@left4apple said in LAN devices can ping IPv6 site but pfSense itself cannot:
Yet with the above setting I cannot ping any Internet IPv6 address on pfSense.
If you don't have a WAN global address, that is normal. If your LAN works OK, then you're good. As mentioned earlier, you have to request a WAN address, assuming your ISP will provide one. If not, don't worry about it as you don't need one.
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
Talking to pfsense update servers to check for updates, packages, that sort of thing.
Does that actually require a global WAN address? Or can the LAN address be used? You can use either for accessing pfSense from elsewhere. With the ping command, you can specify which interface to use as the source address.
-
Yes, it can just use the LAN address as source. If you have a functioning routable /64 on the LAN then just use that for pfSense. There's no need to add an address on WAN and putting an address on WAN that isn't routing correctly will only break it.
-
@stephenw10 So why would pfsense use its lan IPv6 address to talk to the internet, it wouldn't have a gateway set - it is the gateway for the devices using the PD network..
Am I missing something? I haven't played with using a tracked interface in years and years. And my wan always got a gua on its wan when I did. And pfsense used that when pfsense itself wanted to talk to something out on the internet via ipv6.
-
Its default route would have to be the link-local address on WAN. My own WAN is like that, the ISP only supplies a PD, I have no routable address on the WAN so pfSense uses the LAN address (or whatever interface it's on).
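The situation discussed above (WAN with only an fe80 link-local address, global addresses only on the PD-tracked interfaces) can be checked from `ifconfig` output. This is an added example, not code from any poster in the thread; the `ifconfig` text is a constructed sample using the documentation prefix, and the interface names `em0` (WAN), `em1` and `em2` are assumptions.

```python
import ipaddress
import re

# Constructed sample in FreeBSD `ifconfig` layout; em0 is assumed to be WAN.
SAMPLE_IFCONFIG = """\
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
\tinet6 fe80::211:22ff:fe33:4455%em0 prefixlen 64 scopeid 0x1
em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
\tinet6 2001:db8:aaaa:e10::1 prefixlen 64
em2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 2001:db8:aaaa:e11::1 prefixlen 64 tentative
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # addresses "starting with a 2" (or 3)
UNUSABLE = {"tentative", "duplicated", "detached"}  # address states that cannot source traffic


def parse_inet6(text):
    """Return [(ifname, IPv6Address, trailing_words)] for every inet6 line."""
    found, ifname = [], None
    for line in text.splitlines():
        head = re.match(r"^(\S+?):\s+flags=", line)
        if head:
            ifname = head.group(1)
            continue
        m = re.match(r"^\s+inet6\s+(\S+)\s+prefixlen\s+\d+(.*)$", line)
        if m and ifname:
            addr = ipaddress.IPv6Address(m.group(1).split("%")[0])  # drop %zone
            found.append((ifname, addr, set(m.group(2).split())))
    return found


def scope(addr):
    if addr.is_link_local:
        return "link-local"
    return "global" if addr in GLOBAL_UNICAST else "other"


def summarize(text, wan="em0"):
    """Report whether WAN has a global address and which global sources exist."""
    rows = parse_inet6(text)
    sources = [(i, str(a)) for i, a, f in rows
               if scope(a) == "global" and not (f & UNUSABLE)]
    return {
        "wan_link_local": any(i == wan and scope(a) == "link-local" for i, a, _ in rows),
        "wan_has_global": any(i == wan for i, _ in sources),
        "global_sources": sources,
    }
```

On the sample, WAN carries only a link-local address while `em1` still offers a usable global source; the tentative address on `em2` is excluded.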
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
So why would pfsense use its lan IPv6 address to talk to the internet, it wouldn't have a gateway set - it is the gateway for the devices using the PD network..
It can use any valid global address on the box. With ping, you force the source with the -I option. As @stephenw10 mentioned, the gateway is usually the link local address for it.
One thing to bear in mind is all interfaces are on the same box and it generally doesn't matter which one you use.
-
@stephenw10 ok that makes sense once you state it and think about it for a second. Thanks.
So which one does pfsense use if say you have 3 interfaces with PD on them as source IP when it wants to say check if updates from netgate? Let's say there isn't tracked on the lan but like opt3 and opt4.. What method is used to determine the source IP when no gua on the wan?
What if those interfaces are like em2 on 4 and em3 on 3 - does it use the opt number the lower interface, is there doc on how that is selected? I don't recall running across where this is talked about?
Does it use the lower prefix no matter what interface it's on? I can't believe it's random where it would use say opt1 for some traffic and opt3 for other traffic - there has to be a selection process?
-
My understanding is that it will use the closest interface to the Internet, if available. I really haven't tested this much, other than with ping. It's also easier to understand on incoming connections, as you specify which you want to connect to. On my notebook computer, there is the metric which is used to choose between LAN and WiFi, when both are connected. When it's running Linux, I can connect to either port, but not with Windows.
One thing though is all the LAN addresses that use the IPv6 prefix are reachable from outside, as all the Internet worries about is the route to the destination address, which passes through the WAN interface to the pfSense system. Another thing, which trips up a lot of people, is the WAN interface does not need a global address.
-
@JKnott but what is the method it uses to determine which is "closer" to the internet?
if say on opt3 I have the 3rd prefix out of a /56 and on opt4 I have the 2nd prefix out of that /56.. Does it always use the lower prefix? does it use the lower interface.. What is the method used to determine the source IP?
Neither of those is "closer" to the internet.. Unless you're saying it does some math and say oh this IP is "closer" to my destination address so use opt3, but this other destination address is closer to my opt4 so use that?
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
So which one does pfsense use if say you have 3 interfaces with PD on them as source IP when it wants to say check if updates from netgate? Let's say there isn't tracked on the lan but like opt3 and opt4.. What method is used to determine the source IP when no gua on the wan?
In my case, the first one. But I'm not sure if that's because it's the first interface or the lowest IP address numerically.
-
@johnpoz said in LAN devices can ping IPv6 site but pfSense itself cannot:
if say on opt3 I have the 3rd prefix out of a /56 and on opt4 I have the 2nd prefix out of that /56.. Does it always use the lower prefix? does it use the lower interface.. What is the method used to determine the source IP?
Couldn't tell you, other than specifying the interface in ping. You'll have to ask someone who knows the FreeBSD internals.