only ICMP protocol works !!!
-
Good Afternoon
I have ICMP traffic on the network sending and receiving echo, however I have no http or https or ssh or any other connection, except ICMP, both from pfsense itself and from the internal network.
I have already disabled pfblocker, snort, but nothing has worked. PFsense version: 2.7.2-RELEASE (amd64) built on Wed Dec 6 17:10:00 -03 2023 FreeBSD 14.0 CURRENT
My WAN Static: 2001:XXXX:XXXX:9f00::2/56 - Pfsense
My GW Static :2001:XXXX:XXXX:9f00::1/56 - Pfsense
My LAN Static: 2001:XXXX:XXXX:ffff::3/64 - Pfsense
DHCP distributing addresses normally
Every station pings any address on the Internet, but does not browse or anything.
If anyone has a guide to give me, I would appreciate it.
-
@tchello Could be DNS, or firewall rules. Verify DNS is working and if so post your rules for LAN.
-
@SteveITS Dear Steve
My DNS is:
And my rules is:
I guess that dns is working:
-
@tchello FWIW your block rules will not trigger because they are below the allow-to-any rules. Note they are all "0/0 B".
-
@SteveITS
Yes, I agree, but I do not use these rules, and I forgot to erase them. My fault.
I think it's my provider's problem, my friend. What do you think?
-
@tchello why do you have a /56 mask on your wan? That is not how delegation works.. Did your isp tell you to put a /56 on the wan interface.. Which overlaps with your lan interface?
a /56 is not a mask you would put on an actual interface, that is a route prefix or delegation prefix not an interface prefix.
-
@tchello said in only ICMP protocol works !!!:
My WAN Static: 2001:XXXX:XXXX:9f00::2/56 - Pfsense
If they provide a WAN address, it normally has a /128 prefix length. You would also have a /64 on a link local address. You'd use the /56 to request the prefix size, if that's what the ISP provides.
-
@johnpoz
Thank you John
They gave it to me like this:
"The block was configured and the ping is ok. Please validate with the client by providing them with the configured IPs as below.
ipv6 from 2001:xxxx:xxxx:9F00::2/56
IPv6 gateway 2001:xxxx:xxxx:9F00::1
ipv6 dns server 2804:7F4:2002:1005::98
ipv6 dns server 2804:7F4:2002:1005::99"
So am I wrong in the configuration?
Sorry, I'm not experienced in setting IPv6 statically.
-
This is what the provider gave me
The following is the return:
"The block has been configured and the ping is ok. Please validate with the client by providing them with the configured IPs as below.
ipv6 from 2001:xxxx:xxxx:9F00::2/56
IPv6 gateway 2001:xxxx:xxxx:9F00::1
ipv6 dns server 2804:7F4:2002:1005::98
ipv6 dns server 2804:7F4:2002:1005::99"
-
@tchello yeah that is not right at all.. That is fine if they gave you a /56 that they route to you.. But there would be transit network.. You might sometimes see the first prefix out of the /56 as the transit.
Try setting that first prefix as /64 and then use the next prefix of /64 on your lan.
So your lan side interface would be 2001:xxxx:xxxx:9f01::1/64
That info is pretty bad.. Which is typical of ISP that really have no business doing IPv6 because they have no real clue how to do it ;)
edit:
You asked for a /56 I take it and that is the info you got. Which would work if all your devices were directly connected, but still wrong because you wouldn't use a /56 in that scenario. But some level 1 guy plugged the ticket into some ip allocation form and that is what it spit out..
-
@johnpoz
Ok John, I will do it tomorrow, I talk to u
Thanks a lot
-
@tchello not saying that will work.. But I have seen this method used before.. It's not really a good way to do it, but maybe it will work for you.. Good luck, let us know.
-
@tchello said in only ICMP protocol works !!!:
My WAN Static: 2001:XXXX:XXXX:9f00::2/56 - Pfsense
My GW Static :2001:XXXX:XXXX:9f00::1/56 - Pfsense
WAN IPv6 ....:2 and gateway ...:1 Humm, is this a Hurricane IPv6 tunnel setup ?
-
@johnpoz Good day
I did this setup
WAN: 2001:XXXX:XXXX:9F00::2 /64
LAN : 2001:XXXX:XXXX:9F01:f0ca:4 /64
ping OK!
any protocol outside this -> failed
If this setup is what you told me, then the fault is with the provider. I'm trying to contact them.
Thanks a lot brow
-
@tchello yeah like I said it could work that way.. But then again not sure what they are thinking with just giving you that info.. It is not how you would allow a user to use a /56 behind a router. Their info would be for if that /56 was directly attached, and not behind a router. Which you would never do - because it's pointless to be honest.. If you're only going to directly attach to the isp, a /64 is more than you would ever need.. And you using a /56 over a /64 gets you nothing. It defeats the whole point of /56 that you could break up into multiple /64s
To be honest since your isp seems clueless, would just use a tunnel from HE - they will give you a /48 that never changes, and even allow you to create PTRs for the space - something I highly doubt your isp would allow you to do.
Are they charging you for this /56?
-
Are they charging you for this /56?
I'm a client of theirs, have had a dedicated LP for a long time. Now I need IPv6 for many cameras that I can't access because the provider only gives me a cgnat ip. So I asked them about ipv6. They gave it to me without charge.
Here in Brazil it is known as Vivo
-
@tchello What I can tell you is the info they gave you will not work.. They have given you a /56 that is directly attached to them - not routed to you that you can use on prefixes behind a router.
And directly attaching a /56 is borked.. They need to route the /56 to you - so that you can then break up that /56s to use on your networks behind pfsense.
There needs to be a transit network to route to you - be it a /64 or a /128 or even just link-local.. But you can not put a /56 on an interface and expect it to work.
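An added example, not part of any post in this thread: a small Python check for the two addressing problems johnpoz describes, an interface carrying a prefix shorter than /64 and a WAN prefix that overlaps the LAN, plus the "first /64 as transit, next /64 on LAN" split. The addresses are constructed from the documentation prefix 2001:db8::/32, and the names `audit` and `split_plan` are hypothetical.

```python
import ipaddress

def audit(interfaces):
    """interfaces maps name -> 'address/prefixlen'. Returns a list of findings."""
    parsed = {n: ipaddress.ip_interface(v) for n, v in interfaces.items()}
    findings = []
    for name, iface in sorted(parsed.items()):
        plen = iface.network.prefixlen
        if plen < 64:
            findings.append(f"{name}: /{plen} on an interface; that length is a "
                            "routed or delegated prefix, use a /64 here")
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].network.overlaps(parsed[b].network):
                findings.append(f"{a} {parsed[a].network} overlaps "
                                f"{b} {parsed[b].network}")
    return findings

def split_plan(delegated, lan_count=1):
    """First /64 of the block as the WAN/transit link, the next ones for LANs."""
    subnets = ipaddress.ip_network(delegated).subnets(new_prefix=64)
    transit = next(subnets)
    lans = [next(subnets) for _ in range(lan_count)]
    return str(transit), [str(n) for n in lans]

# Constructed sample using the documentation prefix 2001:db8::/32,
# shaped like the addresses in the thread (not the poster's real block).
AS_DELIVERED = {"WAN": "2001:db8:0:9f00::2/56", "LAN": "2001:db8:0:9f01::1/64"}
AS_SUGGESTED = {"WAN": "2001:db8:0:9f00::2/64", "LAN": "2001:db8:0:9f01::1/64"}

if __name__ == "__main__":
    for label, cfg in (("as delivered", AS_DELIVERED), ("as suggested", AS_SUGGESTED)):
        print(label, audit(cfg) or "no findings")
    print(split_plan("2001:db8:0:9f00::/56"))
```

A clean result only shows that the local addressing is consistent; the provider still has to route the /56 toward the WAN address, which is the point made in the post above.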
-
@johnpoz
Dear John
As I suspected, the error was with the provider, after my request they solved the IPv6 problem. I am very grateful to you for your support.