Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can't ping (or pass traffic) behind pfsense

    Scheduled Pinned Locked Moved
    IPv6
    2
    6
    5.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      wiz561
      last edited by

      Hi,

      I'm attempting to configure IPv6 on my pfsense box.  My setup is a little different than most because I am not going through a 3rd party ipv4 to ipv6.  My ISP has given me the following information…

      net: 2001:<foo>:<something>:99::/64
      gw: 2001:<foo>:<something>:99::1
      range: 2001:<foo>:<something>:99::2 - FFFF

      That's all I have.  I've attempted to follow the instructions at...

      http://remcobressers.nl/2009/08/configuring-native-ipv6-pfsense/

      but it seems like they changed the address from the internal to external, and I'm not totally sure I could do that.  So, I just used the "2001:<foo>:<something>:99::2" address for the IFIN and IFOUT lines.

      I'm able to get an ipv6 address on my gateway/pfsense box and then on my workstation.  On the pfsense box, I can run ping6 and get out.  On my workstation, I can ping but I get no responses.  I'm also pinging the straight ipv6 address and not the dns name.

      I've checked and I have the forwarding in sysctl set to '1', and in the GUI, I have changed the 'allow ipv6' option to on.  I'm running pfsense 1.2.3.  The other thing that makes my setup a little more complicated is that I have two interfaces; bge0 and bge1.  On bge1, I have it setup for multiple VLAN's (vlan0, vlan1, vlan2, etc).  In the 00_config-ipv6-if.sh file, I used 'vlan0' instead of 'bge1' because I figured you want to use the interface that you want to use ipv6 on.

      So, I know that this is really new, but I was hoping to figure something out.  It seems to me as if my traffic isn't being forwarded from my vlan subnet out to the internet.

      Thanks!</something></foo></something></foo></something></foo></something></foo>

      1 Reply Last reply Reply Quote 0
      • D
        databeestje
        last edited by

        You can't use the same subnet or IP address on both interfaces.

        Normally the ISP gives you a subnet for the WAN interface of your router, e.g. <something>:99::/64. Then they direct another network to be used behind the router, e.g. <something>💯:/64.

        The most common case I see though is that they assign you a /56 or /48 to use for networks behind the router.

        Normally they use the ::1 for the gateway of the ISP, ::2 for the router that is connecting to the network and they then assign the <something>::/48 via a static route to your ::2 of the router.

        You can properly assign IPv6 addresses for native static connectivity in the 2.0 pfSense-smos git tree from the Forum welcome.</something></something></something>

        1 Reply Last reply Reply Quote 0
        • W
          wiz561
          last edited by

          Thanks for the response.  I'm brand new to IPv6 so this is an experience.

          So, it sounds like I need another address range to use behind the pfsense box.  I'll ask our networking folks to see if they could spare another range.  I guess I'm just surprised (and I'm sure I'll get questioned) as to why they gave me a /64 and I want more.

          Another question….can they route two IPv6 "subnets" on the same VLAN?  With IPv4, in my experience, each VLAN represents it's own subnet.

          Thanks!

          1 Reply Last reply Reply Quote 0
          • D
            databeestje
            last edited by

            Well, in the brave new world of IPv6 everything is routed, and nothing is using NAT.

            That means that they must provide you with networks to use behind your router, and they must setup a route in their network so that said networks find your router.

            Yes, you need a /64 subnet for each VLAN. Although it is technically possible to use smaller, some software expects a /64 and stateless autoconfig requires it.

            1 Reply Last reply Reply Quote 0
            • W
              wiz561
              last edited by

              Another newbie question….

              You can't "bridge" the interface to just pass the ipv6 traffic through?

              I know I'm thinking in terms of IPv4.  You can set the one machine to just bridge eth0 and eth1 so it just passes IP information?  I tried to assign the ipv6 address to the internal interface and keep the external one unset, but that didn't work.  I suppose I'm just shocked that you would have to assign a /64 to just one machine, then another /64 to each of  subnets behind it.  I know IPv6 address space is suppose to be massive, but that's a lot of addresses to waste for just the gateway.

              Nonetheless, thank you for the responses.  This is all new to me, and I have a feeling that we will all be seeing more of it in the near future.

              1 Reply Last reply Reply Quote 0
              • D
                databeestje
                last edited by

                The link local addressing (fe80::) will have something to do with that, so that won't work.

                I'll add bridging to the Todo

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post