IPv6 testing
-
Yes, I did reboot.
I will now test on other freshly reinstalled pfSense machine.Edit: Same issue on other machine :(
-
I've been making some progress here. In my last post, I mention I had to go into the WAN interface and save it to route to the internet… The issue with "Unable to check for updates." is related I think. Over the weekend I setup a 3G Wan for failover. Because now I have gateway rules define for the LAN firewall tab, my clients can route to the internet without having to save the Wan interface config. The pfsense default gateway is getting messed up some how which causes the "Unable to check for updates" error and i'm unable to ping www.yahoo.com from pfsense but i can from the clients. When I save the WAN interface page, the pfsense default gateway is corrected, the IPv6 tunnels comes up, able to ping to ip4 websites from the shell.
The "The gateway address 2001:470:1f0a:XXXX::1 does not lie within the chosen interface's subnet." error: I recieved the same error when I follow the how-to write up. I ended up with the same error. In the how-to, we are using a /128 subnet. The gateway doesn't like this unless you put the subnet as /64. Was I changed the gif/wan interface to /64, I was able to put the gateway address in. But then this error poped up in my syslog
php: /interfaces.php: The command '/sbin/ifconfig gif0 inet6 2001:470:1f06:e7f::2 2001:470:xxxx:xxxx::1 prefixlen 64 ' returned exit code '1', the output was 'ifconfig: ioctl (SIOCAIFADDR): Invalid argument'
After the gateway was selected in the WANIPv6 interface, i changed the subnet back to /128 and the above error went away. I need to do some more testing to see if either /64 or /128 works… I left it at as /128 becuz i dont see the above error. HE.net tunnel info pages says its a /64 address...
I have to do some futher testing but I can't ping ipv6.google.com but i'm able to browse to the site(test-ipv6.com gave me 9/10, dns dont have ipv6 from my isp) if i ping ipv6.google.com from pfsense, "ping6: UDP connect: No route to host" from Windows 7, "Destination net unreachable"
Also there is a php error on the firewall rules page.. The page works, see screen shot:
-
The subnet check on the gif interface should now properly work again. Have not verified yet, gitsync your install to get it.
You also get (hopefully) working traffic counters for ipv6 traffic.
IPv6 packet counts are logged but not graphed yet.
Menu banner shows IPv6 addresses now too.
ICMP6 rules have been relaxed so that we might have a shot at getting dhcp v6 messages out.
I also added unblockable ICMP6 rules to make sure basic connectivity is never blocked.
Addition of Bogon support for IPv6 prefixes, although a tad large at 30k entriesdatabeestje great work so far!! Where can I find the traffic counters you are talking about? Under 'Status: Interfaces' the counters dont increase but 'Status: Traffic Graph' is graphing traffic.. The Interface widget on the main page shows that the WANIPv6 is up but it doesn't show the IPv6 address. 'Status: Interfaces' does sure the IP address tho.
I went to http://ipv6-speedtest.net/ to test the speed of the tunnel, wow its slow! 1m/.5m on a 50m/5m cable modem… But hey we are only testing this out to be ready for ipv6 when we will need it....
-
I'm seeing similar issues with the default route. I've gotten around it by just throwing the route in the cli.
I'm also seeing issues with rtadvd not working right, but that could be an artifact of the box having some of my crufty old IPv6 stuff hacked into it, not sure yet. I'll look more at this tomorrow.nb
-
It also appears as if soem of the other routing bits are broken. After a reboot, I had no v4 default route but it clearly showed up as there and "alive" in the status_gateways. I added that manually in the CLI just to get it working before I sleep.
nb
-
Thank you Cino, I've got it working following your instructions.
But yes as buraglio says there must be some issue with IPv4 default route. For example whenever I change something on one of the interfaces page, default IPv4 route gets lost and I have to click "Save" on WAN interface to get IPv4 route working again. Also, after each reboot you also have to click "Save" on WAN interface page to get IPv4 route working.
-
It also appears as if soem of the other routing bits are broken. After a reboot, I had no v4 default route but it clearly showed up as there and "alive" in the status_gateways. I added that manually in the CLI just to get it working before I sleep.
nb
A few other observations, it appears as if (at least on my setup) I'm getting firewall blocking the all routers multicast address, which isn't really a good thing. I have a rule that allows all ipv6 from any to any on the LAN. It would also be useful to have ndp on the boxes to view neighbor status. I can work on adding ndp when I get some time if you're interested.
-
I've noticed that with latest Beta Snapshot (built on Wed Feb 2 04:04:51 EST 2011) hitting "Save" button on WAN interface after reboot isn't needed anymore…so it looks like droping default IPv4 route is fixed.
-
Nice. I'll to an update.
-
@|DSI|:
I've noticed that with latest Beta Snapshot (built on Wed Feb 2 04:04:51 EST 2011) hitting "Save" button on WAN interface after reboot isn't needed anymore…so it looks like droping default IPv4 route is fixed.
I just updated my box and I still have hit save. It could because that I have multi-wan (3G USB for backup when i'm home and dont need it for my laptop).
-
I've been runnning pfSense 1.2.3 with a hacked config to get a IPv6 tunnnel to work for a while. Worked okay, but most of the web GUI wasn't usable anymore with the custom modified config files. Several forums, of which this one, speak joy about 2.0 beta and IPv6 tunnels through HE, so I'm trying to get it to work here. Unfortunately it does not seem to be able to set up a tunnel to HE. I've followed the walktrough exactly and don't see what I'm doing wrong.
Could somebody that did get it to work please post their ifconfig output of the WAN, LAN and GIF0 interfaces here please? Perhaps that shows what's wrong with my setup.
-
It does work with the HE tunnel. I, too, had hacked in support for it with rudimentary gui bits well over a year ago but this is far superior, even knowing that it is beta.
My guess is that you don't have a default v6 route.netstat -rn should look something like this in the v6 section:
Internet6:
Destination Gateway Flags Netif Expire
default 2001:xxx:xxx:xxx::1 UGS gif0
::1 ::1 UH lo0
2001:xxx:xxx:xxx::1 2001:xxx:xxx:xxx::2 UH gif0
2001:xxx:xxx:xxx::/64 link#1 U rl0
2001:xxx:xxx:xxx::1 link#1 UHS lo0
fe80::%rl0/64 link#1 U rl0
fe80::2e0:4dff:fe83:1569%rl0 link#1 UHS lo0Do you have an entry for "default"?
-
Do you have an entry for "default"?
I dont have a default route. When I reboot, i dont any have defaults. When I save the WAN interface, a default route is added for IPv4. I tried doing the same thing for my WANIPv6 but it doesn't create a default for IPv6.
Did you enter the route manually? If so, how did you add it for IPv6?
-
Yeah, I'm entering it manually for now. For IPv6 on the CLI enter:
route -n add -inet6 default 2001:xx:xx:xx::1
where 2001:xx:xx:xx::1 is the other side of your HE tunnel.
-
buraglio, thanks for your help. Í surely believe you IPv6 tunneling will be much better in 2.0, so I'm hoping I can get it to work like you guys.
The manual databeestje provided at his website must contain an error somewhere. It kind of jumps from the left to the right with missing the step in the middle. For example when configuring the WANIPv6 interface he all of a sudden already has a gateway while adding that is dealt with after configuring the interface. And configuring the gateway gives the address not within range error like others already have reported here. Can't believe it did work for some people. They must have done something different. I'm wondering what.
My setup indeed lacked a default route. I already tried adding it manually, but to no avail. I also saw a difference between the assigned IPv6 tunnel addresses between my hacked pfSense 1.2.3 setup and this pfSense 2.0b5 setup. Before I could add the default IPv6 route on the command line, I needed to assign the IPv6 tunnel addresses to my GIF0 at the command line first. What I did:
ifconfig gif0 inet6 2001:470:1f14:xxx::2 2001:470:1f14:xxx::1prefixlen 128
after that, I could manually add the default route for IPv6 using:
route -n add -inet6 default 2001:470:1f14:xxx::1
I can send out a ping6 to ipv6.google.com now, but it does not get a reply. Still no working IPv6 tunnel. Is there somewhere where I can look to find out why it can not connect?
Does the Gateway status page (/status_gateways.php) show the HE_NET gateway as online like on the screenshot of databeestje? Here it keeps showing gathering data.
I have attached the output of my interfaces. DE0 is my internet facing NIC. It's on a private range DMZ that connects to the outside world. So it's behind NAT. DE1 is my LAN facing NIC and GIF0 obviously is the bridge. I am able to ping the HE IPv6 gateway from the console and on the border gateway I have enabled ping echo replies. I also already tried setting the pfSense instance as the default DMZ host to see if the problem was NAT related, but no results either. Maybe something is wrong in my ifconfig?
-
Can't believe it did work for some people. They must have done something different. I'm wondering what.
You are right that some people did something different.
I was having the wrong subnet error when trying to add the gateway, so I edited the config.xml file directly using expandrive to mount the sftp as a drive and editing the file directly so I could see whether my edits were having the desired effect.
Having added the gateway manually, the tunnel came online and I was able to add the gateway to the interface WANIPv6 as is shown in the guide.
Lastly, I added the anycasted he.net ipv6 dns server to the dns server list in general.The result is a 10/10 score on http://test-ipv6.com/ and a generally fast IPv6 internet connection (20/8 mbits).
Also, lots of rebooting!
images:
(sorry about the white space)
-
iFloris, your screenshots make me jealous ;D I'm coming from the Microsoft world, so all this Linux stuff is fairly unknown territory for me. Would you be willing to help me troubleshoot? Possibly via MSN contact? In return I will put an updated howto online which will show all the steps to get it to work :)
-
Would you be willing to help me troubleshoot?
Of course I'm willing to help, but I fear that I have may have inadvertently led you to believe that I am rather more proficient at all this than I am.
As I wrote in an earlier post, I simply followed the steps that Databeestje wrote up in his howto but sidestepped the issues I ran into somewhat.
The issue that I had, was that I couldn't get past the part of the howto telling me to edit the gateway as pfSense complained that the v6 address that I entered was outside the chosen interface subnet.
I skipped that step for the time being and finished the howto. Then, I manually edited the gateway in the config.xml file on my pfSense machine and entered the proper v6 address. Having done that I was able to select the gateway in the WANIPv6 interface and the tunnel became operational.Also, I'm coming from the Mac OS X world, so all this Linux (well, BSD Unix really) stuff is fairly unknown territory for me as well!
-
No problem.. two minds always know more than one ;) I appreciate you taking the time to think along.
Where is this config.xml located? Can I simply edit it using vi at the console? Could you show me a sample of what you put in there?
Could you perhaps have a look at the screenshots I posted earlier today with the output of my network interfaces and compare those with yours? Maybe I'm missing something crucial in the interface config.
What ISP are you on anyway? I was using Alice ADSL before a month ago and my hacked pfSense 1.2.3 IPv6 setup worked like a charm on it. Took me a loooong time to get to work, but when it worked, it worked really well. Ever since I moved to Ziggo Alles in 1 Extra, only 1 out of 100 times the IPv6 tunnel to HE gets built up and then also works without any problems. Only thing is.. the other 99 times I can't get it to connect and I haven't got the slightest idea why. I'm missing some logging that tells me what the problem is.
Are you using pfSense behind NAT or directly attachted to your internet line with a public IP?
-
Where is this config.xml located? Can I simply edit it using vi at the console? Could you show me a sample of what you put in there?
Could you perhaps have a look at the screenshots I posted earlier today with the output of my network interfaces and compare those with yours? Maybe I'm missing something crucial in the interface config.
What ISP are you on anyway?
Are you using pfSense behind NAT or directly attachted to your internet line with a public IP?
Config.xml can be found in /cf/conf/config.xml
As you can see in the picture below, I mounted sftp directly in the Finder because I felt it was easier than using the terminal and especially cp and vi.Then, I edited the xml file directly, did a search for gateway and tried a few different things.
As you can see in the images attached, I ended up with this and it works for me.I've also attached the v6 part of the output of netstat -rn on my pfSense installation, not sure what everything means.
Gif is the tunnel, lo0 is the loopback, reX are my interfaces and I run both an openvpn and a pptp server, so those are mentioned as well.Internet6: Destination Flags Netif Expire default 2001:470:xxxx:xxxx::1 UGS gif0 ::1 ::1 UH lo0 2001:470:xxxx:xxxx::1 2001:470:xxxx:xxxx::2 UH gif0 2001:470:xxxx:xxxx::/64 link#2 U re1 2001:470:xxxx:xxxx::1 link#2 UHS lo0 fe80::%re0/64 link#1 U re0 fe80::290:7fff:fe32:2ef8%re0 link#1 UHS lo0 fe80::%re1/64 link#2 U re1 fe80::290:7fff:fe32:2ef9%re1 link#2 UHS lo0 fe80::%re2/64 link#3 U re2 fe80::290:7fff:fe32:2efa%re2 link#3 UHS lo0 fe80::%re3/64 link#4 U re3 fe80::290:7fff:fe32:2efb%re3 link#4 UHS lo0 fe80::%re4/64 link#5 U re4 fe80::290:7fff:fe32:2efc%re4 link#5 UHS lo0 fe80::%re5/64 link#6 U re5 fe80::290:7fff:fe32:2efd%re5 link#6 UHS lo0 fe80::%lo0/64 link#8 U lo0 fe80::1%lo0 link#8 UHS lo0 fe80::%gif0/64 link#11 U gif0 fe80::290:7fff:fe32:2ef8%gif0 link#11 UHS lo0 fe80::%ovpns1/64 link#12 U ovpns1 fe80::290:7fff:fe32:2ef8%ovpns1 link#12 UHS lo0 fe80::%pptpd0/64 link#13 U pptpd0 fe80::290:7fff:fe32:2ef8%pptpd0 link#13 UHS lo0 ff01:1::/32 fe80::290:7fff:fe32:2ef8%re0 U re0 ff01:2::/32 fe80::290:7fff:fe32:2ef9%re1 U re1 ff01:3::/32 fe80::290:7fff:fe32:2efa%re2 U re2 ff01:4::/32 fe80::290:7fff:fe32:2efb%re3 U re3 ff01:5::/32 fe80::290:7fff:fe32:2efc%re4 U re4 ff01:6::/32 fe80::290:7fff:fe32:2efd%re5 U re5 ff01:8::/32 ::1 U lo0 ff01:b::/32 2001:470:xxxx:xxxx::2 U gif0 ff01:c::/32 fe80::290:7fff:fe32:2ef8%ovpns1 U ovpns1 ff01:d::/32 fe80::290:7fff:fe32:2ef8%pptpd0 U pptpd0 ff02::%re0/32 fe80::290:7fff:fe32:2ef8%re0 U re0 ff02::%re1/32 fe80::290:7fff:fe32:2ef9%re1 U re1 ff02::%re2/32 fe80::290:7fff:fe32:2efa%re2 U re2 ff02::%re3/32 fe80::290:7fff:fe32:2efb%re3 U re3 ff02::%re4/32 fe80::290:7fff:fe32:2efc%re4 U re4 ff02::%re5/32 fe80::290:7fff:fe32:2efd%re5 U re5 ff02::%lo0/32 ::1 U lo0 ff02::%gif0/32 2001:470:xxxx:xxxx::2 U gif0 ff02::%ovpns1/32 fe80::290:7fff:fe32:2ef8%ovpns1 U ovpns1 ff02::%pptpd0/32 fe80::290:7fff:fe32:2ef8%pptpd0 U pptpd0
As for my ISP and connection:
A few months now, I've been using Ziggo so at least you know that your ISP isn't the problem.
pfSense is my NAT, so it has a public v4 address.Images: