IPv6 with HE Issues



  • Hi!

    I've been fighting with IPv6 for a few days now.  My ISP assigned me just one /64 address range, and I've been trying to get it working.  I got it working on my pfsense box, but can't get it to my local LAN.  After fighting with this for a few days, I thought I would sign up with HE.net and see if I can get it working through there first, then once I understand the basics, attempt to get it to work with the /64 my ISP assigned.  I figured that lots of people have it working with HE.net, so maybe try that first and see what happens.

    Now I am having issues with getting HE.net to work with my pfsense box.  I've followed the directions here…

    http://iserv.nl/files/pfsense/ipv6/

    and went through all the pages of the ipv6 thread here as well.  I've triple checked everything, but for some reason, I can't get it to work.  I've configured everything through the GUI, and it all exists there.  Upon reboot though, it seems like it doesn't exist all the way.  Here is my configuration...

    --
    $ ifconfig gif0
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
    tunnel inet 192.x.x.x --> 209.51.181.2
    inet6 fe80::219:bbff:fe2e:3ebc%gif0 prefixlen 64 scopeid 0xb
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    options=1<ACCEPT_REV_ETHIP_VER>
    --
    $ netstat -anr (just ipv6 stuff)

    Internet6:
    Destination                      Gateway                      Flags      Netif Expire
    ::1                              ::1                          UH          lo0
    2001:470:<foo>:c57::/64            link#7                        U      bge1_vla
    2001:470:<foo>:c57::1              link#7                        UHS        lo0
    fe80::%bge0/64                    link#1                        U          bge0
    fe80::219:bbff:fe2e:3ebc%bge0    link#1                        UHS        lo0
    fe80::%bge1/64                    link#2                        U          bge1
    fe80::219:bbff:fe2e:3ebb%bge1    link#2                        UHS        lo0
    fe80::%lo0/64                    link#3                        U          lo0
    fe80::1%lo0                      link#3                        UHS        lo0
    fe80::%bge1_vlan101/64            link#7                        U      bge1_vla
    fe80::219:bbff:fe2e:3ebc%bge1_vlan101 link#7                        UHS        lo0
    fe80::%bge1_vlan140/64            link#8                        U      bge1_vla
    fe80::219:bbff:fe2e:3ebc%bge1_vlan140 link#8                        UHS        lo0
    fe80::%bge1_vlan130/64            link#9                        U      bge1_vla
    fe80::219:bbff:fe2e:3ebc%bge1_vlan130 link#9                        UHS        lo0
    fe80::%bge1_vlan120/64            link#10                      U      bge1_vla
    fe80::219:bbff:fe2e:3ebc%bge1_vlan120 link#10                      UHS        lo0
    fe80::%gif0/64                    link#11                      U          gif0
    fe80::219:bbff:fe2e:3ebc%gif0    link#11                      UHS        lo0
    ff01:1::/32                      fe80::219:bbff:fe2e:3ebc%bge0 U          bge0
    ff01:2::/32                      fe80::219:bbff:fe2e:3ebb%bge1 U          bge1
    ff01:3::/32                      ::1                          U          lo0
    ff01:7::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan101 U      bge1_vla
    ff01:8::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan140 U      bge1_vla
    ff01:9::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan130 U      bge1_vla
    ff01:a::/32                      fe80::219:bbff:fe2e:3ebc%bge1_vlan120 U      bge1_vla
    ff01:b::/32                      fe80::219:bbff:fe2e:3ebc%gif0 U          gif0
    ff02::%bge0/32                    fe80::219:bbff:fe2e:3ebc%bge0 U          bge0
    ff02::%bge1/32                    fe80::219:bbff:fe2e:3ebb%bge1 U          bge1
    ff02::%lo0/32                    ::1                          U          lo0
    ff02::%bge1_vlan101/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan101 U      bge1_vla
    ff02::%bge1_vlan140/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan140 U      bge1_vla
    ff02::%bge1_vlan130/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan130 U      bge1_vla
    ff02::%bge1_vlan120/32            fe80::219:bbff:fe2e:3ebc%bge1_vlan120 U      bge1_vla
    ff02::%gif0/32                    fe80::219:bbff:fe2e:3ebc%gif0 U          gif0

    --
    $ ping6 2001:470:c116:4f20:216:3eff:fe1d:4a1a
    ping6: UDP connect: No route to host
    $

    OK, it looks like all the addresses and routes aren't being filled in properly.  Again, all my info exists in the GUI, but for whatever reason, it's not working.  With that aside, I've attempted to put the information in by hand...

    $ ifconfig gif0 inet6 2001:470:<foo>:c57::2 2001:470:<foo>:c57::1 prefixlen 128
    $ route -n add -inet6 default 2001:470:<foo>:c57::1
    add net default: gateway 2001:470:<foo>:c57::1
    $ ifconfig gif0 down
    $ ifconfig gif0 up
    $ ifconfig gif0
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
    tunnel inet 192.x.x.x --> 209.51.181.2
    inet6 fe80::219:bbff:fe2e:3ebc%gif0 prefixlen 64 scopeid 0xb
    inet 192.x.x.x --> 209.51.181.2 netmask 0xffffff00
    inet6 2001:470:<foo>:c57::2 --> 2001:470:<foo>:c57::1 prefixlen 128
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    options=1<ACCEPT_REV_ETHIP_VER>
    $


    But now when I do a ping on the pfsense box, I get the following....

    $ ping6 2001:470:c116:4f20:216:3eff:fe1d:4a1a
    PING6(56=40+8+8 bytes) 2001:470:1f10:c57::2 --> 2001:470:c116:4f20:216:3eff:fe1d:4a1a
    ping6: sendmsg: Network is unreachable
    ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
    ping6: sendmsg: Network is unreachable
    ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
    ping6: sendmsg: Network is unreachable
    ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
    ping6: sendmsg: Network is unreachable
    ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
    ping6: sendmsg: Network is unreachable
    ping6: wrote 2001:470:c116:4f20:216:3eff:fe1d:4a1a 16 chars, ret=-1
    ^C
    --- 2001:470:c116:4f20:216:3eff:fe1d:4a1a ping6 statistics ---
    13 packets transmitted, 0 packets received, 100.0% packet loss

    $


    Does anybody happen to have any ideas of what to look for or diagnose?

    Thanks in advance...
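The "No route to host" in the post is exactly what a longest-prefix lookup returns when nothing in the Internet6 table covers the destination. The script below is an added example (not from the poster or pfSense) that models that lookup over the post's own routing table: it parses `netstat -rn` Internet6 rows, resolves the pinged address before and after a default route is added, and shows which on-link route the chosen gateway itself falls under. The sample table is constructed from the post's output, trimmed to the unicast rows, with the redacted `2001:470:<foo>` replaced by the documentation placeholder `2001:db8:ffff`.

```python
"""Added example, not from the post: a small model of how FreeBSD resolves
an IPv6 destination against the `netstat -rn` Internet6 table, to show why
ping6 returned "No route to host" before any default route existed.
The sample table is constructed from the post's output, trimmed to the
unicast entries, with the redacted `2001:470:<foo>` replaced by the
documentation placeholder `2001:db8:ffff`."""
import ipaddress

# Constructed sample (see module docstring); the ff01/ff02 multicast rows are dropped.
NETSTAT_INET6 = """\
Internet6:
Destination                      Gateway                      Flags      Netif Expire
::1                              ::1                          UH          lo0
2001:db8:ffff:c57::/64           link#7                        U      bge1_vla
2001:db8:ffff:c57::1             link#7                        UHS        lo0
fe80::%bge0/64                   link#1                        U          bge0
fe80::219:bbff:fe2e:3ebc%bge0    link#1                        UHS        lo0
fe80::%gif0/64                   link#11                      U          gif0
fe80::219:bbff:fe2e:3ebc%gif0    link#11                      UHS        lo0
"""


def _to_network(dest):
    """Turn a netstat Destination cell into an IPv6Network ('default' is ::/0)."""
    if dest == "default":
        return ipaddress.IPv6Network("::/0")
    addr, _, plen = dest.partition("/")
    addr = addr.split("%")[0]                 # drop the %zone scope suffix
    return ipaddress.IPv6Network(f"{addr}/{plen or 128}")


def parse_inet6_routes(text):
    """Return a list of (network, gateway, flags, netif) from `netstat -rn` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Internet6:", "Destination"):
            continue
        dest, gateway, flags, netif = parts[:4]
        routes.append((_to_network(dest), gateway, flags, netif))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; None is what the kernel reports as 'No route to host'."""
    dst = ipaddress.IPv6Address(destination)
    best = None
    for route in routes:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def add_default_route(routes, gateway):
    """Model `route -n add -inet6 default <gw>`: the outgoing interface is the
    one whose on-link route covers the gateway address. Returns that route."""
    via = lookup(routes, gateway)
    if via is None:
        raise ValueError(f"gateway {gateway} is not reachable on any interface")
    routes.append((ipaddress.IPv6Network("::/0"), gateway, "UGS", via[3]))
    return via


def diagnose(routes, destination):
    """Human-readable verdict for one destination, a pre-flight for ping6."""
    route = lookup(routes, destination)
    if route is None:
        return f"{destination}: no matching route (ping6 says 'No route to host')"
    net, gateway, flags, netif = route
    return f"{destination}: matches {net} via {gateway} on {netif} (flags {flags})"


if __name__ == "__main__":
    table = parse_inet6_routes(NETSTAT_INET6)
    target = "2001:470:c116:4f20:216:3eff:fe1d:4a1a"      # the address pinged in the post
    print(diagnose(table, target))
    # Adding a default route through the tunnel endpoint changes the verdict.
    via = add_default_route(table, "2001:db8:ffff:c57::1")
    print(f"default gateway resolves under {via[0]} on {via[3]} (flags {via[2]})")
    print(diagnose(table, target))
```

The gateway resolution step is the one worth reading on this table: the address chosen as next hop is covered by a /128 UHS host route on lo0, which is how FreeBSD records an address the box holds itself, so a default route pointed at it has nowhere to forward.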



  • @wiz561:

    Hi!

    I've been fighting with IPv6 for a few days now.  My ISP assigned me just one /64 address range, and I've been trying to get it working.  I got it working on my pfsense box, but can't get it to my local LAN.  After fighting with this for a few days, I thought I would sign up with HE.net and see if I can get it working through there first, then once I understand the basics, attempt to get it to work with the /64 my ISP assigned.  I figured that lots of people have it working with HE.net, so maybe try that first and see what happens.

    So you have a WAN from your isp with a native /64 network on it and a gateway. That's good. If you can't ping ipv6.google.com you can stop here.

    If this works and the isp doesn't send you another network to use behind the router you can use this 1:1 nat hack below.

    boo hiss

    Go to the tab on the NAT page that says "network prefix translation (NPT)".
    Generate a random /64 network from the fc00::/10 range at sixxs.net here http://www.sixxs.net/tools/grh/ula/

    Use a generated /64 network from that range on the LAN, then add a network mapping for the WAN interface that would translate the fc something network to your public /64 something. Try that.



  • Interesting… thank you for the tips.  I will definitely try this out.  One question.  You mention generating a random /64 net from the fc00 range at sixxs.  I plugged my MAC in and got...

    Generated ULA= fdbc:0c93:<foo>::/48

    is that what I want to plugin the "random /64 NPT" page?

    thanks again for the help!



  • I attempted to create a NPt rule, but that did not work.  I used…

    Int: LAN
    Internal IPv6 Prefix: fd9a.....  (one I got from the sixxs web page after I put my MAC in)
    Destination IPv6 Prefix: 2001...  (one of the addresses from the space allocated to me)

    It seems like my machine never receives an IPv6 IP when doing it this way.  I don't know if I have to configure rtadvd in order for my machine to see an IPv6, but it didn't work...

    thanks



  • You have to enable dhcpv6 on the lan to enable radvd on the lan so that it will autoconfigure.



  • Yup, I've enabled dhcpv6 on the lan and rtadvd, and still nothing.

    After being frustrated, I ended up reinstalling and then everything (Hurricane Electric-wise) worked fine.  I had a pretty complicated config with multiple internal vlans and fw rules between them.  Who knows, maybe something was blocking something else.  Nonetheless, with a fresh install and a single internal vlan, everything worked fine.

    I would still like to get the /64 single space working.  I still have a hard time believing that every vlan internally would require its own routable block.  I've been reading that comcast will assign every user a /64 ipv6 space, so I would imagine people would run into the same situation I am.

    In addition to all my problems, it turns out that my ISP is upgrading their ipv6 infrastructure to better support something or other.  This might be another reason why I had so many issues.

    Just so I understand things correctly.
        - Configure the pfsense box with ipv6 and get that working
        - Generate a network space from sixxs.  This is equivalent to a 'private ipv6 network'.
              - Generated number is fdbc:0c93:<foo>::/48
        - Enable ipv6 forwarding through sysctl. 
        - Assign that sixxs private subnet to the "LAN" interface in the GUI.  Choose "ipv4 + ipv6".
              - Number to assign to LAN IP would be fdbc:0c93:<foo>::1/48 (Add '1' to the sixxs address?)
        - Configure rtadvd.
              - Listen on bge1/internal LAN NIC
              - Address in config would be "fdbc:0c93:<foo>::/48"
        - Configure dhcpv6
              - Just fill in the 'range' section and leave the 'gateway' blank.

    Are these pretty much how you would configure everything, without going through hurricane electric?  I'm still going to try to get it working without going through it, but I'm sure I'll run into additional problems.  Any comments on the above numbers and configuration will help me troubleshoot things easier.

    Thanks



  • @wiz561:

    I would still like to get the /64 single space working.  I still have a hard time believing that every vlan internally would require its own routable block.  I've been reading that comcast will assign every user a /64 ipv6 space, so I would imagine people would run into the same situation I am.

    Yes, you will need a routable block for each internal vlan. Comcast is deploying with 1 /64 now; in the hopefully near future they will start sending networks your way through dhcp-pd. You will get a /56 or larger. Comcast was not really considering a /60 but is not ruling it out either.

    In addition to all my problems, it turns out that my ISP is upgrading their ipv6 infrastructure to better support something or other.  This might be another reason why I had so many issues.

    Just so I understand things correctly.
        - Configure the pfsense box with ipv6 and get that working
        - Generate a network space from sixxs.  This is equivalent to a 'private ipv6 network'.
              - Generated number is fdbc:0c93:<foo>::/48

    This prefix holds 65k possible prefixes. Pick one by filling in the 4th octet. E.g. fdbc:0c93:<foo>:1010::/64

        - Enable ipv6 forwarding through sysctl.

    This is enabled on boot with pfSense 2.0 + v6 branch.

        - Assign that sixxs private subnet to the "LAN" interface in the GUI.  Choose "ipv4 + ipv6".
              - Number to assign to LAN IP would be fdbc:0c93:<foo>::1/48 (Add '1' to the sixxs address?)

    If you want stateless configuration to work the lan network needs to be a /64 range.

        - Configure rtadvd.
              - Listen on bge1/internal LAN NIC
              - Address in config would be "fdbc:0c93:<foo>::/48"
        - Configure dhcpv6
              - Just fill in the 'range' section and leave the 'gateway' blank.

    Are these pretty much how you would configure everything, without going through hurricane electric?  I'm still going to try to get it working without going through it, but I'm sure I'll run into additional problems.  Any comments on the above numbers and configuration will help me troubleshoot things easier.

    Thanks

    Because you split /64 networks out of the /48 provided, you can assign those to the different vlans. Something to keep note of though. Because network prefix translation maps one or more private ranges over the outside public /64, you must be careful not to hit duplicate addresses. So if your gateway on the WAN is ::1, don't use that address on the internal network.

    The rule is that you must not use any static address more than once on any interface right from the network prefix.

    The network mapping would look like this
    Interface WAN, source network fdbc:0c93:<foo>:1010::/64, destination network 2001:<foo>::/64

    The stateless autoconfig uses the mac address plus another 16 bits; the chances of collision on that are near nil. Although not mathematically impossible depending on the number of devices on the LAN.
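The addressing plan in this reply (carve a /64 out of the ULA /48 by filling the 4th hextet, keep the LAN at /64 so stateless autoconfig works, map it 1:1 onto the public /64 with NPt, and never let an inside static address translate onto one that already exists on the WAN) is worked through below with Python's ipaddress module. This is an added example, not code from the thread or from pfSense; the redacted `<foo>` hextet is replaced by the placeholder `1234`, the public /64 is the documentation prefix 2001:db8::/64, and the translation is modelled as a plain prefix rewrite (the checksum-neutral adjustment of RFC 6296 is omitted). The EUI-64 routine is checked against the MAC behind the `fe80::219:bbff:fe2e:3ebc` link-local address that appears in the first post.

```python
"""Added example, not from the thread: the addressing plan from the reply
above, worked through with Python's ipaddress module.
Placeholders (not from the post): the redacted `<foo>` hextet is `1234`,
the public /64 is the documentation prefix 2001:db8::/64."""
import ipaddress

ULA_48 = ipaddress.IPv6Network("fdbc:0c93:1234::/48")   # sixxs ULA, <foo> -> 1234 (placeholder)
PUBLIC_64 = ipaddress.IPv6Network("2001:db8::/64")      # the routable /64 on the WAN (placeholder)
WAN_GATEWAY = ipaddress.IPv6Address("2001:db8::1")      # the "gateway on the WAN is ::1" case


def carve_lan_prefix(site, subnet_id):
    """Pick one /64 out of a /48 by filling in the 4th hextet (0..0xffff)."""
    if site.prefixlen != 48:
        raise ValueError("expected a /48 site prefix")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("the 4th hextet is 16 bits wide")
    # Bits 64..79 (counted from the low end) are the 4th hextet of a /48.
    return ipaddress.IPv6Network((int(site.network_address) | (subnet_id << 64), 64))


def slaac_ready(prefix):
    """Stateless autoconfiguration (RFC 4862) requires a 64-bit interface id."""
    return prefix.prefixlen == 64


def eui64_interface_id(mac):
    """Modified EUI-64 (RFC 4291 app. A): flip the U/L bit, insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix, mac):
    """The address a host with `mac` forms on `prefix` via EUI-64 SLAAC."""
    if not slaac_ready(prefix):
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def npt_translate(addr, internal, external):
    """1:1 prefix rewrite: keep the host bits, swap the prefix. Models the
    mapping only; the checksum-neutral adjustment of RFC 6296 is omitted."""
    if internal.prefixlen != external.prefixlen:
        raise ValueError("NPt maps prefixes of equal length")
    if addr not in internal:
        raise ValueError(f"{addr} is not inside {internal}")
    host_bits = int(addr) & ((1 << (128 - internal.prefixlen)) - 1)
    return ipaddress.IPv6Address(int(external.network_address) | host_bits)


def conflicting_statics(internal_statics, internal, external, wan_statics):
    """The reply's rule: a static inside address must not translate onto an
    address that already exists on the WAN side (the gateway ::1, say)."""
    wan = set(wan_statics)
    return {a for a in internal_statics if npt_translate(a, internal, external) in wan}


def npt_rule(internal, external, interface="WAN"):
    """The mapping as the reply spells it out for the NPt tab."""
    return {"interface": interface, "source": str(internal), "destination": str(external)}


if __name__ == "__main__":
    lan = carve_lan_prefix(ULA_48, 0x1010)          # fdbc:c93:1234:1010::/64
    print("LAN prefix:", lan, "| SLAAC ok:", slaac_ready(lan), "| /48 SLAAC ok:", slaac_ready(ULA_48))
    host = slaac_address(lan, "00:19:bb:2e:3e:bc")  # MAC behind the post's fe80::219:bbff:fe2e:3ebc
    print("host forms", host, "-> seen outside as", npt_translate(host, lan, PUBLIC_64))
    print("NPt rule:", npt_rule(lan, PUBLIC_64))
    # ::1 inside would land on the WAN gateway after translation; ::2 is safe.
    print("static conflicts:", conflicting_statics([lan[1], lan[2]], lan, PUBLIC_64, {WAN_GATEWAY}))
```

Run it once per vlan with a different `subnet_id` and a different `PUBLIC_64` to see why each internal vlan needs its own routable block: two LAN /64s translated onto the same public /64 would produce overlapping outside addresses, which is the duplicate-address problem the reply warns about.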



  • Thanks all for the help.

    Just a status update.  I've been working with my ISP, who's never really done this before for anybody yet.  They've made a number of changes and assigned me two /64 blocks.

    After I assigned the 64 addresses to the two interfaces, added the default route, and configured rtadvd, everything worked fine.  I'm now able to ipv6.

    Thanks again for the help.  I think the problem was part with me and part with my ISP.


Locked