IPv6 behavior changed?



  • After reinstalling and restoring the configuration that e.g. at http://test-ipv6.com/ gave me 10/10 for IPv6, now I have no IPv6 connectivity, even though my tunnelbroker (HE) tunnel is up, IPv6 addresses are assigned, Google's IPv6 DNS servers are set, etc.

    I also made sure in System:Advanced:Networking the "Allow IPv6" option is turned on.

    However I don't remember seeing the "IPv6 over IPv4 Tunneling" option before (maybe I didn't pay attention).
    Do I need that, given that I have an explicitly configured tunnel for IPv6? And if so, what IP address would have to go into the field?



  • Any messages about DHCP or DNS forwarder in the logs? (DNS forwarder assumed here due to Google DNS and ipv6-test refs in OP.)

    I've had to restart DHCP in times past, when I couldn't get DNS after a config change or reboot.



  • @allpoints:

    Any messages about DHCP or DNS forwarder in the logs? (DNS forwarder assumed here due to Google DNS and ipv6-test refs in OP.)

    I've had to restart DHCP in times past, when I couldn't get DNS after a config change or reboot.

    Well, I've given up on DHCPv6 for now. Thing seems more odd as I keep testing…
    All hosts are statically configured, and have also statically configured DNS servers (Google), just like the pfSense box itself. IPv6 traffic is possible from pfSense, e.g. I can ping an IPv6 address there. I can't however ping my LAN hosts by their IPv6 address, nor can I ping the pfSense box by its IPv6 address from any host on the LAN, but the LAN hosts can ping each other.

    The firewall shouldn't be the issue, because I have a floating rule in there (for testing purposes while I set up other aspects) that allows any traffic on any protocol from any source to any destination on all interfaces that can/should do IPv6.

    ![Screen Shot 2012-06-15 at 18.24.27.png](/public/imported_attachments/1/Screen Shot 2012-06-15 at 18.24.27.png)



  • I have a similar issue as well..
    Maybe someone can chime in on this :)

    My v6 Gateway is Online and active as there is a slight amount of traffic on it.
    However I don't have a valid v6 IP assigned to clients as it starts with the infamous fe80:
    Followed the guide down to a T and still no success.
    Set up the rules to allow all V6 traffic from LAN1 to WAN and vice versa and same for my SERVER's LAGG



  • Allpoints, do you have a wireless router or switch that is dropping multicast traffic? That would cause it.

    Adrian, make sure that the LAN rule is from LAN to any, and specific to IPv6.

    The combined IPv4/IPv6 rules are currently broken in that only a v4 rule is created for the "LAN subnet", and not the v6 LAN subnet.
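
The v4-only rule gap described in the post above can be checked from a dump of the loaded ruleset. This is an added example, not code from the thread or from pfSense: the sample lines are constructed in the style of `pfctl -sr` output, and the interface names, prefixes and the `USER_RULE` label marker are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `pfctl -sr` output; interface names,
# prefixes and labels are made up for this example.
SAMPLE_RULES = '''\
pass in quick on em1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"
pass in quick on em1 inet6 proto ipv6-icmp from fe80::/10 to any keep state label "system: link-local ICMPv6"
pass in quick on em2 inet from 10.0.2.0/24 to any flags S/SA keep state label "USER_RULE: SERVER to any"
pass in quick on em2 inet6 from 2001:db8:2::/64 to any flags S/SA keep state label "USER_RULE: SERVER v6 to any"
pass in quick on em3 all flags S/SA keep state label "USER_RULE: guest any"
'''

# Captures the interface and the optional address-family keyword that follows it.
RULE_RE = re.compile(r"^pass\s+in\b.*?\bon\s+(\S+)(?:\s+(inet6|inet)\b)?")

def pass_families(ruleset, label_marker="USER_RULE"):
    """Map interface -> address families with at least one matching 'pass in' rule.

    Only lines containing label_marker are counted (assumed marker for
    user-created rules); pass "" to count every rule. Rule order and
    block rules are not evaluated, only presence of a pass rule.
    """
    covered = defaultdict(set)
    for line in ruleset.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m or label_marker not in line:
            continue
        iface, family = m.groups()
        # A rule with no inet/inet6 keyword applies to both families.
        covered[iface].update({family} if family else {"inet", "inet6"})
    return dict(covered)

def v4_only_interfaces(ruleset, label_marker="USER_RULE"):
    """Interfaces whose counted pass rules cover IPv4 but not IPv6."""
    fams = pass_families(ruleset, label_marker)
    return sorted(i for i, f in fams.items() if f == {"inet"})

if __name__ == "__main__":
    for iface in v4_only_interfaces(SAMPLE_RULES):
        print(f"{iface}: user pass rules cover inet only, no inet6 rule found")
```

An interface listed here has a user pass rule for IPv4 only, which matches the symptom of a combined rule that produced just the v4 "LAN subnet" entry.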



  • @databeestje:

    Allpoints, do you have a wireless router or switch that is dropping multicast traffic? That would cause it.

    Indeed. Thank you for your reply DB.
    The Dell managed switch and bridged dd-wrt wireless device pass multicast. The wireless is mainly for phones and laptops, and passes all packets to its ethernet port (no filtering at all).
    I have not encountered a DHCP problem in recent builds of pfSense FULL i386, but in older builds (March and April) running Unbound as resolver, the DHCP server would sometimes need a restart.

    If it happens again, I'll look for dropped packets on port 5353 first, then report it here.



  • This issue still isn't resolved, and more importantly, I have no clue how to narrow it down.

    To sum it up: I have a tunnelbroker.net dynamic endpoint tunnel up and running. I can ping IPv6 hosts from the pfSense box. I have all my LAN hosts statically configured with IPv6 addresses, and they can ping6 each other.
    They just no longer get out to the internet, even though I have essentially only a pass anything rule in the firewall rule set (since I don't want to start closing up the box until I have basic connectivity solved).

    So what keeps the traffic from flowing?
    It's crazy, this worked all just fine until I had to reinstall pfSense, and then restore the backed-up configuration.
    Have upgraded to more recent builds a few times since, no change.

    Seems like a pretty serious issue to me, either I'm seriously not seeing something important, or some key functionality in pfSense doesn't work as expected.



  • Well, I can partially answer my own question, but it's not yet fully cleared up.

    Messing around with Snort (downloading new rule sets), which showed as NOT being active on any interface in the GUI, IPv6 connectivity suddenly came back. Then it went away again. So I turned off any blocking through Snort, and it remained there for a while, but then, even without any blocking enabled through Snort, all of a sudden the Gateway would always go down, even though the tunnel was/is up…

    So something is ill-behaved with Snort. I also can get snort showing as active on at most three out of my four interfaces, doesn't really matter much with three, but the moment I activate a fourth interface, one or more of the others go red.

    So I'll reboot the system once, and like deinstall snort until that can at least be installed and not block anything when it's told not to block anything...

    ...hopefully then I'll have IPv6 back.

