Problems with IPv6



  • I posted Static IPv6 Problems earlier, but I still have some problems getting IPv6 to work.

    We have a /64 link net for the WAN (em2 with gateway xxxx:270:1:b::1 and interface address xxxx:270:1:b::2), and a /48 net for the LAN (em1 with interface address xxxx:270:2016::1).

    The ISP is routing the whole /48 towards the link net. I'm able to ping external IPv6 hosts from pfSense's WAN interface, but not from the LAN interface.

    The interfaces:

    
    # ifconfig
    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
    	ether 00:04:a7:0c:16:06
    	inet 10.110.0.1 netmask 0xfffffe00 broadcast 10.110.1.255
    	inet6 fe80::204:a7ff:fe0c:1606%em1 prefixlen 64 scopeid 0x2 
    	inet6 xxxx:270:2016::1 prefixlen 48 
    	nd6 options=1<PERFORMNUD>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
    	ether 00:04:a7:0c:16:07
    	inet xx.175.7.58 netmask 0xfffffff8 broadcast xx.175.7.63
    	inet6 fe80::204:a7ff:fe0c:1607%em2 prefixlen 64 scopeid 0x3 
    	inet6 xxxx:270:1:b::2 prefixlen 64 
    	nd6 options=1<PERFORMNUD>
    	media: Ethernet autoselect (100baseTX <full-duplex>)
    	status: active
    

    The routing table:

    
    # netstat -r
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            gw.xxxx.no      UGS         0   251092    em2
    10.10.166.0        10.10.166.2        UGS         0        0 ovpns1
    10.10.166.1        link#18            UHS         0        0    lo0
    10.10.166.2        link#18            UH          0        0 ovpns1
    10.110.0.0/23      link#2             U           0   208688    em1
    zero               link#2             UHS         0        0    lo0
    xx.175.7.56/29     link#3             U           0     1585    em2
    login.xxxx.no   link#3             UHS         0        0    lo0
    localhost          link#14            UH          0       82    lo0
    webproxy.yyyy.no    gw.xxxx.no      UGHS        0        0    em2
    
    Internet6:
    Destination        Gateway            Flags      Netif Expire
    default            xxxx:270:1:b::1    UGS         em2
    localhost          localhost          UH          lo0
    xxxx:270:1:b::     link#3             U           em2
    xxxx:270:1:b::2    link#3             UHS         lo0
    xxxx:270:2016::    link#2             U           em1
    xxxx:270:2016::1   link#2             UHS         lo0
    fe80::%em1         link#2             U           em1
    fe80::204:a7ff:fe0 link#2             UHS         lo0
    fe80::%em2         link#3             U           em2
    fe80::204:a7ff:fe0 link#3             UHS         lo0
    fe80::%em3         link#4             U           em3
    fe80::204:a7ff:fe0 link#4             UHS         lo0
    fe80::%lo0         link#14            U           lo0
    fe80::1%lo0        link#14            UHS         lo0
    fe80::%ovpns1      link#18            U        ovpns1
    fe80::204:a7ff:fe0 link#18            UHS         lo0
    ff01::%em1         fe80::204:a7ff:fe0 U           em1
    ff01::%em2         fe80::204:a7ff:fe0 U           em2
    ff01::%em3         fe80::204:a7ff:fe0 U           em3
    ff01::%lo0         localhost          U           lo0
    ff01::%ovpns1      fe80::204:a7ff:fe0 U        ovpns1
    ff02::%em1         fe80::204:a7ff:fe0 U           em1
    ff02::%em2         fe80::204:a7ff:fe0 U           em2
    ff02::%em3         fe80::204:a7ff:fe0 U           em3
    ff02::%lo0         localhost          U           lo0
    ff02::%ovpns1      fe80::204:a7ff:fe0 U        ovpns1
    
    

    Ping connectivity:

    
    # ping6 -I em1 -c1 vg.no  ## Ping from the LAN
    PING6(56=40+8+8 bytes) xxxx:270:2016::1 --> 2001:67c:21e0::16
    ping6: sendmsg: No route to host
    ping6: wrote vg.no 16 chars, ret=-1
    
    --- vg.no ping6 statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    
    # ping6 -I em2 -c1 vg.no  ## Ping from the WAN
    PING6(56=40+8+8 bytes) xxxx:270:1:b::2 --> 2001:67c:21e0::16
    16 bytes from 2001:67c:21e0::16, icmp_seq=0 hlim=56 time=1.162 ms
    
    --- vg.no ping6 statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 1.162/1.162/1.162/0.000 ms
    
    

    The ISP has the following route for our LAN:

    
    Routing entry for xxxx:270:2016::/48
      Known via "static", distance 1, metric 0
      Route count is 1/1, share count 0
    
      Routing paths:
        xxxx:270:1:B::2
    
    

    Does anyone know what we're doing wrong?

    I'm using the latest pfSense 2.1 beta, and "pass all" rules for IPv6 on the LAN and WAN networks.



  • Still no connectivity… is there anything in our firewall that could be blocking the traffic? It looks fairly sane to me:

    
    # pfctl -sr
    anchor "relayd/*" all
    anchor "openvpn/*" all
    anchor "ipsec/*" all
    block drop in log inet all label "Default deny rule IPv4"
    block drop out log inet all label "Default deny rule IPv4"
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    block drop quick inet proto tcp from any port = 0 to any
    block drop quick inet proto tcp from any to any port = 0
    block drop quick inet proto udp from any port = 0 to any
    block drop quick inet proto udp from any to any port = 0
    block drop quick inet6 proto tcp from any port = 0 to any
    block drop quick inet6 proto tcp from any to any port = 0
    block drop quick inet6 proto udp from any port = 0 to any
    block drop quick inet6 proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = 2222 label "sshlockout"
    block drop in log quick proto tcp from <webConfiguratorlockout> to any port = https label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in on ! em1 inet6 from xxxx:270:2016::/48 to any
    block drop in on em1 inet6 from fe80::204:a7ff:fe0c:1606 to any
    block drop in inet6 from xxxx:270:2016::1 to any
    block drop in on ! em1 inet from 10.110.0.0/23 to any
    block drop in inet from 10.110.0.1 to any
    pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on em1 inet proto udp from any port = bootpc to 10.110.0.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on em1 inet proto udp from 10.110.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    block drop in on ! em2 inet6 from xxxx:270:1:b::/64 to any
    block drop in on em2 inet6 from fe80::204:a7ff:fe0c:1607 to any
    block drop in inet6 from xxxx:270:1:b::2 to any
    block drop in on ! em2 inet from xx.175.7.56/29 to any
    block drop in inet from xx.175.7.58 to any
    pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (em2 xx.175.7.57) inet from xx.175.7.58 to ! xx.175.7.56/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em2 xxxx:270:1:b::1) inet6 from xxxx:270:1:b::2 to ! xxxx:270:1:b::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on em1 proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on em1 proto tcp from any to (em1) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on em1 proto tcp from any to (em1) port = 2222 flags S/SA keep state label "anti-lockout rule"
    pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
    anchor "userrules/*" all
    pass in quick on em1 all flags S/SA keep state label "USER_RULE"
    pass in quick on em1 inet6 all flags S/SA keep state label "USER_RULE"
    pass in quick on enc0 all flags S/SA keep state label "USER_RULE: something"
    pass in quick on openvpn all flags S/SA keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.14 port = 61111 flags S/SA keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto udp from any to 10.110.0.14 port = 61111 keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.2 port = ssh flags S/SA keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto udp from ww.215.128.0/18 to xx.175.7.58 port = 1194 keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xxxx:270:1:b::1) inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xxxx:270:1:b::1) inet6 all flags S/SA keep state label "USER_RULE"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.13 port = http flags S/SA keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.16 port = ssh flags S/SA keep state label "USER_RULE: something"
    pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.2 port = http flags S/SA keep state label "USER_RULE: something"
    pass out on em2 route-to (em2 xx.175.7.57) inet proto udp from any to zz.62.101.131 port = isakmp keep state label "IPsec: XXX / YYY VPN - outbound isakmp"
    pass in on em2 reply-to (em2 xx.175.7.57) inet proto udp from zz.62.101.131 to any port = isakmp keep state label "IPsec: XXX / YYY VPN - inbound isakmp"
    pass out on em2 route-to (em2 xx.175.7.57) inet proto esp from any to zz.62.101.131 keep state label "IPsec: XXX / YYY VPN - outbound esp proto"
    pass in on em2 reply-to (em2 xx.175.7.57) inet proto esp from zz.62.101.131 to any keep state label "IPsec: XXX / YYY VPN - inbound esp proto"
    pass out on em2 route-to (em2 xx.175.7.57) inet proto udp from any to yy.24.36.2 port = isakmp keep state label "IPsec: VPN to DotCom - outbound isakmp"
    pass in on em2 reply-to (em2 xx.175.7.57) inet proto udp from yy.24.36.2 to any port = isakmp keep state label "IPsec: VPN to DotCom - inbound isakmp"
    anchor "tftp-proxy/*" all
    anchor "miniupnpd" all
    


  • # ping6 -I em1 -c1 vg.no  ## Ping from the LAN
    PING6(56=40+8+8 bytes) xxxx:270:2016::1 --> 2001:67c:21e0::16
    ping6: sendmsg: No route to host
    ping6: wrote vg.no 16 chars, ret=-1
    
    --- vg.no ping6 statistics ---
    1 packets transmitted, 0 packets received, 100.0% packet loss
    

    Have you also tried from an actual host in the LAN?


  • Rebel Alliance Developer Netgate

    Try a traceroute from the outside to your LAN IP, make sure it's really going to you.

    Also try a packet capture on the WAN looking for the LAN IP you're trying to communicate from.

    The symptoms you describe (works from WAN, not from LAN) in a routed setup are those you would see if your ISP was not actually routing the LAN net to you.



  • @jimp:
    From the above information that "henrik242" has given, it looks like he is trying to ping an external host from the pfSense box but over the LAN interface. I believe that if in ping6 an interface is given as an argument, it will not only use that interface's address but also use it for looking up the route as well as for sending the packet.

    It is exactly the same behavior I experience here. When he's actually using a host behind the LAN interface it will most likely work.

    Edit:
    I guess I could have made that clearer in the above post.



  • Rebel Alliance Developer Netgate

    Ah, yeah I see.

    Well, when you do ping6 with -I it does that, but not with -S.

    If you use -S (ip) then it will send it the right way, but the error is usually a bit different.

    : ping6 -I em0 www.google.com  
    PING6(56=40+8+8 bytes) 2001:xxxx:xxxx:xxxx::1 --> 2607:f8b0:4003:c01::69
    ping6: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    ping6: sendmsg: No route to host
    ping6: wrote www.google.com 16 chars, ret=-1
    
    : ping6 -S 2001:xxxx:xxxx:xxxx::1 www.google.com    
    PING6(56=40+8+8 bytes) 2001:xxxx:xxxx:xxxx::1 --> 2607:f8b0:4003:c01::69
    16 bytes from 2607:f8b0:4003:c01::69, icmp_seq=0 hlim=57 time=69.442 ms
    16 bytes from 2607:f8b0:4003:c01::69, icmp_seq=1 hlim=57 time=66.597 ms
    

Locked