Problems with IPv6
-
I posted Static IPv6 Problems earlier, but I still have some problems getting IPv6 to work.
We have a /64 link net for the WAN (em2 with gateway xxxx:270:1:1 and interface address xxxx:270:1:2), and a /48 net for the LAN (em1 with interface address xxxx:270:2016::1).
The ISP is routing the whole /48 towards the link net. I'm able to ping external IPv6 hosts from pfSense's WAN interface, but not from the LAN interface.
The interfaces:
# ifconfig
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether 00:04:a7:0c:16:06
        inet 10.110.0.1 netmask 0xfffffe00 broadcast 10.110.1.255
        inet6 fe80::204:a7ff:fe0c:1606%em1 prefixlen 64 scopeid 0x2
        inet6 xxxx:270:2016::1 prefixlen 48
        nd6 options=1<PERFORMNUD>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=42098<VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether 00:04:a7:0c:16:07
        inet xx.175.7.58 netmask 0xfffffff8 broadcast xx.175.7.63
        inet6 fe80::204:a7ff:fe0c:1607%em2 prefixlen 64 scopeid 0x3
        inet6 xxxx:270:1:b::2 prefixlen 64
        nd6 options=1<PERFORMNUD>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
The routing table:
# netstat -r
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            gw.xxxx.no         UGS         0   251092    em2
10.10.166.0        10.10.166.2        UGS         0        0 ovpns1
10.10.166.1        link#18            UHS         0        0    lo0
10.10.166.2        link#18            UH          0        0 ovpns1
10.110.0.0/23      link#2             U           0   208688    em1
zero               link#2             UHS         0        0    lo0
xx.175.7.56/29     link#3             U           0     1585    em2
login.xxxx.no      link#3             UHS         0        0    lo0
localhost          link#14            UH          0       82    lo0
webproxy.yyyy.no   gw.xxxx.no         UGHS        0        0    em2

Internet6:
Destination                       Gateway                       Flags      Netif Expire
default                           xxxx:270:1:b::1               UGS         em2
localhost                         localhost                     UH          lo0
xxxx:270:1:b::                    link#3                        U           em2
xxxx:270:1:b::2                   link#3                        UHS         lo0
xxxx:270:2016::                   link#2                        U           em1
xxxx:270:2016::1                  link#2                        UHS         lo0
fe80::%em1                        link#2                        U           em1
fe80::204:a7ff:fe0                link#2                        UHS         lo0
fe80::%em2                        link#3                        U           em2
fe80::204:a7ff:fe0                link#3                        UHS         lo0
fe80::%em3                        link#4                        U           em3
fe80::204:a7ff:fe0                link#4                        UHS         lo0
fe80::%lo0                        link#14                       U           lo0
fe80::1%lo0                       link#14                       UHS         lo0
fe80::%ovpns1                     link#18                       U        ovpns1
fe80::204:a7ff:fe0                link#18                       UHS         lo0
ff01::%em1                        fe80::204:a7ff:fe0            U           em1
ff01::%em2                        fe80::204:a7ff:fe0            U           em2
ff01::%em3                        fe80::204:a7ff:fe0            U           em3
ff01::%lo0                        localhost                     U           lo0
ff01::%ovpns1                     fe80::204:a7ff:fe0            U        ovpns1
ff02::%em1                        fe80::204:a7ff:fe0            U           em1
ff02::%em2                        fe80::204:a7ff:fe0            U           em2
ff02::%em3                        fe80::204:a7ff:fe0            U           em3
ff02::%lo0                        localhost                     U           lo0
ff02::%ovpns1                     fe80::204:a7ff:fe0            U        ovpns1
Ping connectivity:
# ping6 -I em1 -c1 vg.no    ## Ping from the LAN
PING6(56=40+8+8 bytes) xxxx:270:2016::1 --> 2001:67c:21e0::16
ping6: sendmsg: No route to host
ping6: wrote vg.no 16 chars, ret=-1

--- vg.no ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

# ping6 -I em2 -c1 vg.no    ## Ping from the WAN
PING6(56=40+8+8 bytes) xxxx:270:1:b::2 --> 2001:67c:21e0::16
16 bytes from 2001:67c:21e0::16, icmp_seq=0 hlim=56 time=1.162 ms

--- vg.no ping6 statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 1.162/1.162/1.162/0.000 ms
The ISP has the following route for our LAN:
Routing entry for xxxx:270:2016::/48
  Known via "static", distance 1, metric 0
  Route count is 1/1, share count 0
  Routing paths:
    xxxx:270:1:B::2
Does anyone know what we're doing wrong?
I'm using the latest pfSense 2.1 beta, and "pass all" rules for IPv6 on the LAN and WAN networks.
-
Still no connectivity… is there anything in our firewall that could be blocking the traffic? It looks fairly sane to me:
# pfctl -sr
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = 2222 label "sshlockout"
block drop in log quick proto tcp from <webConfiguratorlockout> to any port = https label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in on ! em1 inet6 from xxxx:270:2016::/48 to any
block drop in on em1 inet6 from fe80::204:a7ff:fe0c:1606 to any
block drop in inet6 from xxxx:270:2016::1 to any
block drop in on ! em1 inet from 10.110.0.0/23 to any
block drop in inet from 10.110.0.1 to any
pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em1 inet proto udp from any port = bootpc to 10.110.0.1 port = bootps keep state label "allow access to DHCP server"
pass out quick on em1 inet proto udp from 10.110.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
block drop in on ! em2 inet6 from xxxx:270:1:b::/64 to any
block drop in on em2 inet6 from fe80::204:a7ff:fe0c:1607 to any
block drop in inet6 from xxxx:270:1:b::2 to any
block drop in on ! em2 inet from xx.175.7.56/29 to any
block drop in inet from xx.175.7.58 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (em2 xx.175.7.57) inet from xx.175.7.58 to ! xx.175.7.56/29 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em2 xxxx:270:1:b::1) inet6 from xxxx:270:1:b::2 to ! xxxx:270:1:b::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
pass in quick on em1 proto tcp from any to (em1) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 proto tcp from any to (em1) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on em1 proto tcp from any to (em1) port = 2222 flags S/SA keep state label "anti-lockout rule"
pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
anchor "userrules/*" all
pass in quick on em1 all flags S/SA keep state label "USER_RULE"
pass in quick on em1 inet6 all flags S/SA keep state label "USER_RULE"
pass in quick on enc0 all flags S/SA keep state label "USER_RULE: something"
pass in quick on openvpn all flags S/SA keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.14 port = 61111 flags S/SA keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto udp from any to 10.110.0.14 port = 61111 keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.2 port = ssh flags S/SA keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto udp from ww.215.128.0/18 to xx.175.7.58 port = 1194 keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xxxx:270:1:b::1) inet6 proto ipv6-icmp all icmp6-type echoreq keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xxxx:270:1:b::1) inet6 all flags S/SA keep state label "USER_RULE"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.13 port = http flags S/SA keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.16 port = ssh flags S/SA keep state label "USER_RULE: something"
pass in quick on em2 reply-to (em2 xx.175.7.57) inet proto tcp from any to 10.110.0.2 port = http flags S/SA keep state label "USER_RULE: something"
pass out on em2 route-to (em2 xx.175.7.57) inet proto udp from any to zz.62.101.131 port = isakmp keep state label "IPsec: XXX / YYY VPN - outbound isakmp"
pass in on em2 reply-to (em2 xx.175.7.57) inet proto udp from zz.62.101.131 to any port = isakmp keep state label "IPsec: XXX / YYY VPN - inbound isakmp"
pass out on em2 route-to (em2 xx.175.7.57) inet proto esp from any to zz.62.101.131 keep state label "IPsec: XXX / YYY VPN - outbound esp proto"
pass in on em2 reply-to (em2 xx.175.7.57) inet proto esp from zz.62.101.131 to any keep state label "IPsec: XXX / YYY VPN - inbound esp proto"
pass out on em2 route-to (em2 xx.175.7.57) inet proto udp from any to yy.24.36.2 port = isakmp keep state label "IPsec: VPN to DotCom - outbound isakmp"
pass in on em2 reply-to (em2 xx.175.7.57) inet proto udp from yy.24.36.2 to any port = isakmp keep state label "IPsec: VPN to DotCom - inbound isakmp"
anchor "tftp-proxy/*" all
anchor "miniupnpd" all
-
# ping6 -I em1 -c1 vg.no    ## Ping from the LAN
PING6(56=40+8+8 bytes) xxxx:270:2016::1 --> 2001:67c:21e0::16
ping6: sendmsg: No route to host
ping6: wrote vg.no 16 chars, ret=-1

--- vg.no ping6 statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss
Have you also tried from an actual host in the LAN?
-
Try a traceroute from the outside to your LAN IP, make sure it's really going to you.
Also try a packet capture on the WAN looking for the LAN IP you're trying to communicate from.
The symptoms you describe (works from WAN, not from LAN) in a routed setup are those you would see if your ISP was not actually routing the LAN net to you.
-
@jimp:
From the above information that "henrik242" has given, it looks like he is trying to ping an external host from the pfSense box but over the LAN interface. I believe that if an interface is given as an argument to ping6, it will not only use that interface's address but also use that interface for looking up the route as well as for sending the packet. It is exactly the same behavior I experience here. When he's actually using a host behind the LAN interface it will most likely work.
Edit:
I guess I could have made that clearer in the above post.
-
Ah, yeah I see.
Well when you do ping6 with -I it does that, but not with -S.
If you use -S (ip) then it will send it the right way, but the error is usually a bit different.
: ping6 -I em0 www.google.com
PING6(56=40+8+8 bytes) 2001:xxxx:xxxx:xxxx::1 --> 2607:f8b0:4003:c01::69
ping6: sendmsg: No route to host
ping6: wrote www.google.com 16 chars, ret=-1
ping6: sendmsg: No route to host
ping6: wrote www.google.com 16 chars, ret=-1
: ping6 -S 2001:xxxx:xxxx:xxxx::1 www.google.com
PING6(56=40+8+8 bytes) 2001:xxxx:xxxx:xxxx::1 --> 2607:f8b0:4003:c01::69
16 bytes from 2607:f8b0:4003:c01::69, icmp_seq=0 hlim=57 time=69.442 ms
16 bytes from 2607:f8b0:4003:c01::69, icmp_seq=1 hlim=57 time=66.597 ms