6RD not working
-
6RD has not worked in the builds from the past week. The snapshot I fall back to is from 1/22 but I'm not sure when it actually started. Tried the most current build today: 2.1-BETA1 (i386) built on Fri Feb 1 01:15:41 EST 2013
Once upgraded, there is no IPv6 over the WAN. IPv6 tests fail, any sites requiring it do not load. Downgrading back to 1/22/13 immediately fixes it. I'm not sure what logs to look for. Everything looks ok in the interfaces screen and no obvious error messages in the system log.
-
I would drop to command line and see if wan_stf has been created. There was some change made to 6rd and 6to4 IPv6. You might need to use gitsync to fix it or wait for the next build.
Try this.
If the wan_stf is not there, drop to command line and run this:
ifconfig stf create
(should return with stf0)
ifconfig stf0 name wan_stf
Then in the GUI save the WAN properties and apply. This will reload the WAN stuff including the 6rd. It should all work then. This will work until a reboot. It is not loading the stf kernel module on startup and there is a fix for that in the repositories.
-
wan_stf already exists.
-
Does it have the correct ipv6 address?
-
Yeah it's the right IP. Here's the info:
wan_stf: flags=4001<UP,LINK2> metric 0 mtu 1280
    inet6 2602:100:xxxx:xxxx:: prefixlen 32
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
-
Can you check the FW logs to see if anything is getting blocked? Try a "tcpdump -nnvvi <wan iface> proto 41" and see if traffic is being generated. You can check on LAN as well for IPv6 traffic with "tcpdump -nnvvi <lan iface> ip6".
Just need to find where the traffic is getting to so that you can determine where the problem is. You also want to check that the radvd service is started.
-
Nothing in the firewall logs.
tcpdump -nnvvi em0 proto 41 showed nothing
tcpdump -nnvvi em1 ip6 showed traffic
radvd is started
-
This would tell me that packets are being dropped when moving from LAN to WAN. What rules do you have set up in LAN for IPv6 traffic?
Also, check /tmp/rules.debug as there should be 4 rules created by script for 6rd type traffic. Please make sure those are in there. They are labeled something like "# allow our proto 41 traffic from the 6RD border relay in" with the rules underneath.
-
My LAN rule is a copy of the IPv4 rule except for IPv6 traffic (allow lan to any rule).
In rules.debug it had the following under the comment for proto 41 traffic:
# allow our proto 41 traffic from the 6RD border relay in
pass in on $WAN proto 41 from 68.114.165.1 to any label "Allow 6in4 traffic in for 6rd on WAN"
pass out on $WAN proto 41 from any to 68.114.165.1 label "Allow 6in4 traffic out for 6rd on WAN"
pass in on $WAN inet6 from any to 2602xxxx:xxxx::/32 label "Allow 6rd traffic in for 6rd on WAN"
pass out on $WAN inet6 from 2602xxxx:xxxx::/32 to any label "Allow 6rd traffic out for 6rd on WAN"
antispoof for em1
-
There were some stf fixes that went in late last week, would be best to try things again on a current snapshot.
-
Hi jimp,
I've been having a similar problem. Using the Jan 22nd snap my 6RD connection to Charter works great. I usually update once a week, but since then (around the end of January) none of the snaps I've tried have worked. I get an ipv6 address on the outside interface but my gateway monitor never comes up and none of my ipv6 traffic seems to pass through the firewall.
There are a couple of other users in a thread in the 2.1 forum reporting the same thing. Honestly I have no idea how to debug this, up till now all my adventures into ipv6 have "just worked", but if there are some specific things you need me to provide I would be happy to update to the current snap and provide the results for you.
-Will
-
Hi guys,
Is there anything I can provide you with that would help get 6RD working again?
Should I open a ticket or something?
-Will
-
There is already a ticket open at http://redmine.pfsense.org/issues/2882 that links back to this and other threads.
-
Hi jimp,
Indeed, I opened it!
Just trying to get all the bases covered as this is the only problem I've had in 2.1 in a very long time.
-Will
-
See edit at bottom of post!
I'm having the same problem as swinn, and possibly many others.
The 6RD BR that I'm using is provided by my ISP (Telia Sweden).
My configuration looks sane to me.
ifconfig shows wan_stf using the correct IPv6 address, netstat shows the correct default IPv6 gateway (at least I believe so - 2001:2002:6RD-BR-IPv4-in-hex:: - where 2001:2002 is my ISP's prefix, using wan_stf as Netif).
My LAN interface is tracking WAN and thus receives the ::1 address of my subnet, which I can ping from computers on my LAN.
But, the webui shows the IPv6 gateway as offline. When I try to ping the gateway from my router I get "Network is down".
As mentioned in http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker I have added a pass ICMP-rule from my 6RD BR to my WAN address, although I'm not sure if it's working.
IPv4 ICMP 217.209.228.xxx * WAN address * * none
You see, when I run tcpdump -nnvvXi em0 proto 41, I see a lot of traffic.
Almost all of it is ICMP6 echo requests from my 6RD BR to my WAN address, but I never see my pfSense router replying to any of the echo requests.
217.209.228.xxx is my 6RD BR, 2.248.161.xxx is my WAN IP, 2001:2002:02f8:xxxx is my IPv6 subnet/prefix.
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
20:55:00.709516 IP (tos 0x0, ttl 250, id 3570, offset 0, flags [none], proto IPv6 (41), length 72)
    217.209.228.xxx > 2.248.161.xxx: IP6 (hlim 9, next-header ICMPv6 (58) payload length: 12) 2001:0:5ef5:79fd:855:34ba:2a8d:bebb > 2001:2002:2f8:xxxx:a9ce:2fc1:a2d8:62e6: [icmp6 sum ok] ICMP6, echo request, length 12, seq 44549
20:55:01.176129 IP (tos 0x0, ttl 250, id 5480, offset 0, flags [none], proto IPv6 (41), length 72)
    217.209.228.xxx > 2.248.161.xxx: IP6 (hlim 14, next-header ICMPv6 (58) payload length: 12) 2001:0:4137:9e76:182e:2a58:35b6:dbec > 2001:2002:2f8:yyyy:a9ce:2fc1:a2d8:62e6: [icmp6 sum ok] ICMP6, echo request, length 12, seq 50535
From what I understand, the 6RD BR's ability to ping my router, decides whether or not I will be granted a 6RD tunnel or not.
Now, since it seems like my pfSense router isn't responding to the ping requests sent by the BR, can this be why I'm not able to connect through it and get IPv6 access to the Internet?
If so, how come my router doesn't respond to the requests sent by my BR? I think this is strange, since I've explicitly allowed ICMP traffic from its IP address.
If I add another explicit ICMP pass rule for another IP address, and try to ping my router from that IP, it works without a sigh.
Any suggestions? If you need more information to better track down my problem, just let me know and I'll post it.
EDIT:
Erhm. I took another look at the output from tcpdump.
Yes, the request is coming from my 6RD BR to my WAN address. BUT, the ICMP6 request inside is from 2001:0000:: which is the Teredo prefix, so this might be completely unrelated to the problem with 6RD tunneling.
Another thing I noticed is this. If I set up a 6RD tunnel using the gif0 interface in the command line, it works without a problem and I can at least ping IPv6 hosts on the Internet from my router.
Of course it doesn't show up in the webui, and I can't use it for DHCPv6 to provide the prefix for my LAN, so it's no good for a long term solution.
ifconfig gif0 create
ifconfig gif0 tunnel 2.248.161.xxx 217.209.228.xxx
ifconfig gif0 inet6 2001:2002::1 prefixlen 32
route add -inet6 default -interface gif0
-
6rd should work with tomorrow's snapshot, my test system is working now.
-
Still not working here with charter's 6rd service.
Version:
2.1-RC0 (amd64)
built on Sun Jul 7 08:43:44 EDT 2013
FreeBSD 8.3-RELEASE-p8
After setting up the 6rd on the wan interface, and setting up IPv6 DNS servers, the pfsense unit is unable to ping or trace route any ipv6 address.
-
Hi guys,
Same here, Charter's 6RD isn't working.
Tried both updating my pfSense VM to the latest snap & installing a fresh new VM with the latest snaps.
As always, please let me know if I can provide anything that would help sort this out.
-Will
-
Logs would be good together with ifconfig and routing table output.
Latest snapshot has some automatic rules removed, due to wide coverage of auto rules, so probably check that your firewall rules are correct.
-
Any specific log file you want dumped?
Updated to 7/11/13 morning snapshot, amd64
I also have a firewall rule to allow icmpv6.
ifconfig
em0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
    ether 00:15:17:82:3d:60
    media: Ethernet autoselect
    status: no carrier
em1: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
    ether 00:15:17:82:3d:61
    media: Ethernet autoselect
    status: no carrier
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
    ether 00:1b:21:54:db:58
    inet6 fe80::21b:21ff:fe54:db58%igb0 prefixlen 64 scopeid 0x3
    inet 10.1.7.1 netmask 0xffffff00 broadcast 10.1.7.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=500bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO>
    ether 00:1b:21:54:db:59
    inet6 fe80::21b:21ff:fe54:db59%igb1 prefixlen 64 scopeid 0x4
    inet 10.1.4.1 netmask 0xffffff00 broadcast 10.1.4.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether 00:1b:21:54:db:5c
    inet6 fe80::21b:21ff:fe54:db5c%igb2 prefixlen 64 scopeid 0x5
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
    ether 00:1b:21:54:db:5d
    inet6 fe80::21b:21ff:fe54:db5d%igb3 prefixlen 64 scopeid 0x6
    inet 24.159.196.98 netmask 0xfffffff0 broadcast 24.159.196.111
    inet 24.159.196.99 netmask 0xfffffff0 broadcast 24.159.196.111
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
pflog0: flags=100<PROMISC> metric 0 mtu 33144
enc0: flags=0<> metric 0 mtu 1536
pfsync0: flags=0<> metric 0 mtu 1460
    syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=3<RXCSUM,TXCSUM>
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
igb1_vlan4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:1b:21:54:db:59
    inet6 fe80::215:17ff:fe82:3d60%igb1_vlan4 prefixlen 64 scopeid 0xb
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 4 vlanpcp: 0 parent interface: igb1
igb1_vlan5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:1b:21:54:db:59
    inet6 fe80::215:17ff:fe82:3d60%igb1_vlan5 prefixlen 64 scopeid 0xc
    inet 10.1.5.1 netmask 0xffffff00 broadcast 10.1.5.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 5 vlanpcp: 0 parent interface: igb1
igb0_vlan6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:1b:21:54:db:58
    inet6 fe80::215:17ff:fe82:3d60%igb0_vlan6 prefixlen 64 scopeid 0xd
    inet 10.1.6.1 netmask 0xffffff00 broadcast 10.1.6.255
    nd6 options=1<PERFORMNUD>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 6 vlanpcp: 0 parent interface: igb0
igb0_vlan7: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 00:1b:21:54:db:58
    inet6 fe80::215:17ff:fe82:3d60%igb0_vlan7 prefixlen 64 scopeid 0xe
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
    vlan: 7 vlanpcp: 0 parent interface: igb0
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:94:0a:e6:35:00
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000000
    member: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 6 priority 128 path cost 2000000
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::215:17ff:fe82:3d60%ovpns1 prefixlen 64 scopeid 0x11
    inet 10.1.254.1 --> 10.1.254.2 netmask 0xffffffff
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    Opened by PID 28948
wan_stf: flags=4001<UP,LINK2> metric 0 mtu 1280
    inet6 2602:100:189f:c462:: prefixlen 32
    nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
    v4net 0.0.0.0/0 v4br 68.114.165.1
netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags Refs Use    Netif Expire
default            24.159.196.97      UGS   0    34681  igb3
10.1.4.0/24        link#4             U     0    72897  igb1
10.1.4.1           link#4             UHS   0    0      lo0
10.1.5.0/24        link#12            U     0    12559  igb1_v
10.1.5.1           link#12            UHS   0    0      lo0
10.1.6.0/24        link#13            U     0    983    igb0_v
10.1.6.1           link#13            UHS   0    0      lo0
10.1.7.0/24        link#3             U     0    10     igb0
10.1.7.1           link#3             UHS   0    0      lo0
10.1.254.0/24      10.1.254.2         UGS   0    0      ovpns1
10.1.254.1         link#17            UHS   0    0      lo0
10.1.254.2         link#17            UH    0    0      ovpns1
24.159.196.96/28   link#6             U     0    233    igb3
24.159.196.98      link#6             UHS   0    0      lo0
24.159.196.99      link#6             UHS   0    0      lo0
68.114.165.1       24.159.196.97      UGHS  0    0      igb3
127.0.0.1          link#10            UH    0    359    lo0

Internet6:
Destination                          Gateway                              Flags Netif Expire
default                              2602:100:189f:c462::4472:a501        UGS   wan_stf
::1                                  ::1                                  UH    lo0
2602:100::/32                        link#15                              U     wan_stf
2602:100:189f:c462::                 link#15                              UHS   lo0
fe80::%igb0/64                       link#3                               U     igb0
fe80::21b:21ff:fe54:db58%igb0        link#3                               UHS   lo0
fe80::%igb1/64                       link#4                               U     igb1
fe80::21b:21ff:fe54:db59%igb1        link#4                               UHS   lo0
fe80::%igb2/64                       link#5                               U     igb2
fe80::21b:21ff:fe54:db5c%igb2        link#5                               UHS   lo0
fe80::%igb3/64                       link#6                               U     igb3
fe80::21b:21ff:fe54:db5d%igb3        link#6                               UHS   lo0
fe80::%lo0/64                        link#10                              U     lo0
fe80::1%lo0                          link#10                              UHS   lo0
fe80::%igb1_vlan4/64                 link#11                              U     igb1_vla
fe80::215:17ff:fe82:3d60%igb1_vlan4  link#11                              UHS   lo0
fe80::%igb1_vlan5/64                 link#12                              U     igb1_vla
fe80::215:17ff:fe82:3d60%igb1_vlan5  link#12                              UHS   lo0
fe80::%igb0_vlan6/64                 link#13                              U     igb0_vla
fe80::215:17ff:fe82:3d60%igb0_vlan6  link#13                              UHS   lo0
fe80::%igb0_vlan7/64                 link#14                              U     igb0_vla
fe80::215:17ff:fe82:3d60%igb0_vlan7  link#14                              UHS   lo0
fe80::215:17ff:fe82:3d60%ovpns1      link#17                              UHS   lo0
ff01::%igb0/32                       fe80::21b:21ff:fe54:db58%igb0        U     igb0
ff01::%igb1/32                       fe80::21b:21ff:fe54:db59%igb1        U     igb1
ff01::%igb2/32                       fe80::21b:21ff:fe54:db5c%igb2        U     igb2
ff01::%igb3/32                       fe80::21b:21ff:fe54:db5d%igb3        U     igb3
ff01::%lo0/32                        ::1                                  U     lo0
ff01::%igb1_vlan4/32                 fe80::215:17ff:fe82:3d60%igb1_vlan4  U     igb1_vla
ff01::%igb1_vlan5/32                 fe80::215:17ff:fe82:3d60%igb1_vlan5  U     igb1_vla
ff01::%igb0_vlan6/32                 fe80::215:17ff:fe82:3d60%igb0_vlan6  U     igb0_vla
ff01::%igb0_vlan7/32                 fe80::215:17ff:fe82:3d60%igb0_vlan7  U     igb0_vla
ff01::%ovpns1/32                     fe80::215:17ff:fe82:3d60%ovpns1      U     ovpns1
ff02::%igb0/32                       fe80::21b:21ff:fe54:db58%igb0        U     igb0
ff02::%igb1/32                       fe80::21b:21ff:fe54:db59%igb1        U     igb1
ff02::%igb2/32                       fe80::21b:21ff:fe54:db5c%igb2        U     igb2
ff02::%igb3/32                       fe80::21b:21ff:fe54:db5d%igb3        U     igb3
ff02::%lo0/32                        ::1                                  U     lo0
ff02::%igb1_vlan4/32                 fe80::215:17ff:fe82:3d60%igb1_vlan4  U     igb1_vla
ff02::%igb1_vlan5/32                 fe80::215:17ff:fe82:3d60%igb1_vlan5  U     igb1_vla
ff02::%igb0_vlan6/32                 fe80::215:17ff:fe82:3d60%igb0_vlan6  U     igb0_vla
ff02::%igb0_vlan7/32                 fe80::215:17ff:fe82:3d60%igb0_vlan7  U     igb0_vla
ff02::%ovpns1/32                     fe80::215:17ff:fe82:3d60%ovpns1      U     ovpns1
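-
The wan_stf address and IPv6 default gateway in the output above can be checked against the 6rd address mapping (RFC 5969). The Python below is an added example, not part of the original thread or of pfSense: it derives the delegated prefix from the 6rd prefix, the igb3 address (taken here as the WAN IPv4) and the v4net mask length, then compares it with what ifconfig and netstat reported. The function names are illustrative, and the gateway check (border relay IPv4 in the low 32 bits) reflects only what this output shows.

```python
import ipaddress

# Values copied from the ifconfig and netstat -rn output in the post above.
OBSERVED = {
    "sixrd_prefix": "2602:100::/32",      # route on wan_stf
    "wan_ipv4": "24.159.196.98",          # first inet on igb3 (assumed WAN)
    "v4net_len": 0,                       # "v4net 0.0.0.0/0"
    "wan_stf_inet6": "2602:100:189f:c462::",
    "default_gw6": "2602:100:189f:c462::4472:a501",
    "v4br": "68.114.165.1",
}

def sixrd_delegated_prefix(sixrd_prefix, wan_ipv4, ipv4_mask_len=0):
    """RFC 5969 mapping: the WAN IPv4 bits that remain after dropping the
    first ipv4_mask_len bits are appended to the ISP's 6rd prefix."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    if not 0 <= ipv4_mask_len <= 32:
        raise ValueError("IPv4 mask length must be between 0 and 32")
    v4_bits = 32 - ipv4_mask_len
    new_len = net.prefixlen + v4_bits
    if new_len > 64:
        # Choice made for this example: require room for at least one /64.
        raise ValueError("6rd prefix plus embedded IPv4 bits exceeds /64")
    suffix = int(ipaddress.IPv4Address(wan_ipv4)) & ((1 << v4_bits) - 1)
    base = int(net.network_address) | (suffix << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))

def low32_as_ipv4(addr6):
    """Read the low 32 bits of an IPv6 address as an IPv4 address."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(addr6)) & 0xFFFFFFFF)

def check(obs):
    """Compare the observed tunnel addressing with the computed mapping."""
    expected = sixrd_delegated_prefix(
        obs["sixrd_prefix"], obs["wan_ipv4"], obs["v4net_len"])
    gw = ipaddress.IPv6Address(obs["default_gw6"])
    return {
        "expected_prefix": str(expected),
        "wan_stf_matches":
            ipaddress.IPv6Address(obs["wan_stf_inet6"]) == expected.network_address,
        "gateway_in_prefix": gw in expected,
        "gateway_embeds_br":
            low32_as_ipv4(obs["default_gw6"]) == ipaddress.IPv4Address(obs["v4br"]),
    }

if __name__ == "__main__":
    for name, value in check(OBSERVED).items():
        print(f"{name}: {value}")
```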