IPv6 tunnel interface incorrectly configured?

bmah

I recently upgraded from a 7 Feb snapshot to "Fri Feb 15 15:43:49 EST 2013" and discovered that my IPv6 tunnel to Hurricane Electric stopped working, as in I couldn't even ping6 the other end of the tunnel.

Upon some investigation, I saw that although the tunnel interface still had the local IPv6 address and a /128 prefix (as per Hurricane Electric's documentation), it didn't have the remote IPv6 address configured as is necessary for a point-to-point tunnel interface.  In other words, gif0 looked like:

inet6 2001:xxxx:yyyy:zzzz::2 prefixlen 128

This is wrong because there's no way to express what's on the other end of the tunnel or set a default route.  When I reconfigured the interface manually (and correctly) and added a default route:

ifconfig gif0 inet6 2001:xxxx:yyyy:zzzz::2 2001:xxxx:yyyy:zzzz::1 prefixlen 128
route -n add -inet6 default 2001:xxxx:yyyy:zzzz::1

Things started working again.  I presume (but have not verified) that I'd need to repeat this reconfiguration on the next reboot.

Have there been any changes in the way that interfaces get configured that might particularly affect IPv6 point-to-point tunnels?

Thanks,

Bruce.

jimp

No changes that I can recall for sure but it's possible it was collateral damage from some other change.

My HE.net tunnels are configured as /64's with the assigned interface configured to match and a gateway setup in the GUI, though it's supposed to work either way.

mrzaz

I also have a HE.net (Tunnelbroker.net) tunnel and up and working for a long time and that is also /64.
And gateway setup in GUI as jimp.

/Danne

bmah

Thanks for the replies!  Upon re-reading the documentation at Hurricane Electric, I see where they specify /64 for the tunnel interface in one place and /128 in another place.  Nothing like consistency!  :-)

I'll try switching the netmask for my tunnel interface and see if that helps, just as soon as I can find some downtime.

Bruce.

jimp

They have recommended both in the past, as have we. Using /128 avoids having NDP and link-local traffic on the tunnel interface itself. It also cuts down on potential address scanning on the tunnel interface. It just has other UI quirks like this at times. :-)

bmah

@jimp:

They have recommended both in the past, as have we. Using /128 avoids having NDP and link-local traffic on the tunnel interface itself. It also cuts down on potential address scanning on the tunnel interface. It just has other UI quirks like this at times. :-)

Ah, got it.  This also vaguely reminds me of a release (six years ago) when FreeBSD just had broken behavior in scenarios like this, although this clearly isn't the same problem.  I remember this because it was just after my son was born and it was pretty darn hard trying to troubleshoot this between all the diaper changes and no sleep.  :-)

Bruce.

bmah

OK, I've got my tunnel interface reconfigured as a /64 and all is well, even after a reboot.  Thanks jimp and mrzaz for the hints!

Bruce.

bmah

Perhaps I spoke too soon…I can talk to the other end of the tunnel fine, but I have no IPv6 default route.  This seems somewhat like the problem in this thread:

http://forum.pfsense.org/index.php/topic,58731.0.html

If I manually add a default IPv6 route with route(8), everything seems OK.

Bruce.

jimp

Was your IPv6 route under System > Routing marked as default there?

I have two HE.net tunnels (one out DSL, one out Cable) and I get a default route. I'm on a snap from yesterday though. There was a problem with routes sometime in the last week or so though, but it was fixed.

bmah

@jimp:

Was your IPv6 route under System > Routing marked as default there?

Yes it was (is).  Just to make sure I've got the latest and greatest, I did another update, and am now running this:

2.1-BETA1 (i386) built on Sat Feb 16 22:33:24 EST 2013

Still no default IPv6 route until I SSH in to the pfSense box and add it manually.  My IPv4 default route is fine, but that comes via DHCP from my ISP.

UPDATE:  Just for kicks I went to System -> Routing and re-saved the entry for my IPv6 gateway, without making any changes.  After a reboot (one out of one tries) I got my IPv6 default route back.  So I've got a fully-working IPv6 once again, but I don't know exactly why.  :-)

Thanks!

Bruce.

Roots0

I'm having the same problem on:
2.1-BETA1 (i386)
built on Sat Feb 23 05:06:42 EST 2013
FreeBSD 8.3-RELEASE-p6

I'm using a /128 prefix from HE.NET

Re configuring the route solved the problem.

Cino

I've noticed the same issue on box today after a firmware/gitsync update this weekend. Default route for IPv6 disappeared.  I went to System-Routing and re-saved the default route for my HE tunnel and that resolved the issue.. I'm using a HE tunnel setup as /64.

I haven't rebooted but hopefully it will stick instead of me re-saving the route/gateway config…  Last time something like this happen, was when the IPv6 code in pfsense was first implement.

Roots0

I can't re save my Gateway when i go to re-save the un edited page I get the following error:

The gateway address 2001:xxxx:yyyy:zzzz::1 does not lie within the chosen interface's subnet '2001:xxxx:yyyy:zzzz::2/128'.

Also I just reset my cable modem to fix some packet loss due to an ISP problem, and it appears to have lost the IPV6 route again.

jimp

on the assigned interface page, use /126, not /128, that should let it past the gateway error.
Leave it /128 on the GIF config page though.

tebeve

I know this is a week old or so… but I was having this issue as well.

2.1-BETA1 (i386)
built on Thu Feb 21 06:47:29 EST 2013
FreeBSD 8.3-RELEASE-p6

Re-saving the default route config page got my IPv6 back as well.

I'll update my snap and see if anything changes, but I'm assuming since no one has posted in a few days it's good now...

jcyr

Not my experience!

Having followed the instructions at http://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker verbatim,  I can attest that either these instruction are incorrect or incomplete or that the latest build does not provide IPV6 connectivity.

BTW. The above documentation makes no mention of setting:

Router Advertisements: Managed

jimp

The page does mention that setting in text and in a screenshot (though that screenshot is from an older version of the page before RA was split off to its own tab).

If you missed that, you likely missed something else. I've followed that nearly to the letter several times and it's always worked for me.

jcyr

Ok, redid the whole thing from scratch… still not working

Perhaps you can explain the following? When I do an ipconfig on my Win 7 64 box, I see the following for the enabled IPV6 interface:

Wireless LAN adapter Wireless Network Connection:

Connection-specific DNS Suffix  . : dillobits.lan
  Link-local IPv6 Address . . . . . : fe80::810e:f844:426a:d714%14
  IPv4 Address. . . . . . . . . . . : 192.168.1.32
  Subnet Mask . . . . . . . . . . . : 255.255.252.0
  Default Gateway . . . . . . . . . : 2001:470:xxxx:xxxx::3
                                      2001:470:xxxx:xxxx:2::1
                                      192.168.0.1

Why am I getting 2001:470:xxxx:xxxx::3 as a gateway address? That address is not used anywhere??? I would have thought that 2001:470:xxxx:xxxx:2::1 would have been the appropriate gateway!

eri--

Can you describe your setup and paste radvd.conf and dhcpd6 config files?