Ping resolves IPv6 address but browsing http is with IPv4 https works with IPv6

Rocco · Sep 17, 2013, 6:33 AM

I hope someone can help me with this strange problem. I have a new pfSense 2.1 installed with clean config. I followed https://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker
for setting up an IPv6 tunnel with tunnelbroker.net. Everything works fine. I can ping to different websites with IPv6 addresses and all resolves to these IPv6 IP's. But when I test with a browser (Chrome, IE10 or Firefox) they all browse the website through the IPv4 address except for one: www.google.com. What am I missing?

Rocco · Sep 16, 2013, 9:06 PM

I can now see that when I browse https websites with IPv6 my browsers are using the IPv6 address. Only http websites can only be browsed with the IPv4 address. Does somebody else have this problem?

razzfazz · Sep 16, 2013, 11:42 PM

Most modern browsers will prefer the faster (according to some metric) of the two protocols on a dual-stack machine; look up "happy eyeballs". Try opening an IPv6-only website such as http://ipv6.test-ipv6.com.

Rocco · Sep 17, 2013, 6:29 AM

I already tried opening ipv6 only websites and none of them showed in the browser. I got the same sort of time-out on all IPv6 websites. Also on http://ipv6.test-ipv6.com. I got this error: No acccess to network on chrome. So it seems all http websites don't work with ipv6 but all https websites work fine and I can see the connection is made through the HE IPv6 tunnel.

doktornotor · Sep 17, 2013, 6:36 AM

Yeah, so you have some broken transparent proxy somewhere.

Rocco · Sep 17, 2013, 1:09 PM

But how can I see what is broken? It's a brand new install with nothing configured yet. Only the tunnelbroker.net IPv6 tunnel is configured and some things work with IPv6 and somethings like http over IPv6 dont work. I have an alix 2d3 board with pfsense 2.1 release installed.

doktornotor · Sep 17, 2013, 2:30 PM

I have no idea what broken proxy you happen to have where. This obviously has nothing to do with IPv6 support on pfSense.

Rocco · Sep 17, 2013, 3:38 PM

Why has this nothing to do with IPv6 support on pfSense. It's the only thing I changed in my network. Before 21. I had pfSense 2.03 with no IPv6 tunnel and a seperate m0n0wall with the tunnelbroker.net IPv6 tunnel configured through pfSense. Everything worked fine with that setup. All IPv6 websites worked great. I coud even access all my IPv6 devices from the WAN side. Now with pfSense 2.1 realse I thought I could get rid of the extra m0n0wall in my network because I want to setup the tunnel with pfSense. Now only http IPv6 websites cannot be accessed.

doktornotor · Sep 17, 2013, 6:54 PM

Because pfSense does not give a damn whether you try to browser Google or anything else via HTTP or HTTPS unless you blocked either the destionation port, or the destination IP, or both. The DNS resolution works, as you said, even www.google.com works over HTTPS. Now, care to explain to us what do you think a packet filter has to do with other sites not working over IPv6 unless encrypted?

Rocco · Sep 18, 2013, 10:23 AM

The problem is not the firewall in pfSense. I have opened up all ports for IPv4 and IPv6 as I already had done with my m0n0wall what worked fine. I can see in the firewall logs of pfSense nothing is blocked from the LAN. But still no IPv6 traffic to http IPv6 websites. I was wondering if anybody else has this strange behaviour on 2.1 release.

doktornotor · Sep 18, 2013, 10:27 AM

Yeah, good. The firewall is indeed not the problem and blocks nothing there. So, you need to starting looking somewhere else than at pfSense (packages, proxies, browsers, some security crap on workstations.)

Rocco · Sep 18, 2013, 8:01 PM

But I have several different machines with this strange behaviour: One laptop with windows 8, one PC with Windows 7, one laptop with windows 7. One iPad 3 and a samsung android smartphone. They all could browse IPv6 websites over http through the tunnel with m0n0wall behind pfSense 2.0.3. Since the day I replaced this setup with pfSense 2.1 and configured the tunnel on that device without the m0n0wall none of the devices work with IPv6 over http. Is it strange to think it's some problem with pfSense and the tunnelbroker.net tunnel? If I have some time this week I will replace the pfSense on the alix with m0n0wall 1.34 and try the tunnel again.

cmb · Sep 19, 2013, 12:54 AM

Your browser and/or OS (depending on specifics) determine whether you will access a site via HTTP or HTTPS. The firewall can't impact that decision. If you have functional IPv6 connectivity, the firewall is out of the picture at that point. Check for why your OS and/or browser would prefer v4 over v6. Make sure it's doing an AAAA lookup and that it's getting a proper response as well (via packet capture probably best).

kejianshi · Sep 19, 2013, 1:14 AM

Maybe the browsers on the client machines are preferring DHCP with IPV4 DHCP servers.