IPv6 works on pfsense but not on LAN side



  • Hello

    I have an alix2d3 board with "2.1-RELEASE (i386)" installed.
    Recently I started experimenting with ipv6. I have followed the suggestions mentioned on the forum and I can successfully obtain a /56 block address on the LAN interface and a /64 address on WAN interface.
    From pfsense -> diagnostics I can successfully ping all ipv6 address and DNS also works.
    The problem is on the LAN side where although name resolution works on ipv6 address, it doesn't seem to route the packets (request timed out). Tried different machines and O/S (win, linux).
    On the ethernet if of each computer I can see that they obtain only a link local ip (fe80::xxx). I suspect that there is the problem.
    Below I am attaching some screenshots:



    ![](http://s18.postimg.org/6j57kxvft/Screen_Hunter_05_Sep_29_11_55.gif)
    ![](http://s18.postimg.org/88eat0b55/Screen_Hunter_06_Sep_29_11_55.gif)






  • Go to Firewall > Rules > Lan and see if you have an IPV6 rule that allows any IPV6 address on LAN, just like the IPV4 rule. If not, add a new rule based on the IPV4 rule and change the TCP/IP version to IPV6.

    Also, thank you for posting screenshots. I have been trying to get IPV6 working for a week, and noticed you had the option "Request IPV6 information through IPV4", so I tried that option. Now everything works!



  • It is already enabled by default. Also tried to recreate it.



  • Try setting your WAN connection like this, Save, then REBOOT the router. I found these settings work even better on my configuration.

    It seems like for ipv6 configuration changes a full reboot is sometimes necessary.




  • Tried that but without "Request a IPv6 prefix/information through the IPv4 connectivity link" option enabled I cannot connect even from pfsense box.

    [Edit]
    Looks like radvd service does not advertise /56 block on my LAN network.
    I can ping from my pc:

    IPv6 Link Local fe80::1:1%vr0  
    IPv6 address 2a02:214d:8005:f100:20d:b9ff:fe17:b7

    which corresponds to the LAN interface of pfsense but not anything else beyond that (like ipv6.google.com).

    C:\windows\system32>ping -6  ipv6.google.com

    Pinging ipv6.l.google.com [2a00:1450:4017:800::1013] with 32 bytes of data:
    General failure.

    Ping statistics for 2a00:1450:4017:800::1013:
        Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),



  • Under Status > Interfaces and Status > Gateways what does it say about your ipv6 address? And what does your computer ipv6 address say? Have you tried checking all the options in the WAN configuration (IPv4 connectivity as parent, request prefix only, send hint) and then rebooting the router?

    Also what are you using radvd service for? Is that an addon you got for pfsense, or is it on another device? It may be conflicting with what you're trying to do.



  • On pfsense:
    ---------------

    Gateways:

    IPv4: GW_WAN 213.xx.xx.x 213.xx.xxx.x
    IPv6: WAN_DHCP6 fe80::2a94:fff:xxxx:xxxx

    LAN interface: IPv6 address 2a02:214d:8005:f100:20d:xxxx:xxxx:xxx Subnet mask IPv6: 56

    On Computer:

    LAN Interface: Link Local IP: fe80::4045:8288:a6fb:b7be

    radvd is enabled by default as a service on pfsense. I think it is used to advertise the ipv6 subnet on LAN.



  • Where does the /56 on the LAN interface come from? In your earlier WAN configuration screenshot, you had set the delegation size to /64, so you don't actually have a delegated /56 to begin with; also, I believe track interface will generally cause a /64 (possibly one of multiple that make up a larger delegated prefix) to be advertised. Did you do any additional manual configuration?



  • @acidrop:

    On pfsense:
    ---------------

    Gateways:

    IPv4: GW_WAN 213.xx.xx.x 213.xx.xxx.x
    IPv6: WAN_DHCP6 fe80::2a94:fff:xxxx:xxxx

    LAN interface: IPv6 address 2a02:214d:8005:f100:20d:xxxx:xxxx:xxx Subnet mask IPv6: 56

    On Computer:

    LAN Interface: Link Local IP: fe80::4045:8288:a6fb:b7be

    radvd is enabled by default as a service on pfsense. I think it is used to advertise the ipv6 subnet on LAN.

    In your WAN configuration it says 64 bit prefix delegation size, yet you're saying you have a 56bit delegation. Did you switch to 56bit? Is there a reason? Standard practice is to have a 64 bit network prefix for the network, and then 64bits for all the devices.

    If you have a delegation size less than 64 bits, that means you're modifying the subnet identifier.




  • Hello again,

    All settings are obtained automatically from my ISP.
    I haven't done any manual configuration on pfsense.

    As per my ISP:

    "The subscriber terminal equipment (CPE / DSL router) must support IPv6. More specifically, SLAAC (Auto-Configuration) is required to lease WAN / PPP IPv6 address (/64 prefix is given) and the support of DHCPv6-PD to lease a /56 IPv6 prefix in the LAN (the CPE will deal with the share of /56 to a /64 per LAN interface). The network which is given for LAN subscriber is the one that is used in computers (whether through SLAAC, or via the DHCPv6 of CPE)."



  • As per those instructions, you should set "DHCPv6 prefix delegation size" to 56, not to 64. Set all your internal interfaces to "track interface", each with a different "IPv6 prefix ID" between 0 and ff (hex). This should give you a different /64 on each internal interface, all from the /56 that was delegated to you.
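
The prefix-ID arithmetic described in the reply above, as an added example (not part of the original thread and not pfSense's own code): it carves one /64 per tracking interface out of a delegated prefix and rejects IDs that do not fit or that collide. It generalises beyond /56 to any delegation size up to /64; the function names, the interface names and the /61 sample prefix are assumptions made for illustration.

```python
import ipaddress

def lan_subnet(delegated, prefix_id):
    """Return the /64 a tracking interface gets from a delegated prefix.

    delegated: prefix received via DHCPv6-PD, e.g. "2a02:214d:8005:f100::/56"
    prefix_id: hex string as entered in the "IPv6 prefix ID" field
    """
    net = ipaddress.IPv6Network(delegated)   # rejects stray host bits
    if net.prefixlen > 64:
        raise ValueError("a delegation longer than /64 cannot hold a /64")
    id_bits = 64 - net.prefixlen             # /56 -> 8 bits -> IDs 0..ff
    pid = int(prefix_id, 16)
    if not 0 <= pid < (1 << id_bits):
        raise ValueError(
            f"prefix ID {prefix_id} does not fit in {id_bits} bits of {net}")
    # The prefix ID fills the bits between the delegation and the /64 boundary.
    base = int(net.network_address)
    return ipaddress.IPv6Network((base | (pid << 64), 64))


def plan(delegated, interfaces):
    """Map interface name -> /64, refusing two interfaces on one prefix ID."""
    owner, result = {}, {}
    for name, pid in interfaces.items():
        subnet = lan_subnet(delegated, pid)
        if subnet in owner:
            raise ValueError(f"{name} and {owner[subnet]} both use {subnet}")
        owner[subnet] = name
        result[name] = subnet
    return result


if __name__ == "__main__":
    # /56 taken from the LAN address quoted in the thread; interface names
    # and prefix IDs below are constructed for illustration.
    pd = "2a02:214d:8005:f100::/56"
    for name, subnet in plan(pd, {"LAN": "0e", "OPT1": "1"}).items():
        print(f"{name:5} {subnet}")
    # Constructed /61 (documentation range): only IDs 0..7 exist.
    print(lan_subnet("2001:db8:0:8::/61", "7"))
```
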



  • each with a different "IPv6 prefix ID" between 0 and ff (hex)

    Can you please tell which should be correct for my case?



  • @acidrop:

    each with a different "IPv6 prefix ID" between 0 and ff (hex)

    Can you please tell which should be correct for my case?

    00
    01
    02
    03
    04
    05
    06
    07
    09
    0a
    0b
    0c
    0d
    0e
    0f

    ...
    ...
    fa
    fb
    fc
    fd
    fe
    ff

    ;)



  • I'm using pfSense 2.1 RELEASE.

    On first setup, I'm only using IPv6 on LAN, and the result works. When I enable IPv4 on the same interface, IPv6 cannot work on the same interface.



  • ok I made some progress.

    After changing IPv6 Prefix ID=0e at Interfaces -> LAN now I can obtain an ipv6 on LAN card of my pc:

    and

    For some seconds I could successfully ping and open http://ipv6.google.com and then the same again… :(



  • @acidrop:

    ok I made some progress.

    After changing IPv6 Prefix ID=0e at Interfaces -> LAN now I can obtain an ipv6 on LAN card of my pc:

    You shouldn't have to set it to any "correct" value; with a /56 delegated to you, any value in the given range (0-255, converted to hex) should work.

    The rest of your post sounds like a firewall issue. Do you have a pass rule for IPv6 traffic on the LAN interface (IPv6 from LAN subnet to any)? Anything relevant in the firewall log?



  • Yes that rule exists by default and I have replicated it also. Nothing is logged on firewall logs.
    On systems logs this message is repeated all the time:

    php: rc.newwanipv6: rc.newwanipv6: Failed to update wan IPv6, restarting…
    dhcp6c[59545]: update_ia: status code for NA-0: no addresses



  • Try checking "request only a IPv6 prefix" in the WAN settings.



  • Also, make sure that in status->services, radvd is present and listed as running.



  • Try checking "request only a IPv6 prefix" in the WAN settings.

    Success! Enabling that option along with 'Use IPv4 connectivity as parent interface' and prefix size /56 on WAN interface did the trick. Also I should select 'track interface' and 'IPv6 Prefix ID' something between 00-ff but not 0! (I chose 0e). Finally I rebooted the device and everything is working.
    Thank you all for your help and patience! Cheers!



  • I spoke too fast. Although ipv6 works correctly for 2-3 days, then suddenly it stops. Even if I reboot the device it doesn't work. The only way it can work again is by modifying the value "ipv6 prefix id" on lan to something else for example 6, 8, f etc. Any ideas why this could happen?



  • I have the same issue, same hardware and version, different ISP (Hughesnet Gen4). I have native IPv6, I get a /64 on the WAN side, I can't get the right allocation on the LAN side because they hand out a /61 and that isn't a choice in the pull down menu, but if I pick /62 it all seems to look right. None of my hosts on the LAN side (pretty much all apple devices at the moment) get an address.

    radvd is running in services, but because I have track interface for LAN, not a static, I can't set anything for the RA, and I don't know what the defaults are.

    I see the RAs in tcpdump from fe80::1:1, which is the LAN interface address, and they have a /63 prefix in 2001: that matches the LAN address on the pfsense box, but the host never gets an autoconfig address. I use autoconfig on the same laptop at work every day, and it's fine there.

    I'm new to pfsense, and I've only done IPv6 routing on enterprise-level gear, not home network stuff, but it's the only public address I can get out of Hughesnet, so any ideas are greatly appreciated.

