MultiWAN IPv6 using SIXXS



  • I've successfully set up 2.1-RELEASE using two pppoe WAN links and load balancing for IPv4 using this guide: https://doc.pfsense.org/index.php/Multi-WAN_2.0

    Now I'm trying to set up two SIXXS tunnels and load balancing for IPv6 using these guides:

    https://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker
    https://doc.pfsense.org/index.php/Multi-WAN_for_IPv6

    My problem is that only one of my v6 gateways is reachable. After I set up the first tunnel, the first gateway was working. After setting up the second tunnel (and the second gateway as default) the second gateway was working, but the first was unreachable.

    I've set up the whole box from scratch two times and always have the same behaviour (only one v6 gateway working, but not always the same).

    I've already patched the interfaces.inc (missing "/" for prefixlen on gif interfaces).

    My last step was to capture the traffic on all involved interfaces while pinging both gateways directly from the pfsense ssh console and now I'm totally confused. I see my ICMPv6 packets encapsulated in v4 packets on the corresponding pppoe interfaces and also the replies from the gateway. The ICMPv6 requests are also visible on both gif interfaces but the replies are only visible on one gif interface.

    
    #tcpdump -n -i pppoe0 host 78.35.24.124 or host 212.224.0.188
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pppoe0, link-type NULL (BSD loopback), capture size 96 bytes
    12:51:04.509909 IP 93.220.xx.xx > 78.35.24.124: IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19470, length 24
    12:51:04.540057 IP 78.35.24.124 > 93.220.xx.xx: IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19470, length 24
    12:51:05.522582 IP 93.220.xx.xx > 78.35.24.124: IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19726, length 24
    12:51:05.553248 IP 78.35.24.124 > 93.220.xx.xx: IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19726, length 24
    12:51:06.534635 IP 93.220.xx.xx > 78.35.24.124: IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19982, length 24
    12:51:06.564812 IP 78.35.24.124 > 93.220.xx.xx: IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19982, length 24
    12:51:06.594756 IP 78.35.24.124 > 93.220.xx.xx: IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo request, seq 3969, length 988
    12:51:06.594890 IP 93.220.xx.xx > 78.35.24.124: IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo reply, seq 3969, length 988
    
    
    
    #tcpdump -n -i pppoe1 host 78.35.24.124 or host 212.224.0.188
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pppoe1, link-type NULL (BSD loopback), capture size 96 bytes
    12:51:04.509744 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 59914, length 24
    12:51:04.539208 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, echo reply, seq 59914, length 24
    12:51:05.522416 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60170, length 24
    12:51:05.552192 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, echo reply, seq 60170, length 24
    12:51:06.534465 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60426, length 24
    12:51:06.546602 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, neighbor solicitation, who has 2001:6f8:900:10da::1, length 24
    12:51:06.564419 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, echo reply, seq 60426, length 24
    12:51:06.576261 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, neighbor advertisement, tgt is 2001:6f8:900:10da::1, length 24
    
    
    
    #tcpdump -n -i gif0
    tcpdump: WARNING: gif0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
    12:51:05.522569 IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19726, length 24
    12:51:05.553266 IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19726, length 24
    12:51:06.534624 IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19982, length 24
    12:51:06.564826 IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19982, length 24
    12:51:06.594769 IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo request, seq 3969, length 988
    12:51:06.594875 IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo reply, seq 3969, length 988
    12:51:07.547113 IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 20238, length 24
    12:51:07.577503 IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 20238, length 24
    
    
    
    #tcpdump -n -i gif1
    tcpdump: WARNING: gif1: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on gif1, link-type NULL (BSD loopback), capture size 96 bytes
    12:51:05.522385 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60170, length 24
    12:51:06.534446 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60426, length 24
    12:51:06.546581 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, neighbor solicitation, who has 2001:6f8:900:10da::1, length 24
    12:51:07.546931 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60682, length 24
    12:51:07.559631 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, neighbor solicitation, who has 2001:6f8:900:10da::1, length 24
    
    
    
    #netstat -nr
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           2001:6f8:900:10da::1          UGS        gif1
    ::1                               ::1                           UH          lo0
    2001:6f8:900:10da::/64            link#14                       U          gif1
    2001:6f8:900:10da::2              link#14                       UHS         lo0
    2001:4dd0:ff00:12a9::/64          link#13                       U          gif0
    2001:4dd0:ff00:12a9::2            link#13                       UHS         lo0
    ff01::%pppoe0/32                  fe80::222:4dff:fea4:ec30%pppoe0 U        pppoe0
    ff01::%pppoe1/32                  fe80::222:4dff:fea4:ec30%pppoe1 U        pppoe1
    ff01::%gif0/32                    fe80::222:4dff:fea4:ec30%gif0 U          gif0
    ff01::%gif1/32                    fe80::222:4dff:fea4:ec30%gif1 U          gif1
    ff02::%pppoe0/32                  fe80::222:4dff:fea4:ec30%pppoe0 U        pppoe0
    ff02::%pppoe1/32                  fe80::222:4dff:fea4:ec30%pppoe1 U        pppoe1
    ff02::%gif0/32                    fe80::222:4dff:fea4:ec30%gif0 U          gif0
    ff02::%gif1/32                    fe80::222:4dff:fea4:ec30%gif1 U          gif1
    
    
    
    #pfctl -sr | grep gif
    scrub on gif0 all fragment reassemble
    scrub on gif1 all fragment reassemble
    block drop in log quick on gif0 from <bogons> to any label "block bogon IPv4 networks from SIXXS"
    block drop in log quick on gif0 from <bogonsv6> to any label "block bogon IPv6 networks from SIXXS"
    block drop in on ! gif0 inet6 from 2001:4dd0:ff00:12a9::/64 to any
    block drop in on gif0 inet6 from fe80::222:4dff:fea4:ec30 to any
    block drop in log quick on gif0 inet from 10.0.0.0/8 to any label "Block private networks from SIXXS block 10/8"
    block drop in log quick on gif0 inet from 127.0.0.0/8 to any label "Block private networks from SIXXS block 127/8"
    block drop in log quick on gif0 inet from 100.64.0.0/10 to any label "Block private networks from SIXXS block 100.64/10"
    block drop in log quick on gif0 inet from 172.16.0.0/12 to any label "Block private networks from SIXXS block 172.16/12"
    block drop in log quick on gif0 inet from 192.168.0.0/16 to any label "Block private networks from SIXXS block 192.168/16"
    block drop in log quick on gif0 inet6 from fc00::/7 to any label "Block ULA networks from SIXXS block fc00::/7"
    block drop in log quick on gif1 from <bogons> to any label "block bogon IPv4 networks from SIXXS2"
    block drop in log quick on gif1 from <bogonsv6> to any label "block bogon IPv6 networks from SIXXS2"
    block drop in on ! gif1 inet6 from 2001:6f8:900:10da::/64 to any
    block drop in on gif1 inet6 from fe80::222:4dff:fea4:ec30 to any
    block drop in log quick on gif1 inet from 10.0.0.0/8 to any label "Block private networks from SIXXS2 block 10/8"
    block drop in log quick on gif1 inet from 127.0.0.0/8 to any label "Block private networks from SIXXS2 block 127/8"
    block drop in log quick on gif1 inet from 100.64.0.0/10 to any label "Block private networks from SIXXS2 block 100.64/10"
    block drop in log quick on gif1 inet from 172.16.0.0/12 to any label "Block private networks from SIXXS2 block 172.16/12"
    block drop in log quick on gif1 inet from 192.168.0.0/16 to any label "Block private networks from SIXXS2 block 192.168/16"
    block drop in log quick on gif1 inet6 from fc00::/7 to any label "Block ULA networks from SIXXS2 block fc00::/7"
    pass out route-to (gif0 2001:4dd0:ff00:12a9::1) inet6 from 2001:4dd0:ff00:12a9::2 to ! 2001:4dd0:ff00:12a9::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (gif1 2001:6f8:900:10da::1) inet6 from 2001:6f8:900:10da::2 to ! 2001:6f8:900:10da::/64 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em1_vlan1 route-to (gif0 2001:4dd0:ff00:12a9::1) inet6 from 2001:4dd0:xxxx:xxxx::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
    pass in quick on em1_vlan13 route-to (gif0 2001:4dd0:ff00:12a9::1) inet6 all flags S/SA keep state label "USER_RULE"
    pass in log quick on gif0 inet proto icmp all keep state label "USER_RULE"
    pass in log quick on gif0 inet6 proto ipv6-icmp all keep state label "USER_RULE"
    pass in log quick on gif1 inet proto icmp all keep state label "USER_RULE"
    pass in log quick on gif1 inet6 proto ipv6-icmp all keep state label "USER_RULE"
    






  • Were you ever able to solve this? I just ran into the same problems with 2 GIF tunnels to HE.net terminated on different WAN interfaces (Cable/DSL). Only one gateway is seen as up.



  • Unfortunately not, I'm still having only one of my IPv6 Tunnels working.



  • Did you try the latest snapshots of 2.1.1? They have fixes for this situation.



  • I tried with

    2.1.1-PRERELEASE (i386)
    built on Sat Mar 1 03:30:07 EST 2014
    FreeBSD 8.3-RELEASE-p14

    Thanks for the info, I am going to try a newer one soon when I find the time.



  • Maybe this topic should be moved to the 2.1.1 forum.

    I have now tried with:

    2.1.1-PRERELEASE (i386) 
    built on Sat Mar 8 11:52:39 EST 2014 
    FreeBSD 8.3-RELEASE-p14
    
    

    Set up an additional HE.net tunnel on my second WAN interface. Still only one tunnel works. The problem is still that answers from the IPv6 gateway at HE.net are getting lost somewhere between the WAN and GIF interface.

    tcpdump on the WAN interface looks good:

    tcpdump -s1600 -nvvi em1 host 216.66.80.30
    tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 1600 bytes
    06:50:42.600454 IP (tos 0x0, ttl 30, id 60399, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 22711
    06:50:42.616693 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 22711
    06:50:43.603969 IP (tos 0x0, ttl 30, id 44264, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 22967
    06:50:43.620818 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 22967
    06:50:44.610546 IP (tos 0x0, ttl 30, id 40805, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23223
    06:50:44.626985 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 23223
    06:50:45.572646 IP (tos 0x0, ttl 30, id 33608, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:****:****::1
    06:50:45.585132 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:470:****:****::1, Flags [router, solicited]
    06:50:45.623895 IP (tos 0x0, ttl 30, id 58383, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23479
    06:50:45.639155 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 23479
    06:50:46.572674 IP (tos 0x0, ttl 30, id 59642, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:****:****::1
    06:50:46.585204 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:470:****:****::1, Flags [router, solicited]
    06:50:46.633658 IP (tos 0x0, ttl 30, id 44540, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23735
    06:50:46.649263 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 23735
    06:50:47.572683 IP (tos 0x0, ttl 30, id 56542, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:****:****::1
    06:50:47.585437 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is 2001:470:****:****::1, Flags [router, solicited]
    06:50:47.640561 IP (tos 0x0, ttl 30, id 42701, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23991
    06:50:47.657396 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 23991
    06:50:48.654155 IP (tos 0x0, ttl 30, id 20255, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 24247
    06:50:48.669570 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 24247
    06:50:49.660724 IP (tos 0x0, ttl 30, id 10954, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 24503
    06:50:49.675878 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 24503
    06:50:50.670905 IP (tos 0x0, ttl 30, id 16076, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 24759
    06:50:50.685841 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 24759
    06:50:51.678833 IP (tos 0x0, ttl 30, id 41390, offset 0, flags [none], proto IPv6 (41), length 84)
        5.146.32.147 > 216.66.80.30: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 25015
    06:50:51.695959 IP (tos 0x0, ttl 247, id 0, offset 0, flags [DF], proto IPv6 (41), length 84)
        216.66.80.30 > 5.146.32.147: IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::1 > 2001:470:****:****::2: [icmp6 sum ok] ICMP6, echo reply, length 24, seq 25015
    
    

    tcpdump on the GIF interface is missing all the answer packets from HE.net:

    tcpdump -s1600 -nvvi gif0
    tcpdump: WARNING: gif0: no IPv4 address assigned
    tcpdump: listening on gif0, link-type NULL (BSD loopback), capture size 1600 bytes
    06:50:40.580377 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 22199
    06:50:41.590159 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 22455
    06:50:42.600240 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 22711
    06:50:43.603689 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 22967
    06:50:44.610307 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23223
    06:50:45.572301 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:****:****::1
    06:50:45.623676 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23479
    06:50:46.572297 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:****:****::1
    06:50:46.633439 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23735
    06:50:47.572317 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has 2001:470:****:****::1
    06:50:47.640302 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 23991
    06:50:48.653890 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 24247
    06:50:49.660500 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 24) 2001:470:****:****::2 > 2001:470:****:****::1: [icmp6 sum ok] ICMP6, echo request, length 24, seq 24503
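
The comparison both posters made by eye (echo replies present in the WAN capture but absent from the gif capture) can be automated. The following is an added example, not part of the original posts; the function names are illustrative, the sample lines are copied from the first post's captures, and the regex also accepts the `-vv` layout used in the later post.

```python
import re

# Matches the inner IPv6 echo in both plain (-n) and verbose (-vv) tcpdump
# output, with or without the outer "IP a > b:" proto-41 header in front.
ECHO = re.compile(
    r"(\S+) > (\S+): (?:\[icmp6 sum ok\] )?"
    r"ICMP6, echo (request|reply),.*?\bseq (\d+)"
)


def echo_exchanges(capture):
    """Map (requester, responder, seq) -> set of kinds seen in a capture."""
    seen = {}
    for line in capture.splitlines():
        m = ECHO.search(line)
        if not m:
            continue  # tcpdump banners, neighbor discovery, outer-header lines
        src, dst, kind, seq = m.group(1), m.group(2), m.group(3), int(m.group(4))
        # A reply travels responder -> requester, so flip it onto the same key.
        key = (src, dst, seq) if kind == "request" else (dst, src, seq)
        seen.setdefault(key, set()).add(kind)
    return seen


def lost_replies(outer_capture, inner_capture):
    """Seqs answered on the WAN side whose reply never shows on the gif side."""
    outer = echo_exchanges(outer_capture)
    inner = echo_exchanges(inner_capture)
    # Only seqs present in both captures are judged, so captures that start
    # at slightly different times do not produce false positives.
    return sorted(
        key[2]
        for key, kinds in outer.items()
        if kinds == {"request", "reply"} and inner.get(key) == {"request"}
    )


# Sample lines copied from the first post (pppoe1/gif1: the failing tunnel).
PPPOE1 = """\
12:51:04.509744 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 59914, length 24
12:51:04.539208 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, echo reply, seq 59914, length 24
12:51:05.522416 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60170, length 24
12:51:05.552192 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, echo reply, seq 60170, length 24
12:51:06.534465 IP 62.226.xx.xx > 212.224.0.188: IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60426, length 24
12:51:06.564419 IP 212.224.0.188 > 62.226.xx.xx: IP6 2001:6f8:900:10da::1 > 2001:6f8:900:10da::2: ICMP6, echo reply, seq 60426, length 24
"""
GIF1 = """\
12:51:05.522385 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60170, length 24
12:51:06.534446 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, echo request, seq 60426, length 24
12:51:06.546581 IP6 2001:6f8:900:10da::2 > 2001:6f8:900:10da::1: ICMP6, neighbor solicitation, who has 2001:6f8:900:10da::1, length 24
"""
# Sample lines copied from the first post (pppoe0/gif0: the working tunnel).
PPPOE0 = """\
12:51:05.522582 IP 93.220.xx.xx > 78.35.24.124: IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19726, length 24
12:51:05.553248 IP 78.35.24.124 > 93.220.xx.xx: IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19726, length 24
"""
GIF0 = """\
12:51:05.522569 IP6 2001:4dd0:ff00:12a9::2 > 2001:4dd0:ff00:12a9::1: ICMP6, echo request, seq 19726, length 24
12:51:05.553266 IP6 2001:4dd0:ff00:12a9::1 > 2001:4dd0:ff00:12a9::2: ICMP6, echo reply, seq 19726, length 24
"""

if __name__ == "__main__":
    print("gif1 lost replies:", lost_replies(PPPOE1, GIF1))
    print("gif0 lost replies:", lost_replies(PPPOE0, GIF0))
```

A non-empty result for a tunnel means the encapsulated reply reached the WAN interface but was never delivered to the gif interface, which is the symptom described in this thread.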
    


  • I'm wondering if your issue and mine (last post in particular) are one and the same.  I haven't tried the 2.1.1 snapshots yet, though.



  • At least both problems are suffering from packets not going where they are supposed to ;) Ermal should take a look at this. Meanwhile I have found a dirty workaround to use 2 IPv6 gateways. If you can work with static IPv6 IPs and an IPv6 enabled router, you can Hide-NAT your IPv6 LAN net behind the secondary IPv6 gateway's address. Outgoing NAT works when you use IPv6 aliases. I originally tried this here: https://forum.pfsense.org/index.php?topic=73693.0 and now I use it on my secondary IPv6 connection.
    I do not recommend this though, because nobody would expect you to be doing NAT on v6 and it might break things.
    But it's the only way I found to make IPv6 MultiWAN actually work at all.

    • 2 tunnels don't work
    • using DHCPv6 with a delegated prefix on WAN2 won't work, the prefix is lost after approx. an hour. And even if it weren't lost I could not find any way to dynamically Npt the delegated prefix to my LAN net. It would require manual intervention every time the delegated net changes.
    • 2 IPv6 routers in the same net distributing global addresses should be the solution (at least that's what I learned at a conference 2 years ago), but while Windows 7 has no problem with multiple IPv6 default gws through routers using different priorities, Ubuntu has. I have read Debian works but have not tried. So that is no option either. Have not tried iOS or OSX though, just gave up on that because the Linux boxes are a showstopper.

    Has anyone found a better way to make IPv6 Multi WAN work with partly or fully dynamic IPv6 nets?



  • Normally you have to use NAT for this.

    It is very dependent and error-prone to change prefixes like that on failure.
    That is because the definition of failure is very vague.

    Also, presently there is no way you can follow (track6) 2 different WANs in pfSense.

