IPv6 configured properly but can't configure hosts in the LAN
I'm running pfSense 2.1.1 PRERELEASE on an Alix Box.
I managed to configure a tunnelbroker IPv6 interface and it finally works well, but only between the router and tunnelbroker.
Now I'm trying to assign IPv6 addresses to hosts on my LAN but I can't make it work yet.
Hosts are configured to take addresses via DHCP and I configured DHCPv6 Server/RA as in the how to, but no IP address is taken.
I haven't even been able to make it work via static IP addresses.
Maybe I'm missing some concept on IPv6 :(
I'm using a Windows 8.1 host and a Windows 7 one.
I found a typing error on the LAN address that, of course, caused the routing problem.
Then I found that my ISP's DNS servers, apparently, are filtering AAAA queries, so I had to prefer static DNS servers.
Now, IPv6 is working, but still with static LAN addresses.
For some reason I can't understand, DHCPv6 Server/RA is not assigning IPs to LAN interfaces.
I have some questions:
- Are all your hosts computers, mobile phones (wifi) etc.?
Or are some of your hosts also home routers?
That is e.g. my case with home routers. Here manually (meaning by you) static routes defined in pfSense will solve the problem to allow the home router to get to pfSense LAN hosts and pfSense LAN hosts getting to the home routers and their clients, because pfSense issues ICMP Redirects. However I am (when I get some time) investigating how to use RA together with "Default Router List" defined in RFC2461 which to my understanding is called "config route" in radvd e.g. look here http://wiki.openwrt.org/doc/uci/radvd
To my understanding pfSense 2.1 does not give any GUI option to define the route list in RA and I am also not sure if pfSense supplies the e.g. home routers with routes (that they can add to their own route list) e.g. when a static route has been defined or supplied by DHCPv6 (but I don't think so in either case).
According to RFC2461 ICMP redirects are not allowed to change the router route table (if you look in chapter 8.2. Router Specification). It would however be kind of nice if pfSense automatically added static routes whenever e.g. DHCP-PD together with DHCPv6 issues network and prefix as well as a WAN ip for e.g. a (sub) home router. I have really considered to make a feature report for pfSense redmine. However I first have to make some tests so I know how it all works regarding RA and DHCPv6/DHCP-PD. Also isc.org plans to update DHCPv6 to my understanding that should give DHCPv6 some additional features regarding passing on route information, but I have not investigated that further yet.
If you like you can read about some of my experiences here:
https://forum.pfsense.org/index.php/topic,71557.0.html as well as http://forums.dlink.com/index.php?topic=57422.0 (it is long, but it is about how the network administrator of a pfSense router needs to specify a static route to a sub network as well as limit the prefix of pfSense's own LAN to a /64 prefix (e.g. from /48 to /64 in my case)).
If you use RA alone it is the host that configures itself.
If you use DHCPv6 you need to set RA accordingly e.g. Router Advertisements to "Managed" (DHCPv6 only) or "Assisted" for DHCPv6 Server assignment combined with Stateless Autoconfig (meaning the client can configure itself with a temporary IPv6 address for anonymity purposes.)
Regarding static DNS - do you mean you had to choose e.g. Google's DNS servers or OpenDNS?
Regarding DNS, it can be helpful to use the pfSense DNS forwarder because your clients then get your pfSense as IPv6 DNS server, whereas you can define in pfSense what DNS server pfSense should use. It can even have an IPv4 address because your pfSense will give the clients pfSense's own IPv4 and IPv6 addresses, which will function as DNS server for the clients.
I use pfSense 2.1 and for now will wait to upgrade to any pre-release of pfSense 2.1.1 or pfSense 2.2
- Are all your hosts computers, mobile phones (wifi) etc.?
First of all, thank you for your answer.
About your first question, I only have computer hosts in my LAN, but no other routers, so I suppose that is the simplest case.
So I have to learn a little more to achieve a better understanding on what you are experimenting.
As far as I've been testing, I turned on the DHCPv6/RA Service on pfSense, set an address range and configured RA to managed. So I was expecting that when I first connect to my LAN with a host, it immediately gets a new IPv6 address from the range configured in pfSense, just like it works with the IPv4 DHCP Service. My hosts are IPv6 enabled and configured to get addresses automatically via DHCP.
But I think that I must be doing something wrong, maybe at my hosts or at pfSense, because they don't get IP addresses but only keep configured with the local scope IPv6 addresses, nor do they get a default gateway or DNS.
So, I thought that I had some misunderstanding on what DHCP does on IPv6 in contrast to DHCP on IPv4.
Regarding your second question, I've tested all four options that are present on pfSense 2.1.1 PRERELEASE under RA menu and none of them made a difference. They just didn't work.
Your third question: I'm using static DNS servers configured under General Setup because when I used the automatic assigned DNSs of my ISP I was getting no IPv6 addresses on AAAA queries. It is known that some ISPs are actually filtering such queries, I believe, just because IPv6 routing is not provided by them yet. So the problem has been solved with static DNSs as Google's ones and Tunnelbroker's ones.
So, as your fourth comment says, my hosts are receiving pfSense's IPv4 address as DNS server and pfSense is forwarding DNS queries to the outside, but that's only working on IPv4 because, again, DHCPv6 is not working for me as I expected.
Maybe you can throw me a clue or something to make it work…
Thank you again and regards....
It sounds like the old bug where pfSense does not reload its filters. I thought the pfSense devs had fixed that in the 2.1.1 tree.
Try the menu - Status - Filter Reload - Click the "Reload Filter" button.
Now try to make one of your hosts ask for an ipv6 address (reboot the host or use its network manager to ask for a connection)
See what happens. Also check out menu Status - DHCPv6 leases
Keep RA on managed or assisted (regarding privacy)
What is the prefix of your IPv6 LAN?
To avoid problems use /64 even if your delegated network prefix of your ISP is /56 or /48.
There is no way you can fix a broken DNS at the ISP, so what you did seems right! Also you cannot be sure how your hosts will look up an AAAA record if they are configured with your ISP DNS from DHCPv4 and e.g. Google DNS through DHCPv6. If you truly want to find out how your hosts work you can try to make some tests in a command prompt. Also it is kind of funny (as another test) to deactivate the IPv4 stack and try to surf the net only on IPv6 - you will find out that e.g. Facebook only works to some extent - you will see status updates but the chat does not seem to work. So I can recommend that after you have made the http://test-ipv6.com/ test you try on one of your hosts to deactivate the IPv4 stack and see what happens :-)
It will work(!) when DHCPv6 starts working, so I guess the main problem is in 1), but if you also want assisted in RA you must use /64 (to my understanding regarding Stateless Autoconfig.)
hi again al,
OK, I did what you advised and these are the results:
I pressed "Reload Filter" on the filter reload page
Kept RA on managed state using the same prefix /64 that tunnelbroker delegated to me.
DNSs AAAA filtering is what I read from test-ipv6.com page so I assumed that 126.96.36.199 is a fully double stack server as many others that are fully supporting IPv6 by now
It worked partially, so an IP address was assigned but not DNS nor default gateway. I'm using DNS forwarder so I think that the router IP should be passed as DNS server to hosts on the LAN. But nothing is passed instead.
I did the following on a Windows 7 host:
I set the adapter to get its IPv6 address from DHCP and then opened a cmd window and entered commands to renew the IPv6 address that previously was fixed
ipconfig /release6 "Local area connection"
ipconfig /renew6 "Local area connection"
After that the IP address was assigned from the pool, but unfortunately there was no DNS server or default gateway.
Just after posting this message I see that now the DNS server is assigned as the router IP, but still there is no default gateway visible on the interface
I just tested a "ping /6 ipv6.google.com" and voila, it worked so the default gateway is somehow known by the host.
Now I see that I've been ignoring that in fact, there is a default gateway assigned and is set as the IPv6 Link Local address of the router's LAN interface.
So I was expecting to see the IPv6 global scope address and instead of that the IPv6 local scope one is passed to the hosts.
So now I can say that at least DHCPv6 is working for my Windows 7 host. Now I'll see on my W8.1 box...
Happy to hear it worked out in the end :)
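Added example (not part of the original thread): the outcome above, where DHCPv6 hands out the address and DNS while the default gateway shows up as the router's link-local address, follows from how hosts read a Router Advertisement. This sketch decodes the RFC 4861 RA fields and reports what a client will do; the "Managed"/"Assisted" labels follow the thread's own description of those modes (an assumption, not taken from pfSense code), the /64 check assumes 64-bit interface identifiers, and all addresses and packets are constructed.

```python
import ipaddress
import struct

def build_ra(managed, autonomous, prefix="2001:db8:1::/64", lifetime=1800):
    """Constructed sample RA (checksum left 0; it is not verified here)."""
    net = ipaddress.IPv6Network(prefix)
    flags = 0xC0 if managed else 0x00              # sample sets M and O together
    head = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)    # L always, A optional
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, pflags, 86400, 14400, 0)
    return head + opt + net.network_address.packed

def parse_ra(icmp, src):
    """Decode the RA fields a host acts on (RFC 4861 sections 4.2 and 4.6.2)."""
    if len(icmp) < 16 or icmp[0] != 134 or icmp[1] != 0:
        raise ValueError("not a Router Advertisement")
    source = ipaddress.IPv6Address(src)
    if not source.is_link_local:
        raise ValueError("RA must come from a link-local source")
    flags, lifetime = struct.unpack_from("!BH", icmp, 5)
    info = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            # The default gateway is the RA's link-local source, not a DHCPv6 field.
            "gateway": str(source) if lifetime > 0 else None, "prefixes": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0 or off + icmp[off + 1] * 8 > len(icmp):
            raise ValueError("malformed option")
        size = icmp[off + 1] * 8                   # option length is in 8-byte units
        if icmp[off] == 3 and size == 32:          # Prefix Information option
            net = ipaddress.IPv6Network((icmp[off + 16:off + 32], icmp[off + 2]), strict=False)
            info["prefixes"].append((str(net), bool(icmp[off + 3] & 0x40)))
        off += size
    return info

def host_plan(info):
    """How a client obtains addresses, gateway and DNS from this RA."""
    # Only autonomous /64 prefixes are usable for stateless autoconfiguration.
    slaac = [p for p, auto in info["prefixes"] if auto and p.endswith("/64")]
    return {"dhcpv6_address": info["managed"], "slaac_prefixes": slaac,
            "dhcpv6_dns": info["managed"] or info["other"], "gateway": info["gateway"]}

if __name__ == "__main__":
    for name, auto in (("Managed", False), ("Assisted", True)):
        print(name, host_plan(parse_ra(build_ra(True, auto), "fe80::1:1")))
```
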