No access (ping) from LAN -> Outside



  • Hey!
    I am really new to IPv6, so I had to read a lot about it and also do "trial and error" ;-)
    But now I'm stuck somehow…
    My situation:

    Configured WAN with DHCP6
    I receive a global address from that /64 pool from my ISP.
    Configured LAN as static IPv6 with "2a02:1y8:xx:xx::2 /64"
    Configured DHCPv6 with a range, RA as "assisted", router priority as "low"

    My clients receive IPv6 addresses from that pool; they can ping each other and the LAN interface.
    BUT nothing outside, no gateway, no Google etc.

    I added Firewall rules in LAN & WAN: IPv6 ICMP from any to any

    Any ideas what I forgot?

    Best wishes

    Steve



  • Does anything IPv6 work? Or is it just ICMP?

    Where did you get that static from?  It wouldn't be typical to have DHCP WAN and static LAN for IPv6.
    You would normally set the LAN to 'track' the WAN and then there would be Prefix Delegation (DHCP-PD) to assign the LAN net.

    The default firewall rules will allow ICMP out.



  • Well, I checked with ICMP and with curl to the IP.

    My ISP gave me a static IPv4 and an IPv6 Range.
    With IPv4 there is no problem at all, only IPv6.

    Would it be better to set up static IPv6 on WAN, instead of DHCP6?



  • Do you have a rule to allow IPv6 traffic (other than ICMP) in on the LAN interface?



  • Also, what do the firewall logs say?



  • Your ISP should have given you at least one IPv6 address for the WAN interface that is from a different /64 prefix than the one they gave you for LAN if they intended you to configure the WAN with a static address. That makes me suspect that they either left out some information or you're supposed to use "Track" type of IPv6 configuration for WAN.



  • "track interface" is for LAN interfaces, though. He says he's successfully getting a v6 address via DHCP6 on the WAN, so that is almost certainly what his provider wants him to use. He apparently also got a fixed prefix from his provider, so that would suggest that he's not supposed to use DHCP-PD / "track interface" for the LAN side.

    Really, though, the easiest way to figure out what's going on is for him to just check the logs on the pfSense box and maybe use tcpdump to see where packets actually end up being routed (or not, as the case may be).



  • Good Morning Guys!

    This is what my ISP sent me:
    IPv6:
    IP Network: 2a02:xxx:10:37::/64
    Gateway: 2a02:xxx:0010:0037:0000:0000:0000:0001
    Network range: 2a02:xxx:0010:0037:0000:0000:0000:0002 - 2a02:xxx:0010:0037:ffff:ffff:ffff:ffff

    I would assume that "Gateway" means the address of ISP's Gateway.

    And about Firewall:
    I added an IPv6 any - any - any rule on WAN and LAN, just as long as I have problems with it.
    This means that the firewall doesn't have any influence on the traffic, because it should allow everything in IPv6.

    I think I have some problems with these WAN settings… But when I change to static IPv6 with an address from that pool, it doesn't work either.
    BUT I can reach IPv6 addresses directly from pfSense (with ping); only LAN makes problems.



  • @fips:

    This is what my ISP sent me:
    IPv6:
    IP Network: 2a02:xxx:10:37::/64
    Gateway: 2a02:xxx:0010:0037:0000:0000:0000:0001
    Network range: 2a02:xxx:0010:0037:0000:0000:0000:0002 - 2a02:xxx:0010:0037:ffff:ffff:ffff:ffff

    I would assume that "Gateway" means the address of ISP's Gateway.

    Wait, is the v6 address that you said you received on your WAN interface inside that prefix as well? If that's the case, you can't use the same prefix on the LAN side as well.



  • Out of curiosity, is this a direct fiber or ethernet connection, by any chance? What does your IPv4 configuration look like? Are you sure your ISP actually expects you to use a router (vs. just a switch)?



  • @razzfazz:

    Wait, is the v6 address that you said you received on your WAN interface inside that prefix as well? If that's the case, you can't use the same prefix on the LAN side as well.

    Hmm… I guess this is it.
    I used the same prefix on the LAN side.
    So I have to split up the network and use a /100 prefix for LAN (for example).

    Well, I think my ISP knows that I am going to use a router; it's a datacenter where you can rent rack cages.
    They provide you with an IPv4 subnet and an IPv6 subnet.



  • Yeah sorry, should have written "Track for LAN".

    That configuration looks very strange and chances are you're not going to get it working on pfSense. The standard methods for delegating prefixes assume that the WAN network and the LAN network are completely distinct prefixes. Ask your ISP again for precise and exact instructions on how you're supposed to use the addresses they gave you.



  • @fips:

    Well, I think my ISP knows that I am going to use a router; it's a datacenter where you can rent rack cages.
    They provide you with an IPv4 subnet and an IPv6 subnet.

    Why do you think you need a router in this case? It seems to me that the usage model intended by your ISP is for you to just directly connect your machines to the provided network port without an additional router in between.



  • @razzfazz:

    Why do you think you need a router in this case? It seems to me that the usage model intended by your ISP is for you to just directly connect your machines to the provided network port without an additional router in between.

    But if I connect it directly like you say, how should I control traffic then?
    Maybe I don't need a router, but for sure I need a firewall, so I have to connect pfSense in the right way to manage it.

    Point is still:
    WAN works, I can ping
    LAN doesn't, even directly on the LAN interface of pfSense.

    There are some articles where users had to add a static route to be able to use IPv6 on the LAN side. Well, this didn't work for me, but maybe there are some other things which are important to configure but not obvious to see.



  • If all you want is firewalling, it seems to me that your best bet would be setting up pfSense as a transparent firewall as described here.

    EDIT: Also check out this.



  • @razzfazz:

    If all you want is firewalling, it seems to me that your best bet would be setting up pfSense as a transparent firewall as described here.

    EDIT: Also check out this.

    Thanks, but with this I would lose IPv4 NAT, which is an absolute no-go.



  • Why? I thought your ISP gives you an entire v4 subnet as well?!



  • @razzfazz:

    Why? I thought your ISP gives you an entire v4 subnet as well?!

    That's true, but it's a /29 subnet, so I have 5 IPv4 addresses.



  • Well, as pointed out before, using the same /64 on both the WAN and the LAN interface won't work, and since all you get is a /64, splitting out a sub-prefix will be problematic as well (IPv6 is really designed to use /64 as the maximum prefix size for LAN use; things like SLAAC will not work with anything longer). So, not sure what to tell you at this point.
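As an added example (not from this thread or from pfSense itself), a small Python check for the mistakes the replies converge on: reusing the WAN /64 on the LAN, carving a sub-prefix longer than /64 for a LAN whose hosts rely on SLAAC, and a static WAN whose ISP gateway is not on-link. The addresses are constructed from the 2001:db8::/32 documentation range, and the mapping of pfSense RA modes to SLAAC is an assumption.

```python
"""Added example: sanity-check a pfSense-style IPv6 WAN/LAN plan.
Not part of the thread or of pfSense; addresses are constructed."""
from ipaddress import IPv6Address, IPv6Interface
from typing import List, Optional

SLAAC_MAX_PREFIXLEN = 64  # SLAAC (RFC 4862) needs a 64-bit interface identifier
# Assumption: these pfSense RA modes advertise the prefix for autoconfiguration.
SLAAC_RA_MODES = ("assisted", "stateless", "unmanaged")


def check_plan(wan: str, lan: str, ra_mode: str = "assisted",
               gateway: Optional[str] = None) -> List[str]:
    """Return a list of configuration problems (empty list means none found).

    wan, lan: CIDR strings such as '2001:db8:10:37::2/64'
    ra_mode:  pfSense Router Advertisement mode for the LAN
    gateway:  ISP gateway address when the WAN is configured statically
    """
    wan_if = IPv6Interface(wan)
    lan_if = IPv6Interface(lan)
    problems: List[str] = []

    # Two on-link prefixes on different interfaces must not overlap; otherwise
    # the router cannot tell which interface a destination address lives on.
    if wan_if.network.overlaps(lan_if.network):
        problems.append(
            f"LAN prefix {lan_if.network} overlaps WAN prefix {wan_if.network}; "
            "the LAN needs a distinct prefix (delegated or routed by the ISP)"
        )

    # A /100 carved out of the /64 cannot be used for SLAAC-based RA modes.
    if ra_mode in SLAAC_RA_MODES and lan_if.network.prefixlen > SLAAC_MAX_PREFIXLEN:
        problems.append(
            f"LAN prefix /{lan_if.network.prefixlen} is longer than /64; "
            f"RA mode '{ra_mode}' relies on SLAAC and will not work on it"
        )

    # With a static WAN, the ISP gateway must be inside the WAN prefix
    # (or the default route cannot be resolved on-link).
    if gateway is not None and IPv6Address(gateway) not in wan_if.network:
        problems.append(
            f"gateway {gateway} is not on-link for WAN prefix {wan_if.network}"
        )
    return problems


if __name__ == "__main__":
    # The poster's situation, with constructed addresses: same /64 on both sides.
    for problem in check_plan("2001:db8:10:37::2/64", "2001:db8:10:37::3/64"):
        print("problem:", problem)
```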