Not able to connect to ipv6 address of host

  • My ISP is comcast and i have ipv6. I believe i set it up correctly as well as my computer gets an ipv6 address and doing tests like ping6 browsing to or running (10/10) all show that my host is configured properly. I have the following addresses

    IPv6 Address: 2601:7:1680:abe:a0ff:76c6:yyyy:xxxx
    Temporary IPv6 Address: 2601:7:1680:abe:10ad:ff4:yyyy:xxxx
    Temporary IPv6 Address: 2601:7:1680:abe:7968:63d0:yyyy:xxxx

    Now what i am trying to do is RDP to that host using any of those ip address but i am not sucessful. I also try to ping them and no dice… i suspect it is a firewall issue but not sure how to configure it so it works.. any help would be appreciated.

  • LAYER 8 Global Moderator

    Where are you trying to rdp to that host from?  Did you allow that traffic on pfsense?  On your wan rules you have to all the traffic, by default all unsolicited traffic is blocked be it ipv4 or ipv6

  • On my WAN rules i have  the following rule which should allow me to RDP into the machines i want using their ipv6 address

    Proto Source Port Destination Port Gateway Queue Schedule Description
    IPv6 TCP/UDP * 3389 (MS RDP) * 3389 (MS RDP) * none ipv6 rdp

    and on the LAN side i allow all ipv6 traffic so not sure what else it could be.

  • LAYER 8 Global Moderator

    Am I reading that correctly you have source port as 3389 as well… Dest sure, but source is going to be something random above 1024..  That rule would never fire because not going to match on source.

  • Wow i think i just learned something new. So just because the RDP services listens on port 3389 doesnt mean that the computer making the connection will be  sending from port 3389? when i removed the source port condition it started to work…

    I also have a couple other rules that i think are not working and maybe you can assist? I also am setting up windows server essentials and usually it would use UPNP to setup the ports it needed. I know pfsense has uPNP but it doesnt seem to work.. the help files say that i can also manually forward ports 80 and 443.... did i make those rules accurately? it seems to still not be happy when i run a test saying the ports are not forwarded but i believe they are...

    if Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP NAT Ports Description
    WAN TCP/UDP * * WAN address 80 (HTTP) 80 (HTTP) ad1
    WAN TCP/UDP * * WAN address 443 (HTTPS) 443 (HTTPS) ad1

  • LAYER 8 Global Moderator

    With IPV4 you would have to create a forward - which unless you uncheck the default will auto create the wan firewall rules for you.  http and https is TCP, so you you don't need to forward UDP for those to work.

    Yeah it rare that source port would be anything specific..  When you connect to service be it ssh, ftp, http, https, rdp, etc. etc..  The source port from the client will almost always be something random above 1024 - this might help

    Different OSes will use different ranges, but ports below 1024 are privileged ports, like your ssh server or http server listening on 22 and 80.  Normally these ports required elevated permissions to run from the OS, etc. etc.

    Now some protocols might use same source as dest, dns with doing zone transfers might be from port 53 to port 53.. NTP can be 123 to 123, etc.  Now is not always the case - normal dns queries are from some random source port.  Same with a ntp client, normally this is random source as well with just dest port of 123 udp.

    Out of the box UPnP is not enabled on pfsense -  you could enable it.  But to be honest not a good security practice to allow UPnP to function - always best to create the specific rules and forwards you want to allow.  With pf upnp you can setup so only specific IPs can request, and even limit what ports they can request, etc.  For example I allow my sons ps3 to use UPnP – but only its IP, that I hand out via dhcp reservation so only it gets that IP can request the ports.

    Keep in mind when you create a forward, to validate it actually working your going to want to come from outside network, if your on the network for example and you hit your public IP expecting to be forwarded back in - this quite often called nat reflection or loopback forwarding, etc.  And would also need to be enabled if you want pfsense to allow that.

    Another common mistake with allowing services into your private network from outside is quite often the host inside is running a firewall and while it might allow traffic from the local network - when it sees traffic from something other than its local network range it might block that - so you quite often need to adjust your host firewalls to allow access even though pfsense is forwarding the traffic to it.

  • Thank you for your informative posts and for answering the question without being a jerk. As someone who has primarily dealt with consumer grade routers these extra parameters/settings are often hidden and assumptions are made … i recently moved into a home where i have a full ethernet lan setup along with a virtualized server and trying to setup a more sophisticated physical/virtual network to handle all of that so this is indeed a learning process.

  • LAYER 8 Global Moderator

    Once you get a feel for pfsense and some exp with it - you will wonder why you ever used that home grade stuff when there is so much power at your finger tips for "free" ;)  Just need some hardware and bit of a learning curve.

    If you have any questions - feel free to post, lots of helpful people here always willing to share info and experience, etc.

    Have Fun!!!

    I run lots of stuff in VM on a esxi host, even pfsense is virtual and have comcast as well.. I got feed up with their native IPv6 so went back to using hurricane electric tunnel for my ipv6 needs.  But can always enable the native stuff if need be for testing, etc.  Feel free if want to PM – always happy to help someone get their network up to speed and learn, etc.

Log in to reply