I can't visit the https sites

yon

now when I use pfsense router, I can't many web sites. even I can't visit the forum.pfsense.org. I am using he.net ipv6 and local ipv4 network.

I can tracert ipv6 site is normal. but just I can't open these sites. Please how find anf fix it? :-[

KOM

What errors are you getting when you try to go to those sites? Are you using any filtering packages like Squid & SquidGuard?

yon

@KOM:

What errors are you getting when you try to go to those sites? Are you using any filtering packages like Squid & SquidGuard?

if only use ipv4 visit is normal. use ipv6 visit not normal.

No. I have no use its.

I can always normal visit http://test-ipv6.com/. maybe ipv6 tunnel cofing has some questions.

KOM

I don't know. I don't use IPv6. Do you have a firewall rule allowing that IPv6 traffic to pass out?

kejianshi

I'm using HE and I can visit any site no problems.

What are you using for ipv6 DNS?

Derelict

I have never used it in that manner (ipv6 outside, ipv4 inside). Is it even supposed to work? Wouldn't you have to NAT to IPv6 addresses?

Why not roll dual-stack inside your network and go all-in?

Create a /48 on tunnelbroker.net, and assign a /64 out of that to your LAN, and turn on RA.

And set some IPv6 name servers such as 2001:470:20::2

![Screen Shot 2014-09-13 at 3.50.43 PM.png](/public/imported_attachments/1/Screen Shot 2014-09-13 at 3.50.43 PM.png)
![Screen Shot 2014-09-13 at 3.50.43 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-09-13 at 3.50.43 PM.png_thumb)
![Screen Shot 2014-09-13 at 3.51.25 PM.png](/public/imported_attachments/1/Screen Shot 2014-09-13 at 3.51.25 PM.png)
![Screen Shot 2014-09-13 at 3.51.25 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-09-13 at 3.51.25 PM.png_thumb)

kejianshi

I think he is just saying he is running native IPV4 and not native IPV6.

Not sure what other issues he is having.

My HE is set up same as yours, except I'm accessing it via a Openvpn Tunnel that supplies me a dual stack here, so I have to provide a route to the VPN.

Other than that its identical to what your pics show. Works.

I think he should also post his configs and firewall rules.

yon

@kejianshi:

I think he is just saying he is running native IPV4 and not native IPV6.

Not sure what other issues he is having.

My HE is set up same as yours, except I'm accessing it via a Openvpn Tunnel that supplies me a dual stack here, so I have to provide a route to the VPN.

Other than that its identical to what your pics show. Works.

I think he should also post his configs and firewall rules.

yes. I am running native IPV4 and not native IPV6.

I using ipv6 /48 for lan. just visit test-ipv6.com is normal work.

1611_1.png_thumb

1612_2.png_thumb

1613_3.png_thumb

1613_4.png_thumb

1613_5.png_thumb

Derelict

The IPv6 address on your IPv6LAX interface AND the local address on your GIF tunnel should be 2001:470:c:1089::2 and the netmask /64.

Assign /64 subnets from your routed /48 to your LAN interfaces, not /48. Carefully look at the two examples already provided.

In short, your IPv6 config is completely wrong. You might want to delete it and start over.

https://doc.pfsense.org/index.php/Using_IPv6_on_2.1_with_a_Tunnel_Broker

kejianshi

When you get that up and working on the LANs and you want it to also work for openvpn clients, let me know - Its not much more to do.

Derelict

And there's a /48 on the DHCPv6 config which should probably be /64 to match the /64 you have converted your LAN to. unmanaged works just fine. It might be good to reduce the complexity at first and just use that. I've never configured DHCPv6.

yon

Iwant to use short /48ip address, before it was normal work in /48

yon

I try setup MSS to 1220, just /48 ipv6 work..

yon

https://forum.pfsense.org/index.php?topic=81698.0

yon

I think best setup is MTU 1472 and MSS 1412.

The maximum segment size (MSS) is a parameter of the TCP protocol that specifies the largest amount of data, specified in octets, that a computer or communications device can receive in a single TCP segment. It does not count the TCP header or the IP header.[1] The IP datagram containing a TCP segment may be self-contained within a single packet, or it may be reconstructed from several fragmented pieces; either way, the MSS limit applies to the total amount of data contained in the final, reconstructed TCP segment.

The default TCP Maximum Segment Size is 536.[2] Where a host wishes to set the maximum segment size to a value other than the default, the maximum segment size is specified as a TCP option, initially in the TCP SYN packet during the TCP handshake. Because the maximum segment size parameter is controlled by a TCP option, a host can change the value in any later segment.

Each direction of data flow can use a different MSS.

To avoid fragmentation in the IP layer, a host must specify the maximum segment size as equal to the largest IP datagram that the host can handle minus the IP header size and TCP header sizes.[3] Therefore IPv4 hosts are required to be able to handle an MSS of 536 octets (= 576[4] - 20 - 20) and IPv6 hosts are required to be able to handle an MSS of 1220 octets (= 1280[5] - 40 - 20).

Low MSS values will reduce or eliminate IP fragmentation, but will result in higher overhead.[6]

For most computer users, the MSS option is established by the operating system.

2217_6.png_thumb

Derelict

@yon:

Iwant to use short /48ip address, before it was normal work in /48

Ok. Good luck.