[SOLVED] IPv6 'routing' issue (WAN <-> LAN)
-
Hi everybody!
Yesterday i set up pfSense 2.2 RELEASE (amd64) with 2 NICs (WAN = em0 / LAN = em1) and everything regarding IPv4 functionality is working fine. I just can't get IPv6 to work properly. My IPv6 prefix is [2a01:170:110c::]/48, the LAN interface on my modem/router is configured to use [2a01:170:110c:1::1]/64 which is connected to the WAN port of pfSense. I configured pfSense's WAN port to use [2a01:170:110c:1::2]/64 (GW [2a01:170:110c:1::1]/64) , it's LAN port uses [2a01:170:110c:2::1]/64 (no GW). With this setup i can ping6 my modem/router and inet addresses from pfSense's WAN side, but i can't reach anything from the LAN side (except machines on my local network). I added test rules to the firewall which allow all IPv6 traffic on all interfaces in both directions but it still doesn't work. I was looking for people with similar issues but it seems most people use either tunnels or don't use a modem/router in front of their pfSense machines. What am i doing wrong with my setup?Thanks a lot for your help!
Frank
-
…
What am i doing wrong with my setup?Cascading setup where pfSense becomes dependent (slave) on MoDem/router, as you indicated.
You could try with opening up MoDem for its firewall rulings. Make the correct settings for IPv6 in the MoDem config.
[Typical need for a box like the AVM/FritzBox!-73xx] -
@hda:
Cascading setup where pfSense becomes dependent (slave) on MoDem/router, as you indicated.
You could try with opening up MoDem for its firewall rulings. Make the correct settings for IPv6 in the MoDem config.
[Typical need for a box like the AVM/FritzBox!-73xx]Do you mean a cascading setup is impossible? The modem/router is a Draytek Vigor 130 and there are no
IPv6 related firewall rules. Could you elaborate a bit further?
The only possible issue i can see right now is that i set the modem/router's global IPv6 as gateway address
for pfSense's WAN interface instead of the link-local one. That's the only thing i haven't checked yet, will
do that later (at work atm). -
@hda:
Cascading setup where pfSense becomes dependent (slave) on MoDem/router, as you indicated.
You could try with opening up MoDem for its firewall rulings. Make the correct settings for IPv6 in the MoDem config.
[Typical need for a box like the AVM/FritzBox!-73xx]Do you mean a cascading setup is impossible? The modem/router is a Draytek Vigor 130 and there are no
IPv6 related firewall rules. Could you elaborate a bit further?Cascading is possible, but cumbersome, and double NAT IPv4.
But OK, you have DTv130, so you can pass-tru the MoDem to pfSense-WAN !
This is just transparent pfSense <-> ISP-node as if DTv130 is not there. -
@hda:
@hda:
Cascading setup where pfSense becomes dependent (slave) on MoDem/router, as you indicated.
You could try with opening up MoDem for its firewall rulings. Make the correct settings for IPv6 in the MoDem config.
[Typical need for a box like the AVM/FritzBox!-73xx]Do you mean a cascading setup is impossible? The modem/router is a Draytek Vigor 130 and there are no
IPv6 related firewall rules. Could you elaborate a bit further?Cascading is possible, but cumbersome, and double NAT IPv4.
But OK, you have DTv130, so you can pass-tru the MoDem to pfSense-WAN !
This is just transparent pfSense <-> ISP-node as if DTv130 is not there.I will set the Draytek to pass-through mode later and see how it goes from there, i was hoping i could avoid that step… (the Draytek's firmware
has various bugs, it was a pain to get IPv6 working, support was helpful though) -
I will set the Draytek to pass-through mode later and see how it goes from there, i was hoping i could avoid that step… (the Draytek's firmware has various bugs, it was a pain to get IPv6 working, support was helpful though)
With Pass-through you have only to worry about the correct ISP-protocol. So get your full public IPv4 & IPv6 on the pfSense-WAN. [set pass-tru & standard settings on DTv130, so no VLAN or IPv6 stuff to do there]
If DT-firmware is the point, then complain to them for improvement.
-
@hda:
I will set the Draytek to pass-through mode later and see how it goes from there, i was hoping i could avoid that step… (the Draytek's firmware has various bugs, it was a pain to get IPv6 working, support was helpful though)
With Pass-through you have only to worry about the correct ISP-protocol. So get your full public IPv4 & IPv6 on the pfSense-WAN. [set pass-tru & standard settings on DTv130, so no VLAN or IPv6 stuff to do there]
If DT-firmware is the point, then complain to them for improvement.
Right now i'm still hoping to be able to tell the draytek to pass-through IPv6 only. I have 5 static IPv4 addresses which are
managed by the draytek (fritzbox and many other modem/routers only support one IPv4 on the WAN side), at first glance
i couldn't find an option in pfSense to handle several IPv4 addresses on WAN side. I need to try this later.The firmware is working as it should but the diagnostic functions for IPv6 don't really work (ping6 on the draytek is
broken, PPPoE section in IPv6 overview shows 'errors' were there are none, etc.), the support
knows about this since august last year and the new version from november (which the support guys
'promised' to not have the bugs mentioned) is still faulty. So i had quite some trouble to get IPv6
working the 'traditional' way because i was trying to fix non-existent errors. So that's why i don't
really trust the Draytek firmware and suspected it to be the culprit of my actual problem. Let's just
hope the pass-through does work/is existent. -
…
Right now i'm still hoping to be able to tell the draytek to pass-through IPv6 only.
...There is no special pass-tru capability for IPv6 needed. One could even do well with a DTv120 which has no IPv6 capa. at all !
Pass-tru means no interference from DT(v130) with communication between pfSense and ISP-node.
-
I just looked through the WAN interface IPv6 settings on pfSense and the only possible alternative
to static is DHCP6. The Draytek modem/router is set to PPP on it's WAN IPv6 side since the connection
type is PPPoE and this is the only way it works for the Draytek (my ISP told me the settings), DHCP6
doesn't work with my ISP. So what happens when i set the WAN IPv6 setting of the Draytek to 'offline'
and disable RA and DHCP6 on it's LAN side? pfSense shouldn't get the addresses via DHCP6 as my
ISP doesn't use it on their side..
But i tried it, Draytek IPv6 offline, pfSense to DHCP6, i didn't remove the Draytek's link-local IPv6 yet and
with this setup pfSense shows a link-local IPv6 and the Draytek's link-local address as gateway, so
i removed every IPv6 entry from the Draytek's LANside. After that pfSense only has a link-local address,
i tried several different setting (obtain IPv6 addresses via IPv4, prefix only, etc.) all to no avail.
There must be a way to route IPv6 from WAN to LAN on pfsense with a static setup… -
Forgetting about your routed /48 for a minute, what happens if you put the modem in bridge mode, use PPPoE for IPv4 and SLAAC for IPv6?
-
sideline IPv6 for a while. First IPv4.
AIUI, you connect DT130 to ISP as PPPoE, then have tested pass-tru/("bridge") for IPv4 and cannot get IPv4 on pfSense-WAN ?
-
Oh no, IPv4 is working fine. I didn't set the Draytek to PPPoE pass-through yet, because like i said
that's not really an option because of my 4 additional static IPv4 addresses (they're more important
than IPv6) unless pfsense has the ability to do that.
Isn't there a way to route IPv6 traffic from WAN to LAN with static addresses, just like it works with
IPv4? -
You want to look at Firewall > Virtual IPs to see about multiple IP addresses on your WAN interface. Chances are you can do what you need as long as the IPs are routed to you.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You'll probably need to post more specific information if you want more specific help.
I think you're out of luck with IPv6 until you get your modem into bridge mode.
-
Oh no, IPv4 is working fine. I didn't set the Draytek to PPPoE pass-through yet,….
One needs to do tests to inform oneself. :D
Then very likely the IPv6 will be supplied by using IPv4 PPPoE at pfSense-WAN,
-
You're both right, there really is no way i can pull this off without setting the Draytek to PPPoE pass-throught. I accept my defeat.
I have it all set up now and IPv4 works fine, IPv6 not yet. As Derelict suggested, on the WAN side (pfsense) i've set IPv4 to PPPoE and SLAAC
for IPv6, the LAN side has static entries for both. I've put a screenshot of the interfaces page in the attachment as well as a shot of the LAN
configurations. I only get link-local IPv6 addresses on the WAN side, no ping6.
-
Link local addresses on interfaces are OK.
Looks like it's getting close to you:
traceroute6 to 2a01:170:110c:1::1 (2a01:170:110c:1::1) from 2001:470:…, 64 hops max, 12 byte packets
1 2001:470:... 0.444 ms 0.365 ms 0.311 ms
2 2001:470:... 20.509 ms 18.493 ms 27.693 ms
3 2001:470:... 26.365 ms 18.327 ms 25.308 ms
4 2001:470:0:10e::2 84.479 ms 89.593 ms 73.084 ms
5 2001:470:0:2cf::1 152.046 ms 138.959 ms 140.712 ms
6 2001:7f8:4::33b5:1 143.464 ms 147.377 ms 141.665 ms
7 2001:7f0:0:28::2 153.165 ms 153.688 ms 154.670 ms
8 2001:7f0:1:2::2 153.532 ms 157.187 ms 157.728 ms
9 2a01:170::1:2:7:0:2 159.198 ms 157.267 ms 155.856 msPut a rule on WAN passing IPv6 ICMP from any to 2a01:170:110c:1::1
You can't ping6 to the gateway address from the pfSense node itself?
-
You have set the LAN Static. That's OK. It needs Services: Router advertisements(Router Only) or including SLAAC RA needs (Unmanaged)
-
You want to look at Firewall > Virtual IPs to see about multiple IP addresses on your WAN interface. Chances are you can do what you need as long as the IPs are routed to you.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You'll probably need to post more specific information if you want more specific help.
I think you're out of luck with IPv6 until you get your modem into bridge mode.
Thank you, i had a quick look at it and it looks very promising. I will look further into it when/if IPv6
is working (in bridge mode) -
Can we see your pfSense-WAN config screenshot ?
-
Link local addresses on interfaces are OK.
Looks like it's getting close to you:
traceroute6 to 2a01:170:110c:1::1 (2a01:170:110c:1::1) from 2001:470:…, 64 hops max, 12 byte packets
1 2001:470:... 0.444 ms 0.365 ms 0.311 ms
2 2001:470:... 20.509 ms 18.493 ms 27.693 ms
3 2001:470:... 26.365 ms 18.327 ms 25.308 ms
4 2001:470:0:10e::2 84.479 ms 89.593 ms 73.084 ms
5 2001:470:0:2cf::1 152.046 ms 138.959 ms 140.712 ms
6 2001:7f8:4::33b5:1 143.464 ms 147.377 ms 141.665 ms
7 2001:7f0:0:28::2 153.165 ms 153.688 ms 154.670 ms
8 2001:7f0:1:2::2 153.532 ms 157.187 ms 157.728 ms
9 2a01:170::1:2:7:0:2 159.198 ms 157.267 ms 155.856 msPut a rule on WAN passing IPv6 ICMP from any to 2a01:170:110c:1::1
You can't ping6 to the gateway address from the pfSense node itself?
The firewall is completely open, i can't ping6 the gateway or any external addresses from pfSense…
@hda:
You have set the LAN Static. That's OK. It needs Services: Router advertisements(Router Only) or including SLAAC RA needs (Unmanaged)
I tried both setting, no change. It is set to Router Only at the moment, see attachment (i've added the DNS entries manually, ISP doesn't provide
any for IPv4/6).@hda:
Can we see your pfSense-WAN config screenshot ?
Sure, a screenshot is in the attachment.
–-----------------
I've also attached a screenshot of the interface assignment page and the first network card (em0, which is connected to the Draytek)
is shown as unassigned. just because i'm curious, is that normal? Looks odd.
