Native IPv6 routing problem, can't leave subnet
-
Hello everyone,
I feel horrible asking this question since I have already come across countless threads regarding the same matter, but unfortunately nowhere is the precise solution for this problem documented.
I have a Comcast internet connection with a working, native IPv6 configuration. With my previous router, I had full IPv6 connectivity. Currently with pfSense, I have full IPv6 connectivity from the router but computers on the subnet cannot get IPv6 traffic out of the network.
I suspect it is a routing issue because logging all traffic to/from the firewall does not reveal any issues.
IPv6 traffic is enabled on pfSense, the router gets a /128 IPv6 address and a /64 for the LAN, and all computers get their assigned address from the /64 just fine and dandy. The IPv6 on LAN is set to track the WAN, with a prefix ID of 0.
I have gone as far as creating a WAN rule allowing IPv6 traffic from any to any on any protocol to PASS and the same for LAN, but to no effect.
On the router:
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
        ether 00:26:55:d0:50:27
        inet6 fe80::226:55ff:fed0:5027%em1 prefixlen 64 scopeid 0x2
        inet 98.228.96.134 netmask 0xfffff800 broadcast 255.255.255.255
        inet6 2001:558:6033:3:94a:c618:4b3e:cdb8 prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

$ netstat -rn
Internet6:
Destination                         Gateway                             Flags  Netif Expire
default                             fe80::201:5cff:fe6f:6046%em1        UGS    em1
::1                                 link#6                              UH     lo0
2001:558:6033:3:94a:c618:4b3e:cdb8  link#2                              UHS    lo0
2601:d:180:150d::/64                link#1                              U      em0
2601:d:180:150d:226:55ff:fed0:5026  link#1                              UHS    lo0
fe80::%em0/64                       link#1                              U      em0
fe80::1:1%em0                       link#1                              UHS    lo0
fe80::%em1/64                       link#2                              U      em1
fe80::226:55ff:fed0:5027%em1        link#2                              UHS    lo0
fe80::%lo0/64                       link#6                              U      lo0
fe80::1%lo0                         link#6                              UHS    lo0
ff01::%em0/32                       2601:d:180:150d:226:55ff:fed0:5026  U      em0
ff01::%em1/32                       fe80::226:55ff:fed0:5027%em1        U      em1
ff01::%lo0/32                       ::1                                 U      lo0
ff02::%em0/32                       2601:d:180:150d:226:55ff:fed0:5026  U      em0
ff02::%em1/32                       fe80::226:55ff:fed0:5027%em1        U      em1
ff02::%lo0/32                       ::1                                 U      lo0
On my client PC:
en9: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:e0:4c:68:28:b8
        inet6 fe80::2e0:4cff:fe68:28b8%en9 prefixlen 64 scopeid 0xb
        inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fd61:9de9:cb17::2e0:4cff:fe68:28b8 prefixlen 64 autoconf
        inet6 fd61:9de9:cb17::3dad:b96f:49e3:e665 prefixlen 64 autoconf temporary
        inet6 fd61:9de9:cb17::199 prefixlen 64 dynamic
        nd6 options=1<PERFORMNUD>
        media: autoselect (1000baseT <full-duplex>)
        status: active

$ netstat -rn
Internet6:
Destination                          Gateway            Flags    Netif Expire
default                              fe80::1:1%en9      UGc      en9
::1                                  ::1                UHL      lo0
2601:d:180:150d::/64                 link#11            UC       en9
fd61:9de9:cb17::199                  0:e0:4c:68:28:b8   UHL      lo0
fd61:9de9:cb17::2e0:4cff:fe68:28b8   0:e0:4c:68:28:b8   UHL      lo0
fd61:9de9:cb17::3dad:b96f:49e3:e665  0:e0:4c:68:28:b8   UHL      lo0
fe80::%lo0/64                        fe80::1%lo0        UcI      lo0
fe80::1%lo0                          link#1             UHLI     lo0
fe80::%en9/64                        link#11            UCI      en9
fe80::1:1%en9                        0:26:55:d0:50:26   UHLWIir  en9
fe80::7a:ab93:98d0:ebe3%en9          9c:20:7b:ac:2c:d4  UHLWI    en9
fe80::201:5cff:fe6f:6046%en9         link#11            UHLWI    en9
fe80::21b:a9ff:fe7d:64e8%en9         0:1b:a9:7d:64:e8   UHLWI    en9
fe80::226:55ff:fed0:5027%en9         link#11            UHLWI    en9
fe80::2e0:4cff:fe68:28b8%en9         0:e0:4c:68:28:b8   UHLI     lo0
fe80::baf6:b1ff:fe1a:db9d%en9        b8:f6:b1:1a:db:9d  UHLWI    en9
fe80::eade:27ff:fe4a:fe6c%en9        e8:de:27:4a:fe:6c  UHLWI    en9
ff01::%lo0/32                        ::1                UmCI     lo0
ff01::%en0/32                        link#4             UmCI     en0
ff01::%en9/32                        link#11            UmCI     en9
ff02::%lo0/32                        ::1                UmCI     lo0
ff02::%en0/32                        link#4             UmCI     en0
ff02::%en9/32                        link#11            UmCI     en9
Your help is greatly appreciated.
-
I assume em1 is your LAN interface. It has prefix 2001:558:6033:3::, but your client machine has prefix fd61:9de9:cb17:: and at least one IP, fd61:9de9:cb17::199, seems to be assigned by a DHCPv6 server. Where is fd61:9de9:cb17:: coming from, and are you running a DHCPv6 server on LAN?
-
all computers get their assigned address from the /64 just fine and dandy
No, they don't. Just look at what you posted. You have some ULA stuff there. Nothing from the /64.
-
I am terribly sorry, I'm not sure what was wrong when I posted that - I didn't even bother checking it because it was the same previously. Somehow the problem resolved itself and I have IPv6 connectivity. Unfortunately as the routing tables I previously posted were incorrect, this is going to be one of those "it took a while but I now have IPv6 connectivity and I can't explain how it happened" posts.
For reference, working client configuration:
en9: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:e0:4c:68:28:b8
        inet6 fe80::2e0:4cff:fe68:28b8%en9 prefixlen 64 scopeid 0xb
        inet6 2601:d:180:150d::188e prefixlen 64 dynamic
        inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fd61:9de9:cb17::2e0:4cff:fe68:28b8 prefixlen 64 detached autoconf
        inet6 fd61:9de9:cb17::b12a:8293:3147:5d9e prefixlen 64 detached deprecated autoconf temporary
        inet6 fd61:9de9:cb17::4da4:9621:380:65ca prefixlen 64 detached autoconf temporary
        nd6 options=1<PERFORMNUD>
        media: autoselect (1000baseT <full-duplex>)
        status: active

Internet6:
Destination                              Gateway                        Flags    Netif Expire
default                                  fe80::1:1%en9                  UGc      en9
default                                  fe80::cd0:8718:918d:fb02%en10  UGcI     en10
::1                                      ::1                            UHL      lo0
2600:1008:b128:50e3::/64                 link#12                        UC       en10
2600:1008:b128:50e3:18f6:43ff:fec3:3fd0  1a:f6:43:c3:3f:d0              UHL      lo0
2600:1008:b128:50e3:3c04:15b4:888:748d   1a:f6:43:c3:3f:d0              UHL      lo0
2601:d:180:150d::/64                     link#11                        UC       en9
2601:d:180:150d::188e                    0:e0:4c:68:28:b8               UHL      lo0
2601:d:180:150d:226:55ff:fed0:5026       0:26:55:d0:50:26               UHLWI    en9
fd61:9de9:cb17::2e0:4cff:fe68:28b8       0:e0:4c:68:28:b8               UHL      lo0
fd61:9de9:cb17::4da4:9621:380:65ca       0:e0:4c:68:28:b8               UHL      lo0
fd61:9de9:cb17::b12a:8293:3147:5d9e      0:e0:4c:68:28:b8               UHL      lo0
fe80::%lo0/64                            fe80::1%lo0                    UcI      lo0
fe80::1%lo0                              link#1                         UHLI     lo0
fe80::%en9/64                            link#11                        UCI      en9
fe80::1:1%en9                            0:26:55:d0:50:26               UHLWIir  en9
fe80::21b:a9ff:fe7d:64e8%en9             0:1b:a9:7d:64:e8               UHLWI    en9
fe80::2e0:4cff:fe68:28b8%en9             0:e0:4c:68:28:b8               UHLI     lo0
fe80::1cf7:1d2:c1df:b246%en9             9c:20:7b:ac:2c:d4              UHLWI    en9
fe80::eade:27ff:fe4a:fe6c%en9            e8:de:27:4a:fe:6c              UHLWI    en9
fe80::%en10/64                           link#12                        UCI      en10
fe80::cd0:8718:918d:fb02%en10            3a:f6:43:3c:23:64              UHLWIir  en10
fe80::18f6:43ff:fec3:3fd0%en10           1a:f6:43:c3:3f:d0              UHLI     lo0
ff01::%lo0/32                            ::1                            UmCI     lo0
ff01::%en0/32                            link#4                         UmCI     en0
ff01::%en9/32                            link#11                        UmCI     en9
ff01::%en10/32                           link#12                        UmCI     en10
ff02::%lo0/32                            ::1                            UmCI     lo0
ff02::%en0/32                            link#4                         UmCI     en0
ff02::%en9/32                            link#11                        UmCI     en9
ff02::%en10/32                           link#12                        UmCI     en10
pfSense:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:26:55:d0:50:26
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 2601:d:180:150d:226:55ff:fed0:5026 prefixlen 64
        inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4019b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,VLAN_HWTSO>
        ether 00:26:55:d0:50:27
        inet6 fe80::226:55ff:fed0:5027%em1 prefixlen 64 scopeid 0x2
        inet 98.228.96.134 netmask 0xfffff800 broadcast 255.255.255.255
        inet6 2001:558:6033:3:94a:c618:4b3e:cdb8 prefixlen 128
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active

Internet6:
Destination                         Gateway                             Flags  Netif Expire
default                             fe80::201:5cff:fe6f:6046%em1        UGS    em1
::1                                 link#6                              UH     lo0
2001:558:6033:3:94a:c618:4b3e:cdb8  link#2                              UHS    lo0
2601:d:180:150d::/64                link#1                              U      em0
2601:d:180:150d:226:55ff:fed0:5026  link#1                              UHS    lo0
fe80::%em0/64                       link#1                              U      em0
fe80::1:1%em0                       link#1                              UHS    lo0
fe80::%em1/64                       link#2                              U      em1
fe80::226:55ff:fed0:5027%em1        link#2                              UHS    lo0
fe80::%lo0/64                       link#6                              U      lo0
fe80::1%lo0                         link#6                              UHS    lo0
ff01::%em0/32                       2601:d:180:150d:226:55ff:fed0:5026  U      em0
ff01::%em1/32                       fe80::226:55ff:fed0:5027%em1        U      em1
ff01::%lo0/32                       ::1                                 U      lo0
ff02::%em0/32                       2601:d:180:150d:226:55ff:fed0:5026  U      em0
ff02::%em1/32                       fe80::226:55ff:fed0:5027%em1        U      em1
ff02::%lo0/32                       ::1                                 U      lo0
em0 is lan and em1 is wan on pfSense.
-
In my case, this problem was caused by a wireless access point in the network running OpenWRT trying to hand out IPv6 addresses when it had no business doing so. Hope this helps someone.
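-
Added example, not part of the original thread: a client-side check for the condition the replies spotted by eye, namely global or ULA addresses configured from a prefix the router does not delegate, which is what a second, unintended advertiser on the LAN produces. The function name audit_inet6 is hypothetical, the sample is the inet6 lines of the first client paste above, and reading the "dynamic" flag as DHCPv6 follows the reply in the thread.

```python
import ipaddress
import re

# inet6 lines of the client's first ifconfig paste in this thread.
CLIENT_IFCONFIG = """\
en9: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::2e0:4cff:fe68:28b8%en9 prefixlen 64 scopeid 0xb
    inet6 fd61:9de9:cb17::2e0:4cff:fe68:28b8 prefixlen 64 autoconf
    inet6 fd61:9de9:cb17::3dad:b96f:49e3:e665 prefixlen 64 autoconf temporary
    inet6 fd61:9de9:cb17::199 prefixlen 64 dynamic
"""
LAN_PREFIX = "2601:d:180:150d::/64"  # the /64 pfSense routes on em0 in the thread

INET6 = re.compile(
    r"^\s*inet6\s+([0-9a-fA-F:]+)(?:%\S+)?\s+prefixlen\s+(\d+)(.*)$", re.M)
ULA = ipaddress.ip_network("fc00::/7")


def audit_inet6(ifconfig_text, lan_prefix):
    """Return (has_lan_address, {foreign_prefix: [how it was configured]})."""
    lan = ipaddress.ip_network(lan_prefix)
    has_lan, foreign = False, {}
    for addr_s, plen, rest in INET6.findall(ifconfig_text):
        addr = ipaddress.IPv6Address(addr_s)
        if addr.is_link_local:
            continue  # every interface has one; says nothing about the router
        if addr in lan:
            has_lan = True
            continue
        flags = rest.split()
        # "autoconf" = SLAAC from a Router Advertisement; "dynamic" is read
        # as DHCPv6 here (assumption, following the reply in the thread).
        how = ("SLAAC" if "autoconf" in flags
               else "DHCPv6" if "dynamic" in flags else "static/other")
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        label = f"{net} (ULA)" if addr in ULA else str(net)
        foreign.setdefault(label, set()).add(how)
    return has_lan, {k: sorted(v) for k, v in foreign.items()}


if __name__ == "__main__":
    has_lan, foreign = audit_inet6(CLIENT_IFCONFIG, LAN_PREFIX)
    print("address from LAN prefix:", has_lan)
    for prefix, how in foreign.items():
        print("foreign prefix", prefix, "via", ", ".join(how))
```

A foreign prefix that arrives by both SLAAC and DHCPv6 while the routed /64 is absent means some other device on the segment is answering router solicitations, which is worth tracing to its MAC address before touching firewall rules.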