Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Native IPv6 routing problem, can't leave subnet

    IPv6
    3
    5
    1077
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mqudsi last edited by

      Hello everyone,

      I feel horrible asking this question since I have already come across countless threads regarding the same matter, but unfortunately nowhere is the precise solution for this problem documented.

      I have a Comcast internet connection with a working, native IPv6 configuration. With my previous router, I had full IPv6 connectivity. Currently with pfSense, I have full IPv6 connectivity from the router but computers on the subnet cannot get IPv6 traffic out of the network.

      I suspect it is a routing issue because logging all traffic to/from the firewall does not reveal any issues.

      IPv6 traffic is enabled on pfSense, the router gets a /128 IPv6 address and a /64 for the LAN, and all computers get their assigned address from the /64 just fine and dandy. The IPv6 on LAN is set to track the WAN, with a prefix ID of 0.

      I have gone as far as creating a WAN rule allowing IPv6 traffic from any to any on any protocol to PASS and the same for LAN, but to no effect.

      On the router:

      em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=4019b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,vlan_hwtso>ether 00:26:55:d0:50:27
	inet6 fe80::226:55ff:fed0:5027%em1 prefixlen 64 scopeid 0x2 
	inet 98.228.96.134 netmask 0xfffff800 broadcast 255.255.255.255 
	inet6 2001:558:6033:3:94a:c618:4b3e:cdb8 prefixlen 128 
	nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,vlan_hwtso></up,broadcast,running,simplex,multicast>

      $ netstat -rn
Internet6:
Destination                       Gateway                       Flags      Netif Expire
default                           fe80::201:5cff:fe6f:6046%em1  UGS         em1
::1                               link#6                        UH          lo0
2001:558:6033:3:94a:c618:4b3e:cdb8 link#2                        UHS         lo0
2601:d:180:150d::/64              link#1                        U           em0
2601:d:180:150d:226:55ff:fed0:5026 link#1                        UHS         lo0
fe80::%em0/64                     link#1                        U           em0
fe80::1:1%em0                     link#1                        UHS         lo0
fe80::%em1/64                     link#2                        U           em1
fe80::226:55ff:fed0:5027%em1      link#2                        UHS         lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%em0/32                     2601:d:180:150d:226:55ff:fed0:5026 U           em0
ff01::%em1/32                     fe80::226:55ff:fed0:5027%em1  U           em1
ff01::%lo0/32                     ::1                           U           lo0
ff02::%em0/32                     2601:d:180:150d:226:55ff:fed0:5026 U           em0
ff02::%em1/32                     fe80::226:55ff:fed0:5027%em1  U           em1
ff02::%lo0/32                     ::1                           U           lo0

      On my client PC:

      en9: flags=8863 <up,broadcast,smart,running,simplex,multicast>mtu 1500
	ether 00:e0:4c:68:28:b8 
	inet6 fe80::2e0:4cff:fe68:28b8%en9 prefixlen 64 scopeid 0xb 
	inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fd61:9de9:cb17::2e0:4cff:fe68:28b8 prefixlen 64 autoconf 
	inet6 fd61:9de9:cb17::3dad:b96f:49e3:e665 prefixlen 64 autoconf temporary 
	inet6 fd61:9de9:cb17::199 prefixlen 64 dynamic 
	nd6 options=1 <performnud>media: autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud></up,broadcast,smart,running,simplex,multicast> 

      $ netstat -rn
Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::1:1%en9                   UGc             en9
::1                                     ::1                             UHL             lo0
2601:d:180:150d::/64                    link#11                         UC              en9
fd61:9de9:cb17::199                     0:e0:4c:68:28:b8                UHL             lo0
fd61:9de9:cb17::2e0:4cff:fe68:28b8      0:e0:4c:68:28:b8                UHL             lo0
fd61:9de9:cb17::3dad:b96f:49e3:e665     0:e0:4c:68:28:b8                UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0
fe80::1%lo0                             link#1                          UHLI            lo0
fe80::%en9/64                           link#11                         UCI             en9
fe80::1:1%en9                           0:26:55:d0:50:26                UHLWIir         en9
fe80::7a:ab93:98d0:ebe3%en9             9c:20:7b:ac:2c:d4               UHLWI           en9
fe80::201:5cff:fe6f:6046%en9            link#11                         UHLWI           en9
fe80::21b:a9ff:fe7d:64e8%en9            0:1b:a9:7d:64:e8                UHLWI           en9
fe80::226:55ff:fed0:5027%en9            link#11                         UHLWI           en9
fe80::2e0:4cff:fe68:28b8%en9            0:e0:4c:68:28:b8                UHLI            lo0
fe80::baf6:b1ff:fe1a:db9d%en9           b8:f6:b1:1a:db:9d               UHLWI           en9
fe80::eade:27ff:fe4a:fe6c%en9           e8:de:27:4a:fe:6c               UHLWI           en9
ff01::%lo0/32                           ::1                             UmCI            lo0
ff01::%en0/32                           link#4                          UmCI            en0
ff01::%en9/32                           link#11                         UmCI            en9
ff02::%lo0/32                           ::1                             UmCI            lo0
ff02::%en0/32                           link#4                          UmCI            en0
ff02::%en9/32                           link#11                         UmCI            en9

      Your help is greatly appreciated.

      1 Reply Last reply Reply Quote 0
      • A
        azzido last edited by

        I assume em1 is your LAN interface. It has prefix 2001:558:6033:3::, but your client machine has prefix fd61:9de9:cb17:: and at least one IP fd61:9de9:cb17::199 seems to be assigned by DHCPv6 server. Where is fd61:9de9:cb17:: coming from and are you running DHCPv6 server on LAN?

        1 Reply Last reply Reply Quote 0
        • D
          doktornotor Banned last edited by

          @mqudsi:

          all computers get their assigned address from the /64 just fine and dandy

          No, they don't. Just look at what you posted. You have some ULA stuff there. Nothing from the /64.

          1 Reply Last reply Reply Quote 0
          • M
            mqudsi last edited by

            I am terribly sorry, I'm not sure what was wrong when I posted that - I didn't even bother checking it because it was the same previously. Somehow the problem resolved itself and I have IPv6 connectivity. Unfortunately as the routing tables I previously posted were incorrect, this is going to be one of those "it took a while but I now have IPv6 connectivity and I can't explain how it happened" posts.

            For reference, working client configuration:

            en9: flags=8863 <up,broadcast,smart,running,simplex,multicast>mtu 1500
	ether 00:e0:4c:68:28:b8 
	inet6 fe80::2e0:4cff:fe68:28b8%en9 prefixlen 64 scopeid 0xb 
	inet6 2601:d:180:150d::188e prefixlen 64 dynamic 
	inet 192.168.1.101 netmask 0xffffff00 broadcast 192.168.1.255
	inet6 fd61:9de9:cb17::2e0:4cff:fe68:28b8 prefixlen 64 detached autoconf 
	inet6 fd61:9de9:cb17::b12a:8293:3147:5d9e prefixlen 64 detached deprecated autoconf temporary 
	inet6 fd61:9de9:cb17::4da4:9621:380:65ca prefixlen 64 detached autoconf temporary 
	nd6 options=1 <performnud>media: autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud></up,broadcast,smart,running,simplex,multicast>

            Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::1:1%en9                   UGc             en9
default                                 fe80::cd0:8718:918d:fb02%en10   UGcI           en10
::1                                     ::1                             UHL             lo0
2600:1008:b128:50e3::/64                link#12                         UC             en10
2600:1008:b128:50e3:18f6:43ff:fec3:3fd0 1a:f6:43:c3:3f:d0               UHL             lo0
2600:1008:b128:50e3:3c04:15b4:888:748d  1a:f6:43:c3:3f:d0               UHL             lo0
2601:d:180:150d::/64                    link#11                         UC              en9
2601:d:180:150d::188e                   0:e0:4c:68:28:b8                UHL             lo0
2601:d:180:150d:226:55ff:fed0:5026      0:26:55:d0:50:26                UHLWI           en9
fd61:9de9:cb17::2e0:4cff:fe68:28b8      0:e0:4c:68:28:b8                UHL             lo0
fd61:9de9:cb17::4da4:9621:380:65ca      0:e0:4c:68:28:b8                UHL             lo0
fd61:9de9:cb17::b12a:8293:3147:5d9e     0:e0:4c:68:28:b8                UHL             lo0
fe80::%lo0/64                           fe80::1%lo0                     UcI             lo0
fe80::1%lo0                             link#1                          UHLI            lo0
fe80::%en9/64                           link#11                         UCI             en9
fe80::1:1%en9                           0:26:55:d0:50:26                UHLWIir         en9
fe80::21b:a9ff:fe7d:64e8%en9            0:1b:a9:7d:64:e8                UHLWI           en9
fe80::2e0:4cff:fe68:28b8%en9            0:e0:4c:68:28:b8                UHLI            lo0
fe80::1cf7:1d2:c1df:b246%en9            9c:20:7b:ac:2c:d4               UHLWI           en9
fe80::eade:27ff:fe4a:fe6c%en9           e8:de:27:4a:fe:6c               UHLWI           en9
fe80::%en10/64                          link#12                         UCI            en10
fe80::cd0:8718:918d:fb02%en10           3a:f6:43:3c:23:64               UHLWIir        en10
fe80::18f6:43ff:fec3:3fd0%en10          1a:f6:43:c3:3f:d0               UHLI            lo0
ff01::%lo0/32                           ::1                             UmCI            lo0
ff01::%en0/32                           link#4                          UmCI            en0
ff01::%en9/32                           link#11                         UmCI            en9
ff01::%en10/32                          link#12                         UmCI           en10
ff02::%lo0/32                           ::1                             UmCI            lo0
ff02::%en0/32                           link#4                          UmCI            en0
ff02::%en9/32                           link#11                         UmCI            en9
ff02::%en10/32                          link#12                         UmCI           en10

            pfSense:

            em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 9000
	options=4219b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso>ether 00:26:55:d0:50:26
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255 
	inet6 2601:d:180:150d:226:55ff:fed0:5026 prefixlen 64 
	inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1 
	nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
	options=4019b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,vlan_hwtso>ether 00:26:55:d0:50:27
	inet6 fe80::226:55ff:fed0:5027%em1 prefixlen 64 scopeid 0x2 
	inet 98.228.96.134 netmask 0xfffff800 broadcast 255.255.255.255 
	inet6 2001:558:6033:3:94a:c618:4b3e:cdb8 prefixlen 128 
	nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,vlan_hwtso></up,broadcast,running,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,tso4,wol_magic,vlan_hwtso></up,broadcast,running,simplex,multicast>

            Internet6:
Destination                       Gateway                       Flags      Netif Expire
default                           fe80::201:5cff:fe6f:6046%em1  UGS         em1
::1                               link#6                        UH          lo0
2001:558:6033:3:94a:c618:4b3e:cdb8 link#2                        UHS         lo0
2601:d:180:150d::/64              link#1                        U           em0
2601:d:180:150d:226:55ff:fed0:5026 link#1                        UHS         lo0
fe80::%em0/64                     link#1                        U           em0
fe80::1:1%em0                     link#1                        UHS         lo0
fe80::%em1/64                     link#2                        U           em1
fe80::226:55ff:fed0:5027%em1      link#2                        UHS         lo0
fe80::%lo0/64                     link#6                        U           lo0
fe80::1%lo0                       link#6                        UHS         lo0
ff01::%em0/32                     2601:d:180:150d:226:55ff:fed0:5026 U           em0
ff01::%em1/32                     fe80::226:55ff:fed0:5027%em1  U           em1
ff01::%lo0/32                     ::1                           U           lo0
ff02::%em0/32                     2601:d:180:150d:226:55ff:fed0:5026 U           em0
ff02::%em1/32                     fe80::226:55ff:fed0:5027%em1  U           em1
ff02::%lo0/32                     ::1                           U           lo0

            em0 is lan and em1 is wan on pfSense.

            1 Reply Last reply Reply Quote 0
            • M
              mqudsi last edited by

              In my case, this problem was caused by a wireless access point in the network running OpenWRT trying to hand out IPv6 addresses when it had no business doing so. Hope this helps someone.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post

              Products

              • Platform Overview
              • TNSR
              • pfSense
              • Appliances

              Services

              • Training
              • Professional Services

              Support

              • Subscription Plans
              • Contact Support
              • Product Lifecycle
              • Documentation

              News

              • Media Coverage
              • Press
              • Events

              Resources

              • Blog
              • FAQ
              • Find a Partner
              • Resource Library
              • Security Information

              Company

              • About Us
              • Careers
              • Partners
              • Contact Us
              • Legal
              Our Mission

              We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

              Subscribe to our Newsletter

              Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

              © 2021 Rubicon Communications, LLC | Privacy Policy