IPv6 Blocked Since Upgrade to 2.2 - TWC
-
Hello everyone,
I have TWC and I switched from a Mikrotik router to pfsense 2.1.5 last year. Native IPv6 worked great for me until I upgraded to 2.2 however. I did the automated upgrade, and after upgrading I would get an IPv6 address and delegated space over DHCP like normal, but nothing on my network could connect over IPv6 anymore. I can ping ipv6 addresses from pfsense and I can ping pfsense from devices on the LAN, but nothing else can ping out anymore. I exported my config and reinstalled 2.1.5, and IPv6 worked again, but when I upgraded to 2.2 a second time it stopped working.
This is the IPv6 configuration setup I use (/56 delegation, though only one subnet in use right now)
https://forum.pfsense.org/index.php?topic=87623.msg481615#msg481615Any idea what could cause pfsense to have connectivity, but none of my clients since upgrading to 2.2?
em1 is my LAN interface, em0 is my WAN.
[2.2.2-RELEASE][admin@hostname]/root: ifconfig em0 em0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500 options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether be:be:ec:d1:5f:1a inet6 fe80::bcbe:ecff:fed1:5f1a%em0 prefixlen 64 scopeid 0x1 inet 72.177.23.2 netmask 0xffffe000 broadcast 255.255.255.255 inet6 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 prefixlen 128 nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active</full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,simplex,multicast>[2.2.2-RELEASE][admin@hostname]/root: ifconfig em1 em1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500 options=209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic>ether 46:ba:e6:4b:47:a8 inet 10.100.55.2 netmask 0xffffff00 broadcast 10.100.55.255 inet 10.100.55.1 netmask 0xffffff00 broadcast 10.100.55.255 vhid 1 inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64 inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2 nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>) status: active carp: MASTER vhid 1 advbase 1 advskew 0</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic></up,broadcast,running,promisc,simplex,multicast>[2.2.2-RELEASE][admin@hostname]/root: netstat -rn Routing tables Internet: Destination Gateway Flags Netif Expire default 72.177.0.1 UGS em0 10.15.0.0/24 link#4 U em3 10.15.0.1 link#4 UHS lo0 10.15.0.2 link#4 UHS lo0 10.16.0.0/24 link#3 U em2 10.16.0.2 link#3 UHS lo0 10.100.0.0/14 10.100.55.11 UGS em1 10.100.55.0/24 link#2 U em1 10.100.55.1 link#2 UHS lo0 10.100.55.2 link#2 UHS lo0 10.104.0.0/14 10.100.55.11 UGS em1 72.177.0.0/19 link#1 U em0 72.177.23.2 link#1 UHS lo0 127.0.0.1 link#7 UH lo0 172.31.0.0/16 10.100.55.11 UGS em1 Internet6: Destination Gateway Flags Netif Expire default fe80::217:10ff:fe86:c259%em0 UGS em0 ::1 link#7 UH lo0 2605:6000:400:7b::/64 link#1 U em0 2605:6000:700:7b::/64 link#1 U em0 2605:6000:c00:7b::/64 link#1 U em0 2605:6000:ef42:e100::/64 link#2 U em1 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 link#2 UHS lo0 2605:6000:ffc0:7b::/64 link#1 U em0 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 link#1 UHS lo0 fe80::%em0/64 link#1 U em0 fe80::bcbe:ecff:fed1:5f1a%em0 link#1 UHS lo0 fe80::%em1/64 link#2 U em1 fe80::1:1%em1 link#2 UHS lo0 fe80::%em2/64 link#3 U em2 fe80::2408:c5ff:fead:1a15%em2 link#3 UHS lo0 fe80::%em3/64 link#4 U em3 fe80::a87e:18ff:fe6c:775%em3 link#4 UHS lo0 fe80::%lo0/64 link#7 U lo0 fe80::1%lo0 link#7 UHS lo0 ff01::%em0/32 fe80::bcbe:ecff:fed1:5f1a%em0 U em0 ff01::%em1/32 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 U em1 ff01::%em2/32 fe80::2408:c5ff:fead:1a15%em2 U em2 ff01::%em3/32 fe80::a87e:18ff:fe6c:775%em3 U em3 ff01::%lo0/32 ::1 U lo0 ff02::%em0/32 fe80::bcbe:ecff:fed1:5f1a%em0 U em0 ff02::%em1/32 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 U em1 ff02::%em2/32 fe80::2408:c5ff:fead:1a15%em2 U em2 ff02::%em3/32 fe80::a87e:18ff:fe6c:775%em3 U em3 ff02::%lo0/32 ::1 U lo0[2.2.2-RELEASE][admin@hostname]/root: pfctl -sr | egrep 'inet6|icmp6' block drop in log inet6 all label "Default deny rule IPv6" block drop out log inet6 all label "Default deny rule IPv6" pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state block drop log quick inet6 proto tcp from any port = 0 to any block drop log quick inet6 proto udp from any port = 0 to any block drop log quick inet6 proto tcp from any to any port = 0 block drop log quick inet6 proto udp from any to any port = 0 pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN" block drop in log on ! em0 inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any block drop in log inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any block drop in log on em0 inet6 from fe80::bcbe:ecff:fed1:5f1a to any block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7" block drop in log on ! em1 inet6 from 2605:6000:ef42:e100::/64 to any block drop in log inet6 from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 to any block drop in log on em1 inet6 from fe80::1:1 to any pass quick on em1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server" pass quick on em1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server" pass in quick on em1 inet6 proto udp from fe80::/10 to 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-client keep state label "allow access to DHCPv6 server" pass out quick on em1 inet6 proto udp from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server" block drop in log on em2 inet6 from fe80::2408:c5ff:fead:1a15 to any block drop in log on em3 inet6 from fe80::a87e:18ff:fe6c:775 to any pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback" pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself" pass out route-to (em0 fe80::217:10ff:fe86:c259) inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to ! 2605:6000:ffc0::/56 flags S/SA keep state allow-opts label "let out anything from firewall host itself" pass in quick on em1 inet6 from 2605:6000:ef42:e100::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
-
So I tried going back to 2.1.5 again, and as expected it started working again. I compared the firewall settings, and they were effectively identical (aside from differing IP ranges provided by DHCP). The only differences I noticed was that auto_linklocal is turned on in 2.2, but not in 2.1.
-
After doing some more digging and clearing out all the deprecated ipv6 addresses on my client, I noticed I was getting two separate, but similar address ranges. Somehow during the upgrade radvd.conf found itself with two subnet advertisements, one for the valid address range and another for an older range that I had not received in quite some time. I manually removed the old range from radvd.conf, HUP'ed radvd, and after a reboot to ensure a clean network slate my client is connecting again.