IPv6 Blocked Since Upgrade to 2.2 - TWC



  • Hello everyone,

    I have TWC and I switched from a Mikrotik router to pfsense 2.1.5 last year.  Native IPv6 worked great for me until I upgraded to 2.2, however.  I did the automated upgrade, and after upgrading I would get an IPv6 address and delegated space over DHCP like normal, but nothing on my network could connect over IPv6 anymore.  I can ping IPv6 addresses from pfsense and I can ping pfsense from devices on the LAN, but nothing else can ping out anymore.  I exported my config and reinstalled 2.1.5, and IPv6 worked again, but when I upgraded to 2.2 a second time it stopped working.

    This is the IPv6 configuration setup I use (/56 delegation, though only one subnet in use right now)
    https://forum.pfsense.org/index.php?topic=87623.msg481615#msg481615

    Any idea what could cause pfsense to have connectivity, but none of my clients since upgrading to 2.2?

    em1 is my LAN interface, em0 is my WAN.

    
    [2.2.2-RELEASE][admin@hostname]/root: ifconfig em0
    em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether be:be:ec:d1:5f:1a
    	inet6 fe80::bcbe:ecff:fed1:5f1a%em0 prefixlen 64 scopeid 0x1
    	inet 72.177.23.2 netmask 0xffffe000 broadcast 255.255.255.255
    	inet6 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 prefixlen 128
    	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    
    
    [2.2.2-RELEASE][admin@hostname]/root: ifconfig em1
    em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
    	ether 46:ba:e6:4b:47:a8
    	inet 10.100.55.2 netmask 0xffffff00 broadcast 10.100.55.255
    	inet 10.100.55.1 netmask 0xffffff00 broadcast 10.100.55.255 vhid 1
    	inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64
    	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
    	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    	media: Ethernet autoselect (1000baseT <full-duplex>)
    	status: active
    	carp: MASTER vhid 1 advbase 1 advskew 0
    
    
    [2.2.2-RELEASE][admin@hostname]/root: netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags      Netif Expire
    default            72.177.0.1         UGS         em0
    10.15.0.0/24       link#4             U           em3
    10.15.0.1          link#4             UHS         lo0
    10.15.0.2          link#4             UHS         lo0
    10.16.0.0/24       link#3             U           em2
    10.16.0.2          link#3             UHS         lo0
    10.100.0.0/14      10.100.55.11       UGS         em1
    10.100.55.0/24     link#2             U           em1
    10.100.55.1        link#2             UHS         lo0
    10.100.55.2        link#2             UHS         lo0
    10.104.0.0/14      10.100.55.11       UGS         em1
    72.177.0.0/19      link#1             U           em0
    72.177.23.2        link#1             UHS         lo0
    127.0.0.1          link#7             UH          lo0
    172.31.0.0/16      10.100.55.11       UGS         em1
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           fe80::217:10ff:fe86:c259%em0  UGS         em0
    ::1                               link#7                        UH          lo0
    2605:6000:400:7b::/64             link#1                        U           em0
    2605:6000:700:7b::/64             link#1                        U           em0
    2605:6000:c00:7b::/64             link#1                        U           em0
    2605:6000:ef42:e100::/64          link#2                        U           em1
    2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 link#2                        UHS         lo0
    2605:6000:ffc0:7b::/64            link#1                        U           em0
    2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 link#1                        UHS         lo0
    fe80::%em0/64                     link#1                        U           em0
    fe80::bcbe:ecff:fed1:5f1a%em0     link#1                        UHS         lo0
    fe80::%em1/64                     link#2                        U           em1
    fe80::1:1%em1                     link#2                        UHS         lo0
    fe80::%em2/64                     link#3                        U           em2
    fe80::2408:c5ff:fead:1a15%em2     link#3                        UHS         lo0
    fe80::%em3/64                     link#4                        U           em3
    fe80::a87e:18ff:fe6c:775%em3      link#4                        UHS         lo0
    fe80::%lo0/64                     link#7                        U           lo0
    fe80::1%lo0                       link#7                        UHS         lo0
    ff01::%em0/32                     fe80::bcbe:ecff:fed1:5f1a%em0 U           em0
    ff01::%em1/32                     2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 U           em1
    ff01::%em2/32                     fe80::2408:c5ff:fead:1a15%em2 U           em2
    ff01::%em3/32                     fe80::a87e:18ff:fe6c:775%em3  U           em3
    ff01::%lo0/32                     ::1                           U           lo0
    ff02::%em0/32                     fe80::bcbe:ecff:fed1:5f1a%em0 U           em0
    ff02::%em1/32                     2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 U           em1
    ff02::%em2/32                     fe80::2408:c5ff:fead:1a15%em2 U           em2
    ff02::%em3/32                     fe80::a87e:18ff:fe6c:775%em3  U           em3
    ff02::%lo0/32                     ::1                           U           lo0
    
    
    
    [2.2.2-RELEASE][admin@hostname]/root: pfctl -sr | egrep 'inet6|icmp6'
    block drop in log inet6 all label "Default deny rule IPv6"
    block drop out log inet6 all label "Default deny rule IPv6"
    pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
    pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
    block drop log quick inet6 proto tcp from any port = 0 to any
    block drop log quick inet6 proto udp from any port = 0 to any
    block drop log quick inet6 proto tcp from any to any port = 0
    block drop log quick inet6 proto udp from any to any port = 0
    pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
    block drop in log on ! em0 inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any
    block drop in log inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any
    block drop in log on em0 inet6 from fe80::bcbe:ecff:fed1:5f1a to any
    block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    block drop in log on ! em1 inet6 from 2605:6000:ef42:e100::/64 to any
    block drop in log inet6 from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 to any
    block drop in log on em1 inet6 from fe80::1:1 to any
    pass quick on em1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass quick on em1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
    pass in quick on em1 inet6 proto udp from fe80::/10 to 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
    pass out quick on em1 inet6 proto udp from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
    block drop in log on em2 inet6 from fe80::2408:c5ff:fead:1a15 to any
    block drop in log on em3 inet6 from fe80::a87e:18ff:fe6c:775 to any
    pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (em0 fe80::217:10ff:fe86:c259) inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to ! 2605:6000:ffc0::/56 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em1 inet6 from 2605:6000:ef42:e100::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
    
    


  • So I tried going back to 2.1.5 again, and as expected it started working again.  I compared the firewall settings, and they were effectively identical (aside from differing IP ranges provided by DHCP).  The only difference I noticed was that auto_linklocal is turned on in 2.2, but not in 2.1.



  • After doing some more digging and clearing out all the deprecated IPv6 addresses on my client, I noticed I was getting two separate but similar address ranges.  Somehow during the upgrade radvd.conf found itself with two subnet advertisements, one for the valid address range and another for an older range that I had not received in quite some time.  I manually removed the old range from radvd.conf, HUP'ed radvd, and after a reboot to ensure a clean network slate my client is connecting again.
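The failure mode found above (a stale prefix still advertised by radvd while the LAN pass rule only matches the current /64, so clients that autoconfigure into the old range hit the default deny) can be checked for mechanically. The script below is an added example, not code from the thread or from pfSense: it parses a constructed radvd.conf carrying a stale second prefix (2605:6000:ef41:e100::/64 is made up for the example), the em1 address lines and the LAN allow rule from the first post, and reports every advertised prefix the interface no longer holds and whether the allow rule would still pass traffic sourced from it.

```python
import re
import ipaddress

# Constructed radvd.conf modelled on the thread: the live prefix plus a stale
# second prefix left behind by the upgrade (the real file is not on the page).
RADVD_CONF = """\
interface em1 {
    AdvSendAdvert on;
    prefix 2605:6000:ef42:e100::/64 { AdvOnLink on; AdvAutonomous on; };
    prefix 2605:6000:ef41:e100::/64 { AdvOnLink on; AdvAutonomous on; };
};
"""
# Address lines taken from the em1 ifconfig output in the first post.
IFCONFIG_EM1 = """\
	inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64
	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
"""
# The LAN allow rule from the first post's pfctl output.
LAN_RULE = ('pass in quick on em1 inet6 from 2605:6000:ef42:e100::/64 to any '
            'flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"')

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*\{(.*?)^\};", re.M | re.S)
PREFIX_RE = re.compile(r"^\s*prefix\s+([0-9a-fA-F:]+/\d+)\s*\{", re.M)
INET6_RE = re.compile(r"^\s*inet6\s+([0-9a-fA-F:]+)(?:%\w+)?\s+prefixlen\s+(\d+)", re.M)
RULE_SRC_RE = re.compile(r"\binet6 from (\S+) to ")

def advertised_prefixes(conf, iface):
    """Prefixes radvd advertises on iface, in file order."""
    for name, body in IFACE_RE.findall(conf):
        if name == iface:
            return [ipaddress.ip_network(p) for p in PREFIX_RE.findall(body)]
    return []

def onlink_prefixes(ifconfig):
    """Global networks derived from the interface's non link-local addresses."""
    nets = []
    for addr, plen in INET6_RE.findall(ifconfig):
        if ipaddress.ip_address(addr).is_global:
            nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets

def stale_advertisements(conf, ifconfig, rule, iface):
    """(prefix, allowed_by_rule) for each advertised prefix the interface no
    longer holds; allowed_by_rule is False when clients in it would be denied."""
    live = onlink_prefixes(ifconfig)
    allowed = ipaddress.ip_network(RULE_SRC_RE.search(rule).group(1))
    return [(str(p), p.subnet_of(allowed))
            for p in advertised_prefixes(conf, iface) if p not in live]

if __name__ == "__main__":
    for prefix, passes in stale_advertisements(RADVD_CONF, IFCONFIG_EM1, LAN_RULE, "em1"):
        print(f"stale prefix {prefix}: LAN allow rule passes it: {passes}")
```

On a real box the same three inputs come from /var/etc/radvd.conf, `ifconfig em1` and `pfctl -sr`; a stale prefix with a False flag is exactly the condition that blocked the clients here.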

