Netgate Discussion Forum

    IPv6 Blocked Since Upgrade to 2.2 - TWC

      torchpeppers

      Hello everyone,

      I have TWC and I switched from a Mikrotik router to pfSense 2.1.5 last year. Native IPv6 worked great for me until I upgraded to 2.2, however. I did the automated upgrade, and after upgrading I would get an IPv6 address and delegated space over DHCP like normal, but nothing on my network could connect over IPv6 anymore. I can ping IPv6 addresses from pfSense and I can ping pfSense from devices on the LAN, but nothing else can ping out anymore. I exported my config and reinstalled 2.1.5, and IPv6 worked again, but when I upgraded to 2.2 a second time it stopped working.

      This is the IPv6 configuration setup I use (/56 delegation, though only one subnet in use right now)
      https://forum.pfsense.org/index.php?topic=87623.msg481615#msg481615

      Any idea what could cause pfSense to have connectivity, but none of my clients, since upgrading to 2.2?

      em1 is my LAN interface, em0 is my WAN.

      
      [2.2.2-RELEASE][admin@hostname]/root: ifconfig em0
      em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
      	ether be:be:ec:d1:5f:1a
      	inet6 fe80::bcbe:ecff:fed1:5f1a%em0 prefixlen 64 scopeid 0x1 
      	inet 72.177.23.2 netmask 0xffffe000 broadcast 255.255.255.255 
      	inet6 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 prefixlen 128 
      	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      
      
      [2.2.2-RELEASE][admin@hostname]/root: ifconfig em1
      em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
      	options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
      	ether 46:ba:e6:4b:47:a8
      	inet 10.100.55.2 netmask 0xffffff00 broadcast 10.100.55.255 
      	inet 10.100.55.1 netmask 0xffffff00 broadcast 10.100.55.255 vhid 1 
      	inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64 
      	inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2 
      	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
      	media: Ethernet autoselect (1000baseT <full-duplex>)
      	status: active
      	carp: MASTER vhid 1 advbase 1 advskew 0
      
      
      [2.2.2-RELEASE][admin@hostname]/root: netstat -rn
      Routing tables
      
      Internet:
      Destination        Gateway            Flags      Netif Expire
      default            72.177.0.1         UGS         em0
      10.15.0.0/24       link#4             U           em3
      10.15.0.1          link#4             UHS         lo0
      10.15.0.2          link#4             UHS         lo0
      10.16.0.0/24       link#3             U           em2
      10.16.0.2          link#3             UHS         lo0
      10.100.0.0/14      10.100.55.11       UGS         em1
      10.100.55.0/24     link#2             U           em1
      10.100.55.1        link#2             UHS         lo0
      10.100.55.2        link#2             UHS         lo0
      10.104.0.0/14      10.100.55.11       UGS         em1
      72.177.0.0/19      link#1             U           em0
      72.177.23.2        link#1             UHS         lo0
      127.0.0.1          link#7             UH          lo0
      172.31.0.0/16      10.100.55.11       UGS         em1
      
      Internet6:
      Destination                       Gateway                       Flags      Netif Expire
      default                           fe80::217:10ff:fe86:c259%em0  UGS         em0
      ::1                               link#7                        UH          lo0
      2605:6000:400:7b::/64             link#1                        U           em0
      2605:6000:700:7b::/64             link#1                        U           em0
      2605:6000:c00:7b::/64             link#1                        U           em0
      2605:6000:ef42:e100::/64          link#2                        U           em1
      2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 link#2                        UHS         lo0
      2605:6000:ffc0:7b::/64            link#1                        U           em0
      2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 link#1                        UHS         lo0
      fe80::%em0/64                     link#1                        U           em0
      fe80::bcbe:ecff:fed1:5f1a%em0     link#1                        UHS         lo0
      fe80::%em1/64                     link#2                        U           em1
      fe80::1:1%em1                     link#2                        UHS         lo0
      fe80::%em2/64                     link#3                        U           em2
      fe80::2408:c5ff:fead:1a15%em2     link#3                        UHS         lo0
      fe80::%em3/64                     link#4                        U           em3
      fe80::a87e:18ff:fe6c:775%em3      link#4                        UHS         lo0
      fe80::%lo0/64                     link#7                        U           lo0
      fe80::1%lo0                       link#7                        UHS         lo0
      ff01::%em0/32                     fe80::bcbe:ecff:fed1:5f1a%em0 U           em0
      ff01::%em1/32                     2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 U           em1
      ff01::%em2/32                     fe80::2408:c5ff:fead:1a15%em2 U           em2
      ff01::%em3/32                     fe80::a87e:18ff:fe6c:775%em3  U           em3
      ff01::%lo0/32                     ::1                           U           lo0
      ff02::%em0/32                     fe80::bcbe:ecff:fed1:5f1a%em0 U           em0
      ff02::%em1/32                     2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 U           em1
      ff02::%em2/32                     fe80::2408:c5ff:fead:1a15%em2 U           em2
      ff02::%em3/32                     fe80::a87e:18ff:fe6c:775%em3  U           em3
      ff02::%lo0/32                     ::1                           U           lo0
      
      
      
      [2.2.2-RELEASE][admin@hostname]/root: pfctl -sr | egrep 'inet6|icmp6'
      block drop in log inet6 all label "Default deny rule IPv6"
      block drop out log inet6 all label "Default deny rule IPv6"
      pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbrsol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type neighbradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbrsol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type neighbradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbrsol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type neighbradv keep state
      block drop log quick inet6 proto tcp from any port = 0 to any
      block drop log quick inet6 proto udp from any port = 0 to any
      block drop log quick inet6 proto tcp from any to any port = 0
      block drop log quick inet6 proto udp from any to any port = 0
      pass in quick on em0 inet6 proto udp from fe80::/10 port = dhcpv6-client to fe80::/10 port = dhcpv6-client keep state label "allow dhcpv6 client in WAN"
      block drop in log on ! em0 inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any
      block drop in log inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to any
      block drop in log on em0 inet6 from fe80::bcbe:ecff:fed1:5f1a to any
      block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      block drop in log on ! em1 inet6 from 2605:6000:ef42:e100::/64 to any
      block drop in log inet6 from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 to any
      block drop in log on em1 inet6 from fe80::1:1 to any
      pass quick on em1 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      pass quick on em1 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
      pass quick on em1 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
      pass in quick on em1 inet6 proto udp from fe80::/10 to 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
      pass out quick on em1 inet6 proto udp from 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
      block drop in log on em2 inet6 from fe80::2408:c5ff:fead:1a15 to any
      block drop in log on em3 inet6 from fe80::a87e:18ff:fe6c:775 to any
      pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out route-to (em0 fe80::217:10ff:fe86:c259) inet6 from 2605:6000:ffc0:7b:4cbb:b614:46a5:38a1 to ! 2605:6000:ffc0::/56 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on em1 inet6 from 2605:6000:ef42:e100::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN IPv6 to any rule"
      
      
        torchpeppers

        So I tried going back to 2.1.5 again, and as expected it started working again. I compared the firewall settings, and they were effectively identical (aside from differing IP ranges provided by DHCP). The only difference I noticed was that auto_linklocal is turned on in 2.2, but not in 2.1.

          torchpeppers

          After doing some more digging and clearing out all the deprecated IPv6 addresses on my client, I noticed I was getting two separate, but similar address ranges. Somehow during the upgrade radvd.conf found itself with two subnet advertisements, one for the valid address range and another for an older range that I had not received in quite some time. I manually removed the old range from radvd.conf, HUP'ed radvd, and after a reboot to ensure a clean network slate my client is connecting again.

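The condition found in the last post, a radvd.conf advertising a prefix that is no longer configured on the interface, can be checked by comparing the advertised prefixes against the interface's global addresses. This is an added example, not code from the poster or from pfSense; the thread does not show radvd.conf, so the file contents and the stale prefix (2001:db8:0:1::/64, documentation range) are constructed, while the em1 addresses are the ones from the ifconfig output above.

```python
import ipaddress
import re

# Constructed radvd.conf: first prefix is the LAN /64 from the thread,
# second is a stand-in for the stale delegation left behind by the upgrade.
RADVD_CONF = """\
interface em1 {
    AdvSendAdvert on;
    prefix 2605:6000:ef42:e100::/64 { AdvOnLink on; AdvAutonomous on; };
    prefix 2001:db8:0:1::/64 { AdvOnLink on; AdvAutonomous on; };
};
"""
# ifconfig em1 output from the thread, trimmed to the inet6 lines.
IFCONFIG = """\
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 2605:6000:ef42:e100:44ba:e6ff:fe4b:47a8 prefixlen 64
    inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
"""

def advertised_prefixes(conf):
    """Map interface name -> list of prefixes radvd is configured to advertise."""
    result, iface = {}, None
    for line in conf.splitlines():
        m = re.match(r"\s*interface\s+(\S+)", line)
        if m:
            iface = m.group(1)
        m = re.match(r"\s*prefix\s+([0-9A-Fa-f:]+/\d+)", line)
        if m and iface:
            net = ipaddress.ip_network(m.group(1), strict=False)
            result.setdefault(iface, []).append(net)
    return result

def assigned_networks(ifconfig_out):
    """Map interface name -> set of non-link-local IPv6 networks configured on it."""
    result, iface = {}, None
    for line in ifconfig_out.splitlines():
        m = re.match(r"(\S+): flags=", line)
        if m:
            iface = m.group(1)
        m = re.match(r"\s+inet6\s+([0-9A-Fa-f:]+)(?:%\S+)?\s+prefixlen\s+(\d+)", line)
        if m and iface:
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            if not net.is_link_local:
                result.setdefault(iface, set()).add(net)
    return result

def stale_prefixes(conf, ifconfig_out):
    """Advertised prefixes with no matching address on the advertising interface."""
    assigned = assigned_networks(ifconfig_out)
    return [(i, str(p)) for i, ps in advertised_prefixes(conf).items()
            for p in ps if p not in assigned.get(i, set())]
```

Clients that autoconfigure from a stale advertisement pick source addresses in a prefix that is no longer delegated, which matches the symptom of the firewall itself having connectivity while LAN hosts do not.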