Can access IPv6 Internet from pfSense box, but not from LAN clients



  • Short version:
    ISP has native IPv6. WAN is set to DHCP6, LAN is set to static IP with unmanaged RA. LAN clients get IPv6 addresses, the pfSense box can access the IPv6 Internet, but LAN clients cannot access the IPv6 Internet (only other clients on the LAN).

    Long version:

    Edit: Forgot to include hardware/software. APU-1C running pfSense 2.2.4-release.

    Here’s how I have things configured:

    (In the addresses below, xxxx:yyyy always represents the same string.)

    WAN interface: DHCP6
    DHCPv6 Prefix Delegation size: 60 (supposedly the ISP gives out a /56, and I’ve tried that as well)
    Send IPv6 prefix hint: Yes

    LAN interface: Static IPv6
    IPv6 address: 2604:xxxx:yyyy:1a0::1

    Once enabled, my gateway is an address of the form:
    fe80::----:----:----:----

    And the gateway appears to be connected.

    And the IPv6 address assigned to the WAN port is of the form:
    2604:xxxx:yyyy:0:----:----:----:----

    RA mode is set to Unmanaged.

    IPv6 clients on the LAN get addresses (of the form 2604:xxxx:yyyy:1a0:----:----:----:----) and can ping each other. They can also ping the LAN and WAN IPv6 address of the pfSense box.

    I am also able to access the IPv6 Internet when ssh'd into the pfSense box, e.g. ping6 ipv6.google.com and links ipv6.google.com both work.

    However, I am unable to access the IPv6 Internet from any clients on my LAN. ping6 2001:4860:4860::8888 (Google’s DNS server) has 100% packet loss. If I look at pftop I can see packets entering and exiting, but I never get responses back on my client:

    pfTop: Up State 1-100/190, View: default, Order: packets
    PR    D SRC                   DEST                 STATE   AGE   EXP  PKTS BYTES
    ...
    ipv6- I 2604:4080:115e:1a0:-- 2001:4860:4860::8888  0:0     66    10    67  3752
    ipv6- O 2604:4080:115e:1a0:-- 2001:4860:4860::8888  0:0     66    10    67  3752
    ...
    
    

    I’ve tried various combinations of enabling the DHCPv6 server, changing the RA mode, changing the Prefix Delegation size, setting LAN interface to “track”, changing the DHCP6 settings on the WAN interface, and so on. “track” never seems to work.

    The logs are pretty quiet. Under “routing”, all I see is:

    
    radvd[46286]: version 1.9.1 started
    
    

    Here is an excerpt from my routing tables:

    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    default                           <gateway-address>%re1  UGS         re1
    ::1                               link#6                        UH          lo0
    2604:xxxx:yyyy::/64               link#2                        U           re1
    2604:xxxx:yyyy:0:...<insert rest of the wan address here>  link#2                        UHS         lo0
    2604:xxxx:yyyy:1a0::/64           link#3                        U           re2
    2604:xxxx:yyyy:1a0::1             link#3                        UHS         lo0
    

    I recently moved and switched ISPs. Previously I was successfully using 6rd with Charter (all I had to do was set the LAN interface to “track”).

    Finally, if I use an Airport Extreme instead, tell it to use “native” IPv6, and enable “IPv6 Connection Sharing”, it auto-configures with the following:

    IPv6 WAN Address: (blank)
    IPv6 Default Route: (blank)
    IPv6 Delegated Prefix: 2604:xxxx:yyyy:1a0::/60
    IPv6 LAN Address: 2604:xxxx:yyyy:1a0:----:----:----:----

    Then my client (running OS X) auto configures two IPv6 addresses of the form:
    2604:xxxx:yyyy:1a0:----:----:----:----

    And everything works correctly.



  • Hi

    I have the same problem since I updated from 2.2.3 to 2.2.4

    My Firewall Log does not contain any connection except dns request.

    ipv6 ping from pfsense works but doesn't from LAN or any VLAN.

    Maybe it's a bug in 2.2.4?



  • some screenshots of my config



  • LAYER 8 Global Moderator

    so why did you set a static on your lan?  And what did you set it to?  If your isp ipv6 via dhcp why would you not just track on your lan?  Are they giving more than a /64?



  • @johnpoz:

    so why did you set a static on your lan?  And what did you set it to?  If your isp ipv6 via dhcp why would you not just track on your lan?  Are they giving more than a /64?

    I get a /48 net.
    Maybe I've to downgrade my box. If the issue disappears, it's a bug in 2.2.4.
    I didn't change my configuration.



  • @johnpoz:

    so why did you set a static on your lan?  And what did you set it to?  If your isp ipv6 via dhcp why would you not just track on your lan?  Are they giving more than a /64?

    The AirPort suggested I was getting a /60, and supposedly they give out a /56 (but it's not clear if that's only when a customer requests a static IPv4 address).

    I initially tried Track on LAN and it did not work.

    However, Track on LAN did work when I was with my old ISP using 6rd.

    I'll give Track on LAN another shot tonight.



  • @Phobos:

    @johnpoz:

    so why did you set a static on your lan?  And what did you set it to?  If your isp ipv6 via dhcp why would you not just track on your lan?  Are they giving more than a /64?

    The AirPort suggested I was getting a /60, and supposedly they give out a /56 (but it's not clear if that's only when a customer requests a static IPv4 address).

    I initially tried Track on LAN and it did not work.

    However, Track on LAN did work when I was with my old ISP using 6rd.

    I'll give Track on LAN another shot tonight.

    So, I tried setting the LAN interface to track the WAN interface (again). Like before, the LAN interface lacks an IPv6 address, and none of my LAN clients get IPv6 addresses.


  • LAYER 8 Global Moderator

    I am running ipv6 on 2.2.4 without any issues.  But I use a tunnel from Hurricane Electric, FREE, STABLE, FAST - WORKS!! Easy to set up and you get a /48 from them.  If you ask me most of the ISPs are not quite ready for ipv6..

    This way doesn't matter!

    And you can even set up PTR for your ipv6 addresses..  Does your isp let you do that ;)

