Can access IPv6 Internet from pfSense box, but not from LAN clients
-
Short version:
ISP has native IPv6. WAN is set to DHCP6, LAN is set to static IP with unmanaged RA. LAN clients get IPv6 addresses, the pfSense box can access the IPv6 Internet, but LAN clients cannot access the IPv6 Internet (only other clients on the LAN).Long version:
Edit: Forgot to include hardware/software. APU-1C running pfSense 2.2.4-release.
Here’s how I have things configured:
(In the addresses below, xxxx:yyyy is always represents the same string.)
WAN interface: DHCP6
DHCPv6 Prefix Delegation size: 60 (supposedly the ISP gives out a /56, and I’ve tried that as well)
Send IPv6 prefix hint: YesLAN interface: Static IPv6
IPv6 address: 2604:xxxx:yyyy:1a0::1Once enabled, my gateway is an address of the form:
fe80::–--:----:----:----And the gateway appears to be connected.
And the IPv6 address assigned to the WAN port is of the form:
2604:xxxx:yyyy:0:----:----:----:----RA mode is set to Unmanaged.
IPv6 clients on the LAN get addresses (of the form 2604:xxxx:yyyy:1a0:----:----:----:----) and can ping each other. They can also ping the LAN and WAN IPv6 address of the pfSense box.
I am also able to access the IPv6 Internet when ssh'd into the pfSense box, e.g.
ping6 ipv6.google.comandlinks ipv6.google.comboth work.However, I am unable to access the IPv6 Internet from any clients on my LAN.
ping6 2001:4860:4860::8888(Google’s DNS server) has 100% packet loss. If I look atpftopI can see packets entering and exiting, but I never get responses back on my client:pfTop: Up State 1-100/190, View: default, Order: packets PR D SRC DEST STATE AGE EXP PKTS BYTES ... ipv6- I 2604:4080:115e:1a0:-- 2001:4860:4860::8888 0:0 66 10 67 3752 ipv6- O 2604:4080:115e:1a0:-- 2001:4860:4860::8888 0:0 66 10 67 3752 ...I’ve tried various combinations of enabling the DHCPv6 server, changing the RA mode, changing the Prefix Delegation size, setting LAN interface to “track”, changing the DHCP6 settings on the WAN interface, and so-on. “track” never seems to work.
The logs are pretty quiet. Under “routing”, all I see is:
radvd[46286]: version 1.9.1 startedHere is an excerpt from my routing tables:
Internet6: Destination Gateway Flags Netif Expire default <gateway-address>%re1 UGS re1 ::1 link#6 UH lo0 2604:xxxx:yyyy::/64 link#2 U re1 2604:xxxx:yyyy:0:... <insert rest="" of="" the="" wan="" address="" here="">link#2 UHS lo0 2604:xxxx:yyyy:1a0::/64 link#3 U re2 2604:xxxx:yyyy:1a0::1 link#3 UHS lo0</insert></gateway-address>I recently moved and switched ISPs. Previously I was successfully using 6rd with Charter (all I had to do was set the LAN interface to “track”).
Finally, if I use an Airport Extreme instead, tell it to use “native” IPv6, and enable “IPv6 Connection Sharing”, it auto-configures with the following:
IPv6 WAN Address: (blank)
IPv6 Default Route: (blank)
IPv6 Delegated Prefix: 2604:xxxx:yyyy:1a0::/60
IPv6 LAN Address: 2604:xxxx:yyyy:1a0:–--:----:----:----Then my client (running OS X) auto configures two IPv6 addresses of the form:
2604:xxxx:yyyy:1a0:----:----:----:----And everything works correctly.
-
Hi
I have the same problem since I updated from 2.2.3 to 2.2.4
My Firewall Log does not contain any connection except dns request.
ipv6 ping from pfsense works but doesn't from LAN or any VLAN.
Maybe it's a bug in 2.2.4?
-
some screenshots of my config
-
so why did you set a static on your lan? And what did you set it too? If your isp ipv6 via dhcp why would you not just track on your lan? Are they giving more than a /64?
-
so why did you set a static on your lan? And what did you set it too? If your isp ipv6 via dhcp why would you not just track on your lan? Are they giving more than a /64?
I get a /48 net.
Maybe I've to downgrade my box. If the issue disappears, it's a bug in 2.2.4.
I didn't change my configuration. -
so why did you set a static on your lan? And what did you set it too? If your isp ipv6 via dhcp why would you not just track on your lan? Are they giving more than a /64?
The AirPort suggested I was getting a /60, and supposedly they give out a /56 (but it's not clear if that's only when a customer requests a static IPv4 address).
I initially tried Track on LAN and it did not work.
However, Track on LAN did work when I was with my old ISP using 6rd.
I'll give Track on LAN another shot tonight.
-
so why did you set a static on your lan? And what did you set it too? If your isp ipv6 via dhcp why would you not just track on your lan? Are they giving more than a /64?
The AirPort suggested I was getting a /60, and supposedly they give out a /56 (but it's not clear if that's only when a customer requests a static IPv4 address).
I initially tried Track on LAN and it did not work.
However, Track on LAN did work when I was with my old ISP using 6rd.
I'll give Track on LAN another shot tonight.
So, I tried setting the LAN interface to track the WAN interface (again). Like before, the LAN interface lacks an IPv6 address, and none of my LAN clients get IPv6 addresses.
-
I am running ipv6 on 2.2.4 without any issues. But I use a tunnel from Hurricane Electric, FREE, STABLE, FAST - WORKS!! Easy to setup and you get a /48 from them. If you ask me most of the isp are not quite ready for ipv6..
This way doesn't matter!
And you can even setup PTR for your ipv6 addresses.. Does your isp let you do that ;)
