[SOLVED] Setting up native IPv6 connectivity



  • Allocated blocks:
    2001:2060:4f:c::1/64 (In use.)

    2001:2060:4f:d::1/64
    2001:2060:4f:e::1/64
    (These two for pfSense.)

    The question is how should I add these?

    WAN => Works.

    
    PING6(56=40+8+8 bytes) 2001:2060:4f:d::2 --> 2a00:1450:400f:805::2003
    16 bytes from 2a00:1450:400f:805::2003, icmp_seq=0 hlim=54 time=13.780 ms
    16 bytes from 2a00:1450:400f:805::2003, icmp_seq=1 hlim=54 time=13.306 ms
    16 bytes from 2a00:1450:400f:805::2003, icmp_seq=2 hlim=54 time=13.496 ms
    
    --- google.fi ping6 statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/std-dev = 13.306/13.527/13.780/0.195 ms
    
    

    How do I need to add the LAN IPv6 address? With gateway or without? How do I configure the DHCPv6 server and Router Advertisement?

    Sorry, but I'm pretty noob with IPv6.


  • Rebel Alliance Developer Netgate

    No different than IPv4.

    Pick an address in one of those blocks, set it as the LAN IPv6 address, no need for a gateway (e.g. 2001:2060:4f:d::1/64).
    Enable DHCPv6 and put in a range of addresses inside the range for the LAN IPv6 subnet (e.g. 2001:2060:4f:d:FFFF:0000 - 2001:2060:4f:d:FFFF:FFFF)
    Enable router advertisements in whatever mode you want. If you use Assisted it will do both DHCPv6 and allow clients to use SLAAC



  • @jimp:

    No different than IPv4.

    Pick an address in one of those blocks, set it as the LAN IPv6 address, no need for a gateway (e.g. 2001:2060:4f:d::1/64).
    Enable DHCPv6 and put in a range of addresses inside the range for the LAN IPv6 subnet (e.g. 2001:2060:4f:d:FFFF:0000 - 2001:2060:4f:d:FFFF:FFFF)
    Enable router advertisements in whatever mode you want. If you use Assisted it will do both DHCPv6 and allow clients to use SLAAC

    Okey, they now get IPv6 addresses. IPv6 traffic from LAN does not get out however.

    Routes:
    [Check attachment named IPV6_routes.JPG, it's from pfSense.]

    Routes & Ping6 to google from linux host:
    [Check attachment named: ipv6_not_working_linux.JPG]





  • Rebel Alliance Developer Netgate

    Do you have rules to pass out IPv6 from the local interface(s)? Can the local devices ping their gateway? What about the gateway one hop up from pfSense? (the pfSense WAN gateway)



  • @jimp:

    Do you have rules to pass out IPv6 from the local interface(s)? Can the local devices ping their gateway? What about the gateway one hop up from pfSense? (the pfSense WAN gateway)

    I think that I have the rules to pass out the IPv6.
    [Attachment named, Firewall_rules.JPG]

    Local devices cannot ping their gateway nor the WAN gateway.
    [Attachment named, cannot_ping_new.JPG]
    I corrected it.

    Are these correct?
    [Attachment named, Interfaces.JPG]








  • In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.



  • @David_W:

    In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.

    Yeah, I have. I was tired when making that probably, but the problem still is there.


  • Rebel Alliance Developer Netgate

    The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?



  • @jimp:

    The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?

    Which screenshot?

    The LAN IP address on pfSense does not end in ::1, but rather ::3 which is the thing I'm trying to ping.
    IPv6 gateway ends in ::1 which is unreacheable from the local devices.

    The ping does work to pfSense.
    [Check attachment called, Ping_to_pfsense_works.JPG]

    Traceroute6 to google.fi fails.
    [Attachment named, traceroute6_fails.JPG]






  • Way back at the beginning you said…

    Allocated blocks:
    2001:2060:4f:c::1/64 (In use.)

    2001:2060:4f:d::1/64
    2001:2060:4f:e::1/64
    (These two for pfSense.)

    You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.

    Without that, its never going to work.

    –A.



  • @awebster:

    Way back at the beginning you said…

    Allocated blocks:
    2001:2060:4f:c::1/64 (In use.)

    2001:2060:4f:d::1/64
    2001:2060:4f:e::1/64
    (These two for pfSense.)

    You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.

    Without that, its never going to work.

    –A.

    I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?



  • We could use 3 more GUI screenshots from you, to confirm the total situation:

    • Interfaces: WAN
    • Interfaces: LAN
    • Status: Interfaces


  • @samip537:

    I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

    Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?

    If I traceroute this from outside, it stops at 2001:2060:4f::2
    So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.



  • @hda:

    We could use 3 more GUI screenshots from you, to confirm the total situation:

    • Interfaces: WAN
    • Interfaces: LAN
    • Status: Interfaces

    Here are the screenshots requested in the attachments. You should be able to identify each file by file name.

    P.S IPv4 related WAN properties and information has been censored for privacy and server security purposes.

    @awebster:

    @samip537:

    I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?

    Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?

    If I traceroute this from outside, it stops at 2001:2060:4f::2
    So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.

    What do you mean by "but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64"? I don't understand your point here.

    The one at  2001:2060:4f::2 is not over my control as you can see from the reverse. (turku-ipv6-gw.woima.eu (2001:2060:4f::2))










  • Talk to your provider, the routing is messed up…

    traceroute6 -n 2001:2060:4f:d::1


    7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
    8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
    9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms

    Looks good.

    traceroute6 -n 2001:2060:4f:d::2


    7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
    8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
    9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
    10  * * *
    11  * * *

    Looks good, especially if you aren't allowing inbound traceroute requests.  If you see a bunch from …::55, it's me.
    And

    ping6 2001:2060:4f:d::2

    PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
    64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
    64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 ms

    Seems to confirm that it is working.

    traceroute6 -n 2001:2060:4f:e::1


    7  2001:2000:6028:2003::1  154.028 ms  143.610 ms *
    8  2001:2000:6028:2003::2  149.536 ms  154.901 ms  154.917 ms
    9  2001:2060:4f:e::1  150.610 ms  155.257 ms  141.915 ms

    ping6 2001:2060:4f:e::1

    PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
    64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
    64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 ms

    But wait!  You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!

    traceroute6 -n 2001:2060:4f:e::3


    7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
    8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
    9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
    10  2001:2060:4f::2  2180.388 ms !H * *

    ping6 2001:2060:4f:e::3

    PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
    From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachable

    Also not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!



  • @awebster:

    Talk to your provider, the routing is messed up…

    traceroute6 -n 2001:2060:4f:d::1


    7  2001:2000:6028:2003::1  155.319 ms  145.846 ms  144.258 ms
    8  2001:2000:6028:2003::2  148.698 ms  142.799 ms  149.023 ms
    9  2001:2060:4f:d::1  142.449 ms  148.295 ms  150.436 ms

    Looks good.

    traceroute6 -n 2001:2060:4f:d::2


    7  2001:2000:6028:2003::1  167.166 ms  142.889 ms  146.229 ms
    8  2001:2000:6028:2003::2  144.331 ms  144.679 ms  144.495 ms
    9  2001:2060:4f::2  153.608 ms  148.259 ms  143.434 ms
    10  * * *
    11  * * *

    Looks good, especially if you aren't allowing inbound traceroute requests.  If you see a bunch from …::55, it's me.
    And

    ping6 2001:2060:4f:d::2

    PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
    64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
    64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 ms

    Seems to confirm that it is working.

    traceroute6 -n 2001:2060:4f:e::1


    7  2001:2000:6028:2003::1  154.028 ms  143.610 ms *
    8  2001:2000:6028:2003::2  149.536 ms  154.901 ms  154.917 ms
    9  2001:2060:4f:e::1  150.610 ms  155.257 ms  141.915 ms

    ping6 2001:2060:4f:e::1

    PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
    64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
    64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 ms

    But wait!  You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!

    traceroute6 -n 2001:2060:4f:e::3


    7  2001:2000:6028:2003::1  163.236 ms  142.555 ms  152.851 ms
    8  2001:2000:6028:2003::2  153.137 ms  153.784 ms  153.791 ms
    9  2001:2060:4f::2  154.282 ms  149.070 ms  148.692 ms
    10  2001:2060:4f::2  2180.388 ms !H * *

    ping6 2001:2060:4f:e::3

    PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
    From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachable

    Also not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!

    2001:2060:4f:e::1 => Provider's GW. (Working on getting it fixed so it's the pfSense LAN address.)
    2001:2060:4f:e::3 => That's the pfSense's LAN interface, pings are not allowed that are originating from WAN interface.

    Please use ICMP or TCP, but not UDP when trying to traceroute, might work better.

    I have talked to my provider today, they will work on it.



  • You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
    [The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]

    Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
    Look in System: (routing) Gateways for your correct route.

    For Static on hosts use RA + Router Only
    For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
    For SLAAC from hosts use RA + Unmanaged

    [N.B. subnets are important to differentiate, so :d::/64 is for your WAN and :e::/64 is for your LAN.]



  • @hda:

    You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
    [The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]

    Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
    Look in System: (routing) Gateways for your correct route.

    For Static on hosts use RA + Router Only
    For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
    For SLAAC from hosts use RA + Unmanaged

    Everything works now. Ports are reacheable though IPv6.

    Final routes can be found from the attachments.

    You may do an traceroute6 to mail.sami-mantysaari.com to check. :)





Log in to reply