[SOLVED] Setting up native IPv6 connectivity
-
Allocated blocks:
2001:2060:4f:c::1/64 (In use.)2001:2060:4f:d::1/64
2001:2060:4f:e::1/64
(These two for pfSense.)The question is how should I add these?
WAN => Works.
PING6(56=40+8+8 bytes) 2001:2060:4f:d::2 --> 2a00:1450:400f:805::2003 16 bytes from 2a00:1450:400f:805::2003, icmp_seq=0 hlim=54 time=13.780 ms 16 bytes from 2a00:1450:400f:805::2003, icmp_seq=1 hlim=54 time=13.306 ms 16 bytes from 2a00:1450:400f:805::2003, icmp_seq=2 hlim=54 time=13.496 ms --- google.fi ping6 statistics --- 3 packets transmitted, 3 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 13.306/13.527/13.780/0.195 ms
How do I need to add the LAN IPv6 address? With gateway or without? How do I configure the DHCPv6 server and Router Advertisement?
Sorry, but I'm pretty noob with IPv6.
-
No different than IPv4.
Pick an address in one of those blocks, set it as the LAN IPv6 address, no need for a gateway (e.g. 2001:2060:4f:d::1/64).
Enable DHCPv6 and put in a range of addresses inside the range for the LAN IPv6 subnet (e.g. 2001:2060:4f:d:FFFF:0000 - 2001:2060:4f:d:FFFF:FFFF)
Enable router advertisements in whatever mode you want. If you use Assisted it will do both DHCPv6 and allow clients to use SLAAC -
No different than IPv4.
Pick an address in one of those blocks, set it as the LAN IPv6 address, no need for a gateway (e.g. 2001:2060:4f:d::1/64).
Enable DHCPv6 and put in a range of addresses inside the range for the LAN IPv6 subnet (e.g. 2001:2060:4f:d:FFFF:0000 - 2001:2060:4f:d:FFFF:FFFF)
Enable router advertisements in whatever mode you want. If you use Assisted it will do both DHCPv6 and allow clients to use SLAACOkey, they now get IPv6 addresses. IPv6 traffic from LAN does not get out however.
Routes:
[Check attachment named IPV6_routes.JPG, it's from pfSense.]Routes & Ping6 to google from linux host:
[Check attachment named: ipv6_not_working_linux.JPG]
-
Do you have rules to pass out IPv6 from the local interface(s)? Can the local devices ping their gateway? What about the gateway one hop up from pfSense? (the pfSense WAN gateway)
-
Do you have rules to pass out IPv6 from the local interface(s)? Can the local devices ping their gateway? What about the gateway one hop up from pfSense? (the pfSense WAN gateway)
I think that I have the rules to pass out the IPv6.
[Attachment named, Firewall_rules.JPG]Local devices cannot ping their gateway nor the WAN gateway.
[Attachment named, cannot_ping_new.JPG]
I corrected it.Are these correct?
[Attachment named, Interfaces.JPG]
-
In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.
-
In cannot_ping.jpg you appear to be mistakenly using ping, not ping6.
Yeah, I have. I was tired when making that probably, but the problem still is there.
-
The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?
-
The screenshot shows the LAN IP address ending in ::1 but the ping test was going to ::3, which is correct?
Which screenshot?
The LAN IP address on pfSense does not end in ::1, but rather ::3 which is the thing I'm trying to ping.
IPv6 gateway ends in ::1 which is unreacheable from the local devices.The ping does work to pfSense.
[Check attachment called, Ping_to_pfsense_works.JPG]Traceroute6 to google.fi fails.
[Attachment named, traceroute6_fails.JPG]
-
Way back at the beginning you said…
Allocated blocks:
2001:2060:4f:c::1/64 (In use.)2001:2060:4f:d::1/64
2001:2060:4f:e::1/64
(These two for pfSense.)You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.
Without that, its never going to work.
–A.
-
Way back at the beginning you said…
Allocated blocks:
2001:2060:4f:c::1/64 (In use.)2001:2060:4f:d::1/64
2001:2060:4f:e::1/64
(These two for pfSense.)You haven't mentioned anything about the 2001:2060:4f:c::/64 block, but from the discussions, it looks like whatever is routing traffic to 2001:2060:4f:d::/64 isn't routing 2001:2060:4f:e::/64 to 2001:2060:4f:d::1.
Without that, its never going to work.
–A.
I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?
-
We could use 3 more GUI screenshots from you, to confirm the total situation:
- Interfaces: WAN
- Interfaces: LAN
- Status: Interfaces
-
I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?
Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?
If I traceroute this from outside, it stops at 2001:2060:4f::2
So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further. -
@hda:
We could use 3 more GUI screenshots from you, to confirm the total situation:
- Interfaces: WAN
- Interfaces: LAN
- Status: Interfaces
Here are the screenshots requested in the attachments. You should be able to identify each file by file name.
P.S IPv4 related WAN properties and information has been censored for privacy and server security purposes.
I haven't mentioned about the 2001:2060:4f:c::/64 block as it's irrelevant for this discussion. It has absolutely nothing to do with pfSense configuration. I don't even know why I mentioned it in the first place. So the problem basically is on the ISP/Provider side or what should I do? Add a route in pfSense from 2001:2060:4f:d::/64 to 2001:2060:4f:e::/64?
Ok, but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64 ?
If I traceroute this from outside, it stops at 2001:2060:4f::2
So somehow there is filtering or a routing missing at 2001:2060:4f::2 to get it any further.What do you mean by "but how does the traffic get from the Internet to 2001:2060:4f:d::/64 and 2001:2060:4f:e::/64"? I don't understand your point here.
The one at 2001:2060:4f::2 is not over my control as you can see from the reverse. (turku-ipv6-gw.woima.eu (2001:2060:4f::2))
-
Talk to your provider, the routing is messed up…
traceroute6 -n 2001:2060:4f:d::1
…
7 2001:2000:6028:2003::1 155.319 ms 145.846 ms 144.258 ms
8 2001:2000:6028:2003::2 148.698 ms 142.799 ms 149.023 ms
9 2001:2060:4f:d::1 142.449 ms 148.295 ms 150.436 msLooks good.
traceroute6 -n 2001:2060:4f:d::2
…
7 2001:2000:6028:2003::1 167.166 ms 142.889 ms 146.229 ms
8 2001:2000:6028:2003::2 144.331 ms 144.679 ms 144.495 ms
9 2001:2060:4f::2 153.608 ms 148.259 ms 143.434 ms
10Â * * *
11 * * *Looks good, especially if you aren't allowing inbound traceroute requests. If you see a bunch from …::55, it's me.
Andping6 2001:2060:4f:d::2
PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 msSeems to confirm that it is working.
traceroute6 -n 2001:2060:4f:e::1
…
7 2001:2000:6028:2003::1 154.028 ms 143.610 ms *
8 2001:2000:6028:2003::2 149.536 ms 154.901 ms 154.917 ms
9 2001:2060:4f:e::1 150.610 ms 155.257 ms 141.915 msping6 2001:2060:4f:e::1
PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 msBut wait! You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!
traceroute6 -n 2001:2060:4f:e::3
…
7 2001:2000:6028:2003::1 163.236 ms 142.555 ms 152.851 ms
8 2001:2000:6028:2003::2 153.137 ms 153.784 ms 153.791 ms
9 2001:2060:4f::2 154.282 ms 149.070 ms 148.692 ms
10Â 2001:2060:4f::2Â 2180.388 ms !H * *ping6 2001:2060:4f:e::3
PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachableAlso not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!
-
Talk to your provider, the routing is messed up…
traceroute6 -n 2001:2060:4f:d::1
…
7 2001:2000:6028:2003::1 155.319 ms 145.846 ms 144.258 ms
8 2001:2000:6028:2003::2 148.698 ms 142.799 ms 149.023 ms
9 2001:2060:4f:d::1 142.449 ms 148.295 ms 150.436 msLooks good.
traceroute6 -n 2001:2060:4f:d::2
…
7 2001:2000:6028:2003::1 167.166 ms 142.889 ms 146.229 ms
8 2001:2000:6028:2003::2 144.331 ms 144.679 ms 144.495 ms
9 2001:2060:4f::2 153.608 ms 148.259 ms 143.434 ms
10Â * * *
11 * * *Looks good, especially if you aren't allowing inbound traceroute requests. If you see a bunch from …::55, it's me.
Andping6 2001:2060:4f:d::2
PING 2001:2060:4f:d::2(2001:2060:4f:d::2) 56 data bytes
64 bytes from 2001:2060:4f:d::2: icmp_seq=1 ttl=50 time=151 ms
64 bytes from 2001:2060:4f:d::2: icmp_seq=2 ttl=50 time=143 msSeems to confirm that it is working.
traceroute6 -n 2001:2060:4f:e::1
…
7 2001:2000:6028:2003::1 154.028 ms 143.610 ms *
8 2001:2000:6028:2003::2 149.536 ms 154.901 ms 154.917 ms
9 2001:2060:4f:e::1 150.610 ms 155.257 ms 141.915 msping6 2001:2060:4f:e::1
PING 2001:2060:4f:e::1(2001:2060:4f:e::1) 56 data bytes
64 bytes from 2001:2060:4f:e::1: icmp_seq=1 ttl=51 time=166 ms
64 bytes from 2001:2060:4f:e::1: icmp_seq=2 ttl=51 time=138 msBut wait! You said your device is on 2001:2060:4f:e::3, so who is answering ::1 address ?!
traceroute6 -n 2001:2060:4f:e::3
…
7 2001:2000:6028:2003::1 163.236 ms 142.555 ms 152.851 ms
8 2001:2000:6028:2003::2 153.137 ms 153.784 ms 153.791 ms
9 2001:2060:4f::2 154.282 ms 149.070 ms 148.692 ms
10Â 2001:2060:4f::2Â 2180.388 ms !H * *ping6 2001:2060:4f:e::3
PING 2001:2060:4f:e::3(2001:2060:4f:e::3) 56 data bytes
From 2001:2060:4f::2 icmp_seq=1 Destination unreachable: Address unreachableAlso not correct, …e::1 works (but maybe it shouldn't be), and ...e::3 goes somewhere completely different?!
2001:2060:4f:e::1 => Provider's GW. (Working on getting it fixed so it's the pfSense LAN address.)
2001:2060:4f:e::3 => That's the pfSense's LAN interface, pings are not allowed that are originating from WAN interface.Please use ICMP or TCP, but not UDP when trying to traceroute, might work better.
I have talked to my provider today, they will work on it.
-
You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
[The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
Look in System: (routing) Gateways for your correct route.For Static on hosts use RA + Router Only
For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
For SLAAC from hosts use RA + Unmanaged[N.B. subnets are important to differentiate, so :d::/64 is for your WAN and :e::/64 is for your LAN.]
-
@hda:
You should be able to make LAN as 2001:2060:f4:e::1/64, all the 2001:2060:f4:e: numbers should be yours.
[The last 64 bits are required reserved for any host on the LAN, SLAAC or DHCPv6 or Static.]Your gateway for the LAN is obviously 2001:2060:f4:d::1/64
Look in System: (routing) Gateways for your correct route.For Static on hosts use RA + Router Only
For DHCP6-Server (range in last 64 bits) use RA + Managed (be sure to NOT check bogon networks on Interfaces:LAN)
For SLAAC from hosts use RA + UnmanagedEverything works now. Ports are reacheable though IPv6.
Final routes can be found from the attachments.
You may do an traceroute6 to mail.sami-mantysaari.com to check. :)