Netgate Discussion Forum

    Native ipv6 and ISP modem bridge issues

    • infinityz

      Hi All,

      I've run an IPv6 tunnel on my pfSense for over 1 year without any issue. Finally my ISP has managed to release native IPv6 for their customers and I've tried to configure it on my appliance.

      1. I've completely removed the ipv6 tunnel configuration
      2. rebooted the pfsense
      3. configured the WAN interface with DHCP6 as follows:
            - DHCPv6 Prefix Delegation size: 64
            - Send an IPv6 prefix hint to indicate the desired prefix size for delegation: TICKED
            - Block bogon networks: UNTICKED
      4. configured my LAN with Track Interface
      5. rebooted the pfsense

      The modem provided by the ISP is a cable modem, put in bridge mode; the ISP only provided a /64 subnet.
      I successfully get an IPv6 address on WAN and LAN, but I can't ping anything on the internet. Here are the details:

      WAN:
      Status up
      DHCP up
      MAC address XX:XX:XX:XX:XX:XX
      IPv4 address xxx.xxx.xxx.xxx
      Subnet mask IPv4 xxx.xxx.xxx.xxx
      Gateway IPv4 xxx.xxx.xxx.xxx
      IPv6 Link Local fe80::208:a2ff:fe09:3553
      IPv6 address 2804:14d:ca80:0:4836:f225:e222:1145
      Subnet mask IPv6 128
      Gateway IPv6 fe80::230:b8ff:fecf:4410
      MTU 1500
      Media 1000baseT <full-duplex>

      LAN:
      Status up
      MAC address xx:xx:xx:xx:xx:xx
      IPv4 address 192.168.2.1
      Subnet mask IPv4 255.255.255.0
      IPv6 Link Local fe80::1:1
      IPv6 address 2804:14d:ca80:12af:208:a2ff:fe09:354e
      Subnet mask IPv6 64
      MTU 1500
      Media 1000baseT <full-duplex>

      Can't really figure out what's wrong with that… am I missing something in the configuration?
      The firewall allows IPv6 traffic from the LAN network.
      Note that if I plug my PC directly into the ISP modem, I'm able to ping/browse any IPv6 site.

      Thanks in advance :-)

      • awebster

        2 Questions:

        1. Where are you pinging from to test?
        Try Diagnostics -> Ping
        Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
        Protocol: IPv6
        Select LAN interface

        2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

        –A.

        • infinityz

          @awebster:

          2 Questions:

          1. Where are you pinging from to test?
          Try Diagnostics -> Ping
          Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
          Protocol: IPv6
          Select LAN interface

          2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

          Thanks for your answer awebster, here are the tests you asked for:

          Source LAN:
          PING6(56=40+8+8 bytes) 2804:14d:ca80:12af:208:a2ff:fe09:354e --> 2001:4860:4860::8888

          --- 2001:4860:4860::8888 ping6 statistics ---
          3 packets transmitted, 0 packets received, 100.0% packet loss

          Test machine's network configuration:

          eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX 
                    inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
                    inet6 addr: 2804:14d:ca80:12b0:12bf:48ff:fe8a:2b07/64 Scope:Global
                    inet6 addr: 2804:14d:ca80:12af:12bf:48ff:fe8a:2b07/64 Scope:Global
                    inet6 addr: 2804:14d:ca80:12af::2000/128 Scope:Global
                    inet6 addr: fe80::12bf:48ff:fe8a:2b07/64 Scope:Link
                    UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
                    RX packets:64765793 errors:0 dropped:321 overruns:0 frame:6
                    TX packets:56610801 errors:0 dropped:0 overruns:0 carrier:0
                    collisions:0 txqueuelen:1000
                    RX bytes:84293835593 (78.5 GiB)  TX bytes:51728229846 (48.1 GiB)
                    Interrupt:17

          • awebster

            So since ping from LAN side isn't working, check these things:

            • Repeat ping test from WAN interface, I'm guessing it works.

            • IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

            • You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

            If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
            When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of the modem.

            –A.

            • infinityz

              @awebster:

              So since ping from LAN side isn't working, check these things:

              • Repeat ping test from WAN interface, I'm guessing it works.

              • IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

              • You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

              If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
              When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of the modem.

              Same results pinging from WAN:

              PING6(56=40+8+8 bytes) 2804:14d:ca80:0:4836:f225:e222:1145 --> 2001:4860:4860::8888

              --- 2001:4860:4860::8888 ping6 statistics ---
              3 packets transmitted, 0 packets received, 100.0% packet loss

              Point 2 and 3 YES and YES.

              Your assumption about the subnet on the modem makes sense. I thought that a modem in bridge mode was enough :-/
              Is there anything I could try to replicate manually on pfSense, or do you think it is worthless at this point and I should go back to using the tunnel (which is a shame since I've finally got native IPv6 support :-))?

              • awebster

                Strange that the ping didn't work from the WAN side.
                What sort of Internet connection do you have, is it PPPoE or Cable?

                –A.

                • infinityz

                  Cable one, and this was the saddest point :-) I could try different ways to distribute the addresses to the LAN, but even the WAN doesn't work, looks like it just gets the IP address, but no routes were being set :-/

                  • awebster

                    @infinityz:

                    … Finally my ISP has managed to release the native ipv6 for their customers ...

                    I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

                    –A.

                    • infinityz

                      @awebster:

                      @infinityz:

                      … Finally my ISP has managed to release the native ipv6 for their customers ...

                      I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

                      Will do :-) many thanks for your help here, much appreciated

                      • infinityz

                        I don't know how this would be right or even make sense! But I got it working once I added this rule on the WAN interface firewall:

                        IPV6 TCP  *  *  *  *  *

                        IPV6 working like a charm now on all my clients

                        • awebster

                          You DO realise that that rule allows the WHOLE IPv6 Internet INSIDE your network, right ?!

                          –A.
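
An added example, not from the thread or from pfSense itself: a small audit that flags the kind of rule awebster is warning about, a WAN-side pass rule that admits unsolicited IPv6 TCP/UDP from any source to any destination and port. The rules are constructed lines in pf.conf syntax, and the interface names em0 (WAN) and em1 (LAN) are assumptions.

```python
import re

# Constructed sample ruleset in pf.conf syntax (not taken from the thread).
# Assumption: em0 is the WAN interface, em1 is the LAN interface.
SAMPLE_RULES = """\
block in log inet6 all
pass in quick on em0 inet6 proto tcp from any to any flags S/SA keep state
pass in quick on em0 inet6 proto ipv6-icmp from any to any icmp6-type echoreq keep state
pass in quick on em0 inet6 proto tcp from any to 2001:db8:12af::10 port 443 flags S/SA keep state
pass in quick on em1 inet6 from 2001:db8:12af::/64 to any keep state
pass in quick on em0 inet6 proto udp from fe80::/10 port 547 to fe80::/10 port 546 keep state
"""

# Matches inbound IPv6 pass rules and captures interface, protocol, endpoints.
RULE_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(?P<iface>\S+)\s+inet6"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?"
)


def find_open_wan_rules(ruleset, wan_iface):
    """Return (line number, protocol, rule) for each inbound IPv6 pass rule
    on wan_iface that allows any source to reach any destination and port."""
    findings = []
    for lineno, raw in enumerate(ruleset.splitlines(), 1):
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m or m["iface"] != wan_iface:
            continue
        # No "proto" means every protocol; ICMPv6 rules are limited by type
        # rather than port, so they are left out of this check.
        exposed = (
            m["proto"] in (None, "tcp", "udp")
            and m["src"] == "any"
            and m["dst"] == "any"
            and m["dport"] is None
        )
        if exposed:
            findings.append((lineno, m["proto"] or "all", line))
    return findings


if __name__ == "__main__":
    for lineno, proto, rule in find_open_wan_rules(SAMPLE_RULES, "em0"):
        print(f"line {lineno}: inbound IPv6 {proto} open to any host/port: {rule}")
```

Only the second sample line is reported; the rule scoped to one host and port 443, the link-local DHCPv6 rule and the LAN rule are not.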

                          • infinityz

                            Yes, but the point is why do I ever need this rule in the first place, in order to get the IPv6 connectivity to work :-/
