4. Native ipv6 and ISP modem bridge issues

Native ipv6 and ISP modem bridge issues

  • I

    Hi All,

    I've ran for over 1 year an IPV6 tunnel on my pfsense without any issue. Finally my ISP has managed to release the native ipv6 for their customers and I've tried to configure it on my appliance.

    1. I've completely removed the ipv6 tunnel configuration
    2. rebooted the pfsense
    3. configured the WAN interface with DHCP6 as follow:
          - DHCPv6 Prefix Delegation size: 64
          - Send an IPv6 prefix hint to indicate the desired prefix size for delegation: TICKED
          - Block bogon networks: UNTICKED
    4. configured my LAN with Track Interface
    5. rebooted the pfsense

    The modem provided by the ISP is a cable modem, put in bridge mode, the ISP only provided a /64 subnet
    I successfully get an ipv6 address on WAN and LAN, but I can't ping anything on internet, here the details:

    WAN:
    Status up
    DHCP
    up    Release
    MAC address XX:XX:XX:XX:XX:XX
    IPv4 address xxx.xxx.xxx.xxx
    Subnet mask IPv4 xxx.xxx.xxx.xxx
    Gateway IPv4 xxx.xxx.xxx.xxx
    IPv6 Link Local fe80::208:a2ff:fe09:3553
    IPv6 address 2804:14d:ca80:0:4836:f225:e222:1145
    Subnet mask IPv6 128
    Gateway IPv6 fe80::230:b8ff:fecf:4410
    MTU 1500
    Media 1000baseT <full-duplex>LAN
    Status up
    MAC address xx:xx:xx:xx:xx:xx
    IPv4 address 192.168.2.1
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::1:1
    IPv6 address 2804:14d:ca80:12af:208:a2ff:fe09:354e
    Subnet mask IPv6 64
    MTU 1500
    Media 1000baseT <full-duplex>Can't really figure out what's wrong with that…do I missing something in the configuration?
    The firewall allow ipv6 traffic from the LAN network
    Note that if I plug my PC directly into the ISP modem, I'm able to ping/browse any ipv6 site.

    Thanks in advance :-)</full-duplex></full-duplex>

    0

  • 2 Questions:

    1. Where are you pinging from to test?
    Try Diagnostics -> Ping
    Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
    Protocol: IPv6
    Select LAN interface

    2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

    0
  • I

    @awebster:

    2 Questions:

    1. Where are you pinging from to test?
    Try Diagnostics -> Ping
    Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
    Protocol: IPv6
    Select LAN interface

    2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

    Thanks for your answer awebster, here the tests you've asked for:

    Source LAN:
    PING6(56=40+8+8 bytes) 2804:14d:ca80:12af:208:a2ff:fe09:354e –> 2001:4860:4860::8888

    --- 2001:4860:4860::8888 ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    Test's machine network configuration:

    eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX 
              inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: 2804:14d:ca80:12b0:12bf:48ff:fe8a:2b07/64 Scope:Global
              inet6 addr: 2804:14d:ca80:12af:12bf:48ff:fe8a:2b07/64 Scope:Global
              inet6 addr: 2804:14d:ca80:12af::2000/128 Scope:Global
              inet6 addr: fe80::12bf:48ff:fe8a:2b07/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:64765793 errors:0 dropped:321 overruns:0 frame:6
              TX packets:56610801 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:84293835593 (78.5 GiB)  TX bytes:51728229846 (48.1 GiB)
              Interrupt:17

    0

  • So since ping from LAN side isn't working, check these things:

    • Repeat ping test from WAN interface, I'm guessing it works.

    • IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

    • You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

    If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
    When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of modem.

    0
  • I

    @awebster:

    So since ping from LAN side isn't working, check these things:

    • Repeat ping test from WAN interface, I'm guessing it works.

    • IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

    • You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

    If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
    When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of modem.

    Same results pinging from WAN:

    PING6(56=40+8+8 bytes) 2804:14d:ca80:0:4836:f225:e222:1145 –> 2001:4860:4860::8888

    --- 2001:4860:4860::8888 ping6 statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    Point 2 and 3 YES and YES.

    Your assumption about the subnet on the modem makes sense. I thought that a modem in bridge mode was enough :-/
    Anything I could try to replicate manually on pfsense or do you think is worthless at this point and I should back to use the tunnel (which is a shame since I've finally got a native ipv6 support:-)) ?

    0

  • Strange that the ping didn't work from the WAN side,
    What sort of Internet connection do you have, is it PPPoE, or Cable?

    0
  • I

    Cable one, and this was the saddest point :-) I could try different ways to distribute the addresses to the LAN, but even the WAN doesn't work, looks like it just gets the IP address, but no routes were being set :-/

    0

  • @infinityz:

    … Finally my ISP has managed to release the native ipv6 for their customers ...

    I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

    0
  • I

    @awebster:

    @infinityz:

    … Finally my ISP has managed to release the native ipv6 for their customers ...

    I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

    Will do :-) many thanks for your help here, much appreciated

    0
  • I

    I don't know how this would be right or even makes sense! But I've got it working once added this rule on the WAN interface firewall:

    IPV6 TCP  *  *  *  *  *

    IPV6 working like a charm now on all my clients

    0

  • You DO realise that that rule allows the WHOLE IPv6 Internet INSIDE your network, right ?!

    0
  • I

    Yes, but the point is why do I ever need this rule in first place, in order to get the ipv6 connectivity to work :-/

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy