Native ipv6 and ISP modem bridge issues

infinityz

Hi All,

I've ran for over 1 year an IPV6 tunnel on my pfsense without any issue. Finally my ISP has managed to release the native ipv6 for their customers and I've tried to configure it on my appliance.

1. I've completely removed the ipv6 tunnel configuration
2. rebooted the pfsense
3. configured the WAN interface with DHCP6 as follow:
       - DHCPv6 Prefix Delegation size: 64
       - Send an IPv6 prefix hint to indicate the desired prefix size for delegation: TICKED
       - Block bogon networks: UNTICKED
4. configured my LAN with Track Interface
5. rebooted the pfsense

The modem provided by the ISP is a cable modem, put in bridge mode, the ISP only provided a /64 subnet
I successfully get an ipv6 address on WAN and LAN, but I can't ping anything on internet, here the details:

WAN:
Status up
DHCP
up    Release
MAC address XX:XX:XX:XX:XX:XX
IPv4 address xxx.xxx.xxx.xxx
Subnet mask IPv4 xxx.xxx.xxx.xxx
Gateway IPv4 xxx.xxx.xxx.xxx
IPv6 Link Local fe80::208:a2ff:fe09:3553
IPv6 address 2804:14d:ca80:0:4836:f225:e222:1145
Subnet mask IPv6 128
Gateway IPv6 fe80::230:b8ff:fecf:4410
MTU 1500
Media 1000baseT <full-duplex>LAN
Status up
MAC address xx:xx:xx:xx:xx:xx
IPv4 address 192.168.2.1
Subnet mask IPv4 255.255.255.0
IPv6 Link Local fe80::1:1
IPv6 address 2804:14d:ca80:12af:208:a2ff:fe09:354e
Subnet mask IPv6 64
MTU 1500
Media 1000baseT <full-duplex>Can't really figure out what's wrong with that…do I missing something in the configuration?
The firewall allow ipv6 traffic from the LAN network
Note that if I plug my PC directly into the ISP modem, I'm able to ping/browse any ipv6 site.

Thanks in advance :-)</full-duplex></full-duplex>

awebster

2 Questions:

1. Where are you pinging from to test?
Try Diagnostics -> Ping
Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
Protocol: IPv6
Select LAN interface

2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

infinityz

@awebster:

2 Questions:

1. Where are you pinging from to test?
Try Diagnostics -> Ping
Host: 2001:4860:4860::8888  [Google IPv6 of 8.8.8.8]
Protocol: IPv6
Select LAN interface

2. Is your machine on the LAN side getting an IPv6 in the same subnet as your LAN interface, and does it have the correct default gateway?  Since pfSense is broadcasting router advertisements, you'll probably see fe80::1:1 as the default gateway.

Thanks for your answer awebster, here the tests you've asked for:

Source LAN:
PING6(56=40+8+8 bytes) 2804:14d:ca80:12af:208:a2ff:fe09:354e –> 2001:4860:4860::8888

--- 2001:4860:4860::8888 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Test's machine network configuration:

eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX 
          inet addr:192.168.2.5  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: 2804:14d:ca80:12b0:12bf:48ff:fe8a:2b07/64 Scope:Global
          inet6 addr: 2804:14d:ca80:12af:12bf:48ff:fe8a:2b07/64 Scope:Global
          inet6 addr: 2804:14d:ca80:12af::2000/128 Scope:Global
          inet6 addr: fe80::12bf:48ff:fe8a:2b07/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64765793 errors:0 dropped:321 overruns:0 frame:6
          TX packets:56610801 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:84293835593 (78.5 GiB)  TX bytes:51728229846 (48.1 GiB)
          Interrupt:17

awebster

So since ping from LAN side isn't working, check these things:

• Repeat ping test from WAN interface, I'm guessing it works.

• IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

• You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of modem.

infinityz

@awebster:

So since ping from LAN side isn't working, check these things:

• Repeat ping test from WAN interface, I'm guessing it works.

• IPv6 is enabled on pfSense System -> Advanced -> Networking tab: Allow IPv6 box is checked.

• You have a LAN firewall rule Proto: IPv6, Source: LAN net, Port *, Destination: *, Port *.

If both the above are good, I suspect that your ISP's modem or something upstream isn't creating a route for the delegated prefix on their side.
When you plug directly into the ISP modem you are not using a delegated prefix, you are using the subnet of modem.

Same results pinging from WAN:

PING6(56=40+8+8 bytes) 2804:14d:ca80:0:4836:f225:e222:1145 –> 2001:4860:4860::8888

--- 2001:4860:4860::8888 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Point 2 and 3 YES and YES.

Your assumption about the subnet on the modem makes sense. I thought that a modem in bridge mode was enough :-/
Anything I could try to replicate manually on pfsense or do you think is worthless at this point and I should back to use the tunnel (which is a shame since I've finally got a native ipv6 support:-)) ?

awebster

Strange that the ping didn't work from the WAN side,
What sort of Internet connection do you have, is it PPPoE, or Cable?

infinityz

Cable one, and this was the saddest point :-) I could try different ways to distribute the addresses to the LAN, but even the WAN doesn't work, looks like it just gets the IP address, but no routes were being set :-/

awebster

@infinityz:

… Finally my ISP has managed to release the native ipv6 for their customers ...

I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

infinityz

@awebster:

@infinityz:

… Finally my ISP has managed to release the native ipv6 for their customers ...

I guess they need to un-release native IPv6 until they can get it working properly.  As many others have stated on this forum, just stick with the HE.NET (or equivalent) free tunnel.  I predict that it is still going to take years before IPv6 is working well for everyone.

Will do :-) many thanks for your help here, much appreciated

infinityz

I don't know how this would be right or even makes sense! But I've got it working once added this rule on the WAN interface firewall:

IPV6 TCP  *  *  *  *  *

IPV6 working like a charm now on all my clients

awebster

You DO realise that that rule allows the WHOLE IPv6 Internet INSIDE your network, right ?!

infinityz

Yes, but the point is why do I ever need this rule in first place, in order to get the ipv6 connectivity to work :-/