Help with IPv6 Firewall rules on pfSense + Cox Cable



  • Greetings!

    I am trying to get IPv6 set up.

    I am getting a v6 address via DHCP from my provider (Cox Cable).

    From the pfSense firewall, I can ping a v6 address on the Internet and get a response (tried google.com / 2607:f8b0:4004:807::1008).

    I can also ssh to a v6 address on the Internet from the pfSense firewall.

    I am assigning v6 addresses to clients on my LAN.

    I can ping and ssh from a client on my LAN to the LAN interface of the pfSense firewall.

    However, when I try to connect from a client on my LAN to a v6 address on the Internet, we run into problems.

    When I run tcpdump on the target host on the Internet, I see, for example, the ICMP echo coming in from the LAN Client IP, and I see the ICMP replies going back. So the packet is getting from the Client on the LAN to the host on the Internet. However, the pfSense firewall isn't allowing the packets coming back to the Client on the LAN.

    WAN and LAN firewall rules attached.

    What am I forgetting?

    Thanks so much!

    Edit:

    I ran some packet captures on the pfSense Firewall (WAN and LAN interfaces), as well as on the LAN client. We see the ICMP echo go out and the ICMP reply come back on the WAN interface. That ICMP reply doesn't show up on the pfSense Firewall LAN interface, however; and consequently, it doesn't make it back to the client.

    Packet capture from LAN Client:
    17:41:51.365142 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 0, length 16
    17:41:52.367876 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 1, length 16
    17:41:53.366475 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 2, length 16
    17:41:54.366761 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 3, length 16
    17:41:55.367049 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 4, length 16

    Packet capture from pfSense Firewall on WAN interface:

    22:41:50.873049 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 0
    22:41:50.880157 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 0
    22:41:51.874852 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 1
    22:41:51.882085 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 1
    22:41:52.872986 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 2
    22:41:52.880611 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 2
    22:41:53.872874 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 3
    22:41:53.882139 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 3
    22:41:53.910287 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) pfSense_Firewall_WAN_Interface:ffc6 > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address Client_LAN_IPv6_address:314a
    22:41:54.872773 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 4
    22:41:54.883785 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 4
    22:41:57.911314 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) pfSense_Firewall_WAN_Interface:ffc6 > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address Client_LAN_IPv6_address:314a

    Packet capture from pfSense Firewall on LAN interface:

    22:41:50.872974 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 0
    22:41:51.874813 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 1
    22:41:52.872957 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 2
    22:41:53.872845 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 3
    22:41:54.872743 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 4

    Thanks!
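The three captures in this post are enough to localize the failure mechanically. The script below is an added example, not part of the original post: it parses tcpdump's ICMPv6 lines, correlates echo requests and replies by sequence number across the firewall's WAN and LAN captures, and reports which replies arrived on WAN but were never put back onto the LAN. The sample captures are constructed to mirror the ones above, with documentation-prefix placeholders (2001:db8:1:2::314a for the client, 2001:db8:0:1::ffc6 for the firewall's WAN address) standing in for the redacted addresses, and the Google address taken from the capture. One detail worth checking explicitly: the "destination unreachable, unreachable address" messages sent from the firewall's own WAN address are ICMPv6 type 1 code 3 (RFC 4443, "address unreachable"), which a router emits when it cannot deliver to the destination, for example when neighbor resolution for that address fails. pfSense's default deny is a silent block and does not generate that message, so it points at delivery to the client on the LAN rather than at a rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One `tcpdump -n` line per ICMPv6 echo / destination-unreachable event. The
# "( ... )" verbose header is optional so a non-verbose capture parses too;
# anything else on the wire (NDP, TCP, ...) fails to match and is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?:\(.*?\) )?"
    r"(?P<src>\S+) > (?P<dst>\S+?): (?:\[icmp6 sum \S+\] )?"
    r"ICMP6, (?P<kind>echo request|echo reply|destination unreachable)"
    r"(?:, seq (?P<seq>\d+))?"
    r"(?:, unreachable address (?P<unreach>\S+))?"
)
HLIM_RE = re.compile(r"\bhlim (\d+)")


@dataclass
class Icmp6Event:
    ts: str
    src: str
    dst: str
    kind: str                   # "echo request" | "echo reply" | "destination unreachable"
    seq: Optional[int]          # echo sequence number, None for unreachables
    unreachable: Optional[str]  # address named inside a destination-unreachable
    hlim: Optional[int]         # hop limit, present only in verbose (-v) output


def parse_capture(text: str) -> list[Icmp6Event]:
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        h = HLIM_RE.search(raw)
        events.append(Icmp6Event(
            ts=m["ts"], src=m["src"], dst=m["dst"], kind=m["kind"],
            seq=int(m["seq"]) if m["seq"] else None,
            unreachable=m["unreach"],
            hlim=int(h.group(1)) if h else None))
    return events


def seqs(events: list[Icmp6Event], kind: str) -> set[int]:
    return {e.seq for e in events if e.kind == kind and e.seq is not None}


def request_hlims(events: list[Icmp6Event]) -> dict[int, int]:
    return {e.seq: e.hlim for e in events
            if e.kind == "echo request" and e.seq is not None and e.hlim is not None}


def diagnose(wan_text: str, lan_text: str) -> dict:
    """Correlate the firewall's WAN and LAN captures of one ping run."""
    wan, lan = parse_capture(wan_text), parse_capture(lan_text)
    req_wan, rep_wan = seqs(wan, "echo request"), seqs(wan, "echo reply")
    req_lan, rep_lan = seqs(lan, "echo request"), seqs(lan, "echo reply")
    lan_h, wan_h = request_hlims(lan), request_hlims(wan)

    # A request seen on both sides with the hop limit one lower on WAN was routed by the firewall.
    forwarded = sorted(s for s in req_lan & req_wan
                       if s in lan_h and s in wan_h and wan_h[s] == lan_h[s] - 1)
    unanswered = sorted(req_wan - rep_wan)   # never came back from the Internet
    lost = sorted(rep_wan - rep_lan)         # came back, never left the firewall's LAN side
    unreach = [(e.src, e.unreachable) for e in wan if e.kind == "destination unreachable"]

    findings = []
    if forwarded:
        findings.append(f"requests {forwarded} were routed LAN->WAN (hop limit decremented by one)")
    if unanswered:
        findings.append(f"no reply on WAN for seq {unanswered}: the problem is upstream of the firewall")
    if lost:
        findings.append(f"replies for seq {lost} arrived on WAN but never appeared on LAN: dropped inside the firewall")
    if unreach:
        targets = sorted({t for _, t in unreach})
        findings.append(f"the firewall itself sent ICMPv6 'address unreachable' (RFC 4443 type 1 code 3) for {targets}: "
                        "it could not deliver to that host on the LAN (typically failed neighbor resolution); "
                        "a silent pf block does not produce this message")
    if not (unanswered or lost):
        findings.append("replies reached the LAN side; look at the client rather than the firewall")
    return {"forwarded_requests": forwarded, "unanswered": unanswered,
            "lost_replies": lost, "unreachable": unreach, "findings": findings}


# Constructed captures modelled on the thread's. Client 2001:db8:1:2::314a and
# firewall WAN address 2001:db8:0:1::ffc6 are documentation-prefix placeholders.
WAN_CAPTURE = """\
22:41:50.873049 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:2::314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 0
22:41:50.880157 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > 2001:db8:1:2::314a: [icmp6 sum ok] ICMP6, echo reply, seq 0
22:41:51.874852 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:2::314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 1
22:41:51.882085 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > 2001:db8:1:2::314a: [icmp6 sum ok] ICMP6, echo reply, seq 1
22:41:53.910287 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2001:db8:0:1::ffc6 > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address 2001:db8:1:2::314a
"""
LAN_CAPTURE = """\
22:41:50.872974 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:2::314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 0
22:41:51.874813 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) 2001:db8:1:2::314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 1
"""

if __name__ == "__main__":
    for line in diagnose(WAN_CAPTURE, LAN_CAPTURE)["findings"]:
        print("-", line)
```

Feed it the real files with `tcpdump -n -v -i <if> icmp6 > wan.txt` on each interface and pass the file contents to `diagnose()`; the hop-limit check only works when both captures were taken with `-v`.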






  • Sorry, I can't answer your question, but are you sure that IPv6 is fully deployed by Cox in your market?  I am a Cox customer, and I recently did some research on this.  Cox has rolled out IPv6 in very few markets, with many others in some sort of "testing" mode.  In a nutshell, it is possible that the ISP is not allowing full IPv6 traffic despite some limited connectivity suggesting otherwise.



  • However, when I try to connect to from a client on my LAN to a v6 address on the Internet, we run into problems.

    Are the LAN clients all running with an IPv6 IP address too, or are they using IPv4 IP addresses?
    Perhaps you should run everything in your network with IPv6 IP addresses.

    What am I forgetting?

    You might also try it out with IPv4 IP addresses only, to verify that this works better
    or flawlessly.



  • Now you can do that?


  • LAYER 8 Netgate

    What do you have for DHCPv6 Prefix Delegation size on WAN?

    I think Cox will do /60 or /56; otherwise you get one /64, which is lame.

    My advice is to change to /56, save, unplug your WAN, and reboot your cable modem. When it's all green, plug your WAN in again.

    You should get a link-local address on WAN (or something else off a /64 or something) and get a /56 routed to it.

    You might also need to call Cox and have them clear your PD or maybe even wait an unknown interval of time.

    I'm in one of the "Sometime in 2016" markets so I can't give you more than that. Some of this is guessing.



  • Actually, it looks like the setup is OK; your tcpdump shows pings going out and replies coming back on the WAN interface. Thanks, that helps troubleshoot!

    • What version of pfSense are you running?

    • If <2.2.x, have you enabled IPv6 processing (System -> Advanced -> Networking -> Allow IPv6)?

    • Make sure your IPv6 prefix isn't in the IPv6 bogons space.  Either uncheck Block bogon networks on the WAN interface, or go to Diagnostics -> Tables -> bogonsv6 and make sure it's not in the list (or its parent subnet); if it is, update the bogons list, and if it's still present, then yell at your ISP.

    • You can also set Status -> System Logs -> Settings -> Filter Descriptions -> Display as column to find out what rule is dropping the traffic.  If it is the default deny rule, then there is a problem in your policy.

    Second, your inbound rule only allows ICMP to the WAN address.  IPv6 by nature allows full routability, so you might want an inbound ping rule on WAN for testing.  It also might allow unsolicited pinging, but that can be controlled by limiting the valid destinations.

    Action: Pass
    Interface: WAN
    TCP/IP Version: IPv6
    Protocol: ICMP
    ICMPv6 type: Echo request if you want to allow inbound pinging, or Echo reply if you're trying to diagnose non-responses.
    Source: any
    Destination: LAN net or host alias
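As an added example (not from the original thread and not pfSense's own code), the script below does two of the checks listed in this reply offline: it tests a prefix against a bogonsv6-style table, and it models the proposed WAN rule as a first-match ruleset so you can see which packets the Echo request and Echo reply variants admit. Assumptions are marked in the code: a constructed three-entry bogon table, 2001:db8:1:2::/64 as the LAN prefix and 2001:db8:0:1::ffc6 as the WAN address (the documentation prefix, which is itself reserved space, so the bogon check fires on it), em0 as the WAN interface name in the pf.conf comment, and the Google address from the capture as the remote. The model ignores pf's state table; in practice a reply to a ping that left through a stateful LAN pass rule is admitted by that state, which is why the WAN rule is mainly for diagnosis or for hosts you deliberately want pingable from outside.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Net = Union[ipaddress.IPv6Network, str]   # a network, or the literal "any"

# ---- 1. bogon check (Diagnostics -> Tables -> bogonsv6) --------------------
# Constructed three-entry stand-in for the real table, which pfSense downloads
# and which runs to several hundred lines; the format is one CIDR per line.
BOGONSV6_SAMPLE = """\
# reserved / unallocated IPv6 space (constructed subset)
::/8
2001:db8::/32
fc00::/7
"""


def parse_bogons(text: str) -> list[ipaddress.IPv6Network]:
    return [ipaddress.ip_network(line.strip())
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def bogon_entry_covering(prefix: str, bogons: list[ipaddress.IPv6Network]) -> Optional[ipaddress.IPv6Network]:
    """Return the table entry that contains `prefix` (so a parent of the prefix
    counts too), or None. The pfSense bogon rule matches the *source* address of
    packets arriving on WAN, so test the prefixes you expect to see as sources."""
    net = ipaddress.ip_network(prefix, strict=False)
    return next((b for b in bogons if b.version == net.version and net.subnet_of(b)), None)


# ---- 2. first-match model of the WAN rules ----------------------------------
@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str              # "in" | "out"
    proto: str                  # "icmp6", "tcp", ...
    icmp6_type: Optional[str]   # "echoreq", "echorep", ... (pf.conf names)
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" | "block"
    iface: str
    direction: str
    proto: str
    icmp6_type: Optional[str]   # None = any ICMPv6 type
    src: Net
    dst: Net


def _addr_in(addr: str, net: Net) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in net


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface == pkt.iface and rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and (rule.icmp6_type is None or rule.icmp6_type == pkt.icmp6_type)
            and _addr_in(pkt.src, rule.src) and _addr_in(pkt.dst, rule.dst))


def decide(rules: list[Rule], pkt: Packet) -> str:
    """pfSense rules are 'quick': the first match wins; anything that matches
    nothing hits the implicit default deny, which is a silent block."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


# Assumed addresses (documentation prefix locally, the thread's Google address remotely).
LAN_NET = ipaddress.ip_network("2001:db8:1:2::/64")
WAN_ADDR = "2001:db8:0:1::ffc6"
CLIENT = "2001:db8:1:2::314a"
REMOTE = "2607:f8b0:4004:807::1003"

# The rule the reply says is already there: ICMP only to the WAN address.
RULES_BEFORE = [Rule("pass", "wan", "in", "icmp6", None, "any",
                     ipaddress.ip_network(WAN_ADDR + "/128"))]
# Plus the proposed rule with "Echo reply" selected. pf.conf equivalent (em0 assumed as WAN):
#   pass in quick on em0 inet6 proto ipv6-icmp from any to 2001:db8:1:2::/64 icmp6-type echorep
RULES_ECHOREP = RULES_BEFORE + [Rule("pass", "wan", "in", "icmp6", "echorep", "any", LAN_NET)]
# Or with "Echo request" selected, which makes the whole LAN pingable from outside.
RULES_ECHOREQ = RULES_BEFORE + [Rule("pass", "wan", "in", "icmp6", "echoreq", "any", LAN_NET)]

REPLY_TO_CLIENT = Packet("wan", "in", "icmp6", "echorep", REMOTE, CLIENT)
UNSOLICITED_PING = Packet("wan", "in", "icmp6", "echoreq", REMOTE, CLIENT)
PING_TO_FIREWALL = Packet("wan", "in", "icmp6", "echoreq", REMOTE, WAN_ADDR)

if __name__ == "__main__":
    bogons = parse_bogons(BOGONSV6_SAMPLE)
    print("LAN prefix covered by bogon entry:", bogon_entry_covering(str(LAN_NET), bogons))
    for name, rules in (("before", RULES_BEFORE), ("echorep", RULES_ECHOREP), ("echoreq", RULES_ECHOREQ)):
        for pkt in (REPLY_TO_CLIENT, UNSOLICITED_PING, PING_TO_FIREWALL):
            print(f"{name:8} {pkt.icmp6_type:8} -> {pkt.dst:22} {decide(rules, pkt)}")
```

To run the bogon check against the real table, copy the contents of Diagnostics -> Tables -> bogonsv6 into a file and pass it to `parse_bogons()`; the rule model only needs the prefix and addresses changed to your own.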

