Netgate Discussion Forum

    Help with IPv6 Firewall rules on pfSense + Cox Cable

spoonsphere:

      Greetings!

      I am trying to get IPv6 set up.

      I am getting a v6 address via DHCP from my provider (Cox Cable).

      From the pfSense firewall, I can ping a v6 address on the Internet and get a response (tried google.com / 2607:f8b0:4004:807::1008).

      I can also ssh to a v6 address on the Internet from the pfSense firewall.

      I am assigning v6 addresses to clients on my LAN.

      I can ping and ssh from a client on my LAN to the LAN interface of the pfSense firewall.

      However, when I try to connect from a client on my LAN to a v6 address on the Internet, we run into problems.

      When I run tcpdump on the target host on the Internet, I see, for example, the ICMP echo coming in from the LAN Client IP, and I see the ICMP replies going back. So the packet is getting from the Client on the LAN to the host on the Internet. However, the pfSense firewall isn't allowing the packets coming back to the Client on the LAN.

      WAN and LAN firewall rules attached.

      What am I forgetting?

      Thanks so much!

      Edit:

      I ran some packet captures on the pfSense Firewall (WAN and LAN interfaces), as well as on the LAN client. We see the ICMP echo go out and the ICMP reply come back on the WAN interface. That ICMP reply doesn't show up on the pfSense Firewall LAN interface, however; and consequently, it doesn't make it back to the client.

      Packet capture from LAN Client:
      17:41:51.365142 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 0, length 16
      17:41:52.367876 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 1, length 16
      17:41:53.366475 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 2, length 16
      17:41:54.366761 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 3, length 16
      17:41:55.367049 IP6 Client_LAN_IPv6_address:314a > iad23s24-in-x03.1e100.net: ICMP6, echo request, seq 4, length 16

      Packet capture from pfSense Firewall on WAN interface:

      22:41:50.873049 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 0
      22:41:50.880157 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 0
      22:41:51.874852 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 1
      22:41:51.882085 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 1
      22:41:52.872986 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 2
      22:41:52.880611 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 2
      22:41:53.872874 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 3
      22:41:53.882139 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 3
      22:41:53.910287 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) pfSense_Firewall_WAN_Interface:ffc6 > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address Client_LAN_IPv6_address:314a
      22:41:54.872773 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 4
      22:41:54.883785 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) 2607:f8b0:4004:807::1003 > Client_LAN_IPv6_address:314a: [icmp6 sum ok] ICMP6, echo reply, seq 4
      22:41:57.911314 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) pfSense_Firewall_WAN_Interface:ffc6 > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address Client_LAN_IPv6_address:314a

      Packet capture from pfSense Firewall on LAN interface:

      22:41:50.872974 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 0
      22:41:51.874813 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 1
      22:41:52.872957 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 2
      22:41:53.872845 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 3
      22:41:54.872743 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) Client_LAN_IPv6_address:314a > 2607:f8b0:4004:807::1003: [icmp6 sum ok] ICMP6, echo request, seq 4

      Thanks!

      Attachments: pfSense_WAN_Rules.png, pfSense_LAN_Rules.png

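What the poster did by eye across the three captures can be done mechanically. The script below is an added example, not part of the original post and not pfSense code: it parses `tcpdump -nn -v` style lines like the ones above, pairs each echo request with its reply by (peer, seq), and reports where each packet was last seen. The sample captures are constructed to mirror the redacted ones in the post, so `Client_LAN_IPv6_address:314a` and `pfSense_Firewall_WAN_Interface:ffc6` are placeholder tokens rather than real addresses. One fact the script leans on, from RFC 4443: tcpdump's "unreachable address" is Destination Unreachable code 3, which a router emits when it cannot resolve the destination into a link-layer address (neighbor discovery failed), so a firewall sending it for the LAN client is a different symptom from a silent filter drop.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "<ts> IP6 (<header fields>) <src> > <dst>: [icmp6 sum ok] ICMP6, <message>"
# The header-field group and the checksum note only appear with -v.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP6 (?:\((?P<hdr>.*?)\) )?(?P<src>\S+) > (?P<dst>\S+): "
    r"(?:\[icmp6 sum ok\] )?ICMP6, (?P<msg>.+)$"
)
ECHO_RE = re.compile(r"echo (request|reply), seq (\d+)")
# tcpdump renders RFC 4443 Destination Unreachable codes as "unreachable route",
# "unreachable address" (code 3: link-layer resolution failed), "unreachable port"...
UNREACH_RE = re.compile(r"destination unreachable, unreachable (\w+)(?: (\S+))?")


@dataclass(frozen=True)
class Pkt:
    ts: str
    src: str
    dst: str
    kind: str               # "request" | "reply" | "unreachable" | "other"
    seq: Optional[int]      # echo sequence number
    hlim: Optional[int]     # hop limit (only with -v)
    reason: Optional[str]   # unreachable sub-reason, e.g. "address"
    target: Optional[str]   # address named in the unreachable message


def parse_line(line: str) -> Optional[Pkt]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hl = re.search(r"hlim (\d+)", m.group("hdr") or "")
    kind, seq, reason, target = "other", None, None, None
    if (e := ECHO_RE.match(m.group("msg"))):
        kind, seq = e.group(1), int(e.group(2))
    elif (u := UNREACH_RE.match(m.group("msg"))):
        kind, reason, target = "unreachable", u.group(1), u.group(2)
    return Pkt(m.group("ts"), m.group("src"), m.group("dst"), kind, seq,
               int(hl.group(1)) if hl else None, reason, target)


def _peer_key(p: Pkt):
    """(remote peer, seq): identical for a request and its matching reply."""
    return (p.dst if p.kind == "request" else p.src, p.seq)


def correlate(wan_lines, lan_lines, client):
    wan = [p for p in map(parse_line, wan_lines) if p]
    lan = [p for p in map(parse_line, lan_lines) if p]
    req_lan = {_peer_key(p): p for p in lan if p.kind == "request" and p.src == client}
    req_wan = {_peer_key(p): p for p in wan if p.kind == "request" and p.src == client}
    rep_wan = {_peer_key(p) for p in wan if p.kind == "reply" and p.dst == client}
    rep_lan = {_peer_key(p) for p in lan if p.kind == "reply" and p.dst == client}
    # The firewall reporting the client unreachable: sent from its own address,
    # naming the client as the address it could not deliver to.
    unreach = sorted({p.reason for p in wan if p.kind == "unreachable" and p.target == client})
    forwarded = req_lan.keys() & req_wan.keys()
    # A routed packet leaves with the hop limit decremented by one; a bridged one would not.
    hlim_ok = all(req_lan[k].hlim is not None and req_wan[k].hlim == req_lan[k].hlim - 1
                  for k in forwarded)
    report = {
        "requests_not_forwarded": sorted(req_lan.keys() - req_wan.keys()),
        "unanswered": sorted(req_wan.keys() - rep_wan),
        "replies_not_forwarded": sorted(rep_wan - rep_lan),
        "hop_limit_decremented": hlim_ok,
        "unreachable_from_firewall": unreach,
    }
    if report["replies_not_forwarded"] and "address" in unreach:
        report["verdict"] = ("replies reached WAN but never appeared on LAN, and the firewall sent "
                             "Destination Unreachable code 3 (address unreachable) for the client: "
                             "it tried to deliver and neighbor resolution on LAN failed, which points "
                             "at the client's address/prefix rather than at a filter rule")
    elif report["replies_not_forwarded"]:
        report["verdict"] = "replies reached WAN but were silently dropped before LAN"
    elif report["unanswered"]:
        report["verdict"] = "requests left WAN but no replies came back"
    else:
        report["verdict"] = "echo traffic forwarded in both directions"
    return report


# Constructed captures modelled on the post (placeholder tokens, not real addresses).
CLIENT = "Client_LAN_IPv6_address:314a"
PEER = "2607:f8b0:4004:807::1003"
WAN_CAPTURE = f"""\
22:41:50.873049 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) {CLIENT} > {PEER}: [icmp6 sum ok] ICMP6, echo request, seq 0
22:41:50.880157 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) {PEER} > {CLIENT}: [icmp6 sum ok] ICMP6, echo reply, seq 0
22:41:51.874852 IP6 (flowlabel 0xb06c0, hlim 63, next-header ICMPv6 (58) payload length: 16) {CLIENT} > {PEER}: [icmp6 sum ok] ICMP6, echo request, seq 1
22:41:51.882085 IP6 (hlim 57, next-header ICMPv6 (58) payload length: 16) {PEER} > {CLIENT}: [icmp6 sum ok] ICMP6, echo reply, seq 1
22:41:53.910287 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) pfSense_Firewall_WAN_Interface:ffc6 > {PEER}: [icmp6 sum ok] ICMP6, destination unreachable, unreachable address {CLIENT}
"""
LAN_CAPTURE = f"""\
22:41:50.872974 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) {CLIENT} > {PEER}: [icmp6 sum ok] ICMP6, echo request, seq 0
22:41:51.874813 IP6 (flowlabel 0xb06c0, hlim 64, next-header ICMPv6 (58) payload length: 16) {CLIENT} > {PEER}: [icmp6 sum ok] ICMP6, echo request, seq 1
"""

if __name__ == "__main__":
    for k, v in correlate(WAN_CAPTURE.splitlines(), LAN_CAPTURE.splitlines(), CLIENT).items():
        print(f"{k}: {v}")
```

Feed it the output of `tcpdump -nn -v -i <if> icmp6` from each interface (pfSense's Diagnostics > Packet Capture produces the same format when run verbose) and replace `CLIENT` with the real LAN address; the hop-limit check doubles as a sanity test that the WAN capture really shows the routed copy of the LAN packet.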
BillBraskey:

        Sorry, I can't answer your question, but are you sure that IPv6 is fully deployed by Cox in your market? I am a Cox customer, and I recently did some research on this. Cox has rolled out IPv6 in very few markets, with many others in some sort of "testing" mode. In a nutshell, it is possible that the ISP is not allowing full IPv6 traffic despite some limited connectivity suggesting otherwise.

Guest:

          > However, when I try to connect from a client on my LAN to a v6 address on the Internet, we run into problems.

          Are the LAN clients all running with an IPv6 IP address too, or are they using IPv4 IP addresses?
          Perhaps you should run everything in your network with IPv6 IP addresses.

          > What am I forgetting?

          You might also try it out with IPv4 IP addresses only, to verify that this works better
          or flawlessly.

Derelict (Netgate):

              What do you have for DHCPv6 Prefix Delegation size on WAN?

              I think Cox will do /60 or /56 else you get one /64 which is lame.

              My advice is change to /56, save, unplug your WAN, reboot your cable modem. When it's all green plug your WAN in again.

              You should get a link-local address on WAN (or something else off a /64 or something) and get a /56 routed to it.

              You might also need to call Cox and have them clear your PD or maybe even wait an unknown interval of time.

              I'm in one of the "Sometime in 2016" markets so I can't give you more than that. Some of this is guessing.


awebster:

                Actually, it looks like the setup is ok: your tcpdump is showing the ping going out and replies coming back on the WAN interface. Thanks, that helps troubleshooting!

                • What version of pfSense are you running?

                • If <2.2.x have you enabled IPv6 processing (System -> Advanced -> Networking -> Allow IPv6)?

                • Make sure your IPv6 prefix isn't in the IPv6 bogons space. Either uncheck "Block bogon networks" on the WAN interface, or go to Diagnostics -> Tables -> bogonsv6 and make sure it (or its parent subnet) is not in the list; if it is, update the bogons list, and if it is still present, then yell at your ISP.

                • You can also set Status -> System Logs -> Settings -> Filter Descriptions -> Display as column to find out what rule is dropping the traffic.  If it is the default deny rule, then there is a problem in your policy.

                Second, your inbound rule only allows ICMP to the WAN address.  IPv6 by nature allows full routability, so you might want an inbound ping rule on WAN for testing.  It also might allow unsolicited pinging, but that can be controlled by limiting the valid destinations.

                Action: Pass
                Interface: WAN
                TCP/IP Version: IPv6
                Protocol: ICMP
                ICMPv6 type: Echo request if you want to allow inbound pinging, or Echo reply if you're trying to diagnose non-responses.
                Source: any
                Destination: LAN net or host alias

                –A.

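The bogon check in the reply above, written out as an added example (not pfSense's own code, and not the real table): pfSense keeps the full-bogon list in its `bogonsv6` table, and the excerpt below is a constructed sample of the kind of entries that list contains. The functions answer both questions the reply raises, whether the delegated prefix sits under a bogon entry (a "parent subnet" hit) and, the other way round, whether any bogon entry sits inside the delegation.

```python
import ipaddress
from typing import List, Optional

# Constructed excerpt in the style of pfSense's bogonsv6 table (the real list is far longer).
BOGONSV6_EXCERPT = [
    "::/8",           # unspecified, loopback, IPv4-mapped and other special-use space
    "2001:db8::/32",  # documentation prefix (RFC 3849)
    "3ffe::/16",      # 6bone, returned to IANA
    "fc00::/7",       # unique local addresses (RFC 4193), not Internet-routable
    "fe80::/10",      # link-local
    "fec0::/10",      # deprecated site-local
]


def _net(prefix: str) -> ipaddress.IPv6Network:
    """Accept a bare address or a prefix; reject anything that is not IPv6."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 6:
        raise ValueError(f"IPv6 prefix expected, got {prefix}")
    return net


def covering_bogon(prefix: str, table=BOGONSV6_EXCERPT) -> Optional[ipaddress.IPv6Network]:
    """Most specific table entry that contains `prefix`, or None.

    Any entry containing the prefix is a parent of it, so this covers the
    "is it or its parent subnet in the list" question in one call."""
    net = _net(prefix)
    hits = [b for b in map(ipaddress.IPv6Network, table) if net.subnet_of(b)]
    return max(hits, key=lambda b: b.prefixlen) if hits else None


def contained_bogons(prefix: str, table=BOGONSV6_EXCERPT) -> List[ipaddress.IPv6Network]:
    """Table entries strictly inside `prefix`: parts of your own delegation
    that the bogon rule would still block."""
    net = _net(prefix)
    return sorted((b for b in map(ipaddress.IPv6Network, table)
                   if b != net and b.subnet_of(net)), key=str)


def bogon_report(prefix: str, table=BOGONSV6_EXCERPT) -> str:
    parent = covering_bogon(prefix, table)
    inside = contained_bogons(prefix, table)
    if parent:
        return f"{prefix}: BLOCKED by bogon entry {parent}"
    if inside:
        return f"{prefix}: not a bogon, but contains bogon entries {', '.join(map(str, inside))}"
    return f"{prefix}: clear of the bogon table"


if __name__ == "__main__":
    # The Google address from the post, the documentation prefix, and a link-local address.
    for p in ("2607:f8b0:4004:807::1003", "2001:db8:1234::/56", "fe80::1"):
        print(bogon_report(p))
```

To run it against the live table rather than the excerpt, export Diagnostics -> Tables -> bogonsv6 (or `pfctl -t bogonsv6 -T show` from a shell on the firewall) and pass the resulting lines as `table`.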
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.