No ipv6 forwarding



  • Hello.

    I have set up pfsense to isolate the fritzbox router from the inner network.
    The fritzbox distributes ipv4 and ipv6 as dhcp. The pfsense gets both ips.
    pfsense is set up to distribute ips for the inner network. That works fine.
    The DHCPv4 daemon is working properly. All pcs from the inner network can connect to the internet.
    The distribution of ipv6 works also. The pcs get individual ipv6, correct inner DNS and gateway ipv6.
    ping6 can ping all ips.

    From pcs:
    ping google.com works fine
    ping6 ipv6.google.com can contact server

    From pfsense with the ping command
    both servers can be pinged

    I have the impression that the traffic isn't forwarded by pfsense.

    The same configuration with Kerio Connect works fine.

    What have I ignored in pfsense?

    THX



  • @eljot:


    I have the impression that the traffic isn't forwarded by pfsense.

    Specifically what?
    If you mean TCP traffic, explicit allow rules LAN outbound for IPv6? pfSense is default Deny, no rules no entry.



  • Via Status -> Rules there are many IPv6 rules shown.

    Is there a difference between ipv4 and ipv6 outbound traffic?
    I have not configured any outbound ipv4 rules myself, but it works fine.

    In the firewall -> rules setup there is an ipv6 default route like the ipv4 default route, both of which are active.



  • OK. And is System: Advanced: Networking(Allow IPv6) true ?



  • Yes, also checked



  • Can you explain "impression" by facts from log or typical trial from a host? What do you mean by forwarding?

    Can we see screenshot
    Status: Interfaces ?
    Interfaces: LAN ?



  • Get a constant ping6 running from something on LAN. Go to Diag>Packet Capture, capture on WAN. Traffic there? Guessing so and your upstream routing isn't getting the reply traffic back to you.



  • @hda:

    Can you explain "impression" by facts from log or typical trial from a host? What do you mean by forwarding?

    Can we see screenshot
    Status: Interfaces ?
    Interfaces: LAN ?

    I can ping6 from the pfsense webpage all extern ipv6-hosts like ipv6.google.com and also all intern hosts.
    But a ping or any other connection via ipv6 from intern hosts to extern receive the error message: Connection timeout

    ipv4 works perfect.










  • @cmb:

    Get a constant ping6 running from something on LAN. Go to Diag>Packet Capture, capture on WAN. Traffic there? Guessing so and your upstream routing isn't getting the reply traffic back to you.

    Yes, there is a lot of traffic.
    But not specific ping6 requests and answers. A lot of neighborhood requests, http traffic.



  • There is a special crafted LAN IPv6, could you still post the Interfaces: LAN. ?

    Do you have an ISP prefix for several subnets i.e. >64 (like 48, 56 or 60) (Germany)?
    How do you request pfSense subnet from FB ?

    Cascading routers of FB7360 & pfSense are cumbersome. For instance careful serial booting up, first ISP site then pfSense.
    But if not fiber, a bridged PPPoA/PPPoE Draytek-V130 & pfSense(PPPoE) is great.



  • I have a fritzbox running at 192.168.0.1 and corresponding ipv6 as router.

    The pfsense is for the inner network to separate public services.






  • I thought i saw the WAN, sorry but

    You MUST ask the FB for subnet value with pfSense dhcp6, not with static.
    The FB is the boss. :)

    Try with LAN as Track Interface.





  • The ipv6 forwarding didn't work.
    With track an LAN, no ipv6 connection to other inner members is possible anymore.

    Connections from the web interface like ping6 still work.

    I have compared the config from kerio with pfsense and haven't found any difference, except the interface configuration for the LAN interface.
    In Kerio, the LAN is static, but the routed prefix is determined automatically.


  • LAYER 8 Global Moderator

    "In Kerio, the LAN is static, but the routed prefix is determined automatically."

    Huh??  How could you set a static if you don't know what network/prefix to put that static in?

    What I would suggest if you want ipv6 connectivity is go with a tunnel.. HE you get a /48 stable, works, free..  Why continue to dick with the nonsense that is most isp ipv6 implementation? Come on let's get real here, there is no real need for ipv6 as of yet..  Unless you're in a DC and providing ipv6 to your customers or serving up something to public? That should not be done off some home connection anyway!  So why go through the pain of your native isp connectivity until they are ready for prime time for some home connection?



  • @johnpoz:

    What I would suggest if you want ipv6 connectivity is go with a tunnel.. HE you get a /48 stable, works, free..  Why continue to dick with the nonsense that is most isp ipv6 implementation? Come on let's get real here, there is no real need for ipv6 as of yet..  Unless you're in a DC and providing ipv6 to your customers or serving up something to public? That should not be done off some home connection anyway!  So why go through the pain of your native isp connectivity until they are ready for prime time for some home connection?

    Just as a sidenote here, I see loads of people promoting HE tunnel as it "just works". Fine.. But there are loads of sites using ipv6 atm (google, facebook, youtube+++), all of these sites having a priority if you use windows to browse. Ie. if windows has both ipv6 and ipv4 addresses, the prio is ipv6 > ipv4, thus connecting to facebook and uploading an album or whatnot will "force" all the traffic through your HE tunnel. If you have 100mbit or better fiber/cable network, and force all traffic through an ipv6 "tunnel", I'm not at all convinced you get max performance out of your network… or am I totally off now you think?

    Reason for using ISP ipv6 has been in my mind to get "full performance", not slower speeds :) You can ofc argue that "meh.. ipv6 is just for testing.. don't use it, you don't need it", but that mindset won't make isp's or large sites start to use it faster imo. Progress comes from ppl starting to use new products right? Better to start using isp ipv6 and "make" them fix their shit, than to just think of it as either a) Don't need it, or b) Use a different solution if you want to test it.

    C


  • LAYER 8 Global Moderator

    Well yeah there will be a hit on sending traffic through a tunnel, that is a given with the overhead of the tunnel..  Just because your OS likes to default to ipv6 if it sees it, doesn't mean you have to leave it like that.. Simple enough to edit the preferences to use ipv4 before ipv6, simple click in browser not to use ipv6 as well if you're wanting that extra couple of mbps..

    "but that mindset won't make isp's or large sites start to use it faster imo"

    And they need it now because??  The whole switch to ipv6 is chicken egg thing…  You don't need ipv6 because there is no content, there is no need for content because nobody is on ipv6, etc..

    I am all for moving towards it, if you want to submit yourself to the pain of using an isp broken deployment and complaining to them all you want..  No thanks for me.. I would much rather give up a couple of mbps in the tunnel overhead for when I purpose use ipv6 to connect to something, since I have my OS set to still use ipv4 over ipv6..  Or I just disable ipv6 altogether on it since again there is NO content I need to access via ipv6 that is not available via ipv4..

    So when you solve the chicken egg problem let us know.. Currently there is no need for ipv6..  And they can complain all they want that ipv4 is used up..  If that was the case where is all this content that is only ipv6 accessible??  Sorry it's not there because you would then block out most of the planet from accessing it, since ipv6 is not ready for prime time.. That whole chicken egg thing again..

    edit: here I did a simple speed test ipv4 vs ipv6..  While the server was pretty far away..  AK vs near Chicago..  Pretty much the planet is pretty far away from your connection...  From this seems my tunnel is a bit faster than my native ipv4

    pic2 was even farther away.. Again the tunnel is faster ;)  Your speed to anywhere on the planet is going to depend on a lot of different factors..  The tunnel overhead prob not going to cause any real speed hits..  Now where there are peers with your isp and compared to the tunnel provider, etc.  And where you going could make for some drastic differences, sure.. But I don't think the tunnel overhead is going to be the limiting hit here..






  • You are probably right. pfSense should really just ditch the whole ipv6 thing, as it is rather useless. No point in moving forward, as long as everything works just the way it does :)

    Not really to bash you, but there are A LOT of posts where you "promote" HE tunnel, and any excuse with it not being what ppl want, ends up with the argument "But, there is no need for ipv6".

    Thanks for nothing :)

    C


  • LAYER 8 Global Moderator

    What???  Where did I say anything about pfsense dropping ipv6??  My point many isp are not ready to actually deploy ipv6…  Why should you put yourself through that pain when you can have good ipv6 connectivity with a simple tunnel..

    If you want to hassle with your isp crappy ipv6 deployment scheme then go right ahead... I just can not be bothered...  Can try again in a few months, as I have been since comcast started rolling it out.. They still don't have it up to speed...  Biggest issue is a PD that changes with the wind.. This is not a viable solution for anyone...  But sure if you want to play with that sort of shit go right ahead..

    But yes at this time for the typical user.. There is no actual need for ipv6...  Show me otherwise..  If anything the current deployment of it causes them way more grief than benefit..

    Is it something that needs to happen, sure, it is something that has to happen tmrw - no..  Do we continue to move forward with it, yes..  The more and more content that comes online the better..  But to your typical home user, they don't really give a shit if the page comes up ipv4 or ipv6..  And currently as of now, since the major OS players and browsers have all decided that if looks like ipv6 connection should use that over ipv4... When the ipv6 is not stable and working correctly it causes more pain than if the users would just use ipv4..



  • Do you assume the "typical home user that don't care if the page comes up with ipv4 or ipv6" actually uses pfSense and not an "out-of-the-box" router OR their ISP default router?

    This forum is for ppl setting up pfSense, and many times to deploy a wee bit more advanced settings than the "typical user". The "typical user" would not understand shi* about setting up pfSense in the first place most likely :)

    I do not consider myself a "typical user", and most of the reason I use pfSense is due to the many advanced features you don't really find in consumer routers. Sure, you can buy one and install dd-wrt or similar, but that moves way past the "typical" again. Setting up ipv6 there with RA or whatever advanced config you can think of has its own issues, as I'm sure you can find if you go look at the dd-wrt forums :)

    I have an interest in learning. And learning stuff rarely happens if you can just plug in a cable and turn a switch and never touch it again. I'd like to set up ipv6 on my pfSense box with my ISP's implementation of IPV6 and their dhcp services and whatnot. That involves a great deal of trial and error.. and sometimes ppl find bugs with pfSense that can be reported. "Concluding" that ipv6 is of little use, and "set up a HE tunnel if you so badly wanna use it" is of no help to the ppl asking. Contributing by asking ppl to post logs so one can find out things IS. So far in numerous threads, you have just ended up stating the same as you have here.. 1. No real point in using ipv6, and 2. If you want ipv6, use HE tunnel.

    How is that helping ME? :)

    C



  • <sarc>About need or grief or learning… Track interface. Once your refrigerator is aware with its MAC, it will talk to kaymart about the eggscontainer because you allowed RA assisted or unmanaged, SLAAC ;). And don't you love it, the 2-way audiovisual SmartTV. Nah, IPv6 will ease national security applications.</sarc>

    ISP-native or cloudy GE-tunnel does it matter ?

    I use IPv6 pfSense for explicit outbound allowance, so create static LAN's and use DHCP6-server an RA managed or just create static server(hosts) for LAN's...

