LAN Interface ping problem



  • I have a problem ping pfsense from client by IPv6 address
    LAN interface (lan, em1)
    Status up
    MAC address 90:e2:ba:54:ff:eb - Intel Corporate
    IPv4 address 192.168.0.1
    Subnet mask IPv4 255.255.255.0
    IPv6 Link Local fe80::1:1 
    IPv6 address HIDE:HIDE:8e83:3::1:1 
    Subnet mask IPv6 64
    MTU 1500

    On client

    eth0      Link encap:Ethernet  HWaddr 60:a4:4c:60:66:d9 
              inet addr:192.168.0.100  Bcast:10.0.255.255  Mask:255.255.0.0
              inet6 addr: HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9/64 Scope:Global
              inet6 addr: fe80::62a4:4cff:fe60:66d9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    If I ping6 fe80::1:1%eth0 everything ok.
    But ping6 HIDE:HIDE:8e83:3::1:1

    ping6 HIDE:HIDE:8e83:3::1:1
    PING HIDE:HIDE:8e83:3::1:1(HIDE:HIDE:8e83:3::1:1) 56 data bytes
    From HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9 icmp_seq=1 Destination unreachable: Address unreachable

    Fails. Why.
    HIDE:HIDE::8e83:3::/64 dev eth0  proto kernel  metric 256  expires 86397sec pref medium
    fe80::/64 dev eth1  proto kernel  metric 256  pref medium
    fe80::/64 dev eth0  proto kernel  metric 256  pref medium
    default via fe80::1:1 dev eth0  proto ra  metric 1024  expires 57sec hoplimit 64 pref medium



  • Your client device appears to be Linux of some sort.
    1. Check ipv6 neighbor table to be sure address resolution is working properly (ip -6 nei)
    2. Check that ip6tables configuration isn't blocking ipv6 that isn't on link-local (fe80::/64) addresses


  • Rebel Alliance Global Moderator

    what are you lan rules on pfsense?

    Yeah I would check to see if your get mac via NDP..

    pfsense
    em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
            options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:00:00:02
            inet6 fe80::250:56ff:fe00:2%em1 prefixlen 64 scopeid 0x2
            inet 192.168.9.253 netmask 0xffffff00 broadcast 192.168.9.255
          inet6 2001:470:xxxx:xxxx::1 prefixlen 64
            nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active

    linux client
    user@clean:~$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0c:29:f0:74:06
              inet addr:192.168.9.7  Bcast:192.168.9.255  Mask:255.255.255.0
              inet6 addr: 2001:470:xxxx:xxxx::7/64 Scope:Global
              inet6 addr: fe80::20c:29ff:fef0:7406/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:375795 errors:0 dropped:0 overruns:0 frame:0
              TX packets:97489 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:158553951 (158.5 MB)  TX bytes:7798582 (7.7 MB)

    user@clean:~$ ping6 2001:470:xxxx:xxxx::1
    PING 2001:470:1f11:9c4::1(2001:470:xxxx:xxxx::1) 56 data bytes
    64 bytes from 2001:470:xxxx:xxxx::1: icmp_seq=2 ttl=64 time=0.741 ms

    user@clean:~$ ip -6 nei
    2001:470:xxxx:xxxx::40 dev eth0 lladdr 00:1f:29:54:17:14 STALE
    fe80::21f:29ff:fe54:1714 dev eth0 lladdr 00:1f:29:54:17:14 STALE
    2001:470:xxxx:xxxx::1 dev eth0 lladdr 00:50:56:00:00:02 router REACHABLE
    fe80::250:56ff:fe00:2 dev eth0 lladdr 00:50:56:00:00:02 router STALE

    is internet via ipv6 working from the client? Can you ping say google via ipv6?

    user@clean:~$ ping6 ipv6.google.com
    PING ipv6.google.com(yk-in-x8a.1e100.net) 56 data bytes
    64 bytes from yk-in-x8a.1e100.net: icmp_seq=1 ttl=56 time=32.6 ms
    64 bytes from yk-in-x8a.1e100.net: icmp_seq=2 ttl=56 time=34.3 ms
    64 bytes from yk-in-x8a.1e100.net: icmp_seq=3 ttl=56 time=31.4 ms

    user@clean:~$ ping6 -n ipv6.google.com
    PING ipv6.google.com(2607:f8b0:4002:c07::8a) 56 data bytes
    64 bytes from 2607:f8b0:4002:c07::8a: icmp_seq=1 ttl=56 time=34.1 ms
    64 bytes from 2607:f8b0:4002:c07::8a: icmp_seq=2 ttl=56 time=31.5 ms
    64 bytes from 2607:f8b0:4002:c07::8a: icmp_seq=3 ttl=56 time=31.6 ms</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>



  • @a1ien:

    eth0  Link encap:Ethernet  HWaddr 60:a4:4c:60:66:d9 
              inet addr:192.168.0.100  Bcast:10.0.255.255  Mask:255.255.0.0
              inet6 addr: HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9/64 Scope:Global
              inet6 addr: fe80::62a4:4cff:fe60:66d9/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

    Linux: inet6 addr: HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9  /128  Scope:Global


  • Rebel Alliance Global Moderator

    where ae you seeing /128 ?



  • Why is a clienthost  a /64 ?



  • That's the way Linux works; all ipv6 addresses are /64.

    eth0      Link encap:Ethernet  HWaddr 00:0C:29:D7:C8:3A 
              inet addr:A.B.204.61  Bcast:A.B.207.255  Mask:255.255.248.0
              inet6 addr: WWWW:XXXX:YYYY:ZZZZ::4:61**/64** Scope:Global
              inet6 addr: WWWW:XXXX:YYYY:ZZZZ:20c:29ff:fed7:c83a**/64** Scope:Global
              inet6 addr: fe80::20c:29ff:fed7:c83a**/64** Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:44200471 errors:0 dropped:0 overruns:0 frame:0
              TX packets:43513869 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:16773320157 (15.6 GiB)  TX bytes:31831765833 (29.6 GiB)



  • My pfSense supplies as a dhcp6-server. This is the Raspberry(Linux) clienthost pick-up:

    eth0      Link encap:Ethernet  HWaddr b8:27:eb:b8:b3:df
              inet addr:192.168.2.201  Bcast:192.168.2.255  Mask:255.255.255.0
              inet6 addr: 2001:9yx:abcd:2::28/128 Scope:Global
              inet6 addr: fe80::ba27:ebff:feb8:b3df/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:244171 errors:0 dropped:0 overruns:0 frame:0
              TX packets:52845 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:82687246 (78.8 MiB)  TX bytes:12890567 (12.2 MiB)


  • Rebel Alliance Global Moderator

    you shouldn't be getting a /128 on your pi…  The smallest prefix with ipv6 is /64..  And its not just linux that works that way its every OS there is that can work with IPv6..

    anything other /64 is going to break all kinds of shit from working correctly..



  • Maybe just an artifact from PI Linux?
    Just spun up a fresh CentOS 6.7 VM with ipv6 dhcp client, addresses come up as /64 as expected.


  • Rebel Alliance Global Moderator

    my pi is /64

    Also dhcpv6 doesn't hand out a prefix length, that comes from the RA.. So maybe you have a problem there?  What does your configuration on the pi look like for interfaces?




  • @johnpoz
    Out of curiosity, what do you use your PI for?  An actual purpose or just a novelty?


  • Rebel Alliance Global Moderator

    I have done quite a few things with it, currently it monitors one of my UPSes, I did at one time have it logging all the power in my house via a currentcost device plugged into via usb.  I have a project on the back burner to set it up as a stratum 1 ntp server..

    But think I will just do that with the new one I am ordering, and waiting for the new cheaper $5 ones to be off back order ;) For a project to put my cigar humidor online..

    This current ones final home is going to monitor the ups in my AV cabinet in the living room.. If I ever get around to moving it - its currently in my computer room connected the ups on my esxi box.  I got a new bigger ups for the esxi box (more run time)..  Kind of cool when whole block looses power and my internet works and even my wifi (poe) for like an hour.. Normally outages don't last any longer than that..



  • Ok I have another question.

    If ISP give me /64 by SLAAC. How I need configure LAN interface



  • @a1ien:

    If ISP give me /64 by SLAAC. How I need configure LAN interface

    You can't 'give a /64' by SLAAC - SLAAC allows devices to autonomously assign (single) IPv6 addresses within a prefix.

    Typically SLAAC is used to get a global IPv6 address for the ISP facing interface (the WAN interface of your device) and DHCP-PD is used to delegate IPv6 prefixes to your local interfaces. This is one variant of the typical ISP configuration defined in TR-187.

    If you use PPPoE or PPP to access your ISP, there's several important IPv6 fixes in 2.3.



  • Maybe just an artifact from PI Linux?

    my pi is /64

    Thanks guys, a bit OT, but hey maybe you like the info:
    The /etc/network/interfaces !did contain (iface eth0 inet6 dhcp), this controls a /64 address with /etc/wide-dhcp6c/dhcp6c.conf.
    In /etc/default/wide-dhcpv6-client there was (INTERFACES="eth0"), this gets/adds an (second) address as a /128.
    If the pfSense DHCPv6-Server allows a clienthost a /64, it is not showing up in Status-DHCPv6-leases, while as a /128 it is :)  //2.2.6



  • @David_W:

    This is one variant of the typical ISP configuration defined in TR-187.

    That' s interesting ! Thank you David :)



  • Yup, my ISP has it exactly like this.
    Was nightmare to configure on early 2.2.X and 2.3 builds via GUI, via conf file went just fine.



  • Ok. My ISP say it's name eui-64
    And when I set SLAAC on WAN interface type I get IP.



  • @hda:

    @David_W:

    This is one variant of the typical ISP configuration defined in TR-187.

    That' s interesting ! Thank you David :)

    For completeness, the other variant of TR-187 is WAN IPv6 address via DHCPv6, prefixes delegated to local network(s) via DHCP-PD. In other words, the ISP has a choice of whether to use DHCPv6 or SLAAC for allocating WAN IP addresses. My ISP, Zen Internet, uses SLAAC.

    If you configure pfSense to use DHCP6 with prefix delegation, it will work with both the DHCPv6 and SLAAC variants of TR-187.



  • @johnpoz:

    you shouldn't be getting a /128 on your pi…  The smallest prefix with ipv6 is /64..  And its not just linux that works that way its every OS there is that can work with IPv6..

    anything other /64 is going to break all kinds of shit from working correctly..

    I dusted off my raspberry pi over the weekend, and installed latest NOOBS + raspbian, sure enough it comes up with /128 in addition to /64.
    The /128 is the address assigned by the DHCP server; the /64, I guess it is deciding thru SLAAC on its own because of RA.  I have some android clients on the network, so need SLAAC too.
    radvd on pfsense 2.2.4 is set to Assisted, with the RA Subnet set to WWWW:XXXX:YYYY:ZZZZ::/64
    Win2K8 DHCP server is handing out IPs in WWWW:XXXX:YYYY:ZZZZ::/64
    Resolv.conf on PI ends up with Domain Controller IPv4+IPv6 IP as well as pfSense IPv6 IP, not ideal since it doesn't have any knowledge of the domain.  Strange that it ended up with the pfSense IPv6 IP because the DNS Servers entry is blank in the RA config tab.

    
    eth0      Link encap:Ethernet  HWaddr b8:27:eb:35:53:31  
              inet addr:10.2.95.18  Bcast:10.2.95.255  Mask:255.255.254.0
              inet6 addr: WWWW:XXXX:YYYY:ZZZZ:fcef:f7d6:12c3:f393/64 Scope:Global
              inet6 addr: fe80::bd6c:2ed5:a452:1eff/64 Scope:Link
              inet6 addr: WWWW:XXXX:YYYY:ZZZZ:c439:ca13:15f5:31a9/128 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:80378 errors:0 dropped:5856 overruns:0 frame:0
              TX packets:4106 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:6121679 (5.8 MiB)  TX bytes:662612 (647.0 KiB)
    
    wlan0     Link encap:Ethernet  HWaddr 34:08:04:a0:5d:3d  
              inet addr:10.2.95.20  Bcast:10.2.95.255  Mask:255.255.254.0
              inet6 addr: WWWW:XXXX:YYYY:ZZZZ:927a:28a4:a3e3:73f8/128 Scope:Global
              inet6 addr: fe80::b69e:3850:a1d0:6935/64 Scope:Link
              inet6 addr: WWWW:XXXX:YYYY:ZZZZ:d9d4:1377:f075:8c05/64 Scope:Global
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:315611 errors:0 dropped:17236 overruns:0 frame:0
              TX packets:325 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:121355585 (115.7 MiB)  TX bytes:63491 (62.0 KiB)