LAN Interface ping problem

a1ien · Feb 4, 2016, 2:07 PM

I have a problem ping pfsense from client by IPv6 address
LAN interface (lan, em1)
Status up
MAC address 90:e2:ba:54:ff:eb - Intel Corporate
IPv4 address 192.168.0.1
Subnet mask IPv4 255.255.255.0
IPv6 Link Local fe80::1:1
IPv6 address HIDE:HIDE:8e83:3::1:1
Subnet mask IPv6 64
MTU 1500

On client

eth0 Link encap:Ethernet HWaddr 60:a4:4c:60:66:d9
inet addr:192.168.0.100 Bcast:10.0.255.255 Mask:255.255.0.0
inet6 addr: HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9/64 Scope:Global
inet6 addr: fe80::62a4:4cff:fe60:66d9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

If I ping6 fe80::1:1%eth0 everything ok.
But ping6 HIDE:HIDE:8e83:3::1:1

ping6 HIDE:HIDE:8e83:3::1:1
PING HIDE:HIDE:8e83:3::1:1(HIDE:HIDE:8e83:3::1:1) 56 data bytes
From HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9 icmp_seq=1 Destination unreachable: Address unreachable

Fails. Why.
HIDE:HIDE::8e83:3::/64 dev eth0 proto kernel metric 256 expires 86397sec pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1:1 dev eth0 proto ra metric 1024 expires 57sec hoplimit 64 pref medium

awebster · Feb 4, 2016, 2:17 PM

Your client device appears to be Linux of some sort.
1. Check ipv6 neighbor table to be sure address resolution is working properly (ip -6 nei)
2. Check that ip6tables configuration isn't blocking ipv6 that isn't on link-local (fe80::/64) addresses

johnpoz · Feb 4, 2016, 3:09 PM

what are you lan rules on pfsense?

Yeah I would check to see if your get mac via NDP..

pfsense
em1: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=9b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum>ether 00:50:56:00:00:02
inet6 fe80::250:56ff:fe00:2%em1 prefixlen 64 scopeid 0x2
inet 192.168.9.253 netmask 0xffffff00 broadcast 192.168.9.255
inet6 2001:470:xxxx:xxxx::1 prefixlen 64
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

linux client
user@clean:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:f0:74:06
inet addr:192.168.9.7 Bcast:192.168.9.255 Mask:255.255.255.0
inet6 addr: 2001:470:xxxx:xxxx::7/64 Scope:Global
inet6 addr: fe80::20c:29ff:fef0:7406/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:375795 errors:0 dropped:0 overruns:0 frame:0
TX packets:97489 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:158553951 (158.5 MB) TX bytes:7798582 (7.7 MB)

user@clean:~$ ping6 2001:470:xxxx:xxxx::1
PING 2001:470:1f11:9c4::1(2001:470:xxxx:xxxx::1) 56 data bytes
64 bytes from 2001:470:xxxx:xxxx::1: icmp_seq=2 ttl=64 time=0.741 ms

user@clean:~$ ip -6 nei
2001:470:xxxx:xxxx::40 dev eth0 lladdr 00:1f:29:54:17:14 STALE
fe80::21f:29ff:fe54:1714 dev eth0 lladdr 00:1f:29:54:17:14 STALE
2001:470:xxxx:xxxx::1 dev eth0 lladdr 00:50:56:00:00:02 router REACHABLE
fe80::250:56ff:fe00:2 dev eth0 lladdr 00:50:56:00:00:02 router STALE

is internet via ipv6 working from the client? Can you ping say google via ipv6?

user@clean:~$ ping6 ipv6.google.com
PING ipv6.google.com(yk-in-x8a.1e100.net) 56 data bytes
64 bytes from yk-in-x8a.1e100.net: icmp_seq=1 ttl=56 time=32.6 ms
64 bytes from yk-in-x8a.1e100.net: icmp_seq=2 ttl=56 time=34.3 ms
64 bytes from yk-in-x8a.1e100.net: icmp_seq=3 ttl=56 time=31.4 ms

user@clean:~$ ping6 -n ipv6.google.com
PING ipv6.google.com(2607:f8b0:4002:c07::8a) 56 data bytes
64 bytes from 2607:f8b0:4002:c07::8a: icmp_seq=1 ttl=56 time=34.1 ms
64 bytes from 2607:f8b0:4002:c07::8a: icmp_seq=2 ttl=56 time=31.5 ms
64 bytes from 2607:f8b0:4002:c07::8a: icmp_seq=3 ttl=56 time=31.6 ms</full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum></up,broadcast,running,simplex,multicast>

hda · Feb 4, 2016, 3:45 PM

@a1ien:

eth0 Link encap:Ethernet HWaddr 60:a4:4c:60:66:d9
inet addr:192.168.0.100 Bcast:10.0.255.255 Mask:255.255.0.0
inet6 addr: HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9/64 Scope:Global
inet6 addr: fe80::62a4:4cff:fe60:66d9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

Linux: inet6 addr: HIDE:HIDE:8e83:3:62a4:4cff:fe60:66d9 /128 Scope:Global

johnpoz · Feb 4, 2016, 6:19 PM

where ae you seeing /128 ?

hda · Feb 4, 2016, 7:19 PM

Why is a clienthost a /64 ?

awebster · Feb 4, 2016, 7:22 PM

That's the way Linux works; all ipv6 addresses are /64.

eth0 Link encap:Ethernet HWaddr 00:0C:29:D7:C8:3A
inet addr:A.B.204.61 Bcast:A.B.207.255 Mask:255.255.248.0
inet6 addr: WWWW:XXXX:YYYY:ZZZZ::4:61**/64** Scope:Global
inet6 addr: WWWW:XXXX:YYYY:ZZZZ:20c:29ff:fed7:c83a**/64** Scope:Global
inet6 addr: fe80::20c:29ff:fed7:c83a**/64** Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:44200471 errors:0 dropped:0 overruns:0 frame:0
TX packets:43513869 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:16773320157 (15.6 GiB) TX bytes:31831765833 (29.6 GiB)

hda · Feb 4, 2016, 7:44 PM

My pfSense supplies as a dhcp6-server. This is the Raspberry(Linux) clienthost pick-up:

eth0 Link encap:Ethernet HWaddr b8:27:eb:b8:b3:df
inet addr:192.168.2.201 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: 2001:9yx:abcd:2::28/128 Scope:Global
inet6 addr: fe80::ba27:ebff:feb8:b3df/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:244171 errors:0 dropped:0 overruns:0 frame:0
TX packets:52845 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:82687246 (78.8 MiB) TX bytes:12890567 (12.2 MiB)

johnpoz · Feb 4, 2016, 7:59 PM

you shouldn't be getting a /128 on your pi… The smallest prefix with ipv6 is /64.. And its not just linux that works that way its every OS there is that can work with IPv6..

anything other /64 is going to break all kinds of shit from working correctly..

awebster · Feb 4, 2016, 8:01 PM

Maybe just an artifact from PI Linux?
Just spun up a fresh CentOS 6.7 VM with ipv6 dhcp client, addresses come up as /64 as expected.

johnpoz · Feb 4, 2016, 9:02 PM

my pi is /64

Also dhcpv6 doesn't hand out a prefix length, that comes from the RA.. So maybe you have a problem there? What does your configuration on the pi look like for interfaces?

awebster · Feb 4, 2016, 8:58 PM

@johnpoz
Out of curiosity, what do you use your PI for? An actual purpose or just a novelty?

johnpoz · Feb 4, 2016, 9:07 PM

I have done quite a few things with it, currently it monitors one of my UPSes, I did at one time have it logging all the power in my house via a currentcost device plugged into via usb. I have a project on the back burner to set it up as a stratum 1 ntp server..

But think I will just do that with the new one I am ordering, and waiting for the new cheaper $5 ones to be off back order ;) For a project to put my cigar humidor online..

This current ones final home is going to monitor the ups in my AV cabinet in the living room.. If I ever get around to moving it - its currently in my computer room connected the ups on my esxi box. I got a new bigger ups for the esxi box (more run time).. Kind of cool when whole block looses power and my internet works and even my wifi (poe) for like an hour.. Normally outages don't last any longer than that..

a1ien · Feb 5, 2016, 1:37 PM

Ok I have another question.

If ISP give me /64 by SLAAC. How I need configure LAN interface

David_W · Feb 5, 2016, 5:35 PM

@a1ien:

If ISP give me /64 by SLAAC. How I need configure LAN interface

You can't 'give a /64' by SLAAC - SLAAC allows devices to autonomously assign (single) IPv6 addresses within a prefix.

Typically SLAAC is used to get a global IPv6 address for the ISP facing interface (the WAN interface of your device) and DHCP-PD is used to delegate IPv6 prefixes to your local interfaces. This is one variant of the typical ISP configuration defined in TR-187.

If you use PPPoE or PPP to access your ISP, there's several important IPv6 fixes in 2.3.

hda · Feb 7, 2016, 7:00 PM

Maybe just an artifact from PI Linux?

my pi is /64

Thanks guys, a bit OT, but hey maybe you like the info:
The /etc/network/interfaces !did contain (iface eth0 inet6 dhcp), this controls a /64 address with /etc/wide-dhcp6c/dhcp6c.conf.
In /etc/default/wide-dhcpv6-client there was (INTERFACES="eth0"), this gets/adds an (second) address as a /128.
If the pfSense DHCPv6-Server allows a clienthost a /64, it is not showing up in Status-DHCPv6-leases, while as a /128 it is :) //2.2.6

hda · Feb 5, 2016, 6:24 PM

@David_W:

This is one variant of the typical ISP configuration defined in TR-187.

That' s interesting ! Thank you David :)

maverick_slo · Feb 5, 2016, 7:02 PM

Yup, my ISP has it exactly like this.
Was nightmare to configure on early 2.2.X and 2.3 builds via GUI, via conf file went just fine.

a1ien · Feb 8, 2016, 9:38 AM

Ok. My ISP say it's name eui-64
And when I set SLAAC on WAN interface type I get IP.

David_W · Feb 8, 2016, 11:39 AM

@hda:

@David_W:

This is one variant of the typical ISP configuration defined in TR-187.

That' s interesting ! Thank you David :)

For completeness, the other variant of TR-187 is WAN IPv6 address via DHCPv6, prefixes delegated to local network(s) via DHCP-PD. In other words, the ISP has a choice of whether to use DHCPv6 or SLAAC for allocating WAN IP addresses. My ISP, Zen Internet, uses SLAAC.

If you configure pfSense to use DHCP6 with prefix delegation, it will work with both the DHCPv6 and SLAAC variants of TR-187.