No Internet on Local IPv6 node



  • Hello,
    After much digging around, an ISP support call and spending days trying to figure out this issue, I am now asking the pfSense community to help me sort it out.
    The issue is that my pfSense firewall can talk IPv6 just fine, but no computer behind pfSense has internet connectivity. All local machines can ping each other and the firewall over IPv6 just fine.
    I was on a support call with my ISP and they helped ensure that IPv6 is working from the outside world to the pfSense firewall. They could not help me further since my local network is behind the firewall. I can ping6 ipv6.google.com from the firewall just fine.
    I have a static /48 IPv6 block which is routed by my ISP to a /64 interconnect.
    Since I can reach the outside on IPv6 from pfSense, I am assuming there is something I am missing in the configuration. I have a rule for IPv6* from LAN -> Any. DHCP is disabled, RA is Routed Only. All nodes are on static IPv6.
    Any pointer would be greatly appreciated!



  • Please post screenshots of the interface config for LAN and WAN, routes, and rules.
    Also, on your clients, what IPv6 addresses are you getting?
    Are clients getting the correct default gateway?
    What result does an IPv6 traceroute from a client to ipv6.google.com produce?



  • @awebster:

    Please post screenshots of the interface config for LAN and WAN, routes, and rules.
    Also, on your clients, what IPv6 addresses are you getting?
    Are clients getting the correct default gateway?
    What result does an IPv6 traceroute from a client to ipv6.google.com produce?

    Screenshots attached for LAN, WAN, Routes, Rules.

    My ISP side Gateway is 2607:XXXX:XXXX:XXXX::1
    My own /64 is 2606:XXXX:XXXX:XXXX:XXXX::

    pfSense WAN : 2607:XXXX:XXXX:XXXX::254

    pfSense LAN : 2606:XXXX:XXXX:XXXX::254

    PC : 2606:XXXX:XXXX:XXXX::3521

    When I run traceroute6 from the PC it seems to go straight to the ISP gateway and not to my pfSense gateway 2606:XXXX:XXXX:XXXX::254.



  • You indicated that your LAN and WAN IPs end in 254, but the screenshots show 252.
    Your ISP must be routing the 2606:XXXX:XXXX::/48 to the 2607:XXXX::252 address or it won't work.

    Assuming you have set up logging on your inbound drop rule, if you ping from a known IPv6 address on the Internet to any IP in your 2606:XXXX:XXXX::/48 subnet, you should see the packets hitting your WAN interface and being dropped. If you don't see at least that, then the problem lies upstream.

    I don't see how the first hop in the traceroute could produce a 2607:XXXX::1 answer, since pfSense would have to answer with either its LAN or WAN interface, neither of which ends in 1.
    You also might want to investigate why you have blocked packets arriving on the LAN interface. It is a small number, but make sure that it isn't going up when using IPv6.



  • @awebster:

    You indicated that your LAN and WAN IPs end in 254, but the screenshots show 252.
    Your ISP must be routing the 2606:XXXX:XXXX::/48 to the 2607:XXXX::252 address or it won't work.

    You are correct. The LAN interface itself is ::252 but the Virtual IP is ::254. It is a 2-node pfSense cluster setup. Node 1 LAN is ::253 and node 2 LAN is ::252. The CARP Virtual IP between the LAN interfaces is ::254. This is what all client nodes use as the LAN-side gateway.
    On the WAN side I have a CARP virtual IP 2607:X:X:X:X::2. This is the ISP-facing IP that the /48 is being routed to. My ISP can reach the CARP virtual IP 2607:X:X:X:X::2 from their side.

    @awebster:

    Assuming you have set up logging on your inbound drop rule, if you ping from a known IPv6 address on the Internet to any IP in your 2606:XXXX:XXXX::/48 subnet, you should see the packets hitting your WAN interface and being dropped. If you don't see at least that, then the problem lies upstream.

    Based on your tips I just pinged myself from this site: http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php
    Surprisingly it can ping 2607:XXXX::1 just fine, but there is no response when pinging 2607:X:X:X:X::2. So obviously nothing is reaching my firewall, even though my ISP said they can ping ::2 no problem.

    @awebster:

    I don't see how the first hop in the traceroute could produce a 2607:XXXX::1 answer, since pfSense would have to answer with either its LAN or WAN interface, neither of which ends in 1.

    I just tried to ping out from my network and all client nodes can still reach my ISP 2607:X:X:X::1. I do not understand how I can ping out to the ISP but nothing is coming in to pfSense.
    Going to contact them while I double-check to make sure my configuration is right.



  • Two things to check. If the /48 was issued recently, the bogon list might not have been updated yet.
    Check under System -> Advanced -> Firewall/NAT, scroll down to Bogon Networks; I think it defaults to Monthly.
    Second thing: if you traceroute from outside, does the traffic at least get to your ISP?



  • New development...
    It seems like I can ping my pfSense WAN interface itself on 2607:X:X:X::252 from outside just fine on IPv6. But there is no response to the CARP VIP 2607:X:X:X::2, which is supposed to be the interconnect for the /48 routing.
    Do I need to do anything special for IPv6 to work with a Virtual IP?



  • With CARP, you will need additional rules to make this work.
    Typically, create an alias which contains the VIP plus the WAN IP of each firewall, then use that alias in firewall rules, for example to allow ping.
    Something like this...




  • @awebster:

    With CARP, you will need additional rules to make this work.
    Typically, create an alias which contains the VIP plus the WAN IP of each firewall, then use that alias in firewall rules, for example to allow ping.
    Something like this...

    I am happy to say that the issue is now fixed! It turns out the main problem was with the ISP. They had assigned the wrong /48 to the routing. As soon as they gave me the correct block, IPv6 came to life on the network behind pfSense.

    Thanks to you, awebster, I was able to pinpoint the issue and confront my ISP by running traceroute and ping from outside through an online website. I tried everything from inside and did not even think of testing from outside.
    Also thanks for the pointer about the alias of VIP+WAN IP for rules. That actually solved the ping issue from outside into the client node.
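The checks awebster walked through in this thread (the ISP must route the /48 to the WAN VIP, the LAN /64 must actually live inside that /48, clients must use the LAN VIP as their gateway, and hop 1 of a client traceroute can only be an address the firewall owns) can be written down as a small consistency checker so the address plan is verified before blaming the ISP. The script below is an added example and is not code from this thread or from pfSense. Every address in it is a constructed placeholder in the 2001:db8::/32 documentation range standing in for the masked 2606:/2607: addresses above, and the "wrong /48" case reproduces the root cause the original poster found.

```python
# Added example, not from the thread or pfSense: consistency checks for a
# routed-/48-behind-a-/64-interconnect IPv6 plan with a pfSense CARP pair.
# All addresses are constructed placeholders (2001:db8::/32 documentation space).
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass
class Ipv6Plan:
    interconnect: str    # the /64 the ISP uses to reach the firewall
    isp_gateway: str     # ISP side of the interconnect
    wan_vip: str         # CARP VIP on WAN; the next hop the ISP must use for the /48
    wan_members: list    # each node's own WAN address
    routed_prefix: str   # the /48 the ISP says it routes to wan_vip
    lan_prefix: str      # the /64 actually configured on the LAN
    lan_vip: str         # CARP VIP on LAN; the gateway clients must use
    lan_members: list    # each node's own LAN address
    clients: list        # static client addresses
    client_gateway: str  # default route configured on the clients
    first_hop: str       # hop 1 of a traceroute6 run from a client


def _inside(addr, net):
    return ip_address(addr) in ip_network(net, strict=False)


def check_plan(p: Ipv6Plan) -> list:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # 1. Everything the ISP talks to must sit inside the interconnect /64.
    wan_side = [("isp_gateway", p.isp_gateway), ("wan_vip", p.wan_vip)]
    wan_side += [("wan_member", m) for m in p.wan_members]
    for name, a in wan_side:
        if not _inside(a, p.interconnect):
            findings.append(f"{name} {a} is not inside interconnect {p.interconnect}")
    # 2. The LAN /64 must be carved out of the /48 the ISP routes. If it is not,
    #    packets for the LAN never reach the WAN at all (the thread's root cause:
    #    the ISP had routed a different /48).
    if not ip_network(p.lan_prefix).subnet_of(ip_network(p.routed_prefix)):
        findings.append(f"LAN prefix {p.lan_prefix} is outside the routed prefix "
                        f"{p.routed_prefix}; the ISP must route the block containing the LAN")
    # 3. LAN VIP, node addresses and clients must all share the LAN /64.
    lan_side = [("lan_vip", p.lan_vip)] + [("lan_member", m) for m in p.lan_members]
    lan_side += [("client", c) for c in p.clients]
    for name, a in lan_side:
        if not _inside(a, p.lan_prefix):
            findings.append(f"{name} {a} is not inside LAN prefix {p.lan_prefix}")
    # 4. Clients must point at the CARP VIP, not at one node's own address,
    #    otherwise a failover strands them.
    if ip_address(p.client_gateway) != ip_address(p.lan_vip):
        findings.append(f"client gateway {p.client_gateway} is not the LAN VIP {p.lan_vip}")
    # 5. Hop 1 seen from a client can only be an address the firewall owns
    #    (LAN or WAN side); the ISP gateway there means pfSense is being bypassed.
    owned = {ip_address(a) for a in
             [p.lan_vip, *p.lan_members, p.wan_vip, *p.wan_members]}
    if ip_address(p.first_hop) not in owned:
        findings.append(f"traceroute first hop {p.first_hop} is not a firewall address")
    return findings


# Constructed sample mirroring the thread: the ISP routes a /48 that does not
# contain the LAN /64, exactly what the original poster eventually found.
BROKEN = Ipv6Plan(
    interconnect="2001:db8:1:0::/64",
    isp_gateway="2001:db8:1:0::1",
    wan_vip="2001:db8:1:0::2",
    wan_members=["2001:db8:1:0::252", "2001:db8:1:0::253"],
    routed_prefix="2001:db8:ffff::/48",   # wrong block routed by the ISP
    lan_prefix="2001:db8:2:0::/64",
    lan_vip="2001:db8:2:0::254",
    lan_members=["2001:db8:2:0::252", "2001:db8:2:0::253"],
    clients=["2001:db8:2:0::3521"],
    client_gateway="2001:db8:2:0::254",
    first_hop="2001:db8:2:0::252",
)
# The same plan once the ISP routes the correct /48.
FIXED = replace(BROKEN, routed_prefix="2001:db8:2::/48")
# The symptom in the thread's traceroute: hop 1 is the ISP gateway, not pfSense.
BAD_HOP = replace(FIXED, first_hop="2001:db8:1:0::1")

if __name__ == "__main__":
    for label, plan in [("broken", BROKEN), ("fixed", FIXED), ("bad_hop", BAD_HOP)]:
        print(label, check_plan(plan) or "OK")
```

Run it as-is to see the three constructed cases; to check a real deployment, fill in an `Ipv6Plan` with the addresses from the pfSense interface pages and the client's `traceroute6` output, and treat any finding about the routed prefix as a question for the ISP rather than a firewall-rule problem.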

