Can't ping link local address



  • I am running pfsense 2.3 on a SG-2440. I am just starting to get into IPv6. I am using a free IPv6 tunnel from Hurricane Electric. All my global IPv6 addresses assigned to me from HE work great.

    The issue I am having is with link local addresses. Currently on my pfsense LAN interface I have the following address: fe80::208:a2ff:fd0a:6226

    Yet, I can't ping this IP from ANY machine on my LAN. I also can't ping from the pfsense firewall to any link local address on my LAN.

    I can ping between hosts on the LAN using their link local address and they reply (so I know no Windows firewall is blocking ICMP). This appears to be an issue with my pfsense config.

    I tried adding a very open firewall rule to allow ICMP/ANY from any host on the LAN to the firewall but I still can't ping a link local IPv6 address on the firewall or ping a link local address from the firewall to the LAN. This works 100% with the globally assigned addresses.

    What am I missing??



  • You need to suffix the link local address with "%if", for example:

    [2.3-RELEASE][admin@firewall.rdnzl.fi]/root: ping6 fe80::230:18ff:fea9:66cb%rl0

    Where rl0 is my LAN interface.



  • @kpa:

    You need to suffix the link local address with "%if", for example:

    [2.3-RELEASE][admin@firewall.rdnzl.fi]/root: ping6 fe80::230:18ff:fea9:66cb%rl0

    Where rl0 is my LAN interface.

    Thanks for your help but I just found out what it is  :o I had set the virtual IP of fe80::1 to have a subnet mask of 128. Oops. Changed it to /64 and all is good now.

    My next question is, how can I tell the router advertisement (or however it is done) to tell clients to use fe80::1 as the default gateway? I'd much rather use a shorter simpler address like fe80::1 than fe80::230:18ff:fea9:66cb!

    Thank you!


  • LAYER 8 Global Moderator

    what does it matter how long the address is to the gateway, if the client finds it??  You're not having to hand code it..



  • @johnpoz:

    what does it matter how long the address is to the gateway, if the client finds it??  You're not having to hand code it..

    If I am troubleshooting, pinging fe80::1 is easy and convenient. Can this be done in pfSense?


  • LAYER 8 Global Moderator

    why would you not just ping name anyway?  Or do a simple traceroute to see what the first hop is going to, etc.

    Or just copy paste anyway if IP is long.. What you're asking to do is hard code the link local address in pfsense?

    Sure you could do that via ifconfig you could add any address you want to an interface - see example attached.




  • I agree with the above - in both cases, I also usually configure (on Cisco hardware) short link local addresses for simplicity, but, IPv6 addresses are long - get used to it - use DNS ;)



  • @johnpoz:

    why would you not just ping name anyway?  Or do a simple traceroute to see what the first hop is going to, etc.

    Or just copy paste anyway if IP is long.. What you're asking to do is hard code the link local address in pfsense?

    Sure you could do that via ifconfig you could add any address you want to an interface - see example attached.

    I agree, use DNS wherever you can. But there will be times when I want to ping the router's IP address. fe80::1 is WAY simpler to use (and remember). Also, I can set each subnet to use the SAME IPv6 link local address of fe80::1 so it doesn't matter what machine I sit at for troubleshooting purposes or what subnet I am on as I will just know that the router's link local address is fe80::1.  :) I know I can copy and paste the long address but I still want to use the short fe80::1 for each interface's link local address.

    So, how can I configure pfsense with a fe80::1 address on each LAN interface AND tell the router advertisement to use THIS short link local address rather than the long link local address? Can this be done? Currently I have just added a virtual IP under the firewall menu of fe80::1 on the LAN interface but on my test clients I am still only seeing the long link local address as the gateway address. (I can ping fe80::1 from my test clients)

    Thanks for all your comments  ;)



  • can it be done - yeah sure, I've done this in FreeBSD before, so sure it's do-able.
    Is the option available in the GUI - no, I can't find it either.

    It's normal that the link local address is generated from the MAC address, so you could ghetto it into your hosts file ;)



  • I think if you look in your NDP table, you might find that fe80::1:1 is listed there… and there should be an entry for each of your internal network interfaces (for example, my NDP table shows fe80::1:1%igb1 and %igb2).

    Those two interfaces on my box are "Track Interface: WAN" networks, so it's possible that it might not do it for a static IPv6 network.



  • I think what I'll do is leave it as is and just keep in the back of my mind that each subnet's gateway address is fe80::1 AND the long link local address. I'll create a DNS entry for the long link local address for each gateway address on each subnet.

    Thanks for the help  :)



  • @virgiliomi:

    I think if you look in your NDP table, you might find that fe80::1:1 is listed there… and there should be an entry for each of your internal network interfaces (for example, my NDP table shows fe80::1:1%igb1 and %igb2).

    Those two interfaces on my box are "Track Interface: WAN" networks, so it's possible that it might not do it for a static IPv6 network.

    pfSense uses fe80::1:1 for link local addresses if Track Interface is in use. In other IPv6 scenarios, pfSense likely uses an interface ID (the lower 64 bits) derived from the MAC address of one of the NICs in the machine, as per the IPv6 RFCs.

    There are relatively few scenarios where you need to type a link local address manually. Unless the tool you intend to use gives some way other than the address of providing the scope, such as ping6's -I parameter, a link local address from DNS will not work as the scope (interface) is ambiguous. All machines are likely to have at least two interfaces - loopback and a physical NIC.
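    The two practical points in this thread, that a bare link-local address is ambiguous on a multi-interface host until a zone ("%ifname") is supplied, and that the original poster's fe80::1 virtual IP stopped working when it was entered with a /128 instead of a /64 prefix, can both be checked with the standard library. The following is an added example, not code from the thread or from pfSense; the neighbour table, interface names and peer addresses it uses are constructed for illustration.

    ```python
    """Zone (scope) identifiers and on-link prefixes for IPv6 link-local addresses.

    Added example, not code from the pfSense forum thread. Link-local addresses
    (fe80::/10) are only unique per link, so a host with more than one interface
    must be told which link an address belongs to, usually with a "%ifname"
    suffix (the FreeBSD/pfSense form, e.g. fe80::1%rl0) or a tool option such as
    ping6 -I. The neighbour table and peer addresses below are constructed.
    """
    import ipaddress

    # Constructed sample NDP table: (neighbour address, interface) as a
    # multi-interface firewall might see it. fe80::1:1 appears on two links.
    SAMPLE_NDP = [
        ("fe80::1:1", "igb1"),
        ("fe80::1:1", "igb2"),
        ("fe80::230:18ff:fea9:66cb", "rl0"),
        ("2001:db8:1::10", "igb1"),
    ]


    def split_zone(addr):
        """Split 'addr%zone' into (addr, zone); zone is None when absent."""
        host, sep, zone = addr.partition("%")
        return host, (zone if sep else None)


    def classify(addr):
        """Describe an address: is it link-local, and is it usable as written?"""
        host, zone = split_zone(addr)
        ip = ipaddress.IPv6Address(host)
        link_local = ip.is_link_local
        return {
            "address": host,
            "zone": zone,
            "link_local": link_local,
            # Global addresses are routable without a zone; link-local ones need
            # one unless the tool supplies the interface another way (ping6 -I).
            "complete": (not link_local) or zone is not None,
        }


    def candidate_interfaces(addr, ndp=SAMPLE_NDP):
        """Interfaces on which a link-local address could be reached.

        With an explicit zone there is exactly one answer. Without one we can
        only list every interface where the neighbour table has seen that
        address, which is what makes a zone-less link-local address ambiguous.
        """
        host, zone = split_zone(addr)
        if zone is not None:
            return [zone]
        ip = ipaddress.IPv6Address(host)
        return sorted({ifname for nbr, ifname in ndp
                       if ipaddress.IPv6Address(nbr) == ip})


    def is_ambiguous(addr, ndp=SAMPLE_NDP):
        """True when a zone-less link-local address matches more than one link."""
        info = classify(addr)
        if not info["link_local"] or info["zone"] is not None:
            return False
        return len(candidate_interfaces(addr, ndp)) > 1


    def on_link_peers(local_iface, peers):
        """Return the peers that fall inside the local interface's on-link prefix.

        Illustrates the /128 versus /64 mistake from the thread: a link-local
        virtual IP entered as fe80::1/128 covers only itself, so no LAN peer is
        on-link through it, while fe80::1/64 covers the whole link.
        """
        net = ipaddress.IPv6Interface(local_iface).network
        return [p for p in peers if ipaddress.IPv6Address(split_zone(p)[0]) in net]


    if __name__ == "__main__":
        for a in ("fe80::1:1", "fe80::1:1%igb1", "2001:db8:1::10"):
            print(a, classify(a), "candidates:", candidate_interfaces(a),
                  "ambiguous:", is_ambiguous(a))
        lan_peer = ["fe80::208:a2ff:fd0a:6226"]  # constructed LAN host address
        print("/128 on-link peers:", on_link_peers("fe80::1/128", lan_peer))
        print("/64  on-link peers:", on_link_peers("fe80::1/64", lan_peer))
    ```

    The zone string is handled with a plain `partition("%")` rather than passing it to `ipaddress` directly, so the script behaves the same on Python versions before 3.9, which reject scoped addresses.
    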



  • @David_W:

    @virgiliomi:

    I think if you look in your NDP table, you might find that fe80::1:1 is listed there… and there should be an entry for each of your internal network interfaces (for example, my NDP table shows fe80::1:1%igb1 and %igb2).

    Those two interfaces on my box are "Track Interface: WAN" networks, so it's possible that it might not do it for a static IPv6 network.

    pfSense uses fe80::1:1 for link local addresses if Track Interface is in use. In other IPv6 scenarios, pfSense likely uses an interface ID (the lower 64 bits) derived from the MAC address of one of the NICs in the machine, as per the IPv6 RFCs.

    There are relatively few scenarios where you need to type a link local address manually. Unless the tool you intend to use gives some way other than the address of providing the scope, such as ping6's -I parameter, a link local address from DNS will not work as the scope (interface) is ambiguous. All machines are likely to have at least two interfaces - loopback and a physical NIC.

    Yeah, I'm beginning to realise that link local addresses are limited and not used that much. I still think it's "pretty" to use fe80::1 on the router's interface on each LAN.

    Pardon my ignorance but what do you mean by: "pfSense uses fe80::1:1 for link local addresses if Track Interface is in use"?



  • @zarje:

    Pardon my ignorance but what do you mean by: "pfSense uses fe80::1:1 for link local addresses if Track Interface is in use"?

    If you receive a prefix from your ISP via DHCP then any inside interfaces (LAN, OPT1, etc.) that want to use a /64 from that prefix need to be configured for IPv6 as "Track Interface", then selecting the WAN interface as the interface being tracked, and the prefix ID to be used. With this setup, the pfSense interface will use a SLAAC address with the prefix, as well as configure itself as fe80::1:1 for link-local.

    But if your interface has IPv6 configured static, then the fe80::1:1 link-local address isn't configured by pfSense.

