Netgate SG-1000 microFirewall

Author Topic: IPv6-test.com  (Read 1082 times)

0 Members and 1 Guest are viewing this topic.

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
IPv6-test.com
« on: June 13, 2017, 01:51:11 pm »
ipv6-test.com has been my go-to website for ensuring I've got good dual-stack connectivity. I have two separate networks, one running pfsense 2.3.4 and one running 2.4 beta. (I have 50+ Mbps down and 10+ Mbps up.) I have icmp echo-request enabled for ipv4 and ipv6 and on the windows 10 clients, I have the windows firewall "Virtual Machine Monitoring (Echo Request - ICMPv6-In)" rule enabled. With this configuration, normally, I get 20/20 on both networks and the ping test also works for both protocols. (I normally only use chrome.)

Lately (as in the last month or so), however, I've found the website to give inconsistent results. Often, the ipv6 icmp test says filtered or not tested and often, the one or more of the three dns tests are slow to respond or come back as unreachable. If I refresh the dns test several times, a different one of the three dns tests may fail. Less often, the website reports the browser default protocol is ipv4 instead of ipv6. If I refresh the website a few times, it usually will eventually report 20/20. Maybe I have to come back in a while.

To my knowledge, nothing has changed on either of my networks, aside from updates to the pfsense 2.4 beta snapshot. My other network is more stable, since I'm using pfsense 2.3.X release.

I'm wondering if anyone else is seeing these problems.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14839
  • Karma: +1377/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: IPv6-test.com
« Reply #1 on: June 13, 2017, 01:55:17 pm »
No not seeing any issues.. You have mentioned these 2 pfsense in your other thread - but have yet to see how they are connected.  To me one is downstream of the other?  Are they both natting?  Are they in parallel.

A drawing would be most helpful in helping you.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
Re: IPv6-test.com
« Reply #2 on: June 13, 2017, 03:23:11 pm »
No not seeing any issues.. You have mentioned these 2 pfsense in your other thread - but have yet to see how they are connected.  To me one is downstream of the other?  Are they both natting?  Are they in parallel.

A drawing would be most helpful in helping you.
I don't have a drawing, but hopefully I can explain it.

1. VDSL2 Modem, with ipv4 address and ipv6 prefix
2. Bridged port,  IP set top boxes are connected to LAN ports
3. Physical NIC on Windows hyper-v server 2012R2 connected to bridged port
4. Virtual WAN switch
5. 2 x pfsense guest (2.3.4 a, 2.4 beta b), each with separate MAC, DUID and ipv4 address and ipv6 prefix (not NATed by modem).
6a. / 6b. separate virtual LAN switches
7a. other windows and linux guests and physical NIC
7b. other windows and linux guests
8a. physical LAN switch with numerous devices

We have been using this configuration for several years with no problems. (Previously, we had separate HE tunnels for ipv6, before native ipv6 was available.)

Does that help?

The strange results I'm getting only from ipv6-test.com, lead me to wonder if there is something wrong with their website or the route between my isp and their website. Sometimes it says ipv6 is not supported, but shows that dns4 and dhs6 are reachable with ipv6 and the browser is defaulted to ipv6. If there is no ipv6, how could those results be correct? Immediately after receiving such a result, I can run the ping test and speed test and both protocols work fine. test-ipv6.com doesn't report any problems. This is why I'm wondering if there's a problem with the website (or the route between my isp and the website).

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14839
  • Karma: +1377/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: IPv6-test.com
« Reply #3 on: June 13, 2017, 03:47:24 pm »
So your public IPv4 you are getting are they in the same netblock or different.  Your IPv6 that you get are they different prefixes behind your pfsense?

So they are completely separate parallel setups just using the same ISP.    Or do these pfsense have rfc1918 on their wan so they are behind a nat?  You say not natted by modem so I assume your ISP is giving you different public ipv4 and different ipv6 prefixes behind the 2 pfsense boxes.

If so then 1 has zero to do with the other.

I can tell you that ipv6 test works just fine on 2.4 beta that is for sure.. 
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
Re: IPv6-test.com
« Reply #4 on: June 13, 2017, 05:39:30 pm »
So your public IPv4 you are getting are they in the same netblock or different.  Your IPv6 that you get are they different prefixes behind your pfsense?

So they are completely separate parallel setups just using the same ISP.    Or do these pfsense have rfc1918 on their wan so they are behind a nat?  You say not natted by modem so I assume your ISP is giving you different public ipv4 and different ipv6 prefixes behind the 2 pfsense boxes.

If so then 1 has zero to do with the other.

I can tell you that ipv6 test works just fine on 2.4 beta that is for sure..
Effectively, I have three completely separate dual-stack networks. One for the modem and one for each of the pfsense routers. The ipv4 addresses are all public (not private) in separate /30 subnets. The ipv6 are separate /56 prefixes. It's been a while since I wiresharked the WAN switch. I don't recall if I could see packets from the modem, but I could see packets from both pfsense routers.

Just trying to get behind why the results from ipv6-test.com are so inconsistent. One time it refreshes almost instantly with 20/20. The next time, one or more of the tests either take a while and pass or fail.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14839
  • Karma: +1377/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: IPv6-test.com
« Reply #5 on: June 14, 2017, 05:28:53 am »
"The ipv6 are separate /56 prefixes."

Huh??  You mean your delegated 3 different /56's that you then subnet down to /64s
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
Re: IPv6-test.com
« Reply #6 on: June 14, 2017, 01:07:34 pm »
"The ipv6 are separate /56 prefixes."

Huh??  You mean your delegated 3 different /56's that you then subnet down to /64s
Yes. Sorry, thought that was obvious. My ISP delegates /56 prefixes. That's all. I have three, one for my modem / router and one for each of my pfsense routers and their associated LANs. I haven't tried to get another, but I suppose it's possible.

Offline JKnott

  • Hero Member
  • *****
  • Posts: 1093
  • Karma: +43/-9
    • View Profile
Re: IPv6-test.com
« Reply #7 on: June 14, 2017, 01:10:45 pm »
Only 3 /56s???  I hope that's enough addresses!   ;)

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
Re: IPv6-test.com
« Reply #8 on: August 07, 2017, 12:46:37 pm »
This problem has been continuing intermittently. I looked at the source of the ipv6-test.com webpage and noticed that they use the address v6.ipv6-test.com for the ipv6 icmp test. I found that when the test is working, I can ping the address and when it's not working, I can't ping it.

Here is the output of traceroute with the problem. In this case, I'm using my Telus isp connection.

C:\Users\VPN>tracert -6 v6.ipv6-test.com Tracing route to v6.ipv6-test.com [2001:41d0:8:e8ad::1] over a maximum of 30 hops:
1    <1 ms    <1 ms    <1 ms  pfSense.localdomain [2001:*:*:*:215:5dff:fe5c:e205]
2    10 ms     9 ms    11 ms  node-1w7jr9n36nixrvaceajc2pstq.ipv6.telus.net [2001:569:2:f::2e]
3     *        *        *     Request timed out.
4   224 ms    86 ms    61 ms  po9.mtl-1-6k.qc.ca [2607:5300::9c]
5    63 ms    63 ms    63 ms  2607:5300::1ca
6    62 ms    62 ms    62 ms  2607:5300::1c3
7     *        *        *     Request timed out.
8   142 ms     *      143 ms  vl5.vss-10b-6k.routers.ovh.net [2001:41d0::b1e]
9     *        *        *     Request timed out.
...
30     *        *        *     Request timed out.
Trace complete.

Here is the output of traceroute without the problem. In this case, I'm using my vpn connection.

You can see that the last hop before the host is within OVH.

C:\Users\VPN>tracert -6 v6.ipv6-test.com Tracing route to v6.ipv6-test.com [2001:41d0:8:e8ad::1] over a maximum of 30 hops:
 
1 20 ms 18 ms 18 ms fdda:d0d0:cafe:1194::
2 26 ms 29 ms 25 ms 2605:80:18::1
3 58 ms 49 ms 36 ms 2605:8c80:0:2::9
4 52 ms 39 ms 28 ms 2001:504:19::27
5 80 ms 53 ms 58 ms 100ge10-2.core1.sea1.he.net [2001:470:0:3ac::1]
6 72 ms 78 ms 70 ms 100ge11-1.core1.sjc2.he.net [2001:470:0:1fe::1]
7 * * * Request timed out.
8 106 ms 109 ms 120 ms be100-1365.lax-la1-bb1-a9.ca.us [2607:5300::36]
9 105 ms 105 ms 110 ms be100-1367.ash-1-a9.va.us [2607:5300::47]
10 * 95 ms * be100-1007.nwk-5-a9.nj.us [2607:5300::2]
11 176 ms 174 ms 168 ms be100-1298.ldn-5-a9.uk.eu [2607:5300::190]
12 189 ms * 188 ms 2001:41d0::10fe
13 194 ms 183 ms 187 ms po100.rbx-g2-a75.fr.eu [2001:41d0::b91]
14 182 ms * * vl7.vss-10b-6k.routers.ovh.net [2001:41d0::b92]
15 195 ms 199 ms 209 ms agaric.t0x.net [2001:41d0:8:e8ad::1]
 
Trace complete.

It looks like there is an intermittent problem within OVH or where their edge router connects to the network where the host is located.

Offline awebster

  • Sr. Member
  • ****
  • Posts: 356
  • Karma: +54/-0
    • View Profile
Re: IPv6-test.com
« Reply #9 on: August 07, 2017, 03:02:07 pm »
Intermittent for me too with native IPv6.  Personally, I use http://test-ipv6.com which gives me consistent results.
Do you really expect OVH to be properly hosting IPv6?  Other threads on this forum seem to indicate otherwise!
--A.

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
Re: IPv6-test.com
« Reply #10 on: August 07, 2017, 03:40:52 pm »
Intermittent for me too with native IPv6.  Personally, I use http://test-ipv6.com which gives me consistent results.
Do you really expect OVH to be properly hosting IPv6?  Other threads on this forum seem to indicate otherwise!
I agree that test-ipv6.com does give consistent results.

I have no expectations of OVH good or bad. Until now, I had never even heard of them.

Offline bimmerdriver

  • Sr. Member
  • ****
  • Posts: 509
  • Karma: +21/-3
    • View Profile
Re: IPv6-test.com
« Reply #11 on: November 26, 2017, 12:13:40 pm »
Just to provide an update on this. I did try reporting it to OVH. Their support organization support@ovh.ca did not reply to my emails so I phoned them. Hard as it is to believe, they told me to try reporting it to their abuse website. They said there might be better response. I did get a response, but as is plain to see, they still have not fixed the problem. I guess the lesson here is if you are looking for a company to host your website, don't use OVH. Their network is broken and their service sucks.

I guess the other lesson is to not bother using ipv6-test.com, because they apparently don't care about it working enough to select a hosting provider that provides a network that supports ipv6. They also don't reply to email. On the other hand, test-ipv6.com reliably works and the maintainer even responds to email.

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2311
  • Karma: +176/-9
    • View Profile
Re: IPv6-test.com
« Reply #12 on: November 29, 2017, 07:41:38 am »
Just to provide an update on this. I did try reporting it to OVH. Their support organization support@ovh.ca did not reply to my emails so I phoned them. Hard as it is to believe, they told me to try reporting it to their abuse website. They said there might be better response. I did get a response, but as is plain to see, they still have not fixed the problem. I guess the lesson here is if you are looking for a company to host your website, don't use OVH. Their network is broken and their service sucks.
..
Their (OVH) transit router replied to the ping, some routers before, and some afterwards (not OVH) didn't.

Not very related, but :
I don't know if OVH is a good host for a web site - I can't tell. I have some 10 web sites with them and several dedicated servers - never used comparable services else where for the last 10 years, so,. So, I can't compare  ;) Never contacted their commercial or technical support (ok, may once or twice in 10 years).  Of course, my sites are up with a pretty 99,999 % uptime for the mentioned time span.
Btw : replying to ICMP (ping) is important when IPv6 comes into play, for IPv4 it was less important.
It's said that OVH isn't following all 'official' guidelines concerning IPv6 implementation - this is probably true when we talk about them as an ISP, but on my dedicated servers, IPv6 (a classic /64 each) works great for the last several years. Same thing for the basic site hosting services.

True is that OVH is investing like no other company in networking, except for Google probably. See http://weathermap.ovh.net/#europe for Europe, USA and the rest.
When they have an issue like two weeks ago : 2 independent high tension lines went down (in theory, in France, not possible  ;D) AND a main backup diesel power supply  didn't start, all their boarding routers went down (my servers stayed up btw) and most of their data centers became unreachable. It create a huge hole on the Internet map ....
BIG == vulnerable.

edit : OVH is one of the companies that offered a "host a WordPress or commercial site yourself" for a coupe of a year. So, even my grandmother thought its was time to build her own site ... She neither wasn't aware that some knowledge was needed to actually 'run' a site and 'send that mail'  (and OVH wasn't and isn't selling knowledge ...).

edit2 : as johnpoz :
( I don't know why my navigators prefer IPv4 now, before switching to IPv6. Normally, they do it the other way around (I use he.net for IPv6). Whatever ...)
« Last Edit: November 29, 2017, 07:57:12 am by Gertjan »