
Topic: WAN and LAN IPv6


pvexed
Re: WAN and LAN IPv6
« Reply #15 on: November 29, 2017, 03:38:21 pm »
Quote
If you look in Routing/Gateways, there should be two entries, one for IPv4 and one for IPv6; both are created automatically. Are they there?

Yes, they are both there, auto-named WAN_PPPOE and WAN_DHCP6. Both are set as default and both have "external" addresses set as the Monitor IP, and they are responding etc. as I'd expect in that regard.

I will try the track interface now.

pvexed
Re: WAN and LAN IPv6
« Reply #16 on: November 29, 2017, 03:44:15 pm »
OK, with Track Interface my WAN gets an IP in block 1 and my LAN gets no IPv6 address at all. It also causes my WAN to flap and constantly disconnect/reconnect until I remove the track interface.

marjohh
Re: WAN and LAN IPv6
« Reply #17 on: November 29, 2017, 03:51:03 pm »
OK, put it back as it was and do a ping from a device on the LAN side and see if you can ping pfSense's WAN IPv6 address.

pvexed
Re: WAN and LAN IPv6
« Reply #18 on: November 29, 2017, 04:03:16 pm »
Quote
OK, put it back as it was and do a ping from a device on the LAN side and see if you can ping pfSense's WAN IPv6 address.

Doesn't work unfortunately, same deal.

Here's the output of ip -6 route show on a client:
Code:
AAAA:XXXX:1:ZZZ:IPV6:IPV6:IPV6:IPV6:IPV6 dev wlp2s0 proto kernel metric 600 pref medium
AAAA:XXXX:1:ZZZ::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
default via fe80::1:1 dev wlp2s0 proto ra metric 600 pref medium

And ip -6 nei:
Code:
fe80::1:1 dev wlp2s0 lladdr 00:08:a2:no:no:no router STALE
AAAA:XXXX:1:ZZZ::1 dev wlp2s0 FAILED
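
A way to read the two listings above mechanically, as an added example that is not part of the thread: the script below parses `ip -6 route show` and `ip -6 neigh` output and reports when the default gateway, or an address inside a prefix the kernel treats as on-link, sits in NDP state FAILED. The sample output is constructed to mirror the client output above, with the documentation prefix 2001:db8:1:2::/64 standing in for the thread's AAAA:XXXX:1:ZZZ::/64 and a made-up MAC address. The tell-tale combination here is a STALE (i.e. previously resolved) entry for the link-local gateway next to a FAILED entry for the router's global address in the advertised prefix: the client can reach the router's link-local address, but nothing on the segment answers neighbor solicitations for the global address it was told is on-link.

```python
import ipaddress

# Constructed sample output standing in for the client output in the thread;
# the thread's AAAA:XXXX:1:ZZZ placeholder prefix is replaced by the
# documentation prefix 2001:db8:1:2 so the addresses parse as real IPv6.
SAMPLE_ROUTES = """\
2001:db8:1:2:7c1a:9f3e:5b2d:a11 dev wlp2s0 proto kernel metric 600 pref medium
2001:db8:1:2::/64 dev wlp2s0 proto ra metric 600 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 256 pref medium
fe80::/64 dev wlp2s0 proto kernel metric 600 pref medium
default via fe80::1:1 dev wlp2s0 proto ra metric 600 pref medium
"""

SAMPLE_NEIGH = """\
fe80::1:1 dev wlp2s0 lladdr 00:08:a2:00:00:01 router STALE
2001:db8:1:2::1 dev wlp2s0 FAILED
"""

# NUD states in which the kernel has, or recently had, a usable link-layer address.
USABLE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT", "NOARP"}


def parse_routes(text):
    """Parse `ip -6 route show` lines into dicts keyed by the iproute2 keywords."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        route = {"dst": tok[0]}
        for key in ("via", "dev", "proto", "metric"):
            if key in tok:
                route[key] = tok[tok.index(key) + 1]
        routes.append(route)
    return routes


def parse_neigh(text):
    """Parse `ip -6 neigh` lines; the NUD state is always the last token."""
    neigh = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        entry = {"state": tok[-1], "router": "router" in tok}
        if "lladdr" in tok:
            entry["lladdr"] = tok[tok.index("lladdr") + 1]
        neigh[tok[0]] = entry
    return neigh


def diagnose(routes, neigh):
    """Return human-readable findings about the client's next hops."""
    findings = []
    defaults = [r for r in routes if r["dst"] == "default"]
    if not defaults:
        findings.append("no default IPv6 route: no Router Advertisement has been accepted")
    for r in defaults:
        gw = r.get("via")
        entry = neigh.get(gw)
        if entry is None:
            findings.append(f"default gateway {gw}: no neighbor entry, never resolved")
        elif entry["state"] not in USABLE_STATES:
            findings.append(f"default gateway {gw}: NDP state {entry['state']}, router not answering on the link")
        elif not entry["router"]:
            findings.append(f"default gateway {gw}: resolved but not flagged as a router")
    # Prefixes the kernel treats as directly connected (no 'via' next hop).
    onlink = [ipaddress.ip_network(r["dst"]) for r in routes if "/" in r["dst"] and "via" not in r]
    for addr, entry in neigh.items():
        if entry["state"] in USABLE_STATES:
            continue
        ip = ipaddress.ip_address(addr)
        for net in onlink:
            if ip in net:
                findings.append(f"{addr} is on-link in {net} but NDP state is {entry['state']}: "
                                "nothing on the segment answers neighbor solicitations for it")
                break
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_routes(SAMPLE_ROUTES), parse_neigh(SAMPLE_NEIGH)):
        print(finding)
```

Run it against the real output of the two commands on an affected client; the only finding it should raise for a healthy segment is none at all.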

pvexed
Re: WAN and LAN IPv6
« Reply #19 on: November 29, 2017, 04:11:32 pm »
Also, if I do a packet capture on pfSense, Interface = LAN, Address Family = IPv6 Only, and run a ping from a LAN client to the WAN address, I see the packets coming in to pfSense:
Code:
22:08:57.887259 IP6 LAN_CLIENT_V6 > WAN_V6: ICMP6, echo request, seq 1, length 64

Seems they don't go any further than that though.

EDIT: Also did a packet capture on WAN and did a ping from a LAN client. I think I see the replies trying to get back to the LAN client and failing:
Code:
22:13:02.741919 IP6 WAN_V6 > LAN_CLIENT_V6: ICMP6, echo reply, seq 1, length 64
22:13:02.749090 IP6 fe80::V6_GATEWAY > LAN_CLIENT_V6: ICMP6, destination unreachable, unreachable address LAN_CLIENT_V6, length 112
« Last Edit: November 29, 2017, 04:16:37 pm by pvexed »

marjohh
Re: WAN and LAN IPv6
« Reply #20 on: November 29, 2017, 04:19:02 pm »
Can you take a look at your firewall logs and see what's happening there? You do have a default PASS on the LAN side for IPv6 I assume?

pvexed
Re: WAN and LAN IPv6
« Reply #21 on: November 29, 2017, 04:23:37 pm »
Quote
Can you take a look at your firewall logs and see what's happening there? You do have a default PASS on the LAN side for IPv6 I assume?

Yes, I have the "Default allow LAN IPv6 to any" rule enabled, and in fact this is a fairly new pfSense install; all the firewall rules are stock. I don't see any results under Firewall -> Normal View or Firewall -> Dynamic View for any of the v6 addresses involved while trying to ping.

marjohh
Re: WAN and LAN IPv6
« Reply #22 on: November 29, 2017, 05:27:40 pm »
Hmm, hate to say it, but I'm baffled :(

Let's hope someone else comes in with a fresh mind.

pvexed
Re: WAN and LAN IPv6
« Reply #23 on: November 30, 2017, 02:46:41 am »
Just looking at what my ISP said again, or at least part of it:
Quote
Just need to configure static route at WAN device for AAAA:XXXX:1:ZZZ::/64 pointing towards your LAN

Could that have anything to do with it, given that when I packet cap on the WAN I see this:
Code:
22:13:02.749090 IP6 fe80::V6_GATEWAY > LAN_CLIENT_V6: ICMP6, destination unreachable, unreachable address LAN_CLIENT_V6, length 112

That seems to be my ISP's gateway (at least its link-local address) saying that it can't reach the addresses on my LAN?
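
To pin down what the two captures (the LAN and WAN captures in reply #19, and the line quoted here) are actually showing, an added example that is not from the thread: the script below parses capture lines in the tcpdump-style format pfSense's packet capture page prints, lists echo requests that receive no reply within the same capture, and flags the pattern seen here, an echo reply addressed to a host inside the LAN prefix followed by an ICMPv6 destination unreachable from a link-local router. That pairing means the reply was forwarded out the WAN instead of onto the LAN, and the upstream router had no route back for the prefix, which is exactly the symptom of the LAN /64 being routed toward the wrong link. Addresses and the LAN prefix are constructed documentation values (2001:db8:...) in place of the thread's placeholders.

```python
import ipaddress
import re

# Delegated /64 that should live on the LAN (constructed; stands in for AAAA:XXXX:1:ZZZ::/64).
LAN_PREFIX = ipaddress.ip_network("2001:db8:1:2::/64")

# Constructed capture lines in the format pfSense's packet capture page prints;
# 2001:db8:1:1::2 plays the WAN address, 2001:db8:1:2:7c1a:... the LAN client,
# fe80::1 the ISP's link-local gateway.
LAN_CAPTURE = """\
22:08:57.887259 IP6 2001:db8:1:2:7c1a:9f3e:5b2d:a11 > 2001:db8:1:1::2: ICMP6, echo request, seq 1, length 64
"""
WAN_CAPTURE = """\
22:13:02.741919 IP6 2001:db8:1:1::2 > 2001:db8:1:2:7c1a:9f3e:5b2d:a11: ICMP6, echo reply, seq 1, length 64
22:13:02.749090 IP6 fe80::1 > 2001:db8:1:2:7c1a:9f3e:5b2d:a11: ICMP6, destination unreachable, unreachable address 2001:db8:1:2:7c1a:9f3e:5b2d:a11, length 112
"""

LINE = re.compile(r"^(?P<ts>\S+) IP6 (?P<src>\S+) > (?P<dst>\S+?): ICMP6, (?P<body>.+), length (?P<length>\d+)$")
SEQ = re.compile(r"seq (\d+)")
UNREACH = re.compile(r"^destination unreachable, unreachable address (?P<addr>\S+)")


def parse_icmp6(text):
    """Turn capture lines into dicts with a coarse 'kind' classification."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        p = m.groupdict()
        body = p["body"]
        seq = SEQ.search(body)
        p["seq"] = int(seq.group(1)) if seq else None
        unreach = UNREACH.match(body)
        if body.startswith("echo request"):
            p["kind"] = "request"
        elif body.startswith("echo reply"):
            p["kind"] = "reply"
        elif unreach:
            p["kind"] = "unreachable"
            p["unreachable_addr"] = unreach.group("addr")
        else:
            p["kind"] = "other"
        pkts.append(p)
    return pkts


def unanswered_requests(pkts):
    """Echo requests with no reply (swapped addresses, same seq) in the same capture."""
    replies = {(p["src"], p["dst"], p["seq"]) for p in pkts if p["kind"] == "reply"}
    return [(p["src"], p["dst"], p["seq"]) for p in pkts
            if p["kind"] == "request" and (p["dst"], p["src"], p["seq"]) not in replies]


def misrouted_replies(pkts, lan_prefix):
    """(client, upstream router) pairs where a reply to a LAN-prefix host was
    followed by 'destination unreachable' from a link-local router: the reply
    left via the upstream link instead of the LAN."""
    replied_to = {p["dst"] for p in pkts if p["kind"] == "reply"}
    hits = []
    for p in pkts:
        if p["kind"] != "unreachable":
            continue
        target = ipaddress.ip_address(p["unreachable_addr"])
        sender = ipaddress.ip_address(p["src"])
        if target in lan_prefix and sender.is_link_local and p["unreachable_addr"] in replied_to:
            hits.append((p["unreachable_addr"], p["src"]))
    return hits


if __name__ == "__main__":
    print("unanswered on LAN:", unanswered_requests(parse_icmp6(LAN_CAPTURE)))
    print("bounced upstream:", misrouted_replies(parse_icmp6(WAN_CAPTURE), LAN_PREFIX))
```

The LAN-side capture only ever shows the request, because the reply never comes back through the LAN interface; the WAN-side capture shows where it went instead. Checking both sides of the firewall is what turns "ping doesn't work" into "the route for the LAN prefix points at the wrong interface".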

pvexed
Re: WAN and LAN IPv6
« Reply #24 on: November 30, 2017, 03:22:28 am »
I made some further progress but it's still not 100%.

I noticed in Diagnostics -> Routes that AAAA:XXXX:1:ZZZ::/64 was being given a route on the same link as AAAA:XXXX:1:YYY::/64, even when I didn't have ZZZ defined on my LAN or anything. This made me think that maybe my ISP's DHCP was adding this route, which was perhaps confusing pfSense.

So instead I turned off IPv6 on the WAN, and deleted the gateway for IPv6.  Then I made a new gateway with the ISP link-local address and with the IPv6 over IPv4 link checkbox checked.  Then I statically assigned the old IPv6 address my WAN had to the WAN and set that as the gateway.  WAN came back up and didn't look any different than before (pings/traceroutes from pfSense to internet working as expected). 

I checked Diagnostics -> Routes and I can see there's no route for ZZZ block, as expected.  So then I added ZZZ block to LAN as before, and still with upstream gateway set to none, so essentially exactly the same config.  After checking Diagnostics -> Routes now I can see ZZZ block has a route via the LAN port and not the PPPoE link.

Fundamentally, IPv6 now works on LAN clients; I can go to https://ipv6.google.com without issue on LAN clients. But something is still broken. All pings and traceroutes stop at the pfSense box. For example:
Code:
tracert -6 google.com

Tracing route to google.com [2a00:1450:4009:812::200e]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  pfsense.lan.xxxxx [AAAA:XXXX:1:ZZZ::1]

Trace complete.

marjohh
Re: WAN and LAN IPv6
« Reply #25 on: November 30, 2017, 04:11:35 am »
This is beginning to sound like my system. I have a PPPoE connection that negotiates on v4, then v6 is routed via the PPPoE link; my addresses are all static, although I can use dhcp6.

When you say you cannot ping the LAN client, are you trying to ping it from the WAN?

pvexed
Re: WAN and LAN IPv6
« Reply #26 on: November 30, 2017, 04:30:40 am »
So now on the LAN client I can ping the IPv6 LAN static IP (ZZZ block).  But also if I try to ping any other IPv6 address, it just terminates at that address (the IP statically assigned to the LAN).

Here's some examples from a LAN client:
Code:
ping -6 AAAA:XXXX:1:ZZZ::1

Pinging 2a01:5d00:1:6ed::1 with 32 bytes of data:
Reply from AAAA:XXXX:1:ZZZ::1: time<1ms
Reply from AAAA:XXXX:1:ZZZ::1: time<1ms
Reply from AAAA:XXXX:1:ZZZ::1: time<1ms
Reply from AAAA:XXXX:1:ZZZ::1: time<1ms

Ping statistics for AAAA:XXXX:1:ZZZ::1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

So far so good.

Code:
ping -6 google.com

Pinging google.com [2a00:1450:4009:812::200e] with 32 bytes of data:
Reply from 2a00:1450:4009:812::200e: time<1ms
Reply from 2a00:1450:4009:812::200e: time<1ms
Reply from 2a00:1450:4009:812::200e: time<1ms
Reply from 2a00:1450:4009:812::200e: time<1ms

Ping statistics for 2a00:1450:4009:812::200e:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

That doesn't look right; the ping to my ISP's gateway is about 7ms. On traceroute we see:
Code:
tracert -6 google.com

Tracing route to google.com [2a00:1450:4009:812::200e]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  pfsense.lan.xxxxx [AAAA:XXXX:1:ZZZ::1]

Trace complete.

This obviously isn't correct and it seems like very strange behaviour. Everything destined for somewhere not inside AAAA:XXXX:1:ZZZ::/64 seems to "terminate" at pfSense, and yet the LAN clients can use IPv6-only websites and connect to services on the public internet over IPv6.

From the outside, trying to traceroute one of the LAN IPv6 addresses from the public internet, I see that the last hop before it's unable to continue is my WAN IPv6 (not my LAN).

From inside the LAN, trying to connect or ping another LAN client over IPv6 works as I'd expect - it's direct and through the switch with no communication with pfSense.

To answer your question - if I try to ping a LAN client from Diagnostics -> Ping with source address set to WAN, this appears to work.
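
As an added example that is not part of the thread, a small checker for the Windows `tracert -6` and `ping -6` output shown above. It parses the hop and reply lines and flags the two things that output exhibits: a trace that reports "Trace complete." at a hop whose address is not the target, and round trips below the 1 ms display floor to an address that is not on any local prefix, which cannot be real replies from a host several hops away. The LAN prefix, hostname and router address are constructed placeholders (2001:db8:1:2::/64 in place of the thread's AAAA:XXXX:1:ZZZ::/64); the target address is the one the thread shows.

```python
import ipaddress
import re

# Constructed Windows tracert/ping output modelled on the thread; 2001:db8:1:2::1
# stands in for the thread's AAAA:XXXX:1:ZZZ::1, the target is the thread's own.
SAMPLE_TRACERT = """\
Tracing route to google.com [2a00:1450:4009:812::200e]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  pfsense.lan.example [2001:db8:1:2::1]

Trace complete.
"""
SAMPLE_PING = """\
Pinging google.com [2a00:1450:4009:812::200e] with 32 bytes of data:
Reply from 2a00:1450:4009:812::200e: time<1ms
Reply from 2a00:1450:4009:812::200e: time<1ms
"""
LOCAL_PREFIXES = [ipaddress.ip_network("2001:db8:1:2::/64")]  # the LAN's own /64 (constructed)

HEADER = re.compile(r"^Tracing route to .*\[(?P<target>[0-9a-fA-F:]+)\]")
HOP = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<r1>\*|<?\d+ ms)\s+(?P<r2>\*|<?\d+ ms)\s+(?P<r3>\*|<?\d+ ms)\s+(?P<rest>.+?)\s*$")
PING_HDR = re.compile(r"^Pinging .*\[(?P<target>[0-9a-fA-F:]+)\]")
PING_REPLY = re.compile(r"^Reply from (?P<src>[0-9a-fA-F:]+): time(?P<rtt>[<=]\d+)ms")


def rtt_ms(field):
    """'<1 ms' -> 0.5 (below the 1 ms display floor), '12 ms' -> 12.0, '*' -> None."""
    if field == "*":
        return None
    num = field.split()[0]
    return 0.5 if num.startswith("<") else float(num)


def parse_tracert(text):
    target, hops, complete = None, [], False
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            target = h.group("target")
            continue
        m = HOP.match(line)
        if m:
            addr_m = re.search(r"\[([^\]]+)\]$", m.group("rest"))
            addr = addr_m.group(1) if addr_m else m.group("rest")
            rtts = [rtt_ms(m.group(k)) for k in ("r1", "r2", "r3")]
            hops.append({"hop": int(m.group("hop")), "addr": addr, "rtts": rtts})
        if line.strip() == "Trace complete.":
            complete = True
    return {"target": target, "hops": hops, "complete": complete}


def parse_ping(text):
    target, replies = None, []
    for line in text.splitlines():
        h = PING_HDR.match(line)
        if h:
            target = h.group("target")
        r = PING_REPLY.match(line)
        if r:
            # Normalise 'time<1ms' / 'time=7ms' into the tracert-style field rtt_ms expects.
            replies.append({"src": r.group("src"), "rtt": rtt_ms(r.group("rtt").lstrip("=") + " ms")})
    return {"target": target, "replies": replies}


def is_local(addr, local_prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_prefixes)


def check_trace(trace, local_prefixes):
    findings = []
    if not trace["hops"]:
        return ["no hops answered"]
    last = trace["hops"][-1]
    if trace["complete"] and last["addr"] != trace["target"]:
        findings.append(f"trace ends at {last['addr']} but target is {trace['target']}: "
                        "something other than the target answered the final probe")
    measured = [r for h in trace["hops"] for r in h["rtts"] if r is not None]
    if measured and not is_local(trace["target"], local_prefixes) and max(measured) < 1:
        findings.append(f"all RTTs to off-link target {trace['target']} are below 1 ms: "
                        "replies are coming from the local segment, not from the target")
    return findings


def check_ping(ping, local_prefixes):
    findings = [f"reply from {r['src']} instead of {ping['target']}"
                for r in ping["replies"] if r["src"] != ping["target"]]
    rtts = [r["rtt"] for r in ping["replies"]]
    if rtts and not is_local(ping["target"], local_prefixes) and max(rtts) < 1:
        findings.append(f"all RTTs to off-link target {ping['target']} are below 1 ms")
    return findings


if __name__ == "__main__":
    print(check_trace(parse_tracert(SAMPLE_TRACERT), LOCAL_PREFIXES))
    print(check_ping(parse_ping(SAMPLE_PING), LOCAL_PREFIXES))
```

The reason the two checks are kept separate from the parsers is that the same symptom (a box in the path answering ICMPv6 echo on behalf of every address beyond it) shows up differently in the two tools: tracert declares the trace finished after one hop, ping reports the right source address but an impossible round trip time. Either on its own is easy to dismiss; together they say the firewall, not the far end, is generating the replies.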

marjohh
Re: WAN and LAN IPv6
« Reply #27 on: November 30, 2017, 04:35:35 am »
When pinging from the outside in, you'll need to have a rule set up to allow that. All inbound traffic is blocked by default, apart from that which is of course in response to an outbound request.

pvexed
Re: WAN and LAN IPv6
« Reply #28 on: November 30, 2017, 04:42:15 am »
Quote
When pinging from the outside in, you'll need to have a rule set up to allow that. All inbound traffic is blocked by default, apart from that which is of course in response to an outbound request.

Sorry, of course; I've been messing with this IPv6-specific stuff for so long now I forget the easy stuff. A rule added on WAN to allow ICMP echorep/echoreq when destination = LAN net has solved traceroute/ping from the outside. So now the only remaining issue is traceroute/ping from the inside, which is really weird.

marjohh
Re: WAN and LAN IPv6
« Reply #29 on: November 30, 2017, 04:45:36 am »
Try pinging this address and see what you get.

2001:41c1:4008::bbc:1