
Author Topic: IPv6 testing  (Read 62234 times)


Offline Koen Zomers

  • Full Member
  • ***
  • Posts: 152
Re: IPv6 testing
« Reply #165 on: February 11, 2011, 10:11:05 am »
Another question for who might be able to answer it. My traffic logs are now flooded with local LAN IPv6 traffic. Check the attached screenshot. I wonder why. If I do a trace on any of these machines towards the other (which are both on the same physical network and within the same /64 block), it always reaches it directly and not via the pfSense gateway. How come this pfSense gateway does pick up the packet from the LAN anyway and list it as being blocked in the logs?

...

@iFloris, I am experiencing some oddities in my network traffic. I can ping everything without any problems, packet loss or delays (both IPv4 and IPv6), but connecting to IPv6 hosts with e.g. Remote Desktop takes a long time, even with hosts on the same physical network. When I enter the IPv4 address of the host it connects directly. I do notice that the IPv6 gateway being used is the fe80:: address of the pfSense box. It does not seem to advertise its normal IPv6 address. Does this work fine at your setup? I'm guessing I maybe need to put in some manual RTADVD commands to advertise the gateway, not sure if it's needed though.

Found the problem! After going through the logs from pfSense I noticed traffic originating from two hosts kept being logged: my two Microsoft domain controllers! And those are the only two with static IPv6 addresses. Taking a closer look at their netsh int ipv6 config, I noticed routerdiscovery was set to disabled. This caused Windows not to create a /64 routing entry for itself in the routing table. That in turn caused every incoming IPv6 LAN packet to be delivered directly, thus not showing any oddities in the traceroutes from my clients, but outgoing IPv6 packets from both domain controllers to be routed to the pfSense router first. pfSense in turn blocked all these LAN-to-LAN packets. That explains why everything is slow... they all try to communicate with the domain controllers for authorization to access the sources. This caused the wildest problems: Microsoft DFS being extremely slow, Outlook being able to communicate with Exchange but the Send on Behalf of function no longer working, Remote Desktop not connecting over IPv6, etc. I now turned routerdiscovery on again, added a static reservation entry in the Windows DHCPv6 server and all works fluently and fast again. Man I love IT... everything relates to everything.
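The routing behaviour described in this post, as an added example (not the poster's code): a host-side longest-prefix-match lookup run with and without the on-link /64 that router discovery would normally install. The prefix 2001:db8:1::/64, the addresses and the gateway's link-local address are constructed stand-ins for the poster's LAN.

```python
# Added example: why a host without an on-link /64 route sends same-LAN IPv6
# traffic to the gateway, where pfSense then logs it as blocked LAN-to-LAN.
from ipaddress import ip_address, ip_network

# Constructed sample values (documentation prefix, not the poster's network).
LAN_PREFIX = ip_network("2001:db8:1::/64")
GATEWAY_LL = ip_address("fe80::1")           # pfSense link-local, made up
DC_ADDR = ip_address("2001:db8:1::10")       # domain controller, static address
CLIENT_ADDR = ip_address("2001:db8:1::200")  # client on the same LAN


def routing_table(router_discovery):
    """Return (prefix, next_hop) entries; next_hop None means on-link.

    With router discovery enabled, the Router Advertisement installs the LAN
    /64 as on-link. With it disabled (the domain controllers' state in the
    post), the host is assumed to carry only a static default route.
    """
    table = [(ip_network("::/0"), GATEWAY_LL)]
    if router_discovery:
        table.append((LAN_PREFIX, None))
    return table


def next_hop(table, dst):
    """Longest-prefix match: the most specific matching entry wins."""
    best = None
    for prefix, hop in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    return best[1] if best else None


def first_hop_description(router_discovery, dst):
    """Human-readable first hop for a packet to dst from this host."""
    hop = next_hop(routing_table(router_discovery), dst)
    return "direct (on-link)" if hop is None else f"via {hop}"


if __name__ == "__main__":
    for rd in (True, False):
        state = "enabled" if rd else "disabled"
        print(f"routerdiscovery={state}: DC {DC_ADDR} -> client {CLIENT_ADDR} "
              f"goes {first_hop_description(rd, CLIENT_ADDR)}")
```

With router discovery disabled the reply from the domain controller is handed to the gateway even though the client is on-link, which is exactly the asymmetric path the traceroutes from the clients did not reveal.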

Offline Koen Zomers

  • Full Member
  • ***
  • Posts: 152
Re: IPv6 testing
« Reply #166 on: February 11, 2011, 10:16:33 am »
Quote
Nope, it's already listed like the Captive portal. Captive portal won't work without kernel work, so that's end of the year at its earliest.

IPsec should work after some GUI modifications.

I just wanted to play a bit with the captive portal. No real need to use it. I'll use WPA2-Enterprise on my DLink DIR655 in combination with the Microsoft Network Policy Server in Windows 2008 R2 now, which provides RADIUS authentication against Microsoft Active Directory. This allows logging in securely to your WLAN using your Windows domain credentials. Works like a charm. As said in an earlier post... I'm a Microsoft man 8)

By the way, if there are more Microsoft fanatics out here who'd like to hook pfSense up to Microsoft Active Directory for authentication to e.g. the webGUI, I can confirm this to work correctly as well with the Network Policy Server in Windows 2008 R2 configured as RADIUS server. Sweet!

I'll keep an eye on the gitsync updates for the IPSec update for IPv6. Would be lovely.
« Last Edit: February 11, 2011, 10:21:35 am by Koen Zomers »

Offline Cino

  • Hero Member
  • *****
  • Posts: 1051
Re: IPv6 testing
« Reply #167 on: February 11, 2011, 11:47:18 am »
Quote
Without link-local addresses you cannot connect to the DHCP server. What is most likely here is that I am missing a rule that allows access to the DHCP server.

Been watching my firewall log and figured I would make some rules to allow the link-local addresses... Looking up some of the ports, this is what I currently have on my LAN interface for firewall rules... What do you guys think?

Edit: I changed fe80::/1 to fe80::/10 in my rules and changed the DHCPv6 rule to UDP only... When I ran 'pfctl -sr', I see there are some DHCPv6 rules with the destination as the LAN address.


« Last Edit: February 11, 2011, 04:11:54 pm by Cino »

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your lucky day, if you only knew.
Re: IPv6 testing
« Reply #168 on: February 11, 2011, 04:53:04 pm »
I would like to note that I am open for donations to my Paypal account on seth.mos@dds.nl.

I'm coding the features I need for the company I work for first, but if anyone has something they want to see sooner there is always an opening for persuasion.


Offline |DSI|

  • Newbie
  • *
  • Posts: 12
Re: IPv6 testing
« Reply #169 on: February 12, 2011, 02:44:54 pm »
I have now received native IPv6 connectivity from my ISP.

I am using Link Aggregation on the WAN interface. IPv4 works fine on the LAGG interface but I have trouble configuring IPv6 on the LAGG interface.
It seems that there is a problem with setting the IPv6 default route on the LAGG interface, because Diagnostics->Routes shows this output under IPv6:
Quote
default    2a01:260:XXXX::d    UGS    0    2937    1500    em0

For IPv4 it shows this
Quote
default    89.212.0.1    UGS    0    663297    1500    lagg0

So I assume that under IPv6 default route, interface should also be lagg0, not em0?
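A small check for the symptom in this post, added here and not part of the poster's or the pfSense project's code: parse the two route lines quoted above and flag a default route bound to a LAGG member port instead of the aggregate. The LAGG membership (em0 and em1 under lagg0) is an assumption, since the post does not list the members.

```python
# Added example: flag default routes whose Netif is a LAGG member port rather
# than the lagg interface itself, using netstat -rn style columns
# (Destination Gateway Flags Refs Use Mtu Netif).

# Constructed sample: the two lines quoted in the post, joined into one table.
ROUTE_LINES = """\
default    2a01:260:XXXX::d    UGS    0    2937    1500    em0
default    89.212.0.1    UGS    0    663297    1500    lagg0
"""
# Assumed LAGG membership; the post does not state which ports make up lagg0.
LAGG_MEMBERS = {"lagg0": {"em0", "em1"}}


def parse_routes(text):
    """Return one dict per route line; lines with too few columns are skipped."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 7:
            continue
        dest, gw, flags, _refs, _use, mtu, netif = cols[:7]
        # A colon in the gateway column distinguishes the IPv6 table.
        family = 6 if ":" in gw else 4
        routes.append({"dest": dest, "gateway": gw, "flags": flags,
                       "mtu": int(mtu), "netif": netif, "family": family})
    return routes


def default_route_problems(routes, lagg_members):
    """Report default routes that point at a member port of a LAGG."""
    member_of = {m: lagg for lagg, members in lagg_members.items() for m in members}
    problems = []
    for r in routes:
        if r["dest"] != "default":
            continue
        if r["netif"] in member_of:
            problems.append(f"IPv{r['family']} default route via {r['gateway']} "
                            f"is bound to {r['netif']}, expected {member_of[r['netif']]}")
    return problems


if __name__ == "__main__":
    for problem in default_route_problems(parse_routes(ROUTE_LINES), LAGG_MEMBERS):
        print(problem)
```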

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your lucky day, if you only knew.
Re: IPv6 testing
« Reply #170 on: February 13, 2011, 03:52:25 am »
Yes, that should also have been lagg0. Since I don't have anything here that's lagg capable I'd need to search. What's odd though is that the default route path for v4 and v6 is exactly the same.

I can only guess that the parent interface is used in another piece of code, causing it to fail. Hmmm. Can you send me a sanitized config.xml to my email address seth.mos@dds.nl?

That's probably the only way to find out. You can safely strip the aliases and rules. I won't need a password as I'll just reset that. How many interfaces does this box have?

Offline |DSI|

  • Newbie
  • *
  • Posts: 12
Re: IPv6 testing
« Reply #171 on: February 13, 2011, 09:26:37 am »
Email with details sent!

Offline Koen Zomers

  • Full Member
  • ***
  • Posts: 152
Re: IPv6 testing
« Reply #172 on: February 14, 2011, 02:36:37 am »
@databeestje, small bug found in the Easy Rule feature in the firewall logs. When I click to create an Easy Rule from a denied firewall rule regarding IPv6 traffic, it gets added as an IPv4 rule.

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your lucky day, if you only knew.
Re: IPv6 testing
« Reply #173 on: February 14, 2011, 01:05:39 pm »
I've noticed that; I'm currently stuck at work with a Cisco 1841 though that needs to do 4-wire SHDSL and isn't cooperating.

Added to the list

I've added some code, no idea if it works, have not tested, coded blind.
« Last Edit: February 14, 2011, 03:30:54 pm by databeestje »

Offline Koen Zomers

  • Full Member
  • ***
  • Posts: 152
Re: IPv6 testing
« Reply #174 on: February 15, 2011, 02:20:36 am »
Quote
Added to the list

I've added some code, no idea if it works, have not tested, coded blind.

Thanks! I'll give it a try in about an hour and let you know if it works. Downloading some stuff now, so can't use the reboot at the moment ;)

Offline skorge

  • Jr. Member
  • **
  • Posts: 36
Re: IPv6 testing
« Reply #175 on: February 15, 2011, 03:21:22 am »
Hi,

And thanks for the work being done on IPv6! I upgraded to RC1 yesterday and got an HE tunnel up and running pretty soon after.

One thing I noticed: after upgrading to RC1 and then doing the gitsync, the version under System Information went back to BETA-5. I guess that's just a cosmetic fix, but I wanted to point it out.

Thanks again for all the effort being put in to this.

Regards
skorge

Offline databeestje

  • Administrator
  • Hero Member
  • *****
  • Posts: 1048
  • It just might be your lucky day, if you only knew.
Re: IPv6 testing
« Reply #176 on: February 15, 2011, 03:31:50 am »
Not that it matters much; other show stoppers prevented an RC release, so the tree is back to BETA5 anyway.

Offline Koen Zomers

  • Full Member
  • ***
  • Posts: 152
Re: IPv6 testing
« Reply #177 on: February 15, 2011, 05:28:54 am »
Quote
Added to the list

I've added some code, no idea if it works, have not tested, coded blind.

Thanks! I'll give it a try in about an hour and let you know if it works. Downloading some stuff now, so can't use the reboot at the moment ;)

I can confirm it to be fixed! Good job!

Offline |DSI|

  • Newbie
  • *
  • Posts: 12
Re: IPv6 testing
« Reply #178 on: February 15, 2011, 11:26:08 am »
When creating a firewall rule, would it be possible to add the option "Both" to TCP/IP Version, so that the firewall rule would apply to both IPv4 and IPv6?

Offline GrandmasterB

  • Jr. Member
  • **
  • Posts: 30
Re: IPv6 testing
« Reply #179 on: February 15, 2011, 12:54:33 pm »

Another little bug for the todo-list:

- When running the dhcpv6d server without specifying an IPv6 DNS option, dhcpv6d will fail to start if you have not specified an IPv6 DNS server for the pfSense box itself (System: General Setup).