
Topic: Multiple IPV6 Tunnels (Read 6443 times)


Offline joe_cowboy

Multiple IPV6 Tunnels
« on: January 24, 2012, 11:37:25 pm »
I have set up three IPv6 tunnels, one for each of my WAN interfaces, with HE tunnelbroker.net. I followed the pfSense guide.

The WAN one gateway comes up with no issues. The WAN1 and WAN2 gateways will not come online. I have deleted my tunnels with Tunnel Broker a few times and tried to set them up again. I have set up a BIND server with IPv6 working on my pfSense 2.1 router. I can do an nslookup on all three of my tunnel IPv6 addresses on any client or on the router, and they resolve to my account.

I do have the firewall rules set for each WAN interface to allow ICMP to the IP tunnelbroker.net uses.
I also set up Dynamic DNS for HE.net, and it does update my IP address for each WAN interface.

The DHCPv6 server is handing out IPv6 addresses to all clients just fine. I do have to manually set the IPv6 address for the gateway and DNS, pointing them to my pfSense router.

Another issue I have is that the client machines can ping the IPv6 gateway of the tunnel WAN, but when I do the IPv6 test it says I don't have an IPv6 address, so I can't load any IPv6 websites. Any ideas on how to resolve this issue too?

I have done the latest gitsync too. Thanks for all your help!

test-ipv6.com -- Test Summary:

Your IPv4 address on the public Internet appears to be xxx.xxx.xxx.xxx
No IPv6 address detected [more info]
The World IPv6 Launch day is June 6th, 2012. Good news! Your current browser, on this computer and at this location, are expected to keep working after the Launch. [more info]
When a publisher offers both IPv4 and IPv6, your browser appears to be happy to take the IPv4 site without delay.
Connections to IPv6-only sites are timing out. Any web site that is IPv6 only, will appear to be down to you.
Your DNS server (possibly run by your ISP) appears to have IPv6 Internet access.

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #1 on: January 26, 2012, 10:36:06 am »
I may be able to respond correctly to part of your question. Your pfSense box (router) should be configured to send router advertisements to the clients on the link. This is how they get the router's link-local address and know to use DHCPv6 to get an address for themselves. The addresses of DNS servers can be supplied with DHCPv6 or the RA. The RA includes the non-link-local address of the router in a Recursive DNS Server option (it does for me, anyway), but my clients seem to be ignoring it. DNS is configurable through DHCPv6 in pfSense on the DHCPv6 Server page. The configuration setting for RAs is at the top of the same page. Incidentally, my pfSense box sends accurate router advertisements (including the mentioned DNS option) even when RAs are disabled; can someone explain this? If you want your clients to use a non-link-local address of the router, you do have to manually configure them.

Also, (and I apologize for hijacking this thread slightly) would you mind being explicit about how you configured Dynamic DNS for he.net?  I've been bashing my head against a wall for about a week now trying to get that to work.  Any help would be much appreciated.

Thanks!

Offline joe_cowboy

Re: Multiple IPV6 Tunnels
« Reply #2 on: January 26, 2012, 12:48:46 pm »
I thought I had read in one of the IPv6 forum threads that they have the gateway and DNS addresses being handed out from the DHCPv6 server disabled right now? If that is not so, what RA mode are you using? I have Router Advertisements set to Assisted and also tried the Managed setting. I do have my DNS server's IPv6 address listed in one of the two input fields.

My client machines (Windows 7) are receiving an IPv6 address in the address range I set up on the DHCPv6 Server page, but as far as I can see they are not getting the DNS or gateway addresses handed to them, so I manually set them. It looks like the client is getting the link-local gateway address handed to it, but it's not exact:

Client states gateway:  fe80::aac9:adff:XXXX:dfb%10
pfSense states:         fe80::aac9:adff:XXXX:dfb%bridge0

Could this be the issue for clients not seeing IPv6 URLs? I set up the DHCPv6 server on the bridge interface because that is where I have my DHCP server set up too. pfSense could not ping6 the %10 address but could ping the %bridge0 one, and the client could not ping the %bridge0 address but could ping the %10 one.

On the DHCPv6 Server page, what do you put in the Prefix Delegation Range, if anything?

What about on the System: General Setup page:
Do you need to list the DNS Servers IPv6 address there too?  If so should you point it to one of the WAN IPv6 Tunnel Gateways?

As for setting up the Dynamic DNS for HE.net Tunnel:

Service type:             HE.net Tunnel Broker
Interface to monitor:   WAN
Hostname:                 Tunnel ID: 123456, which is the six-digit number found at the top of your IPv6 Tunnel page on tunnelbroker.net
Username:                 Username you log into tunnelbroker.net with
Password:                 Password you log into tunnelbroker.net with
Description:               HE.net WAN IP Update

Those settings above I have setup for WAN, WAN1 and WAN2 since I have three tunnels set up.

Still issues with WAN1 and WAN2 IPv6 Tunnel Gateways saying offline.  Thanks for your help.
« Last Edit: January 26, 2012, 02:23:38 pm by joe_cowboy »

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #3 on: January 26, 2012, 03:55:26 pm »
You may be right about the gateway and DNS options being nonfunctional. I'm using a different machine as a DHCPv6 server; pfSense is firewall/router only. To my knowledge DHCPv6 does not presently allow for providing the gateway address, so the field you mention must be an artifact. I'm using 2.1 and I don't see a gateway field on the DHCPv6 Server page.

Here is a Wireshark capture of a router advertisement being sent by my pfSense box:

No.     Time        Source                Destination           Protocol Length Info
    110 51.158149   fe80::203:47ff:fe72:33fc ff02::1               ICMPv6   142    Router Advertisement from 00:03:47:72:33:fc

Frame 110: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits)
Ethernet II, Src: Intel_72:33:fc (00:03:47:72:33:fc), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::203:47ff:fe72:33fc (fe80::203:47ff:fe72:33fc), Dst: ff02::1 (ff02::1)
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x42d3 [correct]
    Cur hop limit: 64
    Flags: 0xc0
        1... .... = Managed address configuration: Set
        .1.. .... = Other configuration: Set
        ..0. .... = Home Agent: Not set
        ...0 0... = Prf (Default Router Preference): Medium (0)
        .... .0.. = Proxy: Not set
        .... ..0. = Reserved: 0
    Router lifetime (s): 3600
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Source link-layer address : 00:03:47:72:33:fc)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: Intel_72:33:fc (00:03:47:72:33:fc)
    ICMPv6 Option (MTU : 1280)
        Type: MTU (5)
        Length: 1 (8 bytes)
        Reserved
        MTU: 1280
    ICMPv6 Option (Prefix information : fd00:ac10::/120)
        Type: Prefix information (3)
        Length: 4 (32 bytes)
        Prefix Length: 120
        Flag: 0xc0
        Valid Lifetime: 360000
        Preferred Lifetime: 360000
        Reserved
        Prefix: fd00:ac10:: (fd00:ac10::)
    ICMPv6 Option (Recursive DNS Server fd00:ac10::66)
        Type: Recursive DNS Server (25)
        Length: 3 (24 bytes)
        Reserved
        Lifetime: 900
        Recursive DNS Servers: fd00:ac10::66 (fd00:ac10::66)

As you can see, it provides the unique-local address of the router in the Recursive DNS Server option, which would work for you if you're running DNS Forwarding on the pfSense machine, if only the clients used the option. My clients appear to ignore it. As I said, I have RAs disabled on all my LAN interfaces and pfSense is still happily sending RAs like the one shown. I don't know what's going on there. Notice also that the Managed and Other flags are set, which means that clients that receive this advertisement will expect to get both their addresses and DNS server addresses through DHCPv6.

I'm not sure why you're bridging or why you would need to.  The zone ID is going to vary from host to host I think, so I'd expect it to be different.  I just tried pinging the link-local address of pfSense without specifying the zone ID and it worked fine (I had to add a new firewall rule to allow it through, though, so don't forget that).

Don't put anything in the prefix delegation fields unless you have another router downstream (which would indeed be a complex setup).

The DNS Servers on the General Setup are used like forwarders.  If you have DNS Forwarding enabled and pfSense hasn't already cached the address, pfSense passes DNS requests it receives on to these servers.  Since you're using HE, put 2001:470:20::2 in one of these fields.  I don't know if the ns#.he.net (# = 1-5) servers do recursion.  If not, they wouldn't be useful here.

Hope this helps!  Thanks for the Dynamic DNS info.  I'm going to try that now.
« Last Edit: January 26, 2012, 04:05:19 pm by mdpugh »

Offline joe_cowboy

Re: Multiple IPV6 Tunnels
« Reply #4 on: January 26, 2012, 04:14:59 pm »
Here is what the DHCPv6 Server page generates:

/var/dhcpd/etc/dhcpdv6.conf


option domain-name "localdomain";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
ddns-update-style none;
one-lease-per-client true;
deny duplicates;
ping-check true;
authoritative;
subnet6 2001:470:XXXX:2::/64 {
        option dhcp6.name-servers 2001:470:XXXX:2::1;
        range6 2001:470:XXXX:2::1000 2001:470:XXXX:2::FFFF;
        # Not supported in IPv6; option dhcp6.routers 2001:470:XXXX:2::1;
        option domain-name "pfSense.localdomain";
        option domain-search-list "";
        option dhcp6.name-servers 2001:470:XXXX:2::1;
}

As you can see, the dhcp6.routers option is commented out, and it does list the DNS server's IPv6 address (as I stated before, I installed the Bind97 package and set it up on my pfSense router).

Thanks for your help. So what would you suggest for settings, then?

The reason I have bridge0 set up is that I have a multiport LAN card and 2 USB Wi-Fi adapters in the router. I followed a guide on setting it up because I had issues with my clients not seeing one another on the bridge. I have another thread talking about the issues. Maybe you can look at that thread and see what you think of my last UPDATE post about issues with FTP. :)

http://forum.pfsense.org/index.php/topic,42811.msg237237.html#msg237237


Thanks again...
« Last Edit: January 26, 2012, 04:21:47 pm by joe_cowboy »

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #5 on: January 26, 2012, 04:39:41 pm »
I'm going to read your other thread before going any further to try to understand the bridge issue.  Each of my pfSense boxes has five interfaces in it so, naturally, having multiple interfaces doesn't by itself necessitate bridging.  So, I need to see why you're doing it to reply coherently.  In the meantime, have you captured any packets between the boxes to see exactly what pfSense is sending in its Router Advertisements, DHCPv6 Advertisements, and DHCPv6 Replies?

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #6 on: January 26, 2012, 06:19:58 pm »
OK.  I see what you're doing now.  I'm not sure that bridging would interfere with your problems in this thread, so the only thing I would suggest is getting one working flawlessly before proceeding to the next.  That's one advantage to having more than one machine providing these services--much easier to troubleshoot.

I thought you'd said you were running DNS on this box, but when I went back to make sure (albeit quickly), I couldn't find it.  At any rate, I guess you won't be needing DNS Forwarder, and I'm not sure what, if anything, Bind97 will do with the DNS Server fields in General Setup; I'm not familiar with Bind97 in particular.  It can't hurt to populate the fields though.  I've got mine set to 2001:470:20::2 and using the WAN_IPv6 gateway now, but it also worked before I selected a GW.  Since you've got more than one GW, pfSense may not default to this behavior, so it's probably best to use one of them.

The dhcpdv6.conf looks right to me.  The next thing I would do is capture a DHCPv6 Advertisement and see if it has the DNS server option included.  It wouldn't hurt to get a Solicitation too and make sure the clients are requesting it.  Windows clients request DNS by default, but you never know.  If you're right about the DNS option being disabled in pfSense for now, the fact that pfSense is generating a correct config file doesn't necessarily equate to advertising it on the link.  The Request and Reply messages also contain the DNS Server option, if you want to check those too.  You should be able to see where this is breaking down.  Wireshark has been the quintessential troubleshooting tool for me.
« Last Edit: January 26, 2012, 06:28:18 pm by mdpugh »

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #7 on: January 26, 2012, 06:33:05 pm »
Here's something else I'd try.  Run something like this on a Windows client and reply with your results:

PS C:\Windows\system32> netsh interface ipv6 show int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 16          10        1280  connected     Local Area Connection
 11          50        1280  disconnected  IP6Tunnel
 13          50        1280  disconnected  isatap.ComPughTerWorx.com
 18          10        1280  connected     Local Area Connection 2

PS C:\Windows\system32> netsh interface ipv6 show int 18

Interface Local Area Connection 2 Parameters
----------------------------------------------
IfLuid                             : ethernet_9
IfIndex                            : 18
State                              : connected
Metric                             : 10
Link MTU                           : 1280 bytes
Reachable Time                     : 34500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : enabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 64
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

PS C:\Windows\system32>

Offline joe_cowboy

Re: Multiple IPV6 Tunnels
« Reply #8 on: January 26, 2012, 09:38:56 pm »
I am running the BIND97 package (Name Server/DNS). So far it will resolve any IPv6 address and name using nslookup, even the local IPv6 addresses www6.pfsense.localdomain and ipv6.pfsense.localdomain, which I put in my zone records.


C:\Windows\system32> netsh interface ipv6 show int


Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
 13          64        1500  connected     Wireless Network Connection
 14          50        1280  disconnected  isatap.local
 15           5        1500  disconnected  Wireless Network Connection 2
 12          50        1280  connected     Teredo Tunneling Pseudo-Interface
 17          50        1280  disconnected  isatap.{17833B82-C5E9-4494-B44F-48984733BA06}
 19          50        1280  disconnected  isatap.{063A2798-F022-487E-A745-DD0A1BDE0E62}

C:\Windows\system32> netsh interface ipv6 show int 13

Interface Wireless Network Connection Parameters
----------------------------------------------
IfLuid                             : wireless_0
IfIndex                            : 13
State                              : connected
Metric                             : 64
Link MTU                           : 1500 bytes
Reachable Time                     : 20000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : disabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 64
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

« Last Edit: January 27, 2012, 09:59:18 am by joe_cowboy »

Offline joe_cowboy

Re: Multiple IPV6 Tunnels
« Reply #9 on: January 27, 2012, 10:48:10 am »
Wireshark capture:

12   0.699003   fe80::aac9:adff:fe39:dfb   ff02::1   ICMPv6   166   Router Advertisement from aa:c9:ad:39:0d:fb

Frame 12: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits)
Ethernet II, Src: aa:c9:ad:39:0d:fb (aa:c9:ad:39:0d:fb), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::aac9:adff:fe39:dfb (fe80::aac9:adff:fe39:dfb), Dst: ff02::1 (ff02::1)
Internet Control Message Protocol v6
  Type: Router Advertisement (134)
  Code: 0
  Checksum: 0xec6d [correct]
  Cur hop limit: 64
  Flags: 0xc0
    1... .... = Managed address configuration: Set
    .1.. .... = Other configuration: Set
    ..0. .... = Home Agent: Not set
    ...0 0... = Prf (Default Router Preference): Medium (0)
    .... .0.. = Proxy: Not set
    .... ..0. = Reserved: 0
  Router lifetime (s): 1800
  Reachable time (ms): 0
  Retrans timer (ms): 0
  ICMPv6 Option (Source link-layer address : aa:c9:ad:39:0d:fb)
    Type: Source link-layer address (1)
    Length: 1 (8 bytes)
    Link-layer address: aa:c9:ad:39:0d:fb (aa:c9:ad:39:0d:fb)
  ICMPv6 Option (Prefix information : 2001:470:2d8f:2::/64)
    Type: Prefix information (3)
    Length: 4 (32 bytes)
    Prefix Length: 64
    Flag: 0xc0
      1... .... = On-link flag(L): Set
      .1.. .... = Autonomous address-configuration flag(A): Set
      ..0. .... = Router address flag(R): Not set
      ...0 0000 = Reserved: 0
    Valid Lifetime: 2592000
    Preferred Lifetime: 604800
    Reserved
    Prefix: 2001:470:2d8f:2:: (2001:470:2d8f:2::)
  ICMPv6 Option (Recursive DNS Server 2001:470:2d8f:2::1)
    Type: Recursive DNS Server (25)
    Length: 3 (24 bytes)
    Reserved
    Lifetime: 900
    Recursive DNS Servers: 2001:470:2d8f:2::1 (2001:470:2d8f:2::1)
  ICMPv6 Option (DNS Search List Option pfSense.localdomain)
    Type: DNS Search List Option (31)
    Length: 4 (32 bytes)
    Reserved
    Lifetime: 900
    Domain Names: pfSense.localdomain
    Padding

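The two RA captures in this thread (Reply #3 and Reply #9) are the raw evidence for what the clients will do next. As an added example, not code from the original posts, from pfSense or from Wireshark, the following Python builds an RA with the same contents as the one in Reply #9 (source MAC, prefix, RDNSS and DNSSL values are taken from that capture; the checksum is left zero because it needs the IPv6 pseudo-header) and parses it back the way a host would, reporting the M/O/A flags a practitioner should check before blaming DHCPv6. The helper names build_ra, parse_ra and client_expectations are my own.

```python
import ipaddress
import struct

# ND message and option type codes (RFC 4861 for the header, prefix, MTU and
# link-layer options; RFC 8106 for RDNSS and DNSSL).
ND_ROUTER_ADVERT = 134
OPT_SLLA, OPT_PREFIX, OPT_MTU, OPT_RDNSS, OPT_DNSSL = 1, 3, 5, 25, 31

def encode_dns_name(name):
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def decode_dns_names(buf):
    """Inverse of encode_dns_name for a DNSSL body; the zero padding at the end is skipped."""
    names, labels, i = [], [], 0
    while i < len(buf):
        n, i = buf[i], i + 1
        if n == 0:
            if labels:
                names.append(".".join(labels))
                labels = []
            continue
        labels.append(buf[i:i + n].decode("ascii"))
        i += n
    return names

def build_ra(src_mac, ra_flags, router_lifetime, prefix, prefix_flags, rdnss, dnssl):
    """ICMPv6 payload of a Router Advertisement. The checksum is left 0: it covers the
    IPv6 pseudo-header, which this payload-only example does not carry."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, ra_flags, router_lifetime, 0, 0)
    opts = struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    opts += struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, prefix_flags,
                        2592000, 604800, 0) + net.network_address.packed
    opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 900)
    opts += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    body = struct.pack("!HI", 0, 900) + b"".join(encode_dns_name(n) for n in dnssl)
    pad = -(2 + len(body)) % 8                     # every ND option is a multiple of 8 bytes
    opts += struct.pack("!BB", OPT_DNSSL, (2 + len(body) + pad) // 8) + body + b"\x00" * pad
    return hdr + opts

def parse_ra(payload):
    """Decode the RA header flags and the options a host acts on."""
    typ, code, _csum, _hop, flags, life, _reach, _retrans = struct.unpack_from("!BBHBBHII", payload)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "router_lifetime": life,
          "slla": None, "mtu": None, "prefixes": [], "rdnss": [], "dnssl": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload) or payload[off + 1] == 0:
            raise ValueError("malformed ND option")   # RFC 4861: discard the packet
        otype, olen = payload[off], payload[off + 1]
        opt = payload[off:off + olen * 8]
        if len(opt) != olen * 8:
            raise ValueError("option runs past the end of the packet")
        if otype == OPT_SLLA:
            ra["slla"] = ":".join(f"{b:02x}" for b in opt[2:8])
        elif otype == OPT_PREFIX:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", opt, 2)
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(opt[16:32])}/{plen}",
                                   "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack_from("!I", opt, 4)[0]
        elif otype == OPT_RDNSS:
            ra["rdnss"] += [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(8, len(opt), 16)]
        elif otype == OPT_DNSSL:
            ra["dnssl"] += decode_dns_names(opt[8:])
        off += olen * 8
    return ra

def client_expectations(ra):
    """What a conforming host does with this RA (RFC 4861 M/O flags, RFC 4862 A flag)."""
    out = []
    if ra["managed"]:
        out.append("get an address from DHCPv6 (M flag)")
    out += [f"also self-configure a SLAAC address in {p['prefix']} (A flag)"
            for p in ra["prefixes"] if p["autonomous"]]
    if ra["other"]:
        out.append("get DNS and other options from DHCPv6 (O flag)")
    if ra["rdnss"]:
        out.append("may also use RDNSS " + ", ".join(ra["rdnss"]) + " if the OS implements RFC 8106")
    return out

# Constructed to match the RA captured in Reply #9: flags 0xc0, lifetime 1800,
# prefix 2001:470:2d8f:2::/64 with L+A set, RDNSS 2001:470:2d8f:2::1, DNSSL pfSense.localdomain.
RA_PAYLOAD = build_ra("aa:c9:ad:39:0d:fb", 0xC0, 1800, "2001:470:2d8f:2::/64", 0xC0,
                      ["2001:470:2d8f:2::1"], ["pfSense.localdomain"])

if __name__ == "__main__":
    decoded = parse_ra(RA_PAYLOAD)
    print(decoded)
    print("\n".join(client_expectations(decoded)))
```

One thing both captures show that the posts do not call out: the prefix option carries flag 0xc0, so the A (autonomous) bit is set alongside M and O in the RA header. A client will therefore form a SLAAC address in 2001:470:2d8f:2::/64 as well as asking DHCPv6 for one, which is worth remembering when reading ipconfig output and when writing firewall rules that assume every client address came from the DHCPv6 range.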
Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #10 on: January 27, 2012, 01:02:41 pm »
These seem correct at first glance.  Have you captured any of the DHCPv6 messages?

Offline joe_cowboy

Re: Multiple IPV6 Tunnels
« Reply #11 on: January 27, 2012, 08:38:12 pm »
What kind of messages do you want?  What are you wanting me to capture with WireShark?

Thanks again...

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #12 on: January 27, 2012, 09:39:32 pm »
Start with a DHCPv6 Solicit and its accompanying DHCPv6 Advertisement.  That's probably enough to see what's happening (or not).

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #13 on: January 28, 2012, 01:19:28 pm »
On a Windows client, type ipconfig /release6 in a PowerShell (or command prompt) window. Then start Wireshark capturing on an interface that will request an IPv6 address from pfSense. Return to PowerShell and type ipconfig /renew6. Stop the capture and examine the DHCPv6 messages between the machines. Post here if you like, or send me the capture file.

Offline mdpugh

Re: Multiple IPV6 Tunnels
« Reply #14 on: January 28, 2012, 07:34:47 pm »
Are you positive that the client is getting the IPv6 address from the server?  The client you ran ipconfig on should have an address ending in :ebcf provided you haven't released it since running Wireshark.  Here is what I'm not seeing: DHCPv6 Request and DHCPv6 Reply.  The fact that an Advertise message appears in response to each Solicit proves that your server is hearing your client.  The client is then supposed to respond to the Advertise with a Request and, finally, the server answers with a Reply.  The absence of the Request indicates to me that your client isn't responding (or responding properly) to the server.  But if the client is getting an IPv6 address from the server, then we have a more complicated scenario because it's responding to the Advertise only in part.  I'll have to do some digging to see at what point in the message/response sequence the client commits to the address.  There is enough information in the Advertise for the client to extract the offered address, but there is also enough for it to get the DNS server address, so why one and not the other?  No matter what, though, the client should be sending a Request and it isn't.
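Reply #13 describes how to capture the client's DHCPv6 exchange and Reply #14 explains which messages should appear and in what order. As an added example, not code from the original posts, from pfSense or from ISC dhcpd, the following Python builds the four messages of such an exchange and audits a captured sequence the way mdpugh does by eye: it reports what the server offered, what was actually committed, and where the Solicit/Advertise/Request/Reply sequence stops. The sample exchange is constructed: the DUIDs are made up, while the offered address 2001:470:2d8f:2::ebcf and the DNS server 2001:470:2d8f:2::1 follow the values discussed in the thread. The helper names are my own.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 8415).
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
NAME = {SOLICIT: "Solicit", ADVERTISE: "Advertise", REQUEST: "Request", REPLY: "Reply"}
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO = 1, 2, 3, 5, 6
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24

def opt(code, body):
    """One DHCPv6 option: 16-bit code, 16-bit length, body."""
    return struct.pack("!HH", code, len(body)) + body

def ia_na(iaid, addr=None):
    """IA_NA with IAID/T1/T2 and, once the server offers one, an IA_ADDR sub-option."""
    body = struct.pack("!III", iaid, 3600, 5400)
    if addr:
        body += opt(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", 604800, 2592000))
    return opt(OPT_IA_NA, body)

def message(mtype, xid, *options):
    """msg-type (1 byte) + transaction-id (3 bytes) + options."""
    return struct.pack("!I", (mtype << 24) | xid) + b"".join(options)

def parse_options(buf):
    opts, i = [], 0
    while i + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, i)
        opts.append((code, buf[i + 4:i + 4 + length]))
        i += 4 + length
    if i != len(buf):
        raise ValueError("option length runs past the end of the message")
    return opts

def parse_message(payload):
    return {"type": payload[0], "xid": int.from_bytes(payload[1:4], "big"),
            "options": parse_options(payload[4:])}

def first(opts, code):
    return next((body for c, body in opts if c == code), None)

def addresses_in(opts):
    """Addresses carried in IA_NA -> IA_ADDR (offered in Advertise, committed in Reply)."""
    return [str(ipaddress.IPv6Address(sub[:16]))
            for c, body in opts if c == OPT_IA_NA
            for sc, sub in parse_options(body[12:]) if sc == OPT_IAADDR]

def dns_in(opts):
    body = first(opts, OPT_DNS_SERVERS) or b""
    return [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body), 16)]

def audit_exchange(payloads):
    """Walk one client's captured DHCPv6 messages in order and report what was offered,
    what was committed, and where the Solicit/Advertise/Request/Reply sequence breaks."""
    msgs = [parse_message(p) for p in payloads]
    r = {"seen": [NAME.get(m["type"], str(m["type"])) for m in msgs], "offered": [],
         "dns_offered": [], "assigned": [], "dns_assigned": [], "problems": []}
    server = None
    for m in msgs:
        o = m["options"]
        if m["type"] == SOLICIT:
            oro = first(o, OPT_ORO) or b""
            if OPT_DNS_SERVERS not in struct.unpack("!%dH" % (len(oro) // 2), oro):
                r["problems"].append("Solicit does not ask for DNS servers (option 23) in its ORO")
        elif m["type"] == ADVERTISE:
            server = first(o, OPT_SERVERID)
            r["offered"] += addresses_in(o)
            r["dns_offered"] += dns_in(o)
        elif m["type"] == REQUEST:
            if first(o, OPT_SERVERID) != server:
                r["problems"].append("Request names a server other than the one that Advertised")
        elif m["type"] == REPLY:
            r["assigned"] += addresses_in(o)
            r["dns_assigned"] += dns_in(o)
    types = {m["type"] for m in msgs}
    if ADVERTISE in types and REQUEST not in types:
        r["problems"].append("client never sent a Request after the Advertise, so no lease is committed")
    if REQUEST in types and REPLY not in types:
        r["problems"].append("server never answered the Request with a Reply")
    if r["offered"] and not r["dns_offered"]:
        r["problems"].append("Advertise offers an address but carries no DNS servers option")
    return r

# Constructed sample: DUIDs are made up; the lease and DNS addresses follow the thread
# (range 2001:470:2d8f:2::1000-::ffff, DNS on 2001:470:2d8f:2::1, client address ending :ebcf).
CLIENT = opt(OPT_CLIENTID, b"\x00\x03\x00\x01" + bytes.fromhex("001122334455"))
SERVER = opt(OPT_SERVERID, b"\x00\x03\x00\x01" + bytes.fromhex("aac9ad390dfb"))
ORO = opt(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST))
DNS = opt(OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:470:2d8f:2::1").packed)
LEASE = "2001:470:2d8f:2::ebcf"
SOLICIT_MSG = message(SOLICIT, 0x1A2B3C, CLIENT, ia_na(0x0E0001), ORO)
ADVERTISE_MSG = message(ADVERTISE, 0x1A2B3C, SERVER, CLIENT, ia_na(0x0E0001, LEASE), DNS)
REQUEST_MSG = message(REQUEST, 0x4D5E6F, CLIENT, SERVER, ia_na(0x0E0001, LEASE), ORO)
REPLY_MSG = message(REPLY, 0x4D5E6F, SERVER, CLIENT, ia_na(0x0E0001, LEASE), DNS)
BROKEN_EXCHANGE = [SOLICIT_MSG, ADVERTISE_MSG]            # the pattern described in Reply #14
COMPLETE_EXCHANGE = [SOLICIT_MSG, ADVERTISE_MSG, REQUEST_MSG, REPLY_MSG]
```

Run audit_exchange on the messages pulled out of a capture (the UDP payloads on ports 546/547) in arrival order. The BROKEN_EXCHANGE case reproduces what Reply #14 describes: the Advertise carries both the address and the DNS option, so the server side is fine, and the only finding is that the client never committed with a Request. Note that in DHCPv6 the Request starts a new transaction-id; only the server's Advertise and Reply copy the id of the client message they answer.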