dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
24008

plencnerb
Premium Member
join:2000-09-25
53403-1242

2 edits

plencnerb

Premium Member

[IPv6] Issues with IPv6 and pfsense [SOLVED]

I figured it was time to start a new thread on the issues I'm having with getting pfsense configured to work with Comcast in regards to IPv6.

So, this post will be short, as it is just the introduction.

The next few posts will go into more detail. I've done it this way to help break up the different sections, and hopefully, help troubleshoot the issue at hand.

Basic information about my setup

1) Cable Modem:
Vendor: Arris
Model: TM722G/CT
Firmware Name: TS070463A_011312_MODEL_7_8_SIP_PC20
Firmware Build Time: Fri Jan 13 19:51:18 EST 2012

2) Computer
Self-Built desktop running Windows 7 x64 Enterprise

3) Location
Carpentersville, IL.

EDIT 12/11/2012 @ 9:19 AM
Turns out I had to modify the default WAN Configuration setting from for IPv6 Configuration Type from "Track Interface" to "DHCP6".

Everything is now working as it should be.



--Brian
plencnerb

1 edit

plencnerb

Premium Member

Re: [IPv6] Issues with IPv6 and pfsense

Click for full size
Picture #1
Click for full size
Picture #2
Click for full size
Picture #3
So for starters, I wanted to document my testing to show that IPv6 does work for me, when I connect my desktop directly to my cable modem.

For these tests, I connected my desktop directly to my cable modem, after doing a reset on both (desktop was powered off, cable modem was reset using the little pin hole in the back).

Once that was complete, I ran an "ipconfig/all". Those results are below

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  
C:\Users\Brian A. Plencner>ipconfig /all
  
Windows IP Configuration
  
   Host Name . . . . . . . . . . . . : BRIAN-DESKTOP
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : hsd1.il.comcast.net.
  
Ethernet adapter Local Area Connection:
  
   Connection-specific DNS Suffix  . : hsd1.il.comcast.net.
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : F4-6D-04-F0-32-43
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:558:6033:ad:18b2:dcdb:2418:a1ad(Preferred)
   Lease Obtained. . . . . . . . . . : Monday, December 10, 2012 6:34:58 AM
   Lease Expires . . . . . . . . . . : Friday, December 14, 2012 6:34:57 AM
   Link-local IPv6 Address . . . . . : fe80::34c8:339c:31d4:729b%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 67.184.208.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Monday, December 10, 2012 6:34:55 AM
   Lease Expires . . . . . . . . . . : Monday, December 10, 2012 7:31:16 AM
   Default Gateway . . . . . . . . . : fe80::201:5cff:fe3d:4e41%11
                                       67.184.208.1
   DHCP Server . . . . . . . . . . . : 69.252.202.7
   DHCPv6 IAID . . . . . . . . . . . : 250899716
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-26-E4-53-F4-6D-04-F0-32-43
   DNS Servers . . . . . . . . . . . : 2001:558:feed::1
                                       2001:558:feed::2
                                       75.75.75.75
                                       75.75.76.76
   NetBIOS over Tcpip. . . . . . . . : Enabled
  
Tunnel adapter isatap.hsd1.il.comcast.net.:
  
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : hsd1.il.comcast.net.
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
  
Tunnel adapter Teredo Tunneling Pseudo-Interface:
  
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:4b:3355:bc47:2ff4(Preferred)
   Link-local IPv6 Address . . . . . : fe80::4b:3355:bc47:2ff4%13(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled
  
C:\Users\Brian A. Plencner>
 
 

Next, I ran the following command: "netsh int ipv6 show addr". I did this just to verify the information I was seeing from the ipconfig command.

C:\Users\Brian A. Plencner>netsh int ipv6 show addr
  
Interface 1: Loopback Pseudo-Interface 1
  
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Preferred     infinite   infinite ::1
  
Interface 12: isatap.hsd1.il.comcast.net.
  
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Deprecated    infinite   infinite fe80::200:5efe:67.184.208.11%12
  
Interface 13: Teredo Tunneling Pseudo-Interface
  
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred     infinite   infinite 2001:0:9d38:953c:4b:3355:bc47:2ff4
Other      Preferred     infinite   infinite fe80::4b:3355:bc47:2ff4%13
  
Interface 11: Local Area Connection
  
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Dhcp       Preferred     3d23h59m   3d23h59m 2001:558:6033:ad:18b2:dcdb:2418:a1ad
Other      Preferred     infinite   infinite fe80::34c8:339c:31d4:729b%11
  
C:\Users\Brian A. Plencner>
 
 

So far, things were looking good.

Then, using Waterfox I went to the following three web pages

• »test-ipv6.com/
• »test-ipv6.comcast.net/
• »ipv6.speedtest.comcast.net/

The results of these are shown above as Picture #1, #2, and #3, respectively.

As a final verification, I ran some more tests from the command prompt.

nslookup commands

C:\Users\Brian A. Plencner>nslookup www.comcast.net
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
  
Non-authoritative answer:
Name:    a1526.dscg.akamai.net
Addresses:  2001:559:0:5d::1743:3d3b
          2001:559:0:5d::1743:3d39
          96.17.77.66
          96.17.77.42
Aliases:  www.comcast.net
          www.comcast.net.edgesuite.net
  
C:\Users\Brian A. Plencner>nslookup -type=AAAA www.comcast.net
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
  
Non-authoritative answer:
Name:    a1526.dscg.akamai.net
Addresses:  2001:559:0:5d::1743:3d39
          2001:559:0:5d::1743:3d3b
Aliases:  www.comcast.net
          www.comcast.net.edgesuite.net
  
C:\Users\Brian A. Plencner>nslookup www.google.com
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
  
Non-authoritative answer:
Name:    www.google.com
Addresses:  2607:f8b0:400f:801::1011
          74.125.225.208
          74.125.225.211
          74.125.225.209
          74.125.225.210
          74.125.225.212
  
C:\Users\Brian A. Plencner>nslookup -type=AAAA www.google.com
Server:  cdns01.comcast.net
Address:  2001:558:feed::1
  
Non-authoritative answer:
Name:    www.google.com
Address:  2607:f8b0:400f:801::1012
  
C:\Users\Brian A. Plencner>
 
 

ping commands

C:\Users\Brian A. Plencner>ping ipv6.dcsenterprises.net
  
Pinging ipv6-dcs-srv.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:beac] with 32 bytes of data:
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=41ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=37ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=35ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=36ms
  
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 35ms, Maximum = 41ms, Average = 37ms
  
C:\Users\Brian A. Plencner>ping 2601:5:c80:91:e291:f5ff:fe95:beac
  
Pinging 2601:5:c80:91:e291:f5ff:fe95:beac with 32 bytes of data:
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=34ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=35ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=36ms
Reply from 2601:5:c80:91:e291:f5ff:fe95:beac: time=36ms
  
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 34ms, Maximum = 36ms, Average = 35ms
 
 

And then finally, a few trace commands. I did mix both IPv4 and IPv6 sites in this, just to be complete.

C:\Users\Brian A. Plencner>tracert 2601:5:c80:91:e291:f5ff:fe95:beac
  
Tracing route to 2601:5:c80:91:e291:f5ff:fe95:beac over a maximum of 30 hops
  
  1    37 ms    30 ms    29 ms  2001:558:6033:ad::1
  2     9 ms     8 ms     9 ms  te-9-1-ur04.algonquin.il.chicago.comcast.net [2001:558:322:26f::1]
  3    15 ms    15 ms    15 ms  te-0-3-0-0-ar01.area4.il.chicago.comcast.net [2001:558:300:1e::1]
  4    19 ms    23 ms    23 ms  he-3-5-0-0-cr01.350ecermak.il.ibone.comcast.net [2001:558:0:f7fb::1]
  5    25 ms    25 ms    26 ms  so-7-1-0-0-ar03.nashville.tn.nash.comcast.net [2001:558:0:f7f4::2]
  6    27 ms    26 ms    28 ms  xe-0-1-0-0-sur01.murfreesboro.tn.nash.comcast.net [2001:558:160:57::2]
  7    39 ms    34 ms    27 ms  2001:558:162:32::2
  8    36 ms    35 ms    37 ms  2001:558:6016:19:39d6:46d1:4004:e738
  9    37 ms    35 ms    38 ms  2601:5:c80:91:e291:f5ff:fe95:beac
  
Trace complete.
  
C:\Users\Brian A. Plencner>tracert www.google.com
  
Tracing route to www.google.com [2607:f8b0:400f:801::1013]
over a maximum of 30 hops:
  
  1    27 ms    29 ms    29 ms  2001:558:6033:ad::1
  2     9 ms     9 ms    10 ms  te-9-1-ur04.algonquin.il.chicago.comcast.net [2001:558:322:26f::1]
  3    16 ms    16 ms    14 ms  te-0-3-0-3-ar01.area4.il.chicago.comcast.net [2001:558:300:286::1]
  4    22 ms    23 ms    17 ms  he-3-7-0-0-cr01.350ecermak.il.ibone.comcast.net [2001:558:0:f68d::1]
  5    14 ms    13 ms    13 ms  pos-1-2-0-0-pe01.350ecermak.il.ibone.comcast.net [2001:558:0:f593::2]
  6    59 ms    13 ms    12 ms  2001:559::44a
  7    13 ms    13 ms    13 ms  2001:4860::1:0:92e
  8    14 ms    13 ms    13 ms  2001:4860::8:0:2fe9
  9    35 ms    37 ms    36 ms  2001:4860::8:0:281d
 10    36 ms    33 ms    33 ms  2001:4860::8:0:3426
 11    34 ms    34 ms    43 ms  2001:4860::1:0:7a4
 12    35 ms    38 ms    36 ms  2001:4860:0:1::593
 13    34 ms    35 ms    35 ms  den03s06-in-x13.1e100.net [2607:f8b0:400f:801::1013]
  
Trace complete.
  
C:\Users\Brian A. Plencner>tracert www.dslreports.com
  
Tracing route to www.dslreports.com [209.123.109.175]
over a maximum of 30 hops:
  
  1    31 ms    22 ms    27 ms  67.184.208.1
  2    29 ms    15 ms    16 ms  te-9-1-ur04.algonquin.il.chicago.comcast.net [68.87.229.189]
  3    15 ms    15 ms    15 ms  te-0-3-0-2-ar01.area4.il.chicago.comcast.net [68.86.189.229]
  4    14 ms    23 ms    11 ms  he-3-8-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.90.49]
  5    40 ms    35 ms    35 ms  he-4-6-0-0-cr01.newyork.ny.ibone.comcast.net [68.86.88.153]
  6    41 ms    33 ms    40 ms  173.167.58.26
  7    34 ms    33 ms    32 ms  0.e1-4.tbr1.oct.nac.net [209.123.10.122]
  8    35 ms    34 ms    32 ms  vlan804.esd1.oct.nac.net [209.123.10.2]
  9    34 ms    32 ms    32 ms  www.dslreports.com [209.123.109.175]
  
Trace complete.
  
C:\Users\Brian A. Plencner>
 
 

So, my final observation here is that IPv6 is working (as best as I can tell) exactly the way it should be when I am directly connected to my cable modem.

--Brian
plencnerb

plencnerb

Premium Member

Click for full size
Picture #1
Click for full size
Picture #2
Click for full size
Picture #3
In this post, I want to document how things work when I am behind my pfsense firewall.

So, I will run though the same set of tests I did above, and show you my results.

Below are the results of running the command "ipconfig/all"

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
 
C:\Users\Brian A. Plencner>ipconfig/all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : BRIAN-DESKTOP
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : localdomain
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : F4-6D-04-F0-32-43
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2601:d:4c00:67:34c8:339c:31d4:729b(Preferred)
   Temporary IPv6 Address. . . . . . : 2601:d:4c00:67:1952:1b74:c511:8be4(Preferred)
   Link-local IPv6 Address . . . . . : fe80::34c8:339c:31d4:729b%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, December 10, 2012 3:40:21 PM
   Lease Expires . . . . . . . . . . : Monday, December 10, 2012 7:40:21 PM
   Default Gateway . . . . . . . . . : fe80::250:4ff:fe21:713d%11
                                       192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 250899716
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-26-E4-53-F4-6D-04-F0-32-43
   DNS Servers . . . . . . . . . . . : 2601:d:4c00:67::1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Tunnel adapter Teredo Tunneling Pseudo-Interface:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:2058:2218:e7f2:eed8(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2058:2218:e7f2:eed8%13(Preferred)
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled
 
Tunnel adapter isatap.localdomain:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 
C:\Users\Brian A. Plencner>
 
 

Next, I ran the following command: "netsh int ipv6 show addr". I did this just to verify the information I was seeing from the ipconfig command.

 
C:\Users\Brian A. Plencner>netsh int ipv6 show addr
 
Interface 1: Loopback Pseudo-Interface 1
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Preferred     infinite   infinite ::1
 
Interface 13: Teredo Tunneling Pseudo-Interface
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Public     Preferred     infinite   infinite 2001:0:9d38:953c:2058:2218:e7f2:eed8
Other      Preferred     infinite   infinite fe80::2058:2218:e7f2:eed8%13
 
Interface 11: Local Area Connection
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Temporary  Preferred    23h59m59s   3h59m59s 2601:d:4c00:67:1952:1b74:c511:8be4
Public     Preferred    23h59m59s   3h59m59s 2601:d:4c00:67:34c8:339c:31d4:729b
Other      Preferred     infinite   infinite fe80::34c8:339c:31d4:729b%11
 
Interface 14: isatap.localdomain
 
Addr Type  DAD State   Valid Life Pref. Life Address
---------  ----------- ---------- ---------- ------------------------
Other      Deprecated    infinite   infinite fe80::5efe:192.168.1.100%14
 
C:\Users\Brian A. Plencner>
 
 

So far, things appear to be working, in regards to pfsense giving my desktop a "proper" IPv6 IP, as well as a "proper" IPv4" IP.

So, I then went ahead and tested the same three sites

• »test-ipv6.com/
• »test-ipv6.comcast.net/
• »ipv6.speedtest.comcast.net/

The results of these are shown above as Picture #1, #2, and #3, respectively.

Of note now is that my results went from 10/10 to 0/10 for both test sites, and the IPv6 speedtest site failed to load.

This tells me that something is not configured correctly in regards to pfsense.

To confirm this, I went ahead and ran the same commands from the command prompt.

nslookup commands

 
C:\Users\Brian A. Plencner>nslookup www.comcast.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:67::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>nslookup -type=AAAA www.comcast.net
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:67::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:67::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>nslookup -type=AAAA www.google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  2601:d:4c00:67::1
 
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
 
C:\Users\Brian A. Plencner>
 
 

ping commands

 
C:\Users\Brian A. Plencner>ping ipv6.dcsenterprises.net
 
Pinging ipv6-dcs-srv.dyndns-ip.com [2601:5:c80:91:e291:f5ff:fe95:beac] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Users\Brian A. Plencner>ping 2601:5:c80:91:e291:f5ff:fe95:beac
 
Pinging 2601:5:c80:91:e291:f5ff:fe95:beac with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
 
Ping statistics for 2601:5:c80:91:e291:f5ff:fe95:beac:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
 
C:\Users\Brian A. Plencner>
 
 

And then finally, a few trace commands. I did mix both IPv4 and IPv6 sites in this, just to be complete.

 
C:\Users\Brian A. Plencner>tracert 2601:5:c80:91:e291:f5ff:fe95:beac
 
Tracing route to 2601:5:c80:91:e291:f5ff:fe95:beac over a maximum of 30 hops
 
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
 
Trace complete.
 
C:\Users\Brian A. Plencner>tracert www.google.com
 
Tracing route to www.google.com [74.125.225.211]
over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  pfSense.localdomain [192.168.1.1]
  2    30 ms    28 ms    19 ms  24.13.16.1
  3    11 ms    14 ms    10 ms  te-9-1-ur04.algonquin.il.chicago.comcast.net [68.87.229.189]
  4    16 ms    19 ms    15 ms  te-0-3-0-2-ar01.area4.il.chicago.comcast.net [68.86.189.229]
  5    21 ms    23 ms    24 ms  he-3-11-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.90.13]
  6    29 ms    13 ms    15 ms  pos-1-1-0-0-pe01.350ecermak.il.ibone.comcast.net [68.86.86.38]
  7    37 ms    37 ms     *     66.208.228.202
  8    14 ms    12 ms    14 ms  209.85.254.120
  9    13 ms    13 ms    14 ms  72.14.237.133
 10    25 ms    26 ms    39 ms  72.14.232.141
 11    58 ms    34 ms    35 ms  72.14.239.51
 12    40 ms    34 ms    38 ms  216.239.46.151
 13    49 ms    50 ms    35 ms  209.85.251.111
 14    36 ms    36 ms    35 ms  den03s06-in-f19.1e100.net [74.125.225.211]
 
Trace complete.
 
C:\Users\Brian A. Plencner>tracert www.dslreports.com
 
Tracing route to www.dslreports.com [209.123.109.175]
over a maximum of 30 hops:
 
  1    <1 ms    <1 ms    <1 ms  pfSense.localdomain [192.168.1.1]
  2    27 ms    29 ms    29 ms  24.13.16.1
  3    10 ms    11 ms     9 ms  te-9-1-ur04.algonquin.il.chicago.comcast.net [68.87.229.189]
  4    14 ms    15 ms    15 ms  te-0-3-0-2-ar01.area4.il.chicago.comcast.net [68.86.189.229]
  5    18 ms    23 ms    24 ms  he-3-5-0-0-cr01.350ecermak.il.ibone.comcast.net [68.86.95.237]
  6    39 ms    36 ms    35 ms  he-4-4-0-0-cr01.newyork.ny.ibone.comcast.net [68.86.88.145]
  7    36 ms    34 ms    33 ms  173.167.58.26
  8    34 ms    36 ms    34 ms  0.e1-4.tbr1.oct.nac.net [209.123.10.122]
  9    39 ms    34 ms    35 ms  vlan804.esd1.oct.nac.net [209.123.10.2]
 10    36 ms    34 ms    36 ms  www.dslreports.com [209.123.109.175]
 
Trace complete.
 
C:\Users\Brian A. Plencner>
 
 

So, from what I can figure out, the issue appears to not be a DNS one, as I am able to resolve an IPv6 IP for its proper DNS name. However, I am not able to reach (or ping) to an IPv6 IP, or a IPv6 only site. So, there has to be something that is mis-configured inside of pfsense that is causing this. What I don't know.

--Brian
plencnerb

1 edit

plencnerb

Premium Member


Picture #1
 

Picture #2
 

Picture #3
 
Click for full size
Picture #4
In this post, I'm going to document things in pfsense.

In Picture #1, I am showing the System Information. This should answer any questions about what version I'm running and all of that.

Picture #2 shows everything on the WAN side of things.

Picture #3 shows everything on the LAN side of things.

Finally, Picture #4 shows the only modification I have made. I added a WAN firewall rule to for IPv6. This was per the suggestion by whfsdude See Profile.

--Brian

joako
Premium Member
join:2000-09-07
/dev/null

joako to plencnerb

Premium Member

to plencnerb
1) What is the version of pfsense (Status > Dashboard)
2) What IPv6 info do you see under Status > Interfaces?

Extide
join:2000-06-11
Salt Lake City, UT

Extide to plencnerb

Member

to plencnerb
PFSense currently doesnt support ipv6. The next release (v2.1) will support ipv6. You can download and run a beta of it if you want, but the current release 2.0x versions do not support ipv6.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to joako

Premium Member

to joako
said by joako:

1) What is the version of pfsense (Status > Dashboard)
2) What IPv6 info do you see under Status > Interfaces?

said by Extide:

PFSense currently doesnt support ipv6. The next release (v2.1) will support ipv6. You can download and run a beta of it if you want, but the current release 2.0x versions do not support ipv6.

The answers to both of your questions should now be visible in the posts above. I have edited them all at this point.

If you need further information, just ask.

Thanks,

--Brian

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf to plencnerb

MVM

to plencnerb
Your WAN IPv6 netmask is 64 bits. Mine is 128 bits.

Your LAN IPv6 address looks more like it was statically assigned, not by DHCP-PD.

You still haven't said how you are configuring for IPv6. Post those screens as well.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

Click for full size
WAN Interface Configuration
Click for full size
LAN Interface Configuration
said by graysonf:

Your WAN IPv6 netmask is 64 bits. Mine is 128 bits.

Your LAN IPv6 address looks more like it was statically assigned, not by DHCP-PD.

You still haven't said how you are configuring for IPv6. Post those screens as well.

Above are how I currently have things configured in regards to the LAN and WAN interfaces.

By default, when I installed pfsense, I did not need to make any changes to this, per what whfsdude See Profile said in the other post.

His comment is below
said by whfsdude:

Are you running the 2.1 branch?

1. Interfaces > WAN
2. For 'IPv6 Configuration Type' select 'DHCP6'
3. For 'DHCPv6 Prefix Delegation size' select '64', apply
4. Interfaces > LAN
5. For 'IPv6 Configuration Type' select 'Track Interface'
6. For 'IPv6 Interface' select WAN.
7. For 'IPv6 Prefix ID' enter '0', apply
8. Reboot!

What you are suggesting is a bit different then what he has said. But, since we are in troubleshooting mode, I'm willing to make any changes to see what I can do to figure this out.

So, on the LAN Interface configuration page, I modified the IPv6 Configuration Type from the value "Track Interface" to "DHCP6".

Once that was done, I did an ipconfig /release and then an ipconfig /renew.

The issue now is solved! The IPv6 Test pages now come back with a score of 10/10. On the Comcast IPv6 Speedtest side, it now loads, and shows my IPv6 IP at the top.

That was an easy fix!

Of course, it makes me wonder then, what is different between my setup and whfsdude See Profile's, as he is also running pfsense, with that one value different then what I have, and he apparently does not have any issues.

Thoughts?

--Brian


graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Glad you have it sorted out. You might want to change the Subject of the root post for this to include [SOLVED].

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

said by graysonf:

Glad you have it sorted out. You might want to change the Subject of the root post for this to include [SOLVED].

Went ahead and did that, and modified my OP post as well to indicate what I had to do to fix it.

I am curious though to hear whfsdude See Profile's thoughts on this, as he is the one that said what he uses for that value, and apparently it is working fine for him.

Now the next step I think is to work with the mods to modify NetDog See Profile's thread to put a post that shows the configuration steps / changes that need to be made in this version of pfsense to get it to work. Once that is done, then delete all of the posts and troubleshooting steps from my case, as that configuration has now been confirmed to be working. Thoughts? Kind of like a cleanup / reset on the thread, and get it ready for the next user who comes along with configuration issues for a different piece of hardware.

--Brian

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

I doubt they will delete posts or threads, which is why I suggested editing the Subject to include [SOLVED].

whfsdude
Premium Member
join:2003-04-05
Washington, DC

whfsdude to plencnerb

Premium Member

to plencnerb
said by plencnerb:

I am curious though to hear whfsdude See Profile's thoughts on this, as he is the one that said what he uses for that value, and apparently it is working fine for him.

Sorry I've been swamped since Monday and haven't had much time to look at threads. Glad you figured it out.

I was using DHCP6 w/track interface up until two weeks ago when I moved to all static configurations.

I wonder if it's a regression in their code. »lists.pfsense.org/piperm ··· 831.html

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to graysonf

Premium Member

to graysonf
They probably won't, it was just a suggestion.

Maybe what I am thinking of is more along the lines of a FAQ for IPv6. NetDog's thread could be the "work area" so to speak for the FAQ. We take the first first post as kind of the starting point for the FAQ, and then as people post their different routers and configurations, and we all work together to get them up and running, the FAQ then is modified to include a section for a specific hardware.

--Brian

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

FAQ, good idea. Feel free to get started anytime

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

You know, I would if I knew how to start!

If anything, I would have no problems putting together the section on configuration for pfsense.

--Brian

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Go to the Comcast FAQ page here: »Comcast High Speed Internet FAQ

Contact one of the Editors on the upper right side via Instant Message. I'm sure they will point you in the right direction.

NetDog
Premium Member
join:2002-03-04
Hollywood, FL

NetDog to plencnerb

Premium Member

to plencnerb
said by plencnerb:

Now the next step I think is to work with the mods to modify NetDog See Profile's thread to put a post that shows the configuration steps / changes that need to be made in this version of pfsense to get it to work. Once that is done, then delete all of the posts and troubleshooting steps from my case, as that configuration has now been confirmed to be working. Thoughts? Kind of like a cleanup / reset on the thread, and get it ready for the next user who comes along with configuration issues for a different piece of hardware.

--Brian

how about a thread that just has the how-to? I have been thinking about writing a How-to for each of the routers and devices that I know about.. Thinking and on paper are two different things .. I have been working on a Juniper router\switch as of late so it has been taking my spare time.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

Re: [IPv6] Issues with IPv6 and pfsense [SOLVED]

Ok I don't get it.

Yes, I'm replying to my own thread.

Why would I do something?

Answer: Things are not working now with IPv6.

Both IPv6 test sites that used to return 10/10 now return 0/10. I cannot get to »ipv6.speedtest.comcast.net/ anymore.

System Uptime on my modem is 11 d: 8 h: 37 m.
System Update for PFSense is just behind that, at 11 Days 08 Hours 29 Minutes 21 Seconds.

The last configuration change that I made to PFsense was on Wed Dec 12 12:36:08 CST 2012, which, is just after the last edit I made to the first post of this thread to indicate that it was working.

So, my question is, What Broke! And, probably more important, how do I get it working again?

--Brian

IPv6_NOT
@comcast.net

IPv6_NOT

Anon

My Comcast supplied Netgear WNR1000v2-VC also randomly loses IPv6 connectivity. It sometimes will stay in sync for several weeks, and sometimes only for a few days. IPv6 connectivity always comes back if I reboot the router and remake the connections with the attached PCs.

The problem with the Netgear router seems to be that its WAN is randomly assigned a new IPv6 address (but the 2001:558:xxxx:xx: prefix does does not change, nor does the IPv4 address). That new IP address triggers a new PD prefix for the LAN, but the old PD prefix is also still active. The only fix I have found is to reboot the router.

Have you tried rebooting your pFsense box and reconnecting the attached PC(s)?
IPv6_NOT

IPv6_NOT to plencnerb

Anon

to plencnerb
This is an update to the post I made ~20 minutes ago. That post is still in limbo, so I hope that both posts either are approved at the same time, or in the proper sequence so that this post makes sense.

The problem with my WNR1000v2-VC just occurred, so I will post some screen shots of what I see so that you can look at the similar status pages in pFsense to see if your problem is similar.


IPv6 status from several days ago



IPv6 status showing dual WAN IP addresses



IPv6 status after reboot

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

That is interesting.

I'm not seeing the dual WAN IPv6 IP's like you posted in your screen shot, but I did notice that the last part is different with my IPv6 IP.

I have no idea what you call each section, but the first 4 items are the same, but the last 4 are different.

Yet, my router, and cable modem have not been rebooted since I noted what my IPv6 IP address was.

Below is what I'm talking about.

My IPv6 IP, on 12/12/2012 around 12:30 PM
2001:558:6033:ad:7d1b:4b65:f6a7:4462

PFSense is now showing this
2001:558:6033:ad:149f:8627:2f1:9d33

The part after the :ad: is what has changed.

Is that what you are talking about?

It only takes a few minutes to reboot my router, so I may go ahead and do that this morning and report back.

--Brian

IPv6_NOT
@comcast.net

IPv6_NOT

Anon

said by plencnerb:

That is interesting.

I'm not seeing the dual WAN IPv6 IP's like you posted in your screen shot, but I did notice that the last part is different with my IPv6 IP.

I have no idea what you call each section, but the first 4 items are the same, but the last 4 are different.

Yet, my router, and cable modem have not been rebooted since I noted what my IPv6 IP address was.

Below is what I'm talking about.

My IPv6 IP, on 12/12/2012 around 12:30 PM
2001:558:6033:ad:7d1b:4b65:f6a7:4462

PFSense is now showing this
2001:558:6033:ad:149f:8627:2f1:9d33

The part after the :ad: is what has changed.

Is that what you are talking about?

It only takes a few minutes to reboot my router, so I may go ahead and do that this morning and report back.

--Brian

Yes, that is what I was talking about. I don't always see the dual WAN IPv6 assignments showing in the GUI status page either (but I suspect it is there but just not showing). Sometimes it also manifests itself as two LAN IPv6 addresses with the PD portion changed, but the DUID (the last part of the IPv6 address) not changed.

In either case I think what has happened is that the DHCP6 has assigned a new IP address, but the old IPv6 address is also still assigned. I think that this is happening in my Netgear router because it is getting a /64 WAN assignment when it should be getting a /128, but there is no configuration setting that I can make to change that. I noticed that in one of your pfsense screen shots that you also were getting a /64 WAN assignment, so if you can change that in the pfsense config, you may be able to prevent this from happening again.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

Click for full size
#1

#2
  
said by IPv6_NOT :

I think that this is happening in my Netgear router because it is getting a /64 WAN assignment when it should be getting a /128, but there is no configuration setting that I can make to change that. I noticed that in one of your pfsense screen shots that you also were getting a /64 WAN assignment, so if you can change that in the pfsense config, you may be able to prevent this from happening again.

Are you talking about the section that I posted above in pic #1? That section is on the WAN interface configuration.

If so, the values that I can select there are shown in pic #2. Does not look like I have the option to set that to be /128, unless I'm looking in the wrong spot.

--Brian

IPv6_NOT
@comcast.net

IPv6_NOT

Anon

said by plencnerb:

Are you talking about the section that I posted above in pic #1? That section is on the WAN interface configuration.

If so, the values that I can select there are shown in pic #2. Does not look like I have the option to set that to be /128, unless I'm looking in the wrong spot.

--Brian

I am not very familiar with pfsense, but everything I have seen in this and other forums discussing how Comcast assigns IPv6 addresses has implied that a standalone PC or a router WAN interface should receive a /128 IPv6 address beginning with 2001:558:xxxx:yy.

I don't have access to the hidden OpenWRT configuration in my Comcast supplied Netgear router and the only workable WAN options I have available are "Auto Detect" and "DHCP", and both give me a /64 IP address assignment. I know someone with a D-Link router, and that router does not explicitly have a selection choice for the WAN IP address allocation size either, but his router does get a /128 from Comcast, and his router's WAN IPv6 address is stable.

If you can't manually select a /128 preference for the WAN allocation size in pfsense, perhaps selecting "None" might work?

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf to plencnerb

MVM

to plencnerb
Any relation with what is going on here to this thread?

»[IPv6] Seeing two different LAN side ranges

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

I've seen that thread, but I do need to take the time to sit down and read it fully to see if I'm having the same issues.

The one thing I did see so far in that thread appears to be a disagreement on the WAN DHCPv6 Prefix Delegation size. whfsdude See Profile indicates that it should be set as /64 to work correctly. Which, for me that is what I had, and it did work.

However, you (graysonf See Profile) have a different view, in that the setting should be set to "None", which would imply that it will pull a /128 from Comcast. You have it set that way (I'm guessing) and it also appears to work. I have to step out for a few hours, but when I get home, I'll play with that and see if it makes a difference.

In the meantime, if I look at my dashboard, something has gone south, as the status of the gateway "WAN_DHCP6" is now showing "Unknown". I know when everything was working, it did show "Online", with a proper IPv6 IP in the gateway box.

--Brian

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

I suggested "None" because /128 is not a choice. I don't run pfsense here, I run m0n0wall instead. And I get a /128 on WAN and there is nothing to specify other than DHCP on WAN - there is no list of subnet mask choices.

I may flash a copy of pfsense to a spare CF and try it here to see what happens.

I do recall another thread along these lines and the way it turned out NetDog (I think) got involved and solved it. The cause was some type of misconfiguration by Comcast for that particular customer.

IPv6_NOT
@comcast.net

IPv6_NOT

Anon

said by graysonf:

I suggested "None" because /128 is not a choice. I don't run pfsense here, I run m0n0wall instead. And I get a /128 on WAN and there is nothing to specify other than DHCP on WAN - there is no list of subnet mask choices.

I may flash a copy of pfsense to a spare CF and try it here to see what happens.

I do recall another thread along these lines and the way it turned out NetDog (I think) got involved and solved it. The cause was some type of misconfiguration by Comcast for that particular customer.

In NetDog's sticky thread: »[IPv6] Troubleshooting Comcast IPv6 (Start Here) he seems to agree that a router's WAN should get a /128 allocation:




Since NetDog does IPv6 support for Comcast, one would hope that his opinion is based on facts.

whfsdude
Premium Member
join:2003-04-05
Washington, DC

1 edit

whfsdude

Premium Member

said by IPv6_NOT :

»[IPv6] Troubleshooting Comcast IPv6 (Start Here) he seems to agree that a router's WAN should get a /128 allocation

He's talking about allocation, not subnet. If you had a /128 subnet, you wouldn't be able to reach the gateway (it's just a single addressed network).

pfsense very clearly asks for the subnet which is why you give it a "/64."

If you do not believe that it's in a /64, pcap the RA.

fwiw, I ran pfsense on Comcast's network using '64' on-link and '64' for the PD prefix up until I had my new service installed (which is static).

Edit: Clearly failed to read "allocation" IPv6_NOT is correct and we're pretty much saying the same thing.