JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

[IPv6] Seeing two different LAN side ranges

I finally upgraded my firewall (pfSense) to 2.1 so it supports IPv6. Everything seemed to be going fine but I have no connectivity on any desktop. I get an IP address but just can't surf. I finally figured out what (I think) is causing this but I don't know how to correct it. The LAN side of pfSense has an address in one /64 and my desktop has one in another /64.

From pfSense, I can ping/trace any IPv6 address from WAN or LAN side so connectivity seems to be working. This led me to believe that the address I needed on my desktop was the one in the same /64 as pfSense (makes sense, right), so I configured a static address on my desktop in that range but it still doesn't work.

For pfSense, I have the WAN interface set to DHCP6 with prefix delegation size at 64. On the LAN interface I have it set to "track interface" with the WAN interface selected and the prefix ID at 0. This is how I found I should set the interfaces, according to the pfSense forums. I'm honestly not sure if this is a Comcast issue or pfSense issue but figured I could probably get help with both here, and actually get Comcast specific help here unlike at pfSense forums.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1

Your WAN IPv6 subnet mask should be /128, not /64. You should not have to specify anything other than DHCP for that interface for both IPv4 and IPv6.

Do not assign static public addresses anywhere, it will not work.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

The LAN side of pfSense has an address in one /64 and my desktop has one in another /64.

This is normal.

You will need to add firewall rules to pass IPv6 traffic. Firewall > Rules > WAN.

You will want to check the LAN rules as well to make sure there is an IPv6 rule there (that should have been in-place via defaults)


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to graysonf

said by graysonf:

Your WAN IPv6 subnet mask should be /128, not /64. You should not have to specify anything other than DHCP for that interface for both IPv4 and IPv6.

Nope, the WAN subnet is a /64. OP just needs firewall rules.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1

Not correct. See:

»Re: [Business] Unexpected IPv6 address with Business Class stati


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

Yeah I have an IPv6 LAN side rule. I originally had it set to "LAN net" as the source but since the subnet for the LAN interface is different from the desktop subnet it was obviously blocking it. I set the source to "any" and it isn't blocking anymore but I still can't ping/surf on IPv6 from my desktop.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to JoelC707

See this thread to see how I configured pfsense 2.1 to work with Comcast.

»[IPv6] Issues with IPv6 and pfsense [SOLVED]


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to graysonf

I expected to see a /128 on WAN side. Is that because of the /64 on the prefix delegation? Why would that cause the two different LAN side subnets?



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1
reply to JoelC707

Interfaces: WAN, DHCP6 client configuration:

Set DHCPv6 Prefix Delegation size to None.

Verify your WAN IPv6 address is now /128.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

Yeah I have an IPv6 LAN side rule. I originally had it set to "LAN net" as the source but since the subnet for the LAN interface is different from the desktop subnet it was obviously blocking it. I set the source to "any" and it isn't blocking anymore but I still can't ping/surf on IPv6 from my desktop.

You need a WAN one as well. Eg. »willscorner.net/t/wanrule.png

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Wait, why do I need an allow all "any any" rule on WAN side? I can't imagine why I would need to fully open up the WAN side like that.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to graysonf

said by graysonf:

Interfaces: WAN, DHCP6 client configuration:

Set DHCPv6 Prefix Delegation size to None.

Verify your WAN IPv6 address is now /128.

Incorrect. The WAN IP address is a single address (hence the /128) but it is in a /64 subnet. (How the heck is it going to reach the gateway if it's in a /128 subnet).

The DHCP delegation size (on WAN int) needs to be set to /64 if he wants PD on his LAN.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:1
reply to JoelC707

I don't have any such WAN rule here.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to graysonf

I'll have to wait until I get back home in a couple of hours to try out any changes.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

Wait, why do I need an allow all "any any" rule on WAN side? I can't imagine why I would need to fully open up the WAN side like that.

FWIW, I lock down my firewall rules via the LAN tab as I have multiple VLANs. In general though, I favor host based security.

You'll need to create several firewall rules if you don't allow all.

Edited for clarity.

1. You need ICMP rule (PMTUD needs to work).
2. Optional rules for UDP or TCP depending on any incoming traffic.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Ahhh ok that makes more sense

I do have ICMP enabled for v4 and v6. At the moment I don't have any services I want to open up on the LAN for v6 (yet). If you're doing VLAN or host based security then that makes more sense. I thought you were saying I needed to open up the network for general browsing over IPv6 to work, but that makes more sense.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

Looking at the code (no longer running PD here). It looks like firewall rules get added now and don't show via the GUI for PD. Which is maybe why it now works out of the box without adding the WAN rule.

cat /tmp/rules.debug

# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
pass in quick on $LAN inet6 from [pd_prefix] to any keep state label "Allow IPv6 on LAN to any"
pass in quick on $WAN inet6 from any to [pd_prefix] keep state label "Allow IPv6 in on WAN to [pd_prefix]"
 


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

I do have ICMP enabled for v4 and v6. At the moment I don't have any services I want to open up on the LAN for v6 (yet). If you're doing VLAN or host based security then that makes more sense.

Yeah, when you're dealing with VLANs, you scoot the rules back to the VLAN interfaces (eg. LAN, Voice) because you don't want traffic passing between the VLANs without rules in place.

For this reason, I've always been taught it's best to put the firewall/ACL as close to the network you want to protect as possible.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

FWIW, I can reach your LAN interface via ICMP.

PING 2601:0:ac40:9::1(2601:0:ac40:9::1) 56 data bytes
64 bytes from 2601:0:ac40:9::1: icmp_seq=1 ttl=46 time=63.7 ms

Odd that you can't ping6 out.

Question:
Can you ping6 2601:0:ac40:9::1 from inside the LAN?

What about ping6 your WAN IP address from inside?


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

I don't remember off hand but from my desktop I think I can ping that address. I can ping/trace anything I want from pfSense so the circuit is working, it's just not extending to the desktop. I should be heading home shortly.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to JoelC707

Alright here is what I have done so far.

Made no interface changes and put in an IPv6 "any any" rule on WAN side. No changes.

Left WAN at "DHCP6, 64 PD" and changed LAN to "DHCP6, 64 PD". This got me the 2601:0:ac40:1a subnet on LAN interface instead of 2601:0:ac40:9::1. No change.

Changed WAN to "DHCP6, None for PD", left LAN as above. WAN interface is still /64 not /128 (not entirely sure this is as much an issue really). Still, no changes.

Left WAN as above and changed LAN back to "track interface, 0". I'm back to the 2601:0:ac40:9::1 address on LAN side but other than that, no changes.

At some point I have picked up both the "9" and "1a" addresses on my desktop. New screen shot attached showing current IP addresses on my desktop. ICMP is allowed through the firewall regardless of the "any any" rule being set or not and the Windows firewall is off. Can anyone ping any of those addresses?

I statically assigned the IPv6 DNS as I don't seem to be getting one from the RA assignment. This isn't really an issue because I do not want to use whatever DNS Comcast would send me, I run a Windows DC at home and will eventually point my desktop to it for DNS once I get this all sorted out.

For reference, the Google DNS 2001:4860:4860::8888 and this test: »ipv6test.google.com/ are what I have been using to verify IPv6 connectivity on the desktop. I can ping/trace the Google DNS from the firewall so it's at least partially working.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

Looking at the screenshot, you've got addresses on your LAN outside of your routed /64. That could be the problem.

2601:0:ac40:9::/64 - Assigning via PD (according to your screenshot).

Yet you have a secondary address (2601:0:ac40:1a::/64) assigned on your PC outside of that /64.

Reboot the Windows machine and see if you still get that second incorrect address.

OT/Addressing DNS: To my knowledge RDNSS isn't supported via Windows and isn't configured on pfsense (so you can't push DNS via RA). You'll want to use "assisted" and setup DHCPv6 to push DNS in the future. I've had mixed success with DHCPv6 being started after a change so if you do DHCPv6 config changes, you'll want to reboot pfsense.
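An added check (Python, written for this thread; not code from the forum or from pfSense) that applies the diagnosis above to the addresses posted in the thread: it renders the two auto-generated pass rules quoted earlier for the delegated prefix, flags any global address on the host that falls outside that /64 (and so is not covered by the LAN pass rule), and groups addresses by interface ID to show that the "9" and "1a" addresses are one interface ID under two prefixes. The prefix, address list and function names are constructed for the example.

```python
import ipaddress

# Constructed sample data modelled on the values quoted in this thread: the
# prefix pfSense received via PD and the addresses shown on the desktop.
PD_PREFIX = ipaddress.IPv6Network("2601:0:ac40:9::/64")
DESKTOP_ADDRS = [
    "2601:0:ac40:9:152d:82e8:ab72:980c",   # inside the delegated /64
    "2601:0:ac40:1a:152d:82e8:ab72:980c",  # the stale "1a" address
    "fe80::152d:82e8:ab72:980c",           # link-local, always present
]

# The two automatic pass rules quoted from /tmp/rules.debug in the thread,
# with the [pd_prefix] placeholder pfSense fills in at rule generation time.
RULE_TEMPLATES = [
    'pass in quick on $LAN inet6 from [pd_prefix] to any keep state label "Allow IPv6 on LAN to any"',
    'pass in quick on $WAN inet6 from any to [pd_prefix] keep state label "Allow IPv6 in on WAN to [pd_prefix]"',
]

def render_rules(pd_prefix=PD_PREFIX):
    """Substitute the delegated prefix into the rule templates."""
    return [r.replace("[pd_prefix]", str(pd_prefix)) for r in RULE_TEMPLATES]

def lan_rule_passes(src, pd_prefix=PD_PREFIX):
    """True if the LAN pass rule's 'from [pd_prefix]' match covers this source."""
    return ipaddress.IPv6Address(src) in pd_prefix

def stale_addresses(addrs, pd_prefix=PD_PREFIX):
    """Global addresses on the host that the LAN pass rule will not match.
    Link-local addresses are skipped; they never appear in the PD prefix."""
    out = []
    for s in addrs:
        a = ipaddress.IPv6Address(s)
        if a.is_link_local or a in pd_prefix:
            continue
        out.append(s)
    return out

def prefixes_by_interface_id(addrs):
    """Group global addresses by their low 64 bits. One interface ID listed
    under two /64s means the host accepted RAs for two prefixes."""
    groups = {}
    for s in addrs:
        a = ipaddress.IPv6Address(s)
        if a.is_link_local:
            continue
        iid = int(a) & ((1 << 64) - 1)
        prefix = ipaddress.IPv6Network(((int(a) >> 64) << 64, 64))
        groups.setdefault(iid, []).append(str(prefix))
    return groups
```

Run stale_addresses(DESKTOP_ADDRS) after a host reboot: an empty list means only addresses from the delegated prefix remain.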



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

Can anyone ping any of those addresses?

$: ping6 -c 2 2601:0:ac40:9:152d:82e8:ab72:980c
PING6(56=40+8+8 bytes) 2001:559:0:84::2 --> 2601:0:ac40:9:152d:82e8:ab72:980c
16 bytes from 2601:0:ac40:9:152d:82e8:ab72:980c, icmp_seq=0 hlim=55 time=37.416 ms
16 bytes from 2601:0:ac40:9:152d:82e8:ab72:980c, icmp_seq=1 hlim=55 time=54.012 ms
 
--- 2601:0:ac40:9:152d:82e8:ab72:980c ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 37.416/45.714/54.012/8.298 ms
 

$: ping6 -c 2 2601:0:ac40:1a:152d:82e8:ab72:980c
PING6(56=40+8+8 bytes) 2001:559:0:84::2 --> 2601:0:ac40:1a:152d:82e8:ab72:980c
 
--- 2601:0:ac40:1a:152d:82e8:ab72:980c ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
 


whfsdude
Premium
join:2003-04-05
Washington, DC
reply to JoelC707

LAN should not be DHCP6. It should be track interface (wan). Prefix id 0.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

That's the thing, I've gotten both the "9" and "1a" range on the LAN side so I wasn't sure which one it was supposed to be. Based on your pings below (and the fact pfSense picks ::1 from the "9" subnet, versus a random address from "1a" subnet), I think "9" is the one it should be.

I can't modify the DHCP6/RA server settings in pfSense since it isn't configured with a static address, so I assume any addresses my desktops are getting are being sent via an auto-configured RA mode in pfSense or via Comcast.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

said by JoelC707:

That's the thing, I've gotten both the "9" and "1a" range on the LAN side so I wasn't sure which one it was supposed to be. Based on your pings below (and the fact pfSense picks ::1 from the "9" subnet, versus a random address from "1a" subnet), I think "9" is the one it should be.

Set the LAN interface to the "track" interface setting and reboot the router. That should take care of the "1a" subnet problem.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Rebooted desktop, that cleared all old "1a" addresses out. Interestingly, according to Windows, I have Internet connectivity via IPv6 now (previously it showed "no internet access") so it must be able to resolve whatever test address it uses.

WAN: DHCP6, PD Size None
LAN: Track Interface, WAN, 0 - has the "9" address again.

Outbound "any any" rule via IPv6 and I even put it at the top of the list above all IPv4 rules just for the hell of it. Still being told I don't have IPv6 and can't ping Google's IPv6 DNS from my desktop (pfSense on the other hand, still CAN ping Google's IPv6 DNS).

Grrr..... must be some bug in the traceroute function of pfSense. Every time I do a traceroute there it locks up the GUI. Option 11 on console doesn't solve it either (reset webconfigurator), have to reboot. I'll upload screenshots as soon as I'm back up (and who knows, it may fix it, though I've rebooted before with no fix).


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

So option 11 worked this time. I'd rather not reboot pfSense if I can get away with it but if I have to I will.

Only showing 2601:0:ac:9:: addresses now. Still no IPv6 access to the internet from the desktop (other systems on my network are exhibiting the same behavior). I do have a Bellsouth DSL circuit and am using a MultiWAN for IPv4 as the outbound rules will show. I don't see why it would but would that cause any issues?

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Changed WAN prefix delegation from none to 64 and noticed my browsing was sluggish. Back when I was using a HE tunnel I would notice that if my IPv6 connectivity went down for some reason (browsers tend to prefer IPv6 IIRC and it would take time to fail out IPv6 and go back to IPv4). I refreshed the Google test page and it says I have IPv6 connectivity. Ran a ping test and still no go.

Reset the WAN interface PD to None to try and recreate the old settings, now it doesn't matter if I set it to None or 64 but I still can't get IPv6 connectivity (though it appears my browsing speed has returned to normal).

Looks like it was partially working for less than a minute. I don't know if me changing the PD setting fixed it this time or not (and if it did, why didn't setting it back to 64 "re-fix" it?).



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

WAN: DHCP6, PD Size None
LAN: Track Interface, WAN, 0 - has the "9" address again.

I am still going through the updates (stepped away for xmas dinner).

DHCP6 prefix size has to be set to /64. That would explain the oddness you were seeing when you tried to set the prefix id on the LAN interface.

Also one thing to keep in mind is that almost any v6 interface change in pfsense requires a reboot to work properly. I haven't poked around too much at the internals but I think it has to do with spawning the WIDE (yes they're using that) DHCP6 client/server.