JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to JoelC707

Re: [IPv6] Seeing two different LAN side ranges

Alright here is what I have done so far.

Made no interface changes and put in an IPv6 "any any" rule on WAN side. No changes.

Left WAN at "DHCP6, 64 PD" and changed LAN to "DHCP6, 64 PD". This got me the 2601:0:ac40:1a subnet on LAN interface instead of 2601:0:ac40:9::1. No change.

Changed WAN to "DHCP6, None for PD", left LAN as above. WAN interface is still /64 not /128 (not entirely sure this is as much an issue really). Still, no changes.

Left WAN as above and changed LAN back to "track interface, 0". I'm back to the 2601:0:ac40:9::1 address on LAN side but other than that, no changes.

At some point I have picked up both the "9" and "1a" addresses on my desktop. New screenshot attached showing current IP addresses on my desktop. ICMP is allowed through the firewall regardless of the "any any" rule being set or not and the Windows firewall is off. Can anyone ping any of those addresses?

I statically assigned the IPv6 DNS as I don't seem to be getting one from the RA assignment. This isn't really an issue because I do not want to use whatever DNS Comcast would send me, I run a Windows DC at home and will eventually point my desktop to it for DNS once I get this all sorted out.

For reference, the Google DNS 2001:4860:4860::8888 and this test: ipv6test.google.com/ are what I have been using to verify IPv6 connectivity on the desktop. I can ping/trace the Google DNS from the firewall so it's at least partially working.


whfsdude
Premium
join:2003-04-05
Washington, DC
reply to JoelC707
Looking at the screenshot, you've got addresses on your LAN outside of your routed /64. That could be the problem.

2601:0:ac40:9::/64 - Assigning via PD (according to your screenshot).

Yet you have a secondary address (2601:0:ac40:1a::/64) assigned on your PC outside of that /64.

Reboot the Windows machine and see if you still get that second incorrect address.

OT/Addressing DNS: To my knowledge RDNSS isn't supported via Windows and isn't configured on pfsense (so you can't push DNS via RA). You'll want to use "assisted" and set up DHCPv6 to push DNS in the future. I've had mixed success with DHCPv6 being started after a change so if you do DHCPv6 config changes, you'll want to reboot pfsense.
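Added example (editor's code, not from either poster): a small builder and parser for the two Router Advertisement pieces this post is about, the Prefix Information option (type 3) that hands the LAN its /64 and the RDNSS option (type 25) that would carry DNS servers over RA, plus the M/O flags that tell a host to go to DHCPv6 instead. Fed the ICMPv6 payload of a real RA captured on the LAN side (for example with `tcpdump -i <lan interface> -n -vv icmp6`, interface name assumed), it shows whether a prefix is being advertised, under which /64, and whether any DNS option is present at all. The packet here is constructed, the checksum is left at zero, and the prefix and resolver are the values mentioned in the thread.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134      # ICMPv6 type
OPT_PREFIX_INFO = 3         # RFC 4861 Prefix Information option
OPT_RDNSS = 25              # RFC 8106 Recursive DNS Server option
FLAG_MANAGED = 0x80         # RA "M" flag: get addresses via DHCPv6
FLAG_OTHER = 0x40           # RA "O" flag: get other config (e.g. DNS) via DHCPv6
PIO_ONLINK = 0x80           # PIO "L" flag: prefix is on-link
PIO_AUTONOMOUS = 0x40       # PIO "A" flag: hosts may SLAAC from this prefix


def build_ra(prefix, dns=(), managed=False, other=False):
    """Build a constructed RA (ICMPv6 payload only; checksum left at 0)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    # Prefix Information: option length 4 (= 32 bytes); lifetimes in seconds
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                       PIO_ONLINK | PIO_AUTONOMOUS, 2592000, 604800, 0)
    pkt += net.network_address.packed
    if dns:
        addrs = [ipaddress.IPv6Address(a).packed for a in dns]
        # RDNSS: option length is 1 + 2 per address (units of 8 bytes)
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(addrs), 0, 1800)
        pkt += b"".join(addrs)
    return pkt


def parse_ra(pkt):
    """Parse RA flags plus the PIO and RDNSS options out of an ICMPv6 RA payload."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _hop, flags, lifetime, _reach, _retrans = struct.unpack_from("!BBHII", pkt, 4)
    ra = {"managed": bool(flags & FLAG_MANAGED), "other": bool(flags & FLAG_OTHER),
          "router_lifetime": lifetime, "prefixes": [], "dns": [], "dns_lifetime": None}
    off = 16
    while off < len(pkt):
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        end = off + olen * 8
        if end > len(pkt):
            raise ValueError("option runs past end of packet")
        body = pkt[off + 2:end]
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append((f"{prefix}/{plen}",
                                   bool(pflags & PIO_AUTONOMOUS),
                                   bool(pflags & PIO_ONLINK)))
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            ra["dns_lifetime"] = struct.unpack_from("!I", body, 2)[0]
            for i in range(6, len(body), 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        # unknown option types are skipped, as RFC 4861 requires
        off = end
    return ra


if __name__ == "__main__":
    sample = build_ra("2601:0:ac40:9::/64", dns=["2001:4860:4860::8888"], other=True)
    print(parse_ra(sample))
```

A host that honours the O flag but ignores RDNSS (as the post says of Windows) would see the prefix from this RA but never learn the resolver, which is exactly the symptom that "assisted" mode plus a DHCPv6 server is meant to cover.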


whfsdude (reply to JoelC707)
said by JoelC707:

Can anyone ping any of those addresses?

$: ping6 -c 2 2601:0:ac40:9:152d:82e8:ab72:980c
PING6(56=40+8+8 bytes) 2001:559:0:84::2 --> 2601:0:ac40:9:152d:82e8:ab72:980c
16 bytes from 2601:0:ac40:9:152d:82e8:ab72:980c, icmp_seq=0 hlim=55 time=37.416 ms
16 bytes from 2601:0:ac40:9:152d:82e8:ab72:980c, icmp_seq=1 hlim=55 time=54.012 ms
 
--- 2601:0:ac40:9:152d:82e8:ab72:980c ping6 statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 37.416/45.714/54.012/8.298 ms
 

$: ping6 -c 2 2601:0:ac40:1a:152d:82e8:ab72:980c
PING6(56=40+8+8 bytes) 2001:559:0:84::2 --> 2601:0:ac40:1a:152d:82e8:ab72:980c
 
--- 2601:0:ac40:1a:152d:82e8:ab72:980c ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
 


whfsdude (reply to JoelC707)
LAN should not be DHCP6. It should be track interface (wan). Prefix id 0.

JoelC707 (reply to whfsdude)
That's the thing, I've gotten both the "9" and "1a" range on the LAN side so I wasn't sure which one it was supposed to be. Based on your pings below (and the fact pfSense picks ::1 from the "9" subnet, versus a random address from "1a" subnet), I think "9" is the one it should be.

I can't modify the DHCP6/RA server settings in pfSense since it isn't configured with a static address, so I assume any addresses my desktops are getting are being sent via an auto-configured RA mode in pfSense or via Comcast.


whfsdude
said by JoelC707:

That's the thing, I've gotten both the "9" and "1a" range on the LAN side so I wasn't sure which one it was supposed to be. Based on your pings below (and the fact pfSense picks ::1 from the "9" subnet, versus a random address from "1a" subnet), I think "9" is the one it should be.

Set the LAN interface to the "track" interface setting and reboot the router. That should take care of the "1a" subnet problem.

JoelC707
Rebooted desktop, that cleared all old "1a" addresses out. Interestingly, according to Windows, I have Internet connectivity via IPv6 now (previously it showed "no internet access") so it must be able to resolve whatever test address it uses.

WAN: DHCP6, PD Size None
LAN: Track Interface, WAN, 0 - has the "9" address again.

Outbound "any any" rule via IPv6 and I even put it at the top of the list above all IPv4 rules just for the hell of it. Still being told I don't have IPv6 and can't ping Google's IPv6 DNS from my desktop (pfSense on the other hand, still CAN ping Google's IPv6 DNS).

Grrr..... must be some bug in the traceroute function of pfSense. Every time I do a traceroute there it locks up the GUI. Option 11 on console doesn't solve it either (reset webconfigurator), have to reboot. I'll upload screenshots as soon as I'm back up (and who knows, it may fix it, though I've rebooted before with no fix).

JoelC707
[screenshots attached]
So option 11 worked this time. I'd rather not reboot pfSense if I can get away with it but if I have to I will.

Only showing 2601:0:ac40:9:: addresses now. Still no IPv6 access to the internet from the desktop (other systems on my network are exhibiting the same behavior). I do have a Bellsouth DSL circuit and am using a MultiWAN for IPv4 as the outbound rules will show. I don't see why it would but would that cause any issues?

JoelC707
Changed WAN prefix delegation from none to 64 and noticed my browsing was sluggish. Back when I was using an HE tunnel I would notice that if my IPv6 connectivity went down for some reason (browsers tend to prefer IPv6 IIRC and it would take time to fail out IPv6 and go back to IPv4). I refreshed the Google test page and it says I have IPv6 connectivity. Ran a ping test and still no go.

Reset the WAN interface PD to None to try and recreate the old settings, now it doesn't matter if I set it to None or 64 but I still can't get IPv6 connectivity (though it appears my browsing speed has returned to normal).

Looks like it was partially working for less than a minute. I don't know if me changing the PD setting fixed it this time or not (and if it did, why didn't setting it back to 64 "re-fix" it?).


whfsdude (reply to JoelC707)
said by JoelC707:

WAN: DHCP6, PD Size None
LAN: Track Interface, WAN, 0 - has the "9" address again.

I am still going through the updates (stepped away for xmas dinner).

DHCP6 prefix size has to be set to /64. That would explain the oddness you were seeing when you tried to set the prefix id on the LAN interface.

Also one thing to keep in mind is that almost any v6 interface change in pfsense requires a reboot to work properly. I haven't poked around too much at the internals but I think it has to do with spawning the WIDE (yes they're using that) DHCP6 client/server.


whfsdude (reply to JoelC707)
Can still ping your desktop.

ping6 -c 2 2601:0:ac40:9:152d:82e8:ab72:980c
PING6(56=40+8+8 bytes) 2001:559:0:84::2 --> 2601:0:ac40:9:152d:82e8:ab72:980c
16 bytes from 2601:0:ac40:9:152d:82e8:ab72:980c, icmp_seq=0 hlim=55 time=40.162 ms
 

Interestingly enough, I can't ping6 the Comcast interface. Assuming I got that address right from your last screenshot.

ping6 2001:558:6011:58:85e6:fc5d:6999:ebc9
PING6(56=40+8+8 bytes) 2001:559:0:84::2 --> 2001:558:6011:58:85e6:fc5d:6999:ebc9
^C
--- 2001:558:6011:58:85e6:fc5d:6999:ebc9 ping6 statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss
 

JoelC707 (reply to whfsdude)
No worries on any delay. I know it's Christmas. For that matter, thank you for even taking time to help me today (and that also goes for everyone else who has replied). We do most of our Christmas stuff on Christmas Eve because others in the family usually go do things at their respective churches on Christmas Day so it's usually a full day for them.

I thought I read somewhere in one of the early replies to set the WAN PD size to None instead of 64. I've tried both and neither seems to be the "fix". Currently it is set for 64 PD. I'll see if I can get an opening to reboot pfSense, Netflix is being used right now LOL.


whfsdude (reply to JoelC707)
Some thoughts of what might be useful in troubleshooting this.

Show routes via the GUI (System > Routing)

Via the CLI:

# look at the ND table
ndp -an

# do a tcpdump and see if you have outbound traffic leaving the WAN interface
tcpdump -i bge1 -n -v ip6
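Added example (editor's code, not from either poster) tying this post's `ndp -an` suggestion back to the earlier observation that LAN hosts were holding addresses outside the routed /64: it parses FreeBSD/pfSense-style `ndp -an` output, lists every global neighbor that falls outside the delegated prefix, and reports which MACs currently hold addresses under more than one /64 (a host that has not yet dropped a stale prefix). The table below is constructed, with made-up MAC addresses; the two prefixes are the ones from the thread.

```python
import ipaddress

# Constructed sample of `ndp -an` output (pfSense/FreeBSD layout). Not a real capture.
SAMPLE_NDP = """\
Neighbor                             Linklayer Address  Netif Expire    S Flags
2601:0:ac40:9::1                     00:0c:29:aa:bb:cc    em1 permanent R
fe80::20c:29ff:feaa:bbcc%em1         00:0c:29:aa:bb:cc    em1 permanent R
2601:0:ac40:9:152d:82e8:ab72:980c    d4:be:d9:11:22:33    em1 23h59m58s S
2601:0:ac40:1a:152d:82e8:ab72:980c   d4:be:d9:11:22:33    em1 23h58m10s S
2601:0:ac40:1a::1                    00:0c:29:aa:bb:cc    em1 permanent R
"""


def parse_ndp(text):
    """Parse `ndp -an` lines into dicts; skips the header and anything unparseable."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Neighbor":
            continue
        addr_str = parts[0].split("%", 1)[0]      # strip the %em1 zone id on link-locals
        try:
            addr = ipaddress.IPv6Address(addr_str)
        except ValueError:
            continue
        entries.append({"addr": addr, "mac": parts[1],
                        "netif": parts[2], "expire": parts[3]})
    return entries


def foreign_neighbors(text, delegated):
    """Neighbor addresses that are neither link-local nor inside the delegated prefix."""
    net = ipaddress.IPv6Network(delegated)
    return [str(e["addr"]) for e in parse_ndp(text)
            if not e["addr"].is_link_local and e["addr"] not in net]


def hosts_with_two_prefixes(text):
    """MACs that hold global addresses under more than one /64 (stale prefix not yet dropped)."""
    seen = {}
    for e in parse_ndp(text):
        if e["addr"].is_link_local:
            continue
        prefix = ipaddress.IPv6Network(f"{e['addr']}/64", strict=False)
        seen.setdefault(e["mac"], set()).add(str(prefix))
    return {mac: sorted(p) for mac, p in seen.items() if len(p) > 1}


if __name__ == "__main__":
    print("outside delegated /64:", foreign_neighbors(SAMPLE_NDP, "2601:0:ac40:9::/64"))
    print("hosts on two prefixes:", hosts_with_two_prefixes(SAMPLE_NDP))
```

Pipe a live table in with `ndp -an | python3 thisfile.py` after replacing SAMPLE_NDP with `sys.stdin.read()`; anything listed by `foreign_neighbors` is traffic the upstream will not route back, and the second function shows which machines still need a reboot or a prefix expiry before the old addresses go away.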

JoelC707 (reply to whfsdude)
[screenshot attached]
No idea what's up with that. I compared segment for segment, you pinged the right address. Is it because the ICMP firewall rule is set to IPv4 + IPv6? I assumed that was an easy way to add similar rules for both versions to the same host (so you don't have to duplicate a bunch of rules).


whfsdude (reply to JoelC707)
said by JoelC707:

I thought I read somewhere in one of the early replies to set the WAN PD size to None instead of 64. I've tried both and neither seems to be the "fix". Currently it is set for 64 PD. I'll see if I can get an opening to reboot pfSense, Netflix is being used right now LOL.

Just wait until the next Amazon outage (should be shortly)

Prefix Delegation Size is what your DHCP6 client requests for any routed prefixes. This is always done on WAN.

When you do a "Track Interface", all you're specifying to pfsense is to say "I want to use a routed subnet." Prefix ID 0 is just "give me the 0th (first) subnet you have." Since it's a /64, you just have one subnet to play with.
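Added example (editor's code, not from the thread) of the arithmetic behind the last two paragraphs: given the delegated prefix size requested on WAN and the Prefix ID entered on a tracking LAN interface, it returns the /64 that interface gets, and refuses IDs that do not fit. With a /64 delegation only ID 0 exists, which is why a non-zero ID on the LAN misbehaves; a larger delegation (the /60 and /56 below are illustrative values, not what this ISP hands out) is what makes IDs above 0 meaningful.

```python
import ipaddress


def lan_subnet_count(delegated, lan_len=64):
    """How many /64s a delegation of this size can be carved into."""
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen > lan_len:
        raise ValueError(f"{pd} is smaller than a /{lan_len}; nothing to route to a LAN")
    return 1 << (lan_len - pd.prefixlen)


def lan_prefix_for_id(delegated, prefix_id, lan_len=64):
    """The /64 that 'Track Interface' with this Prefix ID selects from the delegation.

    prefix_id is the hex value the tracking interface asks for; 0 is the first subnet.
    """
    pd = ipaddress.IPv6Network(delegated)
    count = lan_subnet_count(delegated, lan_len)
    if not 0 <= prefix_id < count:
        raise ValueError(
            f"Prefix ID {prefix_id:x} does not fit: {pd} holds {count} /{lan_len}(s), "
            f"valid IDs are 0..{count - 1:x}")
    # shift the ID into the bits between the delegated length and the LAN length
    base = int(pd.network_address) + (prefix_id << (128 - lan_len))
    return ipaddress.IPv6Network((base, lan_len))


if __name__ == "__main__":
    print(lan_prefix_for_id("2601:0:ac40:9::/64", 0))        # the thread's /64, ID 0
    print(lan_subnet_count("2001:db8:1::/60"))                # 16 LAN-sized subnets
    print(lan_prefix_for_id("2001:db8:1::/60", 0xa))           # 2001:db8:1:a::/64
```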


whfsdude (reply to JoelC707)
said by JoelC707:

No idea what's up with that. I compared segment for segment, you pinged the right address. Is it because the ICMP firewall rule is set to IPv4 + IPv6? I assumed that was an easy way to add similar rules for both versions to the same host (so you don't have to duplicate a bunch of rules).

Could be a GUI bug (hopefully). Try adding two distinct rules for both v4 and v6.

Edit: I've left an open ping on your WAN address. Will let you know if it becomes pingable.


whfsdude (reply to JoelC707)
Success!

16 bytes from 2001:558:6011:58:85e6:fc5d:6999:ebc9, icmp_seq=447 hlim=57 time=21.879 ms

JoelC707 (reply to whfsdude)
[screenshots attached]
No static routes in place but I did screenshots of each tab for you.

ND table still shows some "1a" addresses in it. May or may not be the cause, but they're certainly not helping things, that's for sure.

Tcpdump shows IPv6 traffic from what I can tell. Did a screenshot of the last page after ctrl-c.

Side note: even though they have alternate file extensions (.png in this case), this site won't accept uploads with the name "ping" and "tcpdump", it kicks back an internal server error. Wonder what else I can get it to kick back with LOL.

Also, I split the ICMP rules into separate v4/v6 rules. Give the ping a try again.

JoelC707 (reply to whfsdude)
said by whfsdude:

Just wait until the next Amazon outage (should be shortly)

I assume you mean Netflix? Funny you mention that though, they had some funky outage last night. Our 4-year-old fell asleep at 8-9 or so and woke up at about 11. Couldn't get her to go back to sleep till after 2 (and we didn't want to go to sleep until she did, just in case lol). Netflix on the TV kept failing to connect.

Tried their support page and found this Mortal Kombat style combo code (no kidding, check it for yourself: support.netflix.com/en/node/461#gsc.tab=0. Then click the first link for the Smart TV) to disconnect and reconnect the TV to Netflix. Got it disconnected but it still wouldn't communicate to reconnect. Then the "my account" page kept throwing up an error (Netflix error, not browsing error). Surprisingly I could watch stuff from my computer so we just watched it that way.


whfsdude (reply to JoelC707)
said by JoelC707:

Also, I split the ICMP rules into separate v4/v6 rules. Give the ping a try again.

Not sure if you saw above but ICMP is all set now. I'll probably file a bug report for that w/pfsense if there isn't one already.

ND table looks good. The reason you have the other addresses is because some machines on your LAN probably haven't dropped the prefix yet.

tcpdump is good but doesn't show any traffic from the LAN. You'll want to run it when you do something like the v6 test page.

I am suggesting the tcpdump route as I don't see anything wrong with your config at this point.


whfsdude (reply to JoelC707)
said by JoelC707:

I assume you mean Netflix? Funny you mention that though, they had some funky outage last night. Our 4-year-old fell asleep at 8-9 or so and woke up at about 11. Couldn't get her to go back to sleep till after 2 (and we didn't want to go to sleep until she did, just in case lol). Netflix on the TV kept failing to connect.

Yeah - bit me as I was trying to watch Arrested Development last night. It was related to Amazon AWS' Elastic Load Balancer. Netflix uses Amazon for everything but the actual streaming part of their service. Browsing and selecting movies is done via AWS instances.

gigaom.com/video/netflix-down-xmas-eve/

JoelC707 (reply to whfsdude)
It scrolls past at a pretty good rate so I'm not sure if I could catch anything in a screen shot. I think what I'll do then is reboot pfSense as soon as I can and see if that solves it now that we have everything else squared away.

JoelC707 (reply to whfsdude)
Interesting info. I never knew Netflix used Amazon's services for their infrastructure. Makes sense the actual streaming would still come from Netflix since Amazon has a competing product but there's nothing stopping Netflix or another provider from leveraging Amazon's massive server infrastructure.

JoelC707 (reply to whfsdude)
Rebooted pfSense. No change

Here's something. What snapshot are you or anyone else running? I'm on the latest (Dec 19th) snap, but you or someone mentioned in another thread I read that a regression is always possible. Maybe I need to downgrade. It'll mean recreating a bunch of firewall rules but I could just blow away and recreate it from scratch (might have to do that anyway if I downgrade as I don't know what importing config settings would do).

I'm really at a loss here. I don't know if it's pfSense or my network. I've used IPv6 before via an HE tunnel so nothing funky in the switches or anything should be messing with it. They are web managed switches (one D-Link, one Dell) but I haven't seen anything IPv6 related in them.


whfsdude (reply to JoelC707)
2.1-BETA1 (amd64)
built on Wed Dec 19 15:46:29 EST 2012
FreeBSD 8.3-RELEASE-p5

But I'm not running PD anymore as I've got all static ranges

The only other suggestion I can think of is when you allowed any traffic on the "Comcast" firewall rule, was it also set to IPv4+IPv6?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to JoelC707
There are more recent snapshots here:

»snapshots.pfsense.org/FreeBSD_RE···?C=M;O=D

JoelC707 (reply to whfsdude)
I started with that image you're using, another got released a few hours later (mine has 19:19:47 as the time stamp) and I upgraded to it. For that matter, would an upgrade have broken this?

The Comcast "any any" rule was IPv6 only. I have re-enabled it and it made no difference.

JoelC707 (reply to graysonf)
Aha it was set to check against the release server not the snapshots server. I just assumed they took a break from updates for Christmas or something. Before I contemplate blowing this away and starting fresh, I'm gonna try an update and see what I can make it do with a newer snapshot (at least with an update I don't have to recreate a bunch of rules and such lol).


graysonf
You can save your current configuration file at any time and restore it later into your next install. No need to recreate anything from scratch.

JoelC707
Yeah but I'm worried there might be something hidden that is messing this up and restoring the config would restore the fault too. I guess I don't really see what that might be since everything else says it should be working but I'm stumped at this point.