On May 14, 2014, at 2:51 AM, R. Svejda <r...@balsec.com> wrote:

> Hi Chris
>
> generally full agreement with your suggestion, but that's not my problem.
> Same IPv6 setup works well with the very same computer in 2nd network
> environment, only difference is only the WAN link on the 2nd pfsense.
>
> In my case, I assume that:
> - client sends to IPv6 gateway on link-local address
> - link-local address is used by multiple devices
> - default route for IPv6 is HE tunnel (through gif0 interface)
> - But: pppoe2 interface (in very same link-local address!) has an own IPv6
>   gateway which is not working ..
>
> I am not a network pro and above thoughts might be wrong, but that's how I
> see it now ...
>
> PS1: Most "problematic" (reliably failing) page in bad IPv6 setup is
> "de.wikipedia.org" (never checked if en.wikipedia.org has the same problem)
> PS2: Ubuntu "apt-get update && upgrade" fail as well! it's not only web
> access.
>

OK. So get on the client machine that’s failing and work from there. dig, dig -6, ping, ping6, etc. Web browser can connect to v6 using [v6address], etc.

$ dig de.wikipedia.org a

; <<>> DiG 9.8.3-P1 <<>> de.wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13968
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;de.wikipedia.org.              IN      A

;; ANSWER SECTION:
de.wikipedia.org.               3070    IN      CNAME   wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org.     17      IN      CNAME   text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org.    641     IN      A       198.35.26.96

;; AUTHORITY SECTION:
wikimedia.org.                  31413   IN      NS      ns0.wikimedia.org.
wikimedia.org.                  31413   IN      NS      ns1.wikimedia.org.
wikimedia.org.                  31413   IN      NS      ns2.wikimedia.org.

;; ADDITIONAL SECTION:
ns2.wikimedia.org.              976     IN      A       91.198.174.239
ns0.wikimedia.org.              1219    IN      A       208.80.154.238
ns1.wikimedia.org.              976     IN      A       208.80.152.214

;; Query time: 26 msec
;; SERVER: 192.168.223.1#53(192.168.223.1)
;; WHEN: Wed May 14 08:39:49 2014
;; MSG SIZE  rcvd: 217

$ dig -6 de.wikipedia.org a

; <<>> DiG 9.8.3-P1 <<>> -6 de.wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34558
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;de.wikipedia.org.              IN      A

;; ANSWER SECTION:
de.wikipedia.org.               3063    IN      CNAME   wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org.     10      IN      CNAME   text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org.    634     IN      A       198.35.26.96

;; Query time: 1 msec
;; SERVER: 2001:470:f00e:223::1#53(2001:470:f00e:223::1)
;; WHEN: Wed May 14 08:39:57 2014
;; MSG SIZE  rcvd: 131

$ dig de.wikipedia.org aaaa

; <<>> DiG 9.8.3-P1 <<>> de.wikipedia.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29135
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;de.wikipedia.org.              IN      AAAA

;; ANSWER SECTION:
de.wikipedia.org.               68      IN      CNAME   wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org.     401     IN      CNAME   text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org.    3401    IN      AAAA    2620:0:863:ed1a::1

;; Query time: 45 msec
;; SERVER: 192.168.223.1#53(192.168.223.1)
;; WHEN: Wed May 14 08:40:10 2014
;; MSG SIZE  rcvd: 127

$ dig -6 de.wikipedia.org aaaa

; <<>> DiG 9.8.3-P1 <<>> -6 de.wikipedia.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;de.wikipedia.org.              IN      AAAA

;; ANSWER SECTION:
de.wikipedia.org.               59      IN      CNAME   wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org.     392     IN      CNAME   text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org.    3392    IN      AAAA    2620:0:863:ed1a::1

;; Query time: 1 msec
;; SERVER: 2001:470:f00e:223::1#53(2001:470:f00e:223::1)
;; WHEN: Wed May 14 08:40:19 2014
;; MSG SIZE  rcvd: 143

$ ping 198.35.26.96
PING 198.35.26.96 (198.35.26.96): 56 data bytes
64 bytes from 198.35.26.96: icmp_seq=0 ttl=55 time=32.231 ms
64 bytes from 198.35.26.96: icmp_seq=1 ttl=55 time=32.145 ms
^C
--- 198.35.26.96 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 32.145/32.188/32.231/0.043 ms

$ ping6 2620:0:863:ed1a::1
PING6(56=40+8+8 bytes) 2001:470:f00e:223:a59c:3e5f:5ada:59bd --> 2620:0:863:ed1a::1
16 bytes from 2620:0:863:ed1a::1, icmp_seq=0 hlim=58 time=71.956 ms
16 bytes from 2620:0:863:ed1a::1, icmp_seq=1 hlim=58 time=110.577 ms
^C
--- 2620:0:863:ed1a::1 ping6 statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/std-dev = 71.956/91.267/110.577/19.310 ms

I can point my browser at http://198.35.26.96/ or http://[2620:0:863:ed1a::1] and I get the wikimedia “domain not configured” page for both. That’s expected (HTTP 1.1) and indicates it’s all working as it should.

Note that the nameserver at 192.168.223.1/2001:470:f00e:223::1 is pfsense 2.1.3 with an IPv4 connection and an HE tunnel over that.

What do you get?

See Also: www.whatismyipv6.com

> regards, Radim
>
>
> On 14/05/14 10:06, Chris L wrote:
>> Instead of generic, local ifconfig information, it might be more beneficial
>> to concentrate on a specific site that isn’t working and work back from
>> there.
>>
>> If you fix one, you might just fix them all.
>>
>> In dual-stack, I have found that the problem is usually receiving a good
>> AAAA record when querying DNS but not having a good v6 route. Your browser
>> does the right thing, trying v6 first, gets a good DNS response, but can’t
>> get there.
>>
>> This is what I experience when my IP address changes. It doesn’t happen
>> often, maybe every eight months or so, but it trashes my HE tunnel until I
>> get it reconfigured. This is because IPv4 nameservers can give good AAAA
>> answers. But then there’s no IPv6 route. The IPv4 nameserver has no idea
>> whether you have a good IPv6 route. It receives an AAAA resolution request
>> and dutifully obliges.
>>
>> My client computers have no idea the HE tunnel is dead. They ask if there’s
>> an IPv6 router on the segment, get a response, and think everything is
>> hunky-dory so they ask for AAAA records first. They get a good response,
>> and try to connect. But the Internetv6 is down. :(
>>
>> On May 14, 2014, at 12:47 AM, R.Sv. <r...@balsec.com> wrote:
>>
>>> Dear all
>>>
>>> Started to play around with IPv6 with my Swiss provider (VTX, not yet
>>> officially supporting IPv6) and HE.net IPv6 Tunnel.
>>>
>>> IPv6 works, but not correctly, some web pages do not load at all or never
>>> end to finish loading. I guess because some routing problem. Looking at
>>> "ifconfig" I have 2 questions:
>>>
>>> 1) Why do vr0, vr1_vlan, pppoe2 and gif0 interfaces have the same
>>> link-local address?
>>> 2) Why does pppoe2 have an official IPv6 address (in GUI/Status/Interfaces
>>> it displays as Gateway IPv6)
>>>
>>> On the box, IPv6 is on
>>> On WAN interface: IPv4 Config Type: PPPoE; IPv6 Config Type: None
>>>
>>> With Config-Type=None I would expect no IPv6 configuration at all, except
>>> a link-local address.
>>> I already tried other IPv6 config types for WAN, but result is always the
>>> same. I have not yet contacted the provider.
>>>
>>> The multiple and for me weird distribution of link-local addresses is
>>> probably my missing knowledge ....
>>> But the IPv6 gateway on pppoe without having a routable IPv6 behind the
>>> link is the problem! How can I prevent/delete that interface and routing
>>> setting?
>>>
>>> Setup:
>>> provider <-> pppoe2 <-> vr1_vlan11 <-> WAN
>>> pfsense <-> WAN <-> vr1_vlan11 <-> pppoe2 <-> provider (VTX)
>>> pfsense <-> IPV6HE <-> gif0<-> WAN<-> tunnel-to-ipv6 (HE)
>>>
>>> A very similar setup where WAN is a static address (private address/DMZ)
>>> works without a problem. The problem is not the IPv6 tunnel setup.
>>>
>>> ifconfig | grep inet6:
>>> --------------------------------------------------
>>> [2.1.3-RELEASE][r...@pfs0097.xxx.ch]/root(2): ifconfig | grep inet6
>>>     inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
>>>     inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
>>>     inet6 ::1 prefixlen 128
>>>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
>>>     inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
>>>     inet6 fe80::20d:b9ff:fe1c:b04%pppoe2 prefixlen 64 scopeid 0x8
>>>     inet6 2001:4c78:bee0:413:20d:b9ff:fe1c:b04 prefixlen 64 autoconf
>>>     inet6 2001:470:25:8c::2 --> 2001:470:25:8c::1 prefixlen 128
>>>     inet6 fe80::20d:b9ff:fe1c:b04%gif0 prefixlen 64 scopeid 0x9
>>>
>>>
>>> ifconfig:
>>> --------------------------------------------------
>>> [2.1.3-RELEASE][r...@pfs0097.xxx.ch]/root(1): ifconfig
>>> vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>     options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
>>>     ether 00:0d:b9:1c:0b:04
>>>     inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
>>>     inet 172.28.58.1 netmask 0xffffff00 broadcast 172.28.58.255
>>>     nd6 options=1<PERFORMNUD>
>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>     status: active
>>> vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>     options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
>>>     ether 00:0d:b9:1c:0b:05
>>>     inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
>>>     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>     status: active
>>> enc0: flags=0<> metric 0 mtu 1536
>>> pflog0: flags=100<PROMISC> metric 0 mtu 33192
>>> pfsync0: flags=0<> metric 0 mtu 1460
>>>     syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>>>     options=3<RXCSUM,TXCSUM>
>>>     inet 127.0.0.1 netmask 0xff000000
>>>     inet6 ::1 prefixlen 128
>>>     inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
>>>     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>> vr1_vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>>     ether 00:0d:b9:1c:0b:05
>>>     inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
>>>     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>>     media: Ethernet autoselect (100baseTX <full-duplex>)
>>>     status: active
>>>     vlan: 11 vlanpcp: 0 parent interface: vr1
>>> pppoe2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
>>>     inet6 fe80::20d:b9ff:fe1c:b04%pppoe2 prefixlen 64 scopeid 0x8
>>>     inet 83.228.149.226 --> 212.147.11.51 netmask 0xffffffff
>>>     inet6 2001:4c78:bee0:413:20d:b9ff:fe1c:b04 prefixlen 64 autoconf
>>>     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
>>>     tunnel inet 83.228.149.226 --> 216.66.80.98
>>>     inet6 2001:470:YYY:8c::2 --> 2001:470:YYY:8c::1 prefixlen 128
>>>     inet6 fe80::20d:b9ff:fe1c:b04%gif0 prefixlen 64 scopeid 0x9
>>>     nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
>>>     options=1<ACCEPT_REV_ETHIP_VER>
>>> _______________________________________________
>>> List mailing list
>>> List@lists.pfsense.org
>>> https://lists.pfsense.org/mailman/listinfo/list
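
The per-family check described in this thread (a good AAAA answer but no working IPv6 path), as an added example that is not part of the original messages: it resolves and connects separately for IPv4 and IPv6, the way dig a / dig aaaa and ping / ping6 are used above. The function names, the TCP port 80 probe and the 3 second timeout are assumptions of this sketch; it uses only the Python standard library.

```python
import socket
import sys

# Families are checked independently, like dig a / dig aaaa and ping / ping6.
FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def resolve(host, family):
    """Return the addresses the system resolver gives for one family."""
    try:
        infos = socket.getaddrinfo(host, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def can_connect(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes before the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_host(host, port=80, resolver=resolve, connector=can_connect):
    """Test name resolution and TCP reachability separately per family."""
    report = {}
    for name, family in FAMILIES.items():
        addrs = resolver(host, family)
        report[name] = {"addresses": addrs,
                        "reachable": [a for a in addrs if connector(a, port)]}
    return report

def verdict(report):
    """Classify the result; the first case is the one described in the thread."""
    v4, v6 = report["IPv4"], report["IPv6"]
    if v6["addresses"] and not v6["reachable"]:
        if v4["reachable"]:
            return "AAAA resolves, IPv6 unreachable, IPv4 works"
        return "AAAA resolves, nothing reachable"
    if not v6["addresses"]:
        return "no AAAA answer"
    return "IPv6 TCP connect succeeds"

if __name__ == "__main__":
    # The hostname from the thread is only the default; pass another as argv[1].
    result = check_host(sys.argv[1] if len(sys.argv) > 1 else "de.wikipedia.org")
    for family_name, data in result.items():
        print(family_name, data)
    print(verdict(result))
```

A completed TCP handshake only shows that a route exists in both directions; it does not prove that full-size packets pass through the tunnel.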