On 14/05/14 17:55, Chris L wrote:
On May 14, 2014, at 2:51 AM, R. Svejda <r...@balsec.com> wrote:
Hi Chris
generally full agreement with your suggestion, but that's not my problem. Same
IPv6 setup works well with the very same computer in 2nd network environment,
the only difference is the WAN link on the 2nd pfsense.
In my case, I assume that:
- client sends to IPv6 gateway on link-local address
- link-local address is used by multiple devices
- default route for IPv6 is HE tunnel (through gif0 interface)
- But: pppoe2 interface (in very same link-local address!) has an own IPv6
gateway which is not working ..
I am not a network pro and above thoughts might be wrong, but that's how I see
it now ...
PS1: Most "problematic" (reliably failing) page in bad IPv6 setup is
"de.wikipedia.org" (never checked if en.wikipedia.org has the same problem)
PS2: Ubuntu "apt-get update && upgrade" fail as well! it's not only web access.
OK. So get on the client machine that’s failing and work from there. dig, dig
-6, ping, ping6, etc. Web browser can connect to v6 using [v6address], etc.
$ dig de.wikipedia.org a
; <<>> DiG 9.8.3-P1 <<>> de.wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13968
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;de.wikipedia.org. IN A
;; ANSWER SECTION:
de.wikipedia.org. 3070 IN CNAME wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org. 17 IN CNAME text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org. 641 IN A 198.35.26.96
;; AUTHORITY SECTION:
wikimedia.org. 31413 IN NS ns0.wikimedia.org.
wikimedia.org. 31413 IN NS ns1.wikimedia.org.
wikimedia.org. 31413 IN NS ns2.wikimedia.org.
;; ADDITIONAL SECTION:
ns2.wikimedia.org. 976 IN A 91.198.174.239
ns0.wikimedia.org. 1219 IN A 208.80.154.238
ns1.wikimedia.org. 976 IN A 208.80.152.214
;; Query time: 26 msec
;; SERVER: 192.168.223.1#53(192.168.223.1)
;; WHEN: Wed May 14 08:39:49 2014
;; MSG SIZE rcvd: 217
$ dig -6 de.wikipedia.org a
; <<>> DiG 9.8.3-P1 <<>> -6 de.wikipedia.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34558
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;de.wikipedia.org. IN A
;; ANSWER SECTION:
de.wikipedia.org. 3063 IN CNAME wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org. 10 IN CNAME text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org. 634 IN A 198.35.26.96
;; Query time: 1 msec
;; SERVER: 2001:470:f00e:223::1#53(2001:470:f00e:223::1)
;; WHEN: Wed May 14 08:39:57 2014
;; MSG SIZE rcvd: 131
$ dig de.wikipedia.org aaaa
; <<>> DiG 9.8.3-P1 <<>> de.wikipedia.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29135
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;de.wikipedia.org. IN AAAA
;; ANSWER SECTION:
de.wikipedia.org. 68 IN CNAME wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org. 401 IN CNAME text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org. 3401 IN AAAA 2620:0:863:ed1a::1
;; Query time: 45 msec
;; SERVER: 192.168.223.1#53(192.168.223.1)
;; WHEN: Wed May 14 08:40:10 2014
;; MSG SIZE rcvd: 127
$ dig -6 de.wikipedia.org aaaa
; <<>> DiG 9.8.3-P1 <<>> -6 de.wikipedia.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21900
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;de.wikipedia.org. IN AAAA
;; ANSWER SECTION:
de.wikipedia.org. 59 IN CNAME wikipedia-lb.wikimedia.org.
wikipedia-lb.wikimedia.org. 392 IN CNAME text-lb.ulsfo.wikimedia.org.
text-lb.ulsfo.wikimedia.org. 3392 IN AAAA 2620:0:863:ed1a::1
;; Query time: 1 msec
;; SERVER: 2001:470:f00e:223::1#53(2001:470:f00e:223::1)
;; WHEN: Wed May 14 08:40:19 2014
;; MSG SIZE rcvd: 143
$ ping 198.35.26.96
PING 198.35.26.96 (198.35.26.96): 56 data bytes
64 bytes from 198.35.26.96: icmp_seq=0 ttl=55 time=32.231 ms
64 bytes from 198.35.26.96: icmp_seq=1 ttl=55 time=32.145 ms
^C
--- 198.35.26.96 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 32.145/32.188/32.231/0.043 ms
$ ping6 2620:0:863:ed1a::1
PING6(56=40+8+8 bytes) 2001:470:f00e:223:a59c:3e5f:5ada:59bd -->
2620:0:863:ed1a::1
16 bytes from 2620:0:863:ed1a::1, icmp_seq=0 hlim=58 time=71.956 ms
16 bytes from 2620:0:863:ed1a::1, icmp_seq=1 hlim=58 time=110.577 ms
^C
--- 2620:0:863:ed1a::1 ping6 statistics ---
3 packets transmitted, 2 packets received, 33.3% packet loss
round-trip min/avg/max/std-dev = 71.956/91.267/110.577/19.310 ms
I can point my browser at http://198.35.26.96/ or http://[2620:0:863:ed1a::1]
and I get the wikimedia “domain not configured” page for both. That’s expected
(HTTP 1.1) and indicates it’s all working as it should. Note that the
nameserver at 192.168.223.1/2001:470:f00e:223::1 is pfsense 2.1.3 with an IPv4
connection and an HE tunnel over that.
What do you get?
See Also: www.whatismyipv6.com
Hi Chris
that's the wrong path. Same client is working perfectly in Main Office.
No difference except for the WAN interface (pppoe at home office; static
with another upstream firewall at main office).
1)
Why is pppoe interface getting an IPv6 gateway assigned - in pfsense
settings, IPv6 is marked as NONE on WAN interface!
2)
Why do the interfaces vr0, pppoe2, gif0 and vr1_vlan11 all have the same
link-local address? Especially vr1_vlan11 has the same link-local address
as the device vr0 while vr1 has a different one!
IPv4 connection is on pppoe2 / vr1_vlan
IPv6 connection is on gif0
LAN is vr0
Anybody a hint? How can I disable or remove IPv6 config from pppoe/WAN?
Radim
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>> old stuff, wrong order, sorry:
regards, Radim
On 14/05/14 10:06, Chris L wrote:
Instead of generic, local ifconfig information, it might be more beneficial to
concentrate on a specific site that isn’t working and work back from there.
If you fix one, you might just fix them all.
In dual-stack, I have found that the problem is usually receiving a good AAAA
record when querying DNS but not having a good v6 route. Your browser does the
right thing, trying v6 first, gets a good DNS response, but can’t get there.
This is what I experience when my IP address changes. It doesn’t happen often,
maybe every eight months or so, but it trashes my HE tunnel until I get it
reconfigured. This is because IPv4 nameservers can give good AAAA answers. But
then there’s no IPv6 route. The IPv4 nameserver has no idea whether you have a
good IPv6 route. It receives an AAAA resolution request and dutifully obliges.
My client computers have no idea the HE tunnel is dead. They ask if there’s an
IPv6 router on the segment, get a response, and think everything is hunky-dory
so they ask for AAAA records first. They get a good response, and try to
connect. But the Internetv6 is down. :(
On May 14, 2014, at 12:47 AM, R.Sv. <r...@balsec.com> wrote:
Dear all
Started to play around with IPv6 with my Swiss provider (VTX, not yet
officially supporting IPv6) and HE.net IPv6 Tunnel.
IPv6 works, but not correctly, some web pages do not load at all or never finish
loading. I guess because of some routing problem. Looking at "ifconfig" I have 2
questions:
1) Why do vr0, vr1_vlan, pppoe2 and gif0 interfaces have the same link-local
address?
2) Why does pppoe2 have an official IPv6 address (in GUI/Status/Interfaces it
displays as Gateway IPv6)
On the box, IPv6 is on
On WAN interface: IPv4 Config Type: PPPoE; IPv6 Config Type: None
With Config-Type=None I would expect no IPv6 configuration at all, except a
link-local address.
I already tried other IPv6 config types for WAN, but result is always the same.
I have not yet contacted the provider.
The multiple and for me weird distribution of link-local addresses is probably
my missing knowledge ....
But the IPv6 gateway on pppoe without having a routable IPv6 behind the link is
the problem! How can I prevent/delete that interface and routing setting?
Setup:
provider <-> pppoe2 <-> vr1_vlan11 <-> WAN
pfsense <-> WAN <-> vr1_vlan11 <-> pppoe2 <-> provider (VTX)
pfsense <-> IPV6HE <-> gif0<-> WAN<-> tunnel-to-ipv6 (HE)
A very similar setup where WAN is a static address (private address/DMZ) works
without a problem. The problem is not the IPv6 tunnel setup.
ifconfig | grep inet6:
--------------------------------------------------
[2.1.3-RELEASE][r...@pfs0097.xxx.ch]/root(2): ifconfig | grep inet6
inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
inet6 fe80::20d:b9ff:fe1c:b04%pppoe2 prefixlen 64 scopeid 0x8
inet6 2001:4c78:bee0:413:20d:b9ff:fe1c:b04 prefixlen 64 autoconf
inet6 2001:470:25:8c::2 --> 2001:470:25:8c::1 prefixlen 128
inet6 fe80::20d:b9ff:fe1c:b04%gif0 prefixlen 64 scopeid 0x9
ifconfig:
--------------------------------------------------
[2.1.3-RELEASE][r...@pfs0097.xxx.ch]/root(1): ifconfig
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
ether 00:0d:b9:1c:0b:04
inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
inet 172.28.58.1 netmask 0xffffff00 broadcast 172.28.58.255
nd6 options=1<PERFORMNUD>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8280b<RXCSUM,TXCSUM,VLAN_MTU,WOL_UCAST,WOL_MAGIC,LINKSTATE>
ether 00:0d:b9:1c:0b:05
inet6 fe80::20d:b9ff:fe1c:b05%vr1 prefixlen 64 scopeid 0x2
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
enc0: flags=0<> metric 0 mtu 1536
pflog0: flags=100<PROMISC> metric 0 mtu 33192
pfsync0: flags=0<> metric 0 mtu 1460
syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
vr1_vlan11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:0d:b9:1c:0b:05
inet6 fe80::20d:b9ff:fe1c:b04%vr1_vlan11 prefixlen 64 scopeid 0x7
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vlan: 11 vlanpcp: 0 parent interface: vr1
pppoe2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu
1492
inet6 fe80::20d:b9ff:fe1c:b04%pppoe2 prefixlen 64 scopeid 0x8
inet 83.228.149.226 --> 212.147.11.51 netmask 0xffffffff
inet6 2001:4c78:bee0:413:20d:b9ff:fe1c:b04 prefixlen 64 autoconf
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
tunnel inet 83.228.149.226 --> 216.66.80.98
inet6 2001:470:YYY:8c::2 --> 2001:470:YYY:8c::1 prefixlen 128
inet6 fe80::20d:b9ff:fe1c:b04%gif0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
options=1<ACCEPT_REV_ETHIP_VER>
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
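
Added example, not part of the original thread: a small parser for FreeBSD-style ifconfig output in the layout posted above. It lists interfaces that have ACCEPT_RTADV set and carry an autoconf (router-advertisement-derived) address, and link-local addresses that appear on more than one interface. The sample input is constructed and uses the documentation prefix 2001:db8::/32; the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of the ifconfig output in the thread
# (documentation prefix 2001:db8::/32, not the poster's addresses).
SAMPLE = """\
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
inet6 fe80::20d:b9ff:fe1c:b04%vr0 prefixlen 64 scopeid 0x1
nd6 options=1<PERFORMNUD>
pppoe2: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu
1492
inet6 fe80::20d:b9ff:fe1c:b04%pppoe2 prefixlen 64 scopeid 0x8
inet6 2001:db8:bee0:413:20d:b9ff:fe1c:b04 prefixlen 64 autoconf
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
inet6 2001:db8:25:8c::2 --> 2001:db8:25:8c::1 prefixlen 128
inet6 fe80::20d:b9ff:fe1c:b04%gif0 prefixlen 64 scopeid 0x9
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
"""

def parse_ifconfig(text):
    """Return {ifname: {"inet6": [(addr, is_autoconf)], "nd6": {flags}}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].endswith(":") and len(parts) > 1 and parts[1].startswith("flags="):
            cur = ifaces.setdefault(parts[0][:-1], {"inet6": [], "nd6": set()})
        elif cur is None:
            continue
        elif parts[0] == "inet6" and len(parts) > 1:
            addr = ipaddress.IPv6Address(parts[1].split("%")[0])  # drop %zone
            cur["inet6"].append((addr, "autoconf" in parts))
        elif parts[0] == "nd6" and "<" in line and ">" in line:
            cur["nd6"].update(line[line.index("<") + 1:line.rindex(">")].split(","))
    return ifaces

def slaac_on_ra_interfaces(ifaces):
    """Interfaces that accept router advertisements and hold an autoconf address."""
    return sorted(name for name, i in ifaces.items()
                  if "ACCEPT_RTADV" in i["nd6"] and any(auto for _, auto in i["inet6"]))

def shared_link_local(ifaces):
    """Map each link-local address seen on several interfaces to those interfaces."""
    seen = defaultdict(list)
    for name, i in ifaces.items():
        for addr, _ in i["inet6"]:
            if addr.is_link_local:
                seen[str(addr)].append(name)
    return {a: sorted(n) for a, n in seen.items() if len(n) > 1}

if __name__ == "__main__":
    parsed = parse_ifconfig(SAMPLE)
    print(slaac_on_ra_interfaces(parsed), shared_link_local(parsed))
```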