>> I must be tired or something but I have a strange thing with IPv6 on a new 
>> box I just set up.
>> 
>> Have a x:y:z:d800::/56 routed to me.
>> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
>> x:y:z:d800::ffff:ffff:ffff:ffff (not a nice one but that is what they gave 
>> me).
>> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN 
>> interface.
>> 
>> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
>> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
>> x:y:z:d800::1, but I can't get a packet to go further.
>> 
>> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
>> from WAN interface, but not from LAN interface.
>> 
>> I would have thought "ok I miss a pass rule on the LAN interface", but there 
>> is one. This by far is not my first pfSense box, and they all have various 
>> kinds of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what 
>> obvious detail am I overlooking here? If you have any idea?
>> 
>> This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 
>> 2.2.x.


>From some packet captures, something caught my eye, but I'm not sure if this 
>is an issue in the hands of my upstream provider or something local to my pfSense 
>box.
Here are two captures on the WAN of pfSense.

First one, I'm pinging the WAN IP from a very remote location. One clearly sees 
4 echo requests and 4 echo replies.

23:32:47.466402 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 73, length 40
23:32:47.466455 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 73, length 40
23:32:48.476917 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 74, length 40
23:32:48.476933 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 74, length 40
23:32:49.491979 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 75, length 40
23:32:49.492019 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 75, length 40
23:32:50.507963 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 76, length 40
23:32:50.507987 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 76, length 40

This time, I'm pinging the LAN IP (x:y:z:d801::1) from the same remote 
location. No echo requests, only neighbor solicitations from a link-local 
address fe80...dc78, which I could trace as the upstream router, to 
ff02::1:ff00:1. But no advertisements on return from the pfSense box.

What looks wrong here?
The absence of advertisements from pfSense box on these solicitations (I would 
have an issue with my pfSense setup)?
Or are these solicitations unexpected (the upstream provider has a setup issue 
regarding my /56 network)?

23:35:41.814361 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has x:y:z:d801::1, length 32
23:35:42.815472 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has x:y:z:d801::1, length 32
23:35:51.411220 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has x:y:z:d801::1, length 32

If someone with (easily) much better inner knowledge of IPv6 specifics (than 
me) has an idea... Thanks!!

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om
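
An added example, not part of the original message: a small Python check over tcpdump text lines like the second capture above, flagging neighbor solicitations seen on the WAN link whose target lies outside the WAN /64 but inside the routed /56 (the sender is resolving that address as an on-link neighbor instead of forwarding it to a next hop). The documentation prefix 2001:db8:0 stands in for the redacted x:y:z, the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the message redacts its prefix as x:y:z, so the
# documentation prefix 2001:db8:0 stands in for it here (assumption).
WAN_NET = ipaddress.ip_network("2001:db8:0:d800::/64")   # WAN link prefix
ROUTED = ipaddress.ip_network("2001:db8:0:d800::/56")    # delegated block
CAPTURE = """\
23:35:41.814361 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:0:d801::1, length 32
23:35:42.000000 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2001:db8:0:d800::1, length 32
23:35:43.000000 IP6 2001:db8:ffff::9 > 2001:db8:0:d800::1: ICMP6, echo request, seq 73, length 40
"""

NS_RE = re.compile(
    r"^(\S+) IP6 (\S+) > (\S+): ICMP6, neighbor solicitation, who has ([0-9a-fA-F:]+),")

def solicited_node(addr):
    """Solicited-node multicast group for addr: ff02::1:ff + low 24 bits."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))

def classify(line):
    """Return a finding dict for a neighbor solicitation line, else None."""
    m = NS_RE.match(line)
    if not m:
        return None
    ts, src, dst, target = m.groups()
    target = ipaddress.IPv6Address(target)
    if target in WAN_NET:
        verdict = "on-link"                      # normal resolution on the WAN /64
    elif target in ROUTED:
        verdict = "routed-prefix-treated-as-on-link"
    else:
        verdict = "foreign"
    # The destination group should match the target's low 24 bits.
    group_ok = ipaddress.IPv6Address(dst) == solicited_node(target)
    return {"time": ts, "src": src, "target": str(target),
            "verdict": verdict, "group_ok": group_ok}

def findings(capture):
    return [r for r in map(classify, capture.splitlines()) if r]

if __name__ == "__main__":
    for r in findings(CAPTURE):
        print(r)
```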

