I'm in the process of enabling IPv6 on a working IPv4 3-LAN, 2-WAN setup using 
pfSense 2.2.6 (I'm also in the process of testing 3.0 and did a cursory test 
and got the same results with our 3.0 test setup).  We're getting IPv6 via a 
Hurricane Electric tunnel.

There are 3 LANs each with a /24 IPv4 and a /64 IPv6 subnet (the /64's being 
from the /48 allocated from HE).  Currently, incoming IPv6 WAN and WAN_IPv6 
access is blocked for all IPv6 except that ICMP types (other than redirect) are 
allowed.  Rules exist allowing unrestricted IPv6 access across all 3 LANs.

I have pfSense configured for DHCP6 on all 3 LANs and RA (on all 3 LANs) is set 
to "Assisted" and (maybe unnecessarily?) "RA Subnet(s)" is set to all 3 of the 
/64 subnets.

Each of the 3 LANs is also its own VLAN.  There are 3x HP 1810 v2 switches 
across the network.

One of the hosts, the problematic one (and, of course, the only one for which 
we actually want IPv6), is a virtualized OS X 10.8.5 running under VMware 
Fusion 7.1.2 (also on OS X 10.8.5).  The VM host system has 2 VLANs and the VM 
guest has 2 NICs, one bridged to each of the VM host system's VLANs.

Multiple systems on the network, including the "problem" virtualized host, have 
multi-homed IPv4 and (of course) multi-homed IPv6 interfaces.  For simplicity, 
I've manually set the IPv6 addresses and am using only them for testing.

Everything works wonderfully, except that ...

I'm having a problem accessing the IPv6 IPs on the virtualized/guest system's 
interface that's bridged to VLAN3 of the VM host.  Accessing IPv6 and IPv4 
addresses on VLAN1 and VLAN2 works fine.  Accessing IPv4 addresses on VLAN3 
works fine.  "Sometimes" (see below) one of the 2 manually assigned IPv6 
addresses on VLAN3 can be accessed.

[Because of what (at least "sometimes") works, I conclude that neither pfSense 
setup nor a local host firewall is the problem.]

Here are the symptoms:

- boot the problem/virtualized host then, on another system (C) on VLAN1, run 
ping6 against both of the 2 IPv6 addresses on (the interface that's bridged to 
the virtualized host's) VLAN3 and I get "...from <VLAN1 router address> -> 
<target VLAN3 IPv6 address>: Destination Host Unreachable" (addresses are 
config'd and up, according to ifconfig but they're not listed in pfSense's NDP 
table, so this makes [pf]sense).

- on the virtualized/problem host, run ping6 against the other system C, and 
it's OK

- now, again run (the same) ping6 commands from the other system (C) on VLAN1 
against both of the 2 IPv6 addresses on the virtualized host's VLAN3 and it 
works against the first IPv6 listed via ifconfig, but not the second

[I'm assuming that the ping6 run from the virtualized/problem host caused 
pfSense to acquire the one IPv6 IP and that's why it's now accessible -- 
indeed, that 1 of the 2 VLAN3 IPv6 addresses is now in pfSense's NDP table.]

- run ping6 from the VM host system against both of the 2 IPv6 addresses on the 
(VM guest) virtualized host's VLAN3 and both work

[I'm assuming, due to the bridging, that local neighbor discovery works from 
the VM host to its VM guest.  pfSense does not acquire the additional IPv6 
address from VLAN3.]

Tests run from other hosts show results that are consistent with the above 
tests.  So, with 1 exception, everything works and is consistent with what's 
shown in pfSense's and various hosts' routing tables and via ifconfig.

The failure is that neither of the 2 IPv6 addresses (nor the auto-allocated 
private IPv6 address) from the interface (on the virtualized host) that's 
bridged to the VLAN3 interface is learned/acquired by pfSense unless a ping6 
is run from the virtualized host, and then only the first ifconfig-listed 
manually assigned IPv6 address is acquired by pfSense.  As such, pfSense 
considers the IP(s) unreachable.

I'm guessing that there's an issue where OS X is either not reporting the 2nd 
interface (i.e., second in that the VLAN1-linked interface is ordered first in 
the network configuration) or that the bridging is interfering with that 
communication.

I'm assuming that pfSense is "asking" hosts to report via each RA-config'd 
subnet every "now 'n then" and, as such, VLAN3 is receiving such queries.  
(Hmmm, as I write this, maybe this is another thing to look at.)

QUESTIONS:

- has anyone experienced a problem anything like this and, if so, what were you 
able to do about it?

- what's the best way to go about confirming that the virtualized host is 
receiving whatever queries RA is sending out on VLAN3 (assuming that's what's 
happening)?  I do have packet-capture capability on the VM host and the 
virtualized/problematic host ... but is there anything simpler?

- does anyone have any ideas on how I might solve this issue and/or learn more 
about exactly what's happening?

My next attempt will be to configure rtadvd to run on the virtualized/problem 
host (with rltime 0) in an effort to get it to tell pfSense that the second 
interface is present ... but, from what I see in the man page, I don't have 
much faith that it will work and, after many hours' worth of research and 
experimentation, I'm pretty much at the end of my (newbie IPv6) knowledge (and 
"rope") on this one.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
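One way to answer the "is VLAN3 actually seeing RA/NDP traffic" question above is to capture ICMPv6 on the VM host and decode the neighbor-discovery messages (RFC 4861): a router advertisement with the M/O flags pfSense's "Assisted" mode sets, plus the neighbor solicitations pfSense sends for each address and the neighbor advertisements the guest should answer with. The following Python decoder is an added example, not code from the original post or from pfSense; the packets it decodes are constructed inline using the documentation prefix 2001:db8:3::/64 in place of a real capture.

```python
import ipaddress
import struct
# ICMPv6 Neighbor Discovery message types (RFC 4861)
ND_TYPES = {133: "router-solicitation", 134: "router-advertisement",
            135: "neighbor-solicitation", 136: "neighbor-advertisement"}

def decode_nd(payload):
    """Decode the ICMPv6 header and the NDP-specific fields of one message."""
    icmp_type = payload[0]
    msg = {"type": ND_TYPES.get(icmp_type, icmp_type)}
    if icmp_type == 134:  # RA: cur hop limit, M/O flags, router lifetime, options
        _hop, flags, lifetime = struct.unpack_from("!BBH", payload, 4)
        msg.update(managed=bool(flags & 0x80), other=bool(flags & 0x40),
                   router_lifetime=lifetime, prefixes=[])
        off = 16  # options start after the fixed 16-byte RA body
        while off + 2 <= len(payload):
            opt_type, opt_len = payload[off], payload[off + 1]
            if opt_len == 0:
                break  # malformed option; stop rather than loop forever
            if opt_type == 3:  # Prefix Information: length, L/A flags, prefix
                plen, pflags = payload[off + 2], payload[off + 3]
                prefix = ipaddress.IPv6Address(payload[off + 16:off + 32])
                msg["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))
            off += opt_len * 8
    elif icmp_type in (135, 136):  # NS and NA carry the target address at offset 8
        msg["target"] = str(ipaddress.IPv6Address(payload[8:24]))
    return msg

def ndp_summary(payloads):
    """Which solicited targets never answered with a neighbor advertisement?"""
    solicited, advertised, ra_flags = set(), set(), None
    for m in map(decode_nd, payloads):
        if m["type"] == "router-advertisement":
            ra_flags = (m["managed"], m["other"])
        elif m["type"] == "neighbor-solicitation":
            solicited.add(m["target"])
        elif m["type"] == "neighbor-advertisement":
            advertised.add(m["target"])
    return {"ra_flags": ra_flags, "advertised": sorted(advertised),
            "unanswered": sorted(solicited - advertised)}

# Constructed sample capture (documentation prefix, not real addresses):
PREFIX = ipaddress.IPv6Address("2001:db8:3::").packed
ADDR_A, ADDR_B = (ipaddress.IPv6Address(f"2001:db8:3::{h}").packed for h in "ab")
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0xC0, 1800, 0, 0)  # M=1, O=1
             + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0) + PREFIX)
SAMPLE = [SAMPLE_RA,
          struct.pack("!BBHI", 135, 0, 0, 0) + ADDR_A,           # router asks for A
          struct.pack("!BBHI", 136, 0, 0, 0x60000000) + ADDR_A,  # host answers for A
          struct.pack("!BBHI", 135, 0, 0, 0) + ADDR_B]           # router asks for B, no reply
```

Feeding real ICMPv6 payloads from a capture on the VM host's VLAN3 interface into ndp_summary shows directly whether pfSense is soliciting the second address and whether the guest ever answers, which is the distinction the symptoms above hinge on.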