Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Eero Volotinen
Finally got it working on WAN side of firewall, by just enabling this
checkbox:

Request a IPv6 prefix/information through the IPv4 connectivity link

Still need some work on lan side, because I am a bit lost with it.

--
Eero

2017-11-21 20:46 GMT+02:00 Steve Yates :

> Ah yes, System/Advanced/Networking, Allow IPv6.
>
> --
>
> Steve Yates
> ITS, Inc.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Steve Yates
Ah yes, System/Advanced/Networking, Allow IPv6.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel
Sent: Tuesday, November 21, 2017 12:42 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] pfsense ipv6 not working

You also need to enable it in the Settings... tick the IPv6 box.

On 21.11.17, 19:38, "List on behalf of Steve Yates" wrote:



Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Daniel
You also need to enable it in the Settings... tick the IPv6 box.

On 21.11.17, 19:38, "List on behalf of Steve Yates" wrote:

Starting at the top level, do you have a firewall rule allowing ICMP for 
IPv6?



Re: [pfSense] pfsense ipv6 not working

2017-11-21 Thread Steve Yates
Starting at the top level, do you have a firewall rule allowing ICMP for IPv6?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Eero Volotinen
Sent: Monday, November 20, 2017 1:01 PM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] pfsense ipv6 not working



[pfSense] pfsense ipv6 not working

2017-11-20 Thread Eero Volotinen
Hi List,

Running IPv6 with DHCPv6 from the ISP, and it works on my laptop without pfSense,
but on the pfSense shell I cannot even ping network addresses other than the gw:

ping6 fe80::208:20ff:fe4e:1c1b
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> fe80::208:20ff:fe4e:1c1b
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=0 hlim=64 time=0.573 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=2 hlim=64 time=0.578 ms
16 bytes from fe80::208:20ff:fe4e:1c1b%igb3, icmp_seq=3 hlim=64 time=0.518 ms

and when trying to ping google:

ping6 2a00:1450:4001:820::200e
PING6(56=40+8+8 bytes) fe80::ae1f:6bff:fe43:a993%igb3 --> 2a00:1450:4001:820::200e
^C
--- 2a00:1450:4001:820::200e ping6 statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss

WAN configuration is using DHCPv6

--
Eero


Re: [pfSense] IPv6 nat

2017-11-16 Thread Ivo Tonev
You can use NPT

On 16 Nov 2017, 5:19 PM, "Daniel" wrote:

> Hi there,
>
>
>
> I added a private IPv6 LAN on my pfSense which has to do NAT like on IPv4.
>
> But it seems that NAT with IPv6 is not possible. Is there any way, or is it
> not possible to NAT IPv6 connections?
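To make the NPT suggestion concrete: the following is an added example, not code from this thread or from pfSense. It models an RFC 6296 NPTv6 translator that maps Daniel's ULA fd12:38ce:2472:a35e::/64 (the first hop in his traceroute) to a placeholder external prefix, 2001:db8:1:2::/64 from documentation space, and checks that each mapping is checksum-neutral, which is what lets NPT work statelessly, without the session table that IPv4 NAT needs. The choice of which 16-bit word absorbs the adjustment for prefixes longer than /48 follows RFC 6296's "first interface-identifier word that is not 0xFFFF" rule as I read it; equal-length prefixes only.

```python
import ipaddress

# Daniel's ULA is from the thread; the external prefix is a placeholder (documentation space).
INTERNAL_PREFIX = "fd12:38ce:2472:a35e::/64"
EXTERNAL_PREFIX = "2001:db8:1:2::/64"


def ones_complement_sum(words):
    """One's-complement sum of 16-bit words with end-around carry (RFC 1071 style)."""
    total = sum(words)
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_complement_neg(word):
    return (~word) & 0xFFFF


def address_words(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    value = int(ipaddress.IPv6Address(addr))
    return [(value >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def words_to_address(words):
    value = 0
    for w in words:
        value = (value << 16) | w
    return ipaddress.IPv6Address(value)


def is_checksum_neutral(addr_a, addr_b):
    """True if both addresses contribute the same value to a TCP/UDP/ICMPv6 pseudo-header sum."""
    def norm(words):
        s = ones_complement_sum(words)
        return 0 if s == 0xFFFF else s  # 0xFFFF and 0x0000 are both zero in one's complement
    return norm(address_words(addr_a)) == norm(address_words(addr_b))


class NPTv6:
    """Stateless prefix translator modelled on RFC 6296 (equal-length prefixes only)."""

    def __init__(self, internal, external):
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        plen = self.internal.prefixlen
        if plen != self.external.prefixlen:
            raise ValueError("this model only handles equal-length prefixes")
        if plen % 16 or not 16 <= plen <= 112:
            raise ValueError("prefix length must be a multiple of 16 between 16 and 112")
        self.nwords = plen // 16
        int_sum = ones_complement_sum(address_words(self.internal.network_address)[:self.nwords])
        ext_sum = ones_complement_sum(address_words(self.external.network_address)[:self.nwords])
        # Outbound: swapping the prefix adds (external - internal) to the address sum, so the
        # adjustment written into one other word must be (internal - external).
        self.adjust_out = ones_complement_sum([int_sum, ones_complement_neg(ext_sum)])
        self.adjust_in = ones_complement_neg(self.adjust_out)

    def _adjust_index(self, words):
        # Up to /48 the subnet word (bits 48-63) takes the adjustment; for longer prefixes
        # the first interface-identifier word that is not 0xFFFF does (assumed RFC 6296 reading).
        if self.nwords <= 3:
            if words[3] == 0xFFFF:
                raise ValueError("subnet word 0xFFFF is not translatable")
            return 3
        for i in range(self.nwords, 8):
            if words[i] != 0xFFFF:
                return i
        raise ValueError("interface identifier is all 0xFFFF; cannot translate")

    def _translate(self, addr, src_net, dst_net, adjustment):
        addr = ipaddress.IPv6Address(addr)
        if addr not in src_net:
            return addr  # not under the translated prefix (e.g. link-local): pass through
        words = address_words(addr)
        words[:self.nwords] = address_words(dst_net.network_address)[:self.nwords]
        i = self._adjust_index(words)
        adjusted = ones_complement_sum([words[i], adjustment])
        words[i] = 0 if adjusted == 0xFFFF else adjusted  # keep the word round-trippable
        return words_to_address(words)

    def outbound(self, addr):
        """Internal (LAN) address -> external address, as seen from the Internet."""
        return self._translate(addr, self.internal, self.external, self.adjust_out)

    def inbound(self, addr):
        """External address -> internal (LAN) address."""
        return self._translate(addr, self.external, self.internal, self.adjust_in)


if __name__ == "__main__":
    npt = NPTv6(INTERNAL_PREFIX, EXTERNAL_PREFIX)
    for host in ("fd12:38ce:2472:a35e::3", "fd12:38ce:2472:a35e:ffff:1::"):
        out = npt.outbound(host)
        print(f"{host} -> {out} (neutral: {is_checksum_neutral(host, out)}) -> {npt.inbound(out)}")
```

Because the mapping is a pure function of the address, the translator needs no connection state, but it also hides nothing: every internal host is reachable under its translated external address unless the firewall rules say otherwise.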


[pfSense] IPv6 nat

2017-11-16 Thread Daniel
Hi there,

I added a private IPv6 LAN on my pfSense which has to do NAT like on IPv4.

But it seems that NAT with IPv6 is not possible. Is there any way, or is it not
possible to NAT IPv6 connections?

root@web1:~# traceroute6 heise.de
traceroute to heise.de (2a02:2e0:3fe:1001:302::), 30 hops max, 80 byte packets
 1  fd12:38ce:2472:a35e::3 (fd12:38ce:2472:a35e::3)  0.071 ms  0.098 ms  0.087 ms
 2  * * *
 3  * * *

I am not interested in using public IPv6 addresses in my LAN.

Cheers

Daniel



Re: [pfSense] IPv6?

2017-09-20 Thread Steve Yates
IPv6 has multiple configuration protocols and I'm not sure I have my 
head around them all either.  Generally speaking, addressing is handled by a 
router because it's supposed to be handing out an address assigned by an 
upstream router, so IPs are assigned geographically making large router tables 
unnecessary.  IPv6 doesn't have NAT so every PC gets a public IP and the 
firewall blocks traffic to/from the outside world.  So in your case pfSense 
should be getting an IPv6 from Comcast, and requesting a subnet from Comcast to 
assign to PCs on your LAN.

So if your goal is to have a private IPv6 range on your LAN you should 
probably give up on that and just disable IPv6 on pfSense and you're done.  
That way PCs can use the Windows domain controller for DNS.

Windows has DHCP for IPv6 but the short version is it won't work...as I 
vaguely recall, the spec is something like: because it's not a router, it can 
only assign a /128 address and mask, so no PC can talk to other PCs on the LAN. 
 IPv6s would have to be entered on the PCs manually, or let them get IPv6 from 
pfSense...but then you're back to needing DNS to point to the Windows server.

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Michael Munger
Sent: Wednesday, September 20, 2017 11:48 AM
To: list 
Subject: [pfSense] IPv6?

TL;DR - I think pfSense should be blocking DHCP6 requests (or responding
directly), but I am still getting my ISPs IPv6 address for DNS on
machines behind the pfSense firewall. This causes lookup problems since
their DNS server is not reliable. I suspect I have a bad config in my
pfSense firewall (user error), and need guidance on how to resolve this.



[pfSense] IPv6?

2017-09-20 Thread Michael Munger
TL;DR - I think pfSense should be blocking DHCP6 requests (or responding
directly), but I am still getting my ISPs IPv6 address for DNS on
machines behind the pfSense firewall. This causes lookup problems since
their DNS server is not reliable. I suspect I have a bad config in my
pfSense firewall (user error), and need guidance on how to resolve this.

Background:

I have severe problems with IPv6. Most of the IPv6 requests time out,
forcing anything that is IPv6 enabled to fall back to IPv4. There's
nothing wrong with IPv4, but, the timeout is supremely annoying.

NOTE: I understand there is a difference between pfSense and DHCP
requests from a client machine. My IPv6 skills are not as strong as my
IPv4 skills, so my solution has been to disable IPv6 on any machine that
has a problem. But that's a bandaid, and not a good solution.

Symptoms:

I seem to be getting a DNS server of
2603:3001:3805:10f0:223:7dff:fe3b:73ac, which is my ISP's DNS Server
(Comcast). I cannot figure out where this is coming from. It appears to
be coming from Comcast, THROUGH pfSense. How is this DHCP request
traversing pfSense to the WAN? I have a local Windows server, with an
fe80:: address, which is a DNS server also. Not sure why this is not
being set as DNS via DHCP6 (different issue).

What I want:

I need to stop the timeouts by controlling where the lookups go (which
servers are getting served in the DHCP6 requests), which cause the
network to bottleneck and requests to take forever.

Is there an IPv6 guide / tutorial that I have been unable to find with
Google? I would like to be able to configure pfSense to ignore / block
any upstream DNS servers when DHCP6 requests go out. Or, in the
alternative, control where they go so I can point them at either my
Windows DNS or a bind9 server (or even the resolver in pfSense).
Perhaps pfSense is forwarding the requests upstream instead of
responding itself?
-- 
Michael Munger, dCAP, MCPS, MCNPS, MBSS
High Powered Help, Inc.
Microsoft Certified Professional
Microsoft Certified Small Business Specialist
Digium Certified Asterisk Professional
mich...@highpoweredhelp.com 


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Morgan Reed
Yeah, I trudged all the way through it a while back. You're right, the time
would've been better spent actually fixing the bug than arguing about it.

I'm pretty sure there's even been a few attempted pull requests to fix it
but they've all been rejected.

On Thu, Aug 3, 2017 at 3:28 PM, Matthew Hall  wrote:

> This bug report is absolutely insane. It required more hours for people to
> compose these replies than it would to compose the patch for the actual
> bug. I couldn't even read it all because it was so violently toxic.
>
> Matthew Hall
>
> > On Aug 2, 2017, at 9:36 PM, Morgan Reed  wrote:
> >
> > It's not "google" refusing to support it... It's one Lorenzo Colitti who
> is
> > the roadblock...
> > https://issuetracker.google.com/issues/36949085
> > But yes, it's asinine.
>



-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Matthew Hall
This bug report is absolutely insane. It required more hours for people to 
compose these replies than it would to compose the patch for the actual bug. I 
couldn't even read it all because it was so violently toxic. 

Matthew Hall

> On Aug 2, 2017, at 9:36 PM, Morgan Reed  wrote:
> 
> It's not "google" refusing to support it... It's one Lorenzo Colitti who is
> the roadblock...
> https://issuetracker.google.com/issues/36949085
> But yes, it's asinine.



Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Morgan Reed
It's not "google" refusing to support it... It's one Lorenzo Colitti who is
the roadblock...
https://issuetracker.google.com/issues/36949085
But yes, it's asinine.


On Thu, Aug 3, 2017 at 1:00 PM, Adam Thompson  wrote:

> You could be right, I was writing from memory and ... tbh, I don't care
> enough to go look it up again :).  They shut down, that's a pain in the
> butt, I was already on HE anyway, end of story for me.
> I would do the same here, except that (IMHO) Google's refusal to support
> DHCPv6 on Android is completely asinine.  So my phone still doesn't get an
> IPv6 address here at home :-(.
> (Note: Apple products work perfectly.)
>
> It's interesting to speculate about what will happen at some future date
> when HE turns off (or starts charging for) their tunnel service...  I
> haven't heard anything credible yet, but I assume it'll happen someday.
>
> -Adam
>



-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Matthew Hall
If you put your network segment into Assisted Mode the clients will try SLAAC 
followed by DHCPv6 so that things can cooperate between both approaches. 

Matthew Hall

> On Aug 2, 2017, at 8:00 PM, Adam Thompson  wrote:
> 
> You could be right, I was writing from memory and ... tbh, I don't care 
> enough to go look it up again :).  They shut down, that's a pain in the butt, 
> I was already on HE anyway, end of story for me.
> I would do the same here, except that (IMHO) Google's refusal to support 
> DHCPv6 on Android is completely asinine.  So my phone still doesn't get an 
> IPv6 address here at home :-(.
> (Note: Apple products work perfectly.)
> 
> It's interesting to speculate about what will happen at some future date when 
> HE turns off (or starts charging for) their tunnel service...  I haven't 
> heard anything credible yet, but I assume it'll happen someday.
> 
> -Adam



Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
You could be right, I was writing from memory and ... tbh, I don't care enough 
to go look it up again :).  They shut down, that's a pain in the butt, I was 
already on HE anyway, end of story for me.
I would do the same here, except that (IMHO) Google's refusal to support DHCPv6 
on Android is completely asinine.  So my phone still doesn't get an IPv6 
address here at home :-(.
(Note: Apple products work perfectly.)

It's interesting to speculate about what will happen at some future date when 
HE turns off (or starts charging for) their tunnel service...  I haven't heard 
anything credible yet, but I assume it'll happen someday.

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe
> Katz
> Sent: August 2, 2017 21:38
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
> 
> Adam,
> 
> Actually, the reason SIXXS shut down is exactly the opposite of what you
> said. SIXXS shut down because IPv6 adoption was going too slow and a
> number of ISPs were actually telling their customers "we don't plan to
> implement
> IPv6 because you can get it from SIXXS if you really want it." In effect,
> ISPs were using tunnels as a way of *reducing *IPv6 rollouts.
> 
> Vick,
> 
> I also have an HE tunnel at home because my ISP is dragging their feet
> about implementing IPv6. In fact, my main guest WiFi network runs
> *only* IPv6.
> Most of my guests only care about Gmail and YouTube, and those have
> been
> IPv6 enabled for ages. It's an experiment to see how many visitors can
> get away with not noticing that they have no IPv4 connectivity.
> 
> Moshe
> 


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Moshe Katz
Adam,

Actually, the reason SIXXS shut down is exactly the opposite of what you
said. SIXXS shut down because IPv6 adoption was going too slow and a number
of ISPs were actually telling their customers "we don't plan to implement
IPv6 because you can get it from SIXXS if you really want it." In effect,
ISPs were using tunnels as a way of *reducing *IPv6 rollouts.

Vick,

I also have an HE tunnel at home because my ISP is dragging their feet
about implementing IPv6. In fact, my main guest WiFi network runs *only* IPv6.
Most of my guests only care about Gmail and YouTube, and those have been
IPv6 enabled for ages. It's an experiment to see how many visitors can get
away with not noticing that they have no IPv4 connectivity.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732 <(301)%20867-3732>

On Wed, Aug 2, 2017 at 10:32 PM, Adam Thompson 
wrote:

> So?  Neither do I.  I don't have native IPv6 at the office either.  But
> both are fully IPv6-connected.
> That's what Hurricane Electric tunnels are for.  (And SIXXS, formerly, but
> they've decided that IPv6 penetration has reached a point where they're not
> needed anymore.  Hahahaha...)
>
> http://www.tunnelbroker.net/
>
> Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6
> tunnel endpoint is <5msec away from my home router [wireless, not DSL or
> cable], and my ISP has a 10Gbps connection to them.  Performance is VERY
> satisfactory.  However, even my office, where the nearest HE tunnel
> endpoint is 30+msec away gets perfectly acceptable performance on IPv6.
> Largely because IPv6 paths tend to be shorter and transit fewer routers.
> (There are a number of factors at play; sometimes IPv6 is tunneled over
> IPv4, which means the path isn't *really* shorter.)
>
> -Adam
>


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
So?  Neither do I.  I don't have native IPv6 at the office either.  But both 
are fully IPv6-connected.
That's what Hurricane Electric tunnels are for.  (And SIXXS, formerly, but 
they've decided that IPv6 penetration has reached a point where they're not 
needed anymore.  Hahahaha...)

http://www.tunnelbroker.net/

Disclaimer: my home situation is a bit of an anomaly - the nearest HE IPv6 
tunnel endpoint is <5msec away from my home router [wireless, not DSL or 
cable], and my ISP has a 10Gbps connection to them.  Performance is VERY 
satisfactory.  However, even my office, where the nearest HE tunnel endpoint is 
30+msec away gets perfectly acceptable performance on IPv6.  Largely because 
IPv6 paths tend to be shorter and transit fewer routers.  (There are a number 
of factors at play; sometimes IPv6 is tunneled over IPv4, which means the path 
isn't *really* shorter.)

-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> Khera
> Sent: August 2, 2017 21:28
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
> 
> Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built
> up. Not having IPv6 at my home router makes it hard to play with. I've
> not had the courage to bring "live" my direct allocation at the data center
> yet.




Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Vick Khera
Nice. Thanks for the explanation. My IPv6 knowledge is slowly being built
up. Not having IPv6 at my home router makes it hard to play with. I've not
had the courage to bring "live" my direct allocation at the data center yet.



Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
Sadly, yes.  Partly due to providers like OVH who don't "get" prefix delegation.
Also, how else do you multi-home without running BGP?  (Keeping in mind that 
the overwhelming majority of networks around the world have no access to BGP.)  
That's one of the specific use cases for Network Prefix Translation.  (I don't 
have the RFC handy, sorry.)
-Adam

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Vick
> Khera
> Sent: August 2, 2017 21:20
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 1:1 NAT problems
> 
> Is NAT even a thing with IPv6?


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Matthew Hall
https://tools.ietf.org/html/rfc6296

Matthew Hall

> On Aug 2, 2017, at 7:19 PM, Vick Khera  wrote:
> 
> Is NAT even a thing with IPv6?


Re: [pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Vick Khera
Is NAT even a thing with IPv6?


[pfSense] IPv6 1:1 NAT problems

2017-08-02 Thread Adam Thompson
(If you work for Netgate – would a paid support subscription include helping me 
diagnose the problem here, and get this working?  I’m not 100% clear if this is 
in scope or not.)

I’ve encountered an – apparently – unusual problem when trying to enable 1:1 
NAT for IPv6.

I’m also having a similar problem with NPt, actually, and since they both seem 
to use the same pf(4) “binat” directive, I suspect they might be related.

All IPs here are obfuscated because the list gets archived, but the last two 
octets/hextets[1] and subnet masks are all copied as-is.  I’ll be happy to 
provide actual IP addresses in private emails, if you think that’s where my 
problem lies.

Scenario:

*   OVH private cloud (so same non-delegated, NDP-only IPv6 address space 
I’ve mentioned previously)
*   pfSense VM was deployed from official OVA file
*   OVH has allocated 1:2:3:4::/56, 1.2.3.48/28 and a few more IPv4 
subnets, all bound to the same router interface on their end, connected to the 
WAN VLAN on the pfSense VM.  The IPv6 allocation is *NOT* delegated, it’s a 
simple interface binding on their router.
*   pfSense WAN address is 1.2.3.49/28 and 1:2:3:4::49/56.  Default 
gateways are 1.2.3.62 and 1:2:3:4:::::.
*   pfSense LAN address is 10.1.1.1/24 and fd60::1/64.  It is the default 
gateway.
*   One other VM exists on the “LAN” V(X)LAN[2], providing public services 
over tcp/80, tcp/443 and tcp/22.
*   Firewall rules are trivial for debugging purposes: Allow Any/Any/Any on 
WAN and Allow Any/Any/Any on LAN.
*   IPv4 Proxy ARP VIP exists for 1.2.3.50/28
*   1:1 NAT for 1.2.3.50/32 <- -> 10.1.1.2/32 exists, seems to work fine.

Notes:

*   I have multiple tenants within my OVH private cloud.
*   I want them all on separate VLANs, both to slightly increase security 
(no sniffing/snooping/spoofing attacks) and also to simplify IPSec tunnel setup.
*   I can’t use NPt because OVH isn’t delegating or routing that /56 to me. 
 (If they would just &^%$#@! *route* the blocks to me, I’d have been done a month ago…)
*   I’m “allocating” /64s out of that /56 for each customer purely 
administratively, i.e. on paper.

What’s happening (that I think is a bug)

*   pfSense itself has IPv6 connectivity at this point, yay.
*   I create a VIP for 1:2:3:4::50/56.
*   If and only if the VIP type is “IP Alias”, then:

*   Other VMs on the same WAN segment can ping :50.
*   External nodes cannot ping :50, until I force a “gratuitous NDP” (that 
shouldn’t even be a thing…) by pinging the default gw with the source address 
set to :50.  There might be a timer involved and I’m too impatient? Dunno, 
anyway this gets global traffic routing working.

*   The moment I create a 1:1 NAT entry for 1:2:3:4::50/128 <- -> 
fd60::2/128, all IPv6 on the WAN stops working.  pfSense no longer replies to 
Neighbour Solicitation packets from the gateway, which… well… breaks IPv6 
pretty thoroughly.  I can still see the incoming NDP packets using tcpdump, but 
no responses.

But:

*   If I do this with “Proxy ARP” VIP instead of “IP Alias” VIP, I can 
never ping :50, but creating the 1:1 NAT entry still breaks IPv6 on the WAN 
interface.
*   If I set the WAN interface address to something elsewhere in the range 
(e.g. 1:2:3:5::1/56) and then set up NPt between, say, 1:2:3:4:0/64 (WAN) and 
fd60::/64 (LAN), IPv6 from pfSense itself does not break, but pfSense also does 
not respond to Neighbour Solicitations for IPs in that range, so I don’t have 
functional IPv6 to or from the LAN.  This is a documented limitation, and it’s 
not supposed to work.

So I’m lost.  Why on earth would *creating* a 1:1 NAT entry for a pair of /128s 
break IPv6 (NDP, anyway) for the firewall itself?  Why does creating the 
equivalent NPt mapping *not* break the firewall?

While I’m pissed at OVH for refusing to delegate or route the /56, it seems 
this should still be *possible*, even if awkward, to deploy.  But my IPv6 
breakage seems very weird – but what on earth could I be doing SO differently 
that it breaks for me but no-one else?

Thanks,

-Adam

[1] https://en.wikipedia.org/wiki/Hextet - you got a better word? Let me know!

[2] From pfSense’s perspective, it’s just another segment.  Internally, OVH 
uses VMware NSX VXLANs to emulate VLANs to emulate broadcast domains.  As far 
as I can tell, this “just works”.  It doesn’t seem to be part of the problem, 
anyway.
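
The symptom described above (Neighbour Solicitations visible in tcpdump on the WAN, no Neighbour Advertisements going back) can be checked mechanically rather than by eye. The following is an added example, not code from the list or from pfSense: it parses the text form of `tcpdump -n icmp6` output and reports, per solicited target, how many solicitations were answered within a timeout. The capture lines are constructed, the 2001:db8 addresses are placeholders, and `ndp_report`/`silent_targets` are names chosen here.

```python
"""Spot NDP targets that get solicited but never advertised, from tcpdump text."""
import ipaddress
import re
from collections import defaultdict

# tcpdump -n icmp6 prints neighbor solicitation / advertisement lines in this
# shape; the regexes key on the target address carried in each message.
_TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6 \S+ > \S+: ICMP6, "
NS_RE = re.compile(_TS + r"neighbor solicitation, who has (?P<tgt>[0-9a-f:]+)", re.I)
NA_RE = re.compile(_TS + r"neighbor advertisement, tgt is (?P<tgt>[0-9a-f:]+)", re.I)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _canon(addr: str):
    """Normalise the textual address so '::50' and '0:0:...:50' count as one target."""
    try:
        return str(ipaddress.IPv6Address(addr))
    except ValueError:
        return None


def ndp_report(lines, timeout=1.0):
    """Per target: how many solicitations were seen and how many were answered
    by an advertisement for that target within `timeout` seconds.
    Lines that are not NS/NA (router advertisements, TCP, ...) are ignored."""
    stats = defaultdict(lambda: {"solicited": 0, "answered": 0})
    pending = defaultdict(list)  # target -> timestamps of NS still awaiting an NA
    for line in lines:
        if m := NS_RE.search(line):
            tgt = _canon(m["tgt"])
            if tgt is None:
                continue
            stats[tgt]["solicited"] += 1
            pending[tgt].append(_seconds(m["ts"]))
        elif m := NA_RE.search(line):
            tgt = _canon(m["tgt"])
            if tgt is None:
                continue
            now = _seconds(m["ts"])
            # drop solicitations that aged out, then pair the oldest live one
            pending[tgt] = [t for t in pending[tgt] if now - t <= timeout]
            if pending[tgt]:
                pending[tgt].pop(0)
                stats[tgt]["answered"] += 1
    return dict(stats)


def silent_targets(lines, timeout=1.0):
    """Targets that were solicited at least once and never answered."""
    return sorted(t for t, s in ndp_report(lines, timeout).items()
                  if s["solicited"] and not s["answered"])


# Constructed capture modelled on the symptom in the thread: the WAN address
# (::49) and one alias (::51) answer, the address behind the 1:1 NAT (::50) never does.
SAMPLE_CAPTURE = """\
12:00:00.100000 IP6 fe80::1 > ff02::1:ff00:49: ICMP6, neighbor solicitation, who has 2001:db8:1:ff00::49, length 32
12:00:00.100500 IP6 2001:db8:1:ff00::49 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1:ff00::49, length 32
12:00:01.000000 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:ff00::50, length 32
12:00:02.000000 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:ff00::50, length 32
12:00:03.000000 IP6 fe80::1 > ff02::1:ff00:50: ICMP6, neighbor solicitation, who has 2001:db8:1:ff00::50, length 32
12:00:03.200000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
12:00:03.500000 IP6 fe80::1 > ff02::1:ff00:51: ICMP6, neighbor solicitation, who has 2001:db8:1:ff00::51, length 32
12:00:03.500300 IP6 2001:db8:1:ff00::51 > fe80::1: ICMP6, neighbor advertisement, tgt is 2001:db8:1:ff00::51, length 32
""".splitlines()

if __name__ == "__main__":
    for tgt, s in ndp_report(SAMPLE_CAPTURE).items():
        print(f"{tgt}: {s['solicited']} NS, {s['answered']} NA")
    print("never answered:", silent_targets(SAMPLE_CAPTURE))
```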


Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Olivier Mascia
> On 2 Aug 2017 at 14:46, Adam Thompson wrote:
> 
> I can't speak to their other platforms, but the Private Cloud offering is 
> based on VMware, and does not permit the use of MAC addresses other than the 
> one assigned to the VM.  So CARP immediately fails there.
> Amusingly (not), there's even a special plug-in in the VMware client that is 
> supposed to let me enable "OVH CARP" (it appears its function is to toggle 
> the VMware distributed vSwitch setting allowing "forged" MAC addresses and 
> promiscuous mode) but it doesn't actually work as it relies on the cluster 
> being connected to a Cisco Nexus 1000v vSwitch, which OVH appears to have 
> deprecated and removed.
> So, in any case, anything that requires MAC address changes won't work.
> -Adam


Happily I still have a PCC with Nexus 1000v and my CARP works perfectly for my 
IPv4 setup.  It just is that it never worked with IPv6. Buggy 1000v regarding 
VRRP and IPv6, it seems.

-- 
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia, http://integral.software




Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Olivier Mascia
> On 2 Aug 2017 at 14:50, Adam Thompson wrote:
> 
> Before I dive into details, can anyone confirm that they have 1:1 NAT working 
> for IPv6 in production?


I have Adam.

Configure your WAN using the first /57 from the /56 they give you.
For instance: :::yy00::1/56 for WAN with 
::::yy00:::: as gateway.

Now use /64 slices of the second /57 slice for your multiple LAN interfaces.
For instance:
...yy81::1/64 for LAN1
...yy82::1/64 for LAN2 and so on.
...

Then set up NPt as such:
On WAN: external :::yy01::/64 internal :::yy81::/64
On WAN: external :::yy01::/64 internal :::yy81::/64
...

Finally for each single IP to expose to the world, add an IP Alias on WAN as 
such:

:::yy01::1234/57

The /57 is important in this matter, to get it right.

Your :::yy81::1234 IP (in the :::yy81::/64 subnet) used 
internally will properly be reachable (and appear on outgoing connections) as 
:::yy01::1234.

-- 
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia, http://integral.software
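
The /57 layout above, worked through as an added example (not code from the list or from pfSense): a constructed placeholder /56 is split into its two /57 halves, each LAN /64 from the second half gets its twin /64 in the first half as the NPt row, and the exposed host gets its WAN IP Alias with the /57 mask. The prefix swap is done the way pf's binat does it (plain prefix replacement, not the checksum-neutral mapping of RFC 6296); the 2001:db8 prefix and all helper names are assumptions made here.

```python
"""Prefix-translation helpers for the "/56 split into two /57s" layout."""
from ipaddress import IPv6Address, IPv6Network

# Constructed placeholder for the (obfuscated) /56 OVH hands out; "yy" is ff here.
ALLOCATION = IPv6Network("2001:db8:1:ff00::/56")


def halves(alloc=ALLOCATION):
    """The two /57 halves: the first carries WAN + exposed aliases, the second the LANs."""
    alloc = IPv6Network(alloc)
    if alloc.prefixlen != 56:
        raise ValueError("expected a /56 allocation")
    wan_half, lan_half = alloc.subnets(prefixlen_diff=1)
    return wan_half, lan_half


def external_prefix(internal_lan, alloc=ALLOCATION) -> IPv6Network:
    """Twin /64 of an internal LAN /64, at the same offset inside the WAN half
    (yy81::/64 -> yy01::/64, yy82::/64 -> yy02::/64, ...)."""
    internal_lan = IPv6Network(internal_lan)
    wan_half, lan_half = halves(alloc)
    if internal_lan.prefixlen != 64 or not internal_lan.subnet_of(lan_half):
        raise ValueError(f"{internal_lan} is not a /64 inside {lan_half}")
    offset = int(internal_lan.network_address) - int(lan_half.network_address)
    return IPv6Network((int(wan_half.network_address) + offset, 64))


def translate(addr, src, dst) -> IPv6Address:
    """Plain prefix swap (what pf's binat does for NPt); host bits are untouched.
    This is deliberately not the checksum-neutral mapping of RFC 6296."""
    addr, src, dst = IPv6Address(addr), IPv6Network(src), IPv6Network(dst)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPt needs equal prefix lengths on both sides")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    host_mask = (1 << (128 - src.prefixlen)) - 1
    return IPv6Address((int(dst.network_address) & ~host_mask) | (int(addr) & host_mask))


def npt_entry(internal_lan, alloc=ALLOCATION):
    """The NPt row to add on WAN for one LAN: (external /64, internal /64)."""
    internal_lan = IPv6Network(internal_lan)
    return str(external_prefix(internal_lan, alloc)), str(internal_lan)


def wan_alias(internal_host, alloc=ALLOCATION) -> str:
    """IP Alias VIP to create on WAN for one exposed host, with the /57 mask."""
    lan = IPv6Network((int(IPv6Address(internal_host)), 64), strict=False)
    ext = translate(internal_host, lan, external_prefix(lan, alloc))
    wan_half, _ = halves(alloc)
    return f"{ext}/{wan_half.prefixlen}"


def wan_address_ok(wan_addr, alloc=ALLOCATION) -> bool:
    """The WAN address itself must sit in the first /57 (e.g. yy00::1)."""
    wan_half, _ = halves(alloc)
    return IPv6Address(wan_addr) in wan_half


if __name__ == "__main__":
    wan_half, lan_half = halves()
    print("WAN half:", wan_half, "| LAN half:", lan_half)
    for lan in ("2001:db8:1:ff81::/64", "2001:db8:1:ff82::/64"):
        print("NPt on WAN: external %s internal %s" % npt_entry(lan))
    print("IP Alias on WAN:", wan_alias("2001:db8:1:ff81::1234"))
```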



Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Adam Thompson
I've got IPv4 working, as I said, using the Proxy ARP (or IP Alias, both work) 
VIP.
I still don't have IPv6 working, though.

I'm running into a situation where 1:1 NAT for IPv6 seems to either a) simply 
not work at all, or b) utterly kills all IPv6 on the firewall for reasons I 
don't understand yet.

Before I dive into details, can anyone confirm that they have 1:1 NAT working 
for IPv6 in production?

(Eh, I'll start a new thread anyway.)

-Adam



Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Adam Thompson
I can't speak to their other platforms, but the Private Cloud offering is based 
on VMware, and does not permit the use of MAC addresses other than the one 
assigned to the VM.  So CARP immediately fails there.
Amusingly (not), there's even a special plug-in in the VMware client that is 
supposed to let me enable "OVH CARP" (it appears its function is to toggle the 
VMware distributed vSwitch setting allowing "forged" MAC addresses and 
promiscuous mode) but it doesn't actually work as it relies on the cluster 
being connected to a Cisco Nexus 1000v vSwitch, which OVH appears to have 
deprecated and removed.
So, in any case, anything that requires MAC address changes won't work.
-Adam



Re: [pfSense] IPv6 problem at OVH

2017-08-02 Thread Olivier Mascia
> On 2 Aug 2017 at 00:39, Matthew Hall wrote:
> 
>> The real issue is that HA setup of a couple of pfSense is impossible with 
>> such an awkward IPv6 setup as OVH imposes to us.
> 
> Just curious: how does it break CARP + pfSync?

I don't have the exact specifics in memory right now, but I'll see to dust off 
some old notes. I remember it was inextricable. But could be a bug in VRRP 
implementation on OVH side and nothing to do with the way they (don't) route 
the IPs (as CARP + pfSync works fine on IPv4 on the same platform and the way 
they deliver IPv4).

Without those notes, the most specific I remember is that packets were coming 
in randomly on the master (processing them) and the slave (properly ignoring 
them). Just as if the same MAC was seen on both on their OVH side.


-- 
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia, http://integral.software



Re: [pfSense] IPv6 problem at OVH

2017-08-01 Thread Matthew Hall
On Tue, Aug 01, 2017 at 11:27:50PM +0200, Olivier Mascia wrote:
> The real issue is that HA setup of a couple of pfSense is impossible with 
> such an awkward IPv6 setup as OVH imposes to us.

Just curious: how does it break CARP + pfSync?


Re: [pfSense] IPv6 problem at OVH

2017-08-01 Thread Olivier Mascia
> On 1 Aug 2017 at 23:09, Jon Copeland wrote:
> 
> We have this exact setup.  You are correct, you will need Virtual IPs for 
> each public WAN IP that OVH have assigned you.  We have separate services 
> listening on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm.
> 
> JC
> 

The real issue is that HA setup of a couple of pfSense is impossible with such 
an awkward IPv6 setup as OVH imposes to us.

-- 
Best Regards, Meilleures salutations, Met vriendelijke groeten,
Olivier Mascia




Re: [pfSense] IPv6 problem at OVH

2017-08-01 Thread Jon Copeland
We have this exact setup.  You are correct, you will need Virtual IPs for each 
public WAN IP that OVH have assigned you.  We have separate services listening 
on x.x.x.1, x.x.x.2, x.x.x.3 etc, works like a charm.

JC



Re: [pfSense] IPv6 problem at OVH

2017-08-01 Thread Matthew Hall
On Tue, Aug 01, 2017 at 01:57:01PM -0500, Adam Thompson wrote:
> *** As a consequence, all IPv4 addresses must respond to ARP, and all IPv6
> addresses must respond to NDP, in order to be successfully publicly routed.

The last time I had this issue, I had a Fortinet installed, and I used this 
featureset:

I don't think the PFSense currently exposes the NAT66 for configuration. When 
you use it, you can use an internal ULA subnet from a ULA generator, and use 
NAT66 to get the right exterior origin.

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-IPv6-54/IPv6%20Features/IPv6_NAT.htm

It would be best solved using IPv6 VIPs for the inbound NAT. I have tested 
that and had it working on Linux and PFSense myself.

The other thing you can perhaps do, since they sent you a whole /56, is hand 
out /64s inside the PFSense that are chopped out of the /56 given to you. I've 
done that in my house using DHCPv6-PD from Comcast. But it should be possible 
with classic DHCPv6 and some static routes and/or a routing protocol inside 
your setup. It depends just how their layer 2 restrictions work. In my colo 
company it was fine because I didn't have to directly do ARP / NDP as long as 
I could route properly both ways.

> (NDP for an entire /56?  Fee fi fo fum, I smell a DoS attack...)

Yes.. this problem was called out during the lead-up to World IPv6 Day and 
World IPv6 Launch in 2011 and 2012.

https://en.wikipedia.org/wiki/World_IPv6_Day_and_World_IPv6_Launch_Day

Some patches to rate-limit the priority and request rate of new NDP neighbor 
adjacency discovery were added to the vast majority of major Cisco, Juniper, 
... etc. router firmwares.

Matthew.


[pfSense] IPv6 problem at OVH

2017-08-01 Thread Adam Thompson

Wondering how anyone else manages (or would manage) this scenario:

* Private Cloud at OVH.  (Runs VMware, which isn't terribly relevant 
AFAICT.)

* OVH provides a single VLAN that is connected directly to their router
* ALL public IP addresses are terminated on that VLAN (i.e. bound 
directly to that interface on their router) including the entire IPv6 
/56.
*** As a consequence, all IPv4 addresses must respond to ARP, and all 
IPv6 addresses must respond to NDP, in order to be successfully publicly 
routed.
(And yes, they gave me an entire /56 of IPv6... that isn't routed or 
broken up in any way.  And they won't subnet or route anything to me.  
Yay.)
* Meanwhile, I have public services (multiple tenants) running on 
multiple VLANs, each behind a single pfSense firewall with a WAN 
interface in the massive public-address-space VLAN.
* I very much want the service address to be different from the firewall 
address, i.e. the firewall WAN i/f might be bound to 1.2.3.4, then I 
want the publicly-accessible service to live at 1.2.3.5, so that I can 
distinguish based on reverse DNS whether outbound connections are coming 
from the firewall or from the customer's server.  This works great with 
IPv4, a Proxy ARP VIP, and 1:1 NAT.
* I also need to provide IPv6 connectivity inbound AND outbound, ideally 
with the same reverse-dns differentiation.


I've tried 1:1 NAT, which seems to break IPv6 altogether every time I 
configure it (although JimP can't reproduce it yet, so presumably it's 
somehow environment-specific).  I'm unclear whether this will work 
anyway with the NDP adjacency requirement.


I've tried NPt, which doesn't do NDP, and so doesn't work in this 
scenario.


The next thing I can try (but haven't yet) is an IP Alias VIP with Port 
Forwarding, and then... maybe a custom Outbound NAT rule?


Am I missing something fundamental?  I know what OVH is doing is stupid 
(NDP for an entire /56?  Fee fi fo fum, I smell a DoS attack...) , but 
they have 2000+ other customers on this exact platform, surely ONE of 
them must have a similar situation!  I know IPv6 is new, but ... surely 
one of them must run IPv6?


Again: IPv4 isn't a problem because Proxy ARP works great and solves the 
silliness of them not routing those allocated subnets to me.  IPv6 is a 
problem because pfSense has to handle NDP *and* do NAT and I can't find 
a way to make it do that properly.



Thoughts/opinions/brickbats welcome.
-Adam

P.S. I seem to not be receiving emails from the list reliably, kindly CC 
me if you don't mind...



Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-23 Thread Steve Yates
Yes, we don't have any DHCP in our CARP environment.

--

Steve Yates
ITS, Inc.



Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-23 Thread Jim Pingle
On 03/22/2017 02:16 PM, hamid ashraf wrote:
> I have 2 pfsense FW 2.3.3 p1 version, one is Master and Second is Backup. 
> CARP configured between both firewalls for IPv4 and all the configurations 
> are successfully syncing. When I configured the DHCPv6 on master firewall, 
> that configuration didn't replicate to the backup one and everything works 
> perfectly from outside to inside and vice versa on master. When the firewall 
> fails over, IPv6 connectivity is gone. My questions: 
> 
> 1. Does pfsense not support IPv6 Failover?

No, because the ISC DHCP daemon for IPv6 does not have any concept of
failover baked in at this time. And last I heard, they are holding out
waiting for an IPv6 DHCP failover standard to be written. There are a
couple drafts floating around but last I saw, none have yet moved beyond
that stage.

> 2. Does pfsense not support DHCPv6 failover, as I observed nothing related 
> to DHCPv6 has been synced to the backup firewall?

It could, but it doesn't, because of the above limitation. You have to
manually configure a different range on both boxes, or use only SLAAC
for automatic assignment. You could configure the same pool on both
units but since the two units cannot share lease information, you end up
relying on IPv6 DAD to prevent conflicts.

Since the potential IPv6 address pool for a subnet is huge (/64), using
a separate range on each unit shouldn't be a problem. But it does mean
you have to configure them manually.

> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with 
> DHCPv6 synced between them, and if the firewall fails over it should be seamless.

You have to set up each node manually for DHCPv6 but it works fine this way:

Primary:
* DHCPv6 enabled
** DHCPv6 set for a given range (say...
:::xxx0::1:-:::xxx0::1:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP. Binding to the CARP VIP
interface ensures that radvd only runs on the node which is master.
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Secondary:
* DHCPv6 enabled
** DHCPv6 set for DIFFERENT range (say...
:::xxx0::2:-:::xxx0::2:)
** DHCPv6 DNS server set to the LAN IPv6 CARP VIP

* Router advertisements enabled
** RA set to Managed
** RA Router priority set to Normal
** RA interface set for the LAN IPv6 CARP VIP
** RA DNS Server 1 set to the LAN IPv6 CARP VIP (or check the box to use
the same settings as DHCPv6 server)

Then repeat that for each local interface (e.g. DMZ, guest network, etc)

It may seem clunkier than its IPv4 sibling but they both transition at
nearly the same rate.

As an alternative, you could bind the RA daemon to the LAN directly and
set the primary to high, secondary to normal or low. That way nodes
would always know about both gateways and they would decide which one to
use automatically.

Jim P
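
Jim's design only works because the two nodes' pools never overlap: nothing synchronises leases between them, so two servers drawing from one pool would leave IPv6 DAD as the only thing preventing a duplicate assignment. The check below is an added example, not pfSense code. It parses the range6 statement from a constructed dhcpdv6.conf excerpt of each node (the 2001:db8:0:10::/64 LAN, the two pools and the ::1 CARP VIP used as DNS server are assumed values) and reports pools that overlap, are reversed, or fall outside the shared subnet, so the mistake is caught before the config is deployed.

```python
import ipaddress
import re

# Constructed dhcpdv6.conf excerpts for the two HA nodes, in the shape of the
# ISC dhcpd "range6 <low> <high>;" statement pfSense writes from the GUI range.
# Prefix, pools and the ::1 VIP are assumed values, not from the original post.
PRIMARY_CONF = """
subnet6 2001:db8:0:10::/64 {
    range6 2001:db8:0:10::1:0 2001:db8:0:10::1:ffff;
    option dhcp6.name-servers 2001:db8:0:10::1;
}
"""

SECONDARY_CONF = """
subnet6 2001:db8:0:10::/64 {
    range6 2001:db8:0:10::2:0 2001:db8:0:10::2:ffff;
    option dhcp6.name-servers 2001:db8:0:10::1;
}
"""

# The mistake the thread warns about: the same pool on both nodes.
BAD_SECONDARY_CONF = PRIMARY_CONF

SUBNET6_RE = re.compile(r"subnet6\s+([0-9a-fA-F:]+/\d+)")
RANGE6_RE = re.compile(r"range6\s+([0-9a-fA-F:]+)\s+([0-9a-fA-F:]+)\s*;")


def parse_pools(conf: str):
    """Return (subnet, [(low, high), ...]) for every range6 in a config excerpt."""
    subnet = ipaddress.IPv6Network(SUBNET6_RE.search(conf).group(1))
    pools = [(ipaddress.IPv6Address(lo), ipaddress.IPv6Address(hi))
             for lo, hi in RANGE6_RE.findall(conf)]
    return subnet, pools


def pools_overlap(a, b) -> bool:
    """True when the inclusive ranges a=(lo, hi) and b=(lo, hi) share an address."""
    return not (a[1] < b[0] or b[1] < a[0])


def check_ha_pools(primary_conf: str, secondary_conf: str) -> list:
    """Problems that would let two unsynchronised DHCPv6 servers on CARP
    nodes hand out conflicting leases. An empty list means the pools are safe."""
    problems = []
    p_net, p_pools = parse_pools(primary_conf)
    s_net, s_pools = parse_pools(secondary_conf)
    if p_net != s_net:
        problems.append(f"subnet mismatch: {p_net} vs {s_net}")
    for name, net, pools in (("primary", p_net, p_pools),
                             ("secondary", s_net, s_pools)):
        if not pools:
            problems.append(f"{name}: no range6 statement")
        for lo, hi in pools:
            if lo > hi:
                problems.append(f"{name}: range {lo}-{hi} is reversed")
            if lo not in net or hi not in net:
                problems.append(f"{name}: range {lo}-{hi} is outside {net}")
    for pp in p_pools:
        for sp in s_pools:
            if pools_overlap(pp, sp):
                problems.append(
                    f"overlap: primary {pp[0]}-{pp[1]} and secondary "
                    f"{sp[0]}-{sp[1]}; without lease sync only DAD prevents "
                    "duplicate assignments")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", SECONDARY_CONF), ("bad", BAD_SECONDARY_CONF)):
        print(label, check_ha_pools(PRIMARY_CONF, conf) or "pools are disjoint")
```

Point it at the generated dhcpdv6.conf from each node (one file per interface pair, repeated for DMZ, guest and so on as Jim describes) and run it whenever either range is edited; the subnet comparison also catches a node whose LAN prefix was changed without the other following.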


Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-23 Thread hamid ashraf
Dear Steve,

Thanks for taking the time to look at my email.

Yes, you can say I have two issues, but both are inter-related in my case. As
CARP does not advertise itself as gateway in the case of DHCPv6, and in my case I
have configured DHCPv6 which is not replicated to the backup firewall, in case the
master goes down... in vain. So you are using static assignment in your case for IPv6?
Regards
Hamid


  From: Steve Yates 
 To: pfSense Support and Discussion Mailing List  
 Sent: Thursday, March 23, 2017 2:20 AM
 Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)
   
Interesting...we have not seen that problem with IPv6 and CARP.  I just looked 
and the backup is showing Backup for all IPs.

I do occasionally see, like after our 2.3.2 to 2.3.3_1 upgrade, that one IP does
get stuck as Master on the backup after the primary is updated and restarts.  I
am fairly certain it was an IPv4 address though, and is not a new issue.
Restarting fixes it.

Hamid, are you saying you have two issues, that IPv6 is not being synced and 
that DHCPv6 is not being synced?  We aren't using DHCPv6 but have not seen any 
issues with IPv6 and CARP.  IPv6 connectivity shouldn't be related to whether 
DHCPv6 is running, as long as the PCs have addresses...?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jochen Becker
Sent: Wednesday, March 22, 2017 1:25 PM
To: hamid ashraf ; pfSense Support and Discussion 
Mailing List 
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Hi Hamid,

can you check whether your IPv6 CARP addresses are in a good condition
after 10-15 minutes of uptime?
I have a problem with multiple setups where CARPv6 changes to dual
master after 10 minutes. IPv6 connectivity is nearly impossible with
that setup. However IPv4 and CARP with v4 are working as they should.
Those problems appeared shortly after the update to 2.3.3p1.
See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers

Jochen

On 22.03.2017 19:16, hamid ashraf wrote:
> Hi,
>
> I have 2 pfSense FW 2.3.3 p1 version, one is Master and the second is Backup.
> CARP is configured between both firewalls for IPv4 and all the configurations
> are successfully syncing. When I configured DHCPv6 on the master firewall,
> that configuration didn't replicate to the backup one, and everything works
> perfectly from outside to inside and vice versa on the master. When the firewall
> fails over, IPv6 connectivity is gone. My questions:
>
> 1. Does pfSense not support IPv6 failover?
> 2. Does pfSense not support DHCPv6 failover? I observed nothing has
> been synced to the backup firewall related to DHCPv6.
> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with
> DHCPv6 synced between them, so that if the firewall fails over it is seamless.
> Diagram attached for your reference.

Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-22 Thread Steve Yates
Interesting...we have not seen that problem with IPv6 and CARP.  I just looked 
and the backup is showing Backup for all IPs.

I do occasionally see, like after our 2.3.2 to 2.3.3_1 upgrade, that one IP does
get stuck as Master on the backup after the primary is updated and restarts.  I
am fairly certain it was an IPv4 address though, and is not a new issue.
Restarting fixes it.

Hamid, are you saying you have two issues, that IPv6 is not being synced and 
that DHCPv6 is not being synced?  We aren't using DHCPv6 but have not seen any 
issues with IPv6 and CARP.  IPv6 connectivity shouldn't be related to whether 
DHCPv6 is running, as long as the PCs have addresses...?

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jochen Becker
Sent: Wednesday, March 22, 2017 1:25 PM
To: hamid ashraf ; pfSense Support and Discussion 
Mailing List 
Subject: Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

Hi Hamid,

can you check whether your IPv6 CARP addresses are in a good condition
after 10-15 minutes of uptime?
I have a problem with multiple setups where CARPv6 changes to dual
master after 10 minutes. IPv6 connectivity is nearly impossible with
that setup. However IPv4 and CARP with v4 are working as they should.
Those problems appeared shortly after the update to 2.3.3p1.
See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers

Jochen

On 22.03.2017 19:16, hamid ashraf wrote:
> Hi,
>
> I have 2 pfSense FW 2.3.3 p1 version, one is Master and the second is Backup.
> CARP is configured between both firewalls for IPv4 and all the configurations
> are successfully syncing. When I configured DHCPv6 on the master firewall,
> that configuration didn't replicate to the backup one, and everything works
> perfectly from outside to inside and vice versa on the master. When the firewall
> fails over, IPv6 connectivity is gone. My questions:
>
> 1. Does pfSense not support IPv6 failover?
> 2. Does pfSense not support DHCPv6 failover? I observed nothing has
> been synced to the backup firewall related to DHCPv6.
> 3. Please suggest a design to get IPv6 and IPv4 working together in failover with
> DHCPv6 synced between them, so that if the firewall fails over it is seamless.
> Diagram attached for your reference.


Re: [pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-22 Thread Jochen Becker

Hi Hamid,

can you check whether your IPv6 CARP addresses are in a good condition
after 10-15 minutes of uptime?
I have a problem with multiple setups where CARPv6 changes to dual
master after 10 minutes. IPv6 connectivity is nearly impossible with
that setup. However IPv4 and CARP with v4 are working as they should.

Those problems appeared shortly after the update to 2.3.3p1.
See also the forum post: https://forum.pfsense.org/index.php?topic=127342.0

Cheers

Jochen

On 22.03.2017 19:16, hamid ashraf wrote:

Hi,

I have 2 pfSense FW 2.3.3 p1 version, one is Master and the second is Backup. CARP
is configured between both firewalls for IPv4 and all the configurations are
successfully syncing. When I configured DHCPv6 on the master firewall, that
configuration didn't replicate to the backup one, and everything works
perfectly from outside to inside and vice versa on the master. When the firewall
fails over, IPv6 connectivity is gone. My questions:

1. Does pfSense not support IPv6 failover?
2. Does pfSense not support DHCPv6 failover? I observed nothing has been
synced to the backup firewall related to DHCPv6.
3. Please suggest a design to get IPv6 and IPv4 working together in failover with
DHCPv6 synced between them, so that if the firewall fails over it is seamless.
Diagram attached for your reference.


[pfSense] IPv6 (CARP and DHCPv6 failover)

2017-03-22 Thread hamid ashraf
Hi, 

I have 2 pfSense FW 2.3.3 p1 version, one is Master and the second is Backup. CARP
is configured between both firewalls for IPv4 and all the configurations are
successfully syncing. When I configured DHCPv6 on the master firewall, that
configuration didn't replicate to the backup one, and everything works
perfectly from outside to inside and vice versa on the master. When the firewall
fails over, IPv6 connectivity is gone. My questions:

1. Does pfSense not support IPv6 failover?
2. Does pfSense not support DHCPv6 failover? I observed nothing has been
synced to the backup firewall related to DHCPv6.
3. Please suggest a design to get IPv6 and IPv4 working together in failover with
DHCPv6 synced between them, so that if the firewall fails over it is seamless.
Diagram attached for your reference.

[pfSense] IPv6 being used for NTP even though IPv6 is not configured

2016-07-25 Thread Vick Khera
According to the System/Advanced/Networking page, there is an option
to prefer IPv4. However, it says this: "if IPv6 is configured and a
hostname resolves IPv6 and IPv4 addresses, IPv6 will be used."

I do not have IPv6 configured -- all my interfaces are statically
configured. The only IPv6 I see is the automatic link-local address
assigned to each interface. Is that enough to convince pfSense that it
is "configured"?

The symptom I'm seeing is that one of the remote NTP servers I sync
with returns both IPv6 and IPv4 addresses, and NTP is preferring the
v6 address which does not work here.

If I check the box to enable the "prefer IPv4" it does indeed select
the IPv4 address. So something is misleading pfSense to thinking v6 is
enabled, at least for NTP.


Re: [pfSense] IPv6 being used for NTP even though IPv6 is not configured

2016-07-25 Thread Heath Barnhart
Someone correct me if I'm wrong, but if you are seeing an IPv6 link-local
address on an interface then IPv6 is enabled, just not configured. PFSense
gurus, does setting IPv6 to none in PFSense not disable IPv6 operation in
the OS?

On Mon, Jul 25, 2016 at 8:37 AM, Vick Khera  wrote:

> According to the System/Advanced/Networking page, there is an option
> to prefer IPv4. However, it says this: "if IPv6 is configured and a
> hostname resolves IPv6 and IPv4 addresses, IPv6 will be used."
>
> I do not have IPv6 configured -- all my interfaces are statically
> configured. The only IPv6 I see is the automatic link-local address
> assigned to each interface. Is that enough to convince pfSense that it
> is "configured"?
>
> The symptom I'm seeing is that one of the remote NTP servers I sync
> with returns both IPv6 and IPv4 addresses, and NTP is preferring the
> v6 address which does not work here.
>
> If I check the box to enable the "prefer IPv4" it does indeed select
> the IPv4 address. So something is misleading pfSense to thinking v6 is
> enabled, at least for NTP.



-- 
Sincerely,
Heath Barnhart
Network Administrator
KanREN
785-856-9815
2029 Becker Drive, Suite 282
Lawrence, Kansas 66047
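
Heath's distinction between IPv6 being enabled (a link-local fe80::/10 address appears on every interface as soon as the stack is up) and being configured (a global address was assigned) can be checked mechanically. The code below is an added example and not pfSense's own address selection: it classifies a host as off, enabled or configured from a constructed interface table, and orders constructed A/AAAA answers the way Vick expected the "prefer IPv4" logic to behave, i.e. IPv4 first unless a global IPv6 address actually exists. Interface names and all addresses are assumed; the thread shows that pfSense itself treated the link-local-only box as IPv6-capable, which is exactly what this policy avoids.

```python
import ipaddress
import socket

# Constructed interface table matching the situation in the thread: static
# IPv4 everywhere and only the automatic link-local IPv6 on each interface.
# Interface names and addresses are assumptions, not from the original post.
IFACE_ADDRS = {
    "em0": ["203.0.113.10", "fe80::250:56ff:fe8a:1"],
    "em1": ["192.0.2.1", "fe80::250:56ff:fe8a:2"],
    "lo0": ["127.0.0.1", "::1"],
}

# Constructed resolver answer for a dual-stacked NTP server (documentation
# addresses; the real server in the post is not named).
NTP_ANSWERS = [
    (socket.AF_INET6, "2001:db8:abcd::123"),
    (socket.AF_INET, "198.51.100.123"),
]


def ipv6_state(iface_addrs: dict) -> str:
    """'configured' if any interface has a non-link-local, non-loopback IPv6
    address; 'enabled' if only fe80::/10 or ::1 addresses exist; else 'off'."""
    state = "off"
    for addrs in iface_addrs.values():
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if ip.version != 6:
                continue
            if ip.is_link_local or ip.is_loopback:
                if state == "off":
                    state = "enabled"
            else:
                return "configured"
    return state


def order_peers(answers, prefer_ipv4: bool, iface_addrs: dict) -> list:
    """Order A/AAAA answers so IPv6 is tried first only when a global IPv6
    address is configured and 'prefer IPv4' is not ticked. A link-local-only
    host therefore gets IPv4 first even without the checkbox."""
    use_v6_first = ipv6_state(iface_addrs) == "configured" and not prefer_ipv4

    def rank(entry):
        family, _ = entry
        return 0 if (family == socket.AF_INET6) == use_v6_first else 1

    return [addr for _, addr in sorted(answers, key=rank)]


if __name__ == "__main__":
    print(ipv6_state(IFACE_ADDRS), order_peers(NTP_ANSWERS, False, IFACE_ADDRS))
    dual = dict(IFACE_ADDRS, em0=IFACE_ADDRS["em0"] + ["2001:db8:1::10"])
    print(ipv6_state(dual), order_peers(NTP_ANSWERS, False, dual))
```

The same classification is a quick triage step on any box where a daemon unexpectedly picks AAAA records: if ifconfig shows nothing but fe80:: addresses, IPv6 is enabled but not configured, and either a global address or the "prefer IPv4" setting has to be provided explicitly.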


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 1:31 PM, Moshe Katz  wrote:

> On Fri, May 20, 2016 at 12:19 PM, WebDawg  wrote:
>
> > On Fri, May 20, 2016 at 11:06 AM, Moshe Katz 
> wrote:
>
> They will not let you bring your own modem if you have a static IP.
>
> I wrote the last message on my tablet, so I had to keep it short, but I can
> explain further now.
>
> Basically, when you get static IPs from Comcast, they do not want to set up
> the routing for them upstream in the central office (like most other ISPs
> would do).
> Instead, they assign your "Business IP Gateway" device (which is a
> modem/router/firewall combination) a dynamic IP that is in the same block
> of IPs that the entire rest of your neighborhood has.  After the Business
> IP Gateway has received its dynamic address, it advertises itself (I
> believe using RIP) as the next hop to the IP addresses that have been
> allocated to you.
>
> Additionally, the Gateway runs a DHCP server in the 10.x.x.x range. Any
> computer on your network that requests an address on DHCP will receive a
> private address from the Gateway and the Gateway will perform NAT.
>
> In effect, this allows you to have your public addresses and private
> addresses on a single connection to the Internet, with the public addresses
> routed and the private addresses NAT'ed.
>
> To make a long story short, not only will Comcast not allow you to use a
> simple Arris Surfboard modem for static IPs, the way their system is set up
> would not even work if you tried to use a plain modem, because your modem
> wouldn't be able to claim the addresses.
> In theory, Comcast could just allow you to set up your own RIP
> advertisements from your own hardware. I'm guessing that the reason they
> don't want to do that is because they'd rather have full control.
>
> Moshe
>
> --
> Moshe Katz
> -- mo...@ymkatz.net
> -- +1(301)867-3732
>
>
Hmm,

That would be the solution then?  Set up RIP.  Has anyone asked?


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread Moshe Katz
On Fri, May 20, 2016 at 12:19 PM, WebDawg  wrote:

> On Fri, May 20, 2016 at 11:06 AM, Moshe Katz  wrote:
>
> > If you have static IPs from Comcast, you cannot put the device in bridge
> > mode. The way that Comcast static IPs work is that your Comcast device
> > advertises itself to the rest of Comcast's network as the route to your
> > static addresses. In effect, just pretend that this Comcast device is in
> > Comcast's central office and that you can't change anything about it.
> >
> > Moshe
> >
>
> Wow.
>
> No wonder there are issues.  I have only seen a few good modems as of late
> from any cable provider.
>
> Are there people having the same issues with the newer Arris Cable Modem?
> I see the responses in the thread, will they issue static ip addresses with
> just modems/Arris?
>
> Really, they will not let you bring your own device with a compatible Arris
> modem?
>
> I hate the all in one devices that they give out.  I had issues with one
> until I put it into bridge mode.  It would not NAT correctly.
>
> At another location, I demanded a modem.  I was paying for their fastest
> internet 100M down at the time and there was no way I was going to add all
> that overhead to the connection and depend on garbage firmware.
>
>
They will not let you bring your own modem if you have a static IP.

I wrote the last message on my tablet, so I had to keep it short, but I can
explain further now.

Basically, when you get static IPs from Comcast, they do not want to set up
the routing for them upstream in the central office (like most other ISPs
would do).
Instead, they assign your "Business IP Gateway" device (which is a
modem/router/firewall combination) a dynamic IP that is in the same block
of IPs that the entire rest of your neighborhood has.  After the Business
IP Gateway has received its dynamic address, it advertises itself (I
believe using RIP) as the next hop to the IP addresses that have been
allocated to you.

Additionally, the Gateway runs a DHCP server in the 10.x.x.x range. Any
computer on your network that requests an address on DHCP will receive a
private address from the Gateway and the Gateway will perform NAT.

In effect, this allows you to have your public addresses and private
addresses on a single connection to the Internet, with the public addresses
routed and the private addresses NAT'ed.

To make a long story short, not only will Comcast not allow you to use a
simple Arris Surfboard modem for static IPs, the way their system is set up
would not even work if you tried to use a plain modem, because your modem
wouldn't be able to claim the addresses.
In theory, Comcast could just allow you to set up your own RIP
advertisements from your own hardware. I'm guessing that the reason they
don't want to do that is because they'd rather have full control.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Fri, May 20, 2016 at 11:06 AM, Moshe Katz  wrote:

> If you have static IPs from Comcast, you cannot put the device in bridge
> mode. The way that Comcast static IPs work is that your Comcast device
> advertises itself to the rest of Comcast's network as the route to your
> static addresses. In effect, just pretend that this Comcast device is in
> Comcast's central office and that you can't change anything about it.
>
> Moshe
>

Wow.

No wonder there are issues.  I have only seen a few good modems as of late
from any cable provider.

Are there people having the same issues with the newer Arris Cable Modem?
I see the responses in the thread, will they issue static ip addresses with
just modems/Arris?

Really, they will not let you bring your own device with a compatible Arris
modem?

I hate the all in one devices that they give out.  I had issues with one
until I put it into bridge mode.  It would not NAT correctly.

At another location, I demanded a modem.  I was paying for their fastest
internet 100M down at the time and there was no way I was going to add all
that overhead to the connection and depend on garbage firmware.


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread Moshe Katz
If you have static IPs from Comcast, you cannot put the device in bridge
mode. The way that Comcast static IPs work is that your Comcast device
advertises itself to the rest of Comcast's network as the route to your
static addresses. In effect, just pretend that this Comcast device is in
Comcast's central office and that you can't change anything about it.

Moshe
On May 20, 2016 11:54 AM, "WebDawg"  wrote:

> On Wed, May 18, 2016 at 6:14 PM, Steve Yates  wrote:
>
> > We have an application with a Comcast-provided SMC router and two pfSense
> > routers (Comcast <- building <- tenant).  The building router (v2.3.0)
> gets
> > an IPv6 address and can ping out.  However in its DHCP logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router isn't
> > delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs inside
> > the tenant router but unless I'm mistaken I need a couple more /64
> networks
> > for that (what a waste of IPs...I know there's a lot but still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
>
> Am I correct to assume that you are putting this device in bridge mode?
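
The two dhcp6c lines Steve quotes already answer his first question. dhcp6c refuses to derive a LAN prefix when the delegated prefix length plus the sla-len plus the 64-bit interface identifier exceeds 128 bits, and pfSense writes sla-len into dhcp6c.conf as 64 minus the Prefix Delegation size selected in the GUI. "64 + 4 + 64" therefore reads: a /60 was requested (sla-len 4), but the SMC delegated a /64, which leaves no bits to carve a per-interface /64 out of. The parser below is an added example, not dhcp6c or pfSense code; the log lines are constructed in the shape quoted above, with assumed timestamps, hostname and pid.

```python
import re

# Constructed dhcp6c log lines in the shape quoted in the thread; the
# timestamps, hostname and pid are assumptions, not from the original post.
LOG_LINES = [
    "May 18 18:10:01 fw dhcp6c[1234]: invalid prefix length 64 + 4 + 64",
    "May 18 18:10:01 fw dhcp6c[1234]: XID mismatch",
    "May 18 18:11:30 fw dhcp6c[1234]: invalid prefix length 64 + 8 + 64",
]

INVALID_RE = re.compile(r"invalid prefix length (\d+) \+ (\d+) \+ (\d+)")


def diagnose(delegated_len: int, sla_len: int, ifid_len: int = 64) -> dict:
    """Interpret one 'invalid prefix length A + B + C' message.

    A is the prefix length the upstream actually delegated, B the sla-len
    from dhcp6c.conf (pfSense sets it to 64 - requested PD size) and C the
    interface-identifier length. dhcp6c needs A + B + C <= 128."""
    requested_len = 64 - sla_len
    total = delegated_len + sla_len + ifid_len
    fits = total <= 128
    usable_64s = 2 ** (64 - delegated_len) if delegated_len <= 64 else 0
    reason = None
    if not fits:
        reason = (f"requested a /{requested_len} (sla-len {sla_len}) but upstream "
                  f"delegated a /{delegated_len}: {delegated_len}+{sla_len}+"
                  f"{ifid_len}={total} > 128; only {usable_64s} /64 available")
    return {
        "requested_prefix": requested_len,
        "delegated_prefix": delegated_len,
        "bits_needed": total,
        "fits": fits,
        "usable_64s": usable_64s,
        "reason": reason,
    }


def scan_dhcp6c_log(lines) -> list:
    """Diagnose every 'invalid prefix length' line; other lines are ignored."""
    findings = []
    for line in lines:
        m = INVALID_RE.search(line)
        if m:
            findings.append(diagnose(*map(int, m.groups())))
    return findings


if __name__ == "__main__":
    for f in scan_dhcp6c_log(LOG_LINES):
        print(f["reason"] or f"OK: {f['usable_64s']} x /64 from a /{f['delegated_prefix']}")
```

If the delegated length in the log never drops below 64 no matter which size is requested, the problem is on the delegating side, which is where the thread ends up: the SMC shows a /64 under "LAN IPv6 Prefixs Delegations" and an empty "External Router Delegated Prefix", so nothing larger is on offer to the building router.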


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-20 Thread WebDawg
On Wed, May 18, 2016 at 6:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two pfSense
> routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets
> an IPv6 address and can ping out.  However in its DHCP logs I see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't
> delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside
> the tenant router but unless I'm mistaken I need a couple more /64 networks
> for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
Am I correct to assume that you are putting this device in bridge mode?


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Olivier Mascia
There's indeed no NAT concept in IPv6 but you can use NPt to assign globally 
routable IPs on WAN and have them match to a translated locally routable prefix.

Say you have x:y:z:a::/64 on the WAN side, which translates to fd01::/64 on the
LAN side.

-- 
Meilleures salutations, Met vriendelijke groeten,  Best Regards,
Olivier Mascia (from mobile device), integral.be/om


> Le 19 mai 2016 à 21:59, Steve Yates  a écrit :
> 
> Is there a way to force pfSense to do NAT for IPv6?  If so then we could make 
> it work.  I understand that's not the point of IPv6 but...
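
Olivier's NPt suggestion, worked through as an added example that is not pfSense's pf-based NPt implementation: a checksum-neutral prefix rewrite in the manner of RFC 6296 for the /64 to /64 case. 2001:db8:1:2::/64 stands in for the x:y:z:a::/64 WAN prefix and fd01::/64 is the LAN prefix from the post; both are assumptions. What is worth seeing in code is why NPt needs no per-flow state and never touches transport checksums: the prefix change is compensated in one word of the interface identifier so that the one's complement sum of the address, which TCP and UDP checksums are computed over, is unchanged in both directions.

```python
import ipaddress

# Assumed prefixes: the documentation prefix stands in for the thread's
# x:y:z:a::/64 on WAN, fd01::/64 is the LAN ULA from the post.
EXTERNAL_NET = ipaddress.IPv6Network("2001:db8:1:2::/64")
INTERNAL_NET = ipaddress.IPv6Network("fd01::/64")


def _words(addr: ipaddress.IPv6Address) -> list:
    """Split a 128-bit address into its eight 16-bit words."""
    p = addr.packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]


def _from_words(ws) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))


def ones_sum(ws) -> int:
    """One's complement sum of 16-bit words, the quantity transport
    checksums are built from and the one the translation must preserve."""
    s = sum(ws)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _ones_add(a: int, b: int) -> int:
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def checksum_neutral(a, b) -> bool:
    """True when two addresses contribute identically to a pseudo-header checksum."""
    return ones_sum(_words(ipaddress.IPv6Address(a))) == \
        ones_sum(_words(ipaddress.IPv6Address(b)))


def npt_translate(addr, from_net, to_net) -> ipaddress.IPv6Address:
    """Rewrite addr's prefix from from_net to to_net without changing the
    one's complement sum of its words. Only /64 prefixes are handled here;
    RFC 6296 also covers shorter prefixes (adjusting the subnet word)."""
    addr = ipaddress.IPv6Address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != 64 or to_net.prefixlen != 64:
        raise ValueError("this example handles /64 prefixes only")
    ws = _words(addr)
    old_prefix = _words(from_net.network_address)[:4]
    new_prefix = _words(to_net.network_address)[:4]
    # adjustment = sum(old_prefix) - sum(new_prefix) in one's complement,
    # i.e. add the complement of the new prefix sum
    adjustment = _ones_add(ones_sum(old_prefix), 0xFFFF ^ ones_sum(new_prefix))
    ws[:4] = new_prefix
    # With a /64 there is no subnet word left, so the adjustment goes into
    # the first interface-identifier word that is not 0xFFFF.
    for i in range(4, 8):
        if ws[i] != 0xFFFF:
            ws[i] = _ones_add(ws[i], adjustment)
            if ws[i] == 0xFFFF:   # 0xFFFF and 0x0000 are both zero in one's
                ws[i] = 0         # complement; keep the canonical form
            break
    else:
        raise ValueError("no IID word available for the checksum adjustment")
    return _from_words(ws)


def outbound(lan_addr):
    """LAN (fd01::/64) source address as it appears on the WAN side."""
    return npt_translate(lan_addr, INTERNAL_NET, EXTERNAL_NET)


def inbound(wan_addr):
    """WAN-side destination mapped back to the LAN host."""
    return npt_translate(wan_addr, EXTERNAL_NET, INTERNAL_NET)


if __name__ == "__main__":
    lan = "fd01::10:20:30:40"
    wan = outbound(lan)
    print(f"{lan} -> {wan} -> {inbound(wan)}")
    print("checksum neutral:", checksum_neutral(lan, wan))
```

Because the mapping is a pure function of the address, the translator needs no connection table and both directions work for unsolicited inbound traffic, which is the property that makes NPt usable for the tenant scenario in this thread; the trade-off is that a host's WAN-visible interface identifier differs from its LAN one by the adjustment word, so firewall rules on the tenant side have to be written against the prefix that is visible at that point.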

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Steve Yates
Is there a way to force pfSense to do NAT for IPv6?  If so then we could make 
it work.  I understand that's not the point of IPv6 but...

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Thursday, May 19, 2016 2:13 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix 
length, XID mismatch

I'm going to have to guess that you are out of luck for IPv6 then.

If you find anyone at Comcast who is 1) capable of understanding technical 
feedback, 2) receptive to such feedback, and 3) high enough up the chain of 
command to make things happen, I'd be happy to join a campaign to convince that 
person to get this fixed.

Moshe

P. S. Something tells me that we will have moved on to IPv6 or IPv8 (or maybe 
even abandoned IP entirely for something else) by the time anything happens to 
get this fixed. This is Comcast we're talking about after all, a multi-year 
winner and runner-up of Consumerist's "Golden Poo Award" for worst company in 
America.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Thu, May 19, 2016 at 2:49 PM, Steve Yates  wrote:

> I neglected to mention it but I did find and read many 
> articles on Comcast modem support.  As a whole the posts were rather 
> conflicting and confused so it seemed that it may or may not 
> work...older posts were more likely to say it wasn't working.
>
> We do have a static IPv4 block.  Sadly a few years ago when we 
> tried to increase speeds we were down for a time because their other 
> non-SMC modem couldn't handle static IPs reliably and they had to 
> scrounge for an SMC box for us.  I inferred the techs knew this but 
> Comcast was switching modems anyway.  So, I'm hesitant to ask for a different 
> one.
> :-/  Maybe it is different now.
>
> I don't see anything in the SMC interface about a firmware 
> update.  It's Comcast branded so I assume their firmware.  Maybe we'd 
> have to call.  It has v 3.1.6.57 now.
>
> The SMC does show an IPv6 address, LAN DHCPv6 enabled with a 
> range, and has an "External Router Delegated Prefix" section that is 
> empty.  The building router gets its IP from that range.  The SMC has 
> a different WAN IPv6 address in 2001:558:...::/64.  At the bottom of 
> its Gateway Summary/Network tab I see:
>
> LAN IPv6 Prefixs Delegations2601:249::::/64
>
> ...with the LAN IP range.  (yes, it is spelled "prefixs")
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe 
> Katz
> Sent: Wednesday, May 18, 2016 10:10 PM
> To: pfSense Support and Discussion Mailing List 
> 
> Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid 
> prefix length, XID mismatch
>
> On Wed, May 18, 2016 at 7:14 PM, Steve Yates  wrote:
>
> > We have an application with a Comcast-provided SMC router and two 
> > pfSense routers (Comcast <- building <- tenant).  The building 
> > router
> > (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP
> logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router 
> > isn't delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs 
> > inside the tenant router but unless I'm mistaken I need a couple 
> > more
> > /64 networks for that (what a waste of IPs...I know there's a lot 
> > but
> still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
>
> Comcast's support documents claim that "Business IP Gateway" devices 
> (a.k.a. your SMC modem/router) are allocated a /56. However, there 
> seem to be indications on Comcast's forums and other networking forums 
> that they aren't doing that properly on certain models with certain 
> firmware. (One example is
>
> http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCC
> R-and-Cisco-DPC3939B/td-p/20504/page/2
> is from over a year ago, but that could still be an issue now given 
> the speed which these companies release firmware updates.)
>
> Can you check if there is a firmware update for the SMC box?

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Moshe Katz
I'm going to have to guess that you are out of luck for IPv6 then.

If you find anyone at Comcast who is 1) capable of understanding technical
feedback, 2) receptive to such feedback, and 3) high enough up the chain of
command to make things happen, I'd be happy to join a campaign to convince
that person to get this fixed.

Moshe

P. S. Something tells me that we will have moved on to IPv6 or IPv8 (or
maybe even abandoned IP entirely for something else) by the time anything
happens to get this fixed. This is Comcast we're talking about after all, a
multi-year winner and runner-up of Consumerist's "Golden Poo Award" for
worst company in America.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Thu, May 19, 2016 at 2:49 PM, Steve Yates  wrote:

> I neglected to mention it but I did find and read many articles on
> Comcast modem support.  As a whole the posts were rather conflicting and
> confused so it seemed that it may or may not work...older posts were more
> likely to say it wasn't working.
>
> We do have a static IPv4 block.  Sadly a few years ago when we
> tried to increase speeds we were down for a time because their other
> non-SMC modem couldn't handle static IPs reliably and they had to scrounge
> for an SMC box for us.  I inferred the techs knew this but Comcast was
> switching modems anyway.  So, I'm hesitant to ask for a different one.
> :-/  Maybe it is different now.
>
> I don't see anything in the SMC interface about a firmware
> update.  It's Comcast branded so I assume their firmware.  Maybe we'd have
> to call.  It has v 3.1.6.57 now.
>
> The SMC does show an IPv6 address, LAN DHCPv6 enabled with a
> range, and has an "External Router Delegated Prefix" section that is
> empty.  The building router gets its IP from that range.  The SMC has a
> different WAN IPv6 address in 2001:558:...::/64.  At the bottom of its
> Gateway Summary/Network tab I see:
>
> LAN IPv6 Prefixs Delegations2601:249::::/64
>
> ...with the LAN IP range.  (yes, it is spelled "prefixs")
>
> --
>
> Steve Yates
> ITS, Inc.
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
> Sent: Wednesday, May 18, 2016 10:10 PM
> To: pfSense Support and Discussion Mailing List 
> Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix
> length, XID mismatch
>
> On Wed, May 18, 2016 at 7:14 PM, Steve Yates  wrote:
>
> > We have an application with a Comcast-provided SMC router and two
> > pfSense routers (Comcast <- building <- tenant).  The building router
> > (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP
> logs I see:
> >
> > dhcp6c  invalid prefix length 64 + 4 + 64
> > dhcp6c  XID mismatch (several of these)
> >
> > Am I correct that "invalid prefix length" means the Comcast router
> > isn't delegating a /60 properly?  I have it set:
> >
> > DHCPv6 Prefix Delegation size   60
> > Send IPv6 prefix hint   checked
> >
> > If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
> >
> > My second question was going to be about getting IPv6 to the PCs
> > inside the tenant router but unless I'm mistaken I need a couple more
> > /64 networks for that (what a waste of IPs...I know there's a lot but
> still...).
> >
> > Thanks,
> >
> > Steve Yates
> > ITS, Inc.
> >
> >
>
> Comcast's support documents claim that "Business IP Gateway" devices
> (a.k.a. your SMC modem/router) are allocated a /56. However, there seem to
> be indications on Comcast's forums and other networking forums that they
> aren't doing that properly on certain models with certain firmware. (One
> example is
>
> http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
> is from over a year ago, but that could still be an issue now given the
> speed which these companies release firmware updates.)
>
> Can you check if there is a firmware update for the SMC box?
>
> Is there any way to check in the settings of the SMC box to see what it
> got from Comcast? None of my customers are using that model at the moment,
> so I can't tell you where to look.
>
> If you do not have static IPs from Comcast, your best option is probably
> to replace the Comcast-provided router with a Motorola/Arris Surfboard
> modem and have the building pfSense talk directly to Comcast through that.
> However, for some reason that defies all logical explanation, Comcast will
> not let you B

Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-19 Thread Steve Yates
I neglected to mention it but I did find and read many articles on 
Comcast modem support.  As a whole the posts were rather conflicting and 
confused so it seemed that it may or may not work...older posts were more 
likely to say it wasn't working.

We do have a static IPv4 block.  Sadly a few years ago when we tried to 
increase speeds we were down for a time because their other non-SMC modem 
couldn't handle static IPs reliably and they had to scrounge for an SMC box for 
us.  I inferred the techs knew this but Comcast was switching modems anyway.  
So, I'm hesitant to ask for a different one.  :-/  Maybe it is different now.

I don't see anything in the SMC interface about a firmware update.  
It's Comcast branded so I assume their firmware.  Maybe we'd have to call.  It 
has v 3.1.6.57 now.

The SMC does show an IPv6 address, LAN DHCPv6 enabled with a range, and 
has an "External Router Delegated Prefix" section that is empty.  The building 
router gets its IP from that range.  The SMC has a different WAN IPv6 address 
in 2001:558:...::/64.  At the bottom of its Gateway Summary/Network tab I see:

LAN IPv6 Prefixs Delegations   2601:249::::/64

...with the LAN IP range.  (yes, it is spelled "prefixs")

--

Steve Yates
ITS, Inc.

-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Moshe Katz
Sent: Wednesday, May 18, 2016 10:10 PM
To: pfSense Support and Discussion Mailing List 
Subject: Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix 
length, XID mismatch

On Wed, May 18, 2016 at 7:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two 
> pfSense routers (Comcast <- building <- tenant).  The building router 
> (v2.3.0) gets an IPv6 address and can ping out.  However in its DHCP logs I 
> see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router 
> isn't delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs 
> inside the tenant router but unless I'm mistaken I need a couple more 
> /64 networks for that (what a waste of IPs...I know there's a lot but 
> still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>

Comcast's support documents claim that "Business IP Gateway" devices (a.k.a. 
your SMC modem/router) are allocated a /56. However, there seem to be 
indications on Comcast's forums and other networking forums that they aren't 
doing that properly on certain models with certain firmware. (One example is
http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
is from over a year ago, but that could still be an issue now given the speed 
which these companies release firmware updates.)

Can you check if there is a firmware update for the SMC box?

Is there any way to check in the settings of the SMC box to see what it got 
from Comcast? None of my customers are using that model at the moment, so I 
can't tell you where to look.

If you do not have static IPs from Comcast, your best option is probably to 
replace the Comcast-provided router with a Motorola/Arris Surfboard modem and 
have the building pfSense talk directly to Comcast through that.
However, for some reason that defies all logical explanation, Comcast will not 
let you BYOM if you use static IPs.

Some people (also mentioned in the forum link above) have gotten prefix 
delegation to work by asking Comcast to switch their SMC router for a Netgear 
one.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-18 Thread Moshe Katz
On Wed, May 18, 2016 at 7:14 PM, Steve Yates  wrote:

> We have an application with a Comcast-provided SMC router and two pfSense
> routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets
> an IPv6 address and can ping out.  However in its DHCP logs I see:
>
> dhcp6c  invalid prefix length 64 + 4 + 64
> dhcp6c  XID mismatch (several of these)
>
> Am I correct that "invalid prefix length" means the Comcast router isn't
> delegating a /60 properly?  I have it set:
>
> DHCPv6 Prefix Delegation size   60
> Send IPv6 prefix hint   checked
>
> If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."
>
> My second question was going to be about getting IPv6 to the PCs inside
> the tenant router but unless I'm mistaken I need a couple more /64 networks
> for that (what a waste of IPs...I know there's a lot but still...).
>
> Thanks,
>
> Steve Yates
> ITS, Inc.
>
>

Comcast's support documents claim that "Business IP Gateway" devices
(a.k.a. your SMC modem/router) are allocated a /56. However, there seem to
be indications on Comcast's forums and other networking forums that they
aren't doing that properly on certain models with certain firmware. (One
example is
http://forums.businesshelp.comcast.com/t5/IPV6/Dual-Stack-on-SMC-D3GCCR-and-Cisco-DPC3939B/td-p/20504/page/2
is from over a year ago, but that could still be an issue now given the
speed which these companies release firmware updates.)

Can you check if there is a firmware update for the SMC box?

Is there any way to check in the settings of the SMC box to see what it got
from Comcast? None of my customers are using that model at the moment, so I
can't tell you where to look.

If you do not have static IPs from Comcast, your best option is probably to
replace the Comcast-provided router with a Motorola/Arris Surfboard modem
and have the building pfSense talk directly to Comcast through that.
However, for some reason that defies all logical explanation, Comcast will
not let you BYOM if you use static IPs.

Some people (also mentioned in the forum link above) have gotten prefix
delegation to work by asking Comcast to switch their SMC router for a
Netgear one.

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


[pfSense] IPv6 with Comcast and two pfSense - invalid prefix length, XID mismatch

2016-05-18 Thread Steve Yates
We have an application with a Comcast-provided SMC router and two pfSense 
routers (Comcast <- building <- tenant).  The building router (v2.3.0) gets an 
IPv6 address and can ping out.  However in its DHCP logs I see:

dhcp6c  invalid prefix length 64 + 4 + 64
dhcp6c  XID mismatch (several of these)

Am I correct that "invalid prefix length" means the Comcast router isn't 
delegating a /60 properly?  I have it set:

DHCPv6 Prefix Delegation size   60
Send IPv6 prefix hint   checked

If I ask for a /56 I get "invalid prefix length 64 + 8 + 64."

My second question was going to be about getting IPv6 to the PCs inside the 
tenant router but unless I'm mistaken I need a couple more /64 networks for 
that (what a waste of IPs...I know there's a lot but still...).

Thanks,

Steve Yates
ITS, Inc.



[pfSense] IPv6 cross-LAN access problem to virtualized host

2016-05-17 Thread Bryan D.
I'm in the process of enabling IPv6 on a working IPv4 3-LAN, 2-WAN setup using 
pfSense 2.2.6 (I'm also in the process of testing 3.0 and did a cursory test 
and got the same results with our 3.0 test setup).  We're getting IPv6 via a 
Hurricane Electric tunnel.

There are 3 LANs each with a /24 IPv4 and a /64 IPv6 subnet (the /64's being 
from the /48 allocated from HE).  Currently, incoming IPv6 WAN and WAN_IPv6 
access is blocked for all IPv6 except that ICMP types (other than redirect) are 
allowed.  Rules exist allowing unrestricted IPv6 access across all 3 LANs.

I have pfSense configured for DHCP6 on all 3 LANs and RA (on all 3 LANs) is set 
to "Assisted" and (maybe unnecessarily?) "RA Subnet(s)" is set to all 3 of the 
/64 subnets.

Each of the 3 LANs is also its own VLAN.  There are 3x HP 1810 v2 switches 
across the network.

One of the hosts, the problematic one (and, of course, the only one for which 
we actually want IPv6), is a virtualized OS X 10.8.5 running under VMware 
Fusion 7.1.2 (also on OS X 10.8.5).  The VM host system has 2 VLANs and the VM 
guest has 2 NICs, one bridged to each of the VM host system's VLANs.

Multiple systems on the network, including the "problem" virtualized host, have 
multi-homed IPv4 and (of course) multi-homed IPv6 interfaces.  For simplicity, 
I've manually set the IPv6 addresses and am using only them for testing.

Everything works wonderfully, except that ...

I'm having a problem accessing the IPv6 IPs on the virtualized/guest system's 
interface that's bridged to VLAN3 of the VM host.  Accessing IPv6 and IPv4 
addresses on VLAN1 and VLAN2 works fine.  Accessing IPv4 addresses on VLAN3 
works fine.  "Sometimes" (see below) one of the 2 manually assigned IPv6 
addresses on VLAN3 can be accessed.

[Because of what (at least "sometimes") works, I conclude that neither pfSense 
setup nor a local host firewall is the problem.]

Here are the symptoms:

- boot the problem/virtualized host then, on another system (C) on VLAN1, run 
ping6 against both of the 2 IPv6 addresses on (the interface that's bridged to 
the virtualized host's) VLAN3 and I get "...from  -> 
: Destination Host Unreachable" (addresses are 
config'd and up, according to ifconfig but they're not listed in pfSense's NDP 
table, so this makes [pf]sense).

- on the virtualized/problem host, run ping6 against the other system C, and 
it's OK

- now, again run (the same) ping6 commands from the other system (C) on VLAN1 
against both of the 2 IPv6 addresses on the virtualized host's VLAN3 and it 
works against the first IPv6 listed via ifconfig, but not the second

[I'm assuming that the ping6 run from the virtualized/problem host caused 
pfSense to acquire the one IPv6 IP and that's why it's now accessible -- 
indeed, that 1 of the 2 VLAN3 IPv6 addresses is now in pfSense's NDP table.]

- run ping6 from the VM host system against both of the 2 IPv6 addresses on the 
(VM guest) virtualized host's VLAN3 and both work

[I'm assuming, due to the bridging, that local neighbor discovery works from 
the VM host to its VM guest.  pfSense does not acquire the additional IPv6 
address from VLAN3.]

Tests run from other hosts show results that are consistent with the above 
tests.  So, with 1 exception, everything works and is consistent with what's 
shown in pfSense's and various hosts' routing tables and via ifconfig.

The failure is that neither of the 2 IPv6 addresses (nor the auto-allocated 
private IPv6 address) from the interface (on the virtualized host) that's 
bridged to the VLAN3 interface are learned/acquired by pfSense unless a ping6 
is run from the virtualized host and then only the first ifconfig-listed 
manually assigned IPv6 address is acquired by pfSense.  As such, pfSense 
considers the IP(s) unreachable.

I'm guessing that there's an issue where OS X is either not reporting the 2nd 
interface (i.e., second in that the VLAN1-linked interface is ordered first in 
the network configuration) or that the bridging is interfering with that 
communication.

I'm assuming that pfSense is "asking" hosts to report via each RA-config'd 
subnet every "now 'n then" and, as such, VLAN3 is receiving such queries.  
(Hmmm, as I write this, maybe this is another thing to look at.)

QUESTIONS:

- has anyone experienced a problem anything like this and, if so, what were you 
able to do about it?

- what's the best way to go about confirming that the virtualized host is 
receiving whatever queries RA is sending out on VLAN3 (assuming that's what's 
happening)?  I do have packet-capture capability on the VM host and the 
virtualized/problematic host ... but is there anything simpler?

- does anyone have any ideas on how I might solve this issue and/or learn more 
about exactly what's happening?

My next attempt will be to configure rtadvd to run on the virtualized/problem 
host (with rltime 0) in an effort to get it to tell pfSense that the second 
interface is present ... but, from what I see in the man page, I

Re: [pfSense] IPV6 WAN/LAN routing

2016-04-21 Thread Olivier Mascia
> On 21 Apr 2016, at 01:15, Chris Buechler  wrote:
> 
>> Or are these solicitations unexpected (the upstream provider has a setup 
>> issue regarding my /56 network)?
> 
> They're unexpected. That means your ISP isn't routing that network to
> you as they must be for it to be usable inside your network. ISP
> issue.

Thanks, that's clear.

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om




Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Seth Mos
On 20-4-2016 at 18:38, Olivier Mascia wrote:
> Dear all,
> 
> I must be tired or something but I have a strange thing with IPv6 on a new 
> box I just setup.
> 
> Have a x:y:z:d800::/56 routed to me.
> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
> x:y:z:d800::::: (not a nice one but that is what they gave 
> me).
> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN interface.
> 
> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
> x:y:z:d800::1, but I can't get a packet to go further.
> 
> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
> from WAN interface, but not from LAN interface.
> 
> I would have thought "ok I miss a pass rule on the LAN interface", but there 
> is one. This by far is not my first pfSense box, and they all have various 
> kind of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what 
> obvious detail am I overlooking here? If you have any idea?
>

Do you have radvd configured (from the DHCP6 settings) so that clients
on the lan can find the gateway? Or is the client statically configured?
If you only do DHCP6d on pfSense but no RADVD no clients will end up
with a route.

Kind regards,

Seth


Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Chris Buechler
On Wed, Apr 20, 2016 at 4:53 PM, Olivier Mascia  wrote:
>>> I must be tired or something but I have a strange thing with IPv6 on a new 
>>> box I just setup.
>>>
>>> Have a x:y:z:d800::/56 routed to me.
>>> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
>>> x:y:z:d800::::: (not a nice one but that is what they gave 
>>> me).
>>> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN 
>>> interface.
>>>
>>> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
>>> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
>>> x:y:z:d800::1, but I can't get a packet to go further.
>>>
>>> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
>>> from WAN interface, but not from LAN interface.
>>>
>>> I would have thought "ok I miss a pass rule on the LAN interface", but 
>>> there is one. This by far is not my first pfSense box, and they all have 
>>> various kind of IPv6 links. Not that I couldn't be awfully wrong somewhere. 
>>> So what obvious detail am I overlooking here? If you have any idea?
>>>
>>> This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 
>>> 2.2.x.
>
>
> From some packet captures, something caught my eye, but I'm not sure if this 
> is an issue in the hands of my upstream provider or something local to my 
> pfSense box.
> Here are two captures on the WAN of pfSense.
>
> First one, I'm pinging the WAN ip from a very remote location. One clearly 
> sees 4 echo requests and 4 echo replies.
>
> 23:32:47.466402 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 73, length 40
> 23:32:47.466455 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 73, length 40
> 23:32:48.476917 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 74, length 40
> 23:32:48.476933 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 74, length 40
> 23:32:49.491979 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 75, length 40
> 23:32:49.492019 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 75, length 40
> 23:32:50.507963 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
> ICMP6, echo request, seq 76, length 40
> 23:32:50.507987 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
> ICMP6, echo reply, seq 76, length 40
>
> This time, I'm pinging the LAN ip (x:y:z:d801::1) from the same remote 
> location. No echo requests, only neighbor solicitations from a link-local 
> address fe80...dc78, which I could trace as the upstream router, to 
> ff02::1:ff00:1. But no advertisements on return from the pfSense box.
>
> What looks wrong here?
> The absence of advertisements from pfSense box on these solicitations (I 
> would have an issue with my pfSense setup)?
> Or are these solicitations unexpected (the upstream provider has a setup 
> issue regarding my /56 network)?

They're unexpected. That means your ISP isn't routing that network to
you as they must be for it to be usable inside your network. ISP
issue.


Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Olivier Mascia
>> I must be tired or something but I have a strange thing with IPv6 on a new 
>> box I just setup.
>> 
>> Have a x:y:z:d800::/56 routed to me.
>> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
>> x:y:z:d800::::: (not a nice one but that is what they gave 
>> me).
>> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN 
>> interface.
>> 
>> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
>> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
>> x:y:z:d800::1, but I can't get a packet to go further.
>> 
>> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
>> from WAN interface, but not from LAN interface.
>> 
>> I would have thought "ok I miss a pass rule on the LAN interface", but there 
>> is one. This by far is not my first pfSense box, and they all have various 
>> kind of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what 
>> obvious detail am I overlooking here? If you have any idea?
>> 
>> This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 
>> 2.2.x.


From some packet captures, something caught my eye, but I'm not sure if this 
is an issue in the hands of my upstream provider or something local to my pfSense 
box.
Here are two captures on the WAN of pfSense.

First one, I'm pinging the WAN ip from a very remote location. One clearly sees 
4 echo requests and 4 echo replies.

23:32:47.466402 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
ICMP6, echo request, seq 73, length 40
23:32:47.466455 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
ICMP6, echo reply, seq 73, length 40
23:32:48.476917 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
ICMP6, echo request, seq 74, length 40
23:32:48.476933 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
ICMP6, echo reply, seq 74, length 40
23:32:49.491979 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
ICMP6, echo request, seq 75, length 40
23:32:49.492019 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
ICMP6, echo reply, seq 75, length 40
23:32:50.507963 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: 
ICMP6, echo request, seq 76, length 40
23:32:50.507987 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: 
ICMP6, echo reply, seq 76, length 40

This time, I'm pinging the LAN ip (x:y:z:d801::1) from the same remote 
location. No echo requests, only neighbor solicitations from a link-local 
address fe80...dc78, which I could trace as the upstream router, to 
ff02::1:ff00:1. But no advertisements on return from the pfSense box.

What looks wrong here?
The absence of advertisements from pfSense box on these solicitations (I would 
have an issue with my pfSense setup)?
Or are these solicitations unexpected (the upstream provider has a setup issue 
regarding my /56 network)?

23:35:41.814361 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor 
solicitation, who has x:y:z:d801::1, length 32
23:35:42.815472 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor 
solicitation, who has x:y:z:d801::1, length 32
23:35:51.411220 IP6 fe80::aa0c:dff:fe44:dc78 > ff02::1:ff00:1: ICMP6, neighbor 
solicitation, who has x:y:z:d801::1, length 32

If someone with (easily) much better inner knowledge of IPv6 specifics (than 
me) has an idea... Thanks!!

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om




Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Olivier Mascia

> On 20 Apr 2016, at 18:53, Steve Yates  wrote:
> 
> To rule out any missing firewall rules, on Status: System logs: Settings, 
> check "Log packets matched from the default block rules put in the ruleset" 
> and see if it starts logging your pings from the LAN.
> 
> --
> 
> Steve Yates
> ITS, Inc.

Thanks Steve,
No the default rules don't catch any of these packets.
Activating the logging on my wide LAN allow rule, I can indeed even see them OK 
as in:


Default allow LAN IPv6 to any rule (10102)[x:y:z:d801::130]   
[2a00:1450:4007:808::2003]ICMPv6

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om

> 
> 
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
> Sent: Wednesday, April 20, 2016 11:39 AM
> To: pfSense Support and Discussion Mailing List 
> Subject: [pfSense] IPV6 WAN/LAN routing
> 
> Dear all,
> 
> I must be tired or something but I have a strange thing with IPv6 on a new 
> box I just setup.
> 
> Have a x:y:z:d800::/56 routed to me.
> WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
> x:y:z:d800::::: (not a nice one but that is what they gave 
> me).
> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN interface.
> 
> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach 
> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
> x:y:z:d800::1, but I can't get a packet to go further.
> 
> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) 
> from WAN interface, but not from LAN interface.
> 
> I would have thought "ok I miss a pass rule on the LAN interface", but there 
> is one. This by far is not my first pfSense box, and they all have various 
> kind of IPv6 links. Not that I couldn't be awfully wrong somewhere. So what 
> obvious detail am I overlooking here? If you have any idea?
> 
> This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 
> 2.2.x.
> 
> --
> Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier 
> Mascia, integral.be/om
> 



Re: [pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Steve Yates
To rule out any missing firewall rules, on Status: System logs: Settings, check 
"Log packets matched from the default block rules put in the ruleset" and see 
if it starts logging your pings from the LAN.

--

Steve Yates
ITS, Inc.


-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Olivier Mascia
Sent: Wednesday, April 20, 2016 11:39 AM
To: pfSense Support and Discussion Mailing List 
Subject: [pfSense] IPV6 WAN/LAN routing

Dear all,

I must be tired or something but I have a strange thing with IPv6 on a new box 
I just setup.

Have a x:y:z:d800::/56 routed to me.
WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
x:y:z:d800::::: (not a nice one but that is what they gave me).
LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN interface.

From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach pf 
LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
x:y:z:d800::1, but I can't get a packet to go further.

Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) from 
WAN interface, but not from LAN interface.

I would have thought "ok I miss a pass rule on the LAN interface", but there is 
one. This by far is not my first pfSense box, and they all have various kind of 
IPv6 links. Not that I couldn't be awfully wrong somewhere. So what obvious 
detail am I overlooking here? If you have any idea?

This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 2.2.x.

--
Meilleures salutations, Met vriendelijke groeten, Best Regards, Olivier Mascia, 
integral.be/om




[pfSense] IPV6 WAN/LAN routing

2016-04-20 Thread Olivier Mascia
Dear all,

I must be tired or something but I have a strange thing with IPv6 on a new box 
I just setup.

Have a x:y:z:d800::/56 routed to me.
WAN is static IPv6 on x:y:z:d800::1/64, gateway is 
x:y:z:d800::::: (not a nice one but that is what they gave me).
LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN interface.

From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach pf 
LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on 
x:y:z:d800::1, but I can't get a packet to go further.

Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6) from 
WAN interface, but not from LAN interface.

I would have thought "ok I miss a pass rule on the LAN interface", but there is 
one. This by far is not my first pfSense box, and they all have various kind of 
IPv6 links. Not that I couldn't be awfully wrong somewhere. So what obvious 
detail am I overlooking here? If you have any idea?

This is 2.3-RELEASE by the way. Other boxes (on other networks) are still 2.2.x.

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om




[pfSense] ipv6 proxy the neighbours

2016-02-22 Thread Josh
I spent quite a bit of time trying to accomplish 
https://www.ipsidixit.net/2010/03/24/239/ task on pfsense FreeBSD and on 
MacOS with no success.


Linux command

ip -6 neigh add proxy ipv6_address dev eth0

is supposedly translated to FreeBSD

ndp -s ipv6_address eth0_mac_address proxy

but it has zero effect. I see neighbour advertisement packets but no 
response on them.


also I can't find BSD version of Linux net.ipv6.conf.all.proxy_ndp Is 
there one?


Has anyone been able to use pfsense as IPv6 gateway? What am I missing?

Regards,
Josh.


Re: [pfSense] IPv6 Router Advertisement & DNS

2015-06-05 Thread İhsan Doğan
Hi Chris,

On Thursday, 04 Jun 2015 17:26 -0500, Chris Buechler wrote:

> > I'm running IPv6 on my LAN interface and I'm experiencing some
> > weird IPv6 Router advertisement issues. When I look at the Router
> > Advertisement Daemon configuration, only the prefix and the DNS
> > domain should be sent:
> >
> > # Automatically Generated, do not edit
> > # Generated config for dhcp6 delegation from wan on lan
> > interface em0 {
> > AdvSendAdvert on;
> > MinRtrAdvInterval 3;
> > MaxRtrAdvInterval 10;
> > AdvLinkMTU 1500;
> > AdvOtherConfigFlag on;
> > prefix 2a02:168:9800::/64 {
> > AdvOnLink on;
> > AdvAutonomous on;
> > AdvRouterAddr on;
> > };
> > DNSSL lan.dogan.ch { }
> >
> 
> It's not setting RDNSS, so it's not from radvd. You have DHCPv6
> enabled, are you assigning DNS via it?

No, I'm not using DHCPv6 on the LAN side. DHCPv6 is only used on
the WAN side (as a DHCPv6 client) for the prefix delegation.



Ihsan

-- 
ih...@dogan.ch http://blog.dogan.ch/


Re: [pfSense] IPv6 Router Advertisement & DNS

2015-06-04 Thread Chris Buechler
On Wed, Jun 3, 2015 at 4:19 AM, İhsan Doğan  wrote:
> Hi,
>
> I'm running IPv6 on my LAN interface and I'm experiencing some
> weird IPv6 Router advertisement issues. When I look at the Router
> Advertisement Daemon configuration, only the prefix and the DNS
> domain should be sent:
>
> # Automatically Generated, do not edit
> # Generated config for dhcp6 delegation from wan on lan
> interface em0 {
> AdvSendAdvert on;
> MinRtrAdvInterval 3;
> MaxRtrAdvInterval 10;
> AdvLinkMTU 1500;
> AdvOtherConfigFlag on;
> prefix 2a02:168:9800::/64 {
> AdvOnLink on;
> AdvAutonomous on;
> AdvRouterAddr on;
> };
> DNSSL lan.dogan.ch { }
>

It's not setting RDNSS, so it's not from radvd. You have DHCPv6
enabled, are you assigning DNS via it?

[pfSense] IPv6 Router Advertisement & DNS

2015-06-03 Thread İhsan Doğan
Hi,

I'm running IPv6 on my LAN interface and I'm experiencing some
weird IPv6 Router advertisement issues. When I look at the Router
Advertisement Daemon configuration, only the prefix and the DNS
domain should be sent:

# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface em0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix 2a02:168:9800::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL lan.dogan.ch { }

Unfortunately, a Windows 7 client configures the pfsense address
as the DNS server (sorry, it's in German):

Ethernet-Adapter LAN-Verbindung:
   Verbindungsspezifisches DNS-Suffix: home
   Beschreibung. . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physikalische Adresse . . . . . . : 00-0C-29-F9-24-1F
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv6-Adresse. . . . . . . . . . . : 
:xxx::0:7dec:f195:8510:8892(Bevorzugt)
   Temporäre IPv6-Adresse. . . . . . : 
:xxx::0:3045:c28a:e709:8662(Bevorzugt)
   Verbindungslokale IPv6-Adresse  . : fe80::7dec:f195:8510:8892%11(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.42.180(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : fe80::1:1%11
   192.168.42.1
   DHCPv6-IAID . . . . . . . . . . . : 234884137
   DHCPv6-Client-DUID. . . . . . . . : xx-xx-xx-xx-xx-xx-CC-69-00-0C-29-F9-24-1F
   DNS-Server  . . . . . . . . . . . : :xxx::0:20c:29ff:fe87:1d76
   192.168.42.178
   192.168.42.158
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
   Suchliste für verbindungsspezifische DNS-Suffixe:
   home

And the router advertisement packet looks fine so far:

10:47:55.267792 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 88) 
fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 88
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, 
reachable time 0s, retrans time 0s
  prefix info option (3), length 32 (4): :xxx:::/64, Flags 
[onlink, auto, router], valid time 86400s, pref. time 14400s
0x:  40e0 0001 5180  3840   
0x0010:        
  dnssl option (31), length 24 (3):  lifetime 10s, domain(s): 
lan.dogan.ch.
0x0000:  0000 0000 000a 036c 616e 0564 6f67 616e
0x0010:  0263 6800 0000
  mtu option (5), length 8 (1):  1500
0x0000:  0000 0000 05dc
  source link-address option (1), length 8 (1): 00:0c:29:87:1d:76
0x0000:  000c 2987 1d76

I'm wondering now why the pfSense router address is set as a DNS
server, while there is no DNS forwarder or DNS resolver running
there. I've also noticed that if I specify IPv6 DNS server
addresses for pfSense, they are set in radvd.conf, but the
clients (Windows 7 and Android 5.1.1) are trying to use the
default gateway as a DNS server.

Well, I think this behaviour isn't right and probably there is
something wrong here.



Ihsan

-- 
ih...@dogan.ch http://blog.dogan.ch/


Re: [pfSense] IPv6 and OS X?

2014-08-15 Thread Benno Rice

On 14 Aug 2014, at 11:12 pm, Chris L  wrote:

> 
> On Aug 14, 2014, at 9:47 PM, Benno Rice  wrote:
> 
>> 
>> 
>> Even though the network configuration is set up to automatically configure 
>> IPv6 (and has done in the past, when I was using a FRITZ!Box on Internode 
>> ADSL in Australia) and the pfSense system is definitely sending the router 
>> advertisements and they’re definitely reaching the OS X system:
>> 
>> Any ideas where I’d go from here?
>> 
> 
> In pfSense DHCPv6 is off on the LAN, Router Advertisements are set to 
> unmanaged and on OS X it’s set to configure IPv6 automatically?
> 
> That’s my setup here (but with an HE tunnel and static setup of an assigned 
> /64 on LAN.)  It’s never given me any problems at all.

I can’t set the IPv6 router mode for the LAN as it’s set to track the WAN 
interface and the DHCPv6 Server/RA configuration stuff only comes up on static 
interfaces. I can see the radvd configuration on the pfSense system and as I 
showed in the previous message I can see advertisements arriving. OS X is set 
to configure IPv6 automatically.

The radvd.conf is:

# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface re2 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix 2601:8:9a80:69d::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2601:8:9a80:69d:20d:b9ff:fe34:c61a { };
DNSSL jeamland.net { };
};


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] IPv6 and OS X?

2014-08-14 Thread Chris L

On Aug 14, 2014, at 9:47 PM, Benno Rice  wrote:

> 
> 
> Even though the network configuration is set up to automatically configure 
> IPv6 (and has done in the past, when I was using a FRITZ!Box on Internode 
> ADSL in Australia) and the pfSense system is definitely sending the router 
> advertisements and they’re definitely reaching the OS X system:
> 
> Any ideas where I’d go from here?
> 

In pfSense DHCPv6 is off on the LAN, Router Advertisements are set to unmanaged 
and on OS X it’s set to configure IPv6 automatically?

That’s my setup here (but with an HE tunnel and static setup of an assigned /64 
on LAN.)  It’s never given me any problems at all.


> Many thanks,
> Benno.
> 



[pfSense] IPv6 and OS X?

2014-08-14 Thread Benno Rice
Hi,

I’ve got a system running pfSense 2.1.4 (most recent) acting as a gateway for 
my Comcast internet service. I’ve got IPv6 configured as DHCP6 on the WAN side 
requesting a /64 prefix. For the LAN interface I have it set to track the WAN 
interface.

I can confirm that the WAN interface is getting an IPv6 address:

re1: flags=8843 metric 0 mtu 1500

options=209b
ether 00:0d:b9:34:c6:19
inet 67.182.141.248 netmask 0xf800 broadcast 255.255.255.255
inet6 fe80::20d:b9ff:fe34:c619%re1 prefixlen 64 scopeid 0x2
inet6 2001:558:600a:35:309a:40e2:efb8:28ca prefixlen 128
nd6 options=3
media: Ethernet autoselect (1000baseT )
status: active

and I seem to be getting the delegated prefix and it appears to end up on the 
LAN interface:

re2: flags=8843 metric 0 mtu 1500

options=209b
ether 00:0d:b9:34:c6:1a
inet 192.168.1.1 netmask 0xff00 broadcast 192.168.1.255
inet6 2601:8:9a80:69d:20d:b9ff:fe34:c61a prefixlen 64
inet6 fe80::1:1%re2 prefixlen 64 scopeid 0x3
nd6 options=1
media: Ethernet autoselect (1000baseT )
status: active

Connectivity appears to be working from the pfSense system:

[2.1.4-RELEASE][admin@pfSense]/root(32): ping6 -c 5 pfsense.org
PING6(56=40+8+8 bytes) 2001:558:600a:35:309a:40e2:efb8:28ca --> 
2610:160:11:11::69
16 bytes from 2610:160:11:11::69, icmp_seq=0 hlim=52 time=77.539 ms
16 bytes from 2610:160:11:11::69, icmp_seq=1 hlim=52 time=78.463 ms
16 bytes from 2610:160:11:11::69, icmp_seq=2 hlim=52 time=77.437 ms
16 bytes from 2610:160:11:11::69, icmp_seq=3 hlim=52 time=76.808 ms
16 bytes from 2610:160:11:11::69, icmp_seq=4 hlim=52 time=79.694 ms

--- pfsense.org ping6 statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 76.808/77.988/79.694/1.003 ms

However, my OS X system (Mavericks, up to date) doesn’t appear to be acting on 
the router advertisements the pfSense box is sending:

> ifconfig en0
en0: flags=8863 mtu 1500
ether 94:94:26:09:b8:1c
inet6 fe80::9694:26ff:fe09:b81c%en0 prefixlen 64 scopeid 0x4
inet 192.168.1.15 netmask 0xff00 broadcast 192.168.1.255
nd6 options=1
media: autoselect
status: active

Even though the network configuration is set up to automatically configure IPv6 
(and has done in the past, when I was using a FRITZ!Box on Internode ADSL in 
Australia) and the pfSense system is definitely sending the router 
advertisements and they’re definitely reaching the OS X system:

> sudo tcpdump - -i en0 ip6
tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:45:00.342737 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 112) 
fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 112
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, 
reachable time 0s, retrans time 0s
  prefix info option (3), length 32 (4): 2601:8:9a80:69d::/64, Flags 
[onlink, auto, router], valid time 86400s, pref. time 14400s
0x0000:  40e0 0001 5180 0000 3840 0000 0000 2601
0x0010:  0008 9a80 069d 0000 0000 0000 0000
  rdnss option (25), length 24 (3):  lifetime 10s, addr: 
2601:8:9a80:69d:20d:b9ff:fe34:c61a
0x0000:  0000 0000 000a 2601 0008 9a80 069d 020d
0x0010:  b9ff fe34 c61a
  unknown option (31), length 24 (3):
0x0000:  0000 0000 000a 086a 6561 6d6c 616e 6403
0x0010:  6e65 7400 0000
  mtu option (5), length 8 (1):  1500
0x0000:  0000 0000 05dc
  source link-address option (1), length 8 (1): 00:0d:b9:34:c6:1a
0x0000:  000d b934 c61a

Any ideas where I’d go from here?

Many thanks,
Benno.



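Since both Ihsan's and Benno's questions come down to "what exactly is in the RA the clients receive", here is an added example (not code from the thread, pfSense or radvd) that decodes the ICMPv6 Router Advertisement options tcpdump prints and then checks them against what the router is supposed to advertise. The sample packet is constructed from the option bytes in Benno's capture with a zero checksum; the second packet is the same RA with the RDNSS option removed, which is the shape of Ihsan's capture; the expected prefix and DNS server handed to the audit are assumptions for the example.

```python
"""Decode an ICMPv6 Router Advertisement and its options (RFC 4861, RFC 8106).

Added example, not pfSense or radvd code. The packets below are constructed
from the bytes shown in Benno's tcpdump output (ICMPv6 checksum left zero).
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS, OPT_DNSSL = 1, 3, 5, 25, 31

# Constructed RA: 16-byte header followed by the five options from the capture.
BENNO_RA = bytes.fromhex(
    "8600 0000 40 40 001e 00000000 00000000"                        # type 134, O flag, lifetime 30s
    "0304 40e0 00015180 00003840 00000000"                          # prefix info: /64, L+A+R flags,
    "2601 0008 9a80 069d 0000 0000 0000 0000"                       #   valid 86400s, preferred 14400s
    "1903 0000 0000000a 2601 0008 9a80 069d 020d b9ff fe34 c61a"    # RDNSS, lifetime 10s
    "1f03 0000 0000000a 08 6a65616d6c616e64 03 6e6574 00 0000"      # DNSSL "jeamland.net"
    "0501 0000 000005dc"                                            # MTU 1500
    "0101 000d b934 c61a"                                           # source link-layer address
)
# Same RA with the RDNSS option (bytes 48..72) cut out: the shape of Ihsan's capture.
NO_RDNSS_RA = BENNO_RA[:48] + BENNO_RA[72:]


def _dns_names(buf):
    """Decode the zero-terminated wire-format domain names of a DNSSL option."""
    names, i = [], 0
    while i < len(buf) and buf[i]:
        labels = []
        while i < len(buf) and buf[i]:
            n = buf[i]
            labels.append(buf[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        names.append(".".join(labels))
        i += 1                      # skip the root label; trailing zeros are padding
    return names


def parse_ra(pkt):
    """Return a dict describing the RA; raises ValueError on malformed input."""
    if len(pkt) < 16 or pkt[0] != ND_ROUTER_ADVERT or pkt[1] != 0:
        raise ValueError("not an ICMPv6 Router Advertisement")
    hop, flags, lifetime, reachable, retrans = struct.unpack("!4xBBHII", pkt[:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable": reachable, "retrans": retrans,
          "prefixes": [], "rdnss": [], "dnssl": [], "mtu": None, "source_lladdr": None}
    i = 16
    while i < len(pkt):
        if i + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[i], pkt[i + 1] * 8
        if olen == 0 or i + olen > len(pkt):      # RFC 4861 7.1.2: length 0 must be rejected
            raise ValueError(f"bad length for option {otype}")
        body = pkt[i + 2:i + olen]                # option body without type/length
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "router": bool(pflags & 0x20), "valid": valid, "preferred": pref})
        elif otype == OPT_RDNSS and olen >= 24:
            (lt,) = struct.unpack("!I", body[2:6])
            addrs = [str(ipaddress.IPv6Address(body[j:j + 16]))
                     for j in range(6, len(body) - 15, 16)]
            ra["rdnss"].append({"lifetime": lt, "addrs": addrs})
        elif otype == OPT_DNSSL and olen >= 16:
            (lt,) = struct.unpack("!I", body[2:6])
            ra["dnssl"].append({"lifetime": lt, "names": _dns_names(body[6:])})
        elif otype == OPT_MTU and olen == 8:
            (ra["mtu"],) = struct.unpack("!I", body[2:6])
        elif otype == OPT_SOURCE_LLADDR and olen == 8:
            ra["source_lladdr"] = body[:6].hex(":")
        i += olen
    return ra


def audit_ra(ra, expected_prefixes, expected_dns):
    """List what an operator would want flagged: a prefix or RDNSS server that is
    not the one we configured (the rogue-RA case), and the situation from the
    thread where the RA carries no RDNSS at all although O is set."""
    findings = []
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            findings.append(f"unexpected prefix {p['prefix']}")
    advertised = [a for opt in ra["rdnss"] for a in opt["addrs"]]
    for a in advertised:
        if a not in expected_dns:
            findings.append(f"unexpected RDNSS server {a}")
    if not advertised and ra["other"]:
        findings.append("no RDNSS option: DNS must come from DHCPv6 (O flag set)")
    return findings


if __name__ == "__main__":
    for name, pkt in (("benno", BENNO_RA), ("no-rdnss", NO_RDNSS_RA)):
        decoded = parse_ra(pkt)
        print(name, decoded)
        print(name, audit_ra(decoded, {"2601:8:9a80:69d::/64"},
                             {"2601:8:9a80:69d:20d:b9ff:fe34:c61a"}))
```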

Re: [pfSense] IPv6 Default Gateway

2014-07-09 Thread Mark Tinka
On Wednesday, July 09, 2014 05:45:36 PM Lyle Giese wrote:

> Typos are a terrible thing.  I often put in a ; instead
> of a : in IPv6 addresses.  Depending on the font, it can
> be VERY hard to see that.

In this case, the problem wasn't the IPv6 address. The 
problem was that I used "white_spaces" in the name I gave 
the entry. pfSense does not like that :-).

Mark.



Re: [pfSense] IPv6 Default Gateway

2014-07-09 Thread Lyle Giese
Typos are a terrible thing.  I often put in a ; instead of a : in IPv6 
addresses.  Depending on the font, it can be VERY hard to see that.


Plus, we cannot see what you thought you typed in or what you really 
typed in, so it's very hard to guess what's wrong.


Lyle

On 07/09/14 10:17, Mark Tinka wrote:
> Hello all.
>
> I'm trying to create an IPv6 default gateway, and the box is
> throwing back this error:
>
> The following input errors were detected:
> The gateway name must not contain invalid
> characters.
>
> Anybody know why this is coming back? The IPv6 address is
> standard, and is being used well on other devices.
>
> All help appreciated.
>
> Mark.





Re: [pfSense] IPv6 Default Gateway

2014-07-09 Thread Mark Tinka
Sorry guys, my bad - I read the error as something being 
wrong with the IPv6 address itself, and on second glance, 
the issue is with the name tagged to the entry.

All sorted now. Thanks.

Mark.

On Wednesday, July 09, 2014 05:17:27 PM Mark Tinka wrote:
> Hello all.
> 
> I'm trying to create an IPv6 default gateway, and the box
> is throwing back this error:
> 
>   The following input errors were detected:
>   The gateway name must not contain invalid
> characters.
> 
> Anybody know why this is coming back? The IPv6 address is
> standard, and is being used well on other devices.
> 
> All help appreciated.
> 
> Mark.



[pfSense] IPv6 Default Gateway

2014-07-09 Thread Mark Tinka
Hello all.

I'm trying to create an IPv6 default gateway, and the box is 
throwing back this error:

The following input errors were detected:
The gateway name must not contain invalid
characters.

Anybody know why this is coming back? The IPv6 address is 
standard, and is being used well on other devices.

All help appreciated.

Mark.



[pfSense] IPv6 Match / Queue

2014-04-05 Thread Giles Davis
Hi all,

Wondering if anyone else has come across weirdness with queueing IPv6
traffic with PF / pfSense at all (or could perhaps point out my derps)? :)

As far as I can tell, 'Match' rules just plain don't seem to work for queueing
v6 traffic, whereas they work just fine with v4. Behaviour seems to be
the same on 2.1 and 2.1.1.

In the process of trying to hunt down where this is going wrong, I've got:

A match rule for all IPv4 TCP [From rules.debug]:
match log  on {  bge0  } inet proto tcp  from any to any flags S/SA 
queue (qIPV4,qACK)  label "USER_RULE: Match v4 TCP LAN"
This works fine: all v4/TCP traffic matches and falls into the
qIPV4 queue just as it should. No issues here.

However, with a match rule for all IPv6 TCP [From rules.debug]:
match log  on {  bge0  } inet6 proto tcp  from any to any flags S/SA 
queue (qIPV6,qACK)  label "USER_RULE: Match v6 TCP LAN"
This doesn't cause IPv6 traffic to fall into the qIPV6 queue as you
would expect - it just hits the default queue. :(

The rule seems to have gone in just fine:
[2.1.1-RELEASE][root@pfsense.localdomain]/root(8): pfctl -vvvs rules |
grep 'inet6 proto tcp all'
@64 match log on bge0 inet6 proto tcp all flags S/SA label "USER_RULE:
Match v6 TCP LAN" queue(qIPV6, qACK)

And furthermore, traffic seems to match the rule just fine too:
[2.1.1-RELEASE][root@pfsense.localdomain]/root(1): tcpdump -n -e -ttt -i
pflog0

00:00:23.541557 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.633186 rule 64/0(match): unkn(11) in on bge0: [|ip6]
00:00:00.664269 rule 64/0(match): unkn(11) in on bge0: [|ip6]

but yet the v6 traffic always just falls into the Default queue all
the same, whereas v4 traffic ends up queued in the specified queue perfectly.

It seems I can make IPv6 traffic match a queue by using Pass/Quick:
pass log  quick  on {  bge0  } inet6 proto tcp  from any to
2001:4db0:10:1::2 flags S/SA keep state  queue (qIPV6,qACK)  label
"USER_RULE: Pass/Quick"
This does seem to drop traffic to this destination into the correct
queue as expected - but this breaks the nice flexibility of being able to
have a whole pile of 'Floating' Match rules for traffic shaping coupled
with 'Interface' Pass / Drop rules to actually firewall traffic as required.

My google-fu seems to be failing me on finding much in the way of help
on this one, so if anyone has any thoughts - they would be greatly
appreciated.

Many thanks! :)

Giles.



Re: [pfSense] IPv6 address data validation

2014-02-11 Thread Chris Buechler
On Mon, Feb 10, 2014 at 10:23 AM, Brian Candler  wrote:

>  [For some reason the 'New Issue' button on redmine is no longer visible
> to me, so I'll record this minor issue here]
>
>
I misunderstood redmine's permissions and broke that temporarily, should
work now. If not, please contact me off-list.

I opened a ticket with this one.
https://redmine.pfsense.org/issues/3444


[pfSense] IPv6 address data validation

2014-02-10 Thread Brian Candler
[For some reason the 'New Issue' button on redmine is no longer visible 
to me, so I'll record this minor issue here]


When creating a network alias which contains an IPv6 address, some 
additional data validation is required. Specifically, it lets you enter 
the following:


Firewall > Aliases > [+]
Name: foo
Type: Network(s)
Network(s): [+]
[fc00:123::/48]   [ /48 ]

This happened to me for real when copy-pasting a subnet into the first 
field.


The data is accepted, and the alias then has value "fc00:123::/48/48". 
However, this prevents the ruleset from loading. More seriously, the 
entire ruleset is left empty. That is: after clicking Apply, 'pfctl -sr' 
shows nothing at all, and the firewall is open.


If you then navigate to another page, you do see an error notification:

"
02-10-14 17:11:31 [ There were error(s) loading the rules: /tmp/rules.debug:26: syntax error - The line in question reads [26]: table { fc00:123::/48/48 } ]
"

You can fix or delete the offending alias to correct the problem.

Suggestion: either reject an alias which contains /nnn, or else use the 
/nnn part to override the CIDR drop-down selector (which would be 
convenient for copy-pasting aliases)


Regards,

Brian.

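As an added example (not pfSense's own input-validation code), the check Brian proposes, written out in Python: an entry that already carries a second "/nnn" is rejected, a single "/nnn" either overrides the CIDR selector or is checked against it, and the pf table line is only rendered once every entry validates, so an unloadable alias never reaches rules.debug and cannot leave the ruleset empty. The alias name and entries are constructed; the function names are assumptions.

```python
"""Validate a pfSense-style "Network(s)" alias entry before it reaches the ruleset.

Added example, not pfSense's own code. Brian's report: "fc00:123::/48/48"
was accepted, rules.debug failed to parse, and pfctl ended up with no rules.
"""
import ipaddress
import re

# address or network, optionally followed by one or more "/nnn" suffixes
_ENTRY = re.compile(r"^\s*([0-9A-Fa-f:.]+)((?:/\d{1,3})*)\s*$")


def normalize_network_entry(text, cidr_selector, allow_override=True):
    """Return the canonical 'network/len' for one alias entry.

    cidr_selector is the value of the CIDR drop-down next to the field.
    Raises ValueError with a user-facing message when the entry is unusable."""
    m = _ENTRY.match(text)
    if not m:
        raise ValueError(f"{text!r} is not an address or network")
    addr = m.group(1)
    suffixes = [int(s) for s in m.group(2).split("/") if s]
    if len(suffixes) > 1:                      # the 'fc00:123::/48/48' case
        raise ValueError(f"{text!r} contains more than one prefix length")
    if suffixes:
        if not allow_override and suffixes[0] != cidr_selector:
            raise ValueError(f"{text!r} carries /{suffixes[0]} but the CIDR selector is /{cidr_selector}")
        plen = suffixes[0]                     # pasted '/nnn' overrides the selector
    else:
        plen = cidr_selector
    try:
        # strict=False masks host bits (192.168.42.180/24 -> 192.168.42.0/24),
        # which is how pf would treat the entry anyway
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    except ValueError as err:                  # bad address or prefix length > 32/128
        raise ValueError(f"{text!r}: {err}") from None
    return str(net)


def render_table(name, entries, cidr_selector, allow_override=True):
    """Build the 'table <name> { ... }' line for an alias.

    Returns (line, errors). line is None whenever errors is non-empty, so the
    caller can refuse to write rules.debug instead of loading a broken ruleset."""
    nets, errors = [], []
    for entry in entries:
        try:
            nets.append(normalize_network_entry(entry, cidr_selector, allow_override))
        except ValueError as err:
            errors.append(str(err))
    if errors:
        return None, errors
    return f"table <{name}> {{ {' '.join(nets)} }}", []


if __name__ == "__main__":
    print(render_table("foo", ["fc00:123::/48/48"], 48))
    print(render_table("foo", ["fc00:123::", "10.0.0.0/8"], 48))
```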


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-10-01 Thread Mehta, Hemen (DPCC)
How can one go about getting a /48?

On Sep 30, 2013, at 5:52 AM, Mark Tinka  wrote:

> On Monday, September 30, 2013 10:58:42 AM Seth Mos wrote:
> 
>> On that note: This is a last call to people in the US to
>> get one before they are stuck in a hard place.
>> 
>> We got ours just in time before the last /8 policy in
>> RIPE land.
>> 
>> Like the whole IPv6 migration, better plan ahead then get
>> stuck between a rock and a hard place.
> 
> APNIC are down to allocating only /22's until they're fully 
> out.
> 
> AFRINIC and LACNIC still have space for a few more years.
> 
> RIPE is tapped out, and ARIN isn't far behind.
> 
> All in all, apply for a /48 PI IPv6 allocation if you're an 
> end-user. You won't have to renumber (ever) again.
> 
> Mark.



Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-10-01 Thread Mark Tinka
On Tuesday, October 01, 2013 04:06:20 PM Mehta, Hemen (DPCC) 
wrote:

> How can one go about getting a /48?

Go to your RIR's web site and apply for space based on their 
policy.

RIR policies are generally very clear and pregnant with 
details on what to do :-).

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-10-01 Thread Adam Thompson
I just obtained PI space in ARIN land as an End User (not an ISP).
US$550 for the ASN.
US$500 for the IPv6 block.
US$500 for the IPv4 block.
I believe those are all annual amounts.
-Adam

Chris Bagnall  wrote:

>On 1 Oct 2013, at 14:31, Eugen Leitl  wrote:
>> But you're going to pay the annual fee. Or is PI
>> for end user through sponsoring LIR possible without 
>> incurring annual costs?
>
>I can't speak for other jurisdictions, but in RIPE-land, most LIRs charge 
>around 70GBP per annum to sponsor each allocation. So assuming ASN, v4 and v6 
>PI ranges, you're looking at around 210GBP per annum.
>
>Kind regards,
>
>Chris
>-- 
>This email is made from 100% recycled electrons
>


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-10-01 Thread Chris Bagnall
On 1 Oct 2013, at 14:31, Eugen Leitl  wrote:
> But you're going to pay the annual fee. Or is PI
> for end user through sponsoring LIR possible without 
> incurring annual costs?

I can't speak for other jurisdictions, but in RIPE-land, most LIRs charge 
around 70GBP per annum to sponsor each allocation. So assuming ASN, v4 and v6 
PI ranges, you're looking at around 210GBP per annum.

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons



Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-10-01 Thread Mark Tinka
On Tuesday, October 01, 2013 03:31:55 PM Eugen Leitl wrote:

> But you're going to pay the annual fee. Or is PI
> for end user through sponsoring LIR possible without
> incurring annual costs?

PI space allocations require membership (I haven't read the 
latest allocation policies for all RIRs), which means 
you'll need to pay a membership fee.

If your region supports NIRs, you'd still pay the LIR, I 
presume.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-10-01 Thread Eugen Leitl
On Mon, Sep 30, 2013 at 11:52:31AM +0200, Mark Tinka wrote:

> All in all, apply for a /48 PI IPv6 allocation if you're an 
> end-user. You won't have to renumber (ever) again.

But you're going to pay the annual fee. Or is PI
for end user through sponsoring LIR possible without 
incurring annual costs?




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-30 Thread Mark Tinka
On Monday, September 30, 2013 10:58:42 AM Seth Mos wrote:

> On that note: This is a last call to people in the US to
> get one before they are stuck in a hard place.
> 
> We got ours just in time before the last /8 policy in
> RIPE land.
> 
> Like the whole IPv6 migration, better plan ahead then get
> stuck between a rock and a hard place.

APNIC are down to allocating only /22's until they're fully 
out.

AFRINIC and LACNIC still have space for a few more years.

RIPE is tapped out, and ARIN isn't far behind.

All in all, apply for a /48 PI IPv6 allocation if you're an 
end-user. You won't have to renumber (ever) again.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-30 Thread Seth Mos
On 30-9-2013 10:53, Chris Bagnall wrote:
> On 30/9/13 7:56 am, Seth Mos wrote:
>> I finally bit the bullet and signed up for PI space with a ASN and
>> hopefully that's that.
> 
> Worth mentioning here that no more IPv4 PI ranges will be allocated - at
> least not within RIPE jurisdiction (conservation rules kicked in when we
> started on the last /8). Other RIRs might be different.

On that note: This is a last call to people in the US to get one before
they are stuck in a hard place.

We got ours just in time before the last /8 policy in RIPE land.

Like the whole IPv6 migration, better plan ahead than get stuck between
a rock and a hard place.

Cheers,
Seth


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-30 Thread Chris Bagnall

On 30/9/13 7:56 am, Seth Mos wrote:
> I finally bit the bullet and signed up for PI space with an ASN and
> hopefully that's that.


Worth mentioning here that no more IPv4 PI ranges will be allocated - at 
least not within RIPE jurisdiction (conservation rules kicked in when we 
started on the last /8). Other RIRs might be different.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-29 Thread Seth Mos
On 27-9-2013 18:13, Adam Thompson wrote:

> I firmly agree with previous posts that outline why this allocation
> policy is suboptimal.
> However, I do *not* want to be renumbering my IPv6 hosts down the road
> simply because I wanted to be the most efficient guy on the block.  Nor
> do I want to be the guy who can't run protocol XYZ because I didn't use
> /64s.

Wait, what? Renumbering in IPv6 is different from IPv4 how?

I had to renumber my IPv4 connections 6 times in the past decade, and I
mean in the globally routed way, not the internal LAN. Now the size here
is a fair bit of external servers, and those have public addresses,
firewall rules and/or NAT mappings. Then there is the host config etc.

I finally bit the bullet and signed up for PI space with an ASN and
hopefully that's that.

In retrospect, I should have done that ages ago. It would have saved the
company tons of money in labor. You see, cheaping out with the smaller
plans seemed like a good idea (cheap multiwan) but it turns out to be
far more expensive in the long run with migration.

Renumbering is cumbersome, but it's really no different now than it was
before.

For all that it matters, I expect this not to happen so much with IPv6,
because the default /48 allocation is so much larger. It's easy to do
some aggregated routing without ending up with /29's everywhere.

An IPv4 /24 was effectively 254 hosts, until you wanted to do routing, and
the effective number of hosts goes downhill very fast from there.

I had to renumber twice in IPv4 alone because I got a larger netblock.
This is because you needed to provide a reasonable requirement, and you
can't get larger without a decent motivation and actually using those
addresses.

I think the default IPv6 size of /48 is well chosen.

The moral is: if your company is multi-WAN and has about 100 desktops,
apply for an ASN and get BGP connections. It is the right business decision.

Regards,

Seth



Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 06:13:35 PM Adam Thompson 
wrote:

> FWIW, I've had to look into this lately and went trawling
> through the RFCs for guidance.
> The IETF is very firmly on the side of always using a /64
> for subnets. At least RFCs 3177, 3315, 3627, 3736, 3956,
> 3971, 4291, 4862, 4866, 4872, 4941, 5375 either mandate,
> recommend, specify, or rely on, the use of /64 for *all*
> subnets with hosts.
> This goes so far as language in the RFCs that reads like
> "...however, not all IPv6 implementations prevent the
> use of longer subnet prefixes at this time...". 
> (Quoting from memory, might not be 100% accurate.)

Things change, and will keep changing as we gain more IPv6 
experience.

Look at RFC 6177, for example (which obsoletes one of the 
ones you mention, RFC 3177).

> However, I do *not* want to be renumbering my IPv6 hosts
> down the road simply because I wanted to be the most
> efficient guy on the block.  Nor do I want to be the guy
> who can't run protocol XYZ because I didn't use /64s.

Personally, I've been hearing this particular argument for 
nearly 10x years, and I think it's FUD.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Adam Thompson
> The /64 is really only a requirement if you want to
> support SLAAC.
>
> Which is not to say a /64 is only required if you need
> SLAAC. Just that if you need SLAAC, no other prefix length
> will work.
>
> I know lots of networks that use a /64 for point-to-point
> links. I don't, but many do, and it works.

FWIW, I've had to look into this lately and went trawling through the 
RFCs for guidance.
The IETF is very firmly on the side of always using a /64 for subnets.  
At least RFCs 3177, 3315, 3627, 3736, 3956, 3971, 4291, 4862, 4866, 
4872, 4941, 5375 either mandate, recommend, specify, or rely on, the use 
of /64 for *all* subnets with hosts.
This goes so far as language in the RFCs that reads like "...however, 
not all IPv6 implementations prevent the use of longer subnet prefixes 
at this time...".  (Quoting from memory, might not be 100% accurate.)


There's only one exception I've found and that's 
DRAFT-KOHNO-IPV6-PREFIXLEN-P2P, which AFAIK has not been accepted and is 
now ineligible to become a standards-track RFC.


I firmly agree with previous posts that outline why this allocation 
policy is suboptimal.
However, I do *not* want to be renumbering my IPv6 hosts down the road 
simply because I wanted to be the most efficient guy on the block.  Nor 
do I want to be the guy who can't run protocol XYZ because I didn't use 
/64s.


--
-Adam Thompson
 athom...@athompso.net



Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 05:01:56 PM Adam Piasecki 
wrote:

> I'm somewhat new to ipv6, but looking at the insane
> amount of IPv6 address's in a /64. What is the recommend
> number of hosts to actually assign to that subnet. If i
> could somehow assign all the Ipv6 address's in a /64 to
> hosts, I have doubts the network would be happy.

With IPv6, it's more about convenience than anything else. 
Never having to worry about growing a segment scope 
outweighs the number of hosts you can address.

No network, that I know of today, can scale to support a 
fully utilized /64 in a single segment. But that was never 
the intent with IPv6, anyway :-).

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Adam Piasecki

On 9/27/2013 9:36 AM, Mark Tinka wrote:
> On Friday, September 27, 2013 03:27:12 PM Eugen Leitl wrote:
>
>> All the IPv6 guys I asked said to never do that.
>
> The beauty is - your network, your rules :-).
>
>> I can see when I would use a much smaller subnet
>> e.g. for building a tunnel or CARP, but that's a very
>> special case.
>
> /128's for Loopback, and /126's (and recently, /127's) for
> point-to-point.
>
>> While /64 per LAN segment is wasteful ( /80 or even /96
>> for end users might have been enough), we're stuck with
>> it for a long while.
>
> I don't dispute that - if you certainly want the benefits of
> SLAAC, you will have no other option other than /64; and
> since DHCPv6 doesn't support passing of the Router option,
> you end up having to use both SLAAC and DHCPv6 together.
>
> Mark.

I'm somewhat new to IPv6, but looking at the insane amount of IPv6 
addresses in a /64, what is the recommended number of hosts to actually 
assign to that subnet? If I could somehow assign all the IPv6 addresses 
in a /64 to hosts, I have doubts the network would be happy.


Adam


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 03:27:12 PM Eugen Leitl wrote:

> All the IPv6 guys I asked said to never do that.

The beauty is - your network, your rules :-).

> I can see when I would use a much smaller subnet
> e.g. for building a tunnel or CARP, but that's a very
> special case.

/128's for Loopback, and /126's (and recently, /127's) for 
point-to-point.

> While /64 per LAN segment is wasteful ( /80 or even /96
> for end users might have been enough), we're stuck with
> it for a long while.

I don't dispute that - if you certainly want the benefits of 
SLAAC, you will have no other option other than /64; and 
since DHCPv6 doesn't support passing of the Router option, 
you end up having to use both SLAAC and DHCPv6 together.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Eugen Leitl
On Fri, Sep 27, 2013 at 03:15:34PM +0200, Mark Tinka wrote:

> If you need SLAAC, a /64 is your only option.
> 
> If you don't need SLAAC on your network segment, and you 
> don't need a /64, then you can use a longer prefix length.

All the IPv6 guys I asked said to never do that.

I can see when I would use a much smaller subnet
e.g. for building a tunnel or CARP, but that's a very
special case.

While /64 per LAN segment is wasteful ( /80 or even /96 for
end users might have been enough), we're stuck with
it for a long while.

This is not all bad: you can use the private part of a /64
to encode and transport information across the Internet,
e.g. geographic position (WGS 84 fixes), etc.

In general the large size of private addresses allows
novel uses like cjdns (public key as address identity).

I'm happy Google reports 2% IPv6 penetration, while
still appearing to look exponential
http://www.google.com/ipv6/statistics.html






Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 02:53:06 PM Jim Pingle wrote:

> It is only a requirement for SLAAC, yes, but it's also
> recommended quite strongly in various RFCs and other
> docs from the IETF.

Well, the RFCs haven't always bent themselves toward best 
practice, just recommendation.

And given that we're still all trying to understand IPv6 
in practice, I expect more recommendations to follow in 
coming years.

> The IETF wants /64's everywhere (which IMHO is quite
> wasteful, but ...)

The argument is that IPv4-thinking in an IPv6 world is 
counter-intuitive. But the other argument says we always 
thought 32 bits would be more than enough, just like 640KB 
of RAM should have been :-).

No one really knows how long IPv6 will last, especially if 
you walk away from today's thinking.

> It may work perfectly well for some things, but not
> others. I'm not sure I trust everything else to properly
> adhere to what _should_ work... :-)

8x years running /112's on LAN's and no issue.

There are discussions about ASIC or NPU optimization in 
route lookups, code that is expecting a certain prefix 
length, etc.

I don't buy it, but that's just me :-).

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 02:38:25 PM Eugen Leitl wrote:

> It seems that /64 for each network segment is mandatory,
> to prevent autoconfig breakage.

That's right.

If you need SLAAC, a /64 is your only option.

If you don't need SLAAC on your network segment, and you 
don't need a /64, then you can use a longer prefix length.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Jim Pingle
On 9/27/2013 8:24 AM, Mark Tinka wrote:
> On Friday, September 27, 2013 02:16:10 PM Jim Pingle wrote:
> 
>> Generally speaking when you assign a subnet to an
>> interface for use, you want that to be a /64 only.
>> Larger chunks would be routed, either by static routes,
>> PD, or some other means.
> 
> The /64 is really only a requirement if you want to support 
> SLAAC.

It is only a requirement for SLAAC, yes, but it's also recommended quite
strongly in various RFCs and other docs from the IETF.

The IETF wants /64's everywhere (which IMHO is quite wasteful, but ...)

http://tools.ietf.org/html/rfc4291#section-2.5.1

http://tools.ietf.org/html/rfc3627

> If you're doing static IPv6 address assignments and don't 
> need SLAAC, then you can go for longer (or non-typical) 
> prefix lengths.
> 
> I use /112's where I don't need SLAAC. Still more space than 
> I need if you consider the scope of the broadcast domain.

It may work perfectly well for some things, but not others. I'm not sure
I trust everything else to properly adhere to what _should_ work... :-)

Jim
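A worked version of the prefix-length discussion in this thread (Jim's "assign a /64 to an interface, route larger chunks", Mark's /112s for static segments, and the 64-bit interface identifier rule of RFC 4291 section 2.5.1 that makes /64 the only SLAAC-capable length), as an added Python example. This is not code from the list or from pfSense. The /48 is the documentation prefix 2001:db8::/48 standing in for a routed Hurricane Electric /48, and the MAC address is constructed.

```python
"""IPv6 prefix planning: carve a routed /48 into per-interface prefixes and
check which of them can run SLAAC.

Added example, not code from the pfSense list or project. The /48 is the
documentation prefix 2001:db8::/48 (an assumption standing in for a routed
HE /48); the MAC address below is constructed. Rules encoded: RFC 4291
s2.5.1 (64-bit interface identifier, so SLAAC needs exactly a /64) and the
modified EUI-64 construction from RFC 4291 appendix A.
"""
import ipaddress
from typing import Iterable, Optional

SLAAC_PREFIX_LEN = 64


def carve(allocation: str, new_prefix: int) -> list:
    """Split an allocation into all equal-size subnets of length new_prefix.

    Works for any length, including non-nibble ones such as /54; whether the
    result is usable on an interface is a separate question (slaac_capable).
    """
    block = ipaddress.IPv6Network(allocation, strict=True)
    if new_prefix < block.prefixlen:
        raise ValueError(f"/{new_prefix} is shorter than the allocation {block}")
    return list(block.subnets(new_prefix=new_prefix))


def slaac_capable(net: ipaddress.IPv6Network) -> bool:
    """SLAAC forms a 64-bit interface ID, so only a /64 on the link works."""
    return net.prefixlen == SLAAC_PREFIX_LEN


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291 app. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    # flip the universal/local bit of the first octet, splice ff:fe in the middle
    first = octets[0] ^ 0x02
    return int.from_bytes(bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:], "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host would form on `prefix`; refuses anything but a /64."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not slaac_capable(net):
        raise ValueError(f"{net} is not a /64; hosts will not autoconfigure on it")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac))


def plan(allocation: str, interfaces: Iterable) -> dict:
    """Hand each interface its own /64 slot out of the allocation.

    interfaces: (name, needs_slaac, static_prefix_len). A SLAAC segment gets
    the whole /64. A static segment may use a longer prefix (a /112 or /127)
    but still consumes a distinct /64 slot, so routes and firewall rules stay
    /64-aligned and the segment can be widened to SLAAC later without renumbering.
    """
    slots = ipaddress.IPv6Network(allocation, strict=True).subnets(new_prefix=64)
    result = {}
    for name, needs_slaac, static_len in interfaces:
        slot = next(slots)
        if needs_slaac or static_len is None or static_len == 64:
            result[name] = slot
        elif static_len < 64:
            raise ValueError(f"{name}: /{static_len} would span more than one /64 slot")
        else:
            result[name] = next(slot.subnets(new_prefix=static_len))
    return result


if __name__ == "__main__":
    p = plan("2001:db8::/48", [("LAN", True, None), ("DMZ", False, 112), ("P2P", False, 127)])
    for name, net in p.items():
        print(f"{name:4} {net}  slaac={'yes' if slaac_capable(net) else 'no'}")
    print("LAN host:", slaac_address(str(p["LAN"]), "00:11:22:33:44:55"))
```

Splitting the /48 into /54s, as in the original question, is arithmetically fine (64 of them), but none of them is SLAAC-capable, which is the first thing to check when hosts on such a segment get no global address.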


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Eugen Leitl
On Fri, Sep 27, 2013 at 02:24:04PM +0200, Mark Tinka wrote:
> On Friday, September 27, 2013 02:16:10 PM Jim Pingle wrote:
> 
> > Generally speaking when you assign a subnet to an
> > interface for use, you want that to be a /64 only.
> > Larger chunks would be routed, either by static routes,
> > PD, or some other means.
> 
> The /64 is really only a requirement if you want to support 
> SLAAC.

It seems that /64 for each network segment is mandatory,
to prevent autoconfig breakage.

I just looked what my current 6to4 (from a /16)
pfSense is delivering on LAN, and it looks like a /64


Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 02:24:04 PM Mark Tinka wrote:

> The /64 is really only a requirement if you want to
> support SLAAC.

Which is not to say a /64 is only required if you need 
SLAAC. Just that if you need SLAAC, no other prefix length 
will work.

I know lots of networks that use a /64 for point-to-point 
links. I don't, but many do, and it works.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 02:16:10 PM Jim Pingle wrote:

> Generally speaking when you assign a subnet to an
> interface for use, you want that to be a /64 only.
> Larger chunks would be routed, either by static routes,
> PD, or some other means.

The /64 is really only a requirement if you want to support 
SLAAC.

If you're doing static IPv6 address assignments and don't 
need SLAAC, then you can go for longer (or non-typical) 
prefix lengths.

I use /112's where I don't need SLAAC. Still more space than 
I need if you consider the scope of the broadcast domain.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Mark Tinka
On Friday, September 27, 2013 02:09:19 PM Tim Nelson wrote:

> I have an IPv6 tunnel from Hurricane Electric. The /64 is
> routed to my GIF interface. I requested another /48 for
> assignment internally. If I assign the full /48 to an
> interface, everything works as expected. However, if I
> subnet that /48 into smaller networks (say some /54s),
> and assign individual /54s to multiple interfaces, none
> of them appear to work.

What do you mean by "none of them appear to work"?

/54 is not as common as /56, but I can't see why it wouldn't 
work, short of the software being coded to support only 
specific subnets.

Mark.




Re: [pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Jim Pingle
On 9/27/2013 8:09 AM, Tim Nelson wrote:
> Alright, I understand IPv6 is a 'different animal'. BUT, I'm trying to do 
> something that seems logical, but it is not working. Hoping someone can shed light 
> on it?
> 
> I have an IPv6 tunnel from Hurricane Electric. The /64 is routed to my GIF 
> interface. I requested another /48 for assignment internally. If I assign the 
> full /48 to an interface, everything works as expected. However, if I subnet 
> that /48 into smaller networks (say some /54s), and assign individual /54s to 
> multiple interfaces, none of them appear to work.
> 
> Can I not split up a larger subnet into smaller ones with IPv6? Firewall 
> rules are legit for each of the interfaces, routing is correct, etc. With 
> IPv4 this is straight forward... :(
> 
> Thoughts?

I split my he.net assigned /48 into many /64's and a couple larger
chunks for testing various things (DHCP6-PD, VPNs, etc) and haven't had
any problems.

Generally speaking when you assign a subnet to an interface for use, you
want that to be a /64 only. Larger chunks would be routed, either by
static routes, PD, or some other means.

Jim


[pfSense] IPv6 - Subnetting/Routing with HE?

2013-09-27 Thread Tim Nelson
Alright, I understand IPv6 is a 'different animal'. BUT, I'm trying to do 
something that seems logical, but it is not working. Hoping someone can shed light on 
it?

I have an IPv6 tunnel from Hurricane Electric. The /64 is routed to my GIF 
interface. I requested another /48 for assignment internally. If I assign the 
full /48 to an interface, everything works as expected. However, if I subnet 
that /48 into smaller networks (say some /54s), and assign individual /54s to 
multiple interfaces, none of them appear to work.

Can I not split up a larger subnet into smaller ones with IPv6? Firewall rules 
are legit for each of the interfaces, routing is correct, etc. With IPv4 this 
is straight forward... :(

Thoughts?

--Tim


Re: [pfSense] IPv6 & HE.net tunnel - MTU problem confirmed

2013-08-15 Thread Adam Hunt
That's an interesting idea. Would there be anything keeping me from using a
my pfSense box as-is for native IPv4 connectivity while using a second box
running OpenBSD or dare I say, Linux as my IPv6 gateway connected to HE via
a 6in4 tunnel? Would I still be able to use pfSense's DHCPv6 server to
create and maintain v6 leases?

Thanks again.


On Thu, Aug 15, 2013 at 7:38 PM, Adam Thompson wrote:

> I'm very glad this email thread has occurred... I was hoping to deploy two
> pfSense boxes as IPv6 routers.
> Now I'm wondering if I should just put in OpenBSD at least for now?
> -Adam
>
>
> Adam Hunt  wrote:
>
> Thanks for the explanation Chris. I did run across a bug report that seems
> to be exactly what we're running into (
> http://redmine.pfsense.org/issues/2129).
>
> Are the issues with v6 fragmentation inherent to FreeBSD 8.3 that pfSense
> 2.1 is based on? Also, are there any workarounds for those of us running
> 2.1? I'm not sure when 2.2 will be tagged but it would be great if there was
> some way, maybe by adjusting the MTU and/or MSS values, that those of us
> affected by this bug could get their v6 tunnels up and running, even if
> not at their theoretical peak efficiency.
>
> Thanks for all the help. I realize IPv6 support can be more than a little
> tricky. I really appreciate all the work that everyone has done on pfSense,
> it's a great tool.
>
> --adam
>
>
> On Thu, Aug 15, 2013 at 6:20 PM, Chris Buechler  wrote:
>
>> On Thu, Aug 15, 2013 at 3:23 PM, Adam Thompson 
>> wrote:
>> >
>> > Even weirder…
>> >
>> > Although I can successfully ping at payload sizes up to 1432, I see
>> another more troubling problem:  there’s a “hole” where it works
>> > with payloads up to 1232, fails with payloads between 1233 and 1255
>> inclusive, then works again with payloads 1256 bytes and above. > WTF
>> >
>>
>> The original scenario, the diff between 1232 and 1233 is that at 1233,
>> the echo request no longer fits in the minimum IPv6 size, so it's
>> fragmented.
>> 20:16:33.241123 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag
>> (0|1232) ICMP6, echo request, seq 2, length 1232
>> 20:16:33.241129 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag
>> (1232|176)
>>
>> no response to the fragmented request.
>>
>> 20:16:37.260945 IP6 2610:160:11:33::230 > 2610:160:11:3::100: ICMP6,
>> echo request, seq 0, length 1408
>> 20:16:37.262526 IP6 2610:160:11:3::100 > 2610:160:11:33::230: ICMP6,
>> echo reply, seq 0, length 1408
>>
>> bigger request that isn't fragmented is fine.
>>
>> If you don't specify -m on ping6 (at least with the FreeBSD ping6,
>> others are likely similar), ping6 asks the kernel to fragment packets
>> to fit the minimum IPv6 MTU, 1280.
>>
>> PF has issues with v6 fragmentation that we won't be able to address
>> until 2.2, which is the root of the problem.
>>
>
>


Re: [pfSense] IPv6 & HE.net tunnel - MTU problem confirmed

2013-08-15 Thread Adam Thompson
I'm very glad this email thread has occurred... I was hoping to deploy two 
pfSense boxes as IPv6 routers.
Now I'm wondering if I should just put in OpenBSD at least for now?
-Adam

Adam Hunt  wrote:

>Thanks for the explanation Chris. I did run across a bug report that seems to 
>be exactly what we're running into (http://redmine.pfsense.org/issues/2129).
>
>
>Are the issues with v6 fragmentation inherent to FreeBSD 8.3 that pfSense 2.1 
>is based on? Also, are there any workarounds for those of us running 2.1? I'm 
>not sure when 2.2 will be tagged but it would be great if there was some way, 
>maybe by adjusting the MTU and/or MSS values, that those of us affected by 
>this bug could get their v6 tunnels up and running, even if not at their 
>theoretical peak efficiency.
>
>
>Thanks for all the help. I realize IPv6 support can be more than a little 
>tricky. I really appreciate all the work that everyone has done on pfSense, 
>it's a great tool.
>
>
>--adam
>
>
>
>On Thu, Aug 15, 2013 at 6:20 PM, Chris Buechler  wrote:
>
>On Thu, Aug 15, 2013 at 3:23 PM, Adam Thompson  wrote:
>>
>> Even weirder…
>>
>> Although I can successfully ping at payload sizes up to 1432, I see another 
>> more troubling problem:  there’s a “hole” where it works
>> with payloads up to 1232, fails with payloads between 1233 and 1255 
>> inclusive, then works again with payloads 1256 bytes and above. > WTF
>>
>
>The original scenario, the diff between 1232 and 1233 is that at 1233,
>the echo request no longer fits in the minimum IPv6 size, so it's
>fragmented.
>20:16:33.241123 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag
>(0|1232) ICMP6, echo request, seq 2, length 1232
>20:16:33.241129 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag (1232|176)
>
>no response to the fragmented request.
>
>20:16:37.260945 IP6 2610:160:11:33::230 > 2610:160:11:3::100: ICMP6,
>echo request, seq 0, length 1408
>20:16:37.262526 IP6 2610:160:11:3::100 > 2610:160:11:33::230: ICMP6,
>echo reply, seq 0, length 1408
>
>bigger request that isn't fragmented is fine.
>
>If you don't specify -m on ping6 (at least with the FreeBSD ping6,
>others are likely similar), ping6 asks the kernel to fragment packets
>to fit the minimum IPv6 MTU, 1280.
>
>PF has issues with v6 fragmentation that we won't be able to address
>until 2.2, which is the root of the problem.
>
>
>


Re: [pfSense] IPv6 & HE.net tunnel - MTU problem confirmed

2013-08-15 Thread Adam Hunt
Thanks for the explanation Chris. I did run across a bug report that seems
to be exactly what we're running into (
http://redmine.pfsense.org/issues/2129).

Are the issues with v6 fragmentation inherent to FreeBSD 8.3 that pfSense
2.1 is based on? Also, are there any workarounds for those of us running
2.1? I'm not sure when 2.2 will be tagged but it would be great if there was
some way, maybe by adjusting the MTU and/or MSS values, that those of us
affected by this bug could get their v6 tunnels up and running, even if
not at their theoretical peak efficiency.

Thanks for all the help. I realize IPv6 support can be more than a little
tricky. I really appreciate all the work that everyone has done on pfSense,
it's a great tool.

--adam


On Thu, Aug 15, 2013 at 6:20 PM, Chris Buechler  wrote:

> On Thu, Aug 15, 2013 at 3:23 PM, Adam Thompson 
> wrote:
> >
> > Even weirder…
> >
> > Although I can successfully ping at payload sizes up to 1432, I see
> another more troubling problem:  there’s a “hole” where it works
> > with payloads up to 1232, fails with payloads between 1233 and 1255
> inclusive, then works again with payloads 1256 bytes and above. > WTF
> >
>
> The original scenario, the diff between 1232 and 1233 is that at 1233,
> the echo request no longer fits in the minimum IPv6 size, so it's
> fragmented.
> 20:16:33.241123 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag
> (0|1232) ICMP6, echo request, seq 2, length 1232
> 20:16:33.241129 IP6 2610:160:11:33::230 > 2610:160:11:3::100: frag
> (1232|176)
>
> no response to the fragmented request.
>
> 20:16:37.260945 IP6 2610:160:11:33::230 > 2610:160:11:3::100: ICMP6,
> echo request, seq 0, length 1408
> 20:16:37.262526 IP6 2610:160:11:3::100 > 2610:160:11:33::230: ICMP6,
> echo reply, seq 0, length 1408
>
> bigger request that isn't fragmented is fine.
>
> If you don't specify -m on ping6 (at least with the FreeBSD ping6,
> others are likely similar), ping6 asks the kernel to fragment packets
> to fit the minimum IPv6 MTU, 1280.
>
> PF has issues with v6 fragmentation that we won't be able to address
> until 2.2, which is the root of the problem.
>
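The arithmetic behind the 1232/1233 boundary Chris describes, as an added Python example that is not code from the list, from pfSense or from FreeBSD. It uses only the sizes the thread relies on (40-byte IPv6 header, 1280-byte minimum IPv6 MTU) plus the 8-byte ICMPv6 echo header and 8-byte Fragment header from the IPv6 and ICMPv6 RFCs, and reproduces the frag (0|1232) and frag (1232|176) pairs tcpdump printed for the 1408-byte echo request. The 1480-byte tunnel MTU used in the test is an assumption (1500 minus the 20-byte IPv4 header of a 6in4 tunnel); it happens to give 1432 as the largest unfragmented payload, which is the figure Adam reports.

```python
"""Why a ping6 payload of 1232 bytes is sent whole and 1233 is fragmented.

Added example, not code from the pfSense list, pfSense or FreeBSD. Models the
IPv6 sizes cited in the thread (40-byte IPv6 header, 1280-byte minimum MTU)
plus the 8-byte ICMPv6 echo header and the 8-byte Fragment extension header,
which is what ping6 without -m on FreeBSD asks the kernel to fragment to.
Tunnel MTU values other than 1280 are assumptions for illustration.
"""
IPV6_HDR = 40
FRAG_HDR = 8
ICMPV6_ECHO_HDR = 8
IPV6_MIN_MTU = 1280


def icmpv6_len(payload: int) -> int:
    """ICMPv6 message length for a ping6 payload of `payload` bytes.

    This is the 'length' tcpdump prints for an unfragmented echo request.
    """
    return ICMPV6_ECHO_HDR + payload


def max_unfragmented_payload(mtu: int = IPV6_MIN_MTU) -> int:
    """Largest ping6 payload that fits in one packet of size `mtu` (1232 at 1280)."""
    return mtu - IPV6_HDR - ICMPV6_ECHO_HDR


def fits_unfragmented(payload: int, mtu: int = IPV6_MIN_MTU) -> bool:
    return IPV6_HDR + icmpv6_len(payload) <= mtu


def fragments(payload: int, mtu: int = IPV6_MIN_MTU) -> list:
    """(offset, length) of each fragment, the way tcpdump prints frag (off|len).

    Every non-final fragment carries a multiple of 8 bytes of data and each
    fragment packet is IPv6 header + Fragment header + data <= mtu. An empty
    list means the packet is sent whole.
    """
    total = icmpv6_len(payload)
    if IPV6_HDR + total <= mtu:
        return []
    per_frag = (mtu - IPV6_HDR - FRAG_HDR) & ~7   # largest 8-byte multiple that fits
    out, off = [], 0
    while off < total:
        size = min(per_frag, total - off)
        out.append((off, size))
        off += size
    return out


if __name__ == "__main__":
    for p in (1232, 1233, 1400):
        print(p, fragments(p) or "unfragmented")
```

Run it and the last payload (1400 bytes, a 1408-byte ICMPv6 message) comes out as (0, 1232) and (1232, 176), exactly the two fragments in the capture; 1233 is the first payload that no longer fits and is split into 1232 + 9 bytes, which is why the failures start there once pf drops the fragmented request.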

