On Wed, Apr 20, 2016 at 4:53 PM, Olivier Mascia <[email protected]> wrote:
>>> I must be tired or something but I have a strange thing with IPv6 on a new
>>> box I just set up.
>>>
>>> Have a x:y:z:d800::/56 routed to me.
>>> WAN is static IPv6 on x:y:z:d800::1/64, gateway is
>>> x:y:z:d800::ffff:ffff:ffff:ffff (not a nice one but that is what they gave
>>> me).
>>> LAN is static IPv6 on x:y:z:d801::1/64, no gateway as usual for LAN
>>> interface.
>>>
>>> From a host on the LAN side, at x:y:z:d801::100 (or any other), I can reach
>>> pf LAN interface on x:y:z:d801::1, I can also reach pf WAN interface on
>>> x:y:z:d800::1, but I can't get a packet to go further.
>>>
>>> Yet, from pf itself, I can reach (ping for instance) www.google.com (IPv6)
>>> from WAN interface, but not from LAN interface.
>>>
>>> I would have thought "ok I miss a pass rule on the LAN interface", but
>>> there is one. This by far is not my first pfSense box, and they all have
>>> various kinds of IPv6 links. Not that I couldn't be awfully wrong somewhere.
>>> So what obvious detail am I overlooking here? If you have any idea?
>>>
>>> This is 2.3-RELEASE by the way. Other boxes (on other networks) are still
>>> 2.2.x.
>
>
> From some packet captures, something caught my eye, but I'm not sure if this
> is an issue in the hands of my upstream provider or something local to my
> pfSense box.
> Here are two captures on the WAN of pfSense.
>
> First one, I'm pinging the WAN ip from a very remote location. One clearly
> sees 4 echo requests and 4 echo replies.
>
> 23:32:47.466402 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 73, length 40
> 23:32:47.466455 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 73, length 40
> 23:32:48.476917 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 74, length 40
> 23:32:48.476933 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 74, length 40
> 23:32:49.491979 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 75, length 40
> 23:32:49.492019 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 75, length 40
> 23:32:50.507963 IP6 2a02:578:85a0:101:5cf:576b:9daf:77ca > x:y:z:d800::1: ICMP6, echo request, seq 76, length 40
> 23:32:50.507987 IP6 x:y:z:d800::1 > 2a02:578:85a0:101:5cf:576b:9daf:77ca: ICMP6, echo reply, seq 76, length 40
>
> This time, I'm pinging the LAN ip (x:y:z:d801::1) from the same remote
> location. No echo requests, only neighbor solicitations from a link-local
> address fe80...dc78, which I could trace as the upstream router, to
> ff02::1:ff00:1. But no advertisements on return from the pfSense box.
>
> What looks wrong here?
> The absence of advertisements from pfSense box on these solicitations (I
> would have an issue with my pfSense setup)?
> Or are these solicitations unexpected (the upstream provider has a setup
> issue regarding my /56 network)?

They're unexpected. That means your ISP isn't routing that network to you as they must be for it to be usable inside your network. ISP issue.
