How exactly did you set it up?
IPv4 and IPv6 on pfSense:
I get an IPv6 address like this: fe80::20b:XXXXXXXX but that is not a real IPv6 address.
I have a Zyxel AX7501-B0 as a bridge. IPv4 works and also Live and Replay TV.
No, I don’t have that with me. For me it runs over DSL and PPPoE with another provider (BBCS).
Do you have IPv6 enabled in pfSense? You can find it via System/Advanced Tab:Networking / Allow IPv6
Here’s a hint about the problem from your log: [https://forum.netgate.com/topic/130805/default-ipv6-deny-rule-in-system-logs-even-tho-default-is-pass/4?lang=en](https://forum.netgate.com/topic/130805/default-ipv6-deny-rule-in-system-logs-even-tho-default-is-pass/4?lang=de)
Let’s see if @Tux0ne wants to get involved here.
Yes, well, I don’t want to be like that. But there can be no question of liking it 😅
Only request an IPv6 prefix with 56 on the WAN.
And for the LAN Interfaces Track Interface WAN with the ID you want.
WAN interface release / renew or reboot.
That should be it if Swisscom doesn’t do something strange.
Unfortunately no success so far.
I turned off the DHCPv6 server for a round of testing
Has anyone posted this here?
dhcp6c output with debug active:
Networking:
In order to get something other than a fe80::20b:XXXXX IPv6 on the firewall, do I have to set firewall rules first?
Addition:
As I said, I use a Zyxel Bridge via P2MP. I’m not sure whether I have to set something up for IPv6 and Bridge on the Zyxel, I didn’t look at that closely at the time.
It always looks about the same in the log. Further input is very welcome.
Yes, you have to activate RA on the LAN interface, you can use assisted.
To start, create a rule on the LAN interface that generally allows IPv6.
Then show me how the LAN interface is configured.
I would also check after refreshing the WAN interface to see if you find any messages that port 546/547 was blocked. Then you can activate this directly from the log using the easy rule, for example.
The question also arises as to whether native IPv6 is already activated on your access. Don’t know if that’s generally the case. You can check it by connecting the original plastic router from Swisscom.
Here is the LAN interface.
Addition:
So I’m a little afraid of attaching the IB 3 again. I then have to re-register it in the center and then it becomes another procedure to get the Zyxel to work.
I called support once, unfortunately no concrete help. He also didn’t know whether IPv6 was already being delivered to everyone. Normally he said that others have an IPv6 address. Because of course I’m traveling pretty special and he can’t see anything. But it didn’t sound like you could activate anything.
Funny: He said MyServices might also be something, I can hardly imagine someone sitting there who has experience with IPv6 and pfSense. Then I’d better practice again and see if I can get any information or ideas from somewhere else.
Log:
So far nothing found for the two ports.
@“x”#1120532 It is important that you have activated IPv6 with Swisscom’s own router before you connect the Zyxel and the pfSense. I have exactly the same setup as you, Zyxel AX7501-B0 behind it a Netgate firewall. This on an XGSPON P2MP connection. IPv6 works for me. According to your screenshots, my setup is the same.
If you enable debug on the WAN IPv6 you should see the /56 prefix in the DHCP log (filtering by Process dhcp6c).
I actually hadn’t activated IPv6 yet, I did that today and IPv4 is running again via Zyxel.
I was also able to get an IPv6 address once, but no longer.
Should it show me an IPv6 on the WAN connection? But I was never able to do that. There is always the IPv6 local link.
But on Lan it once showed me a different IP.
It started like this: 2a02:1210:8880 can that be?
I suspect that something is wrong with the firewall or IPv6.
EDIT:
This was because I had activated the “Advanced Configuration” for IPv6 but had not entered anything.
But why do I still have the local link on WAN?
Do I still have to pair the whole thing for IPv6 with Swisscom?
Does anyone else have an idea?
I’ve tested pretty much all the settings. Of course, print screens of your settings would be great. What do I have to set in the firewall rules? I opened everything but nothing happens. I see connections from the client to an IPv6 address. I can also query DNS from the client, at least it resolves it correctly. Something seems to be working.
Nevertheless, pinging IPv6 DNS when surfing in the browser and Google doesn’t work.
Hello @gnome2018
Have you found a solution to your problem in the meantime?
Let us know so that other users can also benefit from your knowledge.
Kind regards, Raphael
Unfortunately I’m not any further yet. I still have questions and I have pulled out all the stops on this topic without exception. But I would thank you if you could ask the core network team.
I would also be happy to supply or test additional print screens. It’s actually not stressful for me, but I would still like to finish it and confirm that it works.
Internally I can ping from PC to PC via IPv6. It would be best if I had a few screenshots of all the settings on the pfSense.
It would be important to know whether:
- 2a02:1210:88ab:1500 <– An IPv6 range that is Swisscom and that is distributed to customers?
- Don’t you have to enter DNS settings?
- DHCPv6 servers must be deactivated <- Are deactivated for me
- Do I have to/should I get an IPv6 address on the WAN interface behind my Zyxel router or just directly on the interfaces?
- If the IPv6 is distributed correctly to the end devices that also receive IPv6 addresses, why can’t I ping from these to the outside world?
Hello @gnome2018
In a previous post I wrote that my IPv6 works on a pfSense behind a Zyxel Bridge on an XGSPON connection. But that is not the case at the moment. Regarding your questions:
- 2a02:1210:88ab:1500 <– An IPv6 range that is Swisscom and that is distributed to customers? Correct, is an official customer IP range.
- Don’t you have to enter DNS settings? Try ping6 google.com from pfSense, for example. If a v6 address is resolved for you, that’s ok.
- DHCPv6 servers must be deactivated <- Are deactivated for me. Correct, RA should be sufficient in most cases.
- Do I have to / should I get an IPv6 address on the WAN interface behind my Zyxel router or just directly on the interfaces? Link-local is sufficient, i.e. an fe80: on the WAN interface, no public address required.
- If the IPv6 is distributed correctly to the end devices that also receive IPv6 addresses from me, why can’t I ping from these to the outside world? I have exactly this problem at the moment. I once tried to reach my IPv6 host from another, functioning IPv6 host (not on my Internet connection). I see the ICMP echo request and also the ICMP echo reply on the host and on the WAN interface of the pfSense. Unfortunately I can’t trace on the Zyxel Bridge, it looks like I don’t have permission to do a tcpdump.
I’ll try to get a trace on the network element (FAN) when I get the chance.
Thank you for the answers. In this case it looks exactly the same for you as it does for me.
I can’t ping anything from the pfSense regardless of the interface. I’ve tested pretty much all of them.
PING6(56=40+8+8 bytes) 2a02:1210:XXXX:XXXX:XXX:XXXX:XXXX:XXX --> 2001:4860:4860::8888
ping6: wrote 2001:4860:4860::8888 16 chars, ret=-1
ping6: wrote 2001:4860:4860::8888 16 chars, ret=-1
ping6: wrote 2001:4860:4860::8888 16 chars, ret=-1
--- 2001:4860:4860::8888 ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
All IPv6 test websites were always negative.
I once did IPv6 packet captures on the pfSense and sent various pings. But somehow you can’t do much with it. I will send them to you via email.
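The addressing discussed in this thread (a /56 requested on the WAN, LAN interfaces tracking the WAN with a prefix ID, link-local only on the WAN) can be sanity-checked with a short script. This is an added example, not part of any post or of pfSense itself; the function names are hypothetical, and the prefix and addresses are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")


def lan_prefix(delegated, prefix_id):
    """Return the /64 a tracking LAN interface derives from a delegated prefix."""
    net = ipaddress.ip_network(delegated, strict=True)  # rejects misaligned prefixes
    if net.version != 6 or net.prefixlen > 64:
        raise ValueError("expected a delegated IPv6 prefix of /64 or shorter")
    id_bits = 64 - net.prefixlen            # a /56 leaves 8 bits, i.e. IDs 0..255
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError("prefix ID must fit in %d bits" % id_bits)
    # The prefix ID fills the bits between the delegated length and /64.
    base = int(net.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))


def classify(addr):
    """Classify an address; a scope suffix such as %igb0 is ignored."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if ip in LINK_LOCAL:
        return "link-local"
    if ip in GLOBAL_UNICAST:
        return "global-unicast"
    return "other"


def diagnose(delegated, prefix_id, wan_addr, lan_addr):
    """Compare what the interfaces show with what prefix delegation should yield."""
    expected = lan_prefix(delegated, prefix_id)
    lan_ip = ipaddress.ip_address(lan_addr.split("%")[0])
    return {
        "expected_lan_prefix": str(expected),
        "wan_scope": classify(wan_addr),    # link-local alone is enough on the WAN
        "lan_scope": classify(lan_addr),
        "lan_in_delegation": lan_ip in expected,
    }


if __name__ == "__main__":
    # Constructed sample values (documentation range, not a real delegation).
    print(diagnose("2001:db8:88ab:1500::/56", 0x10,
                   "fe80::20b:1%igb0", "2001:db8:88ab:1510::1"))
```

If `lan_in_delegation` is true and outbound pings still fail, the addressing is not the fault, which points to filtering or routing upstream of the LAN.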