loredo

[RESOLVED] pkg.opnsense.org not reachable via IPv6
« on: April 11, 2019, 04:16:31 pm »
Hi,

it is currently not possible to do any updates using IPv6 connectivity.
It seems pkg.opnsense.org is not responding on its v6 address, connecting to v4 works fine.

Can somebody look into this please?

-Julian
« Last Edit: April 13, 2019, 10:04:51 am by loredo »

mojojojotroi

Re: pkg.opnsense.org not reachable via IPv6
« Reply #1 on: April 11, 2019, 04:19:16 pm »
Hi,

Are you 100% sure your IPv6 connectivity is correct?

loredo

Re: pkg.opnsense.org not reachable via IPv6
« Reply #2 on: April 11, 2019, 04:22:50 pm »
Yep, it is working just fine for everything else.

Just changed the screenshot to prove connectivity to another IPv6 website is working .......
« Last Edit: April 11, 2019, 04:35:45 pm by loredo »

fabian

  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: pkg.opnsense.org not reachable via IPv6
« Reply #3 on: April 11, 2019, 05:35:38 pm »
Cannot reproduce:

Code:
curl https://pkg.opnsense.org -v
*   Trying 2001:1af8:4900:a01d:1200::2...
* TCP_NODELAY set
* Connected to pkg.opnsense.org (2001:1af8:4900:a01d:1200::2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=pkg.opnsense.org
*  start date: Mar 11 03:06:38 2019 GMT
*  expire date: Jun  9 03:06:38 2019 GMT
*  subjectAltName: host "pkg.opnsense.org" matched cert's "pkg.opnsense.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: pkg.opnsense.org
...

loredo

Re: pkg.opnsense.org not reachable via IPv6
« Reply #4 on: April 13, 2019, 10:04:36 am »
I can confirm it is working again, potentially a peering issue of Vodafone I guess.

ssbarnea

Re: [RESOLVED] pkg.opnsense.org not reachable via IPv6
« Reply #5 on: April 13, 2019, 04:54:27 pm »
Apparently I have the same problem: the router is unable to establish an IPv6 connection while IPv6 routing is enabled and apparently working.

This problem is specific to the router, the machines from my LAN do have their IPv6 addresses and they can communicate using IPv6.

ping -6 google.com --- works from both router and LAN machines
DNS for IPv6 -- works for both router and LAN machines

IPv6 TCP connections seem not to be working from the router (they work from LAN), and this is very easy to validate using curl:

Code:
# telnet -6 pkg.freebsd.org 80
Trying 2610:1c1:1:606c::50:1...
STUCK

The outcome is that it makes `opnsense-update` almost impossible to run (took me >30min to download less than 1MB of packages, with lots of timeouts).

Current workaround was to configure prefer IPv4 over IPv6 in order to make the router work.

Still, I do not want to keep this option, clearly there is something wrong about IPv6 on it. I am almost sure it did work like 1-2 months ago and I didn't make any changes since. I checked the routes and firewall and I found no reasons to worry. Any ideas?

franco

  • Administrator
Re: [RESOLVED] pkg.opnsense.org not reachable via IPv6
« Reply #6 on: April 14, 2019, 09:53:39 am »
> # telnet -6 pkg.freebsd.org 80
> Trying 2610:1c1:1:606c::50:1...
> STUCK

I'm not aware we use the FreeBSD server so I'm relatively sure it is not a general issue with pkg.opnsense.org.


Cheers,
Franco

ssbarnea

Re: [RESOLVED] pkg.opnsense.org not reachable via IPv6
« Reply #7 on: April 14, 2019, 12:08:24 pm »
Maybe I was not clear, the issue is not on the package server side, that is working fine.

The issue is that the router cannot establish IPv6 connection itself (but IPv6 ping works).

The irony is that the router is routing IPv6 traffic itself without any problems, all my clients do pass the same tests, but not the router itself.

A temporary workaround was to enable "Prefer IPv4 over IPv6" in order to make it work but I would really prefer not to use this hack.

Please let me know how I can provide more information in a secure way so we can narrow it down.

PS. I did triple-check my routes and firewall rules and nothing seems wrong.

ssbarnea

Re: [RESOLVED] pkg.opnsense.org not reachable via IPv6
« Reply #8 on: April 14, 2019, 01:23:46 pm »
It seems that I managed to find what caused it not to work, and it is a little bit weird. I had the external (PPPoE) IPv6 address configured as static. When I configured it as dynamic, it started to work.

I do mention that even pinging my router static address from outside worked, and pinging from the router to outside worked, so clearly the static IPv6 address was valid. The reason for having it static was that this was recommended for use with DHCPv6.

I hope this may help others encountering the same issue.

timota

Re: [RESOLVED] pkg.opnsense.org not reachable via IPv6
« Reply #9 on: May 08, 2019, 12:55:01 am »
Looks like pkg.opnsense.org is not reachable now via IPv4.

Tried from different sources - no luck.

And this happened when I decided to upgrade the system to the latest - luckily I checked site availability before I started.

Code:
~$ curl https://pkg.opnsense.org -v
* Rebuilt URL to: https://pkg.opnsense.org/
*   Trying 212.32.245.132...
* TCP_NODELAY set
* connect to 212.32.245.132 port 443 failed: Connection refused
*   Trying 2001:1af8:4900:a01d:1200::2...
* TCP_NODELAY set
* Immediate connect fail for 2001:1af8:4900:a01d:1200::2: Network is unreachable
*   Trying 2001:1af8:4900:a01d:1200::2...
* TCP_NODELAY set
* Immediate connect fail for 2001:1af8:4900:a01d:1200::2: Network is unreachable
* Failed to connect to pkg.opnsense.org port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to pkg.opnsense.org port 443: Connection refused


franco

  • Administrator
Re: [RESOLVED] pkg.opnsense.org not reachable via IPv6
« Reply #10 on: May 09, 2019, 09:09:05 am »
The server was down for a bit yesterday morning.


Cheers,
Franco

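The per-address checks done by hand with curl and telnet in the posts above, as an added example that is not part of any post in this thread: it connects to each A and AAAA address of the update mirror separately and labels the outcome, so a hanging IPv6 connect is told apart from a refused or unrouted one. The function names are hypothetical, and the run at the bottom assumes working DNS on the machine being tested.

```python
import errno
import socket

def classify(exc):
    """Map a failed connect() to the failure modes reported in the thread."""
    if isinstance(exc, socket.timeout) or exc.errno == errno.ETIMEDOUT:
        return "timeout"        # SYN unanswered: the "STUCK" telnet case
    if exc.errno == errno.ECONNREFUSED:
        return "refused"        # host reachable, nothing listening
    if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable"    # no usable route for this address family
    return "error"

def tcp_connect(family, sockaddr, timeout):
    """Open and immediately close one TCP connection to a single address."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sockaddr)

def probe(host, port=443, timeout=5.0, resolve=socket.getaddrinfo, connect=tcp_connect):
    """Test every A/AAAA address on its own; return (family, address, outcome) tuples."""
    results = []
    for family, _, _, _, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            connect(family, sockaddr, timeout)
            outcome = "connected"
        except OSError as exc:
            outcome = classify(exc)
        results.append((label, sockaddr[0], outcome))
    return results

def family_ok(results):
    """True per family if at least one of its addresses accepted the connection."""
    status = {}
    for label, _, outcome in results:
        status[label] = status.get(label, False) or outcome == "connected"
    return status

if __name__ == "__main__":
    try:
        for row in probe("pkg.opnsense.org"):
            print(*row)
    except socket.gaierror as exc:
        print("DNS lookup failed:", exc)
```

Run on the firewall itself and on a LAN client, differing results for the same address point at the router's own configuration rather than at the mirror.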