OPNsense Forum
Archive => 18.1 Legacy Series => Topic started by: bigshorty on April 23, 2018, 03:02:20 pm
-
Hi All
Can any of you helpful lot tell me why my HE Tunnelbroker IPv6 connection will drop within a few minutes of rebooting Opnsense, running version 18.1.6?
It works fine for a short time after I reboot Opnsense, IPv6 test site gives me 10/10 for IPv6 connectivity, but then it seems to give up and can't access some internet sites, particularly Google, Gmail and Tunnelbroker, although a lot of other websites will load.
Any ideas what might be wrong and how to fix would be greatly appreciated. Happy to give any other info should that be of use, just let me know what you need.
Many thanks in advance.
-
Do you have system logs for this? My tunnel is stable. Also consult the docs if not done already:
https://docs.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html
Cheers,
Franco
-
Thanks for the reply Franco.
Unfortunately I don't have system logs for this as yet, but I'll try and get some when I restore the configuration I used back onto opnsense. I only two issues I have when configuring my tunnel are if and where to use the routed /48 prefix, and adding all the firewall rules that are needed, those two parts are the one's I struggle with most.
I did have my tunnel up and running fine before I switched ISP, this is the first time I have tried to configure my tunnel with my new ISP. I have checked to make sure my ISP firewall is off, just in case that was the issue, I also have a static IP address so it can't be an IP address change, so I'm at a loss as to knowing why it will work for a couple of minutes following a reboot, and then won't work.
I'll see if I can get a system log together, in the meantime any other thoughts / ideas would be very welcome.
-
A quick update.
I can get to the point where I have my tunnel configured and online, I can also ping ipv6.google.com in command prompt from my PC, however IPv6 websites won't load.
Any ideas? Please??
-
i assume you did read this https://wiki.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html (https://wiki.opnsense.org/manual/how-tos/ipv6_tunnelbroker.html) and this https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker (https://doc.pfsense.org/index.php/Using_IPv6_with_a_Tunnel_Broker) to get some idea's
my OPNsense system has the following Firewall Rules for the HE Tunnel;
floating rule IPv6 IPv6-ICMP *
IPv4 ICMP WAN
good luck
-
Thanks for the reply bitman.
I entered the firewall rules you mentioned, but still no joy. Following a reboot of opnsense I can get 10/10 on the ipv6 test site, but can't load ipv6 sites on my browser. After a few minutes I test my ipv6 connection again on the test site and my ipv6 address disappears and I get a 0/10 score. I have followed all the guides out there methodically and no matter what I do I get the same results, it's driving me insane because I just cannot figure it out. As said previously, I had it up and running perfectly before I changed ISP.
I have attached some sections of my system log and was quite surprised by the entry at 20:40:34 which mentioned something about a 'returned exit code '1'. I don't actually know what any of it means so if anyone has any thoughts please do let me know.
-
Forgot to mention that I bypassed Opnsense and set up my Asus RT-AC86U as my router and tried it through that, but still couldn't get my ipv6 tunnel up and running. This makes me wonder if its not actually an issue with my hardware or configuration. I've heard MTU settings might need to be changed on my tunnel for some PPPOE connections to work properly, wonder if this might be the problem.
-
I appreciate all your efforts in trying to sort this problem, however I have managed to fix it, mostly.
It had nothing to do with my opnsense configuration, it was my modem! I was using a Zyxel VMG3925 in bridge modem mode, and some spark of inspiration made me decide to try an unlocked BT HH5A with LEDE firmware installed I had knocking around. I set the HH5A up as a bridge modem and hey presto, my IPv6 tunnel works a treat and has been stable for the last couple of hours.
The only issue now according to the IPv6 test site is that my firewall is filtering ICMPv6 messages. Any ideas on how to rectify this, if it can be, would be very welcome.
-
The only issue now according to the IPv6 test site is that my firewall is filtering ICMPv6 messages. Any ideas on how to rectify this, if it can be, would be very welcome.
Just create a firewall rule allowing ICMPv6 Echo Request.
-
The only issue now according to the IPv6 test site is that my firewall is filtering ICMPv6 messages. Any ideas on how to rectify this, if it can be, would be very welcome.
Just create a firewall rule allowing ICMPv6 Echo Request.
In what interface do I need to create that rule?
-
Well, wherever it fits your needs. ;)
If you want to allow getting pinged from the WAN: On the IPv6 WAN interface. Or you could create a floating rule and allow it from anywhere to anywhere (useful if you have multiple LANs and want to allow pinging between them).
-
see my floating rule as that takes care of it
-
Nice one chaps, all sorted now.
Thanks for all your help.