Messages - odites999

#1
After trying a few things without success, I saw a suggestion online to set the MSS value to 1460. I did that, and everything is back to normal. I'll keep an eye on it anyway. What I don't understand is why, with the same configuration, it was working until I decided to update to version 26.1.6_2, and it hasn't worked since.
#2
I just noticed that the "overview" section now shows routes that I swear weren't there before the problem started (images attached). I also tried it from a Windows client (my usual one is Linux) and it has the same problem (including the slow TLS handshake), but on Windows it continues to load pages after 3-4 seconds, while on Linux it takes so long that browsing is impossible.

I ran test-ipv6.com on Windows and it gave a 10/10 result, although the response times were slightly slower than usual. On Linux, the same test consistently gave a 0/10 result, failing to detect the IPv6 address.
#3
I've downgraded to version 26.1.3 (it was working fine until 26.1.6). I don't know if the ISP changed something coinciding with the update to 26.1.6_2, but since then, IPv6 simply won't work. I can ping from the firewall just fine, but traceroute sometimes works and other times times out, and clients on the network can't access anything using IPv6... youtube.com, for example. I've tried changing various PPPoE connection parameters, but nothing works.
#4
Thanks @nero355. I will try that and see the results.
#5
After trying many things due to the TLS handshake error I mentioned in another post, the only way I could get OPNsense working normally was by disabling IPv6.

I replicated the same configuration (VLANs, PPPoE, IPv6 over PPPoE) on another virtual machine on the same host but with OpenWrt, and everything works fine: IPv4 and IPv6 traffic, and test-ipv6.com (it recognizes my provider correctly and passes the test with a perfect score of 10/10). Therefore, I understand that something caused IPv6 to stop working with my configuration during the upgrade from version 26.1.5 to version 26.1.6. Is there a way to revert to a previous version by downgrading the version packages if necessary to try and pinpoint the problem?

Thanks in advance.
#6
The last post was not correct. The problem continues. I'll try to disable IPv6 globally to see if that helps. After a few hours with IPv6 disabled, everything is working fine. The problem seems to be related to IPv6, but I don't know if it's due to a change the ISP might have made or something else.
#7
I'm going to add some information. I just noticed that the problem occurs when the laptop is connected via Ethernet cable. When it's connected via Wi-Fi, it works perfectly. In this case, since there are more components involved (Ethernet adapter, cable, access point), I'll have to investigate further.
#8
I just restored a backup of version 26.1.6 (without _2) and everything is back to normal. Thanks to everyone for your help. If the same thing happens again when I update to a newer version, we'll revisit the issue.
#9
After letting it rest for a while, I tried again this afternoon, and it wasn't responding to the DNS requests I was sending from my client. I restarted OPNsense and tried again, and this time it responded to requests sent to OPNsense's IPv6 LAN address but not to the IPv4 address. Upon restarting, I noticed that I had enabled the option to use the ISP's DNS servers (it wasn't active before the update). I disabled it and restarted. I switched the initial client (Linux) to Windows, and on Windows, it still displays the "performing tls..." message, but it doesn't freeze; it loads the page in just over a second.

My ISP (Movistar) doesn't have CG-NAT, as far as I know. Regarding IPv6 issues, although it's a beta version, I haven't had any problems for over a year.
#10
Quote from: meyergru on April 24, 2026, 02:48:05 PM
The provider test is crap, for me, it shows "OPALTELECOM-AS TalkTalk Communications Limited, GB", while I am in Germany.

If you still use the parameter in Firefox, the test should probably fail, because that setting essentially disables IPv6.

There were several changes in 26.1.6 for IPv6. If you only did a 26.1.6 -> 26.1.6_2 upgrade, everything should work.

What do you mean by "the DNS server is the upstream router"? Do you use a router-behind-router setup, do you mean the ISP router or your OPNsense? If so, its IPv4 or IPv6 address? Please be more specific.



I mean OPNsense
#11
Quote from: meyergru on April 24, 2026, 02:29:45 PM
Read the change notes for the update(s) you did. I think there were changes for IPv6. Probably, you need a reboot, depending on what your update path was.

I just read the notes and I don't see anything that could directly affect me (probably due to my lack of knowledge).
#12
Quote from: meyergru on April 24, 2026, 02:11:06 PM
The name of the parameter should give you a hint about what is probably wrong with your setup: DNS resolution for IPv6 names or IPv6 reachability.

You should investigate what exactly goes wrong (and then, why).

For example:

1. When you resolve a name like "www.google.com", you will get both an IPv6 and an IPv4 address - that is, if DNS resolution does not fail in the first place, in case your client tries to resolve via IPv6 first. If that fails, which is the IPv6 address of your DNS server? Does it answer?

2. Can you reach the resolved IPv6 via ping? Probably not.

3. Does your client get a routable IPv6?

4. Has it got an IPv6 gateway? Can it be reached?

5. Can you reach your upstream gateway? Or any IPv6, like "2600::", via ping?

You catch my drift. "websites are slow" means "cannot be reached via IPv6, which is the preferred way" in your case. There is about 0% chance that TLS is impacted. OPNsense does not even interfere with that, unless you use a proxy.

When IPv6 did work before, you should be able to fix it. If your ISP does not offer it, turn it off globally.


Replies to every point:

1. DNS responses work ok. The DNS server is the upstream router.
2. Ping to the resolved address works well.
3. Yes. It gets a routable IPv6.
4. Yes.
5. Yes
I ran a test on http://test-ipv6.com, which failed, including the fact that it says my provider is "APPLE-ENGINEERING - Apple Inc., US" and that's getting close to witchcraft... ;-) because I don't have any Apple devices at home and my provider is Movistar in Spain.
#13
I'll try everything you suggested. The strange thing is, everything was working perfectly yesterday. Today I updated and it started malfunctioning even though I hadn't changed any settings.
#14
After the update, accessing many websites becomes incredibly slow (when it even works) with numerous "performing TLS handshake" messages. Searching online, I found a solution for Firefox that involves enabling the "network.dns.disableIPv6" parameter. After that, it works fine again in that Firefox instance, but the problem persists for the rest of the network. Is anyone else experiencing something similar?
#15
I don't know exactly what you mean with my ISP/connection... but I have tried pinging many IPv6 sites without any problem. It just happens with the connectivity audit when it has been some time "resting". If I retry immediately after the failed test, everything is OK.


Greetings