General Discussion / IPv6 unable to ping out from WAN, but LAN clients work.
« on: March 29, 2024, 06:29:23 am »
Running 24.1.4 and set up IPv6. On the WAN, I have DHCPv6 enabled with a /56 prefix which is according to my ISP's instructions. The LAN is set to track interface.
LAN clients successfully get IPv6 addresses and can ping out and visit IPv6 sites.
LAN clients can ping the IPv6 address of the firewall on the LAN side, but the WAN side is unresponsive to ping requests.
External sites can reach the LAN IPv6 IP address assigned to the firewall, but not the WAN IPv6 address assigned to the firewall (I do not understand why).
The firewall can ping IPv6 addresses on the LAN side.
I have the following as my top listed WAN rule:
IPv4+6 ICMP * * * * * *
From the console on the firewall, when I ping or traceroute to ipv6.google.com I get the following (removing my IP):
root@opnsense:~ # traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2607:f8b0:4005:802::200e) from xxx:xxx:xxx:xxx, 64 hops max, 28 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * *^C
root@opnsense:~ # ping6 google.com
PING6(56=40+8+8 bytes) xxx:xxx:xxx:xxx --> 2607:f8b0:4005:801::200e
I have even tried using ping -S <different source IPs on the firewall> ipv6.google.com and nothing works.
Neither the ping nor the trace go anywhere.
Obviously this is slightly academic, as it works on the LAN side. I did need to set "prefer IPv4 over IPv6" under settings -> general, otherwise I'm unable to run updates or install plugins.
IPv4 pings work as expected.
Any ideas?