
IPv6 unable to ping out from WAN, but LAN clients work.


mgittelman:
Running 24.1.4 and set up IPv6. On the WAN, I have DHCPv6 enabled with a /56 prefix which is according to my ISP's instructions. The LAN is set to track interface.

LAN clients successfully get IPv6 addresses and can ping out and visit IPv6 sites.
LAN clients can ping the IPv6 address of the firewall on the LAN side, but the WAN side is unresponsive to ping requests.
External sites can reach the LAN IPv6 IP address assigned to the firewall, but not the WAN IPv6 address assigned to the firewall ( I do not understand why).
The firewall can ping IPv6 addresses on the LAN side.

I have the following as my top listed WAN rule:


    IPv4+6 ICMP   *   *   *   *   *   *            
   
From the console on the firewall, when I ping or traceroute to ipv6.google.com I get the following (removing my IP):

root@opnsense:~ # traceroute6 ipv6.google.com
traceroute6 to ipv6.l.google.com (2607:f8b0:4005:802::200e) from xxx:xxx:xxx:xxx, 64 hops max, 28 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * *^C
root@opnsense:~ # ping6 google.com
PING6(56=40+8+8 bytes) xxx:xxx:xxx:xxx --> 2607:f8b0:4005:801::200e

I have even tried using ping -S <different source IPs on the firewall> ipv6.google.com and nothing works.

Neither the ping nor the trace go anywhere.

Obviously this is slightly academic, as it works on the LAN side. I did need to set "prefer IPv4 over IPv6" under settings -> general, otherwise I'm unable to run updates or install plugins.

IPv4 pings work as expected.

Any ideas?

mgittelman:
One possible hint:

When I look at the firewall log, it shows the ping coming from the IPv6 address on WAN (as passing) even if I try to specify the ping source as the LAN address.

Since I can't ping the WAN address externally, is it possible that my ISP is blocking access to that address range or making it non-routable? I'm pretty sure when I hook a laptop up directly to the ISP connection, both sets of addresses end up on one interface, but with OPNsense, it's assigning one to the WAN and one to the LAN. It seems insistent on routing through the WAN address.

When I do a traceroute on a client on the LAN, it never shows as passing through that WAN address. It seems that OPNsense is routing IPv6 traffic through the LAN address for clients, but can't do so itself if that makes sense.

zan:
Your WAN's GUA might be broken, as in not routable. Consider checking with your ISP.
In the meantime, you could try enabling the "Request only an IPv6 prefix" option.
Your WAN doesn't need to have a GUA to have a working IPv6.

mgittelman:
Thanks for your reply!

I disabled IPv6 on the WAN so that it didn't have any addresses anymore, then enabled it again with DHCPv6 and "Request only an IPv6 prefix." On the dashboard, it now displays only a link local fe80 address, but ifconfig still shows the GUA starting with 2604. Ping requests still come from that GUA address. I'm not understanding this discrepancy.

I did connect an iPad directly to the ISP connection bypassing the firewall. It gets 2 GUA addresses, but is unable to reach any ipv6 address on the internet. I think you are probably right that my ISP has misconfigured something.

mgittelman:
I did some more testing. My WAN interface gets 2 IPv6 addresses:

A /128 address I believe from DHCPv6.
A /64 address I think from SLAAC.

My LAN gets a /64 address from PD.

In OPNsense, I can't ping out from any of these addresses, but I can traceroute6 to ipv6.google.com from the /128 address, and from the /64 address assigned to the LAN. The /64 IPv6 address on the WAN doesn't work.

Same exact thing if I probe port 80 on ipv6.google.com. It works from the /128 address and the LAN address, but not the /64 WAN address.

OPNsense is probably using the 1st available address that it can for traffic, but in this case, maybe it's the wrong one? Can this be changed so it can reach IPv6 addresses by default?
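The two posts above boil down to one question: which of the several inet6 addresses on the box is usable as a source, and which one the OS picks by default. The script below is an added example, not code from the thread or from OPNsense. It parses the `inet6` lines of FreeBSD `ifconfig` output, classifies each address (link-local, /128 assumed to come from DHCPv6 IA_NA, `autoconf` assumed to be SLAAC), skips link-local and `deprecated` addresses, and prints the `ping6 -S` / `traceroute6 -s` probes to run from each remaining source, so the per-address testing described in the last post is done systematically instead of by hand. The interface name `vtnet0`, the `2001:db8::/32` documentation addresses and the whole `ifconfig` output embedded in `SAMPLE_IFCONFIG` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): enumerate inet6 source
# candidates on an interface and emit the probes to test each one.

# CONSTRUCTED ifconfig(8) output; interface name and addresses are made up
# (2001:db8::/32 is the documentation prefix, not a real assignment).
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1%vtnet0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:1:1::abcd prefixlen 128
    inet6 2001:db8:1:1:2e3:4ff:fe56:789a prefixlen 64 autoconf
    inet6 2001:db8:1:1:a1b2:c3d4:e5f6:1 prefixlen 64 autoconf temporary deprecated'

# classify_inet6 <ifconfig text>
# One line per inet6 address: <address> <prefixlen> <kind> <flags>
# kind is a heuristic: link-local, gua-dhcpv6 (/128, assumed DHCPv6 IA_NA),
# gua-slaac (autoconf flag), or gua-static for anything else.
classify_inet6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" {
            addr = $2; plen = ""; flags = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "prefixlen") { plen = $(i + 1); i++; continue }
                if ($i == "scopeid")   { i++; continue }   # skip zone id value
                flags = flags (flags == "" ? "" : ",") $i
            }
            sub(/%.*/, "", addr)                           # strip %zone suffix
            if (addr ~ /^fe80:/)          kind = "link-local"
            else if (plen == "128")       kind = "gua-dhcpv6"
            else if (flags ~ /autoconf/)  kind = "gua-slaac"
            else                          kind = "gua-static"
            printf "%s %s %s %s\n", addr, plen, kind, (flags == "" ? "-" : flags)
        }'
}

# source_probes <ifconfig text> <target host>
# Prints one ping6 and one traceroute6 command per usable global source
# address; link-local and deprecated addresses are skipped because neither
# is a valid source for Internet traffic.
source_probes() {
    classify_inet6 "$1" | while read -r addr plen kind flags; do
        case "$kind"  in link-local)   continue ;; esac
        case "$flags" in *deprecated*) continue ;; esac
        printf 'ping6 -c 3 -S %s %s\n' "$addr" "$2"
        printf 'traceroute6 -s %s %s\n' "$addr" "$2"
    done
}

# Stand-alone run against the constructed sample. On a real box, replace the
# sample with "$(ifconfig vtnet0)" (your WAN interface name) and pipe the
# probe lines into sh to execute them one by one.
classify_inet6 "$SAMPLE_IFCONFIG"
source_probes "$SAMPLE_IFCONFIG" ipv6.google.com
```

Reading the classification next to the probe results tells you which address kind actually works (in the thread, the /128 did and the /64 SLAAC address did not), which is the evidence to bring to the ISP or to use when deciding whether to leave "Request only an IPv6 prefix" enabled so the WAN carries no GUA at all.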
