IPv6 and PFsense

I'm seeing a really odd issue that I'm hoping someone can help with.
I've been setting up IPv6 on my PFsense router. I'm with IDnet and it's all been pretty straight forward.
Clients are picking up an IP address from the delegated range and DNS is bahing as it should. I can look up IPv6 addresses, and I can ping these addresses.
However, any IPv6 webbrowsing just times out. The test-ip6v.com site tells me I'm badly configured and reports that the IPv6 tests time out after 15 seconds.
If I do a test-netconnection from powershell, I can connect to a webserver.
I even wiped the router and started again yesterday but I'm haing the same issue.

I know I've missed something basic somewhere, but adressing, routing and firewall all seem OK.
Any ideas?!

Create a second lan with only IPv6 connectivity
if you have any Android devices make sure you are doing SLAAC alongside DHCPv6

Pick three known sites to test against:

https://ifconfig.co/

https://ipv6.google.com/search?q=what+is+my+IP+address

http://www.example.net/

yes the last one is deliberately non-https in case SSL/TLS or cert validation is what is breaking

I assume with IDNet you have your /48 delegation and are using Track Interface to get a /64 allocated on each LAN

Check the Default allow (this LAN) to any rules are defined at the end of the rulesets for each LAN interface, one rule each for v4 and v6 so you can see the packet/byte counters separately.
You can use a combined IPv4+6 rule once all is working but it can help to be able to selectively disable things.

While browsing, display the Diagnostics > States and filter if necessary to show states from a known client device.
See if they are Established:Established or many only half-open.

Are you on PPPoE and if so does Status > Interfaces show the 1492 MTU on WAN?

Edited by prlzx (Fri 09-Jun-23 20:57:51)

Firstly, thank you so much for your advice here.

I'll need to put some time aside to set up the second lan and configure it up.

However, I did notice a couple of things:

Yes, I have a /48 delegation with IDNet, and am using Track Interface in a /64 LAN.
I'd reverted back to defualt settings yesterday and built everything up again. This gave me seperate IPv4/6 firewall rules. Both have reasonable non-zero counts.

Looking at the Diagnostics -> States list, most things are established:established, with the exception of some fin_wait_2 or closing states. There are a few ICMP entries with NO_TRAFFIC listed.

Yes, I'm on PPPoE and I've got an MTU of 1492 on the WAN.

I vistied the sites whilst still having an IPv4 address. The ifconfig and google sites list an IPv6 address. example.net works as expected.
One thing I noticed from the sites, is that my Temporary IPv6 is listed, rahter than my 'normal' address. It has the correct prefix, but it's the only thing I can see which isn't 'right'.

If nothing, this is a good learning curve!

When I moved from Cerberus to BT FTTP I need to select the "Only request an IPv6 prefix, do not request an IPv6 address" on the WAN page - try changing that setting. On OpenReach FTTP you should be able to have a WAN MTU of 1500 - it works for me on Cerberus and BT.

I'd read this somewhere, and gave it a try. Though it made no difference :/

Edited by gromit69 (Sat 10-Jun-23 16:33:01)

Yes a temporary (or privacy) IPv6 address is the normal one for hosts to use when communicating with the Internet.
It's configurable at the OS level (not something pfSense informs the hosts to do).

As a rule of thumb for servers you may still prefer to use an address based on the MAC of your network interface, or assign them by DHCPv6, particularly if allowing external traffic through the firewall to these services or accessing them via VPN.

For portable devices (laptops/tablets/phones) you can usually let it do the temporary thing if they aren't running services that other hosts expect to find at a fixed address.
This may not even matter if hosts on the LAN respond to mDNS and/or DNS on pfSense is keeping track of resolving hosts by name.

The choice of three was non-random btw.
ipv6.google.com is IPv6-only,
while ifconfig.co and www.example.net are dual stack for DNS and the web servers so will follow the preference of your OS, and in most cases is IPv6 before IPv4 but with Happy Eyeballs.
And they don't have huge numbers of advertising domains to lookup and generate states for compared with everyday websites.

This gives you some chance of guessing what may be going on based on what combinations of those sites were behaving differently when browsing to them.

Edited by prlzx (Sun 11-Jun-23 12:50:10)

Hi do you find the baby jumbos work ok on pfSense these days?
I remember it not being able to persist the 1508 on the ethernet interface to allow 1500 MTU/MRU on a PPPoE interface, but that was many versions ago and with xDSL connections, while most of the pfSenses I manage have static addressing on leased lines now.

(edit) I see from redmine that was resolved 7 years ago so I should really have kept up with that discussion.

It turns out it was the MTU....
My head hit the desk when I found out.

All working perfectly now!