Couldn't access some web sites via IPv6

J

jekyll530

Hi, I'm using FreeBSD as NAT server which connects to internet via PPPoE, and get an IPv6 prefix for the internal network.
The mentioned setup works mostly fine, except the internal machines couldn't access some specific web sites via IPv6 while the FreeBSD server itself can.
Most sites with IPv6 address can be accessed with no issue, like Google/Facebook services.

The setup detailed as follows:
Internet connection: pppoe (ppp), which acquires IPv6 address for FreeBSD WAN interface (tun0).
dhcp6c: acquires IPv6 prefix for internal network.
rtadvd: advertise the IPv6 prefix to internal machines.

Please let me know if you need anymore details.
Any hint/suggestion about testing/trouble shooting would be appreciated.
Thank you.
 
I also pppoe, using rtsold, the output of:
test-ipv6.com

Test your IPv6.

This will test your browser and connection for IPv6 readiness, as well as show you your current IPv4 and IPv6 address.
test-ipv6.com test-ipv6.com
Should be 10/10

Or,

IPv6 test - IPv6/4 connectivity and speed test

IPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed. Diagnose connection problems, discover which address(es) you are currently using to browse the Internet, and what is your browser's protocol of choice when both v6 and v4 are available.
ipv6-test.com

In rc.conf I have,
Code: 
ifconfig_tun0_ipv6="inet6 accept_rtadv"
ipv6_network_interfaces="tun0 lo0" # List of IPv6 network interfaces
Maybe in your setup you need IPV6-route & ipv6_defaultrouter="...."
 
My ISP only supports IPv4 thus I need to use Hurricane Electric's tunnel. Hurricane Electric gives me one and only one IPv6 IP. This gives me the opportunity to use (and maintain) ipfilter's IPv6 NAT. The tests are not perfect because the large IPv6 packet test fails due to the tunnel. The tunnel has an MTU smaller by 20 octets than the interface it's on but that's the nature of tunnels.

One might say, but with IPv6 you don't need NAT. Well that's true until people, like service providers, are so cheap they have no intention of upgrading their network. As to switching, there are other considerations such as other services the family uses.

I know of companies who have no plans to upgrade to IPv6 because of the cost to upgrade network gear and the staff time (overtime) required to implement it. It comes down to the same old thing again.

On the positive side, ipfilter's IPv6 NAT works, though there is one little bug on my todo list.
 
Alain De Vos said:
I also pppoe, using rtsold, the output of:
test-ipv6.com

Test your IPv6.

This will test your browser and connection for IPv6 readiness, as well as show you your current IPv4 and IPv6 address.
test-ipv6.com test-ipv6.com
Should be 10/10

Or,

IPv6 test - IPv6/4 connectivity and speed test

IPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed. Diagnose connection problems, discover which address(es) you are currently using to browse the Internet, and what is your browser's protocol of choice when both v6 and v4 are available.
ipv6-test.com

In rc.conf I have,
Code: 
ifconfig_tun0_ipv6="inet6 accept_rtadv"
ipv6_network_interfaces="tun0 lo0" # List of IPv6 network interfaces
Maybe in your setup you need IPV6-route & ipv6_defaultrouter="...."
Click to expand...
It seems that I should not use rtsold. In its man page it says "rtsold should be used on IPv6 hosts (non-router nodes) only."

I'm also getting 10/10 from test-ipv6, and 18/20 from ipv6-test (except ICMP shows "Not tested").

I can't set ipv6_defaultrouter in rc.conf because every time I dialup pppoe, I get different IPv6 prefix.
 
SirDice said:
Setting ipv6_defaultrouter="-iface tun0" might work for you.
Click to expand...
I think it might not be necessary. As I mentioned, most sites works fine...

Earlier today I grabbed some traffic, comparing the pcaps between the FreeBSD server and internal machine accessing the same site.
It looks like the traffic of internal machine is somehow dropped, the packet of TLS Server Hello is corrupted, then the connect just got stuck.
 
cy@ said:
I know of companies who have no plans to upgrade to IPv6 because of the cost to upgrade network gear and the staff time (overtime) required to implement it. It comes down to the same old thing again.
Click to expand...

Or they are forced to use software that was already horrible and outdated in the 90s, never evolved to something remotely 'modern' and still completely breaks if IPv6 is enabled on the windows client...
We still can't roll out IPv6 in our Windows subnets because of such crap.


As for the original problem:
Are those sites that cant' be reached perhaps exclusively IPv6 hosted? Also, just to make sure: net.inet6.ip6.forwarding is set to 1?
 
sko said:
As for the original problem:
Are those sites that cant' be reached perhaps exclusively IPv6 hosted? Also, just to make sure: net.inet6.ip6.forwarding is set to 1?
Click to expand...
No, they have both IPv4 and IPv6 addresses. And yes, it's set to 1.
 
You must log in or register to reply here.
Back
Top