# Couldn't access some web sites via IPv6



## jekyll530 (Nov 10, 2022)

Hi, I'm using FreeBSD as a NAT server which connects to the internet via PPPoE, and get an IPv6 prefix for the internal network.
The mentioned setup works mostly fine, except the internal machines couldn't access some specific web sites via IPv6 while the FreeBSD server itself can.
Most sites with an IPv6 address can be accessed with no issue, like Google/Facebook services.

The setup is detailed as follows:
Internet connection: pppoe (ppp), which acquires an IPv6 address for the FreeBSD WAN interface (tun0).
dhcp6c: acquires an IPv6 prefix for the internal network.
rtadvd: advertises the IPv6 prefix to internal machines.

Please let me know if you need any more details.
Any hint/suggestion about testing/troubleshooting would be appreciated.
Thank you.


----------



## Alain De Vos (Nov 10, 2022)

I also use PPPoE, using rtsold, the output of:

test-ipv6.com

Should be 10/10

Or,

ipv6-test.com

In rc.conf I have,

```
ifconfig_tun0_ipv6="inet6 accept_rtadv"
ipv6_network_interfaces="tun0 lo0" # List of IPv6 network interfaces
```
Maybe in your setup you need an IPv6 route & `ipv6_defaultrouter="...."`


----------



## cy@ (Nov 10, 2022)

My ISP only supports IPv4 thus I need to use Hurricane Electric's tunnel. Hurricane Electric gives me one and only one IPv6 IP. This gives me the opportunity to use (and maintain) ipfilter's IPv6 NAT. The tests are not perfect because the large IPv6 packet test fails due to the tunnel. The tunnel has an MTU smaller by 20 octets than the interface it's on but that's the nature of tunnels.

One might say, but with IPv6 you don't need NAT. Well that's true until people, like service providers, are so cheap they have no intention of upgrading their network. As to switching, there are other considerations such as other services the family uses.

I know of companies who have no plans to upgrade to IPv6 because of the cost to upgrade network gear and the staff time (overtime) required to implement it. It comes down to the same old thing again.

On the positive side, ipfilter's IPv6 NAT works, though there is one little bug on my todo list.


----------



## covacat (Nov 10, 2022)

if you use mpd5 try to enable mssfix


----------



## jekyll530 (Nov 11, 2022)

Alain De Vos said:


> I also pppoe, using rtsold, the output of:
>
> ...


It seems that I should not use rtsold. In its man page it says "rtsold should be used on IPv6 hosts (non-router nodes) only."

I'm also getting 10/10 from test-ipv6, and 18/20 from ipv6-test (except ICMP shows "Not tested").

I can't set ipv6_defaultrouter in rc.conf because every time I dial up PPPoE, I get a different IPv6 prefix.


----------



## SirDice (Nov 11, 2022)

jekyll530 said:


> I can't set ipv6_defaultrouter in rc.conf because every time I dial up PPPoE, I get a different IPv6 prefix.


Setting `ipv6_defaultrouter="-iface tun0"` might work for you.


----------



## jekyll530 (Nov 11, 2022)

SirDice said:


> Setting `ipv6_defaultrouter="-iface tun0"` might work for you.


I think it might not be necessary. As I mentioned, most sites work fine...

Earlier today I grabbed some traffic, comparing the pcaps between the FreeBSD server and an internal machine accessing the same site.
It looks like the traffic of the internal machine is somehow dropped, the packet of the TLS Server Hello is corrupted, then the connection just got stuck.


----------



## covacat (Nov 11, 2022)

`add! default HISADDR6` in ppp.conf may work too


----------



## Alain De Vos (Nov 11, 2022)

I have

```
set mtu 1492
set mru 1492
enable ipcp
enable ipv6cp
```


----------



## jekyll530 (Nov 11, 2022)

Yes I have what both of you said set.


----------



## sko (Nov 11, 2022)

cy@ said:


> I know of companies who have no plans to upgrade to IPv6 because of the cost to upgrade network gear and the staff time (overtime) required to implement it. It comes down to the same old thing again.



Or they are forced to use software that was already horrible and outdated in the 90s, never evolved to something remotely 'modern' and still completely breaks if IPv6 is enabled on the Windows client...
We still can't roll out IPv6 in our Windows subnets because of such crap.


As for the original problem:
Are those sites that can't be reached perhaps exclusively IPv6 hosted? Also, just to make sure: net.inet6.ip6.forwarding is set to 1?


----------



## jekyll530 (Nov 11, 2022)

sko said:


> As for the original problem:
> Are those sites that can't be reached perhaps exclusively IPv6 hosted? Also, just to make sure: net.inet6.ip6.forwarding is set to 1?


No, they have both IPv4 and IPv6 addresses. And yes, it's set to 1.


----------



## jekyll530 (Dec 8, 2022)

Problem solved by setting MTU to 1452 in rtadvd.conf.
Thank you guys.


----------
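
An added example, not part of any post in this thread: an MTU set in rtadvd.conf reaches LAN hosts as the MTU option (type 5, RFC 4861) of the Router Advertisement, and hosts derive their IPv6 TCP MSS from it. The Python code below parses that option from a constructed RA and checks whether full-size segments fit the 1492-byte PPPoE MTU quoted earlier in the thread; the 1500-byte LAN MTU, the sample MAC address and all function names are assumptions.

```python
import struct

IPV6_HDR, TCP_HDR = 40, 20   # fixed IPv6 header, TCP header without options
ND_RA, ND_OPT_MTU = 134, 5   # ICMPv6 type and MTU option type (RFC 4861)

def build_ra(mtu=None):
    """Constructed sample: minimal Router Advertisement, optional MTU option."""
    # type, code, checksum (left 0, not validated), hop limit, flags,
    # router lifetime, reachable time, retransmit timer
    ra = struct.pack("!BBHBBHII", ND_RA, 0, 0, 64, 0, 1800, 0, 0)
    # Source link-layer address option: type 1, length 1 (units of 8 bytes)
    ra += struct.pack("!BB6s", 1, 1, bytes.fromhex("020000000001"))
    if mtu is not None:
        # MTU option: type 5, length 1, 16 reserved bits, 32-bit MTU
        ra += struct.pack("!BBHI", ND_OPT_MTU, 1, 0, mtu)
    return ra

def advertised_mtu(ra):
    """Return the MTU option value carried in an RA, or None if absent."""
    if len(ra) < 16 or ra[0] != ND_RA:
        raise ValueError("not a Router Advertisement")
    off = 16
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(ra):
            raise ValueError("malformed ND option")
        if opt_type == ND_OPT_MTU and opt_len == 8:
            return struct.unpack_from("!I", ra, off + 4)[0]
        off += opt_len
    return None

def client_mss(ra, link_mtu=1500):
    """TCP MSS a LAN host announces over IPv6 after processing this RA."""
    mtu = advertised_mtu(ra) or link_mtu
    # Hosts ignore an advertised MTU above the link's own maximum
    return min(mtu, link_mtu) - IPV6_HDR - TCP_HDR

def fits_path(ra, path_mtu, link_mtu=1500):
    """True if full-size segments sent to the host fit through path_mtu."""
    return client_mss(ra, link_mtu) + IPV6_HDR + TCP_HDR <= path_mtu

if __name__ == "__main__":
    for label, ra in (("no MTU option", build_ra()), ("mtu 1452", build_ra(1452))):
        print(label, "MSS", client_mss(ra), "fits 1492:", fits_path(ra, 1492))
```
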

