• Android Clients unable to reach Internal Exchange Server

    0 Votes
    9 Posts
    1k Views
    JKnott

    @AmC_OldSarge said in Android Clients unable to reach Internal Exchange Server:

    From what I am reading, by default, Android uses IPv6 for DNS.

    Most things prefer IPv6 by default, but if it's not available they'll go immediately for IPv4.

  • pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result

    1 Votes
    48 Posts
    8k Views
    JKnott

    @cnrd said in pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result:

    As stated here: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc

    The solution described below causes IPv6 Neighbor Discovery Neighbor Solicitation messages from non-neighbors to be ignored.
    This can be re-enabled if required by setting the newly added net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

    I think a packet coming from a global address to a link local would be considered a non-neighbor.

    Here is what I read on Reddit:

    "II. Problem Description

    IPv6 routers may allow "on-link" IPv6 nodes to create and update the
    router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node."

    Now, take a look at the packet containing the neighbour solicitation or advertisement and check the hop limit. It is 255. This is protection against that threat as a router would have to decrement it from 0, but a 0 hop limit would cause the packet to be dropped. This guarantees the packet originated on the local network. If it's any other number, the packet originated elsewhere and with a hop limit other than 255 or 0.

  • Correct NPt settings? Or how to not need it on this network?

    0 Votes
    6 Posts
    781 Views
    JKnott

    @signalz

    If one device gets an IPv6 address but another doesn't, you have a local problem. Likely you have pfSense misconfigured.

    As for AAAA records, there is no way for any DNS server to know what name you assign to an address, unless you configure it. I have both the pfSense DNS server and a public server available. I put the host names I choose on those servers. Also, bear in mind, there are consistent addresses and privacy addresses, which change every day. Point the DNS to the consistent addresses. Consistent addresses are often based on the MAC address, but may be based on a random number. Either way, you point the DNS to the consistent address. Also, you will probably have a WAN IPv6 address, which is likely not used for routing.

    So, when you determine what your consistent addresses are, enter names for them in the pfSense DNS server.

  • router loses IPv6, error in routing logs

    0 Votes
    12 Posts
    1k Views

    @evberd thanks for posting. I just lost connectivity again today, triggering the multiple-reboot cycle of pfSense until it would finally pull an IPv6 for my WAN and LAN. While I can grit my teeth and suffer through this until I get it going before the next disruption, it is truly vexing behavior. I woke up to no connectivity a few days ago due to Comcast equipment maintenance, and had to spend half an hour and was late to work because I needed to get the internet going for distance learning for my kids.

    That said, I've read what you've written a couple times, and it hasn't completely sunk in. I have tried using VLAN before and failed miserably. I am not an expert.

    I do use dynamic DNS as Comcast has changed my IP address several times over the past 6 months, I think due to equipment upgrades which is not a bad thing. The performance is impressive. Dynamic DNS does actually work, and does not seem to be a terrible solution for residential service.

  • IPv6 UUID-like Strings in IPv4 DHCP Leases MAC Fields

    0 Votes
    2 Posts
    376 Views

    DHCPv4 can use a "client identifier" such as a DUID, just like DHCPv6. (RFC 4361)

    I suspect this is what you are seeing.

  • Lost IPv6 IP with Comcast

    0 Votes
    3 Posts
    493 Views

    @qwerty123
    I've got Spectrum and it's the same thing. I have some homelab servers that I don't want dynamic, but I have implemented IPv6 internally (dual stack). What I did, right or wrong, was set the WAN interface to DHCP6, and the LAN and 2 VLANs to track, specifying prefix IDs for the VLANs (/56 hint worked). I also set the WAN to NOT send a release to the ISP under DHCP6 Client Config. Instead of using the DHCP6 from my servers, I set that up in pfSense and set up static IPv6 mappings for the servers. But instead of specifying the prefix, which we know may change, I set the addresses as ::{interface identifier}, hoping that if I don't specify a prefix and it changes, at least the prefix ID and the interface ID remain as I specified and my servers still get a valid routable IPv6 IP. When it changes I will have to update a couple of ALIASES that list those networks, and some settings under Services/DHCPv6 Server & RA. Hopefully I won't have to mess with the static mappings though.

  • Multiple Router Advertisements

    0 Votes
    24 Posts
    3k Views
    Derelict

    Still some things to examine there, but yes, the ndp output is what I was looking for.

  • Network Prefix Translation (NPt) Failing

    0 Votes
    8 Posts
    758 Views
    JKnott

    @Bob-Dig said in Network Prefix Translation (NPt) Failing:

    First, JKnott is always right.

    That's not what my ex says! 😉

  • How could I eliminate immediate IPv4? (NAT/proxy it through IPv6)

    0 Votes
    12 Posts
    2k Views
    JKnott

    @skilledinept

    Forget about the management interface and RADIUS for a moment. The purpose of an AP is to provide a layer 2 connection between devices. That's it. So, it should pass IPv4 & IPv6 equally well. I get the impression your RADIUS server is IPv4 only. Is that a problem? Can the clients only connect via IPv6? These days, dual stack is quite common and normally IPv6 is preferred, with fallback to IPv4.

  • How to Setup NAT64 using pfsense with Jool

    0 Votes
    1 Post
    2k Views
    No one has replied

  • IPv6 Neighbor Solicitation incorrectly retransmitted by PFSense?

    0 Votes
    18 Posts
    2k Views
    Derelict

    Really?

  • Problem Loading web pages with IPv6

    0 Votes
    15 Posts
    4k Views

    After another call to my ISP the problem was finally solved!!!
    There was nothing from my side!

    Thank you all for your support.

  • No LAN IPv6 address with Track Interface on WAN

    0 Votes
    27 Posts
    5k Views

    @Jim-Coogan what ended up being a show stopper for me was my ISP only allocating a /64 range to my modem. For DHCPv6 relay to work with pfSense acting as a router you need to be able to use DHCPv6 with Prefix Delegation. To do that you need a bigger allocation than /64, e.g. /56 or /60 etc.

  • Automatically generated rules causing issues

    0 Votes
    3 Posts
    441 Views

    The bridged interfaces are IPv4 only. The issue is that the automatically generated rules are floating rules, so they apply globally.

  • IPv6 - Is this roughly correct?

    0 Votes
    8 Posts
    2k Views
    johnpoz

    Yeah, as JKnott has stated, it's normal.. It is also possible that the WAN never even gets a global address, and just uses link-local.. I'm not a fan of that, I like to see a global address on my WAN ;)

    There are plenty of IPs to go around ;) An ISP can afford to assign a global to the transit network ;)

    edit: to expand on the sheer number of IPs.. A min assignment from an RIR for an ISP is a /32 - I just got one for an IPv6 project we are doing from ARIN.. That is 65K /48s ;) or 4 billion /64s..

    Comcast got a /9 - which is 36 quadrillion /64s - you would think they can afford a few /64s for transit networks ;)

    And it's not like they can't get more... It took a couple of weeks to get the /32 - all you have to do is show basic need.. And a basic plan on how you're going to use them..

    These ISPs telling users they can only get one /64 is just nuts... You can head over to HE and they will give you a /48 you can tunnel for free. I have had mine for over 10 years..

    ISPs should have no issues giving users either a /48 or at min a /56, and using a global for their transit network.

  • How does IPv6 negotiation over IPv4's PPPoE work?

    1 Votes
    22 Posts
    3k Views
    senseivita

    What if you use a remote receiver?

    From experience I've learned that DDNS in pfSense, or any other appliance, only works when you're "gentle" to it, meaning one hostname. As soon as you add additional hostnames or domains, it'll fail to update them, so I got a VPS and installed pfSense on it for the static IP they give you, starting at USD5/mo, sometimes less; it's the cheapest static address you can rent.

    I actually use it for the GIF to HurricaneElectric and tunnel both IPv4 and IPv6 to the local pfSense, I have about the same latency in local IPv4 as in tunneled IPv4 and (double-) tunneled IPv6.

    But where I'm going with this is:

    I also use my remote instance's public address as the monitor IP for the local WAN gateway. And since I can contact the remote instance locally through the tunnel, I get statistics on it with any tool, like from which IP a tunnel has been brought up, which I know would only be mine. "Loopback" stats. This data can be sent to a syslog server or queried through SNMP. You can query all sorts of data; I check consumption because the VPS has a data cap, I'm used to not having it because of my ISP so this is really handy. You can set it to notify you through a bot on Telegram, Matrix, classic email or a buttload of other integrations it has:

    (Screenshots: Screen_Shot_2020-10-09_at_14_37_41.png, Screen_Shot_2020-10-09_at_14_51_00.png)

    The first one is LibreNMS, completely free, does SNMP and syslog, you don't need scripts or databases because it's meant to keep historic data, it's all there as long as you feed it. The second one is VMware's vRealize Log Insight, also free (*with purchase) it only does syslog but it's very comprehensive, king of syslogs, it can proxy the syslog to yet more servers and has this thing called agents, custom-made-on-site apps preconfigured to send data to it and reconfigurable remotely. It's very cool.

    LibreNMS is like a 2core/2G/20G VM if I'm not mistaken, Log Insight is much hungrier but you can tweak it before first starting it, I discovered. Both need fast disks.

  • IPv6 ping/traceroute from Windows 10 PCs

    0 Votes
    3 Posts
    659 Views
    MikeV7896

    @virgiliomi said in IPv6 ping/traceroute from Windows 10 PCs:

    Before I try to offer a reason, can I make a guess that you have Verizon FiOS? 🙂

    Edit: Never mind... I see you're not from the US. We have an ISP in part of the US that has an ICMP Traceroute issue (affects only Windows, not Linux/Mac since they use UDP instead of ICMP by default). I thought that might have been what you were experiencing.

  • Cannot get IPv6 to work on multiple vlans (DHCP6 on WAN with PD)

    0 Votes
    2 Posts
    380 Views

    I am not familiar with your ISP so I can't be specific, but a few things to double-check: did you set the prefix delegation under WAN/DHCP 6 CLIENT CONFIG, and try with the prefix hint set ON and OFF?

  • pfSense as IPv6 client

    0 Votes
    17 Posts
    1k Views
    JKnott

    @Hikari

    The /x indicates the prefix length. Your LAN gets a /64 prefix, which means 64 bits for the network address, leaving 64 for the device within the LAN. A /128 means the entire 128 bits is the prefix, leaving no bits for more than one device. I doubt it would have anything to do with the MAC, as it's assigned by DHCP. If it was MAC based, it would be obvious. Your LAN gateway demonstrates the link local address is used, not a public address.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.