Delegated prefix not used

redakula

Hi
I have a weird problem with prefix delegation which is not applied to any interface. It is a fresh install of pfSense.
Details from ISP:
Delegated a /48, must set ia-pd 1, ia-na 1 and IAID for NA 1.
I am a bit unsure of the prefix delegation options (id-assoc pd ID and so on) could these settings be an issue? Not particulaly well documented.
Here is my configuration for WAN:

The router gets an IPV6 address and as far as i can tell from the logs receives the /48 prefix. But the prefix is not applied to the WAN interface and no address is set on the interfaces set to track WAN.
Logs show the prefix being received and created but it appears nowhere in pfSense so it is as if nothing actually happens...

Dec 6 17:09:36 	dhcp6c 	26547 	got an expected reply, sleeping.
Dec 6 17:09:36 	dhcp6c 	26547 	removing server (ID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d)
Dec 6 17:09:36 	dhcp6c 	26547 	removing an event on xn3, state=REQUEST
Dec 6 17:09:36 	dhcp6c 	26547 	script "/var/etc/dhcp6c_wan_script.sh" terminated
Dec 6 17:09:20 	dhcp6c 	62547 	dhcp6c RELEASE, REQUEST or EXIT on xn3 running rc.newwanipv6
Dec 6 17:09:20 	dhcp6c 	26547 	executes /var/etc/dhcp6c_wan_script.sh
Dec 6 17:09:20 	dhcp6c 	26547 	add an address XXXX:4000:11::1066/128 on xn3
Dec 6 17:09:20 	dhcp6c 	26547 	create an address XXXX:4000:11::1066 pltime=3000, vltime=3677128090032541600
Dec 6 17:09:20 	dhcp6c 	26547 	make an IA: NA-1
Dec 6 17:09:20 	dhcp6c 	26547 	create a prefix XXXX:4001:1066::/48 pltime=3000, vltime=4000
Dec 6 17:09:20 	dhcp6c 	26547 	make an IA: PD-1
Dec 6 17:09:20 	dhcp6c 	26547 	nameserver[1] XXXX:4000:0:6::5
Dec 6 17:09:20 	dhcp6c 	26547 	nameserver[0] XXXX:4000:0:6::3
Dec 6 17:09:20 	dhcp6c 	26547 	dhcp6c Received REQUEST
Dec 6 17:09:20 	dhcp6c 	26547 	IA_PD prefix: XXXX:4001:1066::/48 pltime=3000 vltime=140733193392032
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option IA_PD prefix, len 25
Dec 6 17:09:20 	dhcp6c 	26547 	IA_PD: ID=1, T1=1000, T2=2000
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option IA_PD, len 41
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option DNS, len 32
Dec 6 17:09:20 	dhcp6c 	26547 	IA_NA address: XXXX:4000:11::1066 pltime=3000 vltime=4000
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option IA address, len 24
Dec 6 17:09:20 	dhcp6c 	26547 	IA_NA: ID=1, T1=1000, T2=2000
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option identity association, len 40
Dec 6 17:09:20 	dhcp6c 	26547 	DUID: 00:01:00:01:21:5a:37:e1:96:96:78:4c:ae:6d
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option server ID, len 14
Dec 6 17:09:20 	dhcp6c 	26547 	DUID: 00:01:00:01:29:29:31:73:8e:24:16:73:a8:f2
Dec 6 17:09:20 	dhcp6c 	26547 	get DHCP option client ID, len 14
Dec 6 17:09:20 	dhcp6c 	26547 	receive reply from fe80::11:1%xn3 on xn3
Dec 6 17:09:20 	dhcp6c 	26547 	reset a timer on xn3, state=REQUEST, timeo=0, retrans=1025
Dec 6 17:09:20 	dhcp6c 	26547 	send request to ff02::1:2%xn3

Any ideas on the cause or further debugging steps?
Full log file attached for a renew of the WAN interface
dhcp6c.txt

JKnott

@redakula

Does your ISP provide any info? Also, the WAN address is usually not from your prefix. In fact, you don't even need a WAN IPv6 address, as link local addresses are normally used for routing.

redakula

@jknott
Hi
Yes these options are from the ISP:
Delegated a /48, must set ia-pd 1, ia-na 1 and IAID for NA 1.
Selecting only request prefix does not seem to make a difference as WAN still gets an address - which indeed is not in the prefix.

JKnott

@redakula

It appears they are just making the /48 available, which you then have to configure for, instead of using prefix delegation. Do they also provide a gateway address so you can do that?

BTW, who is the ISP? Maybe someone else has experience with them? Do they normally support business customers where there would be a network admin?

redakula

@jknott
The ISP is Kviknet (Denmark).
The google translate is ok for their help page:
IPV6 help page

Their DHCP server injects the route so i do need to use DHCPv6.

It appears to be a bit of a quirky setup...

JKnott

@redakula said in Delegated prefix not used:

It appears to be a bit of a quirky setup...

With both SLAAC and DHCPv6-PD on the WAN??? I can see one or the other, but not both. Can you do a packet capture on the WAN interface during startup and attach the capture file here.

To do this:

1. Shut down pfsense and disconnect the WAN cable
2. Power up pfsense and start Packet Capture on the WAN port, filtering on ICMP6
3. Reconnect the WAN cable and let Packet Capture run for a minute or so.
4. Download the capture file and attach it here.

redakula

@jknott

Thank you for your time :-)

Yep they acknowledge that it is a special setup. Apparently they use some ZTE routers that are not particularly well documented. (And i guess just plain weird...)
It appears that the routing part via the RA announcements on WAN works fine as the router itself has ipv6 internet access. I have previously struggled with the default route either not being set or disappearing. But it appears stable now after allowing RA's on WAN.

I attached a capture of WAN via an intermediate switch where i could mirror the port. I included ICMPv6 and DHCPv6 packets without any further filtering but i guess type 133+134 are the interesting ones...

The DHCPv6 packets returned from the ISP look like they have all the information as the logs from dhcp6c also show... But i am not deep enough into IPV6 to see if something is missing that throws off pfSense maybe?
2b4f is the WAN interface.

router_initWAN.pcapng

redakula

Ok tried something... I set the prefix interface to my LAN interface and the /48 prefix is delegated to this interface.
So it appears that the problem is assigning the interface to the WAN interface - which would be required for the track interface option to work???

JKnott

@redakula

I see several MAC addresses. Which one is you? It appears you can see other traffic than yours with that connection, which makes it hard to sort things out. You could try putting your MAC address in the Host Address box in Packet Capture. Then it will only capture traffic to or from your system. I normally don't have to do that with IPv6, but do with IPv4.

JKnott

@redakula

You set the track interface to WAN, unless your ISP is doing something different. You then enter a prefix ID to choose which prefix from that /48 you want to use on an interface. Your choices range from 0 to ffff and you can only use an ID once.

JKnott

@jknott said in Delegated prefix not used:

I see several MAC addresses.

Sorry, I meant link local address, though they are often based on the MAC.

redakula

Ok i just gave up on getting pfSense to generate a working configuration...
If something in my ISP's weird setup is causing it, a bug or the position of the moon i have no idea.

But it works when writing the config file manually and adding the interfaces. The interface still shows nothing about the delegated prefix but everything is working.
RA's set to unmanaged on the local interfaces.

The config file that works with my setup (on Kviknet in denmark):

interface xn3 {
        send ia-pd 1;
        send ia-na 1;
        script "/var/etc/dhcp6c_wan_script.sh";
};
id-assoc na 1 { };
id-assoc pd 1 { 
        prefix ::/48 infinity;
        prefix-interface xn0 {
                sla-len 16;
                sla-id 1;
        };
        prefix-interface xn1 {
                sla-len 16;
                sla-id 2;
        };
};