Can't get PD /56 to work
-
Noob here. Currently using pfsense with a tunnelbroker tunnel. It lives on a hyper-v server and has been working well. Recently upgraded internet service with a new modem/router (Actiontec t2200h) that allows port bridging and ISP (Telus) is offering native ipv6, so trying to get pfsense set up to use native ipv6. Created another guest on the hyper-v for testing pfsense. Set it up similarly to how others using PD have done, but it's not working. I need help.
Telus has explained how the prefixes are allocated. They allocate a /56 using PD. The actiontec takes the ff subnet for itself and allocates a WAN address. It uses the 00 subnet for the devices on the LAN. (It does not support PD itself, but supports port bridging enabling another router to get a prefix from the Telus edge router.) Based on the actiontec status, I can verify that's what it's doing. Here are the addresses:
IPv6 Prefix of Delegated: 2001:569:XXXX:8500::/56
IPv6 WAN Status: Connected
IPv6 WAN Address: 2001:569:XXXX:85ff:4e8b:30ff:fe19:f939/64
IPv6 WAN Link Local Address: fe80::4e8b:30ff:fe19:f939
IPv6 LAN Link Local Address: fe80::4e8b:30ff:fe19:f938
I have also verified that it indeed allocates LAN addresses in 2001:569:XXXX:8500/64.
According to Telus, any router that behaves similarly to the actiontec will also work. Anecdotally, others have gotten this working.
Here is how Telus says it's supposed to work:
We (TELUS) are using dhcp6-pd to assign an IPv6 Prefix to the requesting router (usually an Actiontec RG). As you have noticed the prefix is /56 in size and the Actiontec is using two /64 prefixes out of that at this time (In theory those prefixes don't have to be a /64, they could be anything within that /56). The Actiontec "owns" the entire /56 prefix, so you can't just arbitrarily pick say a /64 out of that and start using it. The only way that could work is if the Actiontec in turn delegated a prefix to a requesting router on the LAN side (a feature that currently is not supported on it).
Now if you want to use your own router, you can do what you mentioned by using the port 1 bridge mode on the Actiontec and connecting your device into this. It will work fine, however there are a few issues with a majority of 3rd party devices. In order for it to work your device must:
1. Only request a dhcp6-pd (So only send IA-PD in the dhcp6 solicit message). This is what the Actiontecs actually do.
2. If the device does request both an IA-NA, and an IA-PD in the solicit message, then it must conform to RFC 7550. We are not using IA-NA so in our dhcp Advertise message there will be a NoAddrAvail message for the IA-NA, and a prefix for the IA-PD.
#2 is where most of the 3rd party devices have issues. They don't handle this case and will usually reject the dhcp advertise message that is sent down and just go into an endless solicit loop.
As I said above, I've set it up based on how others have done and also reading the help, but it's not working. The status of the WAN dhcp6 gateway is "unknown". The WAN interface has an ipv6 link-local address and an ipv6 address, but both are fe80. In system/routing/gateways, the WAN dhcp6 gateway is "dynamic", no address.
In the dhcp6 client configuration, I've tried various combinations of settings. In particular, if it's set to only request a prefix, how is the WAN address allocated? Not sure about the advanced settings, or if they are required to comply with the above. On the LAN side, it's set to track the WAN address. In case the firewall was blocking something, I opened it up completely. That made no difference.
If anyone has any words of wisdom, I'm all ears. I can provide more details about the settings or info from the logs if that would help. Just let me know what I should provide.
-
Further to the previous post, here is a bit more detail of how the Telus side is supposed to work:
1 0.000000 fe80::1 ff02::1:2 DHCPv6 209 Relay-forw L: :: Solicit XID: 0x90 CID: 000200000d800001
2 0.068277 fe80::221:5ff:fec3:c424 fe80::1 DHCPv6 236 Relay-reply L: :: Advertise XID: 0x90 CID: 000200000d800001
3 1.000588 fe80::1 ff02::1:2 DHCPv6 223 Relay-forw L: :: Request XID: 0x91 CID: 000200000d800001
4 1.412554 fe80::221:5ff:fec3:c424 fe80::1 DHCPv6 236 Relay-reply L: :: Reply XID: 0x91 CID: 000200000d800001
5 2.195250 fe80::221:5ff:fec3:c424 fe80::1 ICMPv6 86 Router Advertisement from 00:21:05:6c:9d:ac
Apparently the edge router does not respond to an RS message.
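Added example, not part of the thread and not pfSense or dhcp6c code: a small DHCPv6 Solicit/Advertise codec that puts the two Telus requirements quoted above, and the capture in this post, into running code. build_solicit() produces either the PD-only Solicit (IA_PD, no IA_NA) or the "both IAs" Solicit that most third-party routers send; build_advertise() plays the Telus edge router and answers the IA_NA with NoAddrsAvail and the IA_PD with the delegated /56; usable_prefixes() applies the RFC 7550 rule (keep the IA_PD, don't reject the whole Advertise). sla_subnet() shows how the 00 and ff /64s fall out of the /56. The client DUID is the CID from the capture above; the server DUID (built from the MAC in the RA line), the lifetimes and the 2001:db8:0:8500::/56 prefix (documentation range, standing in for 2001:569:XXXX:8500::/56) are constructed for the example.

```python
# Added example, not from the thread: a small DHCPv6 Solicit/Advertise codec
# that shows Telus' two rules. (1) A PD-only Solicit carries IA_PD and no IA_NA.
# (2) If a client sends both, the Advertise comes back with NoAddrsAvail in the
# IA_NA and a real prefix in the IA_PD, and the client must keep the IA_PD
# rather than discard the message (RFC 7550, now folded into RFC 8415).
import ipaddress
import struct

SOLICIT, ADVERTISE = 1, 2
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_ELAPSED_TIME = 1, 2, 3, 8
OPT_STATUS_CODE, OPT_IA_PD, OPT_IAPREFIX = 13, 25, 26
STATUS_SUCCESS, STATUS_NOADDRSAVAIL = 0, 2

# Client DUID copied from the CID in the thread's capture (DUID-EN). The server
# DUID is constructed as a DUID-LL from the MAC in the capture's RA line; the
# documentation prefix 2001:db8::/32 stands in for the real 2001:569:XXXX::.
CLIENT_DUID = bytes.fromhex("000200000d800001")
SERVER_DUID = bytes.fromhex("00030001" "0021056c9dac")

def option(code, data):
    """Encode one DHCPv6 option: code(2) length(2) data."""
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf):
    """Decode an option list into [(code, data), ...]; a truncated tail is dropped."""
    out, off = [], 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        out.append((code, buf[off + 4:off + 4 + length]))
        off += 4 + length
    return out

def build_solicit(xid, duid, want_na=False, hint_len=56, iaid=0):
    """Client side. want_na=False is the PD-only Solicit the Actiontec sends."""
    opts = option(OPT_CLIENTID, duid) + option(OPT_ELAPSED_TIME, b"\x00\x00")
    if want_na:
        opts += option(OPT_IA_NA, struct.pack("!III", iaid, 0, 0))
    # IA_PD carrying an IAPREFIX hint of ::/hint_len (the "send prefix hint" setting)
    hint = option(OPT_IAPREFIX, struct.pack("!IIB", 0, 0, hint_len) + bytes(16))
    opts += option(OPT_IA_PD, struct.pack("!III", iaid, 0, 0) + hint)
    return struct.pack("!B", SOLICIT) + xid.to_bytes(3, "big") + opts

def build_advertise(solicit, prefix, preferred=3600, valid=7200):
    """Server side, as the capture shows the Telus edge behaving: answer every IA
    the client asked for, NoAddrsAvail for IA_NA, the delegated prefix for IA_PD."""
    xid = int.from_bytes(solicit[1:4], "big")
    net = ipaddress.IPv6Network(prefix)
    opts = option(OPT_SERVERID, SERVER_DUID)
    for code, data in parse_options(solicit[4:]):
        iaid = data[:4]
        if code == OPT_CLIENTID:
            opts += option(OPT_CLIENTID, data)
        elif code == OPT_IA_NA:
            status = option(OPT_STATUS_CODE,
                            struct.pack("!H", STATUS_NOADDRSAVAIL) + b"no addresses available")
            opts += option(OPT_IA_NA, iaid + struct.pack("!II", 0, 0) + status)
        elif code == OPT_IA_PD:
            iaprefix = option(OPT_IAPREFIX, struct.pack("!IIB", preferred, valid, net.prefixlen)
                              + net.network_address.packed)
            t1, t2 = preferred // 2, preferred * 4 // 5
            opts += option(OPT_IA_PD, iaid + struct.pack("!II", t1, t2) + iaprefix)
    return struct.pack("!B", ADVERTISE) + xid.to_bytes(3, "big") + opts

def summarize(msg):
    """Client side: per-IA status (None = IA absent) plus any delegated prefixes."""
    info = {"type": msg[0], "xid": int.from_bytes(msg[1:4], "big"),
            "ia_na": None, "ia_pd": None, "prefixes": []}
    for code, data in parse_options(msg[4:]):
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        key = "ia_na" if code == OPT_IA_NA else "ia_pd"
        info[key] = STATUS_SUCCESS  # an IA with no Status Code option means success
        for sub, sdata in parse_options(data[12:]):  # skip IAID, T1, T2
            if sub == OPT_STATUS_CODE:
                info[key] = struct.unpack_from("!H", sdata)[0]
            elif sub == OPT_IAPREFIX and code == OPT_IA_PD:
                pref, val, plen = struct.unpack_from("!IIB", sdata)
                addr = ipaddress.IPv6Address(sdata[9:25])
                info["prefixes"].append((ipaddress.IPv6Network((addr, plen), strict=False), pref, val))
    return info

def usable_prefixes(msg):
    """The RFC 7550 rule the Telus post describes: NoAddrsAvail in the IA_NA does
    not invalidate the Advertise; keep the IA_PD if it delegates a prefix.
    Returns [] when the message really should be dropped."""
    info = summarize(msg)
    if info["type"] != ADVERTISE or info["ia_pd"] != STATUS_SUCCESS:
        return []
    return [net for net, _, _ in info["prefixes"]]

def sla_subnet(delegated, sla_id, sla_len=8):
    """The /64 a router carves out of the /56 for a given prefix ID (dhcp6c's
    sla-id/sla-len). The Actiontec uses 0x00 for its LAN and 0xff for its WAN."""
    net = ipaddress.IPv6Network(delegated)
    return list(net.subnets(new_prefix=net.prefixlen + sla_len))[sla_id]

if __name__ == "__main__":
    sol = build_solicit(0x90, CLIENT_DUID, want_na=True)  # the "problem" Solicit
    adv = build_advertise(sol, "2001:db8:0:8500::/56")
    print(summarize(adv))
    print(usable_prefixes(adv))          # [IPv6Network('2001:db8:0:8500::/56')]
    print(sla_subnet("2001:db8:0:8500::/56", 0xff))  # 2001:db8:0:85ff::/64
```

A client that rejects the Advertise because of the IA_NA status is the "endless solicit loop" Telus describes; a client built on usable_prefixes() takes the /56 and moves on to Request. The Solicit and Advertise built here are the UDP payloads only (the capture above shows them wrapped in Relay-forw/Relay-reply by the ISP's relay).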
-
I'm seeing the exact same thing. I've been using a Sophos UTM box as my main firewall, and recently tried to get IPv6 working with my Telus GPON service. My searches led me to the same Telus thread you read regarding PD, which the Sophos can't do.
I then tried setting up a Linux box that was conveniently connected to the network, and made it do a PD request only. Didn't work. So I put Wireshark on to see what was going on. I could see the request going out, but nothing in response.
Of course the Actiontec router works fine, but I refuse to use it.
So I thought I'd try pfSense, because I heard that it could do PD.
But I'm seeing the same thing in Wireshark - a request going out but nothing coming in.
Anyone have any suggestions?
-
Since you have gpon, is it possible to have your wireshark connected on the wan side while the actiontec boots up? If so, maybe you could see what's happening. What type of actiontec do you have? Not sure if that would work in my case because I can't get directly on the wan side, only through the bridged port 1. I suppose I could create another windows guest, install wireshark on it and connect it to the virtual switch on the wan side, then powercycle the modem and find out if I can see what's happening.
Also, what settings are you using? Did you manually configure ipv6 or did you let the installer do it?
-
I haven't tried wiresharking the Actiontec box but I can - I'll try setting it up tomorrow and seeing exactly what's being sent and received and see if I can compare that to what pfSense is doing.
As for what ipv6 settings, I manually configured pfSense, and specifically set it to PD only (which is what the telus guy said in his thread) but it didn't make any difference. I'll report back tomorrow with what I find.
-
I installed wireshark on the windows 10 guest and moved it to the other side of my test pfsense guest, which is connected to the bridged port on the actiontec. It's not really a supported configuration for ipv6, so it couldn't acquire an ipv6 address. I rebooted pfsense to see what traffic it generated. I saw messages from the pc trying to get an address, but there was no sign of pfsense trying to acquire a prefix. It doesn't seem right, so I'll try again tomorrow.
-
If any of you experts out there can point me in the right direction, I'd really appreciate it. If there are particular settings I should try or log messages that I should post, let me know. I'd really like to get this working.
-
I haven't looked at this in a couple of months, but I believe the issue with Telus' IPv6 implementation is related to https://redmine.pfsense.org/issues/5993.
If you set up the dhcp6 client to only request an IPv6 prefix, set it to ask for a /56, and to send the IPv6 prefix hint then it should work if you run the following command, assuming em0 is your WAN interface.
/usr/local/sbin/dhcp6c -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
-
I think it's pretty clear that the problem I'm having is related to bug 5993. I tried your suggestion using hn0, which is my wan interface. pfsense did not grab a prefix and dhcp6 did not start. I'd be glad to post log messages or whatever to get to the bottom of this, but my forehead is sore from banging against the wall.
-
I rebooted pfsense and the pc and tried again. This time it worked. No idea why it worked this time, but not before. Now, if we can only get a version of pfsense with this built-in!
UPDATE: The Gateways panel on Status / Dashboard shows ~ for the address and Pending for RTT, RTTsd and Loss, and Unknown for Status. Status / Gateways / Gateways shows blank for Monitor, and Pending for RTT, RTTsd, Loss and Status.
-
I just updated to 2.3.2-DEVELOPMENT which included an update to dhcp6 and it seems things are working better. My internal clients have valid ipv6 addresses and ipv6 dns works just fine.
However I can't get any ipv6 traffic to leave my lan, but ipv6 connectivity works just fine on the router.
-
I just installed the DEV version and for me there was no difference. I configured the prefix and other settings as before. I had to manually start dhcp6c as above. After that, everything was the same as it was with the other version. The dhcp6 gateway status is "pending", but ipv6 is working.