IPv6 Gateway monitoring broken in 2.6.0?

kimble

Since upgrading to 2.6.0 from 2.5.2, my IPv6 WAN interface (configured by DHCP6 over PPPoE) is stuck as 'pending' in the gateway monitor. (IPv6 routing is configured correctly, and is usable.)

On further investigation, this seems to be because a dpinger instance to monitor this gateway is not being started.

If, instead of setting a monitor IP for the gateway, I leave that field blank, dpinger does start successfully, pinging the gateway (which is a link-local address). Alas, the ISP's gateway address does not respond to pings, so this is useless - it just shows as 'offline'.

In summary, setting a monitor IP causes dpinger to fail to start. I suspect this might be related to the lack of a global IPv6 address on WAN?

Gertjan

@kimble
AN IP, v4 or v6, as close a possible, but not nearby, is best.
If not, hit the IPv6 of the NTP or DNS server of your ISP.
Or figure out the IPv6 counterpart of 8.8.8.8, and use that as a monitoring IPv6.

kimble

@gertjan I know. My ISP provides an IP (both V4 and V6) for the purpose, which I had been using successfully in 2.5.2
The problem is that in 2.6.0 dpinger never starts when a monitoring IP is configured.

kimble

Okay, I think this is related to this issue: https://redmine.pfsense.org/issues/6880

The dhcp6c conflict prevents a global IPv6 address being allocated to the WAN interface. Which for some reason breaks the starting of dpinger when there's a monitor IP configured for that gateway.

By killing the other instance of dhcp6c (a backup LTE connection), the WAN interface gets allocated a global IPv6 address. Dpinger is then started successfully for that gateway, and its status is reported as 'online' as expected.

That solves my gateway problem, but I suspect this is a bug, as it's normal for some ISPs to operate with just link-local addresses on IPv6 WAN interfaces.

JKnott

@kimble

My ISP only provides a link local address, so what I did was run a traceroute to Google and used the address from the next hop.

kimble

@jknott said in IPv6 Gateway monitoring broken in 2.6.0?:

@kimble

My ISP only provides a link local address, so what I did was run a traceroute to Google and used the address from the next hop.

Right. So, does it still work for you in 2.6.0?

Gertjan

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

still work for you in 2.6.0?

Just pick one, test if it repleis to IPv6 ICMP, and use it.

[2.6.0-RELEASE][admin@pfsense.right-here.net]/root: traceroute6 www.google.com
traceroute6 to www.google.com (2a00:1450:4006:809::2004) from 2001:470:1f12:5c0::2, 64 hops max, 20 byte packets
 1  tunnel2458xx9.tunnel.tserv10.par1.ipv6.he.net  44.360 ms  45.311 ms  45.460 ms
 2  10ge7-3.core1.par2.he.net  42.212 ms  42.915 ms  42.217 ms
 3  google.equinix-ix.fr  44.706 ms  44.374 ms  47.826 ms
 4  2001:4860:0:1015::10  41.464 ms
    2001:4860:0:1018::6  42.401 ms  42.585 ms
 5  2001:4860::c:4002:51c7  56.574 ms
    2001:4860::c:4002:51c9  56.555 ms  56.576 ms
 6  2001:4860::9:4001:c34  53.944 ms
    2001:4860::9:4002:56af  60.303 ms  82.966 ms
 7  2001:4860:0:1b::1  54.828 ms
    2001:4860:0:1::b3d  57.324 ms
    2001:4860:0:1::ec3  54.846 ms
 8  mrs09s11-in-x04.1e100.net  54.055 ms  112.765 ms  54.585 ms

Candidates are : "10ge7-3.core1.par2.he.net", some router at he.net or "google.equinix-ix.fr", but I didn't find an IPv6.
So, go for "2001:4860:0:1015::10".

login-to-view

Btw : and think about this : using "8.8.8.8" or their Ipv6 equivalent is plain stpd.

JKnott

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

So, does it still work for you in 2.6.0?

Yes.

kimble

@gertjan said in IPv6 Gateway monitoring broken in 2.6.0?:

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

still work for you in 2.6.0?

Just pick one, test if it repleis to IPv6 ICMP, and use it.

My problem isn't choosing a monitor address. My ISP provides one for the purpose, and it replies to ICMP ping just fine.

The isssue I've found is that, for reasons that aren't entirely clear, pfsense doesn't start a dpinger process to monitor the gateway when a) I'm using a monitor IP and b) there's no global IPv6 address on the WAN interface.

Anyway, this is no longer a problem for me, as I've worked around the known bug that was preventing the WAN interface acquiring a global address.

johnpoz

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

or reasons that aren't entirely clear, pfsense doesn't start a dpinger process to monitor the gateway when a) I'm using a monitor IP and b) there's no global IPv6 address on the WAN interface.

How would you ping some IPv6 IP if you don't have a global IPv6 address to ping it from.. So that seems kind of blatantly clear to why dpinger couldn't or wouldn't start pinging something if it doesn't have an address to ping from ;)

kimble

@jknott said in IPv6 Gateway monitoring broken in 2.6.0?:

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

So, does it still work for you in 2.6.0?

Yes.

Looking at gwlb.inc it seems that it won't start dpinger while the IPv6 interface is tentative. Which I assume is the difference between "no global address because there isn't supposed to be one" and "no global address because dhcp6c isn't working properly".

Which means it's just a symptom of the multiple dhcp6c instances bug.

kimble

@johnpoz said in IPv6 Gateway monitoring broken in 2.6.0?:

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

or reasons that aren't entirely clear, pfsense doesn't start a dpinger process to monitor the gateway when a) I'm using a monitor IP and b) there's no global IPv6 address on the WAN interface.

How would you ping some IPv6 IP if you don't have a global IPv6 address to ping it from.. So that seems kind of blatantly clear to why dpinger couldn't or wouldn't start pinging something if it doesn't have an address to ping from ;)

Good question and beyond my expertise - binding to a link-local address is only going to work for pinging the endpoint. It appears to be working for @JKnott though?

johnpoz

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

It appears to be working for @JKnott though?

BS - sorry but you can not ping a global IPv6 address if you only have a link local address as the source.. Just not freaking possible.. That might be your route, but you still need a valid source IP to use..

How would you ever get an answer?

You could ping your router, or your gateway via the link local, but you wouldn't be able to ping some global IPv6 address without a global IPv6 address as your source.

Gertjan

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

It appears to be working for @JKnott though?

Good question.

I think he did what I did : I focussed at the subject that states :

IPv6 Gateway monitoring broken in 2.6.0?

and my IPv6 Gateway monitoring works very well under 2.6.0.

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

Which means it's just a symptom of the multiple dhcp6c instances bug.

You have more then one IPv6 WAN ?

kimble

@johnpoz said in IPv6 Gateway monitoring broken in 2.6.0?:

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

It appears to be working for @JKnott though?

BS - sorry but you can not ping a global IPv6 address if you only have a link local address as the source.. Just not freaking possible.. That might be your route, but you still need a valid source IP to use..

How would you ever get an answer?

You could ping your router, or your gateway via the link local, but you wouldn't be able to ping some global IPv6 address without a global IPv6 address as your source.

Maybe it's clever enough to bind to a LAN address in that instance? I've no idea.

Otherwise it's something that cloud do with a more explicit error message, rather than the gateway being stuck on 'pending'.

kimble

@gertjan said in IPv6 Gateway monitoring broken in 2.6.0?:

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

It appears to be working for @JKnott though?

Good question.

I think he did what I did : I focussed at the subject that states :

IPv6 Gateway monitoring broken in 2.6.0?

Yes, I did try to edit the OP to make that clearer when I worked out what was going on, but it was out of time.

and my IPv6 Gateway monitoring works very well under 2.6.0.

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

Which means it's just a symptom of the multiple dhcp6c instances bug.

You have more then one IPv6 WAN ?

Yes. Depending on the vagaries of the mobile provider I'm using for a backup connection.

JKnott

@kimble

I have a global WAN address, as well as the link local address. The first hop is a link local address, as is common. I cannot use that link local address, but I can use a global address beyond. Also, I cannot even ping that link local address from the command line, so I suspect my ISP has turned off echo.

JKnott

@johnpoz said in IPv6 Gateway monitoring broken in 2.6.0?:

BS - sorry but you can not ping a global IPv6 address if you only have a link local address as the source.. Just not freaking possible.. That might be your route, but you still need a valid source IP to use..

All you need is a valid global address and the ping6 command allows setting a source address with the -S option, so any valid address on pfsense can be used. I just tried it, using my LAN global address to ping the address I used for the monitor.

So, even if you don't have a global WAN address, you can still ping a global address by using the LAN address.

This is one area where things can get really "interesting".

JKnott

@kimble said in IPv6 Gateway monitoring broken in 2.6.0?:

Maybe it's clever enough to bind to a LAN address in that instance? I've no idea.

You have to specify a source address by using the -S option in ping. I just did it, using my LAN global address.

reberhar

This post is deleted!