Unable to obtain a GUA on WAN but PD is working to VLANs
-
I've recently moved to pfSense for my router/firewall. I'm running 2.6.0.
My ISP is BT and I'm in the UK. From what I understand and from what I see on the router provided by the ISP, BT allocate a /56 and then the LAN gets a /64 allocated from that. I believe that DHCPv6 is used for the router to get the /56 and then SLAAC is used for clients to get GUAs (on the ISP provided router, at least).
On the ISP provided router, it gets a GUA for the WAN and then clients on the LAN get GUAs from the /64 that's allocated to the LAN. A few months ago, I moved to using OpenWRT as a replacement for the ISP router and I was able to get the same behaviour as I got with the ISP router, with regards to address allocation.
I was running a WireGuard node on the OpenWRT box and because that was getting a GUA on the WAN interface, it allowed me to configure WG peers to use the GUA of the WAN interface as the endpoint for connecting into my network from remote locations.
I've now moved to pfSense. Everything IPv4 is working fine. However, on the IPv6 side, I'm struggling to work out how to get the WAN interface to get a GUA for itself, and ideally one that's not in one of the prefixes delegated to the VLANs behind it. I see PD working correctly to my VLANs; each client on those VLANs gets a GUA and they are all able to communicate over the internet via IPv6 with no issues. However, the pfSense box doesn't get a GUA for its WAN interface. The interfaces on the pfSense box for each VLAN have GUAs, but not the WAN.
Given that the ISP router and OpenWRT had no issues in assigning a GUA to the WAN interface, I feel like what I'm trying to do here is doable; it's just that I'm missing something.
I'm not 100% sure what information would be useful here, past the following. If there's anything else that would be useful, please let me know and I'll be happy to provide it.
WAN config:
- IPv4 Configuration Type: PPPoE
- IPv6 Configuration Type: DHCP6
- MTU: Blank (default)
- MSS: Blank (default)
- DHCP6 Client Configuration
- Use IPv4 connectivity as parent interface: true
- Request only an IPv6 prefix: false (I've tried turning this on, then rebooting, then turning off, then rebooting, but I still don't get a GUA on WAN)
- DHCPv6 Prefix Delegation size: 56
- Send IPv6 prefix hint: true
- Do not wait for a RA: false
- Do not allow PD/Address release: true (I have this on so that I have pseudo-static GUAs; disabling it doesn't seem to affect GUA assignment on WAN, though)
Hopefully someone can help :)
Thanks!
-
Are you using a unique Prefix ID for each LAN/VLAN?
-
@jknott Yes, I am
-
First off, you don't need a WAN IPv6 address. Link local addresses are used for routing. You'd normally use the WAN GUA for things like VPN, etc., but you can use any interface address for that.
Did you have a WAN address before?
Have you done a packet capture to see what's happening on the WAN side? If not, capture DHCPv6 and see what it says. If you don't know how to read a packet capture, post the capture file here.
-
You'd normally use the WAN GUA for things like VPN, etc., but you can use any interface address for that.
The thought did occur to me that I could maybe use a private interface address for accessing the VPN, but I felt like that wasn't great, as traffic is going to an internal interface before it goes to the VPN.
Did you have a WAN address before?
Yes, on the ISP provided router and on the OpenWRT box I had running, they both had GUAs on the WAN interface, in addition to GUAs on the interfaces on the VLANs.
Have you done a packet capture to see what's happening on the WAN side?
I've not done, no, but it sounds like a good idea. I'll have a go at it and reply back with my findings. Thanks!
-
@jknott I tried doing a packet capture from the pfSense web GUI using the link you provided, but every time the capture was empty.
Instead, I ran tcpdump on the pfSense box after a reboot and with the WAN cable disconnected and then reconnected it. I then filtered this in Wireshark with the following:
udp.port == 67 || udp.port == 68 || udp.port == 546 || udp.port == 547
The resulting packets were left: wan-dhcp.pcap.gz
I'm a little out of my depth at this point and the packets captured don't really mean anything to me, other than me being able to see that DHCPv6 packets are being sent and received by the router and the ISP.
-
I've come across something curious. It appears you're not even requesting an address. Here's the Request XID from your capture:
There's the line:
Status Code: NoAddrAvail (2)
I see the same error on the Advertise XID that precedes it. This means there's an error at your ISP. It's similar to the one I had with my ISP "Status Message: No prefix available on Link". In my case it was a failure with the CMTS at my ISP's office. A CMTS is used for cable networks, not PPPoE, so I don't know how it differs from ISP.
Any chance you can do a capture on the OpenWRT box? You may have to use a "data tap" to do that, as I did when I had my problem.
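The Status Code that jknott points to is not a top-level field of the DHCPv6 message: the server puts it inside the IA_NA option (the "give me an address" request), while a separate IA_PD option can still carry a delegated prefix in the same Advertise or Reply. That is exactly the situation where a capture shows NoAddrAvail yet prefix delegation keeps working. The following is an added example, not code from any poster in this thread or from pfSense/OpenWRT: a minimal parser for the DHCPv6 wire format (RFC 8415 layouts for IA_NA, IAADDR, IA_PD, IAPREFIX and STATUS_CODE) that summarises what a server offered. The sample Advertise it decodes is constructed here for the example, using the documentation prefix 2001:db8:abcd::/56 rather than anything from the captures above.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes used here (RFC 8415 values)
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPT_IA_NA, OPT_IAADDR, OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 13, 25, 26
STATUS_NAMES = {0: "Success", 1: "UnspecFail", 2: "NoAddrAvail", 3: "NoBinding",
                4: "NotOnLink", 5: "UseMulticast", 6: "NoPrefixAvail"}


def iter_options(data):
    """Yield (code, payload) for each TLV option; refuse truncated input."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option length exceeds message")
        yield code, data[off:off + length]
        off += length


def decode_status(payload):
    """STATUS_CODE option: 2-byte code followed by a UTF-8 message."""
    code = struct.unpack_from("!H", payload)[0]
    return code, STATUS_NAMES.get(code, "Unknown"), payload[2:].decode("utf-8", "replace")


def parse_dhcpv6(msg):
    """Return a summary of addresses, prefixes and status codes in one message."""
    if len(msg) < 4:
        raise ValueError("message too short")
    summary = {"msg_type": MSG_TYPES.get(msg[0], f"type{msg[0]}"),
               "xid": int.from_bytes(msg[1:4], "big"),
               "addresses": [], "prefixes": [], "status": {}}
    for code, payload in iter_options(msg[4:]):
        if code == OPT_STATUS:
            summary["status"]["top"] = decode_status(payload)
        elif code in (OPT_IA_NA, OPT_IA_PD):
            # Both IA_NA and IA_PD start with IAID, T1, T2 (12 bytes), then sub-options
            if len(payload) < 12:
                raise ValueError("IA option too short")
            name = "IA_NA" if code == OPT_IA_NA else "IA_PD"
            for sub, sp in iter_options(payload[12:]):
                if sub == OPT_STATUS:
                    summary["status"][name] = decode_status(sp)
                elif sub == OPT_IAADDR and code == OPT_IA_NA:
                    # IAADDR: 16-byte address, preferred lifetime, valid lifetime
                    summary["addresses"].append(str(ipaddress.IPv6Address(sp[:16])))
                elif sub == OPT_IAPREFIX and code == OPT_IA_PD:
                    # IAPREFIX: preferred(4), valid(4), prefix-length(1), prefix(16)
                    plen = sp[8]
                    summary["prefixes"].append(f"{ipaddress.IPv6Address(sp[9:25])}/{plen}")
    return summary


def wan_verdict(summary):
    """One-line reading of the kind a capture reviewer wants for the WAN side."""
    if summary["addresses"]:
        return "address offered: " + ", ".join(summary["addresses"])
    st = summary["status"].get("IA_NA")
    reason = f"{st[1]} ({st[0]})" if st else "no IA_NA in message"
    pd = ", ".join(summary["prefixes"]) or "none"
    return f"no WAN address: {reason}; delegated prefix: {pd}"


def _option(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload


def build_sample_advertise():
    """Constructed ADVERTISE: IA_NA carries NoAddrAvail, IA_PD still delegates a /56."""
    ia_na = _option(OPT_IA_NA, struct.pack("!III", 1, 0, 0)
                    + _option(OPT_STATUS, struct.pack("!H", 2) + b"No addresses have been assigned"))
    iaprefix = _option(OPT_IAPREFIX, struct.pack("!II", 3600, 7200) + bytes([56])
                       + ipaddress.IPv6Address("2001:db8:abcd::").packed)
    ia_pd = _option(OPT_IA_PD, struct.pack("!III", 2, 1800, 2880) + iaprefix)
    return bytes([2]) + (0xABCDEF).to_bytes(3, "big") + ia_na + ia_pd


if __name__ == "__main__":
    parsed = parse_dhcpv6(build_sample_advertise())
    print(parsed["msg_type"], hex(parsed["xid"]), wan_verdict(parsed))
```

To use it on a real capture, export the UDP payload of an Advertise or Reply from Wireshark as raw bytes and pass it to parse_dhcpv6; a NoAddrAvail status under IA_NA together with a non-empty prefix list is the pattern described in this thread, and an address under IA_NA is what a WAN GUA assignment would look like.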
-
Hi @jknott
That's interesting! I'm not sure why the pfSense wouldn't be requesting an address.
I've just done a packet capture on the OpenWRT box and applied the same filter I used on the pfSense box. Here it is: openwrt-wan-dhcp.pcap.gz
In one of the packets from the OpenWRT box, I see the error that you mention above, but it does assign a GUA for the WAN interface, as expected.
Note that to capture the above, I setup a completely fresh installation of OpenWRT 21.02.3 and used the defaults, apart from configuring PPPoE on the WAN interface. I doubt it will be of use, but I thought I'd confirm the WAN configuration from OpenWRT here:
config interface 'WAN'
    option proto 'pppoe'
    option username 'REDACTED'
    option password 'REDACTED'
    option ipv6 'auto'
    option ip6assign '64'
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '1.0.0.1'
    list dns '2606:4700:4700::1111'
    list dns '2606:4700:4700::1001'
    option device 'eth1'
    list ip6class 'WAN_6'
-
I suspect it's because the ISP is saying there is no address, which indicates a problem at their end. That's why I suggested doing a capture with OpenWRT for comparison.
-
@jknott Yeah, I get that. But if there is an issue with the ISP, how are the ISP router and the OpenWRT box able to get an address?
-
Again, a comparison is needed. If you get weird problems, you need proof to support your claims. When I had a problem with my ISP, where I wasn't getting a prefix, the network guys who were supposed to work on this sort of thing refused to do anything, because I was using my own router. This was after I was able to demonstrate to 2nd level support that the problem wasn't in my system. Then a senior tech came to my home and I showed him my capture that identified the failing system at my ISP. He also brought his own modem & computer and had the same problem. He then went to the office I'm connected to and tried with 4 different CMTS and found it only failed with the one I'm connected to. Only at that point were the network guys ready to do something about the problem.
BTW, my next door neighbour had the same problem, but a friend in a different city didn't. Both of them were running the modem in gateway mode. Incidentally, I had to teach both the 2nd level support and the senior tech about how IPv6 worked. They had the general idea, but not the detail.
-
@jknott I understand that, thanks. Did you see my message above containing the packet capture from OpenWRT, for comparison? :) To me, I think there's a difference between OpenWRT and pfSense's way of handling this, but I'm no expert!
If it is indeed an ISP issue, I really doubt I'll be able to get my ISP to come round to my house and debug things like yours did, especially considering that their own router does what I'm looking for, out of the box with the default configuration. They really aren't cooperative in helping get a 3rd party router.
-
Here's what I found in the 1st Advertise XID:
Status Message: No addresses have been assigned
I don't see any mention of an address in the 2nd Solicit XID.
Are you sure OpenWRT has a GUA?
-
@jknott I see that message, too. Is it possible that OpenWRT and the ISP router are allocating the WAN interface a subnet from the allocated prefix (the /56) from the ISP and then allocating itself an address from that subnet? Rather than getting an address directly in the Solicit/Advertise process? I'm just stabbing in the dark :) I'm just wondering if the message we're seeing is a red herring, in some way.
Yes, OpenWRT definitely got a GUA for the WAN interface, even with the default configuration, even though it got the same error that pfSense is seeing.
-
If it is assigning an address from within your prefix, then that address will start with your /56 prefix.
I don't have any experience with IPv6 on PPPoE or with OpenWRT, so I don't know what else to check.
However, you don't need a WAN GUA. If you want to access pfSense from elsewhere, you can use the LAN interface address.