Unable to obtain a GUA on WAN but PD is working to VLANs
-
First off, you don't need a WAN IPv6 address. Link local addresses are used for routing. You'd normally use the WAN GUA for things like VPN, etc., but you can use any interface address for that.
Did you have a WAN address before?
Have you done a packet capture to see what's happening on the WAN side? If not, capture DHCPv6 and see what it says. If you don't know how to read a packet capture, post the capture file here.
-
You'd normally use the WAN GUA for things like VPN, etc., but you can use any interface address for that.
The thought did occur to me that I could maybe use a private interface address for accessing the VPN, but I felt like that wasn't great, as traffic is going to an internal interface before it goes to the VPN.
Did you have a WAN address before?
Yes, on the ISP provided router and on the OpenWRT box I had running, they both had GUAs on the WAN interface, in addition to GUAs on the interfaces on the VLANs.
Have you done a packet capture to see what's happening on the WAN side?
I've not done, no, but it sounds like a good idea. I'll have a go at it and reply back with my findings. Thanks!
-
@jknott I tried doing a packet capture from the pfSense web GUI using the link you provided, but every time the capture was empty.
Instead, I ran tcpdump on the pfSense box after a reboot and with the WAN cable disconnected and then reconnected it. I then filtered this in Wireshark with the following:
udp.port == 67 || udp.port == 68 || udp.port == 546 || udp.port == 547
The resulting packets were left: wan-dhcp.pcap.gz
I'm a little out of my depth at this point and the packets captured don't really mean anything to me, other than me being able to see that DHCPv6 packets are being sent and received by the router and the ISP.
-
I've come across something curious. It appears you're not even requesting an address. Here's the Request XID from your capture:
There's the line:
Status Code: NoAddrAvail (2)
I see the same error on the Advertise XID that precedes it. This means there's an error at your ISP. It's similar to the one I had with my ISP "Status Message: No prefix available on Link". In my case it was a failure with the CMTS at my ISP's office. A CMTS is used for cable networks, not PPPoE, so I don't know how it differs from ISP.
Any chance you can do a capture on the OpenWRT box? You may have to use a "data tap" to do that, as I did when I had my problem.
-
Hi @jknott
That's interesting! I'm not sure why the pfSense wouldn't be requesting an address.
I've just done a packet capture on the OpenWRT box and applied the same filter I used on the pfSense box. Here it is: openwrt-wan-dhcp.pcap.gz
In one of the packets from the OpenWRT box, I see the error that you mention above, but it does assign a GUA for the WAN interface, as expected.
Note that to capture the above, I set up a completely fresh installation of OpenWRT 21.02.3 and used the defaults, apart from configuring PPPoE on the WAN interface. I doubt it will be of use, but I thought I'd confirm the WAN configuration from OpenWRT here:
config interface 'WAN'
    option proto 'pppoe'
    option username 'REDACTED'
    option password 'REDACTED'
    option ipv6 'auto'
    option ip6assign '64'
    option peerdns '0'
    list dns '1.1.1.1'
    list dns '1.0.0.1'
    list dns '2606:4700:4700::1111'
    list dns '2606:4700:4700::1001'
    option device 'eth1'
    list ip6class 'WAN_6'
-
I suspect it's because the ISP is saying there is no address, which indicates a problem at their end. That's why I suggested doing a capture with OpenWRT for comparison.
-
@jknott Yeah, I get that. But if there is an issue with the ISP, how is the ISP router and the OpenWRT box able to get an address?
-
Again, a comparison is needed. If you get weird problems, you need proof to support your claims. When I had a problem with my ISP, where I wasn't getting a prefix, the network guys who were supposed to work on this sort of thing refused to do anything, because I was using my own router. This was after I was able to demonstrate to 2nd level support that the problem wasn't in my system. Then a senior tech came to my home and I showed him my capture that identified the failing system at my ISP. He also brought his own modem & computer and had the same problem. He then went to the office I'm connected to and tried with 4 different CMTS and found it only failed with the one I'm connected to. Only at that point were the network guys ready to do something about the problem.
BTW, my next door neighbour had the same problem, but a friend in a different city didn't. Both of them were running the modem in gateway mode.
Incidentally, I had to teach both the 2nd level support and the senior tech about how IPv6 worked. They had the general idea, but not the detail.
-
@jknott I understand that, thanks. Did you see my message above containing the packet capture from OpenWRT, for comparison? :) To me, I think there's a difference between OpenWRT and pfSense's way of handling this, but I'm no expert!
If it is indeed an ISP issue, I really doubt I'll be able to get my ISP to come round to my house and debug things like yours did, especially considering that their own router does what I'm looking for, out of the box with the default configuration. They really aren't cooperative in helping get a 3rd party router.
-
Here's what I found in the 1st Advertise XID:
Status Message: No addresses have been assigned
I don't see any mention of an address in the 2nd Solicit XID.
Are you sure OpenWRT has a GUA?
-
@jknott I see that message, too. Is it possible that OpenWRT and the ISP router are allocating the WAN interface a subnet from the allocated prefix (the /56) from the ISP and then allocating itself an address from that subnet? Rather than getting an address directly in the Solicit/Advertise process? I'm just stabbing in the dark :) I'm just wondering if the message we're seeing is a red herring, in some way.
Yes, OpenWRT definitely got a GUA for the WAN interface, even with the default configuration, even though it got the same error that pfSense is seeing.
-
If it is assigning an address from within your prefix, then that address will start with your /56 prefix.
I don't have any experience with IPv6 on PPPoE or with OpenWRT, so I don't know what else to check.
However, you don't need a WAN GUA. If you want to access pfSense from elsewhere, you can use the LAN interface address.
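-
Added example, not part of the thread and not taken from either capture: a small parser for a DHCPv6 UDP payload that reports the IA_NA status code and any prefix delegated in IA_PD, then applies the "starts with your /56" check from the last post. The sample message, transaction ID and the 2001:db8:1200::/56 prefix are constructed; option codes and status names follow RFC 8415, which spells status 2 "NoAddrsAvail" where Wireshark prints "NoAddrAvail".

```python
import ipaddress
import struct

OPT_IA_NA, OPT_IAADDR, OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 3, 5, 13, 25, 26
MSG = {1: "Solicit", 2: "Advertise", 3: "Request", 7: "Reply"}
STATUS = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail", 6: "NoPrefixAvail"}

def options(buf):
    """Yield (code, data) for each TLV option, rejecting truncated ones."""
    off = 0
    while off < len(buf):
        length = int.from_bytes(buf[off + 2:off + 4], "big")
        if off + 4 + length > len(buf):
            raise ValueError("truncated option at offset %d" % off)
        yield int.from_bytes(buf[off:off + 2], "big"), buf[off + 4:off + 4 + length]
        off += 4 + length

def summarize(payload):
    """Report what one DHCPv6 UDP payload says about IA_NA and IA_PD."""
    if len(payload) < 4:
        raise ValueError("short DHCPv6 message")
    out = {"type": MSG.get(payload[0], payload[0]), "xid": payload[1:4].hex(),
           "addresses": [], "prefixes": [], "status": {}}
    for code, data in options(payload[4:]):
        if code not in (OPT_IA_NA, OPT_IA_PD):
            continue
        kind = "IA_NA" if code == OPT_IA_NA else "IA_PD"
        for sub, body in options(data[12:]):  # skip IAID, T1, T2
            if sub == OPT_IAADDR and len(body) >= 24:
                out["addresses"].append(ipaddress.IPv6Address(body[:16]))
            elif sub == OPT_IAPREFIX and len(body) >= 25:  # lifetimes, length, prefix
                out["prefixes"].append(ipaddress.IPv6Network((body[9:25], body[8]), strict=False))
            elif sub == OPT_STATUS and len(body) >= 2:
                num = struct.unpack_from("!H", body)[0]
                out["status"][kind] = (STATUS.get(num, num), body[2:].decode("utf-8", "replace"))
    return out

def from_delegation(addr, summary):
    """True if addr lies inside a delegated prefix, i.e. it was self-assigned from PD."""
    return any(ipaddress.IPv6Address(addr) in p for p in summary["prefixes"])

def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def sample_advertise():
    """Constructed Advertise: IA_NA refused with status 2, IA_PD delegates a /56."""
    ia = struct.pack("!III", 1, 0, 0)
    na = opt(OPT_IA_NA, ia + opt(OPT_STATUS, b"\x00\x02No addresses have been assigned"))
    pfx = struct.pack("!IIB", 3600, 7200, 56) + ipaddress.IPv6Address("2001:db8:1200::").packed
    return b"\x02\xab\xcd\xef" + na + opt(OPT_IA_PD, ia + opt(OPT_IAPREFIX, pfx))
```

To run it against a real capture, pass the UDP payload bytes of each port 546/547 packet to `summarize()` and compare the results from the two routers side by side.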