No IPv6 traffic (Init7)

JKnott · Jul 24, 2022, 1:18 PM

Does your ISP provide /48? Are you behind NAT? What type of IPv6 address are you getting on the LAN side? You want Global Unique Addresses, which start with 2 or 3. Every IPv6 capable device will have a link local address, which starts with fe80.

Why are you running DHCPv6? Unless you have a specific need for it, you should be using SLAAC and unmanaged. BTW, thanks to some genius at Google, Android devices don't support DHCPv6.

You might want to mention your ISP, in case there are some specific issues there.

noviceiii · Jul 24, 2022, 3:13 PM

Hi @jknott

Thank you for your reply.

The provider is Init7, Switzerland.
No NAT. I have a connection to the WAN side (FTTH): the fiber cable is directly connected to a unifi switch. PFsense WAN side is connected to the switch (same physical cabeling for the working ipv4).

The network /48 was provided by init7. They offer IPv6 ranges for their customers (and yes, the IPs start with a 2).

The link local adresses do start with fe80 indeed.

I have chosen DHCPv6 since it seemed to be the accurate for the setup (it doesn‘t work with SLAAC neither). And set to managed as I‘d like to have some static devices.

However, I gonna change SLAAC and to unmanaged later.

I think I make something wrong with the routing settings (default gateway/ WAN uplink) or the firewall filter.

noviceiii · Jul 25, 2022, 9:57 PM

Hello all

I did follow @JKnott suggestions with SLAAC & unmanaged without no grace.

My settings are currently as follows.

WAN

IPv6 Configuration Type: DHCP6
Request only an IPv6 prefix: TRUE
DHCPv6 Prefix Delegation size: 48

The provider mentions a subnet 48 for delegation.

LAN

IPv6 Configuration Type: Static IPv6
IPv6 address: 2a02:XXX:XXXX:xxxx::0001
where as the digits in capital X represent digits provided by my provider.

DHCPv6 Server & RA

DHCPv6 Server - Range start: 2a02:XXX:XXXX:xxxx::1000
DHCPv6 Server - Range end: 2a02:XXX:XXXX:xxxx::2000
DHCPv6 Server - Prefix Delegation Size: 64

Router Advertisements

Router Mode: umanaged ..

This gives me a working IPv6 network on the land side, including DNS resolution on WAN and LAN side.

However, I don't get any traffic on the WAN side. And I can see all IPv6 traffic blocked by a "Default deny rule IPv6 (1000000105)" (yes, I have an allow all rule for testing purposes).

Any further ideas would be very welcome...

Greetings
n3

Interfaces
login-to-view

WAN DNS query from a client:

nslookup -query=AAAA google.com        
Server:		2a02:XXX:XXXX:x::1
Address:	2a02:169:15f5:3::1#53

DNS Lookup from PFsense GUI:
login-to-view

JKnott · Jul 26, 2022, 8:27 PM

@noviceiii

What is your WAN gateway address? When you try to access something on the Internet, does it go through pfSense?

noviceiii · Jul 26, 2022, 8:28 PM

@jknott

Thank you for your question.

I have changed the WAN side to static IPv6

IPv6: 2a02:XXX:XXXX:0000:0000:0000:0000:0002 /64
Gateway: 2a02:XXX:XXXX:0000:0000:0000:0000:0001 (default GW not checked)
(yes, currently easier to write all digits)

Kind regards
N3

syhm · Jul 28, 2022, 4:40 PM

@noviceiii

You should disable the "Request only an IPv6 prefix" option. The documentation states "When set, the DHCPv6 client does not request an address for the interface itself, it only requests a delegated prefix." You got what you asked for :) Just uncheck the option and it should work.

Init7 will provide you with either /128 or /64 (preferably) on WAN side. The /48 is delegated and is already working as you stated.

noviceiii · Jul 28, 2022, 8:14 PM

@seyfidin

Danke für Deine Antwort.

Unfortunately, it doesn't help neither to uncheck *only request a delegated prefix".
I have now bruteforced every combination of settings. I give up. I think probably the first time ever in IT I ran out of ideas. Well played, IPv6, you win.

Any further ideas - or screenshots of a similar setup - certainly remain very welcome.

So long,
niii

:-(

JKnott · Jul 28, 2022, 8:33 PM

@noviceiii

Sometimes the best thing to do is start from scratch. Very often it's possible to mess something up, without realizing it.

One thing you could do is capture the entire DHCPv6 sequence and post the capture file here.

syhm · Jul 28, 2022, 9:02 PM

@noviceiii

Gerne, kriegen wir schon hin :) This is a similar setup, except for /48 in your case everything should be the same.

login-to-view

Please post the dhcp6c log. Maybe we can find something there.

login-to-view

noviceiii · Aug 1, 2022, 8:41 AM

@seyfidin
Dankeschön soweit! Leider hatte ich bis anhin kein Glück.

I have installed a vanilla pfsense on my proxmox and have a distinct IPv4 and IPv6 pfsense running in parallel (rather convenient actually).

The "new" IPv6-Pfsense behaves the same as my original installation. I have again, a link local on the WAN side and a static/DHCP (and working) LAN side. IPv6 traffic does not go through and is blocked with IPv6 default block rule. Hurray, I can replicate non-working things with high probability. :-)

Please find below the DHCP log (you might ignore messages about the rouge DHCP server, thats from the parallel setup and former DHCPv6 server).

TIME	Process	PID	Message
01.07.31 22:54	dhcpd	26047	send_packet6: No route to host
01.07.31 22:54	dhcpd	26047	dhcpv6: send_packet6() sent -1 of 84 bytes
01.07.31 22:54	dhcpd	26047	Solicit message from fe80::aaaa:bbbb:cccc:ae41 port 546, transaction ID 0x252D3200
01.07.31 22:54	dhcpd	26047	Picking pool address 2a02:XXXX:XXXX:3::2000
01.07.31 22:54	dhcpd	26047	Advertise NA: address 2a02:XXXX:XXXX:3::2000 to client with duid 00:01:00:01:2a:6a:b2:7d:3c:06:30:31:a2:8b iaid = 0 valid for 7200 seconds
01.07.31 22:54	dhcpd	26047	Sending Advertise to fe80::aaaa:bbbb:cccc:ae41 port 546
01.07.31 22:54	dhcpd	26047	send_packet6: No route to host
01.07.31 22:54	dhcpd	26047	dhcpv6: send_packet6() sent -1 of 84 bytes
01.07.31 22:55	dhcpd	26047	Solicit message from fe80::8f4:xxxxx:9278 port 546, transaction ID 0x6EA16000
01.07.31 22:55	dhcpd	26047	Picking pool address 2a02:XXXX:XXXX:3::2000
01.07.31 22:55	dhcpd	26047	Advertise NA: address 2a02:XXXX:XXXX:3::2000 to client with duid 00:02:00:00:ab:11:f7:a9:50:ab:cf:12:80:15 iaid = -900527782 valid for 7200 seconds
01.07.31 22:55	dhcpd	26047	Sending Advertise to fe80::xxxxx:9278 port 546
01.07.31 22:55	dhcpd	26047	send_packet6: No route to host
01.07.31 22:55	dhcpd	26047	dhcpv6: send_packet6() sent -1 of 84 bytes
01.07.31 22:55	dhcpd	26047	Solicit message from XXXXX port 546, transaction ID 0x51988400
01.07.31 22:55	dhcpd	26047	Discarding Renew from fe80::aaa2:bbb2:ccc2:3cac; not our server identifier (CLIENTID 00:04:0c:55:e2:3b:db:f7:b8:6b:eb:6b:40:18:1e:0d:47:62, SERVERID 00:01:00:01:2a:77:00:16:06:14:dc:19:57:d9, server DUID 00:01:00:01:2a:79:a7:5e:9e:f5:c6:fb:d1:7b)
01.07.31 22:55	dhcpd	26047	Solicit message from XXXXX port 546, transaction ID 0x51988400
01.07.31 22:55	dhcpd	26047	Picking pool address 2a02:XXXX:XXXX:3::2000
01.07.31 22:55	dhcpd	26047	Advertise NA: address 2a02:XXXX:XXXX:3::2000 to client with duid 00:03:00:01:00:11:32:0d:81:f7 iaid = 839746039 valid for 7200 seconds
01.07.31 22:55	dhcpd	26047	Sending Advertise to fe80::xxxxxxxxxx port 546
01.07.31 22:55	dhcpd	26047	send_packet6: No route to host
01.07.31 22:55	dhcpd	26047	dhcpv6: send_packet6() sent -1 of 80 bytes
01.07.31 22:55	dhcpd	26047	Solicit message from XXXXX port 546, transaction ID 0x51988400
01.07.31 22:55	dhcpd	26047	Picking pool address 2a02:XXXX:XXXX:3::2000
01.07.31 22:55	dhcpd	26047	Advertise NA: address 2a02:XXXX:XXXX:3::2000 to client with duid 00:02:00:00:ab:11:e6:87:ce:95:e3:b5:db:58 iaid = -900527782 valid for 7200 seconds
01.07.31 22:55	dhcpd	26047	Sending Advertise to fe80::xxxxxx port 546

I gain the impression, my issue is related to proxmox or the unifi switches...

So long,
n3

syhm · Aug 1, 2022, 8:41 AM

@noviceiii

Unfortunately the log doesn't show the dhcp6c process. Just set the filter like in the picture in my previous post. Thats the process we need to look into.

noviceiii · Aug 2, 2022, 7:29 PM

@syhm said in No IPv6 traffic (Init7):

dhcp6c

Thank you. Thats the full log more or less. There are no more entries. And no entries related with process dhcp6c.

Is it the intention to see the dhcp settings releated to the WAN side?

login-to-view

JKnott · Aug 2, 2022, 7:34 PM

@syhm said in No IPv6 traffic (Init7):

Unfortunately the log doesn't show the dhcp6c process.

Try this.

noviceiii · Aug 2, 2022, 8:38 PM

@jknott

Uugh. I need a moment to prepare that setup... I did a packet capture session for now.

(fe80::aaaa:bbbb:cccc:4b11 is the link local address of the WAN port)

22:34:10.389487 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) :: > ff02::1:fff3:4b11: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::aaaa:bbbb:cccc:4b11
	  unknown option (14), length 8 (1): 
	    0x0000:  24e4 2075 0d32
22:34:12.505358 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::aaaa:bbbb:cccc:4b11 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): ae:2e:85:f3:4b:11
	    0x0000:  ae2e 85f3 4b11
22:34:16.510649 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::aaaa:bbbb:cccc:4b11 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): ae:2e:85:f3:4b:11
	    0x0000:  ae2e 85f3 4b11
22:34:20.535123 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::aaaa:bbbb:cccc:4b11 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
	  source link-address option (1), length 8 (1): ae:2e:85:f3:4b:11
	    0x0000:  ae2e 85f3 4b11

JKnott · Aug 2, 2022, 8:46 PM

@noviceiii

Please upload the capture file. It contains a lot more info that what you show. When you open it in Wireshark, you can see a lot of detail.

Here's an example of one I did a few years ago.
DHCPv6 Solicit and Renew.pcapng

noviceiii · Aug 2, 2022, 9:23 PM

@jknott said in No IPv6 traffic (Init7):

show full capture file

A long time ago that I used wireshark, my old friend.... Please see the capture file attached this post (not much of use in it I guess).

dhcp-ipv6-capture.cap

JKnott · Aug 9, 2022, 9:32 PM

@noviceiii

I thought you had a problem with dhcpv6. There is none of that in the capture. You have to filter on port 546 or 547 to capture dhcpv6.

noviceiii · Aug 9, 2022, 9:36 PM

@jknott
I unfortunately haven't got the slightest idea what to investigate. Mybe its DHCP, maybe its something else... So far, I went through anything, tryed any combination on the WAN interface settings, googled (people with the same setup/ provider habe a working environment with the settings stated in the initial post) - I even checked the cables and switches.

I just don't get any traffic on IPv6 on the WAN-side. LAN-side works well and I can reach the LAN side of pfsense by its (LAN-)IPv6 address.

What I see, is that any traffic is blocked by a default rule

Default deny rule IPv6

and a pending gateway
login-to-view

@syhm was asking for dhcp6c log entries, which I have found eventualy under "general".
Its as below and only just this repeating.

Aug 9 22:46:15	php	420	rc.bootup: Unbound start waiting on dhcp6c.
Aug 9 22:46:16	php	420	rc.bootup: Unbound start waiting on dhcp6c.
Aug 9 22:46:17	php	420	rc.bootup: Unbound start waiting on dhcp6c.
Aug 9 22:46:18	php	420	rc.bootup: Unbound start waiting on dhcp6c.

However, the interfaces seem to be.. well... there
login-to-view

So long....
n3

JKnott · Aug 9, 2022, 11:10 PM

@noviceiii

Start by providing the dhcpv6 capture file as I have now requested a couple of times. Here again are the instructions.

noviceiii · Aug 10, 2022, 10:12 PM

@jknott
Roger that.
There isn't actually any thing more than what was captured in the attached file above. There is just nothing related to IPv6 coming on that WAN port.

I'll connect a laptop directly to the switch but need to organize an ethernet dongle first and reconfigure the switch (the only non-company-locked laptop I have at hand has a USB C port only).

I'll report back. Takes a moment.