Verizon Fios and IPV6, Which Settings Work?

jeremy.duncan · Jun 30, 2022, 2:25 PM

@ingenium13 dang.. cloning MACs... That makes things super hard in DHCPv6 because of the relationship between it and DUIDs and IAIDs.. glad you got it working

SirSilentBob · Jul 3, 2022, 2:07 AM

***Edit: About 30-some hours later IPv6 came back, on it's own. Guessing some local oddity or something....

Anyone having any oddities with IPv6 today? My wife mentioned today that "the internet started running like crap" around 11am-ish. I'm assuming around that time is when the IPv6 issue happened, and devices ran bad until they realized that IPv6 was dead and fell back to IPv4. I've had IPv6 for weeks now w/o issues, and no recent config changes so it's unexpected.

Nothing really jumps out at me in the log. I connected to my neighbor's Verizon-provided router, and they don't seem to have IPv6 connectivity either, when they also have previously had it like me. Looks like pfsense is keeping the prefix, and the WAN link-local address is showing as online as well, so that part of the connection is working...

Maybe locally (Newport News, VA) there's some sort of work, or IPv6 outage for some reason.

Verbose log below if anyone sees anything interesting!

Jun 30 20:24:28	dhcp6c	73904	got an expected reply, sleeping.
Jun 30 20:24:28	dhcp6c	73904	removing server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00)
Jun 30 20:24:28	dhcp6c	73904	removing an event on igb0, state=REQUEST
Jun 30 20:24:28	dhcp6c	73904	script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
Jun 30 20:24:28	dhcp6c	84659	dhcp6c REQUEST on igb0 - running rtsold
Jun 30 20:24:26	dhcp6c	73904	executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
Jun 30 20:24:26	dhcp6c	73904	add an address 2600:4040:13e5:1a35:21b:21ff:fe73:d35d/64 on igb3
Jun 30 20:24:26	dhcp6c	73904	add an address 2600:4040:13e5:1a20:21b:21ff:fe73:d35c/64 on igb2
Jun 30 20:24:26	dhcp6c	73904	add an address 2600:4040:13e5:1a10:21b:21ff:fe73:d359/64 on igb1
Jun 30 20:24:26	dhcp6c	73904	create a prefix 2600:4040:13e5:1a00::/56 pltime=7200, vltime=7200
Jun 30 20:24:26	dhcp6c	73904	make an IA: PD-0
Jun 30 20:24:26	dhcp6c	73904	dhcp6c Received REQUEST
Jun 30 20:24:26	dhcp6c	73904	IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200
Jun 30 20:24:26	dhcp6c	73904	get DHCP option IA_PD prefix, len 25
Jun 30 20:24:26	dhcp6c	73904	IA_PD: ID=0, T1=3600, T2=5760
Jun 30 20:24:26	dhcp6c	73904	get DHCP option IA_PD, len 41
Jun 30 20:24:26	dhcp6c	73904	DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00
Jun 30 20:24:26	dhcp6c	73904	get DHCP option server ID, len 26
Jun 30 20:24:26	dhcp6c	73904	DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX
Jun 30 20:24:26	dhcp6c	73904	get DHCP option client ID, len 14
Jun 30 20:24:26	dhcp6c	73904	receive reply from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0
Jun 30 20:24:26	dhcp6c	73904	reset a timer on igb0, state=REQUEST, timeo=0, retrans=955
Jun 30 20:24:26	dhcp6c	73904	send request to ff02::1:2%igb0
Jun 30 20:24:26	dhcp6c	73904	set IA_PD
Jun 30 20:24:26	dhcp6c	73904	set IA_PD prefix
Jun 30 20:24:26	dhcp6c	73904	set option request (len 4)
Jun 30 20:24:26	dhcp6c	73904	set elapsed time (len 2)
Jun 30 20:24:26	dhcp6c	73904	set server ID (len 26)
Jun 30 20:24:26	dhcp6c	73904	set client ID (len 14)
Jun 30 20:24:26	dhcp6c	73904	a new XID (803dba) is generated
Jun 30 20:24:26	dhcp6c	73904	Sending Request
Jun 30 20:24:26	dhcp6c	73904	picked a server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00)
Jun 30 20:24:25	dhcp6c	73904	reset timer for igb0 to 0.995807
Jun 30 20:24:25	dhcp6c	73904	server ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00, pref=-1
Jun 30 20:24:25	dhcp6c	73904	IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200
Jun 30 20:24:25	dhcp6c	73904	get DHCP option IA_PD prefix, len 25
Jun 30 20:24:25	dhcp6c	73904	IA_PD: ID=0, T1=3600, T2=5760
Jun 30 20:24:25	dhcp6c	73904	get DHCP option IA_PD, len 41
Jun 30 20:24:25	dhcp6c	73904	DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00
Jun 30 20:24:25	dhcp6c	73904	get DHCP option server ID, len 26
Jun 30 20:24:25	dhcp6c	73904	DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX
Jun 30 20:24:25	dhcp6c	73904	get DHCP option client ID, len 14
Jun 30 20:24:25	dhcp6c	73904	receive advertise from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0
Jun 30 20:24:25	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=4, retrans=16326
Jun 30 20:24:25	dhcp6c	73904	send solicit to ff02::1:2%igb0
Jun 30 20:24:25	dhcp6c	73904	set IA_PD
Jun 30 20:24:25	dhcp6c	73904	set IA_PD prefix
Jun 30 20:24:25	dhcp6c	73904	set option request (len 4)
Jun 30 20:24:25	dhcp6c	73904	set elapsed time (len 2)
Jun 30 20:24:25	dhcp6c	73904	set client ID (len 14)
Jun 30 20:24:25	dhcp6c	73904	Sending Solicit
Jun 30 20:24:17	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=3, retrans=8065
Jun 30 20:24:17	dhcp6c	73904	send solicit to ff02::1:2%igb0
Jun 30 20:24:17	dhcp6c	73904	set IA_PD
Jun 30 20:24:17	dhcp6c	73904	set IA_PD prefix
Jun 30 20:24:17	dhcp6c	73904	set option request (len 4)
Jun 30 20:24:17	dhcp6c	73904	set elapsed time (len 2)
Jun 30 20:24:17	dhcp6c	73904	set client ID (len 14)
Jun 30 20:24:17	dhcp6c	73904	Sending Solicit
Jun 30 20:24:13	dhcpleases	23855	Could not deliver signal HUP to process 69147: No such process.
Jun 30 20:24:13	dhcpleases	23855	Sending HUP signal to dns daemon(69147)
Jun 30 20:24:13	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=2, retrans=3982
Jun 30 20:24:13	dhcp6c	73904	send solicit to ff02::1:2%igb0
Jun 30 20:24:13	dhcp6c	73904	set IA_PD
Jun 30 20:24:13	dhcp6c	73904	set IA_PD prefix
Jun 30 20:24:13	dhcp6c	73904	set option request (len 4)
Jun 30 20:24:13	dhcp6c	73904	set elapsed time (len 2)
Jun 30 20:24:13	dhcp6c	73904	set client ID (len 14)
Jun 30 20:24:13	dhcp6c	73904	Sending Solicit
Jun 30 20:24:11	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=1, retrans=2083
Jun 30 20:24:11	dhcp6c	73904	send solicit to ff02::1:2%igb0
Jun 30 20:24:11	dhcp6c	73904	set IA_PD
Jun 30 20:24:11	dhcp6c	73904	set IA_PD prefix
Jun 30 20:24:11	dhcp6c	73904	set option request (len 4)
Jun 30 20:24:11	dhcp6c	73904	set elapsed time (len 2)
Jun 30 20:24:11	dhcp6c	73904	set client ID (len 14)
Jun 30 20:24:11	dhcp6c	73904	Sending Solicit
Jun 30 20:24:10	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091
Jun 30 20:24:10	dhcp6c	73904	send solicit to ff02::1:2%igb0
Jun 30 20:24:10	dhcp6c	73904	set IA_PD
Jun 30 20:24:10	dhcp6c	73904	set IA_PD prefix
Jun 30 20:24:10	dhcp6c	73904	set option request (len 4)
Jun 30 20:24:10	dhcp6c	73904	set elapsed time (len 2)
Jun 30 20:24:10	dhcp6c	73904	set client ID (len 14)
Jun 30 20:24:10	dhcp6c	73904	a new XID (b8cbfb) is generated
Jun 30 20:24:10	dhcp6c	73904	Sending Solicit
Jun 30 20:24:09	dhcp6c	73904	reset a timer on igb0, state=INIT, timeo=0, retrans=891
Jun 30 20:24:09	dhcp6c	73792	called
Jun 30 20:24:09	dhcp6c	73792	called
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[8] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[sla-len] (7)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[53] (2)
Jun 30 20:24:09	dhcp6c	73792	<3>[sla-id] (6)
Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
Jun 30 20:24:09	dhcp6c	73792	<5>[igb3] (4)
Jun 30 20:24:09	dhcp6c	73792	<3>[prefix-interface] (16)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[8] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[sla-len] (7)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[32] (2)
Jun 30 20:24:09	dhcp6c	73792	<3>[sla-id] (6)
Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
Jun 30 20:24:09	dhcp6c	73792	<5>[igb2] (4)
Jun 30 20:24:09	dhcp6c	73792	<3>[prefix-interface] (16)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[8] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[sla-len] (7)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[16] (2)
Jun 30 20:24:09	dhcp6c	73792	<3>[sla-id] (6)
Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
Jun 30 20:24:09	dhcp6c	73792	<5>[igb1] (4)
Jun 30 20:24:09	dhcp6c	73792	<3>[prefix-interface] (16)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[infinity] (8)
Jun 30 20:24:09	dhcp6c	73792	<3>[56] (2)
Jun 30 20:24:09	dhcp6c	73792	<3>[/] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[::] (2)
Jun 30 20:24:09	dhcp6c	73792	<3>[prefix] (6)
Jun 30 20:24:09	dhcp6c	73792	<13>begin of closure [{] (1)
Jun 30 20:24:09	dhcp6c	73792	<13>[0] (1)
Jun 30 20:24:09	dhcp6c	73792	<13>[pd] (2)
Jun 30 20:24:09	dhcp6c	73792	<3>[id-assoc] (8)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>comment [# we'd like nameservers and RTSOLD to do all the work] (53)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>["/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"] (46)
Jun 30 20:24:09	dhcp6c	73792	<3>[script] (6)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[domain-name] (11)
Jun 30 20:24:09	dhcp6c	73792	<3>[request] (7)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[domain-name-servers] (19)
Jun 30 20:24:09	dhcp6c	73792	<3>[request] (7)
Jun 30 20:24:09	dhcp6c	73792	<3>comment [# request prefix delegation] (27)
Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[0] (1)
Jun 30 20:24:09	dhcp6c	73792	<3>[ia-pd] (5)
Jun 30 20:24:09	dhcp6c	73792	<3>[send] (4)
Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
Jun 30 20:24:09	dhcp6c	73792	<5>[igb0] (4)
Jun 30 20:24:09	dhcp6c	73792	<3>[interface] (9)
Jun 30 20:24:09	dhcp6c	73792	skip opening control port
Jun 30 20:24:09	dhcp6c	73792	failed initialize control message authentication
Jun 30 20:24:09	dhcp6c	73792	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jun 30 20:24:09	dhcp6c	73792	extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX

tman222 · Jul 15, 2022, 2:02 AM

After a short (~45min) outage last night, IPV6 became available on my Verizon FiOS circuit as well. I can confirm that the setup instructions in post 2 above from @MikeV7896 work great. The only thing that took me a second to figure out is that the WAN interface needs to be cycled (up/down) for IPV6 to start working after it has been enabled if it wasn't enabled before. After rebooting the firewall, I saw an IPV6 prefix delegated as expected to the LAN interface which I had setup to track the WAN interface.

Once all this is working, one can further configure IPV6 on pfSense for downstream clients by going to Services > DHCPv6 Server & RA:

https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html

arion · Jul 18, 2022, 8:39 PM

Is there a default alias or anything that can be used to reference the delegated IPv6 prefix in firewall rules? I use an invert-match rule pointing to an alias for my security networks (DMZ, IOT, etc.) so that they can get to any Internet destination but can't get to my local networks by default. This was fine with my HE tunnel because I had a statically assigned /48 that was routable across the tunnel from which I assigned /64 networks. With DHCP-PD, I can't see any easy way to explicitly block IPv6 traffic between the networks within the delegated prefix.. Any ideas?

MikeV7896 · Jul 27, 2022, 2:53 AM

@arion

There aren't any aliases (as in something in Firewall > Aliases), but you could create block rules with a destination of "LAN Network" (or whatever network you want to prevent access to) and if the prefix changes in the future, the rule would automatically update with the new prefix for your LAN network (or whatever network you've selected in the rule).

arion · Jul 27, 2022, 2:53 AM

@mikev7896 Thanks for the note. Yeah, what you describe is how I approached blocking "internal" networks before someone tipped me off to how to effectively use the inverse-rules (allow everything except certain networks covered by an alias). I can go back to an implicit allow at the bottom of my rules and then explicit blocks rules above for my internal networks, but I was hoping there was a way to do this without reverting to this approach. I'm spoiled by the inverse rule now and going back to the other mode seems like a step backwards. Oh well. I think I'll stick with the inverse-rule, and hard code the prefix I've been assigned and cross my fingers for a while. Thanks for the input though!

MaxK 0 · Jul 27, 2022, 8:43 PM

I just saw that my Verizon Fios WAN_DHCP6 Gateway came online for the first time after a reboot of my 3100 (version 22.01).

login-to-view

I followed the settings in post 2 above (and rebooted). From pfSense ping, I can IPv6 ping to an external address (google) and I can ping to the pfSense LAN interface IPv6 address (I would hope so). But I can’t IPv6 ping from pfSense to clients on the LAN that have an IPv6 address. And I can’t “ping -6” from Win10 client to pfSense or externally (request timed out).

Also, when I try to run ipv6-test.com I get “IPv6 connectivity Not Supported” and “DNS4 + IP6 Unreachable”, “DNS6 + IP4 Reachable”, and “DNS6 + IP6 Unreachable.”

The routing logs have a warning on startup but nothing else:

radvd 51430 warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster

I did read through this post and Netgate docs multiple times but I don’t know where else to look or other troubleshooting steps I should do.

tman222 · Jul 27, 2022, 9:03 PM

@maxk-0

Couple questions for you:

What settings do you have enabled for your LAN Interface under Services > DHCPv6 Server & RA? Are your LAN clients getting valid IPv6 addresses (not just link local addresses)?
Are your firewall rules allowing outbound IPv6 traffic from LAN?

Hope this helps.

MaxK 0 · Jul 27, 2022, 9:13 PM

Thank you very much @tman222. I did not have a firewall rule to allow IPv6.

betapc · Aug 3, 2022, 1:11 PM

Good Morning everybody;

I tried everything, I did all @MikeV7896 setting and I have all the IPV6 address, but I don't have network traffic, I can ping all my internal network IPV6 address and also the one assigned by FIOS but I can ping anything else outside of my network. IPV6 test show my IPV6 address but no connection to any IPV6 servers.

I tried using the default DNS servers and also tried Google's DNS server still not working.

Below are my settings, thanks for the help.

login-to-view
login-to-view
login-to-view
login-to-view
login-to-view
login-to-view
login-to-view login-to-view
login-to-view
login-to-view login-to-view login-to-view
login-to-view

jeremy.duncan · Aug 3, 2022, 1:21 PM

@betapc I am skeptical about the "LAN net" alias when it comes to tracked DHCPv6-PD. For shits and giggles add a rule on your LAN side allowing all IPv6 any any...

betapc · Aug 3, 2022, 2:14 PM

@jeremy-duncan Thanks for the replied. Change, still no working.

IPV6 test result change:

login-to-view login-to-view

The setting for DHCP6 and Advertisement are correct?

login-to-view
login-to-view

Thanks

jeremy.duncan · Aug 3, 2022, 2:26 PM

@betapc no you have to set the router mode to managed on the RA section if you are using DHCPv6.

betapc · Aug 3, 2022, 2:58 PM

@jeremy-duncan I made the changes still no working, I got all the IPV6 address, DNS server running but no connection outside of my network.

I don't know what else to do. I already did a clean installation of pFSense, still nothing.

bassopt · Aug 3, 2022, 6:23 PM

I actually found out a bit more about what was going on.

Since I have pfsense virtualized with a didcated nic card on pfsense i decided to restore a backup I had from a few days ago. I found out that i had PFBlockerNG installed but for some reason it was not active. ( i must have been messing with some testing and disabled it)
Meaning that for some reason when you have it installed but it's disabled it basically completelly opens holes like this on your firewall (not sure what happens on the IPV4 side though) . This is a major bug ! As soon as i activated pfblockerng I couldnt ping or ssh my VMs anymore same if uninstalled it. As soon i tried to disable it but still have it installed. Boom...everything open.
I only have PFBlocker on WAN interface for inbound and my main Lan and dedicated Homelab Lan for outbout, and everything is configured automatically as floating rules.... basically blocking inbound except for a few IP blocking settings on both inboud and outbound.
I'll report this to pfsense as soon as i have time.

betapc · Aug 4, 2022, 2:08 PM

@jeremy-duncan my set up is pFSense connected directly to ONT. Still not working. I was talking to FIOS customer support and they sent me a new router, I connected to the ONT, same issue, router provided all IPV6 address and getaways but no connection. The ONT is like 9 year old, I don't think that is the problem. I think the problem is more the implementation.

It's frustrating because some services were down and I didn't know why, and then I found because they were trying to connect using IPV6.

Even pFSense wasn't updating or retrieving any packages because of the IPV6. I checked on pFSense only use IPV4 and fixed my network issues.

Any suggestions how to make FIOS to fix this issues?

Thanks.

betapc · Aug 5, 2022, 8:44 PM

I have IPV6 working 100 % on FIOS network on all my interfaces using pFSense, finally after couple days.

Thanks everybody for the input, with this post I was able to enable IPV6. Thanks to @ jeremy.duncan and @MikeV7896.

These are my setting for future reference. I am using pFSense Plus.

login-to-view
login-to-view
login-to-view
login-to-view login-to-view
login-to-view
login-to-view
login-to-view
login-to-view
login-to-view
login-to-view

jeremy.duncan · Aug 5, 2022, 8:47 PM

@betapc what ended up being your fix?

MikeV7896 · Aug 5, 2022, 8:56 PM

@betapc There had been some IPv6 routing issues in NJ that are believed to have been resolved earlier today... so might've been affected by that?

betapc · Aug 5, 2022, 8:59 PM

@jeremy-duncan I did what you told me to change Router mode: Managed, and also I unchecked Provide DNS servers to DHCPv6 clients on all the interfaces, then unplugged all the cables from pFSense, FIOS ONT turn off and unplugged from the electricity, turned on without any cables, turned off again, plugged all the cables and turned on again.

Truth to be told I don't really know what made the trick.

Thanks