FIOS - getting /56 PD via DHCP6 but no V6 is assigned to WAN
-
pfSense+ 22.05 head scratcher.
FIOS finally turned up IPv6 to my CO last night (NYC). I am getting a valid /56 via DHCP6 PD and my LAN IPv6 is set to "Track" and is getting a valid GUA 2600:4041...
LAN clients (Mac, iPhone, Win11) are all getting V6 IPs as well and scoring 10/10 on test-ipv6.com
The only problem is pfSense itself is not assigning a GUA to the WAN interface. It just has a link-local fe80::7afe... assigned. Thus, dpinger shows the V6 gateway as "offline" when in reality it isn't.
I've tried power cycling / cold booting both the ONT and pfSense multiple times. Double checked my DHCP6 DUID (set to DUID-LLT with the correct MAC) and made sure all Hardware Checksum Offloading was disabled (Intel + Alcatel ONT bug).
Anyone got any ideas?
update: I created this helper script as a workaround: luckman212/assign-gua-from-iapd - GitHub
-
That could be normal. A GUA address is not needed on the WAN interface and some ISPs don't provide one. With IPv6, link local addresses are often used for routing and would still be used if you had a WAN GUA.
-
Thanks @JKnott
Hmm, that seems like it would be problematic. But, ok—still, dpinger is started with the -B (bind) flag and fails if there's no GUA assigned, e.g. I like to use 2620:fe::9 as my monitor IP and this is not pingable via link local.
If I drop to the shell and execute
dpinger -f -d 64 -i v6test 2620:fe::9
it does work fine, so is this that much of an edge case that we need another GUI knob to specify "no bind" for the gateway monitor? Ugh. Any other FIOS people here seeing behavior like this?
-
@jknott More testing...
I tried manually assigning a V6 in the first /64 of my delegated prefix, then bouncing dpinger. Working! So I don't know what kind of voodoo config I have going on here but it seems like I need a checkbox on the WAN like "Assign WAN Interface first IP of subnet 0 from Delegated Prefix". Is there any way to signal this using dhcp6c advanced config?
# ifconfig ix3 inet6 2600:4041:xxxx:b700::1 prefixlen 64
# php -r 'include("gwlb.inc"); setup_gateways_monitor();'
-
I have a WAN GUA, so I don't experience those issues.
I don't know why some ISPs don't provide a GUA. A single /64 would cover a LOT of customers.
-
@jknott Found what essentially appears to be the same issue over on opnsense/core/issues/5630. No solution unfortunately. Can't believe I'm the only FIOS + pfSense customer facing this issue?
-
If you're using this for monitoring the LAN connection, you can disable the function. For a simple connection, as most users have, it doesn't do much. You could also ping an IPv4 address. One thing I came across a while ago is you can't use link local for the target either. What I did was run traceroute to Google and then used the first GUA that appeared as my target.
-
@jknott Disable what function? No, you can't put an IPv4 address in the Monitor IP of a V6 gateway (pfSense will reject that, rightfully so)
I'm now more focused on what magical incarnation of dhcp6c.conf will trigger the ia-na to add an IP from one of the /64s to the WAN interface.
-
You can set up monitors for IPv4 and IPv6 separately. You can disable gateway monitoring on the same page as where you set up the monitor address. However, it only actually does something if you have more than one WAN connection and also provides status info on the dashboard. So, you don't really need it.
-
@luckman212 I'm not at your level of understanding. However, I'm also in nyc and had FIOS turn on IPv6 a week ago. Despite not getting a WAN GUA, dpinger automatically began pinging the fe80::de38... gateway and is reporting "Online" with no adjustments from me.
I am NOT disabling "hardware checksum offloading" though. And under Interfaces>WAN>DHCP6 Client Config, I have "request only an IPv6 prefix" checked. In system>routing>gateways I have "Monitor IP" blank for both WAN_DHCP and WAN_DHCP6.
Everything has been perfect so far. I'm also on 22.05. Protectli FW4B.
-
forgot to add to my first reply
-
I am burying my head in the sand on this one for now. Wasted half a day on this and in the end maybe it's just not that important. Hopefully as Verizon finishes their rollout maybe they'll continue improving things.
-
I just noticed something in the help for gateway monitors:
"By default, the gateway monitoring daemon will ping each gateway periodically to monitor latency and packet loss for traffic to the monitored IP address."
I haven't verified this, so perhaps it automagically pings the gateway for the monitor. Perhaps you could remove any address you entered to see what happens. Just run Packet Capture on the WAN port, filtering on the gateway address and ICMP6 to see what turns up. I do know you can't manually enter a link local address, but perhaps when it tries what it knows is the gateway it might work.
-
@pilot45 said in FIOS - getting /56 PD via DHCP6 but no V6 is assigned to WAN:
I have "request only an IPv6 prefix" checked.
Is that setting required for them? If not, try without it. That definitely will prevent pfSense from getting a WAN GUA.
-
@jknott No - that setting is not required. But, I tested it extensively with both modes, it made no difference. VZ ignores the ia-na request completely. It only supplies the delegated prefix.
Dpinger will ping the default gateway if monitor IP is left blank. This has always been the case. The problem there is, very often an ISP outage will not be detected because the first or 2nd hop continue to be "up" even though nothing gets beyond that. So it's generally more useful to specify a public IP farther upstream so outages are detected properly.
What is really needed to fix this is one or both of:
- Verizon deciding to respect dhcp6c's ia-na request in the solicit
- Upstream code change to dhcp6c to allow it to assign an IP from one of the ia-pd (delegated prefix) subnets to the parent interface itself. Currently, putting that in /var/etc/dhcp6c.conf is rejected as invalid—even though manually assigning the IP with ifconfig works fine.
-
@luckman212 said in FIOS - getting /56 PD via DHCP6 but no V6 is assigned to WAN:
Dpinger will ping the default gateway if monitor IP is left blank. This has always been the case.
I checked mine. When the monitor IP is left blank, I can see the pings go out, but the gateway is not responding. I went back to using an address I obtained by doing a traceroute to Google and taking the first GUA it passed through.
-
@jknott this is veering a little off topic. But, who's your ISP? What kind of CPE/ONT is it? Guessing it's just a case of the near-side equip not allowing pings. In my case my next hop is pingable even on its fe80 IP.
-
@luckman212 you are not alone. Most of us other Vz Fios users have asked or searched for at one point if anyone has a script or something or ideas on how to automate the WAN getting a GUA assigned that will draw from the /56 so we don't have ONLY a link local ipv6 address on wan. Verizon's own routers seem to have something hardcoded that makes it so that FF::1 is used for the wan. People thought that it was RFC6603 being used, but when the traffic was analyzed at the packet level verizon did not seem to be responding to the RFC6603 prefix exclusion request.
So if you have 2600:4040:ABCD:12/56 as your PD, the fios router will set 2600:4040:ABCD:12FF::1 as your WAN ipv6 GUA. Basically the fios router just takes the very last of the 256 LAN /64s you have (FF) and dedicates it to the WAN.
If anyone ever comes up with a way to script that, then many many fios pfsense users will be grateful, especially me.
Most of the time people suggest using a virtual IP and just setting that ip to something valid within your /56, but even with the ipv6 setting to not release the prefix, power flickers, and other things beyond control can make the PD still change.
If what you did to get a valid GUA on your wan is a script you can share that will update the WAN gua when PD changes occur, could you share it and maybe give a brief setup tutorial please?
Good luck and enjoy ipv6 without a tunnel.
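
The last-/64 scheme described in the post above, as an added example (not from the thread and not the helper script linked in it): it derives the WAN address from a delegated prefix and renders the ifconfig call in the form used earlier on the page. The function names, the in_use_ids collision check and the 2001:db8 documentation prefix are assumptions made for illustration.

```python
import ipaddress

def wan_gua_from_pd(delegated, subnet_id=0xFF, host=1, in_use_ids=()):
    """Return the address/64 to place on the WAN, carved from an IA_PD prefix.

    delegated  -- delegated prefix, e.g. "2001:db8:abcd:1200::/56"
    subnet_id  -- index of the /64 dedicated to the WAN (0xFF = last /64 of a /56)
    host       -- interface identifier inside that /64 (1 gives ...::1)
    in_use_ids -- /64 indexes already tracked by LAN interfaces (hypothetical input)
    """
    # strict=True rejects a prefix with host bits set, so a mistyped or
    # truncated prefix fails here instead of reaching ifconfig.
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError(f"{pd} is longer than /64; nothing to carve out")
    count = 1 << (64 - pd.prefixlen)          # a /56 holds 256 /64s
    if not 0 <= subnet_id < count:
        raise ValueError(f"subnet id {subnet_id:#x} outside 0..{count - 1:#x}")
    if subnet_id in in_use_ids:
        raise ValueError(f"subnet id {subnet_id:#x} is already used on a LAN")
    if not 0 < host < (1 << 64):
        raise ValueError("host part must be non-zero and fit in 64 bits")
    addr = int(pd.network_address) + (subnet_id << 64) + host
    return ipaddress.IPv6Interface(f"{ipaddress.IPv6Address(addr)}/64")

def ifconfig_command(ifname, iface):
    """Render the same form of ifconfig call shown earlier in the thread."""
    return f"ifconfig {ifname} inet6 {iface.ip} prefixlen {iface.network.prefixlen}"

if __name__ == "__main__":
    # Constructed documentation prefix (RFC 3849), not a real delegation.
    # LAN is assumed to track prefix ID 0, so the WAN takes the last /64.
    gua = wan_gua_from_pd("2001:db8:abcd:1200::/56", in_use_ids={0})
    print(ifconfig_command("ix3", gua))
```

Because the delegated prefix can change, the address has to be recomputed from the new prefix each time rather than stored as a fixed virtual IP.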
-
@sirsilentbob Good idea. I just whipped this together. Please give it a try and let me know if it works for you. Don't forget to check the box to enable dhcp6 to start in debug mode (see README)
-
My ISP is Rogers. They provide a Technicolor CGM4141ROG modem, which I assume is a Rogers specific version.
The first hop, which is likely the modem, doesn't show up in traceroute and every address past it is GUA. So yeah, pings are likely blocked.