How to diagnose IPv6 delegation issues
-
I recently found that my ISP provides me with IPv6, so I am trying to set it up on my home network so I can have a direct connection with SD-WAN solutions from my other house, which already has IPv6 connectivity (without pfSense). Currently I mostly get relayed connections because IPv4 is behind CG-NAT.
- My ISP provides me with /56 IPv6 prefix and a WAN IP address according to information displayed in ISP router.
- If I connect my device directly to ISP router, it gets IPv6 and is able to connect to IPv6 address and receive traffic from IPv6
- ISP router has very limited configuration available, I can only set a DHCP server. There's no mention/logs whether this DHCP6 server will only hand out address or prefixes as well
- There is no option in ISP router to convert it in bridge mode
- I have virtualized pfsense connected to LAN port of ISP router. WAN of pfsense gets valid IPv6 address from DHCP6 server on ISP router.
PFSense configuration
- WAN interface allows full ICMP traffic from all sources and to all destinations for both IPv4 and IPv6.
- "Block Bogon Networks" is disabled
- LAN IPv6 is configured as track interface with WAN as parent and 5 as prefix
- LAN interface allows both IPv4 and IPv6 outbound
- WAN IPv6 is using DHCP
Problem
- LAN is not getting IPv6 assigned to it, and neither are clients connected to the LAN interface of pfSense.
- I am not sure where the issue lies, how to diagnose this, or which tools can help me diagnose it.
- Whether ISP is not providing me prefixes
- Whether ISP router is not delegating prefixes and I need to somehow replace it with a new router/modem on which I can enable bridge mode
- Whether there is issue in pfsense configuration or virtualization is causing some issue here
Things I tried
- I tried assigning static IPv6 to LAN within delegated prefixes from ISP manually but IPv6 connectivity doesn't seem to work in this case
Workaround
If nothing works, would it be possible to have static IPv6 addresses on LAN interfaces and have them route IPv6 traffic to/from the IPv6 address assigned to the WAN of pfSense? If so, can someone direct me to resources/documentation of the feature which I can take a look at to achieve this? I think this is basically using the pfSense WAN as a gif tunnel for its own LAN interfaces, but I am not sure if it is doable or not.
-
@talha5389 said in How to diagnose IPv6 delegation issues:
If I connect my device directly to ISP router, it gets IPv6 and is able to connect to IPv6 address and receive traffic from IPv6
You need to have the modem configured in bridge mode. If it's in gateway mode, pfSense will not receive what it needs to provide IPv6 to your LAN.
-
Your "How to diagnose IPv6 delegation issues" :
When you do this :
@talha5389 said in How to diagnose IPv6 delegation issues:
If I connect my device directly to ISP router, it gets IPv6 and is able to connect to IPv6 address and receive traffic from IPv6
your device (a PC?) uses its DHCPv6 client to get the usual IPv6, gatewayv6 etc.
But your device doesn't ask for one or more delegated /64 networks.
Routers like pfSense do the classic DHCP(v6) thing, like a PC, and also ask for delegated networks, so you can assign, for example by using tracking or using a static assignment of a delegated /64 on one or more pfSense LANs, to get IPv6 on those networks.
Some parts of the DHCPv6 client's process work, because:
you got a WAN IPv6.
But more is needed: the delegation part.
Go to System > Advanced > Networking and start by setting DHCP6 Debug to 'checked'.
Redo your connection.
Go take a look at the DHCP logs.
The "dhcp6c" shows the interesting stuff.
-
I get these in logs. I am not sure how to determine from these if the ISP router is causing the issue or if there is some issue with the pfSense config.
Aug 31 15:28:04 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=5, retrans=31623
Aug 31 15:28:04 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:28:04 dhcp6c 21387 set IA_PD
Aug 31 15:28:04 dhcp6c 21387 set IA_PD prefix
Aug 31 15:28:04 dhcp6c 21387 set option request (len 4)
Aug 31 15:28:04 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:28:04 dhcp6c 21387 set identity association
Aug 31 15:28:04 dhcp6c 21387 set client ID (len 14)
Aug 31 15:28:04 dhcp6c 21387 Sending Solicit
Aug 31 15:27:47 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=4, retrans=16314
Aug 31 15:27:47 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:47 dhcp6c 21387 set IA_PD
Aug 31 15:27:47 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:47 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:47 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:47 dhcp6c 21387 set identity association
Aug 31 15:27:47 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:47 dhcp6c 21387 Sending Solicit
Aug 31 15:27:39 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=3, retrans=8193
Aug 31 15:27:39 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:39 dhcp6c 21387 set IA_PD
Aug 31 15:27:39 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:39 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:39 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:39 dhcp6c 21387 set identity association
Aug 31 15:27:39 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:39 dhcp6c 21387 Sending Solicit
Aug 31 15:27:35 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=2, retrans=4058
Aug 31 15:27:35 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:35 dhcp6c 21387 set IA_PD
Aug 31 15:27:35 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:35 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:35 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:35 dhcp6c 21387 set identity association
Aug 31 15:27:35 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:35 dhcp6c 21387 Sending Solicit
Aug 31 15:27:33 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=1, retrans=2075
Aug 31 15:27:33 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:33 dhcp6c 21387 set IA_PD
Aug 31 15:27:33 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:33 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:33 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:33 dhcp6c 21387 set identity association
Aug 31 15:27:33 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:33 dhcp6c 21387 Sending Solicit
Aug 31 15:27:32 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=0, retrans=1025
Aug 31 15:27:32 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:32 dhcp6c 21387 set IA_PD
Aug 31 15:27:32 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:32 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:32 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:32 dhcp6c 21387 set identity association
Aug 31 15:27:32 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:32 dhcp6c 21387 a new XID (973d08) is generated
Aug 31 15:27:32 dhcp6c 21387 Sending Solicit
Aug 31 15:27:31 dhcp6c 21387 reset a timer on vtnet0, state=INIT, timeo=0, retrans=118
Aug 31 15:27:31 dhcp6c 21387 removing an event on vtnet0, state=SOLICIT
Aug 31 15:27:31 dhcp6c 21387 restarting
Aug 31 15:27:31 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=1, retrans=2083
Aug 31 15:27:31 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:31 dhcp6c 21387 set IA_PD
Aug 31 15:27:31 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:31 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:31 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:31 dhcp6c 21387 set identity association
Aug 31 15:27:31 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:31 dhcp6c 21387 Sending Solicit
Aug 31 15:27:30 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=0, retrans=1091
Aug 31 15:27:30 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:30 dhcp6c 21387 set IA_PD
Aug 31 15:27:30 dhcp6c 21387 set IA_PD prefix
Aug 31 15:27:30 dhcp6c 21387 set option request (len 4)
Aug 31 15:27:30 dhcp6c 21387 set elapsed time (len 2)
Aug 31 15:27:30 dhcp6c 21387 set identity association
Aug 31 15:27:30 dhcp6c 21387 set client ID (len 14)
Aug 31 15:27:30 dhcp6c 21387 a new XID (ffe90e) is generated
Aug 31 15:27:30 dhcp6c 21387 Sending Solicit
Aug 31 15:27:29 dhcp6c 21387 reset a timer on vtnet0, state=INIT, timeo=0, retrans=891
Aug 31 15:27:29 dhcp6c 21249 called
Aug 31 15:27:29 dhcp6c 21249 called
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>end of closure [}] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>end of closure [}] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[8] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[sla-len] (7)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[5] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[sla-id] (6)
Aug 31 15:27:29 dhcp6c 21249 <3>begin of closure [{] (1)
Aug 31 15:27:29 dhcp6c 21249 <5>[vtnet1] (6)
Aug 31 15:27:29 dhcp6c 21249 <3>[prefix-interface] (16)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[infinity] (8)
Aug 31 15:27:29 dhcp6c 21249 <3>[56] (2)
Aug 31 15:27:29 dhcp6c 21249 <3>[/] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[::] (2)
Aug 31 15:27:29 dhcp6c 21249 <3>[prefix] (6)
Aug 31 15:27:29 dhcp6c 21249 <13>begin of closure [{] (1)
Aug 31 15:27:29 dhcp6c 21249 <13>[0] (1)
Aug 31 15:27:29 dhcp6c 21249 <13>[pd] (2)
Aug 31 15:27:29 dhcp6c 21249 <3>[id-assoc] (8)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>end of closure [}] (1)
Aug 31 15:27:29 dhcp6c 21249 <13>begin of closure [{] (1)
Aug 31 15:27:29 dhcp6c 21249 <13>[0] (1)
Aug 31 15:27:29 dhcp6c 21249 <13>[na] (2)
Aug 31 15:27:29 dhcp6c 21249 <3>[id-assoc] (8)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>end of closure [}] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>comment [# we'd like some nameservers please] (35)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Aug 31 15:27:29 dhcp6c 21249 <3>[script] (6)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[domain-name] (11)
Aug 31 15:27:29 dhcp6c 21249 <3>[request] (7)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[domain-name-servers] (19)
Aug 31 15:27:29 dhcp6c 21249 <3>[request] (7)
Aug 31 15:27:29 dhcp6c 21249 <3>comment [# request prefix delegation] (27)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[0] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[ia-pd] (5)
Aug 31 15:27:29 dhcp6c 21249 <3>[send] (4)
Aug 31 15:27:29 dhcp6c 21249 <3>comment [# request stateful address] (26)
Aug 31 15:27:29 dhcp6c 21249 <3>end of sentence [;] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[0] (1)
Aug 31 15:27:29 dhcp6c 21249 <3>[ia-na] (5)
Aug 31 15:27:29 dhcp6c 21249 <3>[send] (4)
Aug 31 15:27:29 dhcp6c 21249 <3>begin of closure [{] (1)
Aug 31 15:27:29 dhcp6c 21249 <5>[vtnet0] (6)
Aug 31 15:27:29 dhcp6c 21249 <3>[interface] (9)
Aug 31 15:27:29 dhcp6c 21249 skip opening control port
Aug 31 15:27:29 dhcp6c 21249 failed initialize control message authentication
Aug 31 15:27:29 dhcp6c 21249 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Aug 31 15:27:29 dhcp6c 21249 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Aug 31 15:27:26 dhcp6c 99693 exiting
Aug 31 15:27:26 dhcp6c 99693 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
Aug 31 15:27:26 dhcp6c 4040 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" cannot be executed safely
Aug 31 15:27:26 dhcp6c 4040 lstat failed: No such file or directory
Aug 31 15:27:26 dhcp6c 99693 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
Aug 31 15:27:26 dhcp6c 99693 removing an event on vtnet0, state=SOLICIT
Aug 31 15:27:26 dhcp6c 99693 exit without release
Aug 31 15:27:02 dhcp6c 99693 reset a timer on vtnet0, state=SOLICIT, timeo=221, retrans=121764
Aug 31 15:27:02 dhcp6c 99693 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:02 dhcp6c 99693 set IA_PD
Aug 31 15:27:02 dhcp6c 99693 set IA_PD prefix
Aug 31 15:27:02 dhcp6c 99693 set option request (len 4)
Aug 31 15:27:02 dhcp6c 99693 set elapsed time (len 2)
Aug 31 15:27:02 dhcp6c 99693 set identity association
Aug 31 15:27:02 dhcp6c 99693 set client ID (len 14)
Aug 31 15:27:02 dhcp6c 99693 Sending Solicit
Aug 31 15:25:05 dhcp6c 99693 reset a timer on vtnet0, state=SOLICIT, timeo=220, retrans=116268
Aug 31 15:25:05 dhcp6c 99693 send solicit to ff02::1:2%vtnet0
Aug 31 15:25:05 dhcp6c 99693 set IA_PD
Aug 31 15:25:05 dhcp6c 99693 set IA_PD prefix
Aug 31 15:25:05 dhcp6c 99693 set option request (len 4)
Aug 31 15:25:05 dhcp6c 99693 set elapsed time (len 2)
Aug 31 15:25:05 dhcp6c 99693 set identity association
Aug 31 15:25:05 dhcp6c 99693 set client ID (len 14)
Aug 31 15:25:05 dhcp6c 99693 Sending Solicit
Aug 31 15:22:55 dhcp6c 99693 reset a timer on vtnet0, state=SOLICIT, timeo=219, retrans=130776
Aug 31 15:22:55 dhcp6c 99693 send solicit to ff02::1:2%vtnet0
-
Hummm.
I would like to see something that looks like this (read from bottom to top):
You can see that a prefix was received.
An IPv6 address is mapped onto igc0, my LAN interface. The rest is used by my DHCPv6 LAN server for LAN devices, for those who ask for an IPv6.
Take note: pfSense just got one prefix, as my ISP router says it has a /56 for 'me', but it can only hand over one to every connected router (== pfSense). Europe's biggest ISP isn't IPv6 perfect yet ...
edit : your logs lines (image) : I see the dhcp6c sending info, and nothing comes back ... ?
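The check described above (Solicits with IA_PD going out, nothing coming back) can be automated over the dhcp6c debug log. This is an added example, not part of the original posts; the `receive ...` wording for inbound messages and the process 30001 lines are assumptions, the other sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

ENTRY = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+dhcp6c\s+(\d+)\s+(.*)$")
TIMER = re.compile(r"reset a timer on (\S+), state=(\w+), timeo=(\d+)")

# Process 21387: lines from the thread. Process 30001: constructed contrast case.
SAMPLE = """\
Aug 31 15:27:35 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=2, retrans=4058
Aug 31 15:27:35 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:35 dhcp6c 21387 set IA_PD
Aug 31 15:27:33 dhcp6c 21387 reset a timer on vtnet0, state=SOLICIT, timeo=1, retrans=2075
Aug 31 15:27:33 dhcp6c 21387 send solicit to ff02::1:2%vtnet0
Aug 31 15:27:33 dhcp6c 21387 set IA_PD
Sep 01 10:00:01 dhcp6c 30001 receive advertise from fe80::1%vtnet0 on vtnet0
Sep 01 10:00:00 dhcp6c 30001 send solicit to ff02::1:2%vtnet0
Sep 01 10:00:00 dhcp6c 30001 set IA_PD
"""

def analyze(log_text):
    """Summarise dhcp6c debug output per process ID (line order does not matter)."""
    procs = defaultdict(lambda: {"iface": None, "solicits": 0, "asked_pd": False,
                                 "max_timeo": 0, "received": []})
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        proc, msg = procs[m.group(1)], m.group(2)
        timer = TIMER.match(msg)
        if msg.startswith("send solicit"):
            proc["solicits"] += 1
        elif msg == "set IA_PD":
            proc["asked_pd"] = True          # the Solicit carried a PD request
        elif timer and timer.group(2) == "SOLICIT":
            proc["iface"] = timer.group(1)   # timeo counts retransmissions so far
            proc["max_timeo"] = max(proc["max_timeo"], int(timer.group(3)))
        elif msg.startswith("receive "):     # ASSUMED wording for inbound messages
            proc["received"].append(msg)
    return dict(procs)

def verdict(proc):
    if proc["received"]:
        return "server answered"
    if proc["solicits"] and proc["asked_pd"]:
        return "IA_PD solicited, no reply"
    return "no solicit seen"

if __name__ == "__main__":
    for pid, proc in analyze(SAMPLE).items():
        print(pid, proc["iface"], proc["max_timeo"], verdict(proc))
```

A high `timeo` with the verdict "IA_PD solicited, no reply" means the client configuration is being sent correctly and the upstream DHCPv6 server is not responding to it.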
-
@Gertjan Yes. Unfortunately I don't see any reply come back from the ISP router; that's why I am thinking that the ISP router doesn't allow delegating prefixes. I checked the logs again for a reply.
In addition to that, I have found out that the ISP router is blocking inbound IPv6 traffic (which is not bad in itself), but there is no way to stop it and have pfSense act as a DMZ for IPv6 inbound traffic.
-
@Gertjan said in How to diagnose IPv6 delegation issues:
You can see that a prefix was received.
An IPv6 address is mapped onto igc0, my LAN interface. The rest is used by my DHCPv6 LAN server for LAN devices, for those who ask for an IPv6.
Take note: pfSense just got one prefix, as my ISP router says it has a /56 for 'me', but it can only hand over one to every connected router (== pfSense). Europe's biggest ISP isn't IPv6 perfect yet ...
edit : your logs lines (image) : I see the dhcp6c sending info, and nothing comes back ... ?
I mentioned above that your modem must be in bridged, not gateway mode for this to work. Is it?
-
@JKnott said in How to diagnose IPv6 delegation issues:
I mentioned above that your modem must be in bridged, not gateway mode for this to work. Is it?
Why ?
Putting the ISP router in 'bridge' mode isn't possible anymore in France.
I've been using PPPoE in the past, somewhere before 2010 ... but that type of connection has been abandoned here.
The only way out is: as I have a 4100 with 2 SFP fiber Combo WAN ports, I could
- find the right SFP module.
- Construct my own DHCP client v4 config.
- Same thing for DHCP client v6
- Do things I never understood: for the TV decoder to work, VLANs have to be created ...
- Add another box and do more network 'strange' stuff to make the phone work (it's used for our fax ... as a fax is still used in our business ... that will fade out soon)
Step 1 to 5 have been documented on forums in France. It's close to rocket science to me.
And the day the ISP changes something, my connection will fall ...
Not forbidden by the ISP (Orange), but totally unsupported and undocumented, of course.
My ISP router is a router. A triple play device, also supporting two phone lines, video (TV stuff using an ISP video decoder, whatever), and it does Wifi.
It's capable of handing over a /56:
The MAC 90:ec:77:29:39:2x is the MAC of the WAN interface of pfSense.
That is: this router, a "Livebox 6 Pro" in France, can't hand over more than one (1) /64 for one attached router, pfSense in my case. I've mapped (using tracking) this /64 to one of my pfSense LAN interfaces. It's considered to be a bug.
Furthermore, like @talha5389: impossible to put in place a firewall rule that "passes" traffic using this /64 to pfSense. It's a known bug, still waiting for the update.
-
@Gertjan said in How to diagnose IPv6 delegation issues:
Putting the ISP router in 'bridge' mode isn't possible anymore in France.
Do those routers provide DHCPv6-PD to the customer? That's what pfSense requires to provide IPv6 to the LAN.
I'm on Rogers, in Canada, and if I had a fibre connection, I could completely eliminate all their equipment, other than the optical terminal, and install my own router. As I'm on cable, I have to put their modem in bridge mode.
Maybe you can do a capture of what's happening on the pfSense WAN port and post it here.
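Once a capture of the WAN port is available, the question is whether any Advertise or Reply carries an IA_PD option with a prefix. The sketch below is an added example, not part of the thread: it decodes the DHCPv6 UDP payload using the RFC 8415 option layout, and both sample payloads are constructed with the documentation prefix 2001:db8::/32.

```python
import ipaddress
import struct

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY"}
OPT_STATUS_CODE, OPT_IA_PD, OPT_IAPREFIX = 13, 25, 26  # RFC 8415 option codes
NO_PREFIX_AVAIL = 6                                     # RFC 8415 status code

def options(buf):
    """Yield (code, data) for each option TLV; raise on a truncated option."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        yield code, data
        off += 4 + length

def delegation_summary(payload):
    """Return (message type, delegated prefixes, status codes found inside IA_PD)."""
    if len(payload) < 4:
        raise ValueError("too short for a DHCPv6 header")
    prefixes, statuses = [], []
    for code, data in options(payload[4:]):      # skip msg-type + 3-byte XID
        if code != OPT_IA_PD or len(data) < 12:
            continue
        for sub, body in options(data[12:]):     # skip IAID, T1, T2
            if sub == OPT_IAPREFIX and len(body) >= 25:
                addr = ipaddress.IPv6Address(body[9:25])
                prefixes.append("%s/%d" % (addr, body[8]))
            elif sub == OPT_STATUS_CODE and len(body) >= 2:
                statuses.append(struct.unpack_from("!H", body)[0])
    return MSG_TYPES.get(payload[0], str(payload[0])), prefixes, statuses

def _opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

# Constructed sample payloads, not taken from the thread.
_XID = b"\x00\x00\x01"
ADVERTISE_WITH_PD = b"\x02" + _XID + _opt(OPT_IA_PD, struct.pack("!III", 0, 3600, 5400) + _opt(
    OPT_IAPREFIX, struct.pack("!IIB", 7200, 86400, 56)
    + ipaddress.IPv6Address("2001:db8:1200::").packed))
ADVERTISE_NO_PD = b"\x02" + _XID + _opt(OPT_IA_PD, struct.pack("!III", 0, 0, 0) + _opt(
    OPT_STATUS_CODE, struct.pack("!H", NO_PREFIX_AVAIL) + b"no prefix"))

if __name__ == "__main__":
    for name in ("ADVERTISE_WITH_PD", "ADVERTISE_NO_PD"):
        print(name, delegation_summary(globals()[name]))
```

An Advertise whose IA_PD holds status 6 (NoPrefixAvail) and no prefix means the upstream server saw the request and declined it; no Advertise at all matches the symptom in the logs above.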