IPV6 Prefix ID issue after upgrading to 23.05.1

Appletower · Sep 3, 2023, 5:04 PM

After upgrading to release 23.05.1 my IPv6 connectivity is gone. Noticed it after several days, due to no IPv6 traffic hitting my firewall rules. Installed all patches, but still no PD assignments on all my interfaces.

My setup:

WAN: IPv6 config is DHCP6, only request an IPv6 prefix, PD size 56
LAN: IPv6 track interface, track WAN, prefix ID 1

Does anybody else have this issue? If so, how can I solve it.

Thanks for your support!

Gertjan · Sep 4, 2023, 5:48 AM

@Appletower

Depends ....
IPv4 has become pretty stable,as it took over 50 years to straiten things out.
IPv6 is different : ISP that support the latest IPv6 RFC, that's a rare thing. They all have their own way of implementing things.

You want details : ask for details : Set the dhcp6c client to log more debug info.
System > Advanced > Networking and set check "DHCP6 Debug".

More info will be shown here : Status > System Logs > DHCP
Look for the lines with dhcp6c.

Appletower · Sep 4, 2023, 6:13 AM

Hi @Gertjan, just extended the DHCP logging and see a lot of these messages in the log file:

Sep 4 08:08:42 dhcp6c 58885 reset a timer on igc0.100, state=SOLICIT, timeo=12, retrans=119088
Sep 4 08:08:42 dhcp6c 58885 send solicit to ff02::1:2%igc0.100
Sep 4 08:08:42 dhcp6c 58885 set IA_PD
Sep 4 08:08:42 dhcp6c 58885 set option request (len 4)
Sep 4 08:08:42 dhcp6c 58885 set elapsed time (len 2)
Sep 4 08:08:42 dhcp6c 58885 set client ID (len 14)
Sep 4 08:08:42 dhcp6c 58885 Sending Solicit

IGC0.100 is my VLAN 100 of the WAN interface for my local provider (DELTA here in the Netherlands). Further I don't see any error message.

Any idea what is happening here?

Gertjan · Sep 4, 2023, 6:24 AM

@Appletower

A dhcp6c fragment - read from bottom to top :

2023-09-04 08:14:27.980789+02:00 	dhcp6c 	56194 	receive reply from fe80::46d4:54ff:fe2a:3600%ix3 on ix3
2023-09-04 08:14:27.965505+02:00 	dhcp6c 	56194 	send renew to ff02::1:2%ix3
2023-09-04 08:14:27.965198+02:00 	dhcp6c 	56194 	set IA_PD
2023-09-04 08:14:27.965181+02:00 	dhcp6c 	56194 	set IA_PD prefix
2023-09-04 08:14:27.965159+02:00 	dhcp6c 	56194 	set option request (len 4)
2023-09-04 08:14:27.965140+02:00 	dhcp6c 	56194 	set elapsed time (len 2)
2023-09-04 08:14:27.965123+02:00 	dhcp6c 	56194 	set server ID (len 10)
2023-09-04 08:14:27.965104+02:00 	dhcp6c 	56194 	set client ID (len 14)
2023-09-04 08:14:27.965080+02:00 	dhcp6c 	56194 	a new XID (5a9c45) is generated
2023-09-04 08:14:27.965054+02:00 	dhcp6c 	56194 	Sending Renew
2023-09-04 08:14:27.965023+02:00 	dhcp6c 	56194 	reset a timer on ix3, state=RENEW, timeo=0, retrans=9079
2023-09-04 08:14:27.964945+02:00 	dhcp6c 	56194 	IA timeout for PD-0, state=ACTIVE

Note the difference : I have more :
set IA_PD prefix
set server ID (len 10)

You dhcp6c is in the "Sending Solicit" mode : it never received a answer from a DHCP6 server.

@Appletower said in IPV6 Prefix ID issue after upgrading to 23.05.1:

IGC0.100 is my VLAN 100 of the WAN

That is per ISP instructions ? You have to use a 100 VLAN on WAN ?

Appletower · Sep 4, 2023, 6:32 AM

@Gertjan VLAN 100 is indeed the VLAN used by my ISP to get internet. Strange is that it all works. But after the upgrade from 23.05 to the newest minor release, IPv6 stopped. Currently running the latest DEV release, but also here no IPv6 connectivity. Will check with another pfSense box with 23.01 installed on it, if IPv6 will work again. Other suggestions?

Gertjan · Sep 5, 2023, 5:29 AM

@Appletower

Packet capture on the WAN interface, VLAN 100 - limit to TCPv6 [edit <= oula - that should be IPv6]
That should show the DHCP6 negotiation.
Outgoing traffic should match what the log lines tell you.

Something has to come back ....

JKnott · Sep 4, 2023, 1:35 PM

@Gertjan said in IPV6 Prefix ID issue after upgrading to 23.05.1:

That should show the DHCP6 negotiation.

Actually, it won't. DHCP on both IPv4 and IPv6 uses UDP. Here's how to do it.

Gertjan · Sep 5, 2023, 5:35 AM

@JKnott said in IPV6 Prefix ID issue after upgrading to 23.05.1:

IPv6 uses UDP

Yep, fail on my side.
Should be - at least - IPv6.
Wasn't sure about DHCPv6 was also UDP only.

I actually used your Here's how to do it to see my failing ISP router : dhcp6-clienst (pfSense) asks for 3 /64 prefixes, ISP router only offers one (1).

Appletower · Sep 5, 2023, 7:21 AM

Hi @Gertjan,

After doing a packet capture on WAN for VLAN 100 (internet) with the parameters to only include UDP on port 546 and 547, I get the following output after doing a restart without WAN connected and inserting the WAN cable after the reboot:

09:16:19.806263 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52
09:16:20.841596 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52
09:16:22.819232 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52
09:16:26.784183 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52
09:16:34.332269 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52
09:16:48.863322 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52
09:17:17.665156 IP6 fe80::227c:14ff:fef0:fb73.546 > ff02::1:2.547: UDP, length 52

Strange is, that when I use a different pfsense box with pfsense v2.7 with the same settings, I get a IPv6 on all my assigned NICs. So it must be something in the newest release of pfsense Plus. It worked before on this box.

Gertjan · Sep 5, 2023, 7:42 AM

@Appletower

I presume that fe80::227c:14ff:fef0:fb73 is the pfSense WAN.
NO answer what so ever.

Just a wild guess : take your pfSense 2.7.0, note the MAC of its WAN.
Copy it over to the WAN of the pfSense plus.

AFAIK : pfSense Plus and pfSense 2.7.0 use the same code here. For example : dhc6c settings etc are equal.

JKnott · Sep 5, 2023, 12:38 PM

@Gertjan said in IPV6 Prefix ID issue after upgrading to 23.05.1:

see my failing ISP router : dhcp6-clienst (pfSense) asks for 3 /64 prefixes, ISP router only offers one (1).

Does your ISP offer more than 1 /64? Some ISPs are d*mn cheap! Is your modem in bridge mode? You need it to get IPv6 to the LAN.

JKnott · Sep 5, 2023, 12:40 PM

@Gertjan said in IPV6 Prefix ID issue after upgrading to 23.05.1:

Just a wild guess : take your pfSense 2.7.0, note the MAC of its WAN.
Copy it over to the WAN of the pfSense plus.

Or try rebooting the modem. Some require that with a different MAC.

Does IPv4 work properly? If so, that would rule out the MAC issue.

JKnott · Sep 5, 2023, 1:52 PM

@Gertjan said in IPV6 Prefix ID issue after upgrading to 23.05.1:

dhcp6-clienst (pfSense) asks for 3 /64 prefixes

How the heck do you manage that? You specify a prefix length, not the number of prefixes you want.

Gertjan · Sep 5, 2023, 1:52 PM

@JKnott said in IPV6 Prefix ID issue after upgrading to 23.05.1:

How the heck do you manage that? You specify a prefix length, not the number of prefixes you want.

"Home made" dhcp6c config file.

See here.
( Google translate mandatory ^^ )

I'm waiting for the new firmware to be released.

JKnott · Sep 5, 2023, 2:35 PM

@Gertjan said in IPV6 Prefix ID issue after upgrading to 23.05.1:

How the heck do you manage that? You specify a prefix length, not the number of prefixes you want.

"Home made" dhcp6c config file.

You specify the prefix length, which means only powers of 2. Last I checked, 3 wasn't a power of 2.

RobbieTT · Sep 5, 2023, 2:47 PM

@Appletower
There have been a few slight oddities with v23.05.1 with IPv6 in certain configurations. Often a reboot is all it takes but there are a few config tweaks on IPv6 that can help, if needed.

v23.09 dev seems (so far) slightly better with IPv6, which is reassuring.

As you didn't mention them, don't forget about the 2 pages under this tab, especially RAs and Router mode:

login-to-view

️

Appletower · Sep 5, 2023, 3:08 PM

@RobbieTT Thanks for your feedback on de dev release. What worked for me (until release 23.05.1) was the following config:

WAN VLAN 100 for getting a connection with my ISP
System - Advanced - Networking: Allow IPV6 checked, Do not allow PD/Address release checked
Interface - WAN: IPv6 Configuration type selected DHCP6, DHCP6 Prefix size 56, Request only an IPv6 prefix checked
Interface - Opt2 with VLAN 10: IPv6 configuration type is track interface, IPv6 interface WAN selected and IPv6 prefix ID is 1

Here it already is getting odd, because on the dashboard under interface, I now see under WAN 2 IP addresses (my IPv4 and my local IPv6), but under Opt2 I only see my IPv4 and nothing regarding IPv6.

Then under Services - DHCPv6 Server & RA:

DHCP:

DHCPv6 enabled for this interface
using range ::AA - ::FFF
prefix deligation size 64
Provide DNS servers to DHCPv6 clients selected

RA:

Router mode: managed
Provide DNS configuration via radvd & Use same settings as DHCPv6 server are both selected

This worked, but suddenly ... no IPv6 addresses anymore with the latest release.

RobbieTT · Sep 5, 2023, 3:26 PM

@Appletower

Yep, I had similar ripples but more intermittent. Switching to 'Assisted' mode helped enormously (and cured a small issue with Apple HomePods & HomeKit that, in itself, was triggered by an Apple update).

These settings worked for me (of course, use /56 rather than my /48):

login-to-view

Switching to Assisted mode (as recommended by a Netgate dev) was the 'magic' key for me.

️

Appletower · Sep 5, 2023, 3:44 PM

@RobbieTT Updated my pfsense install to the latest DEV release, switched from Managed to Assisted...still no IPv6 on my interfaces :-(

JKnott · Sep 5, 2023, 5:52 PM

@Appletower said in IPV6 Prefix ID issue after upgrading to 23.05.1:

switched from Managed to Assisted...still no IPv6 on my interfaces

Those have to do with DHCPv6 on the local LAN and have nothing to do with whether you get IPv6. I use unmanaged here.