IPv6 Monitoring stuck on pending

Gertjan

@gregeeh said in IPv6 Monitoring stuck on pending:

but I have changed nothing in pfsense for months

That proves the issue is not on your side.

If the IPv6 connection doesn't come up, it's normal that pinging to 2001:4860:4860::8844 doesn't work. It will keep on saying 'Pending'.
How can ping work over a non existing connection anyway ^^

To check the 'construction' of the connection, and if you use the dhcp client, switch the client do debug mode first.

Rebuild the connection.
Admire the results here : Status > System Logs > DHCP - look for the lines where "Process" says "dhcp6c ".
Compare working with non working sequence.

Now you have the info to
a) yell at your ISP
or
b) slap admin into the face.

gregeeh

@Gertjan said in IPv6 Monitoring stuck on pending:

That proves the issue is not on your side.

You would think so, but IPv6 is working great on the clients.

I have even restored a backup of pfSense from 1 month ago when it was working, just to be sure, and I'm getting the same results.

stephenw10

What does the interface status look like?

Pending like that usually implies he interface hasn't come up. Or cannot arp for the gateway in IPv4.

Is it trying to use the link-local address? What do the states show?

gregeeh

@stephenw10 said in IPv6 Monitoring stuck on pending:

What does the interface status look like?

johnpoz

@gregeeh well not sure how pfsense would talk to that IPv6 you have as monitoring from only a link local address.. While sure it can route traffic for you lan side device. Itself would not be able to talk to some gua IPv6 from that fe80 address.

Vs pointing to that google dns IP for monitor, just let it use its gateway which is just a link-local address. Since your wan doesn't seem to be getting a GUA address

You don't happen to have this checked do you?

gregeeh

@johnpoz said in IPv6 Monitoring stuck on pending:

@gregeeh well not sure how pfsense would talk to that IPv6 you have as monitoring from only a link local address.. While sure it can route traffic for you lan side device. Itself would not be able to talk to some gua IPv6 from that fe80 address.

Vs pointing to that google dns IP for monitor, just let it use its gateway which is just a link-local address. Since your wan doesn't seem to be getting a GUA address

I hear what you are saying but it has been working this way for months and has suddenly stopped. Do you think something might has changed on my ISP side?

stephenw10

Hmm, normally pfSense itself will use a routable address as source but for gateway monitoring it always uses the interface address in order to be forced via the correct WAN.

I see exactly the same behaviour here with a WAN that delivers prefix only.

Did you always have link-local only there?

johnpoz

@gregeeh they might of stop giving the wan interface a gua address.. But I don't see how that would ever work, there is no way you can ping that gua from that link-local address..

@stephenw10 saying it would use a routeable address, yeah I would think so ;) but if it doesn't have one - what would it use, an IP from the lan side out of the prefix delegated?

What if you remove the google dns IP out of your monitoring.. Wont it just use the link-local gateway as its monitor, which you would hope would answer ping.

gregeeh

Thanks everyone you are correct, I obviously did not always have a link-local address. Here is the Monitoring Graph showing when it stopped working:

Here is my ISP connection information:

Off to my ISP now, and once again thank you all for your assistance.

stephenw10

@johnpoz said in IPv6 Monitoring stuck on pending:

what would it use, an IP from the lan side out of the prefix delegated?

Yes, that's exactly what it does.

And, yes, if you remove the remote address it pings the gateway link-local address just fine.

johnpoz

@gregeeh said in IPv6 Monitoring stuck on pending:

I obviously did not always have a link-local address

Just to correct your wording here a bit, you would always have a link-local, always.. But you might not always have a gua address.

Its possible your gua went away for some reason? Did you check that setting I posted about not asking for one?

But seems like what @stephenw10 is saying, is if the wan doesn't get a gua, that it should use an IP out of the lan side prefix as the source when dpinger wants to talk to the monitor IP if that is a gua..

gregeeh

@johnpoz said in IPv6 Monitoring stuck on pending:

You don't happen to have this checked do you?

chpalmer

Try adding a :1 to the end of your monitor IP.. I have to do that for a couple of my customers including my setup here..

2001:4860:4860::8844:1

johnpoz

@chpalmer said in IPv6 Monitoring stuck on pending:

2001:4860:4860::8844:1

that is not the correct address for google dns, nor would it answer ping.. Nor would it matter if he has no gua to talk to it with.

gregeeh

@johnpoz said in IPv6 Monitoring stuck on pending:

But seems like what @stephenw10 is saying, is if the wan doesn't get a gua, that it should use an IP out of the lan side prefix as the source when dpinger wants to talk to the monitor IP if that is a gua..

Only being a mere learner when it comes to networking issues, is there a way of of testing this?

chpalmer

@johnpoz said in IPv6 Monitoring stuck on pending:

that is not the correct address for google dns, nor would it answer ping.. Nor would it matter if he has no gua to talk to it with.

Yeah.. quick draw here.. I assumed it was the gateway address.

stephenw10

@johnpoz said in IPv6 Monitoring stuck on pending:

But seems like what @stephenw10 is saying, is if the wan doesn't get a gua, that it should use an IP out of the lan side prefix as the source when dpinger wants to talk to the monitor IP if that is a gua..

Ah, no that's not what I'm saying.

pfSense will use a GUA address from some other interface for most traffic, pkg checks etc.

It specifically will not use it for dpinger though. dpinger always uses the interface address so that it get's forced via the correct gateway by route-to. So it fails to anything beyond the segment with link-local only on the WAN.

johnpoz

@stephenw10 thanks for the clarification.. But just curious why would it grab an IP from say lan to check for updates when it could just use the wans IPv4 address?

Maybe this needs a bit of a note in the docs? Or maybe a warning vs just "pending" about no gua to use to check the gua monitoring IP? Prob a note where you set the other monitoring IPs about needing a gua to check gua based monitor IP?

johnpoz

@gregeeh said in IPv6 Monitoring stuck on pending:

is there a way of of testing this?

Testing what? that you can't talk to gua from a link-local fe80 address? Or that you adding that :1 on the end isn't a live IP that doesn't answer ping or dns? ;)

link-local is for the local network only, they do not route.. So no there is no way to talk to a gua from a link-local out to the internet.. If the gui is on the same network then yeah ok might be able to do it.. But from a sane networking point of view it shouldn't

stephenw10

@johnpoz said in IPv6 Monitoring stuck on pending:

why would it grab an IP from say lan to check for updates when it could just use the wans IPv4 address?

It could. It will prefer IPv6 though if it has a IPv6 route it can use. If you set 'prefer IPv4' it will use that.