Received delegated /64 prefix, ipv6 outgoing but no incoming?
-
Context:
- Comcast Xfinity cable 2Gbps service w/Hitron modem
- Upgraded pfSense hardware (Beelink EQ12, Intel NICs) and restored backup
- dhcp6 received delegated /64 prefix
- IPv4 working OK
Problem: No outgoing ipv6 traffic
Here's the WAN section from config.xml, which looks identical to the one in the backup taken before upgrade.
<wan>
  <enable></enable>
  <if>igc0</if>
  <blockbogons></blockbogons>
  <descr><![CDATA[WAN]]></descr>
  <alias-address></alias-address>
  <alias-subnet>32</alias-subnet>
  <spoofmac></spoofmac>
  <blockpriv></blockpriv>
  <ipaddr>dhcp</ipaddr>
  <dhcphostname></dhcphostname>
  <dhcprejectfrom></dhcprejectfrom>
  <adv_dhcp_pt_timeout></adv_dhcp_pt_timeout>
  <adv_dhcp_pt_retry></adv_dhcp_pt_retry>
  <adv_dhcp_pt_select_timeout></adv_dhcp_pt_select_timeout>
  <adv_dhcp_pt_reboot></adv_dhcp_pt_reboot>
  <adv_dhcp_pt_backoff_cutoff></adv_dhcp_pt_backoff_cutoff>
  <adv_dhcp_pt_initial_interval></adv_dhcp_pt_initial_interval>
  <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
  <adv_dhcp_send_options></adv_dhcp_send_options>
  <adv_dhcp_request_options></adv_dhcp_request_options>
  <adv_dhcp_required_options></adv_dhcp_required_options>
  <adv_dhcp_option_modifiers></adv_dhcp_option_modifiers>
  <adv_dhcp_config_advanced></adv_dhcp_config_advanced>
  <adv_dhcp_config_file_override></adv_dhcp_config_file_override>
  <adv_dhcp_config_file_override_path></adv_dhcp_config_file_override_path>
  <ipaddrv6>dhcp6</ipaddrv6>
  <dhcp6-duid></dhcp6-duid>
  <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
  <dhcp6withoutra></dhcp6withoutra>
  <adv_dhcp6_prefix_selected_interface>wan</adv_dhcp6_prefix_selected_interface>
</wan>
ifconfig igc0
igc0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
        description: WAN
        options=4e020bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_MAGIC,RXCSUM_IPV6,TXCSUM_IPV6,HWSTATS,MEXTPG>
        ether e8:ff:1e:d2:b0:35
        inet [obfus.cated].118.74 netmask 0xfffff800 broadcast 255.255.255.255
        inet 192.168.100.2 netmask 0xfffffc00 broadcast 192.168.103.255
        inet6 fe80::eaff:1eff:fed2:b035%igc0 prefixlen 64 scopeid 0x1
        inet6 [delegated prefix]:88d8:92d5:ca61:f002 prefixlen 128 pltime 246450 vltime 246450
        media: Ethernet autoselect (2500Base-T <full-duplex>)
        status: active
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Packet capture. The firewall thinks it's transmitting ipv6 but there are never any responses.
/root: tcpdump -i igc0 ip6
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on igc0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
19:12:28.947759 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:29.198034 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15540, length 9
19:12:29.719035 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15541, length 9
19:12:30.249029 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15542, length 9
19:12:30.775082 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15543, length 9
19:12:31.232106 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:31.302426 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15544, length 9
19:12:31.834625 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15545, length 9
19:12:32.366878 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15546, length 9
19:12:32.592374 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:32.890022 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15547, length 9
19:12:33.420034 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15548, length 9
19:12:33.950015 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15549, length 9
19:12:34.457795 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15550, length 9
19:12:34.923786 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:34.990021 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15551, length 9
19:12:35.522284 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15552, length 9
19:12:35.608886 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:36.052048 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15553, length 9
19:12:36.568275 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15554, length 9
19:12:37.100552 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15555, length 9
19:12:37.628050 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15556, length 9
19:12:38.158053 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15557, length 9
19:12:38.484408 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:38.690290 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15558, length 9
19:12:39.208039 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15559, length 9
19:12:39.352559 IP6 fe80::21c:73ff:fe00:99 > ff02::1: ICMP6, router advertisement, length 128
19:12:39.733039 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15560, length 9
19:12:40.236560 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15561, length 9
19:12:40.768049 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15562, length 9
19:12:41.294778 IP6 2001:558:6025:a:88d8:92d5:ca61:f002 > 2001:558:100d:7d::3: ICMP6, echo request, id 57023, seq 15563, length 9
^C
31 packets captured
437 packets received by filter
0 packets dropped by kernel
I'm not sure how to debug further. Is it possible Comcast isn't forwarding IPv6 even though they gave me a prefix?
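An added helper, not from this thread, that turns the "requests go out, nothing comes back" observation above into a repeatable check: it parses tcpdump's one-line ICMP6 text output, pairs echo requests with echo replies by id/seq, and reports per (src, dst) flow how many requests were never answered. The sample lines are constructed with documentation prefixes, not the thread's real addresses.

```python
import re
from collections import defaultdict
# tcpdump's one-line ICMP6 text format as in the thread's capture, e.g.
# 19:12:29.198034 IP6 <src> > <dst>: ICMP6, echo request, id 57023, seq 15540, length 9
LINE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ IP6 (?P<src>\S+) > (?P<dst>\S+): ICMP6, "
    r"(?P<kind>router advertisement|echo request|echo reply)"
    r"(?:, id (?P<id>\d+), seq (?P<seq>\d+))?"
)

def parse_icmp6(lines):
    """Yield (src, dst, kind, id, seq) for each matching line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["kind"], m["id"], m["seq"]

def summarize(lines):
    """Pair echo requests with replies by (id, seq) and report what never came back."""
    requests = {}      # (id, seq) -> (src, dst)
    replies = set()    # (id, seq) seen in echo replies
    ra_count = 0
    for src, dst, kind, ident, seq in parse_icmp6(lines):
        if kind == "router advertisement":
            ra_count += 1
        elif kind == "echo request":
            requests[(ident, seq)] = (src, dst)
        elif kind == "echo reply":
            replies.add((ident, seq))
    unanswered = defaultdict(int)   # (src, dst) -> requests with no matching reply
    for key, flow in requests.items():
        if key not in replies:
            unanswered[flow] += 1
    return {
        "router_advertisements": ra_count,
        "echo_requests": len(requests),
        "echo_replies": len(replies),
        "unanswered": dict(unanswered),
    }

# Constructed sample: RAs from the upstream link-local, two unanswered pings to one host, one answered ping to another.
SAMPLE = """\
19:12:28.947759 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 128
19:12:29.198034 IP6 2001:db8:1::2 > 2001:db8:ffff::3: ICMP6, echo request, id 57023, seq 15540, length 9
19:12:29.719035 IP6 2001:db8:1::2 > 2001:db8:ffff::3: ICMP6, echo request, id 57023, seq 15541, length 9
19:12:31.232106 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 128
19:12:32.000000 IP6 2001:db8:1::2 > 2001:db8:ffff::4: ICMP6, echo request, id 57023, seq 1, length 9
19:12:32.020000 IP6 2001:db8:ffff::4 > 2001:db8:1::2: ICMP6, echo reply, id 57023, seq 1, length 9
""".splitlines()
```

Feed it the saved text of `tcpdump -i igc0 ip6` (or `tcpdump -r file.pcap ip6`) via `summarize(open(path).read().splitlines())`; a non-empty "unanswered" entry for every destination, while router advertisements keep arriving, is the signature seen in this thread.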
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
I'm not sure how to debug further. Is it possible Comcast isn't forwarding IPv6 even though they gave me a prefix?
Post the actual capture file. It contains far more info than you have here. You could also do a capture during the DHCPv6 sequence.
-
@JKnott I don't seem to be able to upload a pcap file so I've put two files on Google Drive, one containing the DHCP transaction (which looks normal to me) and a capture of a few minutes of all ipv6 traffic including some attempts to connect over ipv6 to a server I manage.
DHCP transaction: https://drive.google.com/file/d/1GQ30zGm8KETgrPA2ANfkV_D7RQbTsgVH/view?usp=sharing
ipv6 traffic: https://drive.google.com/file/d/1GNVXr_ws71npFKlqSLNTKIZXuvzN9HNh/view?usp=sharing
In the all-ipv6 capture I see only router advertisements from the Comcast DHCP server. There are no replies to any outgoing traffic originated either by the firewall or hosts on the LAN.
-
I don't know why you can't upload the file, as I've done that several times. Maybe recent site changes have something to do with it.
However, I just looked at the DHCPv6 capture and it shows what you mentioned about a /64 prefix. If that's all you have, pfSense will have IPv6 but nothing on your LAN will. Change DHCPv6 Prefix Delegation size to whatever the maximum Comcast provides. I have mine set to /56, which provides 256 /64s.
-
@JKnott said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
However, I just looked at the DHCPv6 capture and it shows what you mentioned about a /64 prefix. If that's all you have, pfSense will have IPv6 but nothing on your LAN will. Change DHCPv6 Prefix Delegation size to whatever the maximum Comcast provides. I have mine set to /56, which provides 256 /64s.
Hmmm.... that's inconsistent with my experience, based on two points:
- The config hasn't changed from what was working, with /64, on the old system, and it worked perfectly for over a year
- "...pfSense will have IPv6..." implies that I should be able to ping over ipv6 from the pfSense console, but I can't.
/root: ping -4 google.com
PING google.com (74.125.197.100): 56 data bytes
64 bytes from 74.125.197.100: icmp_seq=0 ttl=106 time=20.513 ms
64 bytes from 74.125.197.100: icmp_seq=1 ttl=106 time=19.469 ms
64 bytes from 74.125.197.100: icmp_seq=2 ttl=106 time=18.815 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.815/19.599/20.513/0.699 ms
/root: ping google.com
PING6(56=40+8+8 bytes) 2001:558:6025:a:88d8:92d5:ca61:f002 --> 2607:f8b0:400e:c03::8b
^C
--- google.com ping6 statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss
-
@JKnott OK, this is going to sound crazy.
As a wild-ass shot in the dark, I decided to spoof the WAN MAC back to the old system's value. The sequence was
- Set the MAC address back to the old value in the web GUI
- Shutdown/halt pfSense
- Power-cycle the modem, wait for it to fully connect
- Power-on pfSense
I now have my old IPv4 public address, but curiously the delegated ipv6 prefix (still /64, hasn't changed) is now working. My LAN hosts and pfSense can send traffic over ipv6.
I have no explanation other than Comcast didn't like my native WAN MAC for some reason. I wish I had more time to find the root cause, but unfortunately other responsibilities take priority now.
-
As I mentioned, you need a bigger prefix. I don't know what Comcast supports, but many ISPs use /56. With a 64 prefix size, you are telling Comcast you only want a single /64, which will go to pfSense. There will be nothing left to give to your LAN. This setting has nothing to do with IPv4.
I don't know why the different MAC affects this. In the 6 years I've had the same prefix, both my cable modem and the computer I run pfSense on have been changed. The prefix is retained because the info is stored in the DUID.