Received delegated /64 prefix, ipv6 outgoing but no incoming?
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
I'm not sure how to debug further. Is it possible Comcast isn't forwarding IPv6 even though they gave me a prefix?
Post the actual capture file. It contains far more info than you have here. You could also do a capture during the DHCPv6 sequence.
-
@JKnott I don't seem to be able to upload a pcap file so I've put two files on Google Drive, one containing the DHCP transaction (which looks normal to me) and a capture of a few minutes of all ipv6 traffic including some attempts to connect over ipv6 to a server I manage.
DHCP transaction: https://drive.google.com/file/d/1GQ30zGm8KETgrPA2ANfkV_D7RQbTsgVH/view?usp=sharing
ipv6 traffic: https://drive.google.com/file/d/1GNVXr_ws71npFKlqSLNTKIZXuvzN9HNh/view?usp=sharing
In the all-ipv6 capture I see only router advertisements from the Comcast DHCP server. There are no replies to any outgoing traffic originated either by the firewall or hosts on the LAN.
-
I don't know why you can't upload the file, as I've done that several times. Maybe recent site changes have something to do with it.
However, I just looked at the DHCPv6 capture and it shows what you mentioned about a /64 prefix. If that's all you have, pfSense will have IPv6 but nothing on your LAN will. Change DHCPv6 Prefix Delegation size to whatever the maximum Comcast provides. I have mine set to /56, which provides 256 /64s.
-
@JKnott said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
However, I just looked at the DHCPv6 capture and it shows what you mentioned about a /64 prefix. If that's all you have, pfSense will have IPv6 but nothing on your LAN will. Change DHCPv6 Prefix Delegation size to whatever the maximum Comcast provides. I have mine set to /56, which provides 256 /64s.
Hmmm.... that's inconsistent with my experience, based on two points:
The config hasn't changed from what was working, with /64, on the old system, and it worked perfectly for over a year
"...pfSense will have IPv6..." implies that I should be able to ping over ipv6 from the pfSense console, but I can't.
```
/root: ping -4 google.com
PING google.com (74.125.197.100): 56 data bytes
64 bytes from 74.125.197.100: icmp_seq=0 ttl=106 time=20.513 ms
64 bytes from 74.125.197.100: icmp_seq=1 ttl=106 time=19.469 ms
64 bytes from 74.125.197.100: icmp_seq=2 ttl=106 time=18.815 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.815/19.599/20.513/0.699 ms
/root: ping google.com
PING6(56=40+8+8 bytes) 2001:558:6025:a:88d8:92d5:ca61:f002 --> 2607:f8b0:400e:c03::8b
^C
--- google.com ping6 statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss
```
-
@JKnott OK, this is going to sound crazy.
As a wild-ass shot in the dark, I decided to spoof the WAN MAC back to the old system's value. The sequence was
- Set the MAC address back to the old value in the web GUI
- Shutdown/halt pfSense
- Power-cycle the modem, wait for it to fully connect
- Power-on pfSense
I now have my old IPv4 public address, but curiously the delegated ipv6 prefix (still /64, hasn't changed) is now working. My LAN hosts and pfSense can send traffic over ipv6.
I have no explanation other than Comcast didn't like my native WAN MAC for some reason. I wish I had more time to find the root cause, but unfortunately other responsibilities take priority now.
-
As I mentioned, you need a bigger prefix. I don't know what Comcast supports, but many ISPs use /56. With a 64 prefix size, you are telling Comcast you only want a single /64, which will go to pfSense. There will be nothing left to give to your LAN. This setting has nothing to do with IPv4.
I don't know why the different MAC affects this. In the 6 years I've had the same prefix, both my cable modem and the computer I run pfSense on have been changed. The prefix is retained because the info is stored in the DUID.
-
I was curious and did a search for the prefix. Comcast home is a 60.
-
@Uglybrian Thanks for that information.
I have a plain vanilla LAN, only a few dozen hosts and no VLANs, so a single /64 should be, and IS, enough.
Can you help me understand @JKnott's statement that if I get a /64 prefix delegation that will not give my LAN hosts ipv6 addresses?
That's not what I see. My pfSense box gets a /64 delegation, PLUS its own IP (not in the delegated prefix) for its WAN adapter. Then pfSense's LAN-side DHCP server uses the /64 for all my LAN hosts. That part has always worked since I originally set up IPv6.
Is @JKnott assuming the /64 will be applied to the WAN adapter, leaving nothing for the LAN side?
(Why it doesn't work if I don't spoof the WAN MAC is an open question I'll have to troubleshoot in the future)
-
I’ll do my best to try to explain, but it will be coming from an experienced point of view not from a knowledge viewpoint like jknott.
I'm guessing it works with the spoofed MAC address because when you changed PFS to new equipment, you did not power cycle your modem. So your modem is looking for your old MAC address and not finding it. Sometimes with Comcast, I've heard you need to call it in and tell them that you have new equipment and they will reset the modem for you. I would try a power cycle first, with PFS disconnected.
Look at Status > Interfaces and see if your WAN is getting a /128 or /64 IPv6 address. Mine shows a /128 from my ISP.
Even though you did a restore from backup, I would still double check all IPv6 settings. Head over to your interfaces, then your WAN. Scroll down and take a look at DHCP6 Client Configuration. What size prefix is showing in (prefix delegation size)? I don't know if this is how it works, but if it's 64, then I'm guessing Comcast will only give you IPv6 addresses for only one interface, your WAN. If the 64 is showing there, I would change it to a 60, reboot PFS and see what happens, then triple check all your settings.
-
@Uglybrian I'm still having trouble understanding.
I have power-cycled the modem numerous times, especially after any pfSense configuration change.
My pfSense is now working correctly with a /64 delegated prefix (I now have a problem with DNS over an OpenVPN ptp connection but that's out of scope for this thread)
What I still don't understand is why a delegated /64 would ever be an issue unless I needed a set of prefixes (up to 16 for Comcast home). The pfSense WAN adapter received its own ipv6 address, and the delegated prefix is used by the LAN-side DHCP server. It all looks good at this point.
-
I’m sorry I couldn’t explain it better but your question is beyond my scope.
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
I have power-cycled the modem numerous times
You mean : using Diagnostics > Reboot and selecting Normal Reboot, right ?
Power-cycling is one of the best ways to kill your device (file system).
-
@Gertjan power cycled the modem not the pfsense box.
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
the modem
Yeah, it was staring at me.
Coffee works now, thanks
-
@Gertjan I'm still having trouble getting IPV6 working after upgrading my hardware. It was working perfectly for a year. Here's what I see:
- I have captured the DHCP transaction with Comcast. They assign me a "non-temporary" address for the WAN adapter and also provide a delegated /64 prefix
- The DHCPv6 server (ISC) on the pfSense box uses the delegated prefix to provide IPv6 addresses to LAN clients.
- LAN clients can communicate with each other over IPv6.
- LAN clients can send IPv6 packets to remote hosts (i.e. Google), and those packets exit the firewall on the WAN interface, as shown by a packet capture.
- Replies to any outgoing IPv6 packets are not seen at the pfSense WAN interface.
Notes
1. To satisfy @JKnott's statement that I need to request a larger delegated prefix (which I don't understand) I changed to /60 in the Interfaces/WAN configuration screen. This had no effect, and AFAICT from the captured DHCP transaction, pfSense didn't send a delegated prefix length in the DHCP SOLICIT packet.
2. I have power-cycled the MODEM and rebooted pfSense. The results are always the same.
Questions:
- Do I have a configuration problem, or is Comcast somehow blocking IPv6 responses
- There used to be a screen/tab in the Web Configurator that mentioned the delegated prefix, but I can no longer seem to find it. I believe it was in System/Advanced/Networking but it seems to have vanished. Where is the delegated prefix mentioned in the UI?
-
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
I need to request a larger delegated prefix (which I don't understand) I changed to /60
Me neither. My ISP fiber router tells me it has a /56 for me. But every ISP router's LAN device, like my pfSense, can get only a 00 prefix, and an IPv6 is chosen to be the WAN IPv6 - like any other router's IPv6 ISP LAN client (PC, printer etc.), and my pfSense can just ask for one (1) /64, which is used on the pfSense LAN (IPv6 mode = tracking).
I've been getting the $eb prefix since day one:
Asking for a /65, or bigger: fail.
But ok, I know, this is a known behavior and we are waiting for this to get resolved.
Btw: your other question, posted elsewhere: when you "spoof MAC" an interface, this is the MAC being used, the original NIC MAC won't be referenced anymore.
I never had to do MAC spoofing myself (modem days are over in France) but beware:
Me thinking out loud here.
When you power up the modem first, and have it settled in.
And then pfSense, what will the modem see initially? The original WAN NIC MAC before it gets spoofed? Or is a spoofed MAC power-recycle resistant?
Without ever seeing it, the original MAC isn't used or known on the network when it is spoofed.
@jhg said in Received delegated /64 prefix, ipv6 outgoing but no incoming?:
Do I have a configuration problem, or is Comcast somehow blocking IPv6 responses
Put pfSense aside.
Use any other device you have, like a PC. Can you get IPv6 working now?
-
I tried connecting my Windows 11 laptop directly to the modem.
In that case, the DHCP transaction did not request a delegated prefix, so the Comcast DHCP server assigned only one address. IPv6 connectivity came up immediately and based on monitoring with Wireshark was operating normally. dhcp6-windows.pcap
So I have to conclude there's a problem with pfSense, since I now have NO IPv6 connectivity at all, even from the pfSense command line.
Can someone more knowledgeable than me examine this pcap file and tell me if they see anything wrong with the transaction? dhcp6-4.pcap
Suggestions?
-
Solved, and it's not pretty.
A debug message pointed me to
/var/db/dhcp6c_duid
containing text. So I removed the file to give DHCP6 a chance to start fresh. Then I disabled and re-enabled the WAN interface, and now everything's working.
When I look at that file now, it's binary, not text. Somehow, that file was preventing IPv6 connectivity.
Now all I have to do is reboot a few LAN devices that are hanging on to their old delegated prefix :-)
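An added example (not code from this thread, pfSense, dhcp6c or Comcast) covering two points raised above: the "Notes" post's question of whether a captured DHCPv6 SOLICIT actually carries an IA_PD option with a prefix-length hint after changing the delegation size to /60, and the final post's finding that a /var/db/dhcp6c_duid file holding text instead of a binary DUID broke the client. The option layout follows RFC 8415; the DUID-file layout (a 2-byte native-endian length followed by the raw DUID) is what the WIDE dhcp6c client uses and is assumed here rather than taken from the thread. The sample DUID and Solicit packets are constructed for the demonstration, and `SAMPLE_DUID`, `build_solicit` and `pack_duid_file` are helpers of this example only.

```python
"""Inspect a DHCPv6 Solicit for an IA_PD prefix hint and sanity-check a
dhcp6c_duid file.  Added example for this thread; not pfSense, dhcp6c or
Comcast code.  Option layout per RFC 8415.  DUID-file layout assumed to be
what WIDE dhcp6c uses: 2-byte native-endian length, then the raw DUID."""
import struct

MSG_SOLICIT = 1
OPT_CLIENTID, OPT_IA_PD, OPT_IAPREFIX = 1, 25, 26
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}

# Constructed sample DUID-LL: type 3, hardware type 1 (Ethernet), MAC 00:11:22:33:44:55.
SAMPLE_DUID = bytes.fromhex("00030001001122334455")


def parse_options(buf):
    """Yield (code, data) for a run of DHCPv6 TLV options; reject truncation."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d runs past end of buffer" % code)
        yield code, buf[off:off + length]
        off += length
    if off != len(buf):
        raise ValueError("%d trailing bytes after last option" % (len(buf) - off))


def describe_duid(duid):
    """Return 'TYPE hex' for a well-formed DUID, else raise ValueError."""
    if not 3 <= len(duid) <= 130:          # RFC 8415: a DUID is at most 130 octets
        raise ValueError("DUID length %d out of range" % len(duid))
    dtype = struct.unpack_from("!H", duid)[0]
    if dtype not in DUID_TYPES:
        raise ValueError("unknown DUID type %d" % dtype)
    return "%s %s" % (DUID_TYPES[dtype], duid.hex(":"))


def solicit_pd_hint(pkt):
    """Summarise a Solicit: client DUID, whether it carries IA_PD, and the
    prefix-length hint in IAPREFIX (None when IA_PD is present without a hint)."""
    if len(pkt) < 4 or pkt[0] != MSG_SOLICIT:
        raise ValueError("not a DHCPv6 Solicit")
    client_duid = ia_pd = None
    for code, data in parse_options(pkt[4:]):      # skip msg-type + 3-byte xid
        if code == OPT_CLIENTID:
            client_duid = data
        elif code == OPT_IA_PD:
            ia_pd = data
    if client_duid is None:
        raise ValueError("Solicit has no Client Identifier")
    result = {"duid": describe_duid(client_duid), "ia_pd": ia_pd is not None, "hint": None}
    if ia_pd is not None:
        if len(ia_pd) < 12:
            raise ValueError("IA_PD shorter than IAID+T1+T2")
        for code, data in parse_options(ia_pd[12:]):
            # IAPREFIX: preferred(4) valid(4) prefix-length(1) prefix(16) [options]
            if code == OPT_IAPREFIX and len(data) >= 25:
                result["hint"] = data[8]
    return result


def build_solicit(duid, ia_pd=False, pd_hint=None):
    """Construct a minimal Solicit (xid 0x0a0b0c) for exercising the parser."""
    opts = struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
    if ia_pd:
        body = struct.pack("!III", 1, 0, 0)          # IAID=1, T1=T2=0 (server chooses)
        if pd_hint is not None:
            iapfx = struct.pack("!IIB", 0, 0, pd_hint) + bytes(16)   # ::/pd_hint hint
            body += struct.pack("!HH", OPT_IAPREFIX, len(iapfx)) + iapfx
        opts += struct.pack("!HH", OPT_IA_PD, len(body)) + body
    return bytes([MSG_SOLICIT, 0x0A, 0x0B, 0x0C]) + opts


def pack_duid_file(duid):
    """Produce dhcp6c_duid file contents in the assumed WIDE dhcp6c layout."""
    return struct.pack("=H", len(duid)) + duid


def read_dhcp6c_duid(blob):
    """Decode dhcp6c_duid contents; a text or truncated file raises ValueError."""
    if len(blob) < 2:
        raise ValueError("file too short")
    (length,) = struct.unpack_from("=H", blob)
    if len(blob) != 2 + length:
        raise ValueError("length field %d does not match %d-byte file" % (length, len(blob)))
    return describe_duid(blob[2:])


if __name__ == "__main__":
    for kw in ({}, {"ia_pd": True}, {"ia_pd": True, "pd_hint": 60}):
        print(kw, "->", solicit_pd_hint(build_solicit(SAMPLE_DUID, **kw)))
    print("good file ->", read_dhcp6c_duid(pack_duid_file(SAMPLE_DUID)))
    try:
        read_dhcp6c_duid(b"00:03:00:01:00:11:22:33:44:55\n")   # constructed "text" file
    except ValueError as e:
        print("text file ->", e)
```

To use it on a real capture, feed `solicit_pd_hint` the UDP payload of the SOLICIT (tshark or scapy can extract it): `ia_pd` False means the client asked for an address only, a hint of None means the /60 setting never made it into the request, and a hint of 60 means it did and the server simply ignored it. For the DUID file, `read_dhcp6c_duid(open("/var/db/dhcp6c_duid", "rb").read())` distinguishes a proper binary DUID from a stray text file in one call.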