Old IPv6 addresses may continue to be used after DHCP or RA changes #12947 - not fixed?

UweV

Hello,

I upgraded t the latest 2.8 beta (2.8.0-BETA (amd64) built on Tue Apr 1 4:29:00 CEST 2025).

https://redmine.pfsense.org/issues/12947
-> Old IPv6 addresses may continue to be used after DHCP or RA changes #12947

I submitted this bug in the past and it's not fixed:
https://redmine.pfsense.org/issues/15906

It has been classified as a duplicate. But I'm not sure if that was correct, because I have still the same issues and IPv6 communication is still broken after an IPv6 prefix change on WAN.
"Has duplicate Bug #15906: After an IPv6 prefix and IP change on the WAN interface the LAN interface IPs and delegated IPv6 prefixes don’t get updated".

I assume bug report https://redmine.pfsense.org/issues/15625 is also related to this.

I can provide logs etc. if someone would like to investigate further.
Thank you.

marcosm

The DHCP6 client script has been changed to call rc.newwanipv6 on RENEW which deals with the issue I was able to reproduce:
https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/646389402feb2dd94171d7c81d4be67feef4f8d8

If it's still an issue for you however, there may be something else going on. Can you show the output of ifconfig before and after the issue happens as well as both the full system and DHCP logs covering the period when the issue happens?

UweV

@marcosm

I modified the IPv6 addresses slightly (xx.xx) - not to publish my full IPs here.

Before:
Upstream router:
IPv6-Prefix: 2003:xx:xx43:7f00::/56

[2.8.0-BETA][admin@pfSense-ipv6.home.arpa]/root: ifconfig
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:2d:5b:36
inet 192.168.7.253 netmask 0xffffff00 broadcast 192.168.7.255
inet6 fe80::11:32ff:fe2d:5b36%vtnet0 prefixlen 64 scopeid 0x1
inet6 fdc7:326a:c353:0:11:32ff:fe2d:5b36 prefixlen 64 autoconf pltime 3600 vltime 7200
inet6 2003:xx:xx43:7f00:11:32ff:fe2d:5b36 prefixlen 64 autoconf pltime 1424 vltime 7200
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: VLAN20
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:22:a9:2f
inet 192.168.20.253 netmask 0xffffff00 broadcast 192.168.20.255
inet6 fe80::11:32ff:fe22:a92f%vtnet1 prefixlen 64 scopeid 0x2
inet6 fe80::1:1%vtnet1 prefixlen 64 scopeid 0x2
inet6 2003:xx:xx43:7ff8:11:32ff:fe22:a92f prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vtnet2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: VLAN30
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:23:ab:b3
inet 192.168.30.253 netmask 0xffffff00 broadcast 192.168.30.255
inet6 fe80::11:32ff:fe23:abb3%vtnet2 prefixlen 64 scopeid 0x3
inet6 fe80::1:1%vtnet2 prefixlen 64 scopeid 0x3
inet6 2003:xx:xx43:7ff9:11:32ff:fe23:abb3 prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

After:(I initiated a IPv6 prefix change, all client IPv6 communication stops)
Upstream router:
New IPv6-Prefix: 2003:xx:xx02:2200::/56

[2.8.0-BETA][admin@pfSense-ipv6.home.arpa]/root: ifconfig
vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:2d:5b:36
inet 192.168.7.253 netmask 0xffffff00 broadcast 192.168.7.255
inet6 fe80::11:32ff:fe2d:5b36%vtnet0 prefixlen 64 scopeid 0x1
inet6 fdc7:326a:c353:0:11:32ff:fe2d:5b36 prefixlen 64 autoconf pltime 3600 vltime 7200
inet6 2003:xx:xx43:7f00:11:32ff:fe2d:5b36 prefixlen 64 deprecated autoconf pltime 0 vltime 7132
inet6 2003:xx:xx02:2200:11:32ff:fe2d:5b36 prefixlen 64 autoconf pltime 1731 vltime 7200
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: VLAN20
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:22:a9:2f
inet 192.168.20.253 netmask 0xffffff00 broadcast 192.168.20.255
inet6 fe80::11:32ff:fe22:a92f%vtnet1 prefixlen 64 scopeid 0x2
inet6 fe80::1:1%vtnet1 prefixlen 64 scopeid 0x2
inet6 2003:xx:xx43:7ff8:11:32ff:fe22:a92f prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
vtnet2: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: VLAN30
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:23:ab:b3
inet 192.168.30.253 netmask 0xffffff00 broadcast 192.168.30.255
inet6 fe80::11:32ff:fe23:abb3%vtnet2 prefixlen 64 scopeid 0x3
inet6 fe80::1:1%vtnet2 prefixlen 64 scopeid 0x3
inet6 2003:xx:xx43:7ff9:11:32ff:fe23:abb3 prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

UweV

system - general:

Apr 7 16:54:59 check_reload_status 472 Reloading filter
Apr 7 16:54:58 php-fpm 397 /rc.newwanipv6: Gateway, NONE AVAILABLE
Apr 7 16:54:58 php-fpm 397 /rc.newwanipv6: Gateway, NONE AVAILABLE
Apr 7 16:54:19 php-fpm 397 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2003:xx:xx02:2200:11:32ff:fe2d:5b36) (interface: wan) (real interface: vtnet0).
Apr 7 16:54:19 php-fpm 397 /rc.newwanipv6: rc.newwanipv6: Info: starting on vtnet0 due to RENEW.

UweV

I cannot post the DHCP logs because the forum software flags it as SPAM

UweV

in there another option for sending you logs?

marcosm

You can upload everything here:
https://nc.netgate.com/nextcloud/s/9RnP5LzP7eYBX7C

UweV

I uploaded the first document - I will upload a second soon.
I'm documenting the full cycle until most issues are cleared up automatically. This takes multiple hours (IPv6 client are offline).

UweV

2nd document uploaded.

fyi - a pfSense reboot fixes everything after an IPv6 prefix change.

UweV

Thank you for the patch.
It looks like it is not solving the issue.
3rd document uploaded.

marcosm

Further testing here shows that when the lease is renewed the downstream interfaces were updated by dhcp6c with the new prefix (vmx4 is the LAN, vmx1 is the WAN):

Apr 8 10:02:13 	dhcp6c 	37136 	Sending Renew
Apr 8 10:02:13 	dhcp6c 	37136 	dhcp6c Received INFO
Apr 8 10:02:13 	dhcp6c 	37136 	add an address 2001:db8:a:a::aab0/128 on vmx1
Apr 8 10:02:13 	dhcp6c 	37136 	Sending Renew
Apr 8 10:02:13 	dhcp6c 	37136 	dhcp6c Received INFO
Apr 8 10:02:13 	dhcp6c 	37136 	add an address 2001:db8:c:0:250:56ff:feb2:a5f1/64 on vmx4
Apr 8 10:02:13 	dhcp6c 	37136 	remove an address 2001:db8:b:18:250:56ff:feb2:a5f1/64 on vmx4

As I understand, in order for the client to update its interfaces with the new prefix outside of the scheduled times it would need to receive an unsolicited reconfigure message (RFC6644). From the logs provided so far, I'm not seeing this happening. This seems to align with the reported behavior on redmine stating that "This situation resolves only after 1.5 to 2 hours."

FWIW "reconfigure" messages are not supported by Kea according to their documentation, and it seems to be the case for ISC dhcpd as well.

UweV

@marcosm DHCPv6 is not enabled on the pfSense. RA is used with router mode "unmanaged".
-> Stateless Address Auto-Configuration (SLAAC)

I assume the tracked LAN interfaces of the pfSense need to get first new delegated IPv6 prefix and a new IPv6 IP assigned.
That is not happening.

vtnet0 = WAN Interface
vtnet1 = VLAN20 = LAN Interface

vtnet0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: WAN
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:2d:5b:36
inet 192.168.7.253 netmask 0xffffff00 broadcast 192.168.7.255
...
inet6 2003:xx:xx1c:6a00:11:32ff:fe2d:5b36 prefixlen 64 autoconf pltime 1183 vltime 7200
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
vtnet1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
description: VLAN20
options=800b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE>
ether 02:11:32:22:a9:2f
inet 192.168.20.253 netmask 0xffffff00 broadcast 192.168.20.255
inet6 2003:xx:xx01:cf8:11:32ff:fe22:a92f prefixlen 64
media: Ethernet autoselect (10Gbase-T <full-duplex>)
status: active
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

UweV

To be able to do testing with you I switched to RA router mode "managed" and enabled DHCPv6 service (ISC DHCP for now) on the LAN interfaces.

I do not think that the communication DHCPv6 service to the clients on the LAN subnets is the initial/first/main issue.

The pfSense interfaces do not get an IPv6 address with the new prefix and the new prefix is also not listed in the DHCPv6 service config screen.

To resolve both issues manually as a workaround I'm going to the WAN interface and save and apply.
Afterthat everything is correct:

Interfaces got a valid IPv6
new prefix is listed on DHCPv6 service config screen
clients get a new IPv6 IP with correct prefix assigned
client have Internet connectivity.

This is listed in the system logs while doing the "WAN interface and save and apply."

68c80eb0-60f7-47fe-8250-a57e891e4056-Pasted Graphic 4.png

I assume not all tasks are required on a upstream router IPv6 prefix change.
But some needs to be initiated automatically to allow client IPv6 communication again.

Thanks for your support.

UweV

Pfsense-IPv6-280beta_v4 uploaded.

The DHCPv6 / RA sends the new prefix and assigns a new IP address to the WAN interface on pfSense.

2.8.0-BETA][admin@pfSense-ipv6.home.arpa]/root: ifconfig vtnet0 | grep 2003
inet6 2003:xx:xx1e:c800:11:32ff:fe28:7ee6 prefixlen 64 deprecated autoconf pltime 0 vltime 7087
inet6 2003:xx:xx32:7c00:11:32ff:fe28:7ee6 prefixlen 64 autoconf pltime 1687 vltime 7200

The old IP gets deprecated and the new IP is listed.
I added the radvdump to the document.
To me this part of the process looks good.

I assume based on the IPv6 IP change on the WAN interface the pfSense software needs to take action (run a script etc.)

assign new IPv6 IPs to all LAN interfaces
assign the new prefix to all DHCPv6 services on all LAN Interfaces

Please let me know if you need more information or remote access to my pfSense test VM.
Thank you.

marcosm

SLAAC can only help with the WAN prefix and not the delegated prefixes for LAN. In order for pfSense to know that the PD has changed outside of the normal times, DHCPv6 with RFC664 would be needed. If you still think something is being done incorrectly, run a packet capture on pfSense's WAN interface and reproduce the issue. Is there something there that tells pfSense that the PD has changed in order for pfSense to update its LANs?

UweV

So you assume that the upstream internet router does not tell pfSense that the prefix delegation has changed - correct?

I started a packet capture on WAN - uploaded.
The upstream router got this prefix assigned:
IPv6 prefix: 2003:e2:xx39:3700::/56

fyi - I do not know how to filter the capture correctly for this purpose.
on the same subnet an IPv4 carp cluster is running, too.

UweV

upstream router settings:

marcosm

@UweV

So you assume that the upstream internet router does not tell pfSense that the prefix delegation has changed - correct?

Yes. The PCAP shows the server sending Router Advertisement's for the new prefix as expected which allows pfSense to update its route table and WAN, but it will not affect the delegated prefixes tracked by the LAN interfaces.

UweV

@marcosm

I will try to troubleshoot with the internet router vendor.

Do you know how to filter for these specific packages? (PD)

Would it be possible to run a script every minute to check for WAN interface IPv6 prefix change (IP only) and if there is a change then request by another script a new delegated prefix from the internet router?
FYI: someone worked on a workaround two years ago. I think it's no longer working now:
https://github.com/geschke/ccw-ipv6

If many internet router are not handling the delegated prefix change correctly, would it be possible to implement a workaround in pfSense?
Like:

add a question / checkbox in the WAN Interface (or LAN config screens) configuration screen:
x request a new delegated prefix if an IPv6 IP prefix change is detected
then update the tracked interfaces and the DHCPv6 and RA services on LAN networks

Thanks for your feedback.

UweV

packetcapture-vtnet0-20250411155701.pcap -> contains a prefix delegation change initiated by a WAN interface save&apply. You should see the request from the pfSense and the answer from the upstream internet router in this capture file.

IPv6 prefix assigned to upstream internet router by internet provider: 2003:e2:8703:e000::/56
Delegated to pfSense: 2003:e2:8703:e0f8::/61