DHCPv6 not issuing IPv6 addresses with RA set to managed or assisted #16133
-
Continuing here after logging issue #16133.
Have updated from a working CE 2.7.2 config using ISC DHCP and where RA advertisements are set to Assisted mode. In 2.7.2 all clients received a valid SLAAC address and a valid DHCPv6 address. Static DHCPv6 allocations worked fine.
After the upgrade to the beta of 2.80 (2.8.0.b.20250407.1736.1500029), with no change to the configuration, no DHCPv6 addresses are handed out. SLAAC still works.
Changing the RA mode to Managed results in no addresses other than link-local being assigned to the clients.
Changing to Kea DHCP has no effect on the above results.
DHCPv6 prefixes on all LAN-side networks are set to track the WAN prefix.
I have run packet captures from one of the Windows 11 clients and can see the ICMPv6 Router Advertisements, and the DHCPv6 Solicit, Advertise, Request, and Reply packets coming from the 2.7.2 pfSense. On the upgraded 2.8.0 pfSense I can only see the Router Advertisements and the Solicit message. It seems like the DHCPv6 service (ISC or KEA) is either not getting the Solicit, or the responses are being blocked.
Would value any wisdom on this. Thanks.
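The capture comparison described above can be automated. The following is an added example, not part of the original post: it parses DHCPv6 UDP payloads (message type, transaction ID, Client Identifier option) and reports, per client, the first step of the Solicit/Advertise/Request/Reply exchange that never appears. The function names are hypothetical, and the DUIDs, transaction IDs and payloads are constructed sample data.

```python
import struct

# Message types of the four-message exchange (RFC 8415) and the option codes used here.
MSG = {1: "Solicit", 2: "Advertise", 3: "Request", 7: "Reply"}
EXCHANGE = ["Solicit", "Advertise", "Request", "Reply"]
OPT_CLIENTID, OPT_SERVERID = 1, 2

def parse_dhcpv6(payload):
    """Return (message name, transaction id, client DUID hex or None) for one UDP payload."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 message shorter than its 4-byte header")
    name = MSG.get(payload[0], f"type-{payload[0]}")
    xid = int.from_bytes(payload[1:4], "big")
    duid, off = None, 4
    while off < len(payload):                      # walk the code/length/value options
        if off + 4 > len(payload):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("option length runs past end of message")
        if code == OPT_CLIENTID:
            duid = payload[off:off + length].hex()
        off += length
    return name, xid, duid

def diagnose(payloads):
    """Per client DUID, name the first step of the exchange that never appears."""
    seen = {}
    for p in payloads:
        name, _xid, duid = parse_dhcpv6(p)
        seen.setdefault(duid, set()).add(name)
    return {duid: next((f"stalled before {s}" for s in EXCHANGE if s not in names), "complete")
            for duid, names in seen.items()}

def build(msg_type, xid, *options):
    """Sample-data helper: encode a message from (code, value) option pairs."""
    body = b"".join(struct.pack("!HH", c, len(v)) + v for c, v in options)
    return bytes([msg_type]) + xid.to_bytes(3, "big") + body

# Constructed sample data, not taken from the thread's captures.
CLIENT_A = bytes.fromhex("000100012a3b4c5d001122334455")
CLIENT_B = bytes.fromhex("000100012a3b4c5d66778899aabb")
SERVER = bytes.fromhex("00030001020000000001")
WORKING = [build(1, 0x111111, (OPT_CLIENTID, CLIENT_A)),
           build(2, 0x111111, (OPT_SERVERID, SERVER), (OPT_CLIENTID, CLIENT_A)),
           build(3, 0x222222, (OPT_CLIENTID, CLIENT_A), (OPT_SERVERID, SERVER)),
           build(7, 0x222222, (OPT_SERVERID, SERVER), (OPT_CLIENTID, CLIENT_A))]
BROKEN = [build(1, 0x333333, (OPT_CLIENTID, CLIENT_B))] * 3   # Solicit retransmitted, never answered

if __name__ == "__main__":
    print(diagnose(WORKING), diagnose(BROKEN))
```

Run against a client-side capture, a result of "stalled before Advertise" matches the 2.8.0 symptom; the same result from a capture on the server's LAN interface would instead mean the Solicit arrived and the server stayed silent.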
-
Ok, so after trying to figure out what was going on here for a number of days, I've found that restoring a backup config from CE 2.7.2 into the upgraded 2.8.0 system resolves the issue.
It feels like the upgrade process corrupted something in the DHCPv6 config (which was not visible in the GUI) preventing DHCPv6 addresses being handed out.
-
Appreciate the follow up! Are you able to reproduce the issue and compare the config files from after the upgrade and after the restore?
-
Yes, the issue is reproducible. I am running pfSense on Proxmox and can restore to the last 2.7.2 Proxmox VM backup. Running an upgrade on the 2.7.2 system will result in non-functioning DHCPv6. I've compared the pfSense xml backup files and there are no significant differences.
When I did the pfSense restore from xml backup, I saw that it seemed to delete the packages to bring the system back to a default state, load the xml backup config file, then reloaded the packages (I'm not familiar with the restore process). I wonder whether there was some corruption in a related config file that was fixed when it was brought back to the default state in prep for the restore.
I'll keep experimenting and will report if I notice anything that might have caused the issue.
As an aside - I ran a packet capture from the non-functioning pfSense 2.8.0 and was unable to see any DHCPv6 packets on the LAN interface including the Solicit packet sent to ff02::1:2, whereas I could see them on 2.7.2 - matching up with the Wireshark captures from the Windows 11 client I posted on Redmine. It seemed like the interface was not a member of the ff02::1:2 multicast group - despite it showing it was with "ifmcstat -g".
-
After it breaks with the upgrade, does it show any remaining updates if you run pfSense-upgrade from the console? Are the services actually running - you can compare the output of ps auxwwd. Does it remain broken even after a reboot?
-
The problem is back again and a restore from a 2.8.0 backup doesn't fix it. Output of ps auxwwd is attached below (ip4 addresses have been edited before posting). Not sure when it started again - I did a recent upgrade to 2.8.0.b.20250510.1412 from the previous 2.8.0.b version which may have caused it. Reinstalling the packages doesn't help. pfSense-upgrade says there is nothing to do.
Happy to run any diagnostics that you can think of.
USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
root 0 0.0 0.0 0 768 - DLs 11:48 0:00.48 [kernel]
root 11 200.0 0.0 0 32 - RNL 11:48 22:20.83 - [idle]
root 12 1.0 0.0 0 544 - WL 11:48 0:17.42 - [intr]
root 1 0.0 0.1 12380 1156 - ILs 11:48 0:00.03 - /sbin/init
root 424 0.0 1.4 111380 29348 - Ss 11:48 0:00.01 |-- php-fpm: master process (/usr/local/lib/php-fpm.conf) (php-fpm)
root 425 0.0 2.4 144728 48968 - I 11:48 0:00.56 | |-- php-fpm: pool nginx (php-fpm)
root 426 0.0 2.4 144728 48712 - I 11:48 0:00.59 | |-- php-fpm: pool nginx (php-fpm)
root 82097 0.0 2.0 111592 41720 - I 11:51 0:00.40 | |-- php-fpm: pool nginx (php-fpm)
root 85555 0.0 2.5 146776 50284 - I 11:48 0:00.58 | `-- php-fpm: pool nginx (php-fpm)
root 477 0.0 0.1 14556 2960 - INs 11:48 0:00.01 |-- /usr/local/sbin/check_reload_status
root 479 0.0 0.1 14556 2768 - IN 11:48 0:00.00 | `-- check_reload_status: Monitoring daemon of check_reload_status (check_reload_status)
unbound 481 0.0 2.0 61376 39940 - Ss 11:56 0:00.23 |-- /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root 682 0.0 0.2 15676 4044 - Is 11:48 0:00.01 |-- /sbin/devd -q -f /etc/pfSense-devd.conf
root 3976 0.0 0.6 33712 11476 - Is 11:57 0:00.00 |-- lldpd: monitor. (lldpd)
_lldpd 4426 0.0 0.6 33712 11588 - S 11:57 0:00.01 | `-- lldpd: 2 neighbors. (lldpd)
root 10829 0.0 0.2 14312 3244 - SCs 11:48 0:00.08 |-- /usr/sbin/syslogd -O rfc3164 -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
root 11535 0.0 0.2 14312 3080 - I 11:48 0:00.00 |-- syslogd: syslogd.casper (syslogd)
root 11777 0.0 0.1 14312 2868 - Is 11:48 0:00.00 |-- syslogd: system.net (syslogd)
root 12534 0.0 1.1 50392 23052 - S 11:56 0:00.12 |-- /usr/local/sbin/kea-dhcp4 -c /usr/local/etc/kea/kea-dhcp4.conf
root 12554 0.0 0.1 14088 2404 - Is 11:48 0:00.00 |-- daemon: sshguard[12874] (daemon)
root 12874 0.0 0.1 14648 2928 - I 11:48 0:00.00 | `-- /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root 13040 0.0 0.1 14240 2692 - SC 11:48 0:00.05 | |-- tail -F -n 0 /var/log/auth.log
root 13176 0.0 0.2 20640 4740 - IC 11:48 0:00.00 | |-- /usr/local/libexec/sshg-parser
root 13210 0.0 0.2 14616 3200 - IC 11:48 0:00.00 | |-- /usr/local/libexec/sshg-blocker
root 13255 0.0 0.1 14648 2924 - I 11:48 0:00.00 | `-- /bin/sh /usr/local/sbin/sshguard -i /var/run/sshguard.pid
root 15965 0.0 0.1 14648 2920 - I 11:48 0:00.00 | `-- /bin/sh /usr/local/libexec/sshg-fw-pf
root 13141 0.0 1.1 43696 21964 - S 11:56 0:00.04 |-- /usr/local/sbin/kea-dhcp6 -c /usr/local/etc/kea/kea-dhcp6.conf
root 13762 0.0 0.2 14616 3184 - Is 11:48 0:00.00 |-- sshg-blocker: system.net (sshg-blocker)
root 14390 0.0 0.1 14240 2620 - S 11:48 0:00.03 |-- tail: system.fileargs (tail)
root 16488 0.0 0.5 32960 10148 - Is 11:48 0:00.00 |-- nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
root 16489 0.0 0.6 35520 12016 - I 11:48 0:00.07 | |-- nginx: worker process (nginx)
root 16593 0.0 0.5 32960 10676 - I 11:48 0:00.00 | `-- nginx: worker process (nginx)
root 16852 0.0 0.2 20640 4540 - Is 11:48 0:00.00 |-- sshg-parser: system.net (sshg-parser)
root 19757 0.0 0.2 14648 3088 - SN 11:56 0:00.03 |-- /bin/sh /var/db/rrd/updaterrd.sh
root 51316 0.0 0.1 13984 2268 - SNC 11:59 0:00.00 | `-- sleep 60
root 29764 0.0 0.1 14072 2716 - Is 11:48 0:00.01 |-- /usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog
root 29995 0.0 2.1 70428 41968 - Ss 11:48 0:00.09 |-- php_wg: WireGuard service (php_wg)
root 35814 0.0 0.1 14184 2832 - Ss 11:48 0:00.01 |-- /usr/sbin/cron -s
root 36421 0.0 0.3 18860 5132 - Is 11:48 0:00.00 |-- /usr/local/bin/qemu-ga -d -v -l /var/log/qemu-ga.log
root 41425 0.0 0.1 14408 2856 - Is 11:56 0:00.00 |-- dhclient: system.syslog (dhclient)
root 42768 0.0 0.1 14408 3016 - Is 11:56 0:00.00 |-- dhclient: vtnet1 [priv] (dhclient)
root 47523 0.0 0.5 23964 10092 - Is 11:48 0:00.00 |-- sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups (sshd)
root 87289 0.0 0.6 24120 11528 - Ss 11:51 0:00.04 | `-- sshd: root@pts/0 (sshd)
root 87567 0.0 0.2 14648 3444 0 Is 11:51 0:00.01 | `-- -sh (sh)
root 88103 0.0 0.2 14648 3148 0 I 11:51 0:00.00 | `-- /bin/sh /etc/rc.initial
root 93132 0.0 0.2 14984 4640 0 S 11:51 0:00.01 | `-- /bin/tcsh
root 56502 0.0 0.2 14716 3292 0 R+ 12:00 0:00.00 | `-- ps auxwwd
_dhcp 54179 0.0 0.2 14412 3152 - SCs 11:56 0:00.00 |-- dhclient: vtnet1 (dhclient)
root 54865 0.0 0.1 14132 2732 - Is 11:56 0:00.00 |-- /usr/local/sbin/dhcp6c -d -n -c /var/etc/dhcp6c.conf -p /var/run/dhcp6c.pid vtnet1
root 58127 0.0 0.1 14696 3032 - Is 11:56 0:00.02 |-- /usr/local/bin/dpinger -S -r 0 -i WAN_DHCP6 -B fe80::be24:11ff:febd:9dd0%vtnet1 -p /var/run/dpinger_WAN_DHCP6~fe80::be24:11ff:febd:9dd0%vtnet1~fe80::2a2:ff:feb2:c2%vtnet1.pid -u /var/run/dpinger_WAN_DHCP6~fe80::be24:11ff:febd:9dd0%vtnet1~fe80::2a2:ff:feb2:c2%vtnet1.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 fe80::2a2:ff:feb2:c2%vtnet1
root 58528 0.0 0.1 14696 2952 - Is 11:56 0:00.02 |-- /usr/local/bin/dpinger -S -r 0 -i WAN_DHCP -B xxx.xxx.xxx.83 -p /var/run/dpinger_WAN_DHCP~xxx.xxx.xxx.83~xxx.xxx.xxx.1.pid -u /var/run/dpinger_WAN_DHCP~xxx.xxx.xxx.83~xxx.xxx.xxx.1.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 xxx.xxx.xxx.1
root 58813 0.0 0.1 14696 2952 - Is 11:56 0:00.02 |-- /usr/local/bin/dpinger -S -r 0 -i LANGW -B 172.20.0.1 -p /var/run/dpinger_LANGW~172.20.0.1~172.20.0.1.pid -u /var/run/dpinger_LANGW~172.20.0.1~172.20.0.1.sock -C /etc/rc.gateway_alarm -d 1 -s 500 -l 2000 -t 60000 -A 1000 -D 500 -L 20 172.20.0.1
root 72098 0.0 0.1 13984 2340 - Is 11:48 0:00.00 |-- /usr/local/bin/minicron 240 /var/run/ping_hosts.pid /usr/local/bin/ping_hosts.sh
root 72714 0.0 0.1 13984 2360 - I 11:48 0:00.00 | `-- minicron: helper /usr/local/bin/ping_hosts.sh (minicron)
root 72794 0.0 0.1 13984 2340 - Is 11:48 0:00.00 |-- /usr/local/bin/minicron 300 /var/run/ipsec_keepalive.pid /usr/local/bin/ipsec_keepalive.php
root 73136 0.0 0.1 13984 2360 - I 11:48 0:00.00 | `-- minicron: helper /usr/local/bin/ipsec_keepalive.php (minicron)
root 73225 0.0 0.1 13984 2348 - Is 11:48 0:00.00 |-- /usr/local/bin/minicron 3600 /var/run/expire_accounts.pid /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts
root 73624 0.0 0.1 13984 2372 - I 11:48 0:00.00 | `-- minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.expireaccounts (minicron)
root 73954 0.0 0.1 13984 2344 - Is 11:48 0:00.00 |-- /usr/local/bin/minicron 86400 /var/run/update_alias_url_data.pid /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data
root 74173 0.0 0.1 13984 2368 - I 11:48 0:00.00 | `-- minicron: helper /usr/local/sbin/fcgicli -f /etc/rc.update_alias_url_data (minicron)
root 92412 0.0 0.2 14748 3624 - Ss 11:48 0:00.05 |-- /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
root 93247 0.0 0.4 24688 8440 - Ss 11:48 0:00.05 |-- /usr/local/sbin/ntpd -g -c /var/etc/ntpd.conf -p /var/run/ntpd.pid
root 77240 0.0 0.1 14108 2456 u0 Is+ 11:48 0:00.00 |-- /usr/libexec/getty 3wire ttyu0
root 75988 0.0 0.1 14108 2456 v0 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv0
root 76214 0.0 0.1 14108 2460 v1 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv1
root 76377 0.0 0.1 14108 2456 v2 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv2
root 76449 0.0 0.1 14108 2456 v3 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv3
root 76544 0.0 0.1 14108 2464 v4 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv4
root 76751 0.0 0.1 14108 2456 v5 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv5
root 76955 0.0 0.1 14108 2456 v6 Is+ 11:48 0:00.00 |-- /usr/libexec/getty Pc ttyv6
root 76991 0.0 0.1 14108 2460 v7 Is+ 11:48 0:00.00 `-- /usr/libexec/getty Pc ttyv7
root 2 0.0 0.0 0 32 - WL 11:48 0:00.22 - [clock]
root 3 0.0 0.0 0 48 - DL 11:48 0:00.00 - [crypto]
root 4 0.0 0.0 0 48 - DL 11:48 0:00.27 - [cam]
root 5 0.0 0.0 0 16 - DL 11:48 0:00.00 - [busdma]
root 7 0.0 0.0 0 16 - DL 11:48 0:00.10 - [pf purge]
root 8 0.0 0.0 0 16 - DL 11:48 0:00.07 - [rand_harvestq]
root 9 0.0 0.0 0 48 - DL 11:48 0:00.05 - [pagedaemon]
root 10 0.0 0.0 0 16 - DL 11:48 0:00.00 - [audit]
root 13 0.0 0.0 0 32 - DL 11:48 0:00.00 - [ng_queue]
root 14 0.0 0.0 0 48 - DL 11:48 0:00.00 - [geom]
root 15 0.0 0.0 0 16 - DL 11:48 0:00.00 - [sequencer 00]
root 16 0.0 0.0 0 80 - DL 11:48 0:00.01 - [usb]
root 17 0.0 0.0 0 16 - DL 11:48 0:00.00 - [vmdaemon]
root 18 0.0 0.0 0 48 - DL 11:48 0:00.02 - [bufdaemon]
root 19 0.0 0.0 0 16 - DL 11:48 0:00.00 - [vnlru]
root 20 0.0 0.0 0 16 - DL 11:48 0:00.01 - [syncer]
root 21 0.0 0.0 0 16 - DL 11:48 0:00.00 - [ALQ Daemon]
-
A restore from a 2.7.2 backup config into the 2.8.0b instance no longer works either, as it did last time.
-
Problem now solved. Issue was with multicast snooping on Proxmox host. Issuing the command below on the host solved the problem.
echo 0 > /sys/devices/virtual/net/vmbr0/bridge/multicast_snooping
-
So, the weird thing is that with the original 2.7.2 pfSense guest, the multicast packets traversed the Proxmox linux bridge fine. In the 2.8.0 pfSense guest, they do not get through the linux bridge.
My multicast setup has IGMP v3/MLD v2 enabled on all my HP V1910 switches. The central switch runs the IGMP/MLD queriers. This switch is connected to the Proxmox host which runs the standard linux bridge setup. pfSense is plugged into that bridge via virtio network interfaces (one for each VLAN).
I'm happy to run without snooping on the Proxmox bridge and have set the following in /etc/network/interfaces on the Proxmox host to turn off snooping permanently.
bridge-mcsnoop 0
But I'm none the wiser why the 2.7.2 system was fine but the 2.8.0 system is not.