lan clients periodically drop ipv6 connectivity
-
Lan clients appear to lose IPV6 connection after a day or two. Packet capture shows the ping going out the wan but no response is received. General IPV6 connectivity works fine prior to this and no longer works after I verify the ping responses stop.
- I'm using SLAAC for lan IP addresses
- my ISP provides a /64 prefix
- as far as I can tell, the client ipv6 network information seems ok (e.g. addresses, gateways, etc.)
- the client ipv6 network information is the same before and after this occurs
- when a lan client stops working, the other lan clients continue to work until they also stop working sometime later
- when the lan clients lose wan ipv6 access, they still retain ipv6 access on the lan (i.e. they can ping each other using ipv6 addresses)
I thought maybe the leases were expiring and the renewed leases were perhaps not being correctly renewed but the RA timeout settings use the default values and seem much shorter than the failure times I'm seeing.
Any ideas on what is happening or how to further diagnose this?
-
I forgot to mention that if I go to Status/Interfaces on the wan interface and click "Release Wan" with "Relinquish Lease" checked and then renew the lease, the clients are once again able to reach ipv6 wan destinations.
-
@gambit100 That is somewhat normal with dynamic IPv6. Name your ISP and country, maybe someone can give more advice.
-
@Bob.Dig Sorry, I should have mentioned this is for Spectrum ISP in the USA
-
Since you're using SLAAC, there should be periodic router advertisements that provide the IP address etc. Do you see those? Also, there are no leases with SLAAC. That's a DHCP thing.
You can see the RAs with Wireshark on a client. You can also use Packet Capture on pfSense, but Wireshark is better.
-
@JKnott I see ICMPv6 traffic on both the lan and wan. I'm not a SLAAC or RA pro. I've attached a file with a packet capture on the wan (adding it as text gets flagged as spam by akismet for some reason). ICMPv6.txt
-
That file is really not useful, as it doesn't show the contents.
I ran Wireshark, filtering on ICMP6. Here's a list of the packets received, with the RA in the top row:
Here is the contents of that frame, showing the relevant info. Several items can be expanded further:
This is the sort of thing you need to understand network problems. You can use Packet Capture, in pfSense, but I find Wireshark is much better. Even if you capture with Packet Capture, you're still better off examining the capture with Wireshark.
Now, if you look at the options, you'll see things like assigned addresses and DNS.
-
Sorry about the delay...spectrum was having trouble keeping the network up in this area.
Here is the summary of messages when I connect a client to the LAN
After the client connects, it appears to have the correct network info but can't reach any Ipv6 sites. I then bring the router's WAN interface down and then back up. The client is now able to reach ipv6 sites.
The contents of some of the messages are below.
-
Please do a capture of ICMP6, with at least one router advertisement. Then post the capture file, not just its contents.
-
@JKnott attached is a packet capture from pfsense on the WAN which includes a RA at record #231. I've also included a wireshark capture on the LAN for the same time period (approximately).
This capture is over the time frame where I bring an android client back on the LAN (WIFI). Before and after the capture period, the client has lost IPV6 connectivity but has IPV4 connectivity before I took it off the LAN and also once brought back on the LAN. The client had IPV6 connectivity a few hours before this but lost that connectivity sometime between that check and a few hours later when I checked again.
Client IPV6:
fe80::20e0:1065:c8e0:d799
2603:9001:7c00:253d:90d9:29d8:f822:ed20
2603:9001:7c00:253d:9c7a:de1f:50ee:52e8
-
@JKnott here is another wireshark capture on the LAN that has RA packets from the pfsense router: packetcapture LAN with RA.pcapng
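-
Added example, not part of any post in this thread: a small decoder for the fields of a Router Advertisement that the replies above say to inspect in Wireshark (router lifetime, prefix lifetimes and flags, DNS servers). The function names and the sample packet are constructed for illustration, and the sample uses a documentation prefix rather than anything from the attached captures.

```python
import ipaddress
import struct

def parse_ra(icmp6: bytes) -> dict:
    """Decode a Router Advertisement (RFC 4861), starting at the ICMPv6 header."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement (type 134)")
    hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": router_lifetime,
          "prefixes": [], "rdnss": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError(f"malformed option at offset {off}")
        body = icmp6[off:off + opt_len]
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", body, 2)
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "valid": valid,
                                   "preferred": preferred, "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40)})
        elif opt_type == 25 and opt_len >= 24:  # RDNSS option (RFC 8106)
            lifetime = struct.unpack_from("!I", body, 4)[0]
            servers = [str(ipaddress.IPv6Address(body[i:i + 16]))
                       for i in range(8, opt_len - 15, 16)]
            ra["rdnss"].append({"lifetime": lifetime, "servers": servers})
        off += opt_len
    return ra

def slaac_findings(ra: dict) -> list:
    """List RA values that stop a client from using this router or prefix."""
    findings = []
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: not offered as a default router")
    for p in ra["prefixes"]:
        if not p["autonomous"]:
            findings.append(f"{p['prefix']}: A flag clear, not used for SLAAC")
        if p["preferred"] == 0:
            findings.append(f"{p['prefix']}: preferred lifetime 0, deprecated")
    return findings

# Constructed sample RA (documentation prefix, checksum left at 0 and not verified).
SAMPLE_RA = (bytes([134, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0)
             + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
             + ipaddress.IPv6Address("2001:db8:0:1::").packed
             + bytes([25, 3, 0, 0]) + struct.pack("!I", 600)
             + ipaddress.IPv6Address("2001:db8:0:1::1").packed)
```

Pass `parse_ra` the ICMPv6 bytes of a captured RA and compare the result taken while clients work against one taken after they stop.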