Netgate Discussion Forum
    lan clients periodically drop ipv6 connectivity

      gambit100 @gambit100

      @JKnott here is another wireshark capture on the LAN that has RA packets from the pfsense router: packetcapture LAN with RA.pcapng

      1 Reply Last reply Reply Quote 0
        JKnott @gambit100

        @gambit100 said in lan clients periodically drop ipv6 connectivity:

        Packet capture shows the ping going out the wan but no response is received.

        This sounds similar to a problem I had almost 7 years ago, but mine didn't correct. There was a problem with my ISP, where they were giving me a bad prefix. My WAN address worked but nothing on my LAN. I tested by using my notebook computer tethered to my cell phone and set up a data tap to monitor my WAN port. When I pinged from my LAN, I could see it going out, but nothing coming back. When I pinged from my notebook & phone, I didn't see anything coming in. I was able to demonstrate to my ISP's tech support what was happening and he agreed it was a problem at my ISP. Later on, a senior tech came to my home, with his own computer & modem and found the same problem. He then went to the ISP's office and tried with 4 different CMTS and found it worked with 3, but not the one I was connected to. The network guys finally got around to fixing the problem after that, even though I had identified the failing CMTS in my testing earlier.

        When the LAN clients lose connectivity, is that totally? Or just to the Internet? Does the LAN prefix change when it fails? If you're getting a bad prefix, as I was, it would certainly cause problems.

        It sounds like the problem is with Spectrum, especially since you said they have other problems.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        G 1 Reply Last reply Reply Quote 0
          gambit100 @JKnott

          @JKnott Currently, my android client has the same /64 prefix as my windows 11 client. My android client cannot connect (ping or http) to ipv6.google.com but can reach other lan clients via ipv6 (ping and http). My windows 11 client can reach other lan clients as well as ipv6.google.com.
          When I release and renew the WAN connection via pfsense, I get the same prefix (at least since I've been researching this issue). After the WAN reset, the android client can reach ipv6.google.com by both ping and http.
          I'm a bit reluctant to reach out to spectrum as past help attempts haven't been too helpful and involve a lot of steps that aren't usually related to the issue but I guess it's about time I do so.
          Initially, I was having ipv6 issues with all lan clients but only the android client is having issues now. Either there was a broader issue that affected all ipv6 clients earlier or it requires more time before the other clients fail and my periodic wan reset restarts the timer on the other clients as well.

          Not related to this issue (I assume) but although the spectrum ISP connection is stable now I'm seeing a lot of weird traffic from the WAN now. Malformed packets against my vpn and weird NS packets coming from the spectrum gateway for addresses that don't exist on my network.
          13:46:45.736687 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ffd7:2: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:d720:0:1062:fd7:2, length 32
          13:46:45.758670 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff23:5: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:2350:0:1062:f23:5, length 32
          13:46:45.856525 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff48:1: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:4810:0:1062:f48:1, length 32
          13:46:45.960992 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff5b:0: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:5b00:0:1062:f5b:0, length 32
          13:46:46.028662 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff2a:0: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:2a00:0:1062:f2a:0, length 32
          13:46:46.150729 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff7e:1: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:7e10:0:1062:f7e:1, length 32
          13:46:46.776291 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ffd7:2: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:d720:0:1062:fd7:2, length 32

          JKnottJ 1 Reply Last reply Reply Quote 0
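Added example, not from any poster in this thread: a Python triage of the neighbor solicitation lines quoted in the post above. It checks that each destination is the solicited-node multicast group for the target (RFC 4291) and collects the target /64s that fall outside your own prefixes; the `2001:db8::/56` local prefix is an assumed placeholder, since the thread does not give the delegated prefix.

```python
import ipaddress
import re
from collections import defaultdict

# Lines copied from the tcpdump output in the post above.
CAPTURE = """\
13:46:45.736687 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ffd7:2: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:d720:0:1062:fd7:2, length 32
13:46:45.758670 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff23:5: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:2350:0:1062:f23:5, length 32
13:46:45.856525 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff48:1: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:4810:0:1062:f48:1, length 32
13:46:45.960992 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff5b:0: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:5b00:0:1062:f5b:0, length 32
13:46:46.028662 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff2a:0: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:2a00:0:1062:f2a:0, length 32
13:46:46.150729 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ff7e:1: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:7e10:0:1062:f7e:1, length 32
13:46:46.776291 IP6 fe80::2bc:60ff:fe92:4419 > ff02::1:ffd7:2: ICMP6, neighbor solicitation, who has 2603:9001:7cf0:d720:0:1062:fd7:2, length 32
"""

NS_RE = re.compile(
    r"IP6 (?P<src>\S+) > (?P<dst>[0-9a-f:]+): ICMP6, neighbor solicitation, "
    r"who has (?P<target>[0-9a-f:]+),"
)

def solicited_node(target):
    """RFC 4291: ff02::1:ff00:0/104 plus the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def triage(text, local_prefixes):
    """Per NS source: packet count, wrong multicast groups, target /64s not ours."""
    nets = [ipaddress.IPv6Network(p) for p in local_prefixes]
    report = defaultdict(lambda: {"count": 0, "bad_group": 0, "foreign_64s": set()})
    for m in NS_RE.finditer(text):
        target = ipaddress.IPv6Address(m["target"])
        entry = report[m["src"]]
        entry["count"] += 1
        if solicited_node(target) != ipaddress.IPv6Address(m["dst"]):
            entry["bad_group"] += 1          # destination does not match the target
        if not any(target in net for net in nets):
            entry["foreign_64s"].add(ipaddress.IPv6Network((int(target) >> 64 << 64, 64)))
    return dict(report)

if __name__ == "__main__":
    # 2001:db8::/56 is a placeholder for your own delegated prefix (assumption).
    for src, entry in triage(CAPTURE, ["2001:db8::/56"]).items():
        print(src, entry["count"], entry["bad_group"], sorted(entry["foreign_64s"]))
```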
            JKnott @gambit100

            @gambit100 said in lan clients periodically drop ipv6 connectivity:

            When I release and renew the WAN connection via pfsense, I get the same prefix (at least since I've been researching this issue). After the WAN reset, the android client can reach ipv6.google.com by both ping and http.

            That sounds like when you do that, you remind them you're there. It sounds like a routing issue. Also, the only Android issue I'm aware of is it doesn't support DHCP6, but that wouldn't apply if you're using SLAAC.

            There is one thing you can try. That is run without pfSense and use the modem's router. If it fails again, then it's definitely an ISP problem. This was also the case here. When it failed, my next door neighbour also failed and he uses only the modem router. I also know ISPs will not do much to resolve issues if you're using your own router. How often does this issue happen? I hope you're not stuck without pfSense for too long. As I mentioned, the problem still happened when the tech took his modem & computer to the office and it still failed there, when connected to the CMTS I was on.
            BTW, do any of your neighbours have this problem?

            Here's the error message I was getting when it failed and identified the failing CMTS.

            Status code
            Option: Status code (13)
            Length: 56
            Value: 00064e6f2070726566697820617661696c61626c65206f6e...
            Status Code: NoPrefixAvail (6)
            Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'

            I used Wireshark to capture this on the WAN interface, when I captured the DHCP6 sequence, using the data tap I made. Of course, since you can clear your problem, it would be difficult to do this. You'd have to capture all the DHCP6 packets until it failed.

            BTW, a few years later, I was doing some work in my ISP's local office and found that CMTS89! 😄

            S 1 Reply Last reply Reply Quote 0
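Added example, not JKnott's or pfSense's code: a Python walker over the options of a DHCPv6 message (RFC 8415) that descends into IA containers and reports every non-Success Status Code option, like the NoPrefixAvail shown in the post above. The sample Reply is constructed: its status text is the one displayed in the post, while the transaction ID, the IAID and the placement inside an IA_PD option are assumptions.

```python
import struct

STATUS = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail", 3: "NoBinding",
          4: "NotOnLink", 5: "UseMulticast", 6: "NoPrefixAvail"}
# Fixed bytes that precede nested options inside container options (RFC 8415):
# IA_NA (3), IA_PD (25), IA Address (5), IA Prefix (26).
CONTAINER_HEADER = {3: 12, 25: 12, 5: 24, 26: 25}
OPTION_STATUS_CODE = 13

def walk_options(buf, path=()):
    """Yield (path, code, data) for every option, descending into IA containers."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4: off + 4 + length]
        if len(data) < length:
            raise ValueError(f"option {code} truncated at offset {off}")
        yield path, code, data
        if code in CONTAINER_HEADER:
            yield from walk_options(data[CONTAINER_HEADER[code]:], path + (code,))
        off += 4 + length

def failures(message):
    """Return [(path, status name, text)] for every non-Success status code."""
    out = []
    for path, code, data in walk_options(message[4:]):  # skip msg-type + transaction-id
        if code == OPTION_STATUS_CODE and len(data) >= 2:
            status = struct.unpack_from("!H", data)[0]
            if status != 0:
                out.append((path, STATUS.get(status, f"unknown({status})"),
                            data[2:].decode("utf-8", "replace")))
    return out

def option(code, data):
    """Encode one option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data

# Constructed Reply (message type 7); only TEXT comes from the post.
TEXT = b"No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'"
STATUS_OPT = option(OPTION_STATUS_CODE, struct.pack("!H", 6) + TEXT)
REPLY = bytes([7]) + b"\xab\xcd\xef" + option(25, struct.pack("!III", 1, 0, 0) + STATUS_OPT)

if __name__ == "__main__":
    for path, name, text in failures(REPLY):
        print(path, name, text)
```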
              SteveITS Galactic Empire @JKnott

              @JKnott

              sounds like a routing issue

              That was my thought but OP says it works on Windows the entire time.

              Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
              Upvote 👍 helpful posts!

              JKnottJ 1 Reply Last reply Reply Quote 0
                JKnott @SteveITS

                @SteveITS

                That doesn't make sense. He said reconnecting the WAN side clears it, but that shouldn't have anything to do with Windows vs Android.

                I just noticed something curious, but I don't know if it has anything to do with this. In his router advertisement, in his DNS search list, he has home.com. That used to be an email provider that some ISPs used to use before it went bust. My ISP Rogers was one of them. He shouldn't be using real domain names for that. If he doesn't have an appropriate one, then he should be using one of those dummy top level domain names. I don't recall what they were, as I have my own registered domain name, which I use.

                When Rogers was using @home, I created a joke account "the_lights_are_on_but_no_ones@home.com". 😉

                S 1 Reply Last reply Reply Quote 0
                  SteveITS Galactic Empire @JKnott

                  @JKnott said in lan clients periodically drop ipv6 connectivity:

                  That doesn't make sense

                  That was also one of my thoughts. :)

                  G 1 Reply Last reply Reply Quote 0
                    gambit100 @SteveITS

                    @SteveITS "home.com" is just a domain I used when setting up my home network on pfsense, mainly because I suffer from a severe lack of imagination. Worse, my gateway/firewall is firewall.home.com. Since that's just local on my lan I'm not sure if that is a problem since I'm not familiar with "home.com" mentioned above but I suppose it could be a factor.

                    JKnottJ 1 Reply Last reply Reply Quote 0
                      JKnott @gambit100

                      @gambit100

                      I doubt it is related to your problem, it just caught my eye. The problem is should you ever need to connect to a home.com network, it won't work. That's why they came up with a top level domain name to be used for that sort of thing, in that it will never be assigned to anyone.

                      1 Reply Last reply Reply Quote 0
                        gambit100

                        This problem has been solved after working with my spectrum ISP. The issue was on their side as opposed to an issue with my pfsense router. Just adding some info to this thread in case someone else has a similar issue. Based on comments from @JKnott above I started concentrating on issues between my router and my ISP. What I first noticed was that my router was sending IPv6 renew packets out the WAN interface but no response was ever received.
                        IPv6 Renew Request.png
                        My understanding (although I'm not an expert here) is that this is a way for IPv6 routers to request the current prefix be renewed instead of waiting for it to expire. Since I never got a response, I assume the LAN client IPv6 connections expired and were therefore dropped by the ISP. I'm not clear why they dropped at different times.
                        After my ISP replaced the cable to my house and did some unknown changes on their end, I started seeing the following messages in the router system log every day or two and everything is now working correctly.
                        "Oct 22 08:20:33 php-fpm 422 /rc.newwanipv6: rc.newwanipv6: Info: starting on igb0."

                        1 Reply Last reply Reply Quote 1
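Added example, not from the thread's posters: a Python check for the symptom described in the last post, DHCPv6 Renew messages leaving the WAN with no Reply coming back. It relies on the RFC 8415 rule that a client keeps the same transaction ID across retransmissions of one message; the input is assumed to be UDP payloads (ports 546/547) already extracted from a WAN capture, and the sample packets are constructed.

```python
REQUESTS = {5: "Renew", 6: "Rebind"}   # DHCPv6 message types (RFC 8415)
REPLY = 7

def unanswered(packets):
    """packets: (epoch_seconds, udp_payload) tuples in capture order.

    Returns [(kind, xid_hex, attempts, first_ts, last_ts)] for every Renew or
    Rebind whose transaction ID never appears in a Reply.
    """
    pending = {}
    for ts, payload in packets:
        if len(payload) < 4:
            continue                        # too short for msg-type + transaction-id
        msg_type, xid = payload[0], payload[1:4].hex()
        if msg_type in REQUESTS:
            kind, first, _, attempts = pending.get(xid, (REQUESTS[msg_type], ts, ts, 0))
            pending[xid] = (kind, first, ts, attempts + 1)   # retransmit reuses the xid
        elif msg_type == REPLY:
            pending.pop(xid, None)          # answered, no longer of interest
    return [(kind, xid, attempts, first, last)
            for xid, (kind, first, last, attempts) in pending.items()]

def header(msg_type, xid_hex):
    """Constructed 4-byte DHCPv6 header; options are omitted in this sample."""
    return bytes([msg_type]) + bytes.fromhex(xid_hex)

# Constructed capture: one Renew retried three times, a Rebind, and one healthy exchange.
SAMPLE = [
    (0.0, header(5, "11aa22")),
    (10.0, header(5, "11aa22")),
    (30.0, header(5, "11aa22")),
    (60.0, header(6, "55cc66")),
    (100.0, header(5, "33bb44")),
    (100.05, header(7, "33bb44")),
]

if __name__ == "__main__":
    for row in unanswered(SAMPLE):
        print(row)
```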