Multiple IPV6 Tunnels

mdpugh

You may be right about these the gateway and DNS options being nonfunctional. I'm using a different machine as a DHCPv6 server; pfSense is firewall/router only. To my knowledge DHCPv6 does not presently allow for providing the gateway address, so the field you mention must be an artifact. I'm using 2.1 and I don't see a gateway field on the DHCPv6 Server page.

Here is a Wireshark capture of a router advertisement being sent by my pfSense box:

No. Time Source Destination Protocol Length Info
110 51.158149 fe80::203:47ff:fe72:33fc ff02::1 ICMPv6 142 Router Advertisement from 00:03:47:72:33:fc

Frame 110: 142 bytes on wire (1136 bits), 142 bytes captured (1136 bits)
Ethernet II, Src: Intel_72:33:fc (00:03:47:72:33:fc), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::203:47ff:fe72:33fc (fe80::203:47ff:fe72:33fc), Dst: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: Router Advertisement (134)
Code: 0
Checksum: 0x42d3 [correct]
Cur hop limit: 64
Flags: 0xc0
1… .... = Managed address configuration: Set
.1.. .... = Other configuration: Set
..0. .... = Home Agent: Not set
...0 0... = Prf (Default Router Preference): Medium (0)
.... .0.. = Proxy: Not set
.... ..0. = Reserved: 0
Router lifetime (s): 3600
Reachable time (ms): 0
Retrans timer (ms): 0
ICMPv6 Option (Source link-layer address : 00:03:47:72:33:fc)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: Intel_72:33:fc (00:03:47:72:33:fc)
ICMPv6 Option (MTU : 1280)
Type: MTU (5)
Length: 1 (8 bytes)
Reserved
MTU: 1280
ICMPv6 Option (Prefix information : fd00:ac10::/120)
Type: Prefix information (3)
Length: 4 (32 bytes)
Prefix Length: 120
Flag: 0xc0
Valid Lifetime: 360000
Preferred Lifetime: 360000
Reserved
Prefix: fd00:ac10:: (fd00:ac10::)
ICMPv6 Option (Recursive DNS Server fd00:ac10::66)
Type: Recursive DNS Server (25)
Length: 3 (24 bytes)
Reserved
Lifetime: 900
Recursive DNS Servers: fd00:ac10::66 (fd00:ac10::66)

As you can see, it provides the unique-local address of the router in the Recursive DNS Server option--which would work for you if you're running DNS Forwarding on the pfSense machine if the clients were using the option. My clients appear to ignore it. As I said, I have RAs disabled on all my LAN interfaces and pfSense is still happily sending RAs like the one shown. I don't know what's going down there. Notice also that the Managed and Other flags are set which means that clients that receive this advertisement will expect to get both their addresses and DNS server addresses through DHCPv6.

I'm not sure why you're bridging or why you would need to. The zone ID is going to vary from host to host I think, so I'd expect it to be different. I just tried pinging the link-local address of pfSense without specifying the zone ID and it worked fine (I had to add a new firewall rule to allow it through, though, so don't forget that).

Don't put anything in the prefix delegation fields unless you have another router downstream (which would indeed be a complex setup).

The DNS Servers on the General Setup are used like forwarders. If you have DNS Forwarding enabled and pfSense hasn't already cached the address, pfSense passes DNS requests it receives on to these servers. Since you're using HE, put 2001:470:20::2 in one of these fields. I don't know if the ns#.he.net (# = 1-5) servers do recursion. If not, they wouldn't be useful here.

Hope this helps! Thanks for the Dynamic DNS info. I'm going to try that now.

joe_cowboy

Here is what the DHCPv6 Server page generates:

/var/dhcpd/etc/dhcpdv6.conf

option domain-name "localdomain";
option ldap-server code 95 = text;
option domain-search-list code 119 = text;

default-lease-time 7200;
max-lease-time 86400;
log-facility local7;
ddns-update-style none;
one-lease-per-client true;
deny duplicates;
ping-check true;
authoritative;
subnet6 2001:470:XXXX:2::/64 {
option dhcp6.name-servers 2001:470:XXXX:2::1;
range6 2001:470:XXXX:2::1000 2001:470:XXXX:2::FFFF;
# Not supported in IPv6; option dhcp6.routers 2001:470:XXXX:2::1;
option domain-name "pfSense.localdomain";
option domain-search-list "";
option dhcp6.name-servers 2001:470:XXXX:2::1;
}

As you can see the dhcp6.routers is commented out and see it does list DNS server IPv6 address (which I stated before I installed the package Bind97 and set it up on my pfSense router).

Thanks for your help. So what would you suggest for settings then.

Why I have a bridge0 set up is because I have a multiport LAN card and 2 USB wifi in the router. I followed a guide on setting it up because I had issues with my cleints not seeing one another on the bridge. I have another thread talking about the isses. Maybe you can look at that thread and see what you think of my last UPDATE: post about issues with FTP. :)

http://forum.pfsense.org/index.php/topic,42811.msg237237.html#msg237237

Thanks again…

mdpugh

I'm going to read your other thread before going any further to try to understand the bridge issue. Each of my pfSense boxes has five interfaces in it so, naturally, having multiple interfaces doesn't by itself necessitate bridging. So, I need to see why you're doing it to reply coherently. In the meantime, have you captured any packets between the boxes to see exactly what pfSense is sending in its Router Advertisements, DHCPv6 Advertisements, and DHCPv6 Replies?

mdpugh

OK. I see what you're doing now. I'm not sure that bridging would interfere with your problems in this thread, so the only thing I would suggest is getting one working flawlessly before proceeding to the next. That's one advantage to having more than one machine providing these services–much easier to troubleshoot.

I thought you'd said you were running DNS on this box, but when I went back to make sure (albeit quickly), I couldn't find it. At any rate, I guess you won't be needing DNS Forwarder, and I'm not sure what, if anything, Bind97 will do with the DNS Server fields in General Setup; I'm not familiar with Bind97 in particular. It can't hurt to populate the fields though. I've got mine set to 2001:470:20::2 and using the WAN_IPv6 gateway now, but it also worked before I selected a GW. Since you've got more than one GW, pfSense may not default to this behavior, so it's probably best to use one of them.

The dhcpdv6.conf looks right to me. The next thing I would do is capture a DHCPv6 _Advertise_ment and see if it has the DNS server option included. It wouldn't hurt to get a _Solicit_ation too and make sure the clients are requesting it. Windows clients request DNS by default, but you never know. If you're right about the DNS option being disabled in pfSense for now, the fact that pfSense is generating a correct config file doesn't necessarily equate to advertising it on the link. The Request and Reply messages also contain the DNS Server option, if you want to check those too. You should be able to see where this is breaking down. Wireshark has been the quintessential troubleshooting tool for me.

mdpugh

Here's something else I'd try. Run something like this on a Windows client and reply with your results:

PS C:\Windows\system32> netsh interface ipv6 show int

Idx Met MTU State Name
–- ---------- ---------- ------------ ---------------------------
1 50 4294967295 connected Loopback Pseudo-Interface 1
16 10 1280 connected Local Area Connection
11 50 1280 disconnected IP6Tunnel
13 50 1280 disconnected isatap.ComPughTerWorx.com
18 10 1280 connected Local Area Connection 2

PS C:\Windows\system32> netsh interface ipv6 show int 18

Interface Local Area Connection 2 Parameters

IfLuid : ethernet_9
IfIndex : 18
State : connected
Metric : 10
Link MTU : 1280 bytes
Reachable Time : 34500 ms
Base Reachable Time : 30000 ms
Retransmission Interval : 1000 ms
DAD Transmits : 1
Site Prefix Length : 64
Site Id : 1
Forwarding : disabled
Advertising : disabled
Neighbor Discovery : enabled
Neighbor Unreachability Detection : enabled
Router Discovery : enabled
Managed Address Configuration : enabled
Other Stateful Configuration : enabled
Weak Host Sends : disabled
Weak Host Receives : disabled
Use Automatic Metric : enabled
Ignore Default Routes : enabled
Advertised Router Lifetime : 1800 seconds
Advertise Default Route : disabled
Current Hop Limit : 64
Force ARPND Wake up patterns : disabled
Directed MAC Wake up patterns : disabled

PS C:\Windows\system32>

joe_cowboy

I am I am running BIND97 package Name Server/DNS. So far it will resolve any IPv6 address and Name using nslookup. Even the local IPv6 address: www6.pfsense.localdoamin or ipv6.pfsense.localdomain. What I put in my zone records.

C:\Windows\system32> netsh interface ipv6 show int

Idx Met MTU State Name
–- ---------- ---------- ------------ ---------------------------
1 50 4294967295 connected Loopback Pseudo-Interface 1
13 64 1500 connected Wireless Network Connection
14 50 1280 disconnected isatap.local
15 5 1500 disconnected Wireless Network Connection 2
12 50 1280 connected Teredo Tunneling Pseudo-Interface
17 50 1280 disconnected isatap.{17833B82-C5E9-4494-B44F-48984733BA06}
19 50 1280 disconnected isatap.{063A2798-F022-487E-A745-DD0A1BDE0E62}

C:\Windows\system32> netsh interface ipv6 show int 13

joe_cowboy

Wire Shark Capture:

12 0.699003 fe80::aac9:adff:fe39:dfb ff02::1 ICMPv6 166 Router Advertisement from aa:c9:ad:39:0d:fb

Frame 12: 166 bytes on wire (1328 bits), 166 bytes captured (1328 bits)
Ethernet II, Src: aa:c9:ad:39:0d:fb (aa:c9:ad:39:0d:fb), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::aac9:adff:fe39:dfb (fe80::aac9:adff:fe39:dfb), Dst: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: Router Advertisement (134)
Code: 0
Checksum: 0xec6d [correct]
Cur hop limit: 64
Flags: 0xc0
1… .... = Managed address configuration: Set
.1.. .... = Other configuration: Set
..0. .... = Home Agent: Not set
...0 0... = Prf (Default Router Preference): Medium (0)
.... .0.. = Proxy: Not set
.... ..0. = Reserved: 0
Router lifetime (s): 1800
Reachable time (ms): 0
Retrans timer (ms): 0
ICMPv6 Option (Source link-layer address : aa:c9:ad:39:0d:fb)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: aa:c9:ad:39:0d:fb (aa:c9:ad:39:0d:fb)
ICMPv6 Option (Prefix information : 2001:470:2d8f:2::/64)
Type: Prefix information (3)
Length: 4 (32 bytes)
Prefix Length: 64
Flag: 0xc0
1... .... = On-link flag(L): Set
.1.. .... = Autonomous address-configuration flag(A): Set
..0. .... = Router address flag(R): Not set
...0 0000 = Reserved: 0
Valid Lifetime: 2592000
Preferred Lifetime: 604800
Reserved
Prefix: 2001:470:2d8f:2:: (2001:470:2d8f:2::)
ICMPv6 Option (Recursive DNS Server 2001:470:2d8f:2::1)
Type: Recursive DNS Server (25)
Length: 3 (24 bytes)
Reserved
Lifetime: 900
Recursive DNS Servers: 2001:470:2d8f:2::1 (2001:470:2d8f:2::1)
ICMPv6 Option (DNS Search List Option pfSense.localdomain)
Type: DNS Search List Option (31)
Length: 4 (32 bytes)
Reserved
Lifetime: 900
Domain Names: pfSense.localdomain
Padding

mdpugh

These seem correct at first glance. Have you captured any of the DHCPv6 messages?

joe_cowboy

What kind of messages do you want? What are you wanting me to capture with WireShark?

Thanks again…

mdpugh

Start with a DHCPv6 Solicit and its accompanying DHCPv6 Advertisement. That's probably enough to see what's happening (or not).

mdpugh

On a Windows client type ipconfig /release6 in a Powershell (or command prompt) window. The start Wireshark capturing on an interface that will request an IPv6 address from pfSense. Return to Powershell and type ipconfig /renew6. Stop capture and examine the DHCPv6 messages between machines. Post here if you like or send me the capture file.

mdpugh

Are you positive that the client is getting the IPv6 address from the server? The client you ran ipconfig on should have an address ending in :ebcf provided you haven't released it since running Wireshark. Here is what I'm not seeing: DHCPv6 Request and DHCPv6 Reply. The fact that an Advertise message appears in response to each Solicit proves that your server is hearing your client. The client is then supposed to respond to the Advertise with a Request and, finally, the server answers with a Reply. The absence of the Request indicates to me that your client isn't responding (or responding properly) to the server. But if the client is getting an IPv6 address from the server, then we have a more complicated scenario because it's responding to the Advertise only in part. I'll have to do some digging to see at what point in the message/response sequence the client commits to the address. There is enough information in the Advertise for the client to extract the offered address, but there is also enough for it to get the DNS server address, so why one and not the other? No matter what, though, the client should be sending a Request and it isn't.

joe_cowboy

This is happening to all clients on the network even on LAN. The Wireshark output I sent you was on WLAN.

Thanks again for looking at the Wireshark data.

-Joe Cowboy

mdpugh

Get the client in an identical state to what it was in immediately after the Wireshark capture you sent me (the corrected one). Then run ipconfig /all and netsh interface ipv6 show int where <int#>is the interface that just obtained the IPv6 address from pfSense. You can post the results here, obfuscate addresses if desired, or e-mail them to me. The second Wireshark capture looks like this should be working.</int#>

joe_cowboy

Thank you for all your extensive help mdpugh. Figured out the major foobar from you help…. I had for the interface Bridge the wrong IPv6 address: I didn't have the proper Routed IPv6 Prefixes range of address. So that issue is fixed now. I can get to IPv6 websites now. So the DHCPv6 now hands out the correct Routed IPv6 Prefixes range and also the DNS server IPv6 address but still not the GATWAY IPv6 address. That is still a work on progress from the pfSense team getting that to work.

However the other issue is still happening with the other two tunnels I have set up. The Gateways still show Offline.

-Joe Cowboy

mdpugh

As I understand it, the current specification dictates that the router hand out only its link-local address in the RA (not counting a link-local CARP address, I suppose ;D) and that DHCPv6 not distribute any gateway address. I don't know if providing additional functionality violates the specification per se, but the spec doesn't call for it, and it shouldn't be counted upon. Is that correct? Or would it be outright nonconformance?

joe_cowboy

Has anybody tried setting up two or more HE.net tunnels on their pfSense router with multiple WAN interfaces? Where each WAN has it's own tunnel? If so does your TUNNNEL GATEWAY that is not associated with the main WAN interface show Oneline. Why I say that WAN1 and WAN2 Tunnels show offline. I have deleted the tunnels multiple times and recreating them.

Another thought if you group them aka loadbalance these tunnels would you have to manually add a IPv6 address to the interface the DHCPv6 server sits on "Routed /64" subnet from HE.net tunnel. Then also statically add an IPv6 address on your client machines from each of the "Routed /64" subnet tunnels?

Thanks for your help.

mdpugh

What are your pfSense configurations for all three tunnel interfaces? Show IPv6 address, IPv6 gateway, IPv4 endpoints, etc.

yon

Me too. I have setup Second ipv6 tunnel via Second WAN, but it is show offline. :(

yon

I find once creat second ipv6 tunnel in interface,then all ipv6 tunnel link will offline.

Multiple IPV6 Tunnels

Interface Local Area Connection 2 Parameters

Interface Wireless Network Connection Parameters