RA Daemon "Assisted" Bug Fix (maybe, I'm not sure if this was by design)
-
Hi Guys,
I just made videos on how to configure IPv6 on pfSense. While I was making them, I noticed that the "Assisted" option in the Router Advertisement Daemon always set the "Managed Address Configuration" flag to set (enabled). Now from what I understood "Assisted" basically is Stateless DHCP. And in Stateless DHCP, clients Autoconfig their addresses using SLAAC and ONLY get their IPv6 Options from the DHCPv6 Server. But the pfSense RA Daemon was not only telling everyone on the network to autoconfigure their IPv6 addresses using SLAAC, but to ALSO get an IPv6 address from the DHCPv6 server.
So I modified the services.inc to write the radvd.conf properly, so that the option AdvManagedFlag is set to off when we choose Assisted. Now when I choose Assisted and run a packet capture, the Router Advertisement is setting the "Managed Address Configuration" flag to disabled (not set). This is the expected behavior (or at least I think the expected behavior) of Stateless DHCP.
Once I knew where to modify the setting it was fairly simple. I'll document it below:-
One of the functions that runs when you hit save on the Router Advertisements page is services_radvd_configure(), and this function writes the radvd.conf file. This function resides in /etc/inc/services.inc
So open up services.inc and modify the following chunk of code FROM:
    switch($dhcpv6ifconf['ramode']) {
        case "managed":
        case "assist":
            $radvdconf .= "\tAdvManagedFlag on;\n";
            $radvdconf .= "\tAdvOtherConfigFlag on;\n";
            break;
    }

TO:

    switch($dhcpv6ifconf['ramode']) {
        case "managed":
            $radvdconf .= "\tAdvManagedFlag on;\n";
            $radvdconf .= "\tAdvOtherConfigFlag on;\n";
            break;
        case "assist":
            $radvdconf .= "\tAdvManagedFlag off;\n";
            $radvdconf .= "\tAdvOtherConfigFlag on;\n";
            break;
    }

Save and exit and now your RA Daemon on pfSense is going to advertise the RA's with the "Managed Address Configuration" flag to not set (disabled)!!!
I hope this helps someone out!! I have made a video of this on Youtube showing you step by step how to do this. Part 3 of the following video series explains this (I think around minute 14). http://www.youtube.com/playlist?list=PL4T5Ac0HrL3PeGPoixe8RpHEeZuhf_hDD
Please subscribe to my channel and/or "Like" my videos if anything there helps you out!!!
Kind regards,
Aqueeb. -
This is by design… https://redmine.pfsense.org/issues/3057
-
Alright, so "Assisted" is by design. But then, is there no option for Stateless DHCP? If there is not, I'd like to volunteer to add a "Stateless DHCP" option to the drop down of the Router Advertisement page.
Before I start doing that, I'd just like a confirmation, that there indeed is no way of doing Stateless DHCP in pfSense.
Kind regards,
Aqueeb. -
I was actually too excited to be able to change something on an open source project as big as pfSense. So I went ahead and modified the appropriate files to add Stateless DHCP. Created a video as I was doing the modifications. Video is at
http://youtu.be/4eVx5y5EO7o
I will also document the changes here.
Files that need to be modified.
1. /usr/local/www/services_router_advertisements.php
2. /etc/inc/services.inc

First we modify the services_router_advertisements.php to add the "Stateless DHCP" option to the drop down box. Super easy:-

CHANGE

    $advertise_modes = array("disabled" => "Disabled",
                             "router" => "Router Only",
                             "unmanaged" => "Unmanaged",
                             "managed" => "Managed",
                             "assist" => "Assisted");

TO

    $advertise_modes = array("disabled" => "Disabled",
                             "router" => "Router Only",
                             "unmanaged" => "Unmanaged",
                             "managed" => "Managed",
                             "assist" => "Assisted",
                             "stateless_dhcp" => "Stateless DHCP");

Save and Exit. Then modify the file, services.inc. Change is at TWO places:-
CHANGE-ONE
CHANGE FROM

    switch($dhcpv6ifconf['ramode']) {
        case "managed":
        case "assist":
            $radvdconf .= "\tAdvManagedFlag on;\n";
            $radvdconf .= "\tAdvOtherConfigFlag on;\n";
            break;
    }

TO

    switch($dhcpv6ifconf['ramode']) {
        case "managed":
        case "assist":
            $radvdconf .= "\tAdvManagedFlag on;\n";
            $radvdconf .= "\tAdvOtherConfigFlag on;\n";
            break;
        case "stateless_dhcp":
            $radvdconf .= "\tAdvManagedFlag off;\n";
            $radvdconf .= "\tAdvOtherConfigFlag on;\n";
            break;
    }

CHANGE-TWO
CHANGE FROM

    switch($dhcpv6ifconf['ramode']) {
        case "managed":
            $radvdconf .= "\t\tAdvOnLink on;\n";
            $radvdconf .= "\t\tAdvAutonomous off;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
        case "router":
            $radvdconf .= "\t\tAdvOnLink off;\n";
            $radvdconf .= "\t\tAdvAutonomous off;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
        case "assist":
            $radvdconf .= "\t\tAdvOnLink on;\n";
            $radvdconf .= "\t\tAdvAutonomous on;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
        case "unmanaged":
            $radvdconf .= "\t\tAdvOnLink on;\n";
            $radvdconf .= "\t\tAdvAutonomous on;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
    }

TO

    switch($dhcpv6ifconf['ramode']) {
        case "managed":
            $radvdconf .= "\t\tAdvOnLink on;\n";
            $radvdconf .= "\t\tAdvAutonomous off;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
        case "router":
            $radvdconf .= "\t\tAdvOnLink off;\n";
            $radvdconf .= "\t\tAdvAutonomous off;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
        case "stateless_dhcp":
        case "assist":
            $radvdconf .= "\t\tAdvOnLink on;\n";
            $radvdconf .= "\t\tAdvAutonomous on;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
        case "unmanaged":
            $radvdconf .= "\t\tAdvOnLink on;\n";
            $radvdconf .= "\t\tAdvAutonomous on;\n";
            $radvdconf .= "\t\tAdvRouterAddr on;\n";
            break;
    }

For CHANGE-TWO all we do is add the line

    case "stateless_dhcp":

above

    case "assist":

Save and exit
And that's it guys. After this, when you choose the option Stateless DHCP, the Managed Flag in Router Advertisements will be not set (disabled)!!
I hope this helps someone out!
Kind regards,
Aqueeb. -
In the case of adding another option I would suggest to clean up the text on the Router Advertisements option on services_router_advertisements.php so that each option is explained in a bullet list, because it is kind of messy right now. It would help first-time IPv6 users to more easily understand the options and their scope/consequences (well briefly).
- al :-)
-
Hi Al,
I think the way pfSense's team has described it is because they have dumbed it down. Maybe a description describing what each setting does with the way it sets the RA packet flags?
If you have any suggestions let me know, I'll probably draft something up Wednesday night and post here.
Kind regards,
Aqueeb. -
What exactly are you "fixing" here? You've duplicated Unmanaged.
-
Unmanaged sets the "Other Configuration" flag to not set (disabled). So if I wanted my DHCP server to give out DNS servers, NTP servers, SIP servers, AND I wanted my clients to use SLAAC, pfSense does not allow me to do that. I think the term is "Stateless DHCP" where you can have your IPv6 computers use Stateless Address Autoconfiguration, but ALSO get DHCP options, WITHOUT getting a DHCP address. And that is what I've fixed.
Am I missing something???
Kind regards,
Aqueeb. -
What are your clients? Because that's exactly what "assisted" does, as is… without any fixes. With Windows clients at least.
-
"Assisted" ALSO gives out an IPv6 address. I do NOT want my clients to get an IPv6 address from my DHCPv6 server. I want them to ONLY get the extra DHCPv6 options.
I've made a quick 2 minute video demonstrating EXACTLY what I mean.
http://youtu.be/gYzv-uEvExY
Kind regards,
Aqueeb. -
Again, depends on the client. We're going in circles here; "assisted" produces exact same result as your "stateless" with Windows.
-
I am talking about Windows clients.
Assisted gives out IPv6 addresses from the DHCP pool to windows clients, agreed??
Assisted also gives out DHCP options to clients, like dns, agreed?
Unmanaged asks the windows client to autoconfigure itself, using SLAAC, but does NOT ask the client to get extra options from DHCP, agreed? So if I used Unmanaged, my windows client autoconfigures itself with an IPv6 address, but DOES NOT have any DNS servers, agreed??
My custom option "Stateless DHCP", asks the client to NOT GET an IPv6 address from DHCP, BUT DO GET DNS servers from DHCP, AND TO ALSO configure itself using SLAAC.
I am using Windows 7 x64 SP1 by the way. Which clients are you talking about by the way?
How are we going in circles?
Kind regards,
Aqueeb. -
Assisted gives out IPv6 addresses from the DHCP pool to windows clients, agreed??
Nope. Not what I can see here.
-
You may not be running a DHCPv6 server or you may have something else wrong with your configuration.
And that's beside the point anyway.
"Assisted" sets the "Managed Address Configuration" flag to SET (enabled) in the Router Advertisement packet, whereas my custom option "Stateless DHCP" sets that same flag to NOT SET (disabled). You can do a packet capture of Router Advertisements using Wireshark to verify what I am saying.
All the other options "Router Only", "Unmanaged", "Managed", "Assisted", do NOT have a combination of the following flags:-
"Managed Address Configuration" to NOT SET
"Other Configuration" to SET
"OnLink" to SET
"Autonomous" to SET
And this combination is REQUIRED for Stateless DHCP to work. And Stateless DHCP is something I have not come up with myself. It is an RFC (https://tools.ietf.org/rfc/rfc3736.txt).
And the above combination is what I have added as a FIX.
You can argue to the end of time, that what I have done, is what is already implemented in pfSense. For that, I suggest 2 things.
1. Look at the radvd.conf file that is generated with each of the modes ("Router Only", "Unmanaged", etc.). You will see that none of the radvd.conf auto-generated contains the above mentioned combination.
2. Do a packet capture of the Router Advertisement packet, in each of the modes, and then compare the flags that are set. Again you will find, that the combination required for Stateless DHCP to work, is missing.
And I HAVE done all of the above, and now I am convinced that the custom option "Stateless DHCP", should NOT be custom, it should be a part of the standard pfSense install.
Kind regards,
Aqueeb. -
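Added example, not part of any post in this thread and not pfSense code: the flag comparison proposed above, done on raw Router Advertisement bytes laid out as in RFC 4861. The names `MODES`, `build_ra`, `parse_ra`, `classify` and `classify_modes` are hypothetical, the sample packets are constructed with the documentation prefix 2001:db8:1::/64, and it assumes modes absent from the first switch block keep radvd's default of off for both RA header flags.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option

# (M, O, L, A) per mode, following the switch blocks posted in this thread.
# Assumption: modes missing from the first switch keep radvd's M/O default (off).
MODES = {
    "router":         (False, False, False, False),
    "unmanaged":      (False, False, True,  True),
    "managed":        (True,  True,  True,  False),
    "assist":         (True,  True,  True,  True),
    "stateless_dhcp": (False, True,  True,  True),
}

def build_ra(managed, other, onlink, autonomous, prefix="2001:db8:1::", plen=64):
    """Constructed sample RA (ICMPv6 header onward, checksum left as 0)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    pflags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags, 86400, 14400, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def parse_ra(icmp6):
    """Extract the M/O flags and each prefix's L/A flags from raw RA bytes."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp6[5] & 0x80), "other": bool(icmp6[5] & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{icmp6[off + 2]}",
                                   "onlink": bool(icmp6[off + 3] & 0x80),
                                   "autonomous": bool(icmp6[off + 3] & 0x40)})
        off += opt_len
    return ra

def classify(ra):
    """Name what the RA signals to hosts; actual client behaviour can differ."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6 + SLAAC" if slaac else "stateful DHCPv6"
    if ra["other"]:
        return "stateless DHCPv6 (SLAAC + options)" if slaac else "DHCPv6 options only"
    return "SLAAC only" if slaac else "router only"

def classify_modes():
    return {mode: classify(parse_ra(build_ra(*f))) for mode, f in MODES.items()}
```

To check a real capture, pass `parse_ra` the ICMPv6 payload of a Router Advertisement exported from the capture tool instead of the output of `build_ra`.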
You may not be running a DHCPv6 server or you may have something else wrong with your configuration.
I damn sure am running a DHCPv6 server. The only way to get W7/8/8.1 a DHCP6 lease is to set radvd to Managed. Otherwise, stateless IP outside of the DHCP range is used. Vista I don't have. IPv6 in XP sucks enormously. I can do all wireshark you want and that does not change a thing - since what happens heavily depends on the DHCP client, which apparently you refuse to acknowledge.
Now, with Assisted, e.g. one HP printer gets both stateful and stateless IPs, so do some Apple devices. Some printers do not get any IPv6 with Managed. Linux is a complete mess, depending on distro, its age, NetworkManager being used or not and which version, sysctl config, etc. etc. etc. So yeah, anyone can add yet another option, will not make the mess any more consistent. And then someone will come and invent yet something else. ::)
-
And this combination is REQUIRED for Stateless DHCP to work. And Stateless DHCP is something I have not come up with myself. It is an RFC (https://tools.ietf.org/rfc/rfc3736.txt).
Unless I'm missing something, that RFC only deals with the DHCP side of things; it doesn't address advertisement flags at all. Are you saying that your clients are not getting an address at all in this scenario? If you just don't want your DHCP server to give out stateful addresses at all, that really seems like more of a configuration issue with the DHCP server than with the advertisements.
-
Unless I'm missing something, that RFC only deals with the DHCP side of things; it doesn't address advertisement flags at all. Are you saying that your clients are not getting an address at all in this scenario? If you just don't want your DHCP server to give out stateful addresses at all, that really seems like more of a configuration issue with the DHCP server than with the advertisements.
In IPv6, clients requesting an IP need to have two conditions fulfilled. One is to have a DHCP server and the second is to receive a Router Advertisement packet with the Managed flag SET. Clients will NOT get an IP, if either of these conditions are not met.
I damn sure am running a DHCPv6 server. The only way to get W7/8/8.1 a DHCP6 lease is to set radvd to Managed.
The ONLY way to get ANY DHCP6 client to get a DHCP6 lease IS to set the Managed flag to SET, which the "Managed" mode does.
Which the "Assisted" mode does.
Which the "Router Only" mode DOES NOT.
Which the "Unmanaged" mode DOES NOT.
Hence NO MATTER WHAT you do on the DHCPv6 Tab, your clients will NOT get an IP address from the DHCP server in, "Router Only" and "Unmanaged" mode.
Otherwise, stateless IP outside of the DHCP range is used. Vista I don't have. IPv6 in XP sucks enormously. I can do all wireshark you want and that does not change a thing - since what happens heavily depends on the DHCP client, which apparently you refuse to acknowledge.
Only reason I have not commented on the client side of things is because I am only talking about how the flags in the RA packet are set. And because the RA packet is sent out by the router ONLY, the point what the clients do, is moot.
Now, with Assisted, e.g. one HP printer gets both stateful and stateless IPs, so do some Apple devices.
The reason why your devices are REQUESTING an address from the DHCP server AND autoconfiguring themselves is because in "Assisted" mode, BOTH flags are SET.
The Managed flag is SET.
The Autonomous flag is SET.
Some printers do not get any IPv6 with Managed.
I'd like to know the model numbers of these printers. Without a packet capture of the packets sent out by your printers, my guess is as good as yours as to WHY they are NOT getting any IPv6 addresses from the DHCP server. Maybe there is something on the websites of these printers' manufacturers that may clue me in to their current behaviour.
Linux is a complete mess, depending on distro, its age, NetworkManager being used or not and which version, sysctl config, etc. etc. etc.
Sorry to hear you have such trouble with Linux. Give me a distro name that you are having trouble with and I'll try and find out what is the source of your trouble.
So yeah, anyone can add yet another option, will not make the mess any more consistent. And then someone will come and invent yet something else. ::)
I can't say what someone else WILL or WILL NOT do. Only that, thankfully, I have not invented something. Just added on an option to the pfSense router that it is obviously lacking.
Not ONE of the modes in pfSense generates an RA packet which has
the "Managed" flag UNSET
AND
the "Other Configuration" flag SET
AND
the "Autoconf" flag SET
These are required flags for 2 things to happen on the client:-
1. Get ONLY Other options from DHCP (NOT an IPv6 address)
2. Use Stateless Address Autoconfiguration to create your own IPv6 address.
These 2 things working together is called Stateless DHCP in IPv6.
Kind regards,
Aqueeb. -
I'm having no trouble, thanks. I simply live with reality, which is that
- some printers have broken firmware
- implementations differ between platforms
- implementations change in time
- the RFCs/specs change in time and new ones are being created
- etc. etc. etc.
Now, I think you made it pretty clear you cannot live without your magic combo of flags for unspecified reason. Have a nice day.
-
I'm having no trouble, thanks. I simply live with reality, which is that
- some printers have broken firmware
- implementations differ between platforms
- implementations change in time
- the RFCs/specs change in time and new ones are being created
- etc. etc. etc.
I never argued with any of the above mentioned issues. I do not understand why you are even bringing them up.
Now, I think you made it pretty clear you cannot live without your magic combo of flags for unspecified reason. Have a nice day.
How is it MY magic combo, when AT THE CURRENT MOMENT, implementing Stateless DHCP, involves having those flags set??
If I understand you correctly, I should not be using Stateless DHCP because I don't have a reason for it? Or because your experience with the current crop of clients tells you that it is pointless?
Have you ever considered that my environment is not the same as yours? That the clients I do have (Windows 7 x64 SP1) play very nice with IPv6. And if my clients DO play nice with IPv6, I should be left high and dry because pfSense does not support an industry standard?
I'm confused as to why you think that implementing a standard, when that standard actually makes your life easier, is a pointless thing??
Since you mentioned that I have not specified my reasons, here they are:-
I have just implemented port forwarding for 45 PCs all running IPv6 and Windows 7 x64 SP1. All I needed to do was create the appropriate port forwarding rules. No need to add address reservations in DHCP, since all are autoconfiguring themselves with the same IPv6 address every time. BUT, how do I assign DNS servers, if I'm NOT using DHCPv6??? Enter "MY magic combo".
You have a nice day too!
-
Hi
It is late here, where I live so I'll try to make it short :-)
Regarding stateless DHCP I have found something that supports Aqueeb's arguments.
Microsoft mentions it here:
http://technet.microsoft.com/en-us/library/cc753493.aspx
But yes it is really a jungle with all these possible options although each of them (likely) have their use case.
Now regarding my earlier suggestion aligning the descriptions of the individual options in a list would help changing services_router_advertisements.php:
Select the Operating Mode for the Router Advertisement (RA) Daemon. Use "Router Only" to only advertise this router, "Unmanaged" for Router Advertising with Stateless Autoconfig, "Managed" for assignment through (a) DHCPv6 Server, "Assisted" for DHCPv6 Server assignment combined with Stateless Autoconfig It is not required to activate this DHCPv6 server when set to "Managed", this can be another host on the network
e.g. into:
-----
- Router Only: Use only to advertise this router
- Unmanaged: For Router advertising with Stateless Autoconfig. IPv6 address is client configured
- Managed: For assignment through (a) DHCPv6 Server
- Assisted: DHCPv6 Server assignment (Managed) combined with Stateless Autoconfig (Unmanaged)
- Stateless DHCPv6: All DHCPv6 options except IPv6 address which is client configured (Unmanaged)
It is not required to activate this DHCPv6 server when set to "Managed", this can be another host on the network
-----
Although I might not have nailed every description perfectly, I think this is more helpful for the user. Please feel free to comment :-)
-