Netgate Discussion Forum

    "Hide" IPv6 from certain devices?

    • forbiddenlakeF
      forbiddenlake

      So one or two of my Android devices connect to WiFi, then 2-15s later, disconnect, and do that forever.  When I disable IPv6 on pfSense, this behavior stops and wifi works fine on the device. I'm running 2.3.2-RELEASE-p1, with a TP-Link AC1750 running LEDE (11/11 build) in bridge mode for the WAP + switch duties. I have Comcast and have configured IPv6 in Track Interface mode, with RA set to Unmanaged.

      Is there a way to "hide" IPv6 capabilities from just one device?  I would not like to disable it for all devices.

      The Android error is as follows and appears to be this bug - if this gives you ideas on alternate ways to fix it on the pfSense end, suggestions welcome.

      W IpReachabilityMonitor: FAILURE: LOST_PROVISIONING, NeighborEvent{elapsedMs=18140760, 2601:18f:[...]:fe33:ad], [(null)], RTM_NEWNEIGH, NUD_FAILED}
      E WifiNative: : [18,140,763,216 us] DISCONNECT  stack:logDbg - disconnect - handleIpReachabilityLost - -wrap22 - processMessage
      

      From a computer, I can ping6 that IP (it's the pfSense machine) and ip -6 neigh show shows it as REACHABLE, so I'm unclear why Android is determining NUD_FAILED.

      • MikeV7896M
        MikeV7896

        Reading through that thread, there seemed to be a number of people that tied the issue to wireless security rekeying, which would have nothing to do with pfSense (unless you have a WiFi card/adapter connected to your pfSense box and pfSense is managing the wireless settings).

        You might want to look into the wireless security settings on your TP-Link access point and see what the rekeying interval is. You might be able to reduce instances of disconnection by increasing the interval. It looks like the bug has been fixed in the end, it's just up to manufacturers to update their devices.

        To address your original question, though… no, there's no way to hide IPv6 from a select device or group of devices. It's all or nothing. You could block certain devices from making connections via IPv6... but they'll still get an IPv6 address.

        The S in IOT stands for Security

        • johnpozJ
          johnpoz LAYER 8 Global Moderator

          Yeah there is no way to hide it on a specific network..  But if you were using a real AP that had vlan support you could for sure create a vlan that has ipv6 and an ssid that does not have ipv6.  Just connect your devices to the ssid you want, or get real fancy and use dynamic assigned vlans so you put your clients that have issues with ipv6 in the nonipv6 vlan, etc.

          I have ipv6 enabled on my guest vlan and normal wifi vlan for example, but I don't have it on any other wifi vlans.  For example the one I use for iot devices has no ipv6 enabled.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • forbiddenlakeF
            forbiddenlake

            Android 7.1.1 didn't fix it. I added another WAP and plugged it in to OPT1 and configured it for IPv4 only.  Not the cleanest solution, but at least I can use IPv6 on the rest of my network AND WiFi on my phone at the same time.

            • D
              doktornotor Banned

              @forbiddenlake:

              Android 7.1.1 didn't fix it.

              Amazing. Even marking the embarrassing bug as private so that people cannot find it did not fix the issue for Google? I'm shocked!  ::)

              • forbiddenlakeF
                forbiddenlake

                So I'll want to use this for a few days to confirm, but ..
                It appears that manually setting the DNS servers in the RDNSS settings fixes this.
                Entering Google's DNS -> works
                Entering one Google and the pfSense's IPv6 LAN address -> works
                Leaving it blank -> broke
                Entering only pfSense's IPv6 LAN address -> broke

                Troubleshooting suggestions welcome ..
