Netgate Discussion Forum

    Comcast IPv6 address issue

    20 Posts 5 Posters 5.5k Views
    • MikeV7896

      @hendersonmc:

      @virgiliomi:

      Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).

      And sorry about the . vs _ in the filename. :)

      Well, even after regenerating that file, I am getting no IPv6 traffic through the Comcast gateway. There are many advanced settings for IPv6… should I mess with them?

      So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es)). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.

      The S in IOT stands for Security

      • hendersonmc

        @Gertjan:

        he.net uses an IPV4 "server" address on their side - one needs to know all the time what your WAN IPv4 is.
        Their setup instructions are clear about that.
        Added to that, your WAN IPv4 needs to be 'pingable'.

        This sounds to me like the instructions for setting up the tunnel… it is set up and works fine, other than having no AAAA record.

        @Gertjan:

        On the pfSense side, there exists a tool that does just that - if you set it up.
        Go here: Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker" type service. The settings are taken from your "he.net IPv6 tunnel account" page.

        Thanks for pointing out that pfSense allows more than one Dynamic DNS configuration!

        @Gertjan:

        he.net uses an IPV4 "server" address on their side - one needs to know all the time what your WAN IPv4 is.
        Their setup instructions are clear about that.
        Added to that, your WAN IPv4 needs to be 'pingable'.
        On the pfSense side, there exists a tool that does just that - if you set it up.
        Go here: Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker" type service. The settings are taken from your "he.net IPv6 tunnel account" page.
        This service, comparable to what No-IP offers btw, will assure that YOUR IPv4 is known all the time at he.net.

        Instructions for filling out the pfSense Dynamic DNS Client configuration for HE.net (aka tunnelbroker.net) are right on the configuration page, namely for Hostname you should for "he.net tunnelbroker: Enter the tunnel ID".

        That said, I am failing with interesting entries in the system log; consider this…

        Jan 3 16:19:22 php-fpm 37351 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
        Jan 3 16:19:22 check_reload_status Syncing firewall
        Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
        Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD: abuse
        Jan 3 16:19:12 check_reload_status Syncing firewall
        Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
        Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD:
        Jan 3 16:18:56 check_reload_status Syncing firewall
        Jan 3 16:18:40 php-fpm 79049 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
        Jan 3 16:18:40 check_reload_status Syncing firewall

        All I am changing to try to get something to work is which interface I am selecting, namely my WAN, IPV6 tunnel, or LAN.

        • hendersonmc

          @virgiliomi:

          So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es)). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.

          Just a modem… by special request!

          • hendersonmc

            I tracked down one issue; the dhcp6c process is being started twice for the same interface.

            root    58549  0.0  0.1 10096  1832  -  Is    8:07PM    0:00.11 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
            root    91097  0.0  0.1 10096  1824  -  Is    8:07PM    0:00.10 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0

            Does anyone know how the hidden startup files can be corrected? Just editing the interface through the pfSense Interface Configuration editor is not correcting the problem.

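A way to spot the condition reported in the post above, as an added example that is not part of the original thread: group `dhcp6c` processes by the pid file given with `-p` and report any pid file claimed more than once. `dup_dhcp6c` and `sample_ps` are hypothetical helper names; the sample contains the two `ps` lines from the post plus constructed lines.

```shell
#!/bin/sh
# Added example: report pid files claimed by more than one dhcp6c process.
# dup_dhcp6c is a hypothetical helper; it reads `ps uxawww` output on stdin.

dup_dhcp6c() {
    awk '
        # Field 11 is the command itself, so "grep dhcp6c", "sh -c ..." and
        # the dhcp6c_*_script.sh helper are not counted.
        $11 ~ /(^|\/)dhcp6c$/ {
            for (i = 12; i < NF; i++)
                if ($i == "-p") {
                    pf = $(i + 1)              # pid file path follows -p
                    count[pf]++
                    pids[pf] = pids[pf] " " $2
                }
        }
        END {
            for (pf in count)
                if (count[pf] > 1)
                    print pf ":" pids[pf]
        }
    '
}

# Sample input: the first two lines are from the post; the last two are constructed.
sample_ps() {
    cat <<'EOF'
root    58549  0.0  0.1 10096  1832  -  Is    8:07PM    0:00.11 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root    91097  0.0  0.1 10096  1824  -  Is    8:07PM    0:00.10 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root    40001  0.0  0.1 10096  1820  -  Is    8:07PM    0:00.02 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_opt1.conf -p /var/run/dhcp6c_em2.pid em2
root    81512  0.0  0.1 10264  1908  -  S     8:09PM    0:00.00 grep dhcp6c
EOF
}

sample_ps | dup_dhcp6c    # prints: /var/run/dhcp6c_em0.pid: 58549 91097
```

On a live system the input would be `ps uxawww | dup_dhcp6c`; empty output means no pid file is shared.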
            • Guest

              @hendersonmc:

              I tracked down one issue; the dhcp6c process is being started twice for the same interface.

              That one rears its ugly head again, I've been working on a fix for that. What version of pfSense are you running?

              • hendersonmc

                Here are the snapshots for the Interface Assignment and WAN Interface windows. All I change in the WAN Interface Configuration is the IPv6 Configuration Type to DHCPV6, then Save and Apply. While starting, I see this

                root    15315  1.0  0.1 10096  1828  -  Ss  10:34AM    0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
                root    74226  1.0  0.1 10460  2072  -  S    10:34AM    0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh
                root    81074  0.0  0.1 10460  2084  -  S    10:34AM    0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
                root    81512  0.0  0.1 10264  1908  -  S    10:34AM    0:00.00 grep dhcp6c

                And then I see this

                root    15315  0.0  0.1 10096  1828  -  Is  10:34AM    0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
                root    80687  0.0  0.1 10460  2084  -  S    10:38AM    0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
                root    81304  0.0  0.1 10264  1908  -  S    10:38AM    0:00.00 grep dhcp6c

                The DHCP log looks like this

                Jan 4 10:34:33 dhcp6c 15241 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
                Jan 4 10:34:33 dhcp6c 15241 failed initialize control message authentication
                Jan 4 10:34:33 dhcp6c 15241 skip opening control port
                Jan 4 10:34:48 dhcp6c 15315 XID mismatch

                And the system log shows this
                Jan 4 10:53:26 php-fpm 11639 /system_gateways.php: ROUTING: setting IPv6 default route to fe80::213:5fff:fe05:bfe2%em0
                Jan 4 10:53:27 php-fpm 11639 /system_gateways.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 3 leases to leases file. Listening on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Sending on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you think you have received this mes
                Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: The command '/sbin/route delete -host 2001:470:20::2 ' returned exit code '68', the output was 'route: bad address: 2001:470:20::2'
                Jan 4 10:53:29 check_reload_status Reloading filter
                Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: Removing static route for monitor fe80::213:5fff:fe05:bfe2 and adding a new route through fe80::213:5fff:fe05:bfe2%em0

                The WAN Interface looks like this

                WAN Interface (wan, em0)
                Status                      up
                DHCP                        up
                MAC Address                  c4:2c:03:05:41:0d - Apple
                IPv4 Address                98.195.72.200
                Subnet mask IPv4            255.255.248.0
                Gateway IPv4                98.195.72.1
                IPv6 Link Local              fe80::c62c:3ff:fe05:410d%em0
                IPv6 Address                2001:558:6022:b:c40:ffa:c94:3324
                Subnet mask IPv6            128
                Gateway IPv6                fe80::213:5fff:fe05:bfe2
                DNS servers
                                            127.0.0.1
                                            2001:470:20::2
                                            74.82.42.42
                                            68.87.85.102
                                            208.67.220.220
                MTU                          1500
                Media                        1000baseT <full-duplex>
                In/out packets              29523479/11443436 (33.45 GiB/1.06 GiB)
                In/out packets (pass)        29523479/11443436 (33.45 GiB/1.06 GiB)
                In/out packets (block)        123447/3244    (18.98 MiB/374 KiB)
                In/out errors                0/1
                Collisions                  0

                For my network, the IPv6 traffic is not forwarding. I am still using the public addresses that tunnelbroker gave me on the LAN, which might be a reason, although I can't understand what is wrong.

                I am also now noting a strange behavior that the IPv6 traffic that is enabled for logging in the UI is not showing up in formatted logs. Is this because the IPv6 traffic can't be forwarded?

                • hendersonmc

                  @marjohn56:

                  That one rears its ugly head again, I've been working on a fix for that. What version of pfSense are you running?

                  Latest version.

                  However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clear the Enabled flag, save, and then reboot.

                  Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…

                  • Guest

                    @hendersonmc:

                    @marjohn56:

                    That one rears its ugly head again, I've been working on a fix for that. What version of pfSense are you running?

                    Latest version.

                    However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clear the Enabled flag, save, and then reboot.

                    Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…

                    I was able to replicate the issue, it's quite random but I did see it. If you are not running with dhcp6 before ra you may want to try this patch. I have put a lock inside the rtsold script where it runs dhcp6c, it means it can never run two copies of dhcp6c. If you want to try it then I would ask you to pm me as I will need feedback on your findings.

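The post above describes putting a lock around the point where a script launches `dhcp6c`. The general pattern, as an added example that is not the patch mentioned in the post and not pfSense code: serialise the "is it running? if not, start it" step so two callers cannot both pass the check. `start_once`, `demo` and the file paths are hypothetical, and `sleep 30` stands in for the daemon.

```shell
#!/bin/sh
# Added example: serialise "check, then start" so concurrent callers
# cannot both launch the daemon. Names and paths here are hypothetical.

start_once() {            # usage: start_once PIDFILE command [args...]
    pidfile=$1; shift
    lock="$pidfile.lock"
    tries=0
    # mkdir is atomic: exactly one caller creates the directory and proceeds.
    until mkdir "$lock" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then return 2; fi   # lock was never released
        sleep 1
    done
    rc=0
    pid=$(cat "$pidfile" 2>/dev/null || true)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        rc=1                                # an instance is already alive
    else
        "$@" >/dev/null 2>&1 &              # start it, detached from our output
        echo "$!" > "$pidfile"
    fi
    rmdir "$lock"                           # release only after pidfile is written
    return "$rc"
}

# Constructed demo: three callers race to start the same stand-in daemon.
# Prints how many of them actually started it.
demo() {
    dir=$(mktemp -d)
    for n in 1 2 3; do
        ( rc=0; start_once "$dir/d.pid" sleep 30 || rc=$?
          echo "$rc" > "$dir/rc.$n" ) &
    done
    wait
    started=$(cat "$dir"/rc.* | grep -c '^0$')
    kill "$(cat "$dir/d.pid")" 2>/dev/null || true
    rm -rf "$dir"
    echo "$started"
}
```

Without the lock, two callers can both read an empty or stale pid file before either writes it, which is the check-then-act race that produces two processes sharing one pid file.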
                    • hendersonmc

                      Finally solved the dhcp6c process quitting.

                      Apparently, the tunnelbroker GIF tunnel that I had defined was interfering with the nominal IPv6, even though it was not assigned for any use on the Interfaces (assign) page, because when I deleted it, the WAN interface got a public IPv6 address.

                      • Derelict LAYER 8 Netgate

                        Hmm. I have an HE.NET tunnel and happily get DHCPv6 + /56 PD from Cox.

                        I have been watching it for a while. They are honoring the DUID and not changing my prefix despite new modems and WAN MACs. My IPv4 address with them has changed at least three times since I started getting delegated this prefix.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)
