[Solved] IPv6 Track Interface doesn't work - static IP works
-
I can capture those packages on WAN:
Shouldn't this be a sign that I actually get a /62?
Or am I missing something?No. Time Source Destination Protocol Length Source Port Destination Port Info 70 12.089014 fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2 DHCPv6 143 dhcpv6-client dhcpv6-server Solicit XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy DHCPv6 Message type: Solicit (1) Transaction ID: 0xc96b25 Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii Elapsed time Option: Elapsed time (8) Length: 2 Elapsed time: 0ms Option Request Option: Option Request (6) Length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24) Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 0 T2: 0 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: infinity Valid lifetime: infinity Prefix length: 62 Prefix address: :: (::) No. Time Source Destination Protocol Length Source Port Destination Port Info 71 12.089891 fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6 184 dhcpv6-server dhcpv6-client Advertise XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy DHCPv6 Message type: Advertise (2) Transaction ID: 0xc96b25 Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii SOL_MAX_RT Option: SOL_MAX_RT (82) Length: 4 DNS recursive name server Option: DNS recursive name server (23) Length: 16 1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy) Domain Search List Option: Domain Search List (24) Length: 5 DNS Domain Search List Domain Search List FQDN: lan Reconfigure Accept Option: Reconfigure Accept (20) Length: 0 Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 19827 T2: 31723 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39654 Valid lifetime: 50454 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c:: No. Time Source Destination Protocol Length Source Port Destination Port Info 120 15.830114 fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2 DHCPv6 157 dhcpv6-client dhcpv6-server Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy DHCPv6 Message type: Request (3) Transaction ID: 0xd0c619 Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj Elapsed time Option: Elapsed time (8) Length: 2 Elapsed time: 2680ms Option Request Option: Option Request (6) Length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24) Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 0 T2: 0 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39654 Valid lifetime: 50454 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c:: No. Time Source Destination Protocol Length Source Port Destination Port Info 121 15.830970 fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6 216 dhcpv6-server dhcpv6-client Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy DHCPv6 Message type: Reply (7) Transaction ID: 0xd0c619 Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii SOL_MAX_RT Option: SOL_MAX_RT (82) Length: 4 DNS recursive name server Option: DNS recursive name server (23) Length: 16 1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy) Domain Search List Option: Domain Search List (24) Length: 5 DNS Domain Search List Domain Search List FQDN: lan Reconfigure Accept Option: Reconfigure Accept (20) Length: 0 Authentication Option: Authentication (11) Length: 28 Protocol: 3 Algorithm: 1 RDM: 0 Replay Detection: .... Authentication Information: .... Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 19825 T2: 31720 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39650 Valid lifetime: 50450 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c:: No. Time Source Destination Protocol Length Source Port Destination Port Info 122 19.350272 fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2 DHCPv6 157 dhcpv6-client dhcpv6-server Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy DHCPv6 Message type: Request (3) Transaction ID: 0xd0c619 Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj Elapsed time Option: Elapsed time (8) Length: 2 Elapsed time: 6200ms Option Request Option: Option Request (6) Length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24) Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 0 T2: 0 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39654 Valid lifetime: 50454 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c:: No. Time Source Destination Protocol Length Source Port Destination Port Info 123 19.351088 fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6 216 dhcpv6-server dhcpv6-client Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy DHCPv6 Message type: Reply (7) Transaction ID: 0xd0c619 Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii SOL_MAX_RT Option: SOL_MAX_RT (82) Length: 4 DNS recursive name server Option: DNS recursive name server (23) Length: 16 1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy) Domain Search List Option: Domain Search List (24) Length: 5 DNS Domain Search List Domain Search List FQDN: lan Reconfigure Accept Option: Reconfigure Accept (20) Length: 0 Authentication Option: Authentication (11) Length: 28 Protocol: 3 Algorithm: 1 RDM: 0 Replay Detection: .... Authentication Information: .... Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 19823 T2: 31716 IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39646 Valid lifetime: 50446 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c:: -
Try different Prefix Delegation size. Instead of 62 try 60 or 56.
I have noticed that pfsense won't work at all if it doesn't match what the ISP is actually providing.
I was testing different router packages with ipv6 about a few months ago and initially I couldn't get pfsense to work because I thought my ISP provided a /60.
I tried a Mikrotik router and it worked, and what I saw was that even though I asked for the /60, the Mikrotik somehow figured out that the ISP was providing a /56 and it configured itself to work that way.
So I went back to the pfsense and put in 56 for the prefix delegation size and then it worked. It doesn't do the auto negotiation for the prefix at least with my ISP.
-
I already tried all possibilities (with reboot, etc.) and I can only get a /62.
I also confirmed this is the "correct" choice with an ISP engineer. (They will assign /56 later, btw.)The problem is:
The Track Interface does not work, I won't get an IPv6 on LAN with that.
But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
The packet captures also seem to confirm that can I request /62 and actually get the /62 prefix.So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.
Or did I miss something?
Thanks for your time and effort, by the way. -
@terabit said in IPv6 Track Interface doesn't work - static IP works:
I already tried all possibilities (with reboot, etc.) and I can only get a /62.
I also confirmed this is the “correct” choice with an ISP engineer. (They will assign /56 later, btw.)
The problem is:
The Track Interface does not work, I won’t get an IPv6 on LAN with that.
But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
The packet captures also seem to confirm that can I request /62 and actually get the /62 prefix.
So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.
Or did I miss something?
Thanks for your time and effort, by the way.Track Interface works fine, IF the prefix is obtained correctly. If Track isn't working it is either a configuration issue, or you aren't really getting a prefix.
One other thing I have noticed is that my cable modem sometimes will get fussy, with 2 many pfsense reboots. So you might try rebooting the cable modem too.
-
@isaacfl When talking about rebooting I always meant both, ISP router and pfSense.
Then I wonder how the packages on WAN side should look like, if that's not the correct way to get the prefix. -
@terabit said in IPv6 Track Interface doesn't work - static IP works:
Jun 7 10:10:08 dhcp6c 13806 get DHCP option DNS, len 16
Jun 7 10:10:08 dhcp6c 13806 get DHCP option domain search list, len 5
Jun 7 10:10:08 dhcp6c 13806 get DHCP option IA_PD, len 18
Jun 7 10:10:08 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
Jun 7 10:10:08 dhcp6c 13806 get DHCP option status code, len 2
Jun 7 10:10:08 dhcp6c 13806 status code: no prefixes
Jun 7 10:10:08 dhcp6c 13806 dhcp6c Received REQUEST
Jun 7 10:10:08 dhcp6c 13806 nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
Jun 7 10:10:08 dhcp6c 13806 Domain search list[0] lan.
Jun 7 10:10:08 dhcp6c 13806 make an IA: PD-0
Jun 7 10:10:08 dhcp6c 13806 status code for PD-0: no prefixes
Jun 7 10:10:08 dhcp6c 13806 IA PD-0 is invalidated
Jun 7 10:10:08 dhcp6c 13806 remove an IA: PD-0Whatever they are sending, dhcp6c doesn't like it. I can look at the exchange further but you'll need to post the actual pcap, not a textual representation of it.
-
Here is the capture file (link removed) of what happens on the WAN side of pfSense.
I filtered some stuff out, mainly endless pages of DNS stuff my PC was asking for in the background.
If any important bits are missing please tell me, I will fix the file/do another capture in that case. -
What is in /var/etc/dhcp6c_wan.conf in the id-assoc pd 0 secion?
This is mine for a /56
I would expect yours to be a /62 with sla-len of 2 and sla-id of 0 through 3 if they are all defined.
id-assoc pd 0 { prefix ::/56 infinity; prefix-interface igb1.223 { sla-id 1; sla-len 8; }; prefix-interface igb1.999 { sla-id 2; sla-len 8; }; prefix-interface lagg0.1003 { sla-id 3; sla-len 8; }; prefix-interface lagg0.1004 { sla-id 16; sla-len 8; }; prefix-interface lagg0.224 { sla-id 4; sla-len 8; }; }; -
Yep, seems to be alright.
id-assoc pd 0 { prefix ::/62 infinity; prefix-interface igb1 { sla-id 0; sla-len 2; }; };I noticed something:
The logs are a bit different now. They say:Jun 9 21:27:32 dhcp6c 62162 Sending Request Jun 9 21:27:32 dhcp6c 62162 set client ID (len 14) Jun 9 21:27:32 dhcp6c 62162 set server ID (len 10) Jun 9 21:27:32 dhcp6c 62162 set elapsed time (len 2) Jun 9 21:27:32 dhcp6c 62162 set option request (len 4) Jun 9 21:27:32 dhcp6c 62162 set IA_PD prefix Jun 9 21:27:32 dhcp6c 62162 set IA_PD Jun 9 21:27:32 dhcp6c 62162 send request to ff02::1:2%igb0 Jun 9 21:27:32 dhcp6c 62162 reset a timer on igb0, state=REQUEST, timeo=9, retrans=27750 Jun 9 21:27:32 dhcp6c 62162 receive reply from fe80::...%igb0 on igb0 Jun 9 21:27:32 dhcp6c 62162 get DHCP option server ID, len 10 Jun 9 21:27:32 dhcp6c 62162 DUID: ... Jun 9 21:27:32 dhcp6c 62162 get DHCP option client ID, len 14 Jun 9 21:27:32 dhcp6c 62162 DUID: ... Jun 9 21:27:32 dhcp6c 62162 get DHCP option opt_82, len 4 Jun 9 21:27:32 dhcp6c 62162 unknown or unexpected DHCP6 option opt_82, len 4 Jun 9 21:27:32 dhcp6c 62162 get DHCP option DNS, len 16 Jun 9 21:27:32 dhcp6c 62162 get DHCP option domain search list, len 5 Jun 9 21:27:32 dhcp6c 62162 get DHCP option opt_20, len 0 Jun 9 21:27:32 dhcp6c 62162 unknown or unexpected DHCP6 option opt_20, len 0 Jun 9 21:27:32 dhcp6c 62162 get DHCP option authentication, len 28 Jun 9 21:27:32 dhcp6c 62162 proto: reconfig, alg: HMAC-MD5, RDM: mono counter, RD: ...Which is sending and decoding the request.
E.g. decoding the option 20 that the ISP router sends is all parsed (or skipped) - up to this point.
And then:Jun 9 21:27:32 dhcp6c 62162 unsupported authentication protocol: 1 Jun 9 21:27:32 dhcp6c 62162 failed to parse options Jun 9 21:28:00 dhcp6c 62162 no responses were receivedIt stops!
But after the Authentication part comes the IA_PD!
Could it be that after failing at decoding the authentication protocol pfSense just ignores the rest of the packet?Edit 2: I had a look at the source code, it seems the dhcp6c doesn't support the Reconfigure Key Authentication Protocol yet?
https://github.com/hrs-allbsd/wide-dhcpv6/blob/freebsd/dhcp6c.c#L2010
(Source as per https://forum.netgate.com/topic/126501/where-to-find-source-code-of-pfsense-dhcp-and-dhcpv6-cleints/4)
Looks like it discards the packet afterwards and ignores the IA_PD which comes right after the Authentication block...Edit: After rebooting ISP router and pfSense box, the first seven repeats are like the logs I posted earlier in the thread (with status code: no prefixes), after that it's what I just posted now (with unsupported authentication protocol: 1)
-
I contacted the ISP about the Reconfigure Key Authentication Protocol issue and they confirmed there is a bug in the version of odhcpd they're using.
The server sends the reconfigure-accept option, even though the client didn't ask for it.
In the case of pfSense reconfiguration isn't even implemented yet, as far as I can see.They told me this will be fixed on their router in Q3.
So I guess this mystery is solved! -
Nice digging. Thanks for getting back.
