Netgate Discussion Forum
    [Solved] IPv6 Track Interface doesn't work - static IP works

    • T
      Terabit
      last edited by

      I can capture those packages on WAN:
      Shouldn't this be a sign that I actually get a /62?
      Or am I missing something?

      No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
           70 12.089014      fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2             DHCPv6   143    dhcpv6-client dhcpv6-server    Solicit XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy 
      
      DHCPv6
          Message type: Solicit (1)
          Transaction ID: 0xc96b25
          Client Identifier
              Option: Client Identifier (1)
              Length: 14      
              DUID: 0001000122a857aea0369fyyyyyy
              DUID Type: link-layer address plus time (1)
              Hardware type: Ethernet (1)
              DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
              Link-layer address: a0:36:9f:ii:ii:ii
          Elapsed time
              Option: Elapsed time (8)
              Length: 2       
              Elapsed time: 0ms
          Option Request
              Option: Option Request (6)
              Length: 4      
              Requested Option code: DNS recursive name server (23)
              Requested Option code: Domain Search List (24)
          Identity Association for Prefix Delegation
              Option: Identity Association for Prefix Delegation (25)
              Length: 41        
              IAID: 00000000
              T1: 0
              T2: 0
              IA Prefix
                  Option: IA Prefix (26)
                  Length: 25
                  Preferred lifetime: infinity
                  Valid lifetime: infinity
                  Prefix length: 62
                  Prefix address: :: (::)
      
      No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
           71 12.089891      fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6   184    dhcpv6-server dhcpv6-client    Advertise XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy 
      
      DHCPv6
          Message type: Advertise (2)
          Transaction ID: 0xc96b25
          Server Identifier
              Option: Server Identifier (2)
              Length: 10
              DUID: 00030001002207jjjjjj
              DUID Type: link-layer address (3)
              Hardware type: Ethernet (1)
              Link-layer address: 00:22:07:jj:jj:jj
          Client Identifier
              Option: Client Identifier (1)
              Length: 14
              DUID: 0001000122a857aea0369fyyyyyy
              DUID Type: link-layer address plus time (1)
              Hardware type: Ethernet (1)
              DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
              Link-layer address: a0:36:9f:ii:ii:ii
          SOL_MAX_RT
              Option: SOL_MAX_RT (82)
              Length: 4
          DNS recursive name server
              Option: DNS recursive name server (23)
              Length: 16
               1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
          Domain Search List
              Option: Domain Search List (24)
              Length: 5
              DNS Domain Search List
                  Domain Search List FQDN: lan
          Reconfigure Accept
              Option: Reconfigure Accept (20)
              Length: 0
          Identity Association for Prefix Delegation
              Option: Identity Association for Prefix Delegation (25)
              Length: 41
              IAID: 00000000
              T1: 19827
              T2: 31723
              IA Prefix
                  Option: IA Prefix (26)
                  Length: 25         
                  Preferred lifetime: 39654
                  Valid lifetime: 50454
                  Prefix length: 62
                  Prefix address: 2003:xxxx:xxxx:201c::
      
      No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
          120 15.830114      fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2             DHCPv6   157    dhcpv6-client dhcpv6-server    Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
      
      DHCPv6
          Message type: Request (3)
          Transaction ID: 0xd0c619
          Client Identifier
              Option: Client Identifier (1)
              Length: 14
              DUID: 0001000122a857aea0369fyyyyyy
              DUID Type: link-layer address plus time (1)
              Hardware type: Ethernet (1)
              DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
              Link-layer address: a0:36:9f:ii:ii:ii
          Server Identifier
              Option: Server Identifier (2)
              Length: 10
              DUID: 00030001002207jjjjjj
              DUID Type: link-layer address (3)
              Hardware type: Ethernet (1)
              Link-layer address: 00:22:07:jj:jj:jj
          Elapsed time
              Option: Elapsed time (8)
              Length: 2
              Elapsed time: 2680ms
          Option Request
              Option: Option Request (6)
              Length: 4
              Requested Option code: DNS recursive name server (23)
              Requested Option code: Domain Search List (24)
          Identity Association for Prefix Delegation
              Option: Identity Association for Prefix Delegation (25)
              Length: 41
              IAID: 00000000
              T1: 0
              T2: 0
              IA Prefix
                  Option: IA Prefix (26)
                  Length: 25            
                  Preferred lifetime: 39654
                  Valid lifetime: 50454
                  Prefix length: 62
                  Prefix address: 2003:xxxx:xxxx:201c::
      
      No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
          121 15.830970      fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6   216    dhcpv6-server dhcpv6-client    Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
      
      DHCPv6
          Message type: Reply (7)
          Transaction ID: 0xd0c619
          Server Identifier
              Option: Server Identifier (2)
              Length: 10
              DUID: 00030001002207jjjjjj
              DUID Type: link-layer address (3)
              Hardware type: Ethernet (1)
              Link-layer address: 00:22:07:jj:jj:jj
          Client Identifier
              Option: Client Identifier (1)
              Length: 14
              DUID: 0001000122a857aea0369fyyyyyy
              DUID Type: link-layer address plus time (1)
              Hardware type: Ethernet (1)
              DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
              Link-layer address: a0:36:9f:ii:ii:ii
          SOL_MAX_RT
              Option: SOL_MAX_RT (82)
              Length: 4
          DNS recursive name server
              Option: DNS recursive name server (23)
              Length: 16
               1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
          Domain Search List
              Option: Domain Search List (24)
              Length: 5
              DNS Domain Search List
                  Domain Search List FQDN: lan
          Reconfigure Accept
              Option: Reconfigure Accept (20)
              Length: 0
          Authentication
              Option: Authentication (11)
              Length: 28
              Protocol: 3
              Algorithm: 1
              RDM: 0
              Replay Detection: ....
              Authentication Information: ....
          Identity Association for Prefix Delegation
              Option: Identity Association for Prefix Delegation (25)
              Length: 41
              IAID: 00000000
              T1: 19825
              T2: 31720
              IA Prefix
                  Option: IA Prefix (26)
                  Length: 25          
                  Preferred lifetime: 39650
                  Valid lifetime: 50450
                  Prefix length: 62
                  Prefix address: 2003:xxxx:xxxx:201c::
      
      No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
          122 19.350272      fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2             DHCPv6   157    dhcpv6-client dhcpv6-server    Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
      
      DHCPv6
          Message type: Request (3)
          Transaction ID: 0xd0c619
          Client Identifier
              Option: Client Identifier (1)
              Length: 14
              DUID: 0001000122a857aea0369fyyyyyy
              DUID Type: link-layer address plus time (1)
              Hardware type: Ethernet (1)
              DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
              Link-layer address: a0:36:9f:ii:ii:ii
          Server Identifier
              Option: Server Identifier (2)
              Length: 10
              DUID: 00030001002207jjjjjj
              DUID Type: link-layer address (3)
              Hardware type: Ethernet (1)
              Link-layer address: 00:22:07:jj:jj:jj
          Elapsed time
              Option: Elapsed time (8)
              Length: 2
              Elapsed time: 6200ms
          Option Request
              Option: Option Request (6)
              Length: 4      
              Requested Option code: DNS recursive name server (23)
              Requested Option code: Domain Search List (24)
          Identity Association for Prefix Delegation
              Option: Identity Association for Prefix Delegation (25)
              Length: 41
              IAID: 00000000
              T1: 0
              T2: 0
              IA Prefix
                  Option: IA Prefix (26)
                  Length: 25           
                  Preferred lifetime: 39654
                  Valid lifetime: 50454
                  Prefix length: 62
                  Prefix address: 2003:xxxx:xxxx:201c::
      
      No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
          123 19.351088      fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6   216    dhcpv6-server dhcpv6-client    Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
      
      DHCPv6
          Message type: Reply (7)
          Transaction ID: 0xd0c619
          Server Identifier
              Option: Server Identifier (2)
              Length: 10
              DUID: 00030001002207jjjjjj
              DUID Type: link-layer address (3)
              Hardware type: Ethernet (1)
              Link-layer address: 00:22:07:jj:jj:jj
          Client Identifier
              Option: Client Identifier (1)
              Length: 14
              DUID: 0001000122a857aea0369fyyyyyy
              DUID Type: link-layer address plus time (1)
              Hardware type: Ethernet (1)
              DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
              Link-layer address: a0:36:9f:ii:ii:ii
          SOL_MAX_RT
              Option: SOL_MAX_RT (82)
              Length: 4
          DNS recursive name server
              Option: DNS recursive name server (23)
              Length: 16
               1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
          Domain Search List
              Option: Domain Search List (24)
              Length: 5        
              DNS Domain Search List
                  Domain Search List FQDN: lan
          Reconfigure Accept
              Option: Reconfigure Accept (20)
              Length: 0
          Authentication
              Option: Authentication (11)
              Length: 28
              Protocol: 3
              Algorithm: 1
              RDM: 0
              Replay Detection: ....
              Authentication Information: ....
          Identity Association for Prefix Delegation
              Option: Identity Association for Prefix Delegation (25)
              Length: 41
              IAID: 00000000
              T1: 19823
              T2: 31716
              IA Prefix
                  Option: IA Prefix (26)
                  Length: 25
                  Preferred lifetime: 39646
                  Valid lifetime: 50446
                  Prefix length: 62
                  Prefix address: 2003:xxxx:xxxx:201c::
      
      
      1 Reply Last reply Reply Quote 0
      • IsaacFLI
        IsaacFL
        last edited by

        Try different Prefix Delegation size. Instead of 62 try 60 or 56.

        I have noticed that pfsense won't work at all if it doesn't match what the ISP is actually providing.

        I was testing different router packages with ipv6 about a few months ago and initially I couldn't get pfsense to work because I thought my ISP provided a /60.

        I tried a Mikrotik router and it worked, and what I saw was that even though I asked for the /60, the Mikrotik somehow figured out that the ISP was providing a /56 and it configured itself to work that way.

        So I went back to the pfsense and put in 56 for the prefix delegation size and then it worked. It doesn't do the auto negotiation for the prefix at least with my ISP.

        1 Reply Last reply Reply Quote 0
        • T
          Terabit
          last edited by

          I already tried all possibilities (with reboot, etc.) and I can only get a /62.
          I also confirmed this is the "correct" choice with an ISP engineer. (They will assign /56 later, btw.)

          The problem is:
          The Track Interface does not work, I won't get an IPv6 on LAN with that.
          But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
          The packet captures also seem to confirm that I can request /62 and actually get the /62 prefix.

          So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.

          Or did I miss something?
          Thanks for your time and effort, by the way.

          IsaacFLI 1 Reply Last reply Reply Quote 0
          • IsaacFLI
            IsaacFL @Terabit
            last edited by

            @terabit said in IPv6 Track Interface doesn't work - static IP works:

            I already tried all possibilities (with reboot, etc.) and I can only get a /62.
            I also confirmed this is the “correct” choice with an ISP engineer. (They will assign /56 later, btw.)
            The problem is:
            The Track Interface does not work, I won’t get an IPv6 on LAN with that.
            But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
            The packet captures also seem to confirm that I can request /62 and actually get the /62 prefix.
            So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.
            Or did I miss something?
            Thanks for your time and effort, by the way.

            Track Interface works fine, IF the prefix is obtained correctly. If Track isn't working it is either a configuration issue, or you aren't really getting a prefix.

            One other thing I have noticed is that my cable modem sometimes will get fussy, with too many pfsense reboots. So you might try rebooting the cable modem too.

            T 1 Reply Last reply Reply Quote 0
            • T
              Terabit @IsaacFL
              last edited by

              @isaacfl When talking about rebooting I always meant both, ISP router and pfSense.
              Then I wonder what the packages on the WAN side should look like, if that's not the correct way to get the prefix.

              1 Reply Last reply Reply Quote 0
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                @terabit said in IPv6 Track Interface doesn't work - static IP works:

                Jun 7 10:10:08 dhcp6c 13806 get DHCP option DNS, len 16
                Jun 7 10:10:08 dhcp6c 13806 get DHCP option domain search list, len 5
                Jun 7 10:10:08 dhcp6c 13806 get DHCP option IA_PD, len 18
                Jun 7 10:10:08 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
                Jun 7 10:10:08 dhcp6c 13806 get DHCP option status code, len 2
                Jun 7 10:10:08 dhcp6c 13806 status code: no prefixes
                Jun 7 10:10:08 dhcp6c 13806 dhcp6c Received REQUEST
                Jun 7 10:10:08 dhcp6c 13806 nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
                Jun 7 10:10:08 dhcp6c 13806 Domain search list[0] lan.
                Jun 7 10:10:08 dhcp6c 13806 make an IA: PD-0
                Jun 7 10:10:08 dhcp6c 13806 status code for PD-0: no prefixes
                Jun 7 10:10:08 dhcp6c 13806 IA PD-0 is invalidated
                Jun 7 10:10:08 dhcp6c 13806 remove an IA: PD-0

                Whatever they are sending, dhcp6c doesn't like it. I can look at the exchange further but you'll need to post the actual pcap, not a textual representation of it.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • T
                  Terabit
                  last edited by Terabit

                  Here is the capture file (link removed) of what happens on the WAN side of pfSense.
                  I filtered some stuff out, mainly endless pages of DNS stuff my PC was asking for in the background.
                  If any important bits are missing please tell me, I will fix the file/do another capture in that case.

                  1 Reply Last reply Reply Quote 0
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    What is in /var/etc/dhcp6c_wan.conf in the id-assoc pd 0 section?

                    This is mine for a /56

                    I would expect yours to be a /62 with sla-len of 2 and sla-id of 0 through 3 if they are all defined.

                    id-assoc pd 0 {
                            prefix ::/56 infinity;
                            prefix-interface igb1.223 {
                                    sla-id 1;
                                    sla-len 8;
                            };
                            prefix-interface igb1.999 {
                                    sla-id 2;
                                    sla-len 8;
                            };
                            prefix-interface lagg0.1003 {
                                    sla-id 3;
                                    sla-len 8;
                            };
                            prefix-interface lagg0.1004 {
                                    sla-id 16;
                                    sla-len 8;
                            };
                            prefix-interface lagg0.224 {
                                    sla-id 4;
                                    sla-len 8;
                            };
                    };
                    


                    1 Reply Last reply Reply Quote 0
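The sla-id / sla-len arithmetic from the post above, as an added example that is not part of the original thread and is not pfSense or dhcp6c code. It assumes the interface must end up with a /64 or shorter; the function names are hypothetical and the documentation prefix 2001:db8::/32 stands in for the redacted one.

```python
import ipaddress


def track_interface_prefix(delegated, sla_id, sla_len):
    """Append sla_len bits holding sla_id to the delegated prefix.

    Hypothetical helper modelling what a prefix-interface stanza asks for.
    """
    net = ipaddress.IPv6Network(delegated)  # raises if host bits are set
    new_len = net.prefixlen + sla_len
    if new_len > 64:
        raise ValueError(
            f"/{net.prefixlen} + sla-len {sla_len} = /{new_len}, longer than /64")
    if not 0 <= sla_id < (1 << sla_len):
        raise ValueError(f"sla-id {sla_id} does not fit in {sla_len} bits")
    # Place sla_id in the bits directly after the delegated prefix.
    subnet = int(net.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((subnet, new_len))


def plan(delegated, interfaces, sla_len):
    """Map interface name -> derived prefix, rejecting duplicate sla-ids."""
    seen = {}
    out = {}
    for name, sla_id in interfaces.items():
        if sla_id in seen:
            raise ValueError(f"sla-id {sla_id} used by {seen[sla_id]} and {name}")
        seen[sla_id] = name
        out[name] = str(track_interface_prefix(delegated, sla_id, sla_len))
    return out


if __name__ == "__main__":
    # Constructed inputs: a /62 with one tracked LAN, and a /56 with several.
    print(plan("2001:db8:0:201c::/62", {"igb1": 0}, 2))
    print(plan("2001:db8:0:2000::/56",
               {"igb1.223": 1, "igb1.999": 2, "lagg0.1004": 16}, 8))
```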
                    • T
                      Terabit
                      last edited by Terabit

                      Yep, seems to be alright.

                      id-assoc pd 0 {
                      	prefix ::/62 infinity;
                      	prefix-interface igb1 {
                      		sla-id 0;
                      		sla-len 2;
                      	};
                      };
                      
                      

                      I noticed something:
                      The logs are a bit different now. They say:

                      Jun 9 21:27:32	dhcp6c	62162	Sending Request
                      Jun 9 21:27:32	dhcp6c	62162	set client ID (len 14)
                      Jun 9 21:27:32	dhcp6c	62162	set server ID (len 10)
                      Jun 9 21:27:32	dhcp6c	62162	set elapsed time (len 2)
                      Jun 9 21:27:32	dhcp6c	62162	set option request (len 4)
                      Jun 9 21:27:32	dhcp6c	62162	set IA_PD prefix
                      Jun 9 21:27:32	dhcp6c	62162	set IA_PD
                      Jun 9 21:27:32	dhcp6c	62162	send request to ff02::1:2%igb0
                      Jun 9 21:27:32	dhcp6c	62162	reset a timer on igb0, state=REQUEST, timeo=9, retrans=27750
                      Jun 9 21:27:32	dhcp6c	62162	receive reply from fe80::...%igb0 on igb0
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option server ID, len 10
                      Jun 9 21:27:32	dhcp6c	62162	DUID: ...
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option client ID, len 14
                      Jun 9 21:27:32	dhcp6c	62162	DUID: ...
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option opt_82, len 4
                      Jun 9 21:27:32	dhcp6c	62162	unknown or unexpected DHCP6 option opt_82, len 4
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option DNS, len 16
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option domain search list, len 5
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option opt_20, len 0
                      Jun 9 21:27:32	dhcp6c	62162	unknown or unexpected DHCP6 option opt_20, len 0
                      Jun 9 21:27:32	dhcp6c	62162	get DHCP option authentication, len 28
                      Jun 9 21:27:32	dhcp6c	62162	proto: reconfig, alg: HMAC-MD5, RDM: mono counter, RD: ...
                      

                      Which is sending and decoding the request.
                      E.g. decoding the option 20 that the ISP router sends is all parsed (or skipped) - up to this point.
                      And then:

                      Jun 9 21:27:32	dhcp6c	62162	unsupported authentication protocol: 1
                      Jun 9 21:27:32	dhcp6c	62162	failed to parse options
                      Jun 9 21:28:00	dhcp6c	62162	no responses were received
                      

                      It stops!
                      But after the Authentication part comes the IA_PD!
                      Could it be that after failing at decoding the authentication protocol pfSense just ignores the rest of the packet?

                      Edit 2: I had a look at the source code, it seems the dhcp6c doesn't support the Reconfigure Key Authentication Protocol yet?
                      https://github.com/hrs-allbsd/wide-dhcpv6/blob/freebsd/dhcp6c.c#L2010
                      (Source as per https://forum.netgate.com/topic/126501/where-to-find-source-code-of-pfsense-dhcp-and-dhcpv6-cleints/4)
                      Looks like it discards the packet afterwards and ignores the IA_PD which comes right after the Authentication block...

                      Edit: After rebooting ISP router and pfSense box, the first seven repeats are like the logs I posted earlier in the thread (with status code: no prefixes), after that it's what I just posted now (with unsupported authentication protocol: 1)

                      1 Reply Last reply Reply Quote 0
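The failure described in the post above, as an added example that is not part of the original post and is not the wide-dhcpv6 source: a small DHCPv6 option walker run over a constructed Reply in which the Authentication option precedes IA_PD. The `strict` switch is a simplified model of a client that drops the whole message on an authentication protocol it does not implement; the sample bytes reuse the option layout from the capture with the documentation prefix 2001:db8::/32, and all function names are hypothetical.

```python
import ipaddress
import struct

OPT_AUTH, OPT_RECONF_ACCEPT, OPT_IA_PD, OPT_IAPREFIX = 11, 20, 25, 26


class ParseError(Exception):
    pass


def iter_options(buf):
    """Yield (code, data) for each TLV option; reject truncated options."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ParseError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ParseError(f"option {code} length {length} exceeds message")
        yield code, buf[off:off + length]
        off += length


def parse_ia_pd(data):
    """IA_PD body: IAID, T1, T2, then sub-options such as IA Prefix (26)."""
    if len(data) < 12:
        raise ParseError("short IA_PD")
    iaid, t1, t2 = struct.unpack_from("!III", data)
    prefixes = []
    for code, sub in iter_options(data[12:]):
        if code == OPT_IAPREFIX and len(sub) >= 25:
            preferred, valid, plen = struct.unpack_from("!IIB", sub)
            addr = ipaddress.IPv6Address(sub[9:25])
            prefixes.append((f"{addr}/{plen}", preferred, valid))
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes}


def parse_reply(msg, supported_auth=(), strict=True):
    """strict=True: abort on an unimplemented auth protocol (message lost).
    strict=False: note the option, treat the message as unauthenticated,
    and keep walking so later options such as IA_PD are still seen."""
    if len(msg) < 4:
        raise ParseError("short message")
    result = {"type": msg[0], "xid": int.from_bytes(msg[1:4], "big"),
              "ia_pd": [], "skipped_auth": None}
    for code, data in iter_options(msg[4:]):
        if code == OPT_AUTH:
            if len(data) < 11:  # protocol, algorithm, RDM, 8-byte replay field
                raise ParseError("short authentication option")
            if data[0] not in supported_auth:
                if strict:
                    raise ParseError(
                        f"unsupported authentication protocol: {data[0]}")
                result["skipped_auth"] = data[0]
        elif code == OPT_IA_PD:
            result["ia_pd"].append(parse_ia_pd(data))
    return result


def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data


def build_sample_reply():
    """Constructed Reply: Reconfigure Accept, Authentication, then IA_PD."""
    prefix = ipaddress.IPv6Address("2001:db8:0:201c::").packed
    ia_prefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 39650, 50450, 62) + prefix)
    ia_pd = opt(OPT_IA_PD, struct.pack("!III", 0, 19825, 31720) + ia_prefix)
    # Protocol 3, algorithm 1, RDM 0, zeroed replay field and 17-byte body.
    auth = opt(OPT_AUTH, bytes([3, 1, 0]) + bytes(8) + bytes([1]) + bytes(16))
    header = bytes([7]) + (0xD0C619).to_bytes(3, "big")
    return header + opt(OPT_RECONF_ACCEPT, b"") + auth + ia_pd


if __name__ == "__main__":
    reply = build_sample_reply()
    try:
        parse_reply(reply)
    except ParseError as exc:
        print("strict:", exc)
    print("tolerant:", parse_reply(reply, strict=False))
```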
                      • T
                        Terabit
                        last edited by Terabit

                        I contacted the ISP about the Reconfigure Key Authentication Protocol issue and they confirmed there is a bug in the version of odhcpd they're using.
                        The server sends the reconfigure-accept option, even though the client didn't ask for it.
                        In the case of pfSense reconfiguration isn't even implemented yet, as far as I can see.

                        They told me this will be fixed on their router in Q3.
                        So I guess this mystery is solved!

                        1 Reply Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          Nice digging. Thanks for getting back.


                          1 Reply Last reply Reply Quote 0