Getting new IPv6 prefix

Derelict

Depends on the ISP, I suppose. If it's saved it should be changed there though.

JKnott

I'll try DUID-LLT. I have saved the original dhcpc6_duid file.

JKnott

Changing the DUID type and rebooting did not change my prefix.

Derelict

Sounds like an ISP problem. Does the dhcp6c log show you sending the new DUID and them sending the same thing?

Guarantee if I was to change mine I'd get a new PD from Cox.

JKnott

Where is that log? I don't see it in /var/log or /var/db.

Derelict

It's in Status > System Logs, DHCP. Filter on process dhcp6c.

Be sure debug logs are enabled in the dhcp6 section on Interfaces > WAN. They can just be left enabled. It's not a lot of additional logging but it's valuable.

JKnott

Here's what they show.

Feb 4 16:34:49 dhcp6c 481 Sending Solicit
Feb 4 16:34:49 dhcp6c 481 set client ID (len 14)
Feb 4 16:34:49 dhcp6c 481 set elapsed time (len 2)
Feb 4 16:34:49 dhcp6c 481 set option request (len 4)
Feb 4 16:34:49 dhcp6c 481 set IA_PD prefix
Feb 4 16:34:49 dhcp6c 481 set IA_PD

That doesn't tell me much, so I'll have to fire up Wireshark.

It's really annoying that my prefix changed when I didn't want it to and doesn't when I do.

Derelict

That doesn't look like debug is enabled. It will show the DUID sent, etc.

JKnott

@derelict

The only debug item I see on the WAN page is "Start DHCP6 client in debug mode", which is enabled.

Derelict

Then you should have more descriptive output there,

JKnott

@derelict

Tried again:
Feb 4 20:48:06 dhcp6c 481 IA_PD: ID=0, T1=0, T2=0
Feb 4 20:48:06 dhcp6c 481 get DHCP option status code, len 56
Feb 4 20:48:06 dhcp6c 481 status code: no prefixes
Feb 4 20:48:06 dhcp6c 481 get DHCP option DNS, len 32
Feb 4 20:48:06 dhcp6c 481 dhcp6c Received REQUEST
Feb 4 20:48:06 dhcp6c 481 nameserver[0] 2607:f798:18:10:0:640:7125:5204
Feb 4 20:48:06 dhcp6c 481 nameserver[1] 2607:f798:18:10:0:640:7125:5198
Feb 4 20:48:06 dhcp6c 481 make an IA: PD-0
Feb 4 20:48:06 dhcp6c 481 status code for PD-0: no prefixes
Feb 4 20:48:06 dhcp6c 481 IA PD-0 is invalidated
Feb 4 20:48:06 dhcp6c 481 remove an IA: PD-0
Feb 4 20:48:06 dhcp6c 481 reset a timer on re0, state=INIT, timeo=0, retrans=677
Feb 4 20:48:06 dhcp6c 481 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
Feb 4 20:48:08 dhcp6c 481 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
Feb 4 20:48:08 dhcp6c 481 removing an event on re0, state=REQUEST
Feb 4 20:48:08 dhcp6c 481 removing server (ID: 00:01:00:01:15:9b:b6:e5:00:21:28:5f:d2:b7)
Feb 4 20:48:08 dhcp6c 481 got an expected reply, sleeping.
Feb 4 20:48:08 dhcp6c 481 Sending Solicit
Feb 4 20:48:08 dhcp6c 481 a new XID (feda7) is generated
Feb 4 20:48:08 dhcp6c 481 set client ID (len 14)
Feb 4 20:48:08 dhcp6c 481 set elapsed time (len 2)
Feb 4 20:48:08 dhcp6c 481 set option request (len 4)
Feb 4 20:48:08 dhcp6c 481 set IA_PD prefix
Feb 4 20:48:08 dhcp6c 481 set IA_PD
Feb 4 20:48:08 dhcp6c 481 send solicit to ff02::1:2%re0
Feb 4 20:48:08 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=0, retrans=1038
Feb 4 20:48:09 dhcp6c 481 Sending Solicit
Feb 4 20:48:09 dhcp6c 481 set client ID (len 14)
Feb 4 20:48:09 dhcp6c 481 set elapsed time (len 2)
Feb 4 20:48:09 dhcp6c 481 set option request (len 4)
Feb 4 20:48:09 dhcp6c 481 set IA_PD prefix
Feb 4 20:48:09 dhcp6c 481 set IA_PD
Feb 4 20:48:09 dhcp6c 481 send solicit to ff02::1:2%re0
Feb 4 20:48:09 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=1, retrans=2027
Feb 4 20:48:11 dhcp6c 481 Sending Solicit
Feb 4 20:48:11 dhcp6c 481 set client ID (len 14)
Feb 4 20:48:11 dhcp6c 481 set elapsed time (len 2)
Feb 4 20:48:11 dhcp6c 481 set option request (len 4)
Feb 4 20:48:11 dhcp6c 481 set IA_PD prefix
Feb 4 20:48:11 dhcp6c 481 set IA_PD
Feb 4 20:48:11 dhcp6c 481 send solicit to ff02::1:2%re0
Feb 4 20:48:11 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=2, retrans=4070
Feb 4 20:48:15 dhcp6c 481 Sending Solicit
Feb 4 20:48:15 dhcp6c 481 set client ID (len 14)
Feb 4 20:48:15 dhcp6c 481 set elapsed time (len 2)
Feb 4 20:48:15 dhcp6c 481 set option request (len 4)
Feb 4 20:48:15 dhcp6c 481 set IA_PD prefix
Feb 4 20:48:15 dhcp6c 481 set IA_PD
Feb 4 20:48:15 dhcp6c 481 send solicit to ff02::1:2%re0
Feb 4 20:48:15 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=3, retrans=8103

Derelict

Looks like upstream is not responding.

JKnott

@derelict said in Getting new IPv6 prefix:

Looks like upstream is not responding.

That wouldn't surprise me. There's definitely a routing problem to my LAN prefix, though to the WAN address is fine. I was able to demonstrate that to 2nd level support. The problem is getting someone beyond them to fix this. At least this narrows down the problem area somewhat. Incidentally, I was doing some work in my ISPs head ends, a couple of months ago, but not the one I connect to. However, that work had nothing to do with IP.

JKnott

@derelict said in Getting new IPv6 prefix:

Looks like upstream is not responding.

Do you know what to look for in the router solicitations and advertisements. Also, I've noticed something curious in the advertisements, the lifetimes are infinite!

JKnott

I've been examining the router advertisements and noticed something else. I see several prefixes provided, all with /64. However, I don't see mine, which should be a /56. I've attached the Wireshark capture file. This was captured as pfSense was booting up. I filtered on the WAN interface link local address and ICMP6.

0_1549381817002_bootup_capture.pcapng

bimmerdriver

Did you try changing the MAC of the WAN port? That might work.

JKnott

@bimmerdriver said in Getting new IPv6 prefix:

Did you try changing the MAC of the WAN port? That might work.

Yes, I did and no it didn't. The problem I'm trying to resolve, is a routing problem with my ISP, where traffic for my network doesn't even reach my firewall. It even fails when I have the modem in gateway mode. I have proven it's a routing problem to tier support, but they can't get the people responsible for maintaining the network to fix it.

bimmerdriver

@jknott How many prefixes will your ISP allow you to have? If your system insists on using the same prefix, try another instance of pfsense while the other one is still running. I haven't seen any evidence of a limit from Telus. I have at four separate prefixes at any one time (modem, main pfsense, test pfsense, other).

JKnott

@bimmerdriver said in Getting new IPv6 prefix:

@jknott How many prefixes will your ISP allow you to have? If your system insists on using the same prefix, try another instance of pfsense while the other one is still running. I haven't seen any evidence of a limit from Telus. I have at four separate prefixes at any one time (modem, main pfsense, test pfsense, other).

The problem is not with pfSense. It also happens when I put my modem into gateway mode. I get an IPv6 address on my computer, but can't get to the Internet with it. What my investigation shows is that pinging, www.yahoo.com for example, works from my firewall, but not anything behind it. I also had the tier 2 support person try pinging, while I watched traffic between my modem and firewall. When he pinged my firewall, it worked and I could see the packets coming and going. When he pinged my computer behind the firewall, the packets weren't even passing from the modem to firewall. The only significant difference is the prefix for my firewall is different from devices behind the firewall, so the problem is likely a routing error of some sort. I also examined the router advertisements, from my ISP, when my firewall booted up. I should see my prefix and /56 length. I see neither, but I see several /64 prefixes that have nothing to do with my network and one doesn't even appear to be from the range my ISP has. Those RAs also have an infinite lifetime, which I don't ever recall seeing before. The problem is clearly with my ISP, but the network support people don't seem to want to look into the problem, despite my talking to the ISP's Office of the President. Today, I filed a complaint with CCTS, because of the lack of action on this, despite tier 2 support recognizing the problem is with the network. This has been dragging on for about a month now.

My original question here about changing prefixes was because things that would normally cause a prefix change didn't. Prior to that option to not release the prefix, just disconnecting/reconnecting the Ethernet cable between the modem and pfSense would cause a prefix change, but not now.

bimmerdriver

@jknott You asked if there was a way to get a new prefix. I gave you a way that should work if your ISP allows you to request multiple prefixes.

My ISP is Telus. My service is VDSL. Telus supports PD, but they only provide a prefix, not an address. The modem gets a prefix, which is used for any device that connects to the LAN. I do not use this LAN. The only devices on it are the PVR and STB.

One of the ports is bridged. I have a switch on this port and there are multiple routers, including my main pfsense router that serves my LAN, as well as some virtual routers that I use to test different versions before I install them on the main system. They all have their own completely separate /56. If I create a new VM, it will get its own /56. The only limitation is that for any given MAC, there can only be one prefix.

If I connect a Windows PC to the bridged port, it will not get an IPv6 address or prefix, because Windows doesn't support PD. (But even though it doesn't get an IPv6 address, I can still use it to run wireshark, so I can observe the ICMP and DHCP packets for PD and RA of the routers.)