IPv6 Native with Telstra, Australia
-
Here are the logs. Want another packet capture too?
Feb 27 10:26:01 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=4, retrans=16326
Feb 27 10:26:01 dhcp6c 48288 send solicit to ff02::1:2%em0
Feb 27 10:26:01 dhcp6c 48288 set IA_PD
Feb 27 10:26:01 dhcp6c 48288 set IA_PD prefix
Feb 27 10:26:01 dhcp6c 48288 set option request (len 4)
Feb 27 10:26:01 dhcp6c 48288 set elapsed time (len 2)
Feb 27 10:26:01 dhcp6c 48288 set client ID (len 14)
Feb 27 10:26:01 dhcp6c 48288 Sending Solicit
Feb 27 10:25:53 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=3, retrans=8065
Feb 27 10:25:53 dhcp6c 48288 send solicit to ff02::1:2%em0
Feb 27 10:25:53 dhcp6c 48288 set IA_PD
Feb 27 10:25:53 dhcp6c 48288 set IA_PD prefix
Feb 27 10:25:53 dhcp6c 48288 set option request (len 4)
Feb 27 10:25:53 dhcp6c 48288 set elapsed time (len 2)
Feb 27 10:25:53 dhcp6c 48288 set client ID (len 14)
Feb 27 10:25:53 dhcp6c 48288 Sending Solicit
Feb 27 10:25:49 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982
Feb 27 10:25:49 dhcp6c 48288 send solicit to ff02::1:2%em0
Feb 27 10:25:49 dhcp6c 48288 set IA_PD
Feb 27 10:25:49 dhcp6c 48288 set IA_PD prefix
Feb 27 10:25:49 dhcp6c 48288 set option request (len 4)
Feb 27 10:25:49 dhcp6c 48288 set elapsed time (len 2)
Feb 27 10:25:49 dhcp6c 48288 set client ID (len 14)
Feb 27 10:25:49 dhcp6c 48288 Sending Solicit
Feb 27 10:25:47 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
Feb 27 10:25:47 dhcp6c 48288 send solicit to ff02::1:2%em0
Feb 27 10:25:47 dhcp6c 48288 set IA_PD
Feb 27 10:25:47 dhcp6c 48288 set IA_PD prefix
Feb 27 10:25:47 dhcp6c 48288 set option request (len 4)
Feb 27 10:25:47 dhcp6c 48288 set elapsed time (len 2)
Feb 27 10:25:47 dhcp6c 48288 set client ID (len 14)
Feb 27 10:25:47 dhcp6c 48288 Sending Solicit -
@derelict 0_1551224042344_packetcapture.cap.zip
That's the latest packet capture based on turning on "request only an IPv6 prefix".
-
@derelict said in IPv6 Native with Telstra, Australia:
OK and what did the dhcp6c logs look like when you only enabled that and tried it?
You're going to have to be a lot more forthcoming with information. We can't test it from here. Only you can.
Mate - really appreciate you helping me. Apologies if I am not giving enough info. I'll just assume from here on in to include logs and packet captures every time you ask me to change something. Shout out if you need more info than those things.
What just seems strange to me is this whole neighbor solicitation thing on ICMP. It doesn't seem to be able to get past that and onto UDP.
-
@derelict This is the only info I can get out of the Telstra router which does get a valid IPv6 address. Not sure its helpful, but thought I'd give it to you:
01.01.2018 11:01:08 DHCPv6: Request on eth0, interval 4000ms.
01.01.2018 11:01:10 DHCPv6: gets IPv6 address: 2001:8003:f00:3209:ac01:1e31:de2d:8725/128, valid/preferred: 3600/3600, PD: 2001:8003:Xxxx:6600::/56, valid/preferred: 3600/3600, gateway: fe80::4e16:fcff:fe2f:893, DNS: -
@derelict More DHCPv6 logs from a reboot:
Feb 27 10:45:51 dhcp6c 50809 reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
Feb 27 10:45:51 dhcp6c 50809 send solicit to ff02::1:2%em0
Feb 27 10:45:51 dhcp6c 50809 set IA_PD
Feb 27 10:45:51 dhcp6c 50809 set IA_PD prefix
Feb 27 10:45:51 dhcp6c 50809 set option request (len 4)
Feb 27 10:45:51 dhcp6c 50809 set elapsed time (len 2)
Feb 27 10:45:51 dhcp6c 50809 set client ID (len 14)
Feb 27 10:45:51 dhcp6c 50809 a new XID (57b82e) is generated
Feb 27 10:45:51 dhcp6c 50809 Sending Solicit
Feb 27 10:45:50 dhcp6c 50809 reset a timer on em0, state=INIT, timeo=0, retrans=891
Feb 27 10:45:50 dhcp6c 50646 called
Feb 27 10:45:50 dhcp6c 50646 called
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>end of closure [}] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>end of closure [}] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[8] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[sla-len] (7)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[0] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[sla-id] (6)
Feb 27 10:45:50 dhcp6c 50646 <3>begin of closure [{] (1)
Feb 27 10:45:50 dhcp6c 50646 <5>[em1] (3)
Feb 27 10:45:50 dhcp6c 50646 <3>[prefix-interface] (16)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[infinity] (8)
Feb 27 10:45:50 dhcp6c 50646 <3>[56] (2)
Feb 27 10:45:50 dhcp6c 50646 <3>[/] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[::] (2)
Feb 27 10:45:50 dhcp6c 50646 <3>[prefix] (6)
Feb 27 10:45:50 dhcp6c 50646 <13>begin of closure [{] (1)
Feb 27 10:45:50 dhcp6c 50646 <13>[0] (1)
Feb 27 10:45:50 dhcp6c 50646 <13>[pd] (2)
Feb 27 10:45:50 dhcp6c 50646 <3>[id-assoc] (8)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>end of closure [}] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>comment [# we'd like some nameservers please] (35)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Feb 27 10:45:50 dhcp6c 50646 <3>[script] (6)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[domain-name] (11)
Feb 27 10:45:50 dhcp6c 50646 <3>[request] (7)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[domain-name-servers] (19)
Feb 27 10:45:50 dhcp6c 50646 <3>[request] (7)
Feb 27 10:45:50 dhcp6c 50646 <3>comment [# request prefix delegation] (27)
Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[0] (1)
Feb 27 10:45:50 dhcp6c 50646 <3>[ia-pd] (5)
Feb 27 10:45:50 dhcp6c 50646 <3>[send] (4)
Feb 27 10:45:50 dhcp6c 50646 <3>begin of closure [{] (1)
Feb 27 10:45:50 dhcp6c 50646 <5>[em0] (3)
Feb 27 10:45:50 dhcp6c 50646 <3>[interface] (9)
Feb 27 10:45:50 dhcp6c 50646 skip opening control port
Feb 27 10:45:50 dhcp6c 50646 failed initialize control message authentication
Feb 27 10:45:50 dhcp6c 50646 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Feb 27 10:45:50 dhcp6c 50646 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:24:07:f7:52:00:0c:29:05:a3:a1 -
That doesn't show a DHCP attempt.
You might want to reset to defaults and start over.
Resetting everything related to the WAN DHCP6 should be enough but nobody knows what you've clicked to try to fix this.
-
@larrikin Well then that whirlpool link you posted is wrong because obviously it issues a WAN IP address.
-
Did you get traffic on IPv6/UDP/547 on the WAN? If that's not happening nothing is going to work.
-
@derelict said in IPv6 Native with Telstra, Australia:
@larrikin Well then that whirlpool link you posted is wrong because obviously it issues a WAN IP address.
Welcome to my confusion of the land of contradictions with the information that is out there on how Telstra IPv6 actually works :). The Telstra modem I showed you above has a WAN v6IP address. There is another Telstra modem I have where it doesn't get a WAN v6IP address. It's different per their modems.
-
@derelict said in IPv6 Native with Telstra, Australia:
Did you get traffic on IPv6/UDP/547 on the WAN? If that's not happening nothing is going to work.
I only get the ICMP traffic with the neighbor solicitation that you see in the packet capture. Telstra responds to my pfsense request using ICMP neighbor solicitation, but my pfsense doesn't seem to do anything with their response, so it just goes into a perpetual loop. That's the problem from Telstra's perspective.
-
@derelict said in IPv6 Native with Telstra, Australia:
That doesn't show a DHCP attempt.
You might want to reset to defaults and start over.
Resetting everything related to the WAN DHCP6 should be enough but nobody knows what you've clicked to try to fix this.
I've done exactly that. The config I have is exactly the one you've asked me to do. I have nothing else configured. Let me know if you want screen shots. I've literally disabled everything. I've even factory reset pfsense. Then freshly did the config as per what you asked. That is the config that is currently live.
-
@derelict said in IPv6 Native with Telstra, Australia:
Did you get traffic on IPv6/UDP/547 on the WAN? If that's not happening nothing is going to work.
I've reached back out to Telstra quoting you exactly on the above, and pointing them to this thread. I think that I need Telstra's engagement on this if we are to take it further. It seems from your side (correct me if I am wrong), that you feel I'm doing the right things in terms of config, and the fact we are literally seeing nothing on UDP, shows something is up on Telstra's end.
The only thing I cannot rationalise is Telstra's point that Telstra is responding to pfsense on ICMP neighbor solicitation and pfsense doesn't do anything with it. I think their position is that unless pfsense deals with that, then the problem is on the pfsense side of the fence.
Thoughts?
-
@derelict said in IPv6 Native with Telstra, Australia:
That doesn't show a DHCP attempt.
You might want to reset to defaults and start over.
Resetting everything related to the WAN DHCP6 should be enough but nobody knows what you've clicked to try to fix this.
I've just re-read this and your comment "that doesn't show a DHCP attempt" intrigues me. Is that a Telstra side issue or a pfsense side issue?
Again, I've factory reset my pfsense, and configured it the way you've asked. Is this a bug with pfsense? I am lost as to what you are suggesting the root cause might be. Is this likely a pfsense config issue or a Telstra issue?
Remember Telstra has stated this:
I can see it sending Ipv6 DHCPv6
13:30:59.553687 In
Juniper PCAP Flags [no-L2, In]
-----original packet-----
PFE proto 6 (ipv6): (hlim 1, next-header: UDP (17), length: 146) fe80::20c:29ff:fe05:a3a1.dhcpv6-server > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 Relay-forwardIt’s also unable to establish Ipv6 neighbours which I suspect is a reason why it’s not functioning correctly
13:31:01.106029 In
Juniper PCAP Flags [no-L2, In]
-----original packet-----
PFE proto 6 (ipv6): (hlim 255, next-header: ICMPv6 (58), length: 32) fe80::20c:29ff:fe05:a3a1 > ff02::1:ff2f:893: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4e16:fcff:fe2f:893
source link-address option (1), length 8 (1): 00:0c:29:05:a3:a1
0x0000: 000c 2905 a3a113:31:02.073018 Out
Juniper PCAP Flags [no-L2]
-----original packet-----
PFE proto 6 (ipv6): (class 0xc0, hlim 255, next-header: ICMPv6 (58), length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1
source link-address option (1), length 8 (1): 4c:16:fc:2f:08:93
0x0000: 4c16 fc2f 0893 -
@larrikin No. Your side needs to ask for a DHCP6 from the provider.
If you packet capture on the WAN as I described above and edit/save a DHCP6 WAN interface and you do not see DHCP6 packets in the capture, you are very likely doing something completely wrong. No, it's not a bug in pfSense as I have illustrated above. Thousands and thousands and thousands of people are successfully using pfSense and DHCP6. Me included.
Your ISP cannot do anything to stop at least the DHCP6 Solicit packet going out your WAN. If that is not there, you are doing it wrong.
-
@derelict said in IPv6 Native with Telstra, Australia:
@larrikin No. Your side needs to ask for a DHCP6 from the provider.
If you packet capture on the WAN as I described above and edit/save a DHCP6 WAN interface and you do not see DHCP6 packets in the capture, you are very likely doing something completely wrong. No, it's not a bug in pfSense as I have illustrated above. Thousands and thousands and thousands of people are successfully using pfSense and DHCP6. Me included.
Your ISP cannot do anything to stop at least the DHCP6 Solicit packet going out your WAN. If that is not there, you are doing it wrong.
What am I doing wrong? I've following the exact config you suggested precisely. I factory reset the pfsense firewall and then simply configured it as exactly as you instructed. I've even attached the packet capture since doing that above.
-
I don't know. You have yet to produce a packet capture of IPv6/udp/547 on the WAN while a DHCP6 negotiation is going on. No idea if the traffic is there or not, or what it contains. Unfortunately, I can't do it for you.
https://forum.netgate.com/post/826507
-
@derelict said in IPv6 Native with Telstra, Australia:
I don't know. You have yet to produce a packet capture of IPv6/udp/547 on the WAN while a DHCP6 negotiation is going on. No idea if the traffic is there or not, or what it contains. Unfortunately, I can't do it for you.
https://forum.netgate.com/post/826507
How can I capture something that doesn't exist? I literally gave you the packet capture.
-
If it doesn't exist you are doing something wrong. I have no idea what that is.
If you set WAN to DHCP6 and save it, there will be outbound IPv6/UDP/547 traffic. Period.
-
@derelict said in IPv6 Native with Telstra, Australia:
If it doesn't exist you are doing something wrong. I have no idea what that is.
If you set WAN to DHCP6 and save it, there will be outbound IPv6/UDP/547 traffic. Period.Except there isn't. I don't know how to convince you otherwise. There just isn't. I've factory reset pfsense twice, and done that exact packet capture. It isn't there. I even have pfsense configured like you suggested.
So unfortunately in this case, your statement that it will be there isn't true. I wish it were...
-
Ugh. Yes they do. Look at the packet capture settings again.
-
@derelict said in IPv6 Native with Telstra, Australia:
Ugh. Yes they do. Look at the packet capture settings again.
Here are my packet capture settings. Nice and simple. Capture ANY IPv6 traffic. If I just do UDP, NOTHING shows up at all. Nada. Zilch.
So if I pair it back to all IPv6, I get the packet capture that I've attached above.
-
If we screen connect and I fix this, what will you donate to the FreeBSD foundation?
-
@derelict With that exact packet capture rule, here is what I captured using exactly that.
-
Right. You have to start the capture, capturing enough packets to get what you are interested in (say 100000) THEN edit/save WAN to trigger a DHCP6 event.
I did not say to capture all IPv6. I said to capture IPv6 UDP 547. We are not interested in ANYTHING except DHCP6.
-
@derelict said in IPv6 Native with Telstra, Australia:
If we screen connect and I fix this, what will you donate to the FreeBSD foundation?
Mate - take it to the bank that I will. And if you don't, you post in here that you were wrong :) lol.
-
@larrikin said in IPv6 Native with Telstra, Australia:
Mate - take it to the bank that I will. And if you don't, you post in here that you were wrong :) lol.
How much?
-
@derelict said in IPv6 Native with Telstra, Australia:
Right. You have to start the capture, capturing enough packets to get what you are interested in (say 100000) THEN edit/save WAN to trigger a DHCP6 event.
I did not say to capture all IPv6. I said to capture IPv6 UDP 547. We are not interested in ANYTHING except DHCP6.
Well, that work flow I missed :). So I've just done what you've said and you are right, and I am wrong. Here is the packet capture of UDP 547.
But if you fix IPv6 for me and get it going, I'll donate US$50. Fair?
-
So the ISP is not responding. Go back to them with that. I can't do anything about that.
-
@derelict said in IPv6 Native with Telstra, Australia:
So the ISP is not responding. Go back to them with that. I can't do anything about that.
Sweet. I will do exactly that and report back. I'll donate the US$50 once I'm up and running with IPv6 given the time you've spent on this for me. Tell me how I actually do the donation - is there a link?
-
https://www.freebsdfoundation.org/donate/
You said you had someone sympathetic at the ISP. Send them that pcap. Ask why there is no response.
-
@derelict said in IPv6 Native with Telstra, Australia:
https://www.freebsdfoundation.org/donate/
You said you had someone sympathetic at the ISP. Send them that pcap. Ask why there is no response.
Just did exactly that. He is a good guy and actually runs a large part of the network. He'll look into this if he has time (technically this is unsupported but he is a techo at heart and likes to see things working). Basically I'm relying on his good will. Let's see what he says.
-
@derelict said in IPv6 Native with Telstra, Australia:
https://www.freebsdfoundation.org/donate/
You said you had someone sympathetic at the ISP. Send them that pcap. Ask why there is no response.
@Derelict Whilst I think of it, what is going on at the ICMP level where Telstra does respond back to pfsense (neighbor solicit), but pfsense doesn't do anything with Telstra's response? Telstra stated in their email to me that they believe that is part of the problem. What should I say back to Telstra in relation to that?
-
@larrikin Putting aside the DHCP6 PD issue - have you tried setting WAN interface IPv6 to SLAAC?
-
@dugeem said in IPv6 Native with Telstra, Australia:
@larrikin Putting aside the DHCP6 PD issue - have you tried setting WAN interface IPv6 to SLAAC?
Thanks for your response and interest in this. Telstra has made it clear they don't support SLAAC and only DHCP.
@Derelict Heard back from my Telstra contact. He is away until Monday but he is going to look into it then. Still interested in your thoughts on the ICMP stuff above...
-
@larrikin Exactly which DHCP6 does Telstra claim they support? Stateless (which is reallly SLAAC + DHCP6-PD) or Stateful?
I wouldn't be surprised if they support SLAAC even if they claim not to.
-
@dugeem said in IPv6 Native with Telstra, Australia:
Exactly which DHCP6 does Telstra claim they support? Stateless (which is reallly SLAAC + DHCP6-PD) or Stateful?
I wouldn't be surprised if they support SLAAC even if they claim not to.Stateful. This is consistent with other third party routers who have managed to get their stuff working on Telstra. I think the key here is I have a contact in Telstra who is going to look at the packet captures, compare them against the back end DHCPv6 logs, and see what is going on. Until we have that information, I honestly would just be playing further in the dark, and I'd rather wait for the Telstra chap to get back to me with what's really going on.
-
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
DHCPv6 operates using IPv6/UDP on port 547.
This may not help right now ... but possibly something for your Telstra contact(s) to investigate.
-
@dugeem said in IPv6 Native with Telstra, Australia:
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
DHCPv6 operates using IPv6/UDP on port 547.
This may not help right now ... but possibly something for your Telstra contact(s) to investigate.
Wow, I think you are onto something. Care to take a look at this new packet capture? It is certainly showing a lot more now that it did before.
0_1551260385225_packetcapture.cap.zip
I really am in unchartered space here in terms of my knowledge. I've put the WAN interface as SLAAC, and the LAN as SLAAC as well. No idea what the LAN interface should actually be. Not getting any IPv6 addresses yet, but I feel its closer based on the packet capture (although, I may well be mis-reading it and have no idea what I am doing :)).
-
@larrikin said in IPv6 Native with Telstra, Australia:
@dugeem said in IPv6 Native with Telstra, Australia:
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
DHCPv6 operates using IPv6/UDP on port 547.
This may not help right now ... but possibly something for your Telstra contact(s) to investigate.
Wow, I think you are onto something. Care to take a look at this new packet capture? It is certainly showing a lot more now that it did before.
0_1551260385225_packetcapture.cap.zip
I really am in unchartered space here in terms of my knowledge. I've put the WAN interface as SLAAC, and the LAN as SLAAC as well. No idea what the LAN interface should actually be. Not getting any IPv6 addresses yet, but I feel its closer based on the packet capture (although, I may well be mis-reading it and have no idea what I am doing :)).
Actually, that entire exercise might be a red herring. More info about to follow on further testing.
-
@derelict said in IPv6 Native with Telstra, Australia:
https://www.freebsdfoundation.org/donate/
You said you had someone sympathetic at the ISP. Send them that pcap. Ask why there is no response.
Now this is interesting.
https://forums.whirlpool.net.au/thread/2784659?p=2#r29
If you've got time, I think you'll find that post very, very informative. It just got put up there. I'd love to know what you think.