IPv6 Native with Telstra, Australia
-
@dugeem said in IPv6 Native with Telstra, Australia:
@larrikin Putting aside the DHCP6 PD issue - have you tried setting WAN interface IPv6 to SLAAC?
Thanks for your response and interest in this. Telstra has made it clear they don't support SLAAC and only DHCP.
@Derelict Heard back from my Telstra contact. He is away until Monday but he is going to look into it then. Still interested in your thoughts on the ICMP stuff above...
-
@larrikin Exactly which DHCP6 does Telstra claim they support? Stateless (which is reallly SLAAC + DHCP6-PD) or Stateful?
I wouldn't be surprised if they support SLAAC even if they claim not to.
-
@dugeem said in IPv6 Native with Telstra, Australia:
Exactly which DHCP6 does Telstra claim they support? Stateless (which is reallly SLAAC + DHCP6-PD) or Stateful?
I wouldn't be surprised if they support SLAAC even if they claim not to.Stateful. This is consistent with other third party routers who have managed to get their stuff working on Telstra. I think the key here is I have a contact in Telstra who is going to look at the packet captures, compare them against the back end DHCPv6 logs, and see what is going on. Until we have that information, I honestly would just be playing further in the dark, and I'd rather wait for the Telstra chap to get back to me with what's really going on.
-
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
DHCPv6 operates using IPv6/UDP on port 547.
This may not help right now ... but possibly something for your Telstra contact(s) to investigate.
-
@dugeem said in IPv6 Native with Telstra, Australia:
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
DHCPv6 operates using IPv6/UDP on port 547.
This may not help right now ... but possibly something for your Telstra contact(s) to investigate.
Wow, I think you are onto something. Care to take a look at this new packet capture? It is certainly showing a lot more now that it did before.
0_1551260385225_packetcapture.cap.zip
I really am in unchartered space here in terms of my knowledge. I've put the WAN interface as SLAAC, and the LAN as SLAAC as well. No idea what the LAN interface should actually be. Not getting any IPv6 addresses yet, but I feel its closer based on the packet capture (although, I may well be mis-reading it and have no idea what I am doing :)).
-
@larrikin said in IPv6 Native with Telstra, Australia:
@dugeem said in IPv6 Native with Telstra, Australia:
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
DHCPv6 operates using IPv6/UDP on port 547.
This may not help right now ... but possibly something for your Telstra contact(s) to investigate.
Wow, I think you are onto something. Care to take a look at this new packet capture? It is certainly showing a lot more now that it did before.
0_1551260385225_packetcapture.cap.zip
I really am in unchartered space here in terms of my knowledge. I've put the WAN interface as SLAAC, and the LAN as SLAAC as well. No idea what the LAN interface should actually be. Not getting any IPv6 addresses yet, but I feel its closer based on the packet capture (although, I may well be mis-reading it and have no idea what I am doing :)).
Actually, that entire exercise might be a red herring. More info about to follow on further testing.
-
@derelict said in IPv6 Native with Telstra, Australia:
https://www.freebsdfoundation.org/donate/
You said you had someone sympathetic at the ISP. Send them that pcap. Ask why there is no response.
Now this is interesting.
https://forums.whirlpool.net.au/thread/2784659?p=2#r29
If you've got time, I think you'll find that post very, very informative. It just got put up there. I'd love to know what you think.
-
@derelict said in IPv6 Native with Telstra, Australia:
https://www.freebsdfoundation.org/donate/
You said you had someone sympathetic at the ISP. Send them that pcap. Ask why there is no response.
Also, I found an old post from another forum who claimed he got pfsense to work with Telstra and he left an old packet capture of it working. I attach it here. I can't make head or tail of it.
-
The first thing I see in that capture that was responded to is there is no specificity in the request for the PD length so I would uncheck Send IPv6 Prefix Hint.
Also, I found an old post from another forum who claimed he got pfsense to work with Telstra
How about a link to that?
-
@larrikin said in IPv6 Native with Telstra, Australia:
@larrikin Unfortunately the presence of the ICMPv6 neighbour solicit packet points towards SLAAC in operation.
How? Neighbor solicitations are similar to ARP in IPv4. It's how you identify what MAC address on the local subnet to send traffic to.
There will even be Router Solicitations as the gateway is not sent via DHCP.
There is already a successful capture for DHCP6 posted, and Telstra says DHCP6 is the way to do it. And you're CERTAINLY not going to get a prefix delegation over SLAAC.
I wouldn't muddy the waters.
-
@larrikin said in IPv6 Native with Telstra, Australia:
@Derelict Whilst I think of it, what is going on at the ICMP level where Telstra does respond back to pfsense (neighbor solicit), but pfsense doesn't do anything with Telstra's response? Telstra stated in their email to me that they believe that is part of the problem. What should I say back to Telstra in relation to that?
What packet capture and what response? Please be specific.
-
@derelict said in IPv6 Native with Telstra, Australia:
The first thing I see in that capture that was responded to is there is no specificity in the request for the PD length so I would uncheck Send IPv6 Prefix Hint.
Also, I found an old post from another forum who claimed he got pfsense to work with Telstra
How about a link to that?
I think that packet capture is also a red herring. I have had someone try and replicate those settings and he gets the same result I do. I'll dig up the link though for you.
In the meantime, this link here is our most promising. It's just been done and probably steers us closest to getting this working.
https://forums.whirlpool.net.au/thread/2784659?p=2#r29
-
@derelict said in IPv6 Native with Telstra, Australia:
@larrikin said in IPv6 Native with Telstra, Australia:
@Derelict Whilst I think of it, what is going on at the ICMP level where Telstra does respond back to pfsense (neighbor solicit), but pfsense doesn't do anything with Telstra's response? Telstra stated in their email to me that they believe that is part of the problem. What should I say back to Telstra in relation to that?
What packet capture and what response? Please be specific.
I don't want to lose focus on that other link I just gave you as I think the key to getting this working is in that link.
I think the answer to getting this working lies in this link: https://forums.whirlpool.net.au/thread/2784659?p=2#r29
Note that just got posted with someone else trying to help getting this working.
However, back to answering your question, I am referring to what is in my original post:
Packet capture on my end:
22:13:15.731905 00:0c:29:05:a3:a1 > 33:33:ff:2f:08:93, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::20c:29ff:fe05:a3a1 > ff02::1:ff2f:893: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4e16:fcff:fe2f:893
source link-address option (1), length 8 (1): 00:0c:29:05:a3:a1
0x0000: 000c 2905 a3a122:13:15.293243 4c:16:fc:2f:08:93 > 33:33:ff:05:a3:a1, ethertype IPv6 (0x86dd), length 96: (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1
Telstra's logs:
(including the email from the Telstra tech so where it says "I" below, I = Telstra tech guy)
I can see it sending Ipv6 DHCPv6
13:30:59.553687 In
Juniper PCAP Flags [no-L2, In]
-----original packet-----
PFE proto 6 (ipv6): (hlim 1, next-header: UDP (17), length: 146) fe80::20c:29ff:fe05:a3a1.dhcpv6-server > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 Relay-forwardIt’s also unable to establish Ipv6 neighbours which I suspect is a reason why it’s not functioning correctly
13:31:01.106029 In
Juniper PCAP Flags [no-L2, In]
-----original packet-----
PFE proto 6 (ipv6): (hlim 255, next-header: ICMPv6 (58), length: 32) fe80::20c:29ff:fe05:a3a1 > ff02::1:ff2f:893: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4e16:fcff:fe2f:893
source link-address option (1), length 8 (1): 00:0c:29:05:a3:a1
0x0000: 000c 2905 a3a113:31:02.073018 Out
Juniper PCAP Flags [no-L2]
-----original packet-----
PFE proto 6 (ipv6): (class 0xc0, hlim 255, next-header: ICMPv6 (58), length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1
source link-address option (1), length 8 (1): 4c:16:fc:2f:08:93
0x0000: 4c16 fc2f 0893 -
Please post captures not textual representations.
-
@derelict said in IPv6 Native with Telstra, Australia:
Please post captures not textual representations.
If you are referring to this link: https://forums.whirlpool.net.au/thread/2784659?p=2#r29
that isn't me or my work. That is someone else. I think he has done an excellent job at uncovering some key details. I've encouraged him to post here, but in the meantime, I'm providing a link so at least you can read what is in that post.
If you want more details from it, I'll proxy that request by posting on that forum asking for it.
-
Not sure why anyone would want to request a "domain-name" from their ISP. It would be an even bigger mystery why requesting one would be required.
-
@derelict said in IPv6 Native with Telstra, Australia:
Not sure why anyone would want to request a "domain-name" from their ISP. It would be an even bigger mystery why requesting one would be required.
I hear you, but the key thing he has done a packet capture of a successful DHCPv6 connection to Telstra and then comparing that to trying to get pfsense working. I think its the closest and best way to troubleshoot this. He even points out in the working version (which isn't using pfsense) what it takes to get it working as it shows how Telstra has implemented IPv6 and perhaps why pfsense isn't working with it.
-
@derelict said in IPv6 Native with Telstra, Australia:
Please post captures not textual representations.
I truly think our answer lies i this post. Do you mind reading it and giving me your thoughts?
https://forums.whirlpool.net.au/thread/2784659?p=2#r29
As stated above, I can go back to that guy and ask any questions you have (I've encouraged him to come to this forum and participate in this thread, but so far he hasn't yet).
-
If you find that an IA-NA and IA-PD are required you can add them in the advanced configuration.
If you find they REQUIRE you request option 34 I guess you're out of luck and you'll need to use something else. I highly doubt that is the case.
The default dhcp6c configuration file is here:
/var/etc/dhcp6c_wan.confYou can copy that to /root with
cp /var/etc/dhcp6c_wan.conf /root/orig_dhcp6c_wan.confThen make a working copy with
cp /root/orig_dhcp6c_wan.conf /root/working_dhcp6c_wan.confThen you can edit
/root/working_dhcp6c_wan.confto your heart's content using these as your guide:https://www.freebsd.org/cgi/man.cgi?query=dhcp6c.conf&sektion=5&apropos=0&manpath=FreeBSD+11.0-RELEASE+and+Ports#Interface_statement
https://www.freebsd.org/cgi/man.cgi?query=dhcp6c&sektion=8&apropos=0&manpath=FreeBSD+11.0-RELEASE+and+Ports
You can kill the existing dhcp6c with
killall dhcp6cThen manually run it with your custom configuration file:
/usr/local/sbin/dhcp6c -D -f -c /root/working_dhcp6c_wan.conf eth0Substituting eth0 with the physical interface name of your WAN.
You can make changes in the gui and look at what it places in /var/etc/dhcp6c_wan.conf and use that as a guide. Keep in mind you will have to kill that automatically-started dhcp6c process after saving before running your debug foreground process.
Then, if you get it working, you have the original file saved and you can:
diff /root/orig_dhcp6c_wan.conf /root/working_dhcp6c_wan.confto get the changes required.
As long as you don't find something is required that FreeBSD's dhcp6c does not do (like option 34) you should be able to get it working.
The FIRST step in this process is giving up the notion that FreeBSD/pfSense is doing something wrong, like not responding to neighbor discovery. It obviously responds to proper neighbor discovery or nobody's IPv6 would ever work on any provider anywhere. This is obviously not the case.
If they want to press that issue then you will need to pcap on the WAN to be sure you are actually receiving what they say they are sending.
-
@derelict Here is where I am stuck. I can't give the capture files, so I'll have to use text. Here is a successful DHCP request with Telstra:
Working DHCP (not pfsense)
00:00:04.375540 IP6 (flowlabel 0x46adf, hlim 1, next-header UDP (17) payload length: 80) fe80::3cb2:bc83:1dd4:589c.546 > ff02::1:2.547: [bad udp cksum 0x6d8e -> 0x4cff!] dhcp6 solicit (xid=80f112 (client-ID hwaddr/time type 1 time 604416232 001c42a0251a) (option-request DNS-server DNS-search-list Client-FQDN SNTP-servers) (elapsed-time 750) (IA_NA IAID:1117791514 T1:3600 T2:5400) (IA_PD IAID:1117791514 T1:3600 T2:5400))
Note the T1 and T2 values above.
Not working (pfsense)
10:32:08.063065 00:0c:29:05:a3:a1 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 132: (hlim 1, next-header UDP (17) payload length: 78) fe80::20c:29ff:fe05:a3a1.546 > ff02::1:2.547: [udp sum ok] dhcp6 solicit (xid=756a16 (client-ID hwaddr/time type 1 time 604501842 000c2905a3a1) (IA_NA IAID:1117791514 T1:0 T2:0) (elapsed-time 3186) (option-request DNS-server DNS-search-list SNTP-servers) (IA_PD IAID:1117791514 T1:0 T2:0))
See how pfsense uses 0 for both T1 and T2? I cannot find a way to change those values to patch T1:3600 T2:5400. That may or may not be the difference between this working or not. It certainly is the only difference in the DHCP request now between the one working versus the one not working.
