Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?
-
As I posted in another thread, What is expected behaviour of pfSense if ISP edge router does not send periodic RA?, my ISP has a problem with some of their edge routers where they do not send unsolicited RA messages. This is causing IPv6 to break around 2 hours after the I/F is restarted. The ISP knows about this problem, but it has not been fixed. Is there a way to periodically trigger pfSense to send an RS?
-
I'm not sure if this is the situation with my ISP, but apparently Juniper considers it to be an "Enhanced Subscriber Management" feature to disable unsolicited RA.
Here is a link: no-unsolicited-ra (Enhanced Subscriber Management)
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I'm not sure if this is the situation with my ISP, but apparently Juniper considers it to be an "Enhanced Subscriber Management" feature to disable unsolicited RA.
Here is a link: no-unsolicited-ra (Enhanced Subscriber Management)
??? <insert WTF? emoticon here>
-
@JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I'm not sure if this is the situation with my ISP, but apparently Juniper considers it to be an "Enhanced Subscriber Management" feature to disable unsolicited RA.
Here is a link: no-unsolicited-ra (Enhanced Subscriber Management)
??? <insert WTF? emoticon here>
My sentiments, exactly. WTF?!?!?
-
Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?
No. In fact the specification prohibits it.
RFC4861
Router Solicitations may be sent after any of the following events:
- The interface is initialized at system startup time.
- The interface is reinitialized after a temporary interface failure or after being temporarily disabled by system management.
- The system changes from being a router to being a host, by having its IP forwarding capability turned off by system management.
- The host attaches to a link for the first time.
- The host re-attaches to a link after being detached for some time.
Once the host sends a Router Solicitation, and receives a valid Router Advertisement with a non-zero Router Lifetime, the host MUST desist from sending additional solicitations on that interface, until the next time one of the above events occurs.

If your ISP isn't sending RAs they are wrong. And it sounds like everyone involved knows they're wrong. Your time would likely be better spent lobbying them to fix their network than looking for workarounds.
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
RFC4861
Good catch. Thank you for posting this information. I sent it to my contact at the ISP.
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I sent it to my contact at the ISP.
I also sent it to Juniper this afternoon. According to that RFC, any connection will fail after 6000 seconds, if the router does not send out periodic RAs.
-
@JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I also sent it to Juniper this afternoon. According to that RFC, any connection will fail after 6000 seconds, if the router does not send out periodic RAs.
Heads up that while the principles are unchanged, those RA timers were tweaked by RFC8319.
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
Heads up that while the principles are unchanged, those RA timers were tweaked by RFC8319.
That's still only 18.2 hours.
-
I'm trying to post a text dump of the DHCP solicit/advertise + DHCP request/reply + ICMP solicit/advertise and there is an error saying, "Post content was flagged as spam by Akismet.com". Is there a way around this?
-
Post the pcap.
-
Here is a text dump of the DHCP solicit/advertise. More to follow.
DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0x4d32b4
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 0001000123444ec100155d014902
        DUID: 0001000123444ec100155d014902
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
        Link-layer address: 00:15:5d:01:49:02
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Value: 0000
        Elapsed time: 0ms
    Option Request
        Option: Option Request (6)
        Length: 4
        Value: 00170018
        Requested Option code: DNS recursive name server (23)
        Requested Option code: Domain Search List (24)
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 12
        Value: 000000000000000000000000
        IAID: 00000000
        T1: 0
        T2: 0

DHCPv6
    Message type: Advertise (2)
    Transaction ID: 0x4d32b4
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        Value: 0001000123444ec100155d014902
        DUID: 0001000123444ec100155d014902
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
        Link-layer address: 00:15:5d:01:49:02
    Server Identifier
        Option: Server Identifier (2)
        Length: 26
        Value: 00020000058330383a62323a35383a34373a61373a633000…
        DUID: 00020000058330383a62323a35383a34373a61373a633000…
        DUID Type: assigned by vendor based on Enterprise number (2)
        Enterprise ID: Juniper Networks/Funk Software (1411)
        Identifier: 30383a62323a35383a34373a61373a6330000000
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        Value: 0000000000000e1000001518001a001900001c2000001d4c…
        IAID: 00000000
        T1: 3600
        T2: 5400
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Value: 00001c2000001d4c3820010abc7c4a560000000000000000…
            Preferred lifetime: 7200
            Valid lifetime: 7500
            Prefix length: 56
            Prefix address: 2001:abc:7c4a:5600::
    DNS recursive name server
        Option: DNS recursive name server (23)
        Length: 32
        Value: 20010abcff09010a000000000000005320010abcff09010b…
        1 DNS server address: 2001:abc:ff09:10a::53
        2 DNS server address: 2001:abc:ff09:10b::53
-
@bimmerdriver Why do we care? This thread is about RAs?
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
Post the pcap.
I don't want to post the pcap, but the 'fing spam blocker won't let me post the next pair of messages.
-
Why do we care about DHCP? The gateways are not set using DHCP in IPv6.
-
@Derelict If I posted the RS/RA, someone would be asking to see the DHCP messages, so I intended to post them in sequence.
-
DHCP doesn't matter here. Has nothing whatsoever to do with your ISP not sending RAs as required.
-
Here are the RS/RA messages, if the spam filter will allow it.
Internet Control Message Protocol v6
    Type: Router Solicitation (133)
    Code: 0
    Checksum: 0x2efd [correct]
    [Checksum Status: Good]
    Reserved: 00000000
    ICMPv6 Option (Source link-layer address : 00:15:5d:01:49:02)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: Microsof_01:49:02 (00:15:5d:01:49:02)

Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x74bd [correct]
    [Checksum Status: Good]
    Cur hop limit: 64
    Flags: 0x00, Prf (Default Router Preference): Medium
    Router lifetime (s): 5400
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Source link-layer address : 0a:b2:58:47:a2:e4)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: 0a:b2:58:47:a2:e4 (0a:b2:58:47:a2:e4)
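
Added example, not part of the original post: a Python sketch that parses the Router Advertisement in the dump above (RFC 4861 layout) and works out when the default router entry lapses if no further RA refreshes it. The sample bytes are constructed from the decoded fields in the dump; `parse_ra`, `check` and the `warn_fraction` threshold are hypothetical names and values chosen for this illustration.

```python
import struct

# Constructed sample: the Router Advertisement from the dump above, rebuilt
# from its decoded fields (checksum copied from the dump, not recomputed).
SAMPLE_RA = bytes.fromhex("860074bd" "4000" "1518" "00000000" "00000000"
                          "0101" "0ab25847a2e4")

def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement (RFC 4861 section 4.2)."""
    if len(msg) < 16:
        raise ValueError("truncated Router Advertisement")
    mtype, code, _csum, hop, flags, lifetime, reach, retrans = \
        struct.unpack("!BBHBBHII", msg[:16])
    if mtype != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "flags": flags, "router_lifetime": lifetime,
          "reachable_ms": reach, "retrans_ms": retrans, "options": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option header")
        otype, olen = msg[off], msg[off + 1] * 8   # length is in 8-byte units
        if olen == 0 or off + olen > len(msg):
            raise ValueError("bad option length")
        ra["options"].append((otype, msg[off + 2:off + olen]))
        off += olen
    return ra

def default_router_expiry(ra_times, lifetime):
    """Time the default router entry lapses: last RA seen + Router Lifetime."""
    return max(ra_times) + lifetime

def check(ra_times, lifetime, now, warn_fraction=0.5):
    """Classify default-router state at `now` (seconds).

    warn_fraction is an arbitrary threshold picked for this example.
    """
    if now >= default_router_expiry(ra_times, lifetime):
        return "EXPIRED"
    if now - max(ra_times) >= lifetime * warn_fraction:
        return "STALE"      # no refreshing RA for a large part of the lifetime
    return "OK"
```

With a single solicited RA at t=0 and the 5400 s Router Lifetime from the dump, `check` reports the entry as expired at 5400 s unless a later RA timestamp is added to `ra_times`.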
-
It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.
-
You're only at a "karma of three (now 4)" someone else give a so he's over 5. That's more for editing profiles, etc but it can't hurt.