Netgate Discussion Forum
    Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?

    Category: IPv6 | 50 Posts, 6 Posters, 7.7k Views
bimmerdriver @JKnott

      @JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

      @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

      I'm not sure if this is the situation with my ISP, but apparently Juniper considers it to be an "Enhanced Subscriber Management" feature to disable unsolicited RA.

      Here is a link: no-unsolicited-ra (Enhanced Subscriber Management)

      ??? <insert WTF? emoticon here>

      My sentiments, exactly. WTF?!?!?

Derelict LAYER 8 Netgate

        Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?

        No. In fact the specification prohibits it.

        RFC4861
        Router Solicitations may be sent after any of the following events:

        • The interface is initialized at system startup time.
        • The interface is reinitialized after a temporary interface
          failure or after being temporarily disabled by system
          management.
        • The system changes from being a router to being a host, by
          having its IP forwarding capability turned off by system
          management.
        • The host attaches to a link for the first time.
        • The host re-attaches to a link after being detached for some
          time.

        Once the host sends a Router Solicitation, and receives a valid Router Advertisement with a non-zero Router Lifetime, the host MUST desist from sending additional solicitations on that interface, until the next time one of the above events occurs.

        If your ISP isn't sending RAs they are wrong. And it sounds like everyone involved knows they're wrong. Your time would likely be better spent lobbying them to fix their network than looking for workarounds.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

bimmerdriver @Derelict

          @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

          RFC4861

          Good catch. Thank you for posting this information. I sent it to my contact at the ISP.

JKnott @bimmerdriver

            @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

            I sent it to my contact at the ISP.

            I also sent it to Juniper this afternoon. According to that RFC, any connection will fail after 6000 seconds, if the router does not send out periodic RAs.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

Derelict LAYER 8 Netgate @JKnott

              @JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

              I also sent it to Juniper this afternoon. According to that RFC, any connection will fail after 6000 seconds, if the router does not send out periodic RAs.

              Heads up that while the principles are unchanged, those RA timers were tweaked by RFC8319.

JKnott @Derelict

                @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                Heads up that while the principles are unchanged, those RA timers were tweaked by RFC8319.

                That's still only 18.2 hours.

bimmerdriver

                  I'm trying to post a text dump of the DHCP solicit/advertise + DHCP request/reply + ICMP solicit/advertise and there is an error saying, "Post content was flagged as spam by Akismet.com". Is there a way around this?

Derelict LAYER 8 Netgate

                    Post the pcap.

bimmerdriver

                      Here is a text dump of the DHCP solicit/advertise. More to follow.

                      DHCPv6
                          Message type: Solicit (1)
                          Transaction ID: 0x4d32b4
                          Client Identifier
                              Option: Client Identifier (1)
                              Length: 14
                              Value: 0001000123444ec100155d014902
                              DUID: 0001000123444ec100155d014902
                              DUID Type: link-layer address plus time (1)
                              Hardware type: Ethernet (1)
                              DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
                              Link-layer address: 00:15:5d:01:49:02
                          Elapsed time
                              Option: Elapsed time (8)
                              Length: 2
                              Value: 0000
                              Elapsed time: 0ms
                          Option Request
                              Option: Option Request (6)
                              Length: 4
                              Value: 00170018
                              Requested Option code: DNS recursive name server (23)
                              Requested Option code: Domain Search List (24)
                          Identity Association for Prefix Delegation
                              Option: Identity Association for Prefix Delegation (25)
                              Length: 12
                              Value: 000000000000000000000000
                              IAID: 00000000
                              T1: 0
                              T2: 0
                      
                      DHCPv6
                          Message type: Advertise (2)
                          Transaction ID: 0x4d32b4
                          Client Identifier
                              Option: Client Identifier (1)
                              Length: 14
                              Value: 0001000123444ec100155d014902
                              DUID: 0001000123444ec100155d014902
                              DUID Type: link-layer address plus time (1)
                              Hardware type: Ethernet (1)
                              DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
                              Link-layer address: 00:15:5d:01:49:02
                          Server Identifier
                              Option: Server Identifier (2)
                              Length: 26
                              Value: 00020000058330383a62323a35383a34373a61373a633000…
                              DUID: 00020000058330383a62323a35383a34373a61373a633000…
                              DUID Type: assigned by vendor based on Enterprise number (2)
                              Enterprise ID: Juniper Networks/Funk Software (1411)
                              Identifier: 30383a62323a35383a34373a61373a6330000000
                          Identity Association for Prefix Delegation
                              Option: Identity Association for Prefix Delegation (25)
                              Length: 41
                              Value: 0000000000000e1000001518001a001900001c2000001d4c…
                              IAID: 00000000
                              T1: 3600
                              T2: 5400
                              IA Prefix
                                  Option: IA Prefix (26)
                                  Length: 25
                                  Value: 00001c2000001d4c3820010abc7c4a560000000000000000…
                                  Preferred lifetime: 7200
                                  Valid lifetime: 7500
                                  Prefix length: 56
                                  Prefix address: 2001:abc:7c4a:5600::
                          DNS recursive name server
                              Option: DNS recursive name server (23)
                              Length: 32
                              Value: 20010abcff09010a000000000000005320010abcff09010b…
                               1 DNS server address: 2001:abc:ff09:10a::53
                               2 DNS server address: 2001:abc:ff09:10b::53
                      
Derelict LAYER 8 Netgate @bimmerdriver

                        @bimmerdriver Why do we care? This thread is about RAs?

bimmerdriver

                          @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                          Post the pcap.

                          I don't want to post the pcap, but the 'fing spam blocker won't let me post the next pair of messages.

Derelict LAYER 8 Netgate

                            Why do we care about DHCP? The gateways are not set using DHCP in IPv6.

bimmerdriver @Derelict

                              @Derelict If I posted the RS/RA, someone would be asking to see the DHCP messages, so I intended to post them in sequence.

Derelict LAYER 8 Netgate

                                DHCP doesn't matter here. Has nothing whatsoever to do with your ISP not sending RAs as required.

bimmerdriver

                                  Here are the RS/RA messages, if the spam filter will allow it.

                                  Internet Control Message Protocol v6
                                      Type: Router Solicitation (133)
                                      Code: 0
                                      Checksum: 0x2efd [correct]
                                      [Checksum Status: Good]
                                      Reserved: 00000000
                                      ICMPv6 Option (Source link-layer address : 00:15:5d:01:49:02)
                                          Type: Source link-layer address (1)
                                          Length: 1 (8 bytes)
                                          Link-layer address: Microsof_01:49:02 (00:15:5d:01:49:02)
                                  
                                  Internet Control Message Protocol v6
                                      Type: Router Advertisement (134)
                                      Code: 0
                                      Checksum: 0x74bd [correct]
                                      [Checksum Status: Good]
                                      Cur hop limit: 64
                                      Flags: 0x00, Prf (Default Router Preference): Medium
                                      Router lifetime (s): 5400
                                      Reachable time (ms): 0
                                      Retrans timer (ms): 0
                                      ICMPv6 Option (Source link-layer address : 0a:b2:58:47:a2:e4)
                                          Type: Source link-layer address (1)
                                          Length: 1 (8 bytes)
                                          Link-layer address: 0a:b2:58:47:a2:e4 (0a:b2:58:47:a2:e4)
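
The RFC 4861 rule quoted earlier in the thread (a host stops soliciting once it holds an RA with a non-zero Router Lifetime, so the default route lives only as long as that lifetime unless unsolicited RAs keep refreshing it) can be checked directly against the RA dissected above. This is an added example, not code from the thread or from pfSense: the RA bytes are constructed from the dissection (type 134, Router Lifetime 5400, source link-layer option), and `default_router_gaps` models the section 6.3.4 invalidation timer to show when the default route disappears.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1

@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    flags: int
    router_lifetime: int          # seconds; 0 = "do not use me as a default router"
    reachable_time: int
    retrans_timer: int
    source_lladdr: Optional[str]

def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse an RA from its ICMPv6 header onward (RFC 4861 section 4.2).
    The checksum is not verified: it covers an IPv6 pseudo-header that is
    not part of this payload."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    typ, code, _csum, hop, flags, lifetime, reach, retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    lladdr = None
    off = 16
    while off < len(payload):         # walk the TLV options (length unit: 8 bytes)
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                 # RFC 4861 section 4.6: MUST discard
            raise ValueError("zero-length option")
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated option body")
        if otype == OPT_SOURCE_LLADDR and olen == 1:
            lladdr = ":".join(f"{b:02x}" for b in payload[off + 2:end])
        off = end
    return RouterAdvertisement(hop, flags, lifetime, reach, retrans, lladdr)

def default_router_gaps(ra_times: List[float], lifetime: int,
                        horizon: float) -> List[Tuple[float, float]]:
    """Intervals in [0, horizon) during which the host holds no default router.
    RFC 4861 section 6.3.4: every RA with a non-zero Router Lifetime re-arms the
    entry's invalidation timer; when it fires, the default route is dropped."""
    gaps = []
    expiry = 0.0                      # nothing is known before the first RA
    for t in sorted(ra_times):
        if t > expiry:
            gaps.append((expiry, t))
        expiry = t + lifetime
    if expiry < horizon:
        gaps.append((expiry, horizon))
    return gaps

# Constructed from the RA dissected above: type 134, code 0, checksum 0x74bd,
# hop limit 64, flags 0, Router Lifetime 5400 (0x1518), reachable/retrans 0,
# then a Source link-layer address option carrying 0a:b2:58:47:a2:e4.
SAMPLE_RA = bytes.fromhex("8600 74bd 40 00 1518 00000000 00000000 0101 0ab25847a2e4")

# One solicited RA at t=0 and nothing after, as the thread describes: the default route is gone at 5400 s.
NO_PERIODIC_RA_GAPS = default_router_gaps([0.0], parse_ra(SAMPLE_RA).router_lifetime, 86400)
```

Feeding the same function a router that advertises every 600 s over a day returns no gaps, which is the behaviour the thread says a standards-conforming ISP edge must provide.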
                                  
Derelict LAYER 8 Netgate

                                    It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

Derelict LAYER 8 Netgate

                                      You're only at a "karma of three (now 4)" someone else give a 👍 so he's over 5. That's more for editing profiles, etc but it can't hurt.

bimmerdriver @Derelict

                                        @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                        It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

                                        Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the Juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?

Derelict LAYER 8 Netgate

                                          They HAVE to send an unsolicited, periodic RA. If Juniper has that setting then it is to be used in cases where it is not necessary. This is not a pfSense problem. It is an ISP problem. See RFC4861. The host device is FORBIDDEN from sending another RS unless its interface is shut/no shut, etc.

Derelict LAYER 8 Netgate @bimmerdriver

                                            @bimmerdriver

                                            @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                            @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                            It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

                                            Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the Juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?

                                            I don't understand your point. ISPs that work and adhere to standards send periodic RAs.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.