Netgate Discussion Forum

    Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?

    50 Posts 6 Posters 7.7k Views
      JKnott @Derelict

      @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

      Heads up that while the principles are unchanged, those RA timers were tweaked by RFC8319.

      That's still only 18.2 hours.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        bimmerdriver

        I'm trying to post a text dump of the DHCP solicit/advertise + DHCP request/reply + ICMP solicit/advertise and there is an error saying, "Post content was flagged as spam by Akismet.com". Is there a way around this?

          Derelict LAYER 8 Netgate

          Post the pcap.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            bimmerdriver

            Here is a text dump of the DHCP solicit/advertise. More to follow.

            DHCPv6
                Message type: Solicit (1)
                Transaction ID: 0x4d32b4
                Client Identifier
                    Option: Client Identifier (1)
                    Length: 14
                    Value: 0001000123444ec100155d014902
                    DUID: 0001000123444ec100155d014902
                    DUID Type: link-layer address plus time (1)
                    Hardware type: Ethernet (1)
                    DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
                    Link-layer address: 00:15:5d:01:49:02
                Elapsed time
                    Option: Elapsed time (8)
                    Length: 2
                    Value: 0000
                    Elapsed time: 0ms
                Option Request
                    Option: Option Request (6)
                    Length: 4
                    Value: 00170018
                    Requested Option code: DNS recursive name server (23)
                    Requested Option code: Domain Search List (24)
                Identity Association for Prefix Delegation
                    Option: Identity Association for Prefix Delegation (25)
                    Length: 12
                    Value: 000000000000000000000000
                    IAID: 00000000
                    T1: 0
                    T2: 0
            
            DHCPv6
                Message type: Advertise (2)
                Transaction ID: 0x4d32b4
                Client Identifier
                    Option: Client Identifier (1)
                    Length: 14
                    Value: 0001000123444ec100155d014902
                    DUID: 0001000123444ec100155d014902
                    DUID Type: link-layer address plus time (1)
                    Hardware type: Ethernet (1)
                    DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
                    Link-layer address: 00:15:5d:01:49:02
                Server Identifier
                    Option: Server Identifier (2)
                    Length: 26
                    Value: 00020000058330383a62323a35383a34373a61373a633000…
                    DUID: 00020000058330383a62323a35383a34373a61373a633000…
                    DUID Type: assigned by vendor based on Enterprise number (2)
                    Enterprise ID: Juniper Networks/Funk Software (1411)
                    Identifier: 30383a62323a35383a34373a61373a6330000000
                Identity Association for Prefix Delegation
                    Option: Identity Association for Prefix Delegation (25)
                    Length: 41
                    Value: 0000000000000e1000001518001a001900001c2000001d4c…
                    IAID: 00000000
                    T1: 3600
                    T2: 5400
                    IA Prefix
                        Option: IA Prefix (26)
                        Length: 25
                        Value: 00001c2000001d4c3820010abc7c4a560000000000000000…
                        Preferred lifetime: 7200
                        Valid lifetime: 7500
                        Prefix length: 56
                        Prefix address: 2001:abc:7c4a:5600::
                DNS recursive name server
                    Option: DNS recursive name server (23)
                    Length: 32
                    Value: 20010abcff09010a000000000000005320010abcff09010b…
                     1 DNS server address: 2001:abc:ff09:10a::53
                     2 DNS server address: 2001:abc:ff09:10b::53
            
              Derelict LAYER 8 Netgate @bimmerdriver

              @bimmerdriver Why do we care? This thread is about RAs?


                bimmerdriver

                @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                Post the pcap.

                I don't want to post the pcap, but the 'fing spam blocker won't let me post the next pair of messages.

                  Derelict LAYER 8 Netgate

                  Why do we care about DHCP? The gateways are not set using DHCP in IPv6.


                    bimmerdriver @Derelict

                    @Derelict If I posted the RS/RA, someone would be asking to see the DHCP messages, so I intended to post them in sequence.

                      Derelict LAYER 8 Netgate

                      DHCP doesn't matter here. Has nothing whatsoever to do with your ISP not sending RAs as required.


                        bimmerdriver

                        Here are the RS/RA messages, if the spam filter will allow it.

                        Internet Control Message Protocol v6
                            Type: Router Solicitation (133)
                            Code: 0
                            Checksum: 0x2efd [correct]
                            [Checksum Status: Good]
                            Reserved: 00000000
                            ICMPv6 Option (Source link-layer address : 00:15:5d:01:49:02)
                                Type: Source link-layer address (1)
                                Length: 1 (8 bytes)
                                Link-layer address: Microsof_01:49:02 (00:15:5d:01:49:02)
                        
                        Internet Control Message Protocol v6
                            Type: Router Advertisement (134)
                            Code: 0
                            Checksum: 0x74bd [correct]
                            [Checksum Status: Good]
                            Cur hop limit: 64
                            Flags: 0x00, Prf (Default Router Preference): Medium
                            Router lifetime (s): 5400
                            Reachable time (ms): 0
                            Retrans timer (ms): 0
                            ICMPv6 Option (Source link-layer address : 0a:b2:58:47:a2:e4)
                                Type: Source link-layer address (1)
                                Length: 1 (8 bytes)
                                Link-layer address: 0a:b2:58:47:a2:e4 (0a:b2:58:47:a2:e4)
                        
                          Derelict LAYER 8 Netgate

                          It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.


                            Derelict LAYER 8 Netgate

                            You're only at a "karma of three (now 4)"; someone else give a 👍 so he's over 5. That's more for editing profiles, etc., but it can't hurt.


                              bimmerdriver @Derelict

                              @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                              It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

                              Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the Juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?

                                Derelict LAYER 8 Netgate

                                They HAVE to send an unsolicited, periodic RA. If Juniper has that setting then it is to be used in cases where it is not necessary. This is not a pfSense problem. It is an ISP problem. See RFC4861. The host device is FORBIDDEN from sending another RS unless its interface is shut/no shut, etc.


                                  Derelict LAYER 8 Netgate @bimmerdriver
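A host-side model of what the RA capture and the RFC 4861 discussion above describe, added here as an example; it is not code from this thread, from pfSense or from Juniper. It parses an ICMPv6 Router Advertisement whose bytes are constructed to carry the same field values as the capture (hop limit 64, flags 0, router lifetime 5400, source link-layer option; the checksum is zeroed because it covers the IPv6 pseudo-header), then applies the RFC 4861 section 6.3.4 rule that each RA restarts the router-lifetime timer and the router is dropped from the Default Router List when it expires. With a single solicited RA and no unsolicited refreshes, the default route lapses after the advertised 5400 s; with unsolicited RAs at the RFC 4861 default interval of 600 s it never does. The function and constant names are the example's own, and `MAX_RTR_ADV_INTERVAL_RFC8319` reflects the 65535 s cap (about 18.2 hours) that RFC 8319 introduced.

```python
"""Host-side model of IPv6 Router Advertisement handling (RFC 4861 section 6.3.4)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4861 section 6.2.1 caps MaxRtrAdvInterval at 1800 s; RFC 8319 raised the cap
# to 65535 s (about 18.2 hours). A router's AdvDefaultLifetime must be zero or at
# least MaxRtrAdvInterval, so unsolicited RAs must arrive before the lifetime runs out.
MAX_RTR_ADV_INTERVAL_RFC4861 = 1800
MAX_RTR_ADV_INTERVAL_RFC8319 = 65535

# Constructed ICMPv6 RA payload with the same field values as the capture in this
# thread (hop limit 64, flags 0, router lifetime 5400, reachable/retrans 0, source
# link-layer option 0a:b2:58:47:a2:e4). The checksum is zeroed: it covers the IPv6
# pseudo-header, which a payload-only parser does not have.
RA_BYTES = (
    bytes([134, 0, 0x00, 0x00, 64, 0x00])
    + struct.pack("!HII", 5400, 0, 0)
    + bytes([1, 1, 0x0A, 0xB2, 0x58, 0x47, 0xA2, 0xE4])
)


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed: bool            # M flag: addresses via DHCPv6
    other: bool              # O flag: other configuration via DHCPv6
    router_lifetime: int     # seconds as default router; 0 = not a default router
    reachable_time_ms: int
    retrans_timer_ms: int
    source_lladdr: Optional[str]


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Decode an ICMPv6 Router Advertisement (type 134) and its source link-layer option."""
    if len(payload) < 16 or payload[0] != 134 or payload[1] != 0:
        raise ValueError("not an ICMPv6 Router Advertisement")
    cur_hop_limit, flags = payload[4], payload[5]
    router_lifetime, reachable, retrans = struct.unpack("!HII", payload[6:16])
    lladdr = None
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            # RFC 4861 section 4.6: a zero-length option means the packet must be discarded.
            raise ValueError("zero-length ND option")
        if opt_type == 1 and opt_len == 1:   # Source Link-layer Address, 6-byte MAC
            lladdr = ":".join(f"{b:02x}" for b in payload[off + 2:off + 8])
        off += opt_len * 8                    # other options (MTU, prefix info) are skipped
    return RouterAdvertisement(cur_hop_limit, bool(flags & 0x80), bool(flags & 0x40),
                               router_lifetime, reachable, retrans, lladdr)


def default_route_gaps(ra_seen_at: List[float], router_lifetime: int,
                       until: float) -> List[Tuple[float, float]]:
    """Intervals within [first RA, until] during which the host has no default route.

    Each RA from the router restarts its lifetime timer; when the timer expires the
    router is removed from the Default Router List (RFC 4861 section 6.3.4). The host
    does not re-solicit, so only a fresh RA (solicited or unsolicited) restores the route.
    """
    gaps = []
    expires = None
    for t in sorted(ra_seen_at):
        if expires is not None and t > expires:
            gaps.append((expires, t))
        expires = t + router_lifetime
    if expires is not None and until > expires:
        gaps.append((expires, until))
    return gaps


def unsolicited_interval_ok(observed_max_interval: float, router_lifetime: int,
                            rfc8319: bool = True) -> bool:
    """True if the longest observed gap between RAs keeps the default route alive and
    stays within the MaxRtrAdvInterval cap of RFC 4861 (or, with rfc8319=True, RFC 8319)."""
    cap = MAX_RTR_ADV_INTERVAL_RFC8319 if rfc8319 else MAX_RTR_ADV_INTERVAL_RFC4861
    return observed_max_interval <= min(router_lifetime, cap)


if __name__ == "__main__":
    ra = parse_ra(RA_BYTES)
    print(f"router lifetime {ra.router_lifetime}s from {ra.source_lladdr}")
    # One solicited RA at t=0 and nothing afterwards: the route lapses at 5400 s
    # (an hour and a half) and stays gone until the interface is bounced.
    print("gaps with a single RA:", default_route_gaps([0.0], ra.router_lifetime, 86400.0))
    # Unsolicited RAs every 600 s (the RFC 4861 default MaxRtrAdvInterval): no gaps.
    print("gaps with periodic RAs:",
          default_route_gaps([i * 600.0 for i in range(145)], ra.router_lifetime, 86400.0))
```

Running the script over a list of real RA arrival times taken from a long WAN capture (as suggested later in the thread) shows directly whether the outages line up with the 5400 s lifetime or with something that bounced the interface and triggered a fresh RS.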

                                  @bimmerdriver

                                  @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                  @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                  It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

                                  Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the Juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?

                                  I don't understand your point. ISPs that work and adhere to standards send periodic RAs.


                                    johnpoz LAYER 8 Global Moderator @bimmerdriver

                                    @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                    far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages.

                                    Says who? 2-second Google:
                                    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unsolicited-ra-edit-enhanced-universal-edge-overrides.html

                                    So they have that SET!!! Per previous comments, etc. as well

                                    Says that the DEFAULT is to send them..

                                    Disable the default transmission and periodic refresh of unsolicited Router Advertisement messages by the router when the subscriber interface is created, and at configured periodic intervals thereafter. When you include the no-unsolicited-ra statement, the router sends Router Advertisement messages and associated periodic refresh messages only when it receives a Router Solicitation message from the subscriber.

                                    BTW - that link is first hit on google for "juniper routers unsolicited RA"

                                    Couple hits down is your post on the other distro board.. Posting the same link - so you KNOW it's not default and that they set it, not that they DO NOT do it...

                                    If the RFC says the host is "forbidden" from sending RS... You think pfSense should break the RFC and send RS anyway, because some ISP doesn't know how to configure their own choice of hardware? To be standard?

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      Derelict LAYER 8 Netgate

                                      Based on RFC4861 I cannot see that as ever working unless you have coded your subscriber devices to violate RFC4861 by periodically sending RSs, thus breaking your subscribers' ability to use compliant devices.


                                        johnpoz LAYER 8 Global Moderator

                                        Yeah not sure why they added the "option" but prob some feature request for some bigger odd ball network doing odd things, etc.

                                        But it sure is not "default" nor is with the RFCs - so yeah could break a lot of shit..


                                          bimmerdriver @Derelict

                                          @Derelict My point is that sometimes, pfSense tolerates the absence of RA messages and IPv6 continues to work. Other times, IPv6 drops after a couple of hours. It can be restored by save / apply on the WAN I/F.

                                            Derelict LAYER 8 Netgate

                                            No, it doesn't. My guess is that when you think it is tolerating it, it is really because something has done something to the WAN port that caused another RS to be issued. Could be a down/up on WAN for any reason or probably several other things.

                                            A long packet capture would tell the tale there.

                                            Your ISP is broken. They should fix it. At this point I'd try to make an appointment with someone there. VP or higher.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.