Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?
-
Post the pcap.
-
Here is a text dump of the DHCP solicit/advertise. More to follow.
DHCPv6
  Message type: Solicit (1)
  Transaction ID: 0x4d32b4
  Client Identifier
    Option: Client Identifier (1)
    Length: 14
    Value: 0001000123444ec100155d014902
    DUID: 0001000123444ec100155d014902
    DUID Type: link-layer address plus time (1)
    Hardware type: Ethernet (1)
    DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
    Link-layer address: 00:15:5d:01:49:02
  Elapsed time
    Option: Elapsed time (8)
    Length: 2
    Value: 0000
    Elapsed time: 0ms
  Option Request
    Option: Option Request (6)
    Length: 4
    Value: 00170018
    Requested Option code: DNS recursive name server (23)
    Requested Option code: Domain Search List (24)
  Identity Association for Prefix Delegation
    Option: Identity Association for Prefix Delegation (25)
    Length: 12
    Value: 000000000000000000000000
    IAID: 00000000
    T1: 0
    T2: 0

DHCPv6
  Message type: Advertise (2)
  Transaction ID: 0x4d32b4
  Client Identifier
    Option: Client Identifier (1)
    Length: 14
    Value: 0001000123444ec100155d014902
    DUID: 0001000123444ec100155d014902
    DUID Type: link-layer address plus time (1)
    Hardware type: Ethernet (1)
    DUID Time: Jul 20, 2018 00:41:53.000000000 Pacific Daylight Time
    Link-layer address: 00:15:5d:01:49:02
  Server Identifier
    Option: Server Identifier (2)
    Length: 26
    Value: 00020000058330383a62323a35383a34373a61373a633000…
    DUID: 00020000058330383a62323a35383a34373a61373a633000…
    DUID Type: assigned by vendor based on Enterprise number (2)
    Enterprise ID: Juniper Networks/Funk Software (1411)
    Identifier: 30383a62323a35383a34373a61373a6330000000
  Identity Association for Prefix Delegation
    Option: Identity Association for Prefix Delegation (25)
    Length: 41
    Value: 0000000000000e1000001518001a001900001c2000001d4c…
    IAID: 00000000
    T1: 3600
    T2: 5400
    IA Prefix
      Option: IA Prefix (26)
      Length: 25
      Value: 00001c2000001d4c3820010abc7c4a560000000000000000…
      Preferred lifetime: 7200
      Valid lifetime: 7500
      Prefix length: 56
      Prefix address: 2001:abc:7c4a:5600::
  DNS recursive name server
    Option: DNS recursive name server (23)
    Length: 32
    Value: 20010abcff09010a000000000000005320010abcff09010b…
    1 DNS server address: 2001:abc:ff09:10a::53
    2 DNS server address: 2001:abc:ff09:10b::53
-
@bimmerdriver Why do we care? This thread is about RAs?
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
Post the pcap.
I don't want to post the pcap, but the 'fing spam blocker won't let me post the next pair of messages.
-
Why do we care about DHCP? The gateways are not set using DHCP in IPv6.
-
@Derelict If I posted the RS/RA, someone would be asking to see the DHCP messages, so I intended to post them in sequence.
-
DHCP doesn't matter here. Has nothing whatsoever to do with your ISP not sending RAs as required.
-
Here are the RS/RA messages, if the spam filter will allow it.
Internet Control Message Protocol v6
  Type: Router Solicitation (133)
  Code: 0
  Checksum: 0x2efd [correct]
  [Checksum Status: Good]
  Reserved: 00000000
  ICMPv6 Option (Source link-layer address : 00:15:5d:01:49:02)
    Type: Source link-layer address (1)
    Length: 1 (8 bytes)
    Link-layer address: Microsof_01:49:02 (00:15:5d:01:49:02)

Internet Control Message Protocol v6
  Type: Router Advertisement (134)
  Code: 0
  Checksum: 0x74bd [correct]
  [Checksum Status: Good]
  Cur hop limit: 64
  Flags: 0x00, Prf (Default Router Preference): Medium
  Router lifetime (s): 5400
  Reachable time (ms): 0
  Retrans timer (ms): 0
  ICMPv6 Option (Source link-layer address : 0a:b2:58:47:a2:e4)
    Type: Source link-layer address (1)
    Length: 1 (8 bytes)
    Link-layer address: 0a:b2:58:47:a2:e4 (0a:b2:58:47:a2:e4)
-
It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.
-
You're only at a "karma of three (now 4)" someone else give a so he's over 5. That's more for editing profiles, etc but it can't hurt.
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.
Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?
-
They HAVE to send an unsolicited, periodic RA. If juniper has that setting then it is to be used in cases where it is not necessary. This is not a pfSense problem. It is an ISP problem. See RFC4861. The host device is FORBIDDEN from sending another RS unless its interface is shut/no shut, etc.
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.
Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?
I don't understand your point. ISPs that work and adhere to standards send periodic RAs.
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages.
Says who? 2 second google
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unsolicited-ra-edit-enhanced-universal-edge-overrides.html
So they have that SET!!! Per previous comments, etc. as well
Says that the DEFAULT is to send them..
Disable the default transmission and periodic refresh of unsolicited Router Advertisement messages by the router when the subscriber interface is created, and at configured periodic intervals thereafter. When you include the no-unsolicited-ra statement, the router sends Router Advertisement messages and associated periodic refresh messages only when it receives a Router Solicitation message from the subscriber.
BTW - that link is first hit on google for "juniper routers unsolicited RA"
Couple hits down is your post on the other distro board.. Posting the same link - so you KNOW its not default and that they set it, not that they DO NOT do it...
If the RFC says the host is "forbidden" from sending RS... You think pfsense should break the rfc and send RS anyway, because some ISP doesn't know how to configure their own choice of hardware? To be standard?
-
Based on RFC4861 I cannot see that as ever working unless you have coded your subscriber devices to violate RFC4861 by periodically sending RSs, thus breaking your subscribers' ability to use compliant devices.
-
Yeah not sure why they added the "option" but prob some feature request for some bigger odd ball network doing odd things, etc.
But it sure is not "default" nor is with the RFCs - so yeah could break a lot of shit..
-
@Derelict My point is that sometimes, pfSense tolerates the absence of RA messages and IPv6 continues to work. Other times, IPv6 drops after a couple of hours. It can be restored by save / apply on the WAN I/F.
-
No, it doesn't. My guess is that when you think it is tolerating it, it is really because something has done something to the WAN port that caused another RS to be issued. Could be a down/up on WAN for any reason or probably several other things.
A long packet capture would tell the tale there.
Your ISP is broken. They should fix it. At this point I'd try to make an appointment with someone there. VP or higher.
-
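As an added example (not code from this thread, from pfSense or from the ISP), the script below parses the Router Advertisement quoted above from its raw ICMPv6 bytes and then replays an RA arrival timeline the way an RFC 4861 host maintains its Default Router List. That makes the two points in the posts above concrete: with only the single RA answering the RS at link-up, the default route learned from it lapses exactly when the 5400 s Router Lifetime runs out, and a long capture of RA arrival times shows precisely where the holes are. The RA bytes are reconstructed from the fields in the posted dissection (the checksum is copied, not recomputed, because the IPv6 addresses needed for the pseudo-header are not in the dump); the two arrival-time scenarios at the bottom are constructed, not captured.

```python
"""ICMPv6 Router Advertisement parser plus an RFC 4861 Default Router List
replay: when does the default route learned from an RA expire if no further
RA arrives?  Added example; not pfSense code."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER_ADDR = 1          # RFC 4861 section 4.6.1

# Constructed from the RA dissection posted in the thread: type 134, code 0,
# checksum 0x74bd (copied, not recomputed: the IPv6 header needed for the
# pseudo-header is not in the dump), hop limit 64, flags 0x00, router
# lifetime 5400 s, reachable/retrans 0, SLLA option 0a:b2:58:47:a2:e4.
SAMPLE_RA = bytes.fromhex(
    "86 00 74bd"             # type, code, checksum
    "40 00 1518"             # cur hop limit 64, flags 0x00, router lifetime 5400
    "00000000"               # reachable time (ms)
    "00000000"               # retrans timer (ms)
    "01 01 0ab25847a2e4"     # option 1 (SLLA), length 1 (= 8 bytes), MAC
)


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed: bool               # M flag: addresses via DHCPv6
    other_config: bool          # O flag: other config (DNS etc.) via DHCPv6
    router_lifetime: int        # seconds; 0 means "I am not a default router"
    reachable_time_ms: int
    retrans_timer_ms: int
    source_lladdr: Optional[str]


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload (IPv6 header already stripped) of an RA."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (msg_type, code, _checksum, hop_limit, flags,
     lifetime, reachable, retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement: type={msg_type} code={code}")
    lladdr = None
    off = 16
    while off < len(payload):                   # TLV options, length in 8-byte units
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:                        # RFC 4861 section 4.6: must be discarded
            raise ValueError("zero-length option")
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR:
            lladdr = ":".join(f"{b:02x}" for b in payload[off + 2:end])
        off = end                               # unknown options are skipped
    return RouterAdvertisement(hop_limit, bool(flags & 0x80), bool(flags & 0x40),
                               lifetime, reachable, retrans, lladdr)


def default_route_gaps(ras: List[Tuple[int, int]], capture_end: int) -> List[Tuple[int, int]]:
    """Replay RAs as an RFC 4861 section 6.3.4 host updates its Default Router
    List.  `ras` holds (seconds since capture start, Router Lifetime) for each
    RA from the one router; returns the intervals during which no default
    route existed, up to `capture_end`."""
    gaps = []
    expiry = None                    # when the current default-router entry times out
    for t, lifetime in sorted(ras):
        if expiry is not None and t > expiry:
            gaps.append((expiry, t)) # route was missing until this RA refreshed it
        expiry = t + lifetime        # a lifetime of 0 removes the entry at once
    if expiry is not None and capture_end > expiry:
        gaps.append((expiry, capture_end))
    return gaps


if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(f"RA from {ra.source_lladdr}: router lifetime {ra.router_lifetime} s, "
          f"M={ra.managed} O={ra.other_config}")
    overnight = 8 * 3600
    # Scenario 1 (constructed): one RA answering the RS at link-up, then
    # silence, which is what an edge router with no-unsolicited-ra produces.
    print("solicited only:", default_route_gaps([(0, ra.router_lifetime)], overnight))
    # Scenario 2 (constructed): RFC 4861 defaults, an unsolicited RA every
    # MaxRtrAdvInterval = 600 s, each one refreshing the 5400 s lifetime.
    periodic = [(t, ra.router_lifetime) for t in range(0, overnight, 600)]
    print("periodic RAs:  ", default_route_gaps(periodic, overnight))
```

To feed real arrival times into `default_route_gaps`, capture only RAs on the WAN side for several hours (on pfSense, `tcpdump -ni <wanif> -tt 'icmp6 and ip6[40] == 134'` works when the packets carry no IPv6 extension headers, since the byte-40 match assumes a bare 40-byte IPv6 header) and convert the timestamps to seconds since the first RA. Any gap the function reports is a window in which a compliant host had no default router, regardless of what DHCPv6 was doing at the time.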
@johnpoz said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages.
Says who? 2 second google
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unsolicited-ra-edit-enhanced-universal-edge-overrides.html
So they have that SET!!!
Says that the DEFAULT is to send them..
Disable the default transmission and periodic refresh of unsolicited Router Advertisement messages by the router when the subscriber interface is created, and at configured periodic intervals thereafter. When you include the no-unsolicited-ra statement, the router sends Router Advertisement messages and associated periodic refresh messages only when it receives a Router Solicitation message from the subscriber.
BTW - that link is first hit on google for "juniper routers unsolicited RA"
Couple hits down is your post on the other distro board.. Posting the same link - so you KNOW its not default and that they set it, not that they DO NOT do it...
If the RFC says the host is "forbidden" from sending RS... You think pfsense should break the rfc and send RS anyway, because some ISP doesn't know how to configure their own choice of hardware? To be standard?
I have a pcap that ran overnight with no unsolicited RA messages. pfsense was dutifully renewing the DHCP lease, but the link wasn't working. The only RA message in the entire pcap was in reply to the RS message sent from pfsense when the link was started. IPv6 worked for a while when the link started, then dropped and did not restore for the duration of the pcap.
The link to Juniper describing the "feature" is from June 2019. Not likely that very many ISPs will push out an update overnight and I'm not sure it would fix the problem the ISP is having.
RFC 4861 says the following for RA destination address: Typically the Source Address of an invoking Router Solicitation or the all-nodes multicast address.
According to the most recent email I got from the ISP, the CPE only accepts unsolicited RA with unicast destination address. (In my case, with a Nokia edge router, that's what my modem is receiving for both the solicited and unsolicited RA messages.) According to the ISP, the Juniper edge router only sends unsolicited RA with all-nodes multicast address destination. (IMO, it makes sense that it would be multicast for unsolicited RA, no idea why this should be a problem for the CPE.) The CPE doesn't accept this, so it drops the default route and IPv6 drops until something triggers another RS message. For customers who are unlucky and have a Juniper edge router, they don't have working IPv6. The ISP is trying to get Juniper to modify the software to support unicast and they are also looking at modifying the CPE to not expire the default route.
It's a pretty pathetic situation when major companies can't / won't make interoperable network equipment. It's not like IPv6 was invented yesterday.
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
No, it doesn't. My guess is that when you think it is tolerating it it is really because something has done something to the WAN port that caused another RS to be issued. Could be a down up on WAN for any reason or probably several other things.
A long packet capture would tell the tale there.
Your ISP is broken. They should fix it. At this point I'd try to make an appointment with someone there. VP or higher.
It may well be the case that something is causing the IPv6 to restart but it's not obvious what that would be. I don't have a pcap that captures IPv6 going back up after going down. There are two completely separate, almost identical hyper-v servers, each running the same version of pfsense, connected to the same fibre interface. On one of them IPv6 is solid. On the other it's unreliable. The pcap is from the unreliable one. Both are connected to the same edge router. We haven't had a chance to run a pcap on the other system.
I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz