Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
No, it doesn't. My guess is that when you think it is tolerating it it is really because something has done something to the WAN port that caused another RS to be issued. Could be a down up on WAN for any reason or probably several other things.
A long packet capture would tell the tale there.
Your ISP is broken. They should fix it. At this point I'd try to make an appointment with someone there. VP or higher.
It may well be the case that something is causing the IPv6 to restart but it's not obvious what that would be. I don't have a pcap that captures IPv6 going back up after going down. There are two completely separate, almost identical hyper-v servers, each running the same version of pfsense, connected to the same fibre interface. On one of them IPv6 is solid. On the other it's unreliable. The pcap is from the unreliable one. Both are connected to the same edge router. We haven't had a chance to run a pcap on the other system.
I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I have a pcap that ran overnight with no unsolicited RA messages. pfsense was dutifully renewing the DHCP lease, but the link wasn't working. The only RA message in the entire pcap was in reply to the RS message sent from pfsense when the link was started. IPv6 worked for a while when the link started, then dropped and did not restore for the duration of the pcap.
Exactly. Because obtaining a gateway (router) is completely disconnected from DHCP in IPv6.
Everything you describe there is exactly what should happen according to RFC4861.
You should be focusing your efforts on your ISP, not your firewall.
I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz
If you had your ducks in a row and could quickly demonstrate how his network was WRONG the VP might appreciate it.
According to the ISP, the Juniper edge router only sends unsolicited RA with all-nodes multicast address destination. (IMO, it makes sense that it would be multicast for unsolicited RA, no idea why this should be a problem for the CPE.) The CPE doesn't accept this, so it drops the default route and IPv6 drops until something triggers another RS message. For customers who are unlucky and have a Juniper edge router, they don't have working IPv6. The ISP is trying to get Juniper to modify the software to support unicast and they are also looking at modifying the CPE to not expire the default route.
But it sounds like they already know it. pfSense can do a lot of things but it can't fix a broken ISP. Sorry.
What your ISP needs is someone with the cojones to push the necessary change.
-
4.2. Router Advertisement Message Format
Source Address
MUST be the link-local address assigned to the interface from which this message is sent.
Destination Address
Typically the Source Address of an invoking Router Solicitation or the all-nodes multicast address.
That's pretty non-committal and I haven't found anything more authoritative but that says the response to an RS will be unicast to the host sending the RS being responded to and, if unsolicited, it will be to the all-nodes multicast address.
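An added example, not part of the original posts: a small Python check that reads the RA destination address and Router Lifetime out of raw IPv6 packets and reports the periods in which the default router would have expired with no RA to refresh it, which is the failure the overnight pcap in this thread showed. The packets, addresses and the 1800 s lifetime are constructed sample values, and the parser assumes no IPv6 extension headers.

```python
import ipaddress
import struct

ALL_NODES = ipaddress.IPv6Address("ff02::1")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

def parse_ra(packet: bytes):
    """Return RA facts from a raw IPv6 packet, or None if it is not a valid RA."""
    if len(packet) < 56 or packet[0] >> 4 != 6:
        return None
    next_header, hop_limit = packet[6], packet[7]
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    icmp = packet[40:]
    # Assumption: no extension headers between the IPv6 and ICMPv6 headers.
    if next_header != 58 or icmp[0] != 134 or icmp[1] != 0:
        return None
    # RFC 4861 receiver checks: hop limit 255 and a link-local source address.
    if hop_limit != 255 or src not in LINK_LOCAL:
        return None
    (lifetime,) = struct.unpack("!H", icmp[6:8])
    # As the thread describes: unicast = reply to an RS, ff02::1 = periodic RA.
    kind = "multicast" if dst == ALL_NODES else "unicast"
    return {"kind": kind, "dst": str(dst), "router_lifetime": lifetime}

def default_router_gaps(capture, capture_end):
    """capture: [(seconds, raw_packet)]; returns [(expired_at, restored_at or None)]."""
    gaps, expires = [], None
    for ts, pkt in capture:
        ra = parse_ra(pkt)
        if ra is None:
            continue
        if expires is not None and ts > expires:
            gaps.append((expires, ts))
        expires = ts + ra["router_lifetime"]
    if expires is not None and capture_end > expires:
        gaps.append((expires, None))
    return gaps

def build_ra(src, dst, lifetime, hop_limit=255):
    """Constructed RA for the demo; checksum left at 0 (not verified above)."""
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + icmp

# Constructed captures: one RA in reply to the RS, then silence for 12 hours...
broken = [(0, build_ra("fe80::1", "fe80::aaaa", 1800))]
# ...versus the same start followed by a multicast RA every 600 s.
healthy = broken + [(t, build_ra("fe80::1", "ff02::1", 1800)) for t in range(600, 3600, 600)]
```

`default_router_gaps(broken, 43200)` reports the router expiring at 1800 s and never being restored, while the `healthy` capture produces no gaps.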
-
Which makes complete sense - you sure wouldn't want to send out multicast every time someone asks for a RS.. Would just generate noise..
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
According to the most recent email I got from the ISP, the CPE only accepts unsolicited RA with unicast destination address.
That's nonsense. Unsolicited RAs only go to the multicast address. If they were only sent to the unicast address, how would the router know the unicast address of something that didn't send a request?
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz
Actually, I went through something similar a few months ago. I had a problem where the cable company's CMTS wasn't working properly. I had determined the failure was not on my network and even identified the failing system by name. I had the office of the President involved and finally got it resolved, after a senior tech proved the problem was with a specific CMTS (mine) at the head end.
-
@Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
That's pretty non-committal and I haven't found anything more authoritative but that says the response to an RS will be unicast to the host sending the RS being responded to and, if unsolicited, it will be to the all-nodes multicast address.
Here's what it says in IPv6 Essentials 3rd ed, by Silvia Hagen, pg 90:
"By inspecting the IP header of the Router Advertisement message, you can determine
whether this Router Advertisement is periodic or was sent in reply to a Solicitation
message. A periodic advertisement’s Destination address will be the all-nodes multicast
address ff02::1. A solicited advertisement’s Destination address will be the address of the
interface that originated the solicitation message. Again, the hop limit is set to 255."
-
@johnpoz said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
...your post on the other distro board...
This forum is amazing! Just by following/reading this thread I learned a lot.
On the "other distro board" wasn't even a single reply to the question. Tells it all, doesn't it?
Thanks for sharing knowledge and discussing professionally on this forum, really appreciate it!
-
@jahonix said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
On the "other distro board" wasn't even a single reply to the question.
I don't know what that other distro is, but here it's all about networking with pfSense. Many of us here work professionally with networks. This means we tend to know more about networks than users on Linux sites. When I had that problem a few months ago, I found I had to teach both the tier 2 support and senior tech about some of the finer points about IPv6.
-
@JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I don't know what that other distro is, but ...
The fork of pfSense, maybe?
So it's not that far off the track as "other Linux sites" might be.
-
@JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I don't know what that other distro is
hehe - yeah bimmerdriver posted pretty much the same question over on the forums for the distro that I will not name ;) I mentioned that in my post about the Juniper setting not being default to not send unsolicited RAs.
It's like the 3rd or 4th listing on the Google search I stated - if you want to find it.. It's crickets over there for his question..
-
@JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
According to the most recent email I got from the ISP, the CPE only accepts unsolicited RA with unicast destination address.
That's nonsense. Unsolicited RAs only go to the multicast address. If they were only sent to the unicast address, how would the router know the unicast address of something that didn't send a request?
I'm not going to post the email, but that's what I was told.
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
I'm not going to post the email, but that's what I was told.
Perhaps it's time to escalate. I find the first level support isn't much good for unusual problems, so I wind up asking for 2nd level right off. Even then, I had to explain how DHCPv6-PD worked to the tier 2 guy, including how the assigned address is not used for routing etc. I walked him through things to try, while I monitored with Packet Capture or Wireshark, tested through my cell phone and more. Then the guys who were responsible for fixing the problem refused, as I had my own equipment beyond the modem, even though the problem was proven to not be at my end. It took a lot of effort, but I finally got the problem resolved. You might have to do the same.
What did that guy say about the RFC that shows how it's supposed to work?
BTW, that book I quoted from is an excellent IPv6 reference.
-
@JKnott I'm not going to dox my contact, but "that guy" is not in first or second or any other level of support. He is an engineer. It's not that he doesn't understand what the RFCs say, but rather that these issues reflect vendor-supplied cpe and edge routers and the respective vendors won't cooperate in a timely manner or at all to resolve them. If I disagree with anything he says, it's that these issues are being tolerated and in some cases accommodated, rather than being corrected.
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
If I disagree with anything he says, it's that these issues are being tolerated and in some cases accommodated, rather than being corrected.
What happens with other customers? I doubt pfSense is the only router that has this issue. With that sort of attitude, perhaps it's time to find another ISP. I don't understand the point of offering a service that won't work with most of the devices out there. If you've been following here long enough, you're no doubt aware some providers have some strange ideas.
-
@JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
If I disagree with anything he says, it's that these issues are being tolerated and in some cases accommodated, rather than being corrected.
What happens with other customers? I doubt pfSense is the only router that has this issue. With that sort of attitude, perhaps it's time to find another ISP. I don't understand the point of offering a service that won't work with most of the devices out there. If you've been following here long enough, you're no doubt aware some providers have some strange ideas.
ISPs usually hide behind the position that if you aren't using their equipment, they are not obligated to provide any support. This is what you would get from first or second level support from virtually any ISP in my experience. You have to admit that only a very small portion of the subscriber base is using anything other than the ISP-supplied CPE.
As for switching ISPs, been there, done that. The only alternative is Shaw and they suck even more than Telus.
-
@bimmerdriver Seems they could un-disable unsolicited RAs to adhere to the standard and their devices could continue to operate outside the standard, send RSs, and get unicast RAs in response. Both should work in that case.
-
@bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:
ISPs usually hide behind the position that if you aren't using their equipment, they are not obligated to provide any support. This is what you would get from first or second level support from virtually any ISP in my experience. You have to admit that only a very small portion of the subscriber base is using anything other than the ISP-supplied CPE.
As for switching ISPs, been there, done that. The only alternative is Shaw and they suck even more than Telus.
I'm on Rogers and use their modem in bridge mode, with a computer running pfSense as my firewall/router. As I mentioned, the guys responsible for maintaining the network didn't want to do anything because I had my own router/firewall, even though I was able to prove the problem was not on my network and could even identify the failing system by name. On top of that, both tier 2 support and a senior tech verified it was a Rogers problem. It was only after the senior tech brought his own modem to my home, found it failed and then took it to the head end and tested with my CMTS and 3 others, but found it only failed with mine, that they finally got around to fixing the problem. If I hadn't stuck with it and even contacted the office of the president, it would likely not be fixed and this was a problem that affected everyone on my node. Since the engineer refuses to be compliant with the RFC, then I'd say escalate to upper management and let them know their engineer is refusing to be compliant with published Internet specifications. Perhaps contacting the CRTC or CCTS might be in order.
-
@bimmerdriver were you ever able to figure out a solution for this? I'm assuming the ISP involved is Telus. They appear to be uninterested in changing this behaviour despite my attempts to point out they are not following the RFC. The only solution they've offered is to swap out the network hardware for one of their newer modems that ignores the RFC.
-
@jdu-9999 You're correct, the ISP is Telus. To be honest, I had better things to do, so I basically gave up. I'm curious about who you talked to. Can we take this offline?