IPv6 working but I have to disable gateway monitoring

JKnott

@lohphat

Then you'll have to use some other address.

lohphat

@JKnott I'm wondering what the monitoring process is. It may be that the IPv6 gateway doesn't respond to ICMP pings.

So I've reverted to using the Google DNS address as the monitoring address altough I hate using someone's services as a monitoring point as it's unsolicited traffic. Using the local CPE gateway is still the obvious best solution.

sigh

JKnott

@lohphat said in IPv6 working but I have to disable gateway monitoring:

It may be that the IPv6 gateway doesn't respond to ICMP pings.

The way to verify that is with Packet Capture. If you see them going out, but no response then that's the issue. You might also try with a known address, such as Google's DNS servers. You can use 2001:4860:4860::8888 and 2001:4860:4860::8844. You can also try pinging from the command line, remembering to specify the interface.

lohphat

@JKnott Yeah, I tried to ping the gateway local link and 100% packet loss but pinging the Google DNS IPv6 addresses worked. Must be a Spectrum or a Motorola/Arris cabelmodem config.

JKnott

@lohphat

Where did you ping from? If pinging a link local address, you have to do it from a computer on the same link. This means you have to ping from pfSense, not a computer behind it.

lohphat

@JKnott Correct. I pinged from the diagnostic menu in the pfSense UI and specified the interface as well. No joy.

Napsterbater

@lohphat
Why not do a trace route and find and use the first hop that responds as the target for the monitor?

lohphat

@Napsterbater Because in a redundant path BGP environment, there may be multiple paths from the local POP and whichever I select may be a dynamic route which may sometimes be down for maintenance. This presumes Spectrum has a brain cell, but I digress...

Napsterbater

@lohphat
Though the first thing to show in a trace may just be the CMTSs GUA, thus just as good as the Link Local.

Just because the LL doesn't respond doesn't mean the GUA wont. Though depends on the configuration of course

JKnott

@lohphat

Correct. I pinged from the diagnostic menu in the pfSense UI and specified the interface as well. No joy.

I wonder why they would do that. Given it can't be pinged from beyond the local links, the usual security reasons for doing so don't apply.

JKnott

@Napsterbater said in IPv6 working but I have to disable gateway monitoring:

@lohphat
Why not do a trace route and find and use the first hop that responds as the target for the monitor?

If the next hop is also a link local address, he won't be able to ping it or any other LL address beyond the local link.

lohphat

@JKnott My guess is that it's dependent on the OEM firmware IPv6 for the cablemodem, in my case a Motorola/Arris unit. It may not be the ISP's choice.

I tried both UDP and ICMP pings and the next local IPv6 hop seems to be a reasonable ...::1 address so I will try using that for awhile instead of the Google DNS IPv6 address for gateway monitoring. I'll keep an eye on it.

However this case might be interesting for the DHCP6 code owners to look oup for unrespondive link local WAN gateways and perhaps compensate by doing an ICMP traceroute and using the first hop's address.

JKnott

@JKnott said in IPv6 working but I have to disable gateway monitoring:

If the next hop is also a link local address, he won't be able to ping it or any other LL address beyond the local link.

I just did some testing. My gateway link local address also does not respond to a ping. However, traceroute shows an address with a /128 prefix. Both that address and the link local have the same MAC address, so that is the address to use for monitoring. This demonstrates what I have often mentioned, while link local addresses are often used for routing, the interface will usually have a /128 prefix for a routeable address that can be used for testing, etc.

lohphat

@JKnott Correct. My assigned /128 was 2604:2000:xxxx:... and the 2604:2000:xxxx::1 address was the first hop of the traceroute -- so that's what I now have as my monitoring address.

Perhaps this can be considered a common IPv6 gateway config case and the DHCP6 code can be updated to automatically determine the upsteam gateway on its own without manual intervention for ease of configuration.

The problem I see with the current manual intervention is that if Spectrum issues me a different /128 on the next cablemodem reboot and then the manual gateway monitor address may not be appropriate.

JKnott

@lohphat said in IPv6 working but I have to disable gateway monitoring:

I tried both UDP and ICMP pings and the next local IPv6 hop seems to be a reasonable ...::1 address so I will try using that for awhile instead of the Google DNS IPv6 address for gateway monitoring. I'll keep an eye on it.

If that address has a /128 prefix, I bet it has the same MAC address as the link local.

IPv6 is a bit different from IPv4 in this regard. In addition to being able to use link local addresses for routing, an interface can have multiple addresses. For example, my desktop computer can have up to 17 addresses. This would be 1 link local and 8 GUA (7 privacy) and 8 ULA (7 privacy) I would have that many after my computer has been up for a week, as there's a new privacy address for each prefix per day, up to 7. Also, that /128 isn't really an interface address, as it's not in any prefix assigned to an interface. It is, however, a valid address for the device.

Napsterbater

@JKnott said in IPv6 working but I have to disable gateway monitoring:

If the next hop is also a link local address, he won't be able to ping it or any other LL address beyond the local link.

If... Not all devices reply with their LL to ICMP (i.e. traceroute).. Such as pfSense itself. Hence a way to possibly sniff the GUA out.

JKnott

@Napsterbater said in IPv6 working but I have to disable gateway monitoring:

@JKnott said in IPv6 working but I have to disable gateway monitoring:

If the next hop is also a link local address, he won't be able to ping it or any other LL address beyond the local link.

If... Not all devices reply with their LL to ICMP (i.e. traceroute).. Such as pfSense itself. Hence a way to possibly sniff the GUA out.

Also, further testing shows that /128 is not the next hop as I thought, at least not with my ISP. Regardless, the address can still be used for the monitor. I verified this by connecting my notebook computer directly to the modem and running the ip neigh show command, which lists all addresses on the local link. I didn't see that /128 address.

JKnott

@JKnott

I may have to give this a bit more thought (need some more beer). The link local address may be on the next hop, but since it's not with the prefix, it will be sent to the router, using it's MAC address. When I get a chance, I'll have to fire up Wireshark, to see what's actually happening. I find the networking tools in BSD to be limiting, compared to Linux.

chpalmer

Add :1 to the back of your gateway address and monitor that.

lohphat

This post is deleted!