Netgate Discussion Forum

    IPv6 working but I have to disable gateway monitoring

    36 Posts 6 Posters 4.9k Views
    • lohphatL
      lohphat @JKnott
      last edited by lohphat

      @JKnott Correct. My assigned /128 was 2604:2000:xxxx:... and the 2604:2000:xxxx::1 address was the first hop of the traceroute -- so that's what I now have as my monitoring address.

      Perhaps this can be considered a common IPv6 gateway config case and the DHCP6 code can be updated to automatically determine the upstream gateway on its own without manual intervention for ease of configuration.

      The problem I see with the current manual intervention is that if Spectrum issues me a different /128 on the next cablemodem reboot, then the manual gateway monitor address may not be appropriate.

      • JKnottJ
        JKnott @lohphat
        last edited by JKnott

        @lohphat said in IPv6 working but I have to disable gateway monitoring:

        I tried both UDP and ICMP pings and the next local IPv6 hop seems to be a reasonable ...::1 address so I will try using that for a while instead of the Google DNS IPv6 address for gateway monitoring. I'll keep an eye on it.

        If that address has a /128 prefix, I bet it has the same MAC address as the link local.

        IPv6 is a bit different from IPv4 in this regard. In addition to being able to use link local addresses for routing, an interface can have multiple addresses. For example, my desktop computer can have up to 17 addresses. This would be 1 link local and 8 GUA (7 privacy) and 8 ULA (7 privacy). I would have that many after my computer has been up for a week, as there's a new privacy address for each prefix per day, up to 7. Also, that /128 isn't really an interface address, as it's not in any prefix assigned to an interface. It is, however, a valid address for the device.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • N
          Napsterbater @JKnott
          last edited by

          @JKnott said in IPv6 working but I have to disable gateway monitoring:

          If the next hop is also a link local address, he won't be able to ping it or any other LL address beyond the local link.

          If... Not all devices reply with their LL to ICMP (i.e. traceroute).. Such as pfSense itself. Hence a way to possibly sniff the GUA out.

          • JKnottJ
            JKnott @Napsterbater
            last edited by JKnott

            @Napsterbater said in IPv6 working but I have to disable gateway monitoring:

            @JKnott said in IPv6 working but I have to disable gateway monitoring:

            If the next hop is also a link local address, he won't be able to ping it or any other LL address beyond the local link.

            If... Not all devices reply with their LL to ICMP (i.e. traceroute).. Such as pfSense itself. Hence a way to possibly sniff the GUA out.

            Also, further testing shows that /128 is not the next hop as I thought, at least not with my ISP. Regardless, the address can still be used for the monitor. I verified this by connecting my notebook computer directly to the modem and running the ip neigh show command, which lists all addresses on the local link. I didn't see that /128 address.

            • JKnottJ
              JKnott @JKnott
              last edited by

              @JKnott

              I may have to give this a bit more thought (need some more beer). The link local address may be on the next hop, but since it's not with the prefix, it will be sent to the router, using its MAC address. When I get a chance, I'll have to fire up Wireshark, to see what's actually happening. I find the networking tools in BSD to be limiting, compared to Linux.

              • chpalmerC
                chpalmer
                last edited by

                Add :1 to the back of your gateway address and monitor that.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  • lohphatL
                    lohphat @chpalmer
                    last edited by lohphat

                    @chpalmer That's essentially what worked but I had to use traceroute to find the correct form of the address to monitor.

                    IPv6 Link Local
                        fe80::208:a2ff:fe0d:87ab%mvneta2
                    IPv6 Address
                        2604:2000:cfc0:1b:xxxx:yyyy:zzzz:9d5b
                    Subnet mask IPv6
                        128
                    Gateway IPv6
                        fe80::217:10ff:fe88:285b
                    

                    The next upstream hop via traceroute was:

                    2604:2000:cfc0:1b::1
                    

                    However I can't be assured that I'll get the same IPv6 assignment after the cablemodem reboot; so a manual gateway monitor assignment, although working now, is not the optimal solution in case I get a different /128 after a CPE reboot or my ISP reassigning address space on their side. There needs to be a bit more intelligence in the DHCP6 code.

                    • chpalmerC
                      chpalmer
                      last edited by

                      @lohphat said in IPv6 working but I have to disable gateway monitoring:

                      However I can't be assured that I'll get the same IPv6 assignment after the cablemodem reboot;

                      That should not matter.. The address should still only be the same distance away and still monitorable.

                      • lohphatL
                        lohphat @chpalmer
                        last edited by

                        @chpalmer What if my ISP decides to change the local DHCP6 pool to 2604:2000:cfc0:17... then the hop is no longer valid

                        JKnottJ 1 Reply Last reply Reply Quote 0
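
The check lohphat describes in the posts above (take the first upstream hop from traceroute as the monitor address, then worry that a lease from a different pool leaves that static address pointing at the wrong place), as an added example that is not from any poster or from pfSense. It assumes `traceroute6 -n` output and a /64 around the WAN /128; the addresses are constructed from the 2001:db8::/32 documentation prefix and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed `traceroute6 -n` output after a hypothetical pool change.
# 2001:db8::/32 is the documentation prefix, not the poster's real space.
SAMPLE_TRACEROUTE = """\
traceroute6 to 2001:db8:ffff::53 (2001:db8:ffff::53) from 2001:db8:cfc0:17:a1b2:c3d4:e5f6:9d5b, 64 hops max, 12 byte packets
 1  2001:db8:cfc0:17::1  9.512 ms  8.874 ms  9.120 ms
 2  2001:db8:0:4::2  11.302 ms  10.950 ms  11.018 ms
"""

def first_routable_hop(traceroute_text):
    """First hop that answered from a non-link-local address, else None."""
    for line in traceroute_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)", line)
        if not m:
            continue                      # header line, not a hop
        try:
            hop = ipaddress.IPv6Address(m.group(1).split("%")[0])
        except ValueError:
            continue                      # "*" timeout or a hostname
        if not hop.is_link_local:
            return hop
    return None

def slash64_one(wan_addr):
    """The <WAN /64>::1 form seen in the thread (the /64 width is an assumption)."""
    return ipaddress.IPv6Network(f"{wan_addr}/64", strict=False).network_address + 1

def check_monitor(monitor_ip, wan_addr, traceroute_text):
    """Return (status, suggested_monitor) for a static near-hop monitor IP."""
    monitor = ipaddress.IPv6Address(monitor_ip)
    wan64 = ipaddress.IPv6Network(f"{wan_addr}/64", strict=False)
    suggestion = first_routable_hop(traceroute_text) or slash64_one(wan_addr)
    if monitor == suggestion:
        return ("ok", monitor)
    if monitor not in wan64:
        return ("stale", suggestion)      # lease moved to another /64
    return ("differs", suggestion)        # same /64, traceroute shows another hop

if __name__ == "__main__":
    old_monitor = "2001:db8:cfc0:1b::1"                 # configured before the change
    new_wan = "2001:db8:cfc0:17:a1b2:c3d4:e5f6:9d5b"    # new /128 lease
    print(check_monitor(old_monitor, new_wan, SAMPLE_TRACEROUTE))
```

A monitor address that is deliberately far away, such as a public DNS server, will always report as "stale" here; the check only makes sense for the near-hop strategy discussed in the thread.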
                        • JKnottJ
                          JKnott @lohphat
                          last edited by

                          @lohphat said in IPv6 working but I have to disable gateway monitoring:

                          @chpalmer What if my ISP decides to change the local DHCP6 pool to 2604:2000:cfc0:17... then the hop is no longer valid

                          Why not use the Google DNS server? That's not likely to change. Also, I doubt they're likely to change the router addresses.

                          • lohphatL
                            lohphat @JKnott
                            last edited by

                            @JKnott As someone who's run IT ops, it's a matter of principle for me. I wouldn't want someone using my resources for unintended purposes. A kludge is a kludge -- the right solution needs priority, so I'll deal with the hand I'm dealt until the DHCP6 code gets a little smarter.

                            • DerelictD
                              Derelict LAYER 8 Netgate @lohphat
                              last edited by

                              @lohphat said in IPv6 working but I have to disable gateway monitoring:

                              @JKnott OK, I'll try that but the original question still stands: why can't the DHCP6 code figure all this out by itself as it can for the DHCP4 WAN interface?
                              I tried forcing the interface and it still doesn't work with the link local address.

                              Is this what is not working for you?

                              Works fine for DHCP6 on Cox.

                              WAN_DHCP6 fe80::d62c:44ff:fe7d:c819 fe80::d62c:44ff:fe7d:c819%igb5 25.051ms 55.226ms 0.0% Online Interface WAN_DHCP6 Gateway

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                              • lohphatL
                                lohphat @Derelict
                                last edited by

                                @Derelict I think it's a CPE issue not Spectrum, but that's just a guess.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.