Netgate Discussion Forum

    IPv6 Sanity Check - delegated prefixes & inbound icmp questions

fabrizior (last edited by fabrizior)

      After much study, stress, trial-and-error, and patience with Xfinity residential internet "technical support" (term used loosely), I have IPv6 working (for the most part) for a couple of subnets. Managed to get a /60 delegated prefix working, though the cablemodem status still shows a completely different delegated prefix!

I'd like to get some feedback on a couple of remaining concerns, please.

First, the aforementioned delegated prefix mismatch between the Xfinity cablemodem (Arris TG1682G / XB3) in bridge mode and pfSense...

The cablemodem shows a delegated prefix of 2601:403:4300:2510::/64 though I've asked for a /60 prefix and logs show I received it - actually two different prefixes (the last one got used); e.g. 2601:403:4380:2260::/60. Why two, and any clue why they're different from what the modem is reporting???

      Time           	Proc	PID  	Message
      Jan 15 15:11:03	dhcp6c	85730	got an expected reply, sleeping.
      Jan 15 15:11:03	dhcp6c	85730	removing an event on em0, state=RENEW
      Jan 15 15:11:03	dhcp6c	85730	script "/var/etc/dhcp6c_wan_script.sh" terminated
      Jan 15 15:11:03	dhcp6c	       dhcp6c renew, no change - bypassing update on em0
      Jan 15 15:11:03	dhcp6c	85730	executes /var/etc/dhcp6c_wan_script.sh
      Jan 15 15:11:03	dhcp6c	85730	update a prefix 2601:403:4380:2260::/60 pltime=345590, vltime=345590
      Jan 15 15:11:03	dhcp6c	85730	update an IA: PD-0
      Jan 15 15:11:03	dhcp6c	85730	nameserver[1] 2001:558:feed::2
      Jan 15 15:11:03	dhcp6c	85730	nameserver[0] 2001:558:feed::1
      Jan 15 15:11:03	dhcp6c	85730	dhcp6c Received INFO
      Jan 15 15:11:03	dhcp6c	85730	get DHCP option DNS, len 32
      Jan 15 15:11:03	dhcp6c	85730	IA_PD prefix: 2601:403:4380:2260::/60 pltime=345590 vltime=345590
      Jan 15 15:11:03	dhcp6c	85730	get DHCP option IA_PD prefix, len 25
      Jan 15 15:11:03	dhcp6c	85730	IA_PD: ID=0, T1=172795, T2=276472
      Jan 15 15:11:03	dhcp6c	85730	get DHCP option IA_PD, len 41
      Jan 15 15:11:03	dhcp6c	85730	DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:ef
      Jan 15 15:11:03	dhcp6c	85730	get DHCP option server ID, len 14
      Jan 15 15:11:03	dhcp6c	85730	DUID: 00:01:00:01:25:xx:xx:xx:xx:xx:xx:xx:xx:ae
      Jan 15 15:11:03	dhcp6c	85730	get DHCP option client ID, len 14
      Jan 15 15:11:03	dhcp6c	85730	receive reply from fe80::201:5cff:fea3:b846%em0 on em0
      Jan 15 15:11:03	dhcp6c	85730	reset a timer on em0, state=RENEW, timeo=1, retrans=20762
      Jan 15 15:11:03	dhcp6c	85730	send renew to ff02::1:2%em0
      Jan 15 15:11:03	dhcp6c	85730	set IA_PD
      Jan 15 15:11:03	dhcp6c	85730	set IA_PD prefix
      Jan 15 15:11:03	dhcp6c	85730	set option request (len 4)
      Jan 15 15:11:03	dhcp6c	85730	set elapsed time (len 2)
      Jan 15 15:11:03	dhcp6c	85730	set server ID (len 14)
      Jan 15 15:11:03	dhcp6c	85730	set client ID (len 14)
      Jan 15 15:11:03	dhcp6c	85730	Sending Renew
      

      Also, the pfSense WAN interface shows an IPv6 address of 2001:558:6007:85:xxxx:xxxx:xxxx:xxxx - clearly not in the delegated prefix network. Why?

      My pfSense LAN interface has: 2601:403:4380:2261:xxxx:xxxx:xxxx:xxxx
      and the OPT1 interface has 2601:403:4380:2262:xxxx:xxxx:xxxx:xxxx
      These are clearly in the delegated range and have the correct assigned prefix ID as the subnet bits.

      Other questions:

      • Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

• For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? Call me old-fashioned... I'd prefer them to be ::1

      (edit: the LAN/OPT1 IPv6 link-local addresses are fe80::1:1 and fe80::2:1 respectively. It seems the other hosts on the networks are using the link-local addresses as their default gateways. I need to do some more reading, evidently.)

• Understanding that the IPv6 firewall rules are hidden and should not be screwed with, what would be preventing inbound ICMP to my IPv6 hosts? Sites like https://ipv6-test.com are indicating everything's fine except ping tests. Well, that and the expected lack of host name resolution, but I've only set that up in unbound, no external DDNS. Internal AAAA and PTR lookup is working fine.

      Process followed to set up IPv6 with /60 prefix (had a /64 previously):

      System > Advanced > Networking
      Allow IPv6: CHECKED

      WAN:

      • Use IPv4 connectivity as parent interface: CHECKED
      • Request only an IPv6 prefix: NOT CHECKED
      • DHCPv6 Prefix Delegation Size: 60
      • Send IPv6 prefix hint: CHECKED
      • Debug: CHECKED
      • Do not wait for an RA: NOT CHECKED
      • Do not allow PD/Address release: NOT CHECKED (temporarily)
      • Block private networks and loopback addresses: CHECKED
      • Block bogon networks: NOT CHECKED

      LAN:

      • IPv6 - Track Interface, Select WAN
      • IPv6 Prefix ID: 1 (e.g. 2601:aaaa:bbbb:ccc1::/64)

      OPT1:

      • IPv6 - Track Interface, Select WAN
      • IPv6 Prefix ID: 2 (e.g. 2601:aaaa:bbbb:ccc2::/64)

      Delete /var/db/dhcp6_duid
      power down modem
      reboot pfSense
      power up modem
      renew WAN lease

      Reconfigure WAN:

      • Do not allow PD/Address release: CHECKED

      Running 2.4.4-RELEASE-p3 (amd64) / FreeBSD 11.2-RELEASE-p10
      on a Protectli FW6C-0 Vault (Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 8GB RAM)
      with pfBlockerNG 2.1.4_20 and Snort 3.2.9.10, among others...

      Thanks,
      Fabrizio

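An added worked example (not part of Fabrizio's post or of pfSense itself) that does the arithmetic behind the questions above: it pulls the IA_PD prefix out of the dhcp6c log lines quoted in the post, derives the /64 that Track Interface hands to LAN (Prefix ID 1) and OPT1 (Prefix ID 2) from a /60, and checks which of the addresses mentioned in the thread actually fall inside the delegation. The host portions of the LAN and WAN addresses are constructed stand-ins for the xxxx'd values in the post; the log excerpt is copied from the post but trimmed to the relevant lines.

```python
import ipaddress
import re

# Constructed excerpt: the IA_PD-related lines copied from the dhcp6c log in the post.
SAMPLE_DHCP6C_LOG = """\
Jan 15 15:11:03\tdhcp6c\t85730\tupdate a prefix 2601:403:4380:2260::/60 pltime=345590, vltime=345590
Jan 15 15:11:03\tdhcp6c\t85730\tupdate an IA: PD-0
Jan 15 15:11:03\tdhcp6c\t85730\tnameserver[1] 2001:558:feed::2
Jan 15 15:11:03\tdhcp6c\t85730\tIA_PD prefix: 2601:403:4380:2260::/60 pltime=345590 vltime=345590
Jan 15 15:11:03\tdhcp6c\t85730\tIA_PD: ID=0, T1=172795, T2=276472
"""

# Matches the line dhcp6c writes when it parses the IA_PD prefix option from the reply.
PREFIX_RE = re.compile(r"IA_PD prefix: (\S+/\d+) pltime=(\d+) vltime=(\d+)")


def delegated_prefixes(log_text):
    """Return (network, pltime, vltime) for every 'IA_PD prefix:' line in the log."""
    found = []
    for line in log_text.splitlines():
        m = PREFIX_RE.search(line)
        if m:
            net = ipaddress.IPv6Network(m.group(1), strict=True)
            found.append((net, int(m.group(2)), int(m.group(3))))
    return found


def track_interface_subnet(delegated, prefix_id, subnet_len=64):
    """Compute the /64 a Track Interface child gets for a given IPv6 Prefix ID.

    The Prefix ID fills the bits between the delegated prefix length and /64,
    so a /60 delegation has 4 subnet bits and allows IDs 0x0 through 0xf.
    """
    bits = subnet_len - delegated.prefixlen
    if bits <= 0:
        raise ValueError("delegated prefix must be shorter than the subnet length")
    if not 0 <= prefix_id < (1 << bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {bits} subnet bits")
    base = int(delegated.network_address)
    return ipaddress.IPv6Network((base | (prefix_id << (128 - subnet_len)), subnet_len))


def audit():
    """Answer the thread's 'is this address inside my delegation?' questions."""
    delegated = delegated_prefixes(SAMPLE_DHCP6C_LOG)[-1][0]  # last prefix logged is the one in use
    modem_reported = ipaddress.IPv6Network("2601:403:4300:2510::/64")  # what the cablemodem UI showed
    wan_addr = ipaddress.IPv6Address("2001:558:6007:85::1")          # constructed stand-in for WAN
    lan_host = ipaddress.IPv6Address("2601:403:4380:2261::1")        # constructed stand-in for LAN
    return {
        "delegated": str(delegated),
        "lan": str(track_interface_subnet(delegated, 1)),
        "opt1": str(track_interface_subnet(delegated, 2)),
        "modem_reported_overlaps": modem_reported.overlaps(delegated),
        "wan_in_pd": wan_addr in delegated,
        "lan_host_in_pd": lan_host in delegated,
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The WAN address on the upstream link comes from the ISP's own link prefix (IA_NA / SLAAC on the WAN), so it is expected not to be inside the delegated /60; only the Track Interface children carve their /64s out of it. The prefix-ID bounds check is worth keeping: with a /60 there are only 16 usable IDs, and an ID of 0x10 or higher silently collides with a neighbour's subnet if it is not rejected.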
junicast

        Hi Fabrizio

The main question is quite hard to answer. Those transfer net configurations differ between providers. There are a couple of different practices. Can you do a traceroute6 from a host in your LAN into the internet? That might shed some light.

        @fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

        Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

This is common practice. Link-local addresses are configured automatically and are also used for router advertisements.

        @fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

        For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? call me old-fashioned... I'd prefer them to be ::1

Don't go with such addresses. A small portion of your privacy / security depends on the so-called privacy extensions, which should be active on your client devices. If you insist on having your preferred IP addresses you might assign them statically or use DHCPv6. DHCPv6 though doesn't work with every client because not every client OS offers a decent DHCPv6 client implementation.

JKnott @fabrizior

          @fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

          Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

          For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? call me old-fashioned... I'd prefer them to be ::1

          Link local addresses are often used for routing. All a router needs to know is how to get to the next hop. A link local address is fine for that. If you're also assigned a WAN address, it will likely not be used for routing.

          With SLAAC, there is one consistent address, based on the MAC, or a random number. You can spoof the MAC to give you what you want. You can also use manual configuration. If you're using DHCPv6 on the LAN, you can create specific mappings to what you want.

pfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

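An added example (not from either reply) that shows what JKnott means by a SLAAC address "based on the MAC" and why junicast's point about privacy extensions matters: it builds the modified EUI-64 interface identifier from a MAC, forms the stable SLAAC address inside a Track Interface /64, and, going the other way, tells whether an observed address is MAC-derived or not. The MAC 00:11:22:33:44:55 is a constructed sample; the gateway address fe80::201:5cff:fea3:b846 is the one quoted in the thread.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be six octets")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe in the middle
    iid[0] ^= 0x02                                         # flip the universal/local bit
    return bytes(iid)


def slaac_address(prefix, mac):
    """The stable (non-privacy) SLAAC address a host with `mac` forms in a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def looks_mac_derived(addr_text):
    """True when the interface identifier carries the EUI-64 ff:fe marker with the U/L bit set.

    Anything else is most likely a privacy-extension (RFC 4941) temporary address,
    a DHCPv6-assigned one, or a manually chosen one such as ::1.
    """
    iid = ipaddress.IPv6Address(addr_text).packed[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)


def mac_from_address(addr_text):
    """Recover the MAC embedded in an EUI-64 address, or None if it is not MAC-derived.

    This is the exposure privacy extensions remove: a stable EUI-64 address reveals
    the hardware address and stays identical across every network the host visits.
    """
    if not looks_mac_derived(addr_text):
        return None
    iid = bytearray(ipaddress.IPv6Address(addr_text).packed[8:])
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


def classify_hosts(addresses):
    """Split a list of observed addresses into MAC-derived and other, for a quick audit."""
    return {
        "mac_derived": [a for a in addresses if looks_mac_derived(a)],
        "other": [a for a in addresses if not looks_mac_derived(a)],
    }


if __name__ == "__main__":
    print(slaac_address("2601:403:4380:2261::/64", "00:11:22:33:44:55"))
    print(mac_from_address("fe80::201:5cff:fea3:b846"))
    print(classify_hosts(["fe80::201:5cff:fea3:b846", "fe80::1:1", "2601:403:4380:2261::1"]))
```

Run against the addresses from this thread, the upstream gateway's link-local address is EUI-64 and therefore reveals the cablemodem's MAC, while pfSense's own fe80::1:1 style addresses and a hand-picked ::1 are not. The same check over a LAN's neighbour table is a cheap way to confirm that client devices really do have privacy extensions on.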
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.