IPv6 Connectivity problem in vm

Bob.Dig

Thanks, but please let us stay on topic, why, now a second, windows machine is loosing its IPv6 connectivity somewhat and how to troubleshoot for that.

Gertjan

@Bob-Dig said in IPv6 Connectivity problem in vm:

let us stay on topic

Exactly. So, start feeding 'us' with some (far !) more info.
Saying : it's doesn't work doesn't allow someone to help you.

I do presume it isn't a VM issue, although, I have no means to exclude it neither.

@Gertjan said in IPv6 Connectivity problem in vm:

The client (?) that looses IPv6 : it's using 'DHCPv6' ? You set up the DHCPv6 server ? How ? "DHCPv6 log" says what ?

Bob.Dig

@Gertjan That vm is using DHCPv6.
Right after a reboot it is looking good like shown in the second picture. That picture is taken from another vm, which also has this problem.

Screenshot_2020-03-11 pfSense localdomain - Services DHCPv6 Server RA PRIVATSWITCH DHCPv6 Server.jpg

Screenshot_2020-03-11 pfSense localdomain - Services DHCPv6 Server RA PRIVATSWITCH Router Advertisements.png

Gertjan

This :

is missing the Prefix. For me, something like ":: to ffff:ffff;ffff;ffff;ffff" isn't normal at all.

How is your LAN interface (yours is called PRIVATESWITCH) set up ?

It should have some 'IPv6' related settings like :

Most often it's set up as a Static IPv6 - or "tracking interface", the others are more rare (?)
Normally, if your ISP assigned you a "fixed" "/64", you put that one on your LAN interface, and the LAN interafce will have abcd.efgh......... ::1 mask /65

Also, you should see in the DHCPv6 server status page that it delivered an IPv6 from the pool.

Like :

Logs : idem : this is a a snippet of one of the leases you can see in the image above :

so I know that 'my' pfSense is actually handing over an Ipv6 friom my pool to one of the LAN devices that was asking for an IPv6.

Bob.Dig

@Gertjan

You can see in the first picture, that it got an IP from DHCPv6

I mean, it is running for a while and than there is no connectivity sais the test-site, although ping6 from pfsense works.

Gertjan

When you select Track Interface, there are IPv6 things to set up :

These :

I guess, because I never sued that facility before - that you should select your WAN type interface.
And a "prefix" that was given to you by the ISP ...
And, I guess.

Bob.Dig

@Gertjan Sure.

Screenshot_2020-03-11 pfSense localdomain - Interfaces PrivatSwitch (hn2).png

Bob.Dig

Problem still persist, help for diagnosing would be much appreciated.

-dualstack WAN, no IPv6 tunnel
-Host Win10 with Hyper-V
-Client (VM): Windows 10 (two different versions tested) have problems
-Client (VM): ubuntu on that same interface has no problem!

Just disabling and then enabling the adapter in Windows makes the ipv6-test-site work again (for some time).

Bob.Dig

Is it normal that the expirations shown under NDP Table are changing all the time? e.g. it shows almost 24 hours and some seconds later it is only 30 seconds. That happens all the time.

Next I will try "Change DHCPv6 display lease time from UTC to local time" in the DHCPv6 Server, maybe Windows wants that...

Gertjan

Why did you decide to use "Interface Tracking" ?
As per ISP information ?

According to https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv6-wan-types.html#track-interface there should be lines in the logs related to this delegation exchange. Are there any logs lines ? Logs lines are the principal source of information when debugging - and you have none ??

You have a dual WAN (also a very error prone thing) : you're tracking the right WAN interface ?
And what about System > Routing > Gateways : is the right gateway selected ?

edit : NDP uses ICMP6 for discovering "who lives on a network segment" and is somewhat comparable with the ARP protocol used by IPv4. It's build into the IPv6 kernel and driver stack part, and doesn't need any user configuration. ( although : block ICMP6 on your LAN type interface and you'll "break" IPv6 )
See https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol

Bob.Dig

@Gertjan I don't have dual wan and track interface is the default in pfSense. What is wrong with that?

"Change DHCPv6 display lease time from UTC to local time" didn't help.

Bob.Dig

@Gertjan I appreciate your help but you have a total different setup with that he-tunnel and probably not having dualstack on your wan.

Bob.Dig

When I do a "route print" in the windows vm, there is a difference between full connectivity and problematic connectivity. The following (first) line is missing after some time.

IPv6 Route Table
Active Routes:
If Metric Network Destination Gateway
9 271 ::/0 fe80::215:5dff:fe01:7507

This is the PrivatSwitch Interface.

Bob.Dig

I found this in the logs:
route 0::/0 lifetime (60) conflicts with AdvDefaultLifetime (0), default routes will flap!

So I guess it is a problem with radvd. Ubuntu has no problem with that but windows does. I remember when I was adding the second LAN-Interface called Privat Switch, it was missing the defaults at least under Router Advertisements completely. I also switched the interfaces once, which one should get IPv6 and which one not. So something is broken there.

Is there a way in pfSense to bring the defaults to that setting?

JKnott

@Bob-Dig said in IPv6 Connectivity problem in vm:

So I guess it is a problem with radvd. Ubuntu has no problem with that but windows does.

I have 2 computers with Windows 10 in VirtualBox on Linux. Neither have a problem with radvd. You can run Wireshark in Windows and watch for ICMP6 to see what's happening.

Bob.Dig

@JKnott Thanks. But I guess you don't have those problems under
Status - System Logs - SystemRouting like I have, log was flooded with:

route 0::/0 lifetime (60) conflicts with AdvDefaultLifetime (0), default routes will flap!

So after I changed the Router lifetime to 1000s in ServicesDHCPv6 Server & RA PRIVATSWITCHRouter Advertisements
Later I get those log entries flooding:

Mar 13 08:58:28 	radvd 	81932 	version 2.18 started
Mar 13 08:58:29 	radvd 	82558 	attempting to reread config file
Mar 13 08:58:29 	radvd 	82558 	resuming normal operation
Mar 13 08:58:31 	radvd 	82558 	attempting to reread config file
Mar 13 08:58:31 	radvd 	82558 	resuming normal operation
Mar 13 08:58:45 	radvd 	82558 	attempting to reread config file
Mar 13 08:58:45 	radvd 	82558 	resuming normal operation

Also I am using the 2.5.0-DEVELOPMENT Branch

So is it possible to reset the DHCPv6 Server & RA, because there seems to be the problem.

Gertjan

Dono if this is related : https://redmine.pfsense.org/projects/pfsense/issues?per_page=100&query_id=104, look for the 'radv' occurrences on the list.

@JKnott : you're using 2.5.0 - and if so, what version ?

Bob.Dig

@Gertjan 2.5.0 get updates three times a day and I am remembering the problem with no defaults for the DHCPv6 Server & RA was only when I was adding the second LAN-Interface later on. So probably no one noticed it.

If I can't reset it, I will have to go back to 2.4.* and do everything manually.

Gertjan

There is no reset button.

But what you can do, is saving your config, and then reset to default the entire setup.
When done, take a look at the config xml file, look for 'radv', and compare and copy if needed that part into your config.xml.

This a a part of the config, related to 'radv' :

You'll find two blocks of these, as you have two LAN type interfaces.

When you edited (if needed), you import back in your config file.

Bob.Dig

What I finally did was deleting the interface and then creating it new. This time there seems to be no problem.

Thanks everybody.

I have to read more log files to get a sense, when there is something not ok.

Also I crafted some new IPv6 addresses in the DHCPv6 Server, like this one:
::192:168:2:37