IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
Hello pfSense Community,
Thought I would check if anyone else has seen this before... my scenario/setup is as follows.
IPv4/IPv6 running both stacks, using DHCP and DHCPv6 on pfSense, with a separate pihole docker on my unRAID server running DNS serving both IPv4/IPv6.
I also run standard DNS on my pfsense for localhost and as a backup, but prefer the pihole management interface over DNSBL... not discounting all of the AMAZING work that has been put in to pfblockerNG, I run that for IPv4/IPv6 block lists, just not DNSBL anymore.
Anyway - everything works just fine and there are zero issues currently, I've had an amazing overall experience with pfsense and the many features.
The question: my NDP Table (IPv6 entries) is insane. I have hundreds and hundreds of entries for just one host... my Apple TV, but 1-2 entries (normal) for everything else. The Apple TV is performing DNS queries and such from each of the addresses (as I'm showing 300+ hosts in pihole... when I've got about 30 devices on my home network).
Apple TV's are a known pain in the butt when they go to sleep... they wreak havoc on my Meraki switches by transitioning to 100Mbps from 1Gbps and show CRC errors like there is a bad cable (this is a known issue and will likely never be fixed by Apple).
Thought I would check if anyone else has experienced this... I believe it's using SLAAC to get it's tons and tons of addresses as my DHCPv6 leases are minimal (I have both DHCPv6 and RA running).
Other than this (likely an Apple issue and mostly cosmetic) - everything is great.
Thanks for the support!
Best Regards,
dg6464
-
This is perfect example of when you just disable IPv6 for this network..
What resource is your appleTV accessing that would require IPv6? None - so if you don't like nonsense what its doing, just disable it..
Unless you want to dig into their code, and figure out why it's doing what its doing, you say its working and this is just cosmetic - so you either live with it... Or just turn it off, its not a required protocol to do anything.. Many ISPs don't even support IPv6..
If you want to play with it, sure - just put your appletv on a different network where IPv6 is not enabled so you don't have to deal with its nonsense..
I don't have IPv6 enabled on any of my iot networks. I have it specifically enabled on the networks that I want to play with it on.. My iot devices or roku's, etc.. have zero use or need for IPv6 - so it just not enabled on those networks. Most of these iot devices can barely do ipv4 correctly, you think they are going to get ipv6 right ;) heheh
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
@johnpoz you are correct - it’s largely cosmetic and not cause for alarm... just seemed like a weird behaviour that I thought I would share with the pfSense community as a potentially interested party and investigate if warranted (even if it’s just a verification the issue is with Apple and me going to them to open up a TVOS bug).
I’m not sure recommending IPv6 be turned off because of a client device bug is the way to go about this though (my traffic is about 50% IPv6 now), or swapping to its own network necessarily...
I believe we should probably all do our part to help move the internet towards IPv6 as the amount of people interested in putting in effort to use it is still somewhat minimal (ie: more people trying to use it and ISP’s natively enabling it... the more developers get feedback to help solve bugs and weird scenarios like this, even if it’s not a bug with pfSense and ends up being a bug request with Apple).
If we believe it’s 100% the Apple TV Device causing the issue and not some odd SLAAC response from pfSense causing it to give a brand new IPv6 due to an IPv6 extension that only Apple uses or something... I’m cool opening up a bug with Apple.
But I am open to verify the above... I’m just not experienced in where to look as to why the Apple TV is asking for so many brand new IP’s and not happy with the first one it gets.
But yeah, I get it... it may not be worth the time of the pfSense team replying and investigating... especially when IoT devices can barely get IPv4 right :). So I appreciate the feedback.
Thanks for your reply!
Best Regards,
dg6464
-
For what it’s worth... I was surprised in the amount of IPv6 traffic I had once I started running dual stack and started tracking DNS requests, without really trying to use IPv6, lol.
50% of my DNS requests AND traffic is now IPv6 and all major services seem to have opened the floodgates (Netflix, Facebook, Instagram, Xbox Live, iCloud... most popular websites).
I started noticing honestly when I realized my DNS blocklists weren’t properly implemented for on the IPv6 side... I was able to hit websites no problem for machines using a dual stack.
Anyway, let me know if we should just close the thread and I’ll open a case with Apple to let them know. Not really sure how to investigate what it’s actually doing by myself.
Best Regards,
dg6464
-
@johnpoz said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
This is perfect example of when you just disable IPv6 for this network..
My choice would be to get rid of the Apple crap. I'm allergic to the stuff. Disabling IPv6 is short sighted, as the world has to move to IPv6, to get rid of that NAT nonsense.
Take the complaint to Apple and let them fix it. They're the ones who caused the problem.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
I’m not sure recommending IPv6 be turned off because of a client device bug is the way to go about this though (my traffic is about 50% IPv6 now), or swapping to its own network necessarily...
Is it possible to turn off IPv6 on that one device. As you say, it shouldn't be necessary to disable IPv6 on your network, due to Apple's incompetence.
-
Here's a possible work around. Put a cheap IPv4 only router between that Apple TV and your network or put the TV on it's own subnet, that has only IPv4 enabled.
-
@JKnott said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
Disabling IPv6 is short sighted,
Sort sighted for something that is not going to be mainstream for 20 years is not what I would call short sighted.. We all know your the IPv6 fanboy.. But dude - its NOT mainstream yet, and has ZERO actual anything that requires it.. ZERO!!! No matter how much you want it to be..
Name one mainstream anything that requires I have an IPv6 address.. Just 1...
JFC not even amazon supports it yet ;) Like the largest shopping site on the planet, and you can not not even get to it via IPv6..
Telling users to get different hardware because it doesn't play nice with something that has zero mainstream use, make no sense at all..
If it works for them and they have no issues with it, then sure leave it on... But when they have problems with it, or it generates any sort of headache or pita whatever... Then the "simple" solution is to just turn it OFF!! Be it there is something that they actually need it for - then they can turn it back on.. But that is years!!! down the road..
Put a cheap IPv4 only router between that Apple TV
So your suggestion is for him to complicate his setup, vs just click turn it off at pfsense? WTF dude - really!!
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
Short sighted in ignoring something that's essentially for moving the Internet forward. There are many people who cannot get public IPs, because their ISP forces them to use carrier grade NAT. For example, I have a VPN. How would I manage that behind NAT? As for usage, Google shows around 30% and the rate climbing. As it is, there are not enough IPv4 addresses to go around just for mobile devices, let alone everything else.
As for that other router, I suggested it only because of the problem caused by Apple crap. It is Apple and Apple alone that should be fixing this.
It is head in the sand types, who think using NAT and other hacks to get around the IPv4 address shortage is a good idea, that are holding back IPv6. The first problem I recall with NAT was active mode FTP wouldn't work and this was at a time when most FTP clients didn't support passive mode. So, this was over 20 years ago, when NAT was already breaking things. (Back then, I could use FTP between my home computer and work computer, at IBM, as there was no NAT at either end.) Now, with VoIP and some games, we need STUN servers. It also breaks IPSec AH and even causes problems with ESP, such that it is necessary to encapsulate it in UDP, just to get through NAT. Continuing to use IPv4 means hacks on hacks, when the proper solution is to move to IPv6. Then not only will the address problem go away, there will be performance and security benefits too.
Incidentally, I have been running IPv6 for about 10 years. I have yet to see a problem caused by it. On the other hand I have seen some caused by trying to get around the IPv4 address shortage.
-
@JKnott Unfortunately there is no way to specifically turn off IPv6 on an Apple TV... same with an iPhone, they just natively support it as part of their stack.
Which, as much as people don't like Apple... I completely agree that the transition to IPv6 should be seamless and the approach should be exactly that, just hide and obfuscate any complexities and it should "just work". Leave complexities to us geeks in the background to work out.
For the purposes of the thread here, I don't necessarily want to get into the IPv6 debate - I agree a full migration is definitely a long way out... but also agree that we should definitely be part of the driving force to move as many folks as possible towards it (at least that are capable to move there), as NAT and such is really just a workaround for improper connectivity and lack of addresses to give out.
But at the same time, we need to let client OS developers (iOS, Android, Windows, Linux, etc) know when they do something that might not necessarily be wrong according to standards... but could and will be a complete PITA to manage and administer from an IT standpoint in the long-term.
Thanks for the banter folks - I'll see what the process is to open up a bug/ticket with Apple. As I don't think their intention for an Apple TV is for a single one to show up as a hot mess of hundreds of IPv6 addresses utilized for no real purpose.
Best Regards,
dg6464
-
Odd I have 2 Apple TVs and don't have hundreds of entries for a single MAC address.
I have DHCPv6 static mapings for the devices.
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
Take the complaint to Apple and let them fix it. They're the ones who caused the problem.
I'd suggest the issue lies elsewhere see my previous post.
-
Perhaps @dg6464's TV is defective. I have never heard of any device doing that on IPv4 or IPv6. According to his description, each of the NDP entries is for a different IP address, but same MAC. There should only be a few but certainly not hundreds.
Perhaps he could run Packet Capture, foltering on the TV's MAC address and ICMP6, to see what's happening.
-
Apple TV's are a known pain in the butt when they go to sleep... they wreak havoc on my Meraki switches by transitioning to 100Mbps from 1Gbps and show CRC errors like there is a bad cable (this is a known issue and will likely never be fixed by Apple).
No CRC errors on the LAN port it's connected to here either, sure you don't have a cable issue ?
Andy
1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
-
What speed does yours come up at? Autonegotiation should cause it do come up at the best possible.
Certainly a different cable should be tried. A flaky (pardon the tech jargon
) cable can cause the devices to think they can run at Gb, but the cable only permits 100 Mb. -
1 Gig, I think the previous versions ran 10/100 ports.
-
@NogBadTheBad this is an Apple TV issue only when it goes to sleep... this is an Apple TV 4K, but I believe it's the same for all Apple TV's.
On my Meraki switch, it re-negotiates to 10/100 down from it'a usual 1Gbps... then shows CRC errors for the time it's asleep.
Otherwise - I do a speedtest and get 1Gbps down.. have tested cables and such. I've got 3 Cat6 drops in that room to my basement switch... definitely not a cable.
I'll try and find the article where someone else stated this is a common Apple TV "sleep" problem and is the same with multiple vendors switches.
Best Regards,
dg6464
-
@JKnott so I just did a packet capture (albeit too big, it's like 107MB for just 30 seconds or so as I turned it on, booted up Netflix and Plex).
However... before doing so I cleared the NDP entires for the Apple TV.
They haven't come back.
So maybe while I was doing some IPv6 Testing or implementing IPv6 DNS on my pihole, it somehow generated a ton of these entries and they just stayed?
Not sure - but I will monitor moving forward.
-
@NogBadTheBad this might be a way of getting around it... if I just assign a static DHCPv6 for the MAC address. I'll give it a try if the NDP table issue keeps happening.
This will also be a simple way for me to keep the hostnames in check and make it easier to know what is what.
Did you find that the Apple TV's actually received a DHCPv6 address when you configured it?
Where did you configure those static DHCPv6 addresses? When I go to configure one it asks for a DUID and has no specific spot for the MAC Address?
Thanks!
Best Regards,
dg6464
-
What makes you think my ATV doesn’t go to sleep?
Have you got a spare lan port on your router to try and connect it to directly dos a test.
I originally let my ATV get a random IPv6 address then fixed it using the DUID address in the status - dhcpv6 leases page.
