IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)

IsaacFL

@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

@JKnott do you think it's worth running RA in "Managed" mode then, to force DHCPv6? Not sure if I am in a world of hurt for all of the IP's that have been assigned using SLAAC / RA already though (likely my pihole DNS servers IP, unRAID's IPv6 IP and such). Not sure if I turn off Assisted mode and move to Managed if the existing used IP's will show up as leases.

Honestly if most things are compatible with DHCPv6 now and don't require SLAAC / RA's and autoconfigure... i'd almost rather manage the DHCPv6 leases just like I manage the DHCP IPv4 leases today... one by one from the pool as a round-robin and configuring reservations when it makes sense.

I find that "unmanaged" SLAAC mode works the best with most devices like these media devices and IOT type devices. DHCPv6 implementation on some of these types of devices are hit or miss, but SLAAC always seems to work.

The support for SLAAC in the RFCs are mandatory for hosts, whereas DHCPv6 host support is "optional".

IsaacFL

@JKnott said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

@johnpoz said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

This is perfect example of when you just disable IPv6 for this network..

My choice would be to get rid of the Apple crap. I'm allergic to the stuff. Disabling IPv6 is short sighted, as the world has to move to IPv6, to get rid of that NAT nonsense.

Take the complaint to Apple and let them fix it. They're the ones who caused the problem.

Apple works perfectly fine with ipv6, actually, one of the best. I think the issue here is the network itself is misconfigured..

NogBadTheBad

Personally I think the issue lies with the Meraki switch, I can't understand why the speed changes to 100 Mbps when the ATV sleeps, my screenshots occured what the ATV was asleep.

I have 1 ATV connected to ethernet & 1 connected via Wi-Fi both don't have the issue you're seeing.

I'm using switches from the Linksys Business range.

Do you have a spare port on the router that you could set up as a new test lan and connect the ATV directly to it?

dg6464

@NogBadTheBad Thanks for the insight - I've also got the same setup... my one Apple-TV 4K, connected via LAN and the other Apple TV connected via WiFi.

The issue (as per the Meraki thread) seems to persist beyond just Meraki switches when the Apple TV sleeps... and is only an issue for wired clients.

You may be correct, however in that the Apple TV could be giving the issue because it's wired specifically, so likely it would fix the issue to just move totally to wireless, but what is the fun in that? :).

I've attached some screenshots of the NDP table as of this morning... the ATV4 is gradually grabbing more IPv6 IP's via RA / SLAAC it seems.

I can run some experiments and see if the other ATV does the same on wireless, as well as wired if need be, I can capture packets from both the pfSense box, as well as all packets on the switch ports (there's a make .pcap function on the switch... so I assume I'd also see the L2 switch negotiation messages if I get the .pcap from the switch.

There IS a DHCP lease that contains the ATV4's MAC address in it (as part of the DUID), but doesn't actually specifically show that as the MAC Address as an entry in the DHCPv6 lease table (screenshot attached). When I try to create a reservation for that DUID it gives me an error as well, not sure why... seems my DUID formatting is wrong (but it came directly from clicking the "+" and trying to add via the pfSense formatting and reserve function itself).

NogBadTheBad

Are you trying to allocate a fixed IP that's been handed out via DHCPv6 and is in the available range, you need to hand out an IP from outside the range.

I set my range to 2a02:xxxx:xxxx:4::64 - 2a02:xxxx:xxxx:4::fe and allocate 2a02:xxxx:xxxx:4::ABCD where ABCD = the last octet of my IPv4 address converted to hex.

andy@mac-pro ~ % host livingroom-atv
livingroom-atv has address 172.16.4.12
livingroom-atv has IPv6 address 2a02:xxxx:xxxx:4:c
andy@mac-pro ~ %

FYI the last few digits of the DUID contain the device MAC address.

BTW Those are different IPv6 addresses from your DHCPv6 scope that are being handed out to the same MAC address.

Think you need to do an extended packet capture on the router itself and try and figure out why the router is handing out multiple IPv6 addresses to the same MAC when it should reuse the same address thats being handed out.

https://docs.netgate.com/pfsense/en/latest/book/services/ipv6-dhcp-server-and-router-advertisements.html

Here is how my IOT subnet is setup for DHCPv6

JKnott

@NogBadTheBad said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

Are you trying to allocate a fixed IP that's been handed out via DHCPv6 and is in the available range

Does pfSense allow that with IPv6? It certainly doesn't with IPv4.

NogBadTheBad

@JKnott said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

@NogBadTheBad said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

Are you trying to allocate a fixed IP that's been handed out via DHCPv6 and is in the available range

Does pfSense allow that with IPv6? It certainly doesn't with IPv4.

That's why I mentioned it, I don't think it does. it doesn't.

Also the setting on his DHCPv6 server doesn't look correct.

dg6464

@NogBadTheBad Thanks for the quick response... it may be worth diving into my overall IPv6 configuration, then... as I think it might require some tweaking.

My ISP gives me a /64 to use for my LAN from what I can tell... so that means (since I believe /64 is the minimum recommended LAN segment to use) that I only get one segment to use for IPv6?

That segment is automatically used for SLAAC since I believe clients use the local address of the RA router in addition to their DUID to make their own addresses (the IPv6 address assigned to the LAN interface by default).

That segment is ALSO used as my range for my DHCPv6 server.

I assume what you have is a /60 or something and you are able to use separate non-overlapping /64's for the different spots... one /64 on you main LAN, one for your IOT (which is used for SLAAC on both)... one /64 for your DHCPv6 subnets on each LAN as well?

Screenshots of my configuration and IP's provided.

It's likely I've got something mixed up... as my ranges are much simpler (since I only have the one block to use, I omitted the beginning of the addresses since it's assumed by the LAN interfaces leased info, I thought.

dg6464

@NogBadTheBad You are correct, this is a misconfiguration... as for some reason I thought it was supported on IPv4 and that's what I was doing. I was incorrect.

I use 192.168.1.0 /24 as my LAN subnet and thought I had set the DHCP Pool for the whole thing, but I did not it's only 192.168.1.130 - 254.

But I am not sure there is a way to do this in IPv6 anyway with a /64 is there?

Best Regards,

dg6464

NogBadTheBad

@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

@NogBadTheBad Thanks for the quick response... it may be worth diving into my overall IPv6 configuration, then... as I think it might require some tweaking.

My ISP gives me a /64 to use for my LAN from what I can tell... so that means (since I believe /64 is the minimum recommended LAN segment to use) that I only get one segment to use for IPv6?

That segment is automatically used for SLAAC since I believe clients use the local address of the RA router in addition to their DUID to make their own addresses (the IPv6 address assigned to the LAN interface by default).

That segment is ALSO used as my range for my DHCPv6 server.

I assume what you have is a /60 or something and you are able to use separate non-overlapping /64's for the different spots... one /64 on you main LAN, one for your IOT (which is used for SLAAC on both)... one /64 for your DHCPv6 subnets on each LAN as well?

Yes /64 is really the minimum for an IPv6 LAN segment.

RIPE recommend everyone gets a /48:-
https://www.ripe.net/publications/docs/ripe-690

I've been allocated a /48 that I split on a /64 boundary, my ISP routes the /48 to my WAN interface.

I'd be tempted to change your settings so they look like mine, I don't have track interface set on my interfaces I have 2a02:xxxx:xxxx:1::1, 2a02:xxxx:xxxx:2::1, etc ... set as a static.

dg6464

@NogBadTheBad I was just using the suggested pfSense settings from my ISP, Rogers:

https://communityforums.rogers.com/t5/Internet/Rogers-IPv6-Status/td-p/146117/page/33

Rogers IPv6 Settings for pFSense firewall

In WAN Interface menu:

Use IPv4 connectivity as parent interface: yes
Request only a IPv6 prefix: no
DHCPv6 Prefix Delegation Size: 64
Send IPv6 prefix hint: yes

In LAN Interface menu:

IPv6 Configuration Type: track interface
IPv6 Interface: WAN
IPv6 Prefix ID: 0
In Advanced Settings / Network menu:

Allow IPv6: enabled

Thoughts? Is this Rogers just issuing a /64? Does that mean I just have to stick with SLAAC on the only /64 subnet given (I assume the IP information based on the address my LAN interface gets) and no DHCPv6?

Thanks!

Best Regards,

dg6464

NogBadTheBad

@dg6464 funny enough @JKnott is mentioned on the link you posted.

JKnott

@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

DHCPv6 Prefix Delegation Size: 64

If you're on Rogers, then you can use /56. That info in the link was posted when Rogers only offered a /64. The info was updated in a later post.

Also, select Do not allow PD/Address release. Otherwise, it won't take much for your prefix to change. I found all it took was to disconnect/reconnect the WAN cable.

JKnott

@NogBadTheBad said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

RIPE recommend everyone gets a /48

Many people are still stuck in the IPv4 address shortage mindset and can't comprehend how many IPv6 addresses there are. There are enough /48s to give every single person on earth over 4000 of them and that's with only 1/8th of the IPv6 addresss space allocated to global unique addresses. I have a /56, which seems adequate for now.

dg6464

@JKnott Thanks for that - I changed to /56 on Prefix Delegation and rebooted the pfSense and my Rogers modem.

On the LAN side, it appears I now have 0 - FF as an option for IPv6 Prefix ID for the LAN interface (I assume this means it worked switching to /56 on WAN).

On the WAN side, I get a /128 for the interface from a totally different subnet:

WAN Interface:

IPv6 Address: 2607:f798:xxxx:xxxx:xxxx:69e5:2207:a96d
Subnet mask IPv6: 128

LAN Interface:

IPv6 Address: 2607:fea8:xxxx:xxxx:xxxx:31ff:fe0a:7e00
Subnet mask IPv6: 64

I assume the /128 on the WAN is because I request an IP Address for it as well in the configuration and not just prefix delegations? (ie: I have the following option unselected on the WAN page):

"Request only an IPv6 prefixOnly request an IPv6 prefix, do not request an IPv6 address".

Do you have any particular suggestion for the best way to find the actual /56 prefix assigned to me and calculating the various /64's and subnet boundaries so that I can use the next /64 subnet (prefix 01) for the DHCPv6 Server and a second /64 (prefix 02) for the static DHCPv6 Reservations I would like to make?

Is it easiest to just going to a subnet calculator online or something and put in the IPv6 LAN IP assigned from Prefix 0 automatically and using /56 or something?

There doesn't seem to be an easy way in the pfSense GUI to figure out the actual assigned prefix(s) that I can use.

Thanks!

Best Regards,

dg6464

JKnott

@dg6464

The /128 is entirely normal. It's just an address attached to the WAN interface, but it's not used for routing. With IPv6, link local addresses are often use for routing. As for which prefix you use, that's entirely up to you though, typically, the main LAN is 0. Since a /56 provides 256 /64s, I set up something similar on IPv4. My main LAN is 172.16.0.0 /24 and IPv6 prefix is 0. My VPN is prefix ff and IPv4 subnet is 172.16.255.0. Again though, it's entirely your choice. There's really no need for a subnet calculator, as there is only 1 size of subnet. The actual assigned prefix is done with IPv6 Prefix ID, on each LAN interface, including VLANs. You can choose any value between 0 - ff, though each value can only be used once.

BTW, on IPv6, subnets are referred to as prefixes.

dg6464

@JKnott Thanks! The thing I notice though... is in DHCPv6 configuration doesn't seem to auto-fill the "subnet" spot like @NogBadTheBad ...

Any particular reason this would be?

It even shows this way when I enable the server.

I was looking at using the following:

/64 Subnet 1 (LAN Interface, for SLAAC and such):

2607:fea8:xxxx:xxx0:0:0:0:0 - 2607:fea8:xxxx:xxx0:ffff:ffff:ffff:ffff

/64 Subnet 2 (DHCPv6 Interface):

2607:fea8:xxxx:xxx1:0:0:0:0 - 2607:fea8:xxxx:xxx1:ffff:ffff:ffff:ffff

/64 Subnet 3 (DHCPv6 Static Reservations):

2607:fea8:xxxx:xxx2:0:0:0:0 - 2607:fea8:xxxx:xxx2:ffff:ffff:ffff:ffff

Let me know if you think that looks adequate, or if I have something totally wrong in my head (ie: I am not sure if I need to define a new interface for each IPv6 prefix I defined above, or if they will all work under LAN).

Thanks!

Best Regards,

dg6464

JKnott

@dg6464

The prefix is provided automagically by the router advertisements. That seems OK, though why are you choosing prefixes according to DHCPv6 etc.? I have never used DHCPv6, just SLAAC.

dg6464

@JKnott Thanks!

The goal of using DHCPv6 is to experiment with the original issue at hand for this post... the Apple TV taking tons and tons of addresses via SLAAC. It was one of the suggestions from @NogBadTheBad to try and tweak these settings as he uses a statically assigned IP for his Apple TV and it works fine. I was just having trouble assigning one based on the DUID because the DHCPv6 pool I was using overlapped with the the static assignment I was trying to make. So now hopefully that will be resolved now that I have some more /64's assigned.

First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.

Secondarily... I have a local pihole DNS server that has an IPv6 address that all other IPv6 clients on the LAN use for both IPv4 and IPv6 DNS resolution. Ideally.. I would assume that should be a static IPv6 address (like it is for IPv4), which I assume I need to do via DHCPv6 reservation so that it never changes? Unless there is a way to do that via SLAAC?

JKnott

@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):

First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.

What you may want to try is create an address based on the link local. Remove the fe80:: prefix and replace it with the prefix for that LAN.