IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
@JKnott Thanks for that - I changed to /56 on Prefix Delegation and rebooted the pfSense and my Rogers modem.
On the LAN side, it appears I now have 0 - FF as an option for IPv6 Prefix ID for the LAN interface (I assume this means it worked switching to /56 on WAN).
On the WAN side, I get a /128 for the interface from a totally different subnet:
WAN Interface:
IPv6 Address: 2607:f798:xxxx:xxxx:xxxx:69e5:2207:a96d
Subnet mask IPv6: 128
LAN Interface:
IPv6 Address: 2607:fea8:xxxx:xxxx:xxxx:31ff:fe0a:7e00
Subnet mask IPv6: 64
I assume the /128 on the WAN is because I request an IP Address for it as well in the configuration and not just prefix delegations? (ie: I have the following option unselected on the WAN page):
"Request only an IPv6 prefix" (Only request an IPv6 prefix, do not request an IPv6 address).
Do you have any particular suggestion for the best way to find the actual /56 prefix assigned to me and calculating the various /64's and subnet boundaries so that I can use the next /64 subnet (prefix 01) for the DHCPv6 Server and a second /64 (prefix 02) for the static DHCPv6 Reservations I would like to make?
Is it easiest to just go to a subnet calculator online or something and put in the IPv6 LAN IP assigned from Prefix 0 automatically and use /56 or something?
There doesn't seem to be an easy way in the pfSense GUI to figure out the actual assigned prefix(s) that I can use.
Thanks!
Best Regards,
dg6464
-
The /128 is entirely normal. It's just an address attached to the WAN interface, but it's not used for routing. With IPv6, link local addresses are often used for routing. As for which prefix you use, that's entirely up to you though, typically, the main LAN is 0. Since a /56 provides 256 /64s, I set up something similar on IPv4. My main LAN is 172.16.0.0 /24 and IPv6 prefix is 0. My VPN is prefix ff and IPv4 subnet is 172.16.255.0. Again though, it's entirely your choice. There's really no need for a subnet calculator, as there is only 1 size of subnet. The actual assigned prefix is done with IPv6 Prefix ID, on each LAN interface, including VLANs. You can choose any value between 0 - ff, though each value can only be used once.
BTW, on IPv6, subnets are referred to as prefixes.
-
@JKnott Thanks! The thing I notice though... is that the DHCPv6 configuration doesn't seem to auto-fill the "subnet" spot like @NogBadTheBad's ...
Any particular reason this would be?
It even shows this way when I enable the server.
I was looking at using the following:
/64 Subnet 1 (LAN Interface, for SLAAC and such):
2607:fea8:xxxx:xxx0:0:0:0:0 - 2607:fea8:xxxx:xxx0:ffff:ffff:ffff:ffff
/64 Subnet 2 (DHCPv6 Interface):
2607:fea8:xxxx:xxx1:0:0:0:0 - 2607:fea8:xxxx:xxx1:ffff:ffff:ffff:ffff
/64 Subnet 3 (DHCPv6 Static Reservations):
2607:fea8:xxxx:xxx2:0:0:0:0 - 2607:fea8:xxxx:xxx2:ffff:ffff:ffff:ffff
Let me know if you think that looks adequate, or if I have something totally wrong in my head (ie: I am not sure if I need to define a new interface for each IPv6 prefix I defined above, or if they will all work under LAN).
Thanks!
Best Regards,
dg6464
-
The prefix is provided automagically by the router advertisements. That seems OK, though why are you choosing prefixes according to DHCPv6 etc.? I have never used DHCPv6, just SLAAC.
-
@JKnott Thanks!
The goal of using DHCPv6 is to experiment with the original issue at hand for this post... the Apple TV taking tons and tons of addresses via SLAAC. It was one of the suggestions from @NogBadTheBad to try and tweak these settings as he uses a statically assigned IP for his Apple TV and it works fine. I was just having trouble assigning one based on the DUID because the DHCPv6 pool I was using overlapped with the static assignment I was trying to make. So hopefully that will be resolved now that I have some more /64's assigned.
First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.
Secondarily... I have a local pihole DNS server that has an IPv6 address that all other IPv6 clients on the LAN use for both IPv4 and IPv6 DNS resolution. Ideally... I would assume that should be a static IPv6 address (like it is for IPv4), which I assume I need to do via DHCPv6 reservation so that it never changes? Unless there is a way to do that via SLAAC?
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.
What you may want to try is create an address based on the link local. Remove the fe80:: prefix and replace it with the prefix for that LAN.
-
@JKnott do you mean to create a DHCPv6 reservation for the link local address and DUID? I did some packet captures while it was sleeping... I don't really see anything out of the ordinary from my knowledge, but who knows.
When I look at both Apple TV's, they are constantly flapping from 1Gbps to 100Mbps when they are sleeping, which causes RSTP to move the port from "Disabled->Designated" and "Designated->Disabled". Both have the exact same behaviour:
The ATV 4K has much higher CRC Alignment Errors and Fragments (only while sleeping and negotiated to 100Mbps).
The standard ATV has fewer CRC errors, no fragments, but does the same STP flapping.
Cable tests performed on both cables, all pairs just fine.
The ATV 4K seems to be the only one filling up the NDP Table gradually (I woke up to 40+ entries again, which end up showing in my pihole as tons and tons of clients when I only have 40 on the LAN), the regular ATV seems to be just fine, staying with 2 entries:
So I am going to chalk it up to a weird wired underlying chipset or driver issue in the ATV4 for the tons and tons of IPv6 addresses and expected sleep behaviour for both.
Next troubleshooting steps will be trying to put some switches in front of both before the Meraki switch (I've got an unmanaged D-Link, as well as a Managed Cisco SMB switch lying around)... just to see if they also flap the port from STP/RSTP messages with the ATV's when they go into sleep mode, and I'll monitor that as well as changes to the NDP Table for IPv6.
Secondarily once done... I'll run in full wireless mode on both to see if it makes a difference. That takes the cables, chipset and drivers off of the table and would leave us with just software on the Apple side if the issue still persists.
Sorry it took me a bit to respond... I totally effed up my unRAID IPv6 configuration as part of this.
I moved it to a static DHCPv6 reservation, but then it somehow made it lose the logical br0 interface, which forced pihole to stop working. I had to completely rebuild my docker.img file and the entire docker network stack and re-import all of the docker containers from a backup, to find that IPv6 was no longer working just inside docker. From there, it took a bunch of troubleshooting to figure out that for some reason... at some point I'd set a fully static IPv6 address on the main unRAID interface using a /128 mask.
This persisted once I went back to DHCP (keeping the /128 mask).
So the fix (finally, apologies), was to set back to static, specify a /64 mask... then I was able to keep it static, or use DHCPv6 again and use a /64 prefix.
Something about the main unRAID interface having a /128 mask wouldn't allow the logical br0 interface to be used for IPv6 underneath.
Anyway - problem solved, but what a PITA kind of day. Now back to looking into this one... will post my findings, but I think as discussed at the start... this thread can be considered a non-issue from a pfSense perspective and really only folks interested in the findings (and future Google Searchers with the same issue) will find it potentially useful.
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
@JKnott do you mean to create a DHCPv6 reservation for the link local address and DUID?
When you mentioned "static", I assumed you meant a manual config, if the TV supported it, though you could certainly make a static map of the address. However, I was suggesting that if you did, you might want to make the address have the same suffix as the link local address. With SLAAC and MAC based addresses, that happens automagically. However, that's only cosmetic. It wouldn't make any technical difference.
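Two points in this thread lend themselves to a worked example: JKnott's earlier note that a /56 delegation holds 256 /64s selected by the per-interface IPv6 Prefix ID (0 - ff), and the suggestion just above to give a host a global address whose suffix matches its link-local address. The code below is an added illustration, not code from this thread or from pfSense; it assumes a constructed /56 from the 2001:db8::/32 documentation range and a made-up link-local address, and reproduces the arithmetic rather than any pfSense internals.

```python
import ipaddress

# Constructed sample values (documentation prefix, not a real delegation).
DELEGATED_PD = "2001:db8:abcd:ff00::/56"
SAMPLE_LINK_LOCAL = "fe80::a8bb:ccff:fedd:eeff%igb1"  # zone id as shown by the OS


def lan_prefix(delegated: str, prefix_id: int) -> ipaddress.IPv6Network:
    """Return the /64 that a given Prefix ID selects inside a delegated prefix.

    For a /56 the Prefix ID occupies bits 56..63, i.e. the low byte of the
    fourth hextet, so id 0x01 turns ...:ff00::/64 into ...:ff01::/64.
    """
    pd = ipaddress.IPv6Network(delegated, strict=True)
    if pd.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter to carve /64s")
    id_bits = 64 - pd.prefixlen
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix id must be 0..{(1 << id_bits) - 1:x} for a /{pd.prefixlen}")
    # Prefix ID sits directly above the 64-bit interface identifier.
    network = int(pd.network_address) | (prefix_id << 64)
    return ipaddress.IPv6Network((network, 64))


def global_from_link_local(link_local: str, lan: ipaddress.IPv6Network) -> ipaddress.IPv6Address:
    """Replace fe80::/64 with the LAN /64, keeping the 64-bit interface identifier.

    This is what SLAAC does for EUI-64 addresses; here it is done by hand so a
    static DHCPv6 mapping can reuse the same suffix (cosmetic, as noted above).
    """
    ll = ipaddress.IPv6Address(link_local.split("%", 1)[0])  # strip zone id
    if not ll.is_link_local:
        raise ValueError("address is not link-local")
    if lan.prefixlen != 64:
        raise ValueError("LAN prefix must be a /64")
    iid = int(ll) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(lan.network_address) | iid)


if __name__ == "__main__":
    for pid in (0x00, 0x01, 0x02, 0xFF):
        print(f"Prefix ID {pid:02x} -> {lan_prefix(DELEGATED_PD, pid)}")
    lan1 = lan_prefix(DELEGATED_PD, 0x01)
    print(f"{SAMPLE_LINK_LOCAL} on {lan1} -> {global_from_link_local(SAMPLE_LINK_LOCAL, lan1)}")
```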
-
Tried forcing the LAN ports that the ATV connects to to 1000 Mbps ?
-
Forcing it at one end only is a bad idea. Either do both ends or leave it auto-negotiate.
-
Yup I concur thinking about it, there's no way to do the ATV end.
-
@JKnott is correct @NogBadTheBad ... the Apple TV’s don’t have the ability to force a specific speed/duplex.
I forced to 1Gbps at one end (switch) and the ATV’s both disconnected and wouldn’t reconnect.
Will continue some testing today with going pure wireless, as well as an unmanaged switch in between and report back.
Best Regards,
dg6464
-
Think I've found the culprit, Energy Efficient Ethernet:
https://community.meraki.com/t5/Switching/Port-Speed-Changing/td-p/1913
-
@NogBadTheBad yes, this is correct. It’s also noted in the Meraki case that I sent near the start of the thread:
https://community.meraki.com/t5/Switching/AppleTV-4K-Ethernet-Madness/td-p/41254
He did quite a bit of troubleshooting already and has the case in with Meraki, who is also talking to Apple apparently.
The latest update was January 2020... so hopefully we will see a fix at some point in the next few Apple TV TVOS releases and potentially Meraki switch OS’s as well (although the issue seems to be persistent in Meraki, Cisco and Ubiquiti switches... so I doubt all vendors have done it wrong, it likely lies specifically with Apple).
Since the issue seems to persist in some Apple TV 4K’s and not others... I’d assume it has to do with the included wired chipset and associated driver.
Best Regards,
dg6464
-
So quick question @JKnott ... I ran into a major IPv6 issue last night to the point where it totally dickered my entire LAN and all IPv6 services and some IPv4 services as well because docker images stopped functioning that serve both... I’ll keep it in this thread as I was still trying to troubleshoot things for this NDP Table/Apple TV issue.
Situation: Rogers gave me a new IPv6 prefix when I rebooted.
What happened: even though I have the option in interfaces configured to “not change my prefix” (I can't remember the setting) all WAN/LAN interface IP’s and the entire LAN subnet prefix totally changed.
This caused some docker containers (ie: pihole and DNScrypt) to stop working, because the static assignment for the main unRAID interface was now wrong.
I believe this is because the definitions I used on the interfaces were static and tied to the global IPv6 prefix lease.
Should I be setting these to automatic opposed to static?
And subsequently for LAN services like DNS... set the actual DNS server IP’s (in my DHCP / DHCPv6/RA pools) as the link-local fe80: IP’s?
Reason being... literally everything I configured for DNS needed to change when the IPv6 prefix changed. It legit broke everything. My pihole and DNScrypt dockers, in fact wouldn’t boot anymore because the IPv6 global address assigned to the main unRAID interface was no longer valid; so of course same goes for the IPv6 IP’s set on docker containers and in DHCPv6/RA leases.
Thoughts?
I’ve totally disabled IPv6 at this point out of frustration... as it happened at like 11pm last night :(.
Thanks!
Best Regards,
dg6464
-
I have no experience with Docker, so I can't answer any questions about it. However, my prefix stopped changing when I made that setting. Did you do anything else that might have caused it to change?
-
@JKnott only a reboot, unfortunately. That’s all I did, was reboot pfSense.
With IPv6 disabled, the option isn’t there.
Can you remind me by chance of what the option is and if you’ve got it checked or not checked?
Do you have any other services on your LAN (DNS, NTP, or anything) that serve using IPv6 addresses? If so do you use link local or their global address to advertise via DHCPv6/RA?
Thanks!
Best Regards,
dg6464
-
The option is "Do not allow PD/Address release" and prevents the prefix from changing. Rebooting without that setting will cause a prefix change. It has no effect on IPv4.
Yes, my entire network runs IPv6, so pfSense provides NTP & DNS. Link local addresses are used for a lot of things, including router & neighbour advertisements. Unlike IPv4, IPv6 can't function without link local addresses. They're even often used for routing.
BTW, you normally don't have to reboot pfSense, other than when updating the system.
-
@JKnott thanks.
So you’ve got that box checked?
Also... for DNS/NTP... in your RA settings, do you use your LAN’s link-local IP as the DNS server? Or the global?
Or you just don’t put an entry in for DNS Server and pfSense automatically uses a chosen address (I assume it’s LAN link-local)?
Thanks again!
Best Regards,
dg6464
-
Yes, I have it checked. That's why I said to use it, as I have been through the changing prefixes. When I started using pfSense, that option wasn't available and my prefix changed several times.
As for the DNS, I let the RAs use the default DNS address which, in my case, is a Unique Local Address. Since DNS addresses must be routable, link local cannot be used for the DNS server.