IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
@JKnott Thanks! The thing I notice though... is the DHCPv6 configuration doesn't seem to auto-fill the "subnet" spot like @NogBadTheBad ...
Any particular reason this would be?
It even shows this way when I enable the server.
I was looking at using the following:
/64 Subnet 1 (LAN Interface, for SLAAC and such):
2607:fea8:xxxx:xxx0:0:0:0:0 - 2607:fea8:xxxx:xxx0:ffff:ffff:ffff:ffff
/64 Subnet 2 (DHCPv6 Interface):
2607:fea8:xxxx:xxx1:0:0:0:0 - 2607:fea8:xxxx:xxx1:ffff:ffff:ffff:ffff
/64 Subnet 3 (DHCPv6 Static Reservations):
2607:fea8:xxxx:xxx2:0:0:0:0 - 2607:fea8:xxxx:xxx2:ffff:ffff:ffff:ffff
Let me know if you think that looks adequate, or if I have something totally wrong in my head (i.e. I am not sure if I need to define a new interface for each IPv6 prefix I defined above, or if they will all work under LAN).
Thanks!
Best Regards,
dg6464
-
The prefix is provided automagically by the router advertisements. That seems OK, though why are you choosing prefixes according to DHCPv6 etc.? I have never used DHCPv6, just SLAAC.
-
@JKnott Thanks!
The goal of using DHCPv6 is to experiment with the original issue at hand for this post... the Apple TV taking tons and tons of addresses via SLAAC. It was one of the suggestions from @NogBadTheBad to try and tweak these settings, as he uses a statically assigned IP for his Apple TV and it works fine. I was just having trouble assigning one based on the DUID because the DHCPv6 pool I was using overlapped with the static assignment I was trying to make. So hopefully that will be resolved now that I have some more /64s assigned.
First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.
Secondarily... I have a local pihole DNS server that has an IPv6 address that all other IPv6 clients on the LAN use for both IPv4 and IPv6 DNS resolution. Ideally.. I would assume that should be a static IPv6 address (like it is for IPv4), which I assume I need to do via DHCPv6 reservation so that it never changes? Unless there is a way to do that via SLAAC?
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.
What you may want to try is create an address based on the link local. Remove the fe80:: prefix and replace it with the prefix for that LAN.
-
@JKnott do you mean to create a DHCPv6 reservation for the link local address and DUID? I did some packet captures while it was sleeping... I don't really see anything out of the ordinary from my knowledge, but who knows.
When I look at both Apple TVs, they are constantly flapping from 1Gbps to 100Mbps when they are sleeping, which causes RSTP to move the port from "Disabled->Designated" and "Designated->Disabled". Both have the exact same behaviour:
The ATV 4K has much higher CRC Alignment Errors and Fragments (only while sleeping and negotiated to 100Mbps).
The standard ATV has fewer CRC errors, no fragments, but does the same STP flapping.
Cable tests performed on both cables, all pairs just fine.
The ATV 4K seems to be the only one filling up the NDP Table gradually (I woke up to 40+ entries again, which end up showing in my pihole as tons and tons of clients when I only have 40 on the LAN), the regular ATV seems to be just fine, staying with 2 entries:
So I am going to chalk it up to a weird wired underlying chipset or driver issue in the ATV4 for the tons and tons of IPv6 addresses and expected sleep behaviour for both.
Next troubleshooting steps will be trying to put some switches in front of both before the Meraki switch (I've got an unmanaged D-Link, as well as a Managed Cisco SMB switch lying around)... just to see if they also flap the port from STP/RSTP messages with the ATV's when they go into sleep mode, and I'll monitor that as well as changes to the NDP Table for IPv6.
Secondarily once done... I'll run in full wireless mode on both to see if it makes a difference. That takes the cables, chipset and drivers off of the table and would leave us with just software on the Apple side if the issue still persists.
Sorry it took me a bit to respond... I totally effed up my unRAID IPv6 configuration as part of this.
I moved it to a static DHCPv6 reservation, but then it somehow made it lose the logical br0 interface, which forced pihole to stop working. I had to completely rebuild my docker.img file and the entire docker network stack and re-import all of the docker containers from a backup, to find that IPv6 was no longer working just inside docker. From there, it took a bunch of troubleshooting to figure out that for some reason... at some point I'd set a fully static IPv6 address on the main unRAID interface using a /128 mask.
This persisted once I went back to DHCP (keeping the /128 mask). So the fix (finally, apologies) was to set back to static, specify a /64 mask... then I was able to keep it static, or use DHCPv6 again and use a /64 prefix.
Something about the main unRAID interface having a /128 mask wouldn't allow the logical br0 interface to be used for IPv6 underneath.
Anyway - problem solved, but what a PITA kind of day. Now back to looking into this one... will post my findings, but I think as discussed at the start... this thread can be considered a non-issue from a pfSense perspective and really only folks interested in the findings (and future Google Searchers with the same issue) will find it potentially useful.
Best Regards,
dg6464
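As an added example that is not part of the thread, this Python snippet shows the check being done by eye above: parse a neighbour table, group the global/ULA addresses by link-layer (MAC) address, and flag any MAC that holds more than a handful of them. The sample table is constructed, its column layout is modelled on FreeBSD's `ndp -an` as used on pfSense, and the MACs use the documentation OUI 00:00:5e:00:53.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the column layout of `ndp -an` on FreeBSD/pfSense
# (Neighbor, Linklayer Address, Netif, Expire, S, Flags). Not captured from the thread.
SAMPLE_NDP = """\
Neighbor                                Linklayer Address  Netif Expire    S Flags
fe80::1%igb1                            00:00:5e:00:53:01  igb1  permanent R
2001:db8:0:1::53                        00:00:5e:00:53:02  igb1  23h59m58s S R
fe80::200:5eff:fe00:5302%igb1           00:00:5e:00:53:02  igb1  23h59m58s S R
2001:db8:0:1:8c1:4a9f:1b2e:77a0         00:00:5e:00:53:aa  igb1  9s        D
2001:db8:0:1:4d11:9e03:c2ab:58f2        00:00:5e:00:53:aa  igb1  22s       D
2001:db8:0:1:93f7:0e4d:4c99:1a6b        00:00:5e:00:53:aa  igb1  31s       D
fe80::1a2b:3cff:fe4d:5e6f%igb1          00:00:5e:00:53:aa  igb1  23h59m58s S R
2001:db8:0:1:dead:beef:cafe:f00d        (incomplete)       igb1  expired   N
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def addresses_per_mac(ndp_output: str) -> dict[str, list[ipaddress.IPv6Address]]:
    """Map each link-layer address to the non-link-local neighbours resolving to it.
    Link-local entries are skipped: every host legitimately has one per interface."""
    by_mac = defaultdict(list)
    for line in ndp_output.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 3 or not MAC_RE.match(fields[1]):
            continue                                # "(incomplete)" / unresolved entry
        addr = ipaddress.IPv6Address(fields[0].split("%", 1)[0])  # drop %netif scope
        if addr.is_link_local:
            continue
        by_mac[fields[1].lower()].append(addr)
    return dict(by_mac)


def noisy_macs(ndp_output: str, threshold: int = 2) -> dict[str, int]:
    """Return {mac: count} for MACs holding more than `threshold` global/ULA addresses.
    A stable address plus one temporary (privacy) address is the usual count, so
    anything beyond that is the pattern this thread describes."""
    return {mac: len(addrs) for mac, addrs in addresses_per_mac(ndp_output).items()
            if len(addrs) > threshold}
```

On a live box the same functions can be fed the output of `ndp -an` via `subprocess`; a MAC climbing past the threshold over successive runs is the "gradually filling" behaviour described above.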
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
@JKnott do you mean to create a DHCPv6 reservation for the link local address and DUID?
When you mentioned "static", I assumed you meant a manual config, if the TV supported it, though you could certainly make a static map of the address. However, I was suggesting that if you did, you might want to make the address have the same suffix as the link local address. With SLAAC and MAC based addresses, that happens automagically. However, that's only cosmetic. It wouldn't make any technical difference.
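The suffix-matching idea above, worked through as an added example (not code from the thread): derive the modified EUI-64 interface identifier from a MAC the way MAC-based SLAAC does, build the fe80::/64 link-local from it, then swap the fe80::/64 prefix for the LAN's /64 to get the global address a static map could use. The MAC and the 2001:db8:0:1::/64 prefix are placeholders.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (64 bits) from a 48-bit MAC address,
    the scheme SLAAC uses when addresses are MAC based (RFC 4291, appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Insert ff:fe between the OUI and the device part, then flip the
    # universal/local bit (0x02) of the first octet.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address((0xfe80 << 112) | eui64_interface_id(mac))


def global_from_link_local(link_local: str, prefix: str) -> ipaddress.IPv6Address:
    """Keep the 64-bit suffix of a link-local address and replace the fe80::/64
    prefix with the LAN's /64 prefix, as suggested in the post above."""
    ll = ipaddress.IPv6Address(link_local)
    net = ipaddress.IPv6Network(prefix, strict=False)
    if not ll.is_link_local:
        raise ValueError(f"{link_local} is not a link-local address")
    if net.prefixlen != 64:
        raise ValueError("LAN prefix must be a /64 for a 64-bit interface identifier")
    suffix = int(ll) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | suffix)


if __name__ == "__main__":
    # Placeholder MAC and documentation prefix, not values from the thread.
    ll = link_local_from_mac("00:11:22:33:44:55")
    print(ll, "->", global_from_link_local(str(ll), "2001:db8:0:1::/64"))
```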
-
Tried forcing the LAN ports that the ATV connects to to 1000 Mbps?
-
Forcing it at one end only is a bad idea. Either do both ends or leave it auto-negotiate.
-
Yup, I concur; thinking about it, there's no way to do the ATV end.
-
@JKnott is correct @NogBadTheBad ... the Apple TVs don’t have the ability to force a specific speed/duplex.
I forced to 1Gbps at one end (switch) and the ATVs both disconnected and wouldn’t reconnect.
Will continue some testing today with going pure wireless, as well as an unmanaged switch in between and report back.
Best Regards,
dg6464
-
Think I've found the culprit, Energy Efficient Ethernet:
https://community.meraki.com/t5/Switching/Port-Speed-Changing/td-p/1913
-
@NogBadTheBad yes, this is correct. It’s also noted in the Meraki case that I sent near the start of the thread:
https://community.meraki.com/t5/Switching/AppleTV-4K-Ethernet-Madness/td-p/41254
He did quite a bit of troubleshooting already and has the case in with Meraki, who is also talking to Apple apparently.
The latest update was January 2020... so hopefully we will see a fix at some point in the next few Apple TV tvOS releases and potentially Meraki switch OSes as well (although the issue seems to be persistent in Meraki, Cisco and Ubiquiti switches... so I doubt all vendors have done it wrong, it likely lies specifically with Apple).
Since the issue seems to persist in some Apple TV 4Ks and not others... I’d assume it has to do with the included wired chipset and associated driver.
Best Regards,
dg6464
-
So quick question @JKnott ... I ran into a major IPv6 issue last night to the point where it totally dickered my entire LAN and all IPv6 services and some IPv4 services as well because docker images stopped functioning that serve both... I’ll keep it in this thread as I was still trying to troubleshoot things for this NDP Table/Apple TV issue.
Situation: Rogers gave me a new IPv6 prefix when I rebooted.
What happened: even though I have the option in interfaces configured to “not change my prefix” (I can't remember the setting) all WAN/LAN interface IPs and the entire LAN subnet prefix totally changed.
This caused some docker containers (ie: pihole and DNScrypt) to stop working, because the static assignment for the main unRAID interface was now wrong.
I believe this is because the definitions I used on the interfaces were static and tied to the global IPv6 prefix lease.
Should I be setting these to automatic opposed to static?
And subsequently for LAN services like DNS... set the actual DNS server IPs (in my DHCP / DHCPv6/RA pools) as the link-local fe80: IPs? Reason being... literally everything I configured for DNS needed to change when the IPv6 prefix changed. It legit broke everything. My pihole and DNScrypt dockers, in fact, wouldn’t boot anymore because the IPv6 global address assigned to the main unRAID interface was no longer valid; so of course the same goes for the IPv6 IPs set on docker containers and in DHCPv6/RA leases.
Thoughts?
I’ve totally disabled IPv6 at this point out of frustration... as it happened at like 11pm last night :(.
Thanks!
Best Regards,
dg6464
-
I have no experience with Docker, so I can't answer any questions about it. However, my prefix stopped changing when I made that setting. Did you do anything else that might have caused it to change?
-
@JKnott only a reboot, unfortunately. That’s all I did, was reboot pfSense.
With IPv6 disabled, the option isn’t there.
Can you remind me by chance of what the option is and if you’ve got it checked or not checked?
Do you have any other services on your LAN (DNS, NTP, or anything) that serve using IPv6 addresses? If so do you use link local or their global address to advertise via DHCPv6/RA?
Thanks!
Best Regards,
dg6464
-
The option is "Do not allow PD/Address release" and prevents the prefix from changing. Rebooting without that setting will cause a prefix change. It has no effect on IPv4.
Yes, my entire network runs IPv6, so pfSense provides NTP & DNS. Link local addresses are used for a lot of things, including router & neighbour advertisements. Unlike IPv4, IPv6 can't function without link local addresses. They're even often used for routing.
BTW, you normally don't have to reboot pfSense, other than when updating the system.
-
@JKnott thanks.
So you’ve got that box checked?
Also... for DNS/NTP... in your RA settings, do you use your LAN’s link-local IP as the DNS server? Or the global?
Or you just don’t put an entry in for DNS Server and pfSense automatically uses a chosen address (I assume it’s LAN link-local)?
Thanks again!
Best Regards,
dg6464
-
Yes, I have it checked. That's why I said to use it, as I have been through the changing prefixes. When I started using pfSense, that option wasn't available and my prefix changed several times.
As for the DNS, I let the RAs use the default DNS address which, in my case, is a Unique Local Address. Since DNS addresses must be routable, link local cannot be used for the DNS server.
-
Thanks @JKnott
So I did a quick test. Re-enabled IPv6... tried some stuff with ULAs.
Just can't get it to work right.
Also, I have the following checked:
"Do not allow PD/Address release:
dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent"
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
First LAN Prefix 0: 260xx:fexx:7b2x:fe00:xxxx:xxxx:xxxx:xxxx
Second LAN Prefix 0: 26xx:fexx:7b2x:5c00:xxxx:xxxx:xxxx:xxxx
Two digits changed.
So I can't do Global Addresses (which I had working with unRAID, Docker, Pihole and DNSCrypt... until they changed the prefix and it nuked everything). It's possible, I guess, to forgo using Rogers Native IPv6 and get a tunnel and lease from Hurricane or something that will stick...
And I can't seem to get ULAs to work appropriately either... it's an easy pfSense configuration, but there aren't proper parameters to pass in the docker side of things to ensure both addresses hit the docker container properly.
I also wasn't able to get the pfSense ULA virtual IP on the LAN to ping or be pinged (I set fd00::1 /64, as well as I tried /128). I was able to get ULA addresses on all of my regular non-docker devices and was able to ping between them... but was not able to ping the virtual ULA, or any of the docker machines if I was able to get them to grab an address.
So not sure what to do on that.
The NDP entries for the Apple TV only persist on wired, when I have IPv6 enabled, but I am not too worried about that now to be honest... since the only thing it affected was pihole seeing 400+ "clients" on the LAN, which is moot now that I can't use pihole for IPv6.
Might just be worth leaving pihole on IPv4 DNS stuff and using DNSBL for IPv6 DNS and loading the same lists.
Any guidance would be appreciated - if you feel a different post is warranted, I can do that too, or just give up until there's better IPv6 support out there in general.
Thanks!
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
It doesn't for me.
Also, ULA works fine for me. I'm not sure what your issue is, but I'm beginning to wonder if you're poking around somewhere that's causing the problems. Sometimes the solution is to start from scratch and then start adding stuff and see when it fails.
Rogers is one company I have direct experience with (including working on their network). Other than a problem they had last year, my IPv6 service has been solid for over 4 years.
ULA can be tricky in that when you create it on the Router Advertisements page, you also have to manually set the global address prefix, as that's no longer done automagically. This means, should your prefix from Rogers change, then you have to change the prefix on that page.
BTW, you shouldn't have to keep rebooting pfSense. That's a bad habit from the Windows world. Normally, the only time mine reboots is when it updates to a new version.