IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
@JKnott Thanks!
The goal of using DHCPv6 is to experiment with the original issue at hand for this post... the Apple TV taking tons and tons of addresses via SLAAC. It was one of the suggestions from @NogBadTheBad to try and tweak these settings as he uses a statically assigned IP for his Apple TV and it works fine. I was just having trouble assigning one based on the DUID because the DHCPv6 pool I was using overlapped with the static assignment I was trying to make. So now hopefully that will be resolved now that I have some more /64's assigned.
First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.
Secondarily... I have a local pihole DNS server that has an IPv6 address that all other IPv6 clients on the LAN use for both IPv4 and IPv6 DNS resolution. Ideally... I would assume that should be a static IPv6 address (like it is for IPv4), which I assume I need to do via DHCPv6 reservation so that it never changes? Unless there is a way to do that via SLAAC?
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
First thing I want to try is to statically assign the DUID an IPv6 address and see if it still keeps taking tons of SLAAC addresses.
What you may want to try is create an address based on the link local. Remove the fe80:: prefix and replace it with the prefix for that LAN.
-
@JKnott do you mean to create a DHCPv6 reservation for the link local address and DUID? I did some packet captures while it was sleeping... I don't really see anything out of the ordinary from my knowledge, but who knows.
When I look at both Apple TV's, they are constantly flapping from 1Gbps to 100Mbps when they are sleeping, which causes RSTP to move the port from "Disabled->Designated" and "Designated->Disabled". Both have the exact same behaviour:
The ATV 4K has much higher CRC Alignment Errors and Fragments (only while sleeping and negotiated to 100Mbps).
The standard ATV has less CRC errors, no fragments, but does the same STP flapping.
Cable tests performed on both cables, all pairs just fine.
The ATV 4K seems to be the only one filling up the NDP Table gradually (I woke up to 40+ entries again, which end up showing in my pihole as tons and tons of clients when I only have 40 on the LAN), the regular ATV seems to be just fine, staying with 2 entries:
So I am going to chalk it up to a weird wired underlying chipset or driver issue in the ATV4 for the tons and tons of IPv6 addresses and expected sleep behaviour for both.
Next troubleshooting steps will be trying to put some switches in front of both before the Meraki switch (I've got an unmanaged D-Link, as well as a Managed Cisco SMB switch lying around)... just to see if they also flap the port from STP/RSTP messages with the ATV's when they go into sleep mode, and I'll monitor that as well as changes to the NDP Table for IPv6.
Secondarily once done... I'll run in full wireless mode on both to see if it makes a difference. That takes the cables, chipset and drivers off of the table and would leave us with just software on the Apple side if the issue still persists.
Sorry it took me a bit to respond... I totally effed up my unRAID IPv6 configuration as part of this.
I moved it to a static DHCPv6 reservation, but then it somehow made it lose the logical br0 interface, which forced pihole to stop working. I had to completely rebuild my docker.img file and the entire docker network stack and re-import all of the docker containers from a backup, to find that IPv6 was no longer working just inside docker. From there, it took a bunch of troubleshooting to figure out that for some reason... at some point I'd set a fully static IPv6 address on the main unRAID interface using a /128 mask.
This persisted once I went back to DHCP (keeping the /128 mask). So the fix (finally, apologies), was to set back to static, specify a /64 mask... then I was able to keep it static, or use DHCPv6 again and use a /64 prefix.
Something about the main unRAID interface having a /128 mask wouldn't allow the logical br0 interface to be used for IPv6 underneath.
Anyway - problem solved, but what a PITA kind of day. Now back to looking into this one... will post my findings, but I think as discussed at the start... this thread can be considered a non-issue from a pfSense perspective and really only folks interested in the findings (and future Google Searchers with the same issue) will find it potentially useful.
Best Regards,
dg6464
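One way to watch for the behaviour described above (a single MAC gradually accumulating global addresses in the NDP table) is to count entries per MAC from `ndp -an` output. This is an added example, not code from the thread or from pfSense; the MACs, addresses and table lines are constructed samples in the FreeBSD column layout.

```python
# Added example: flag MACs that hold many global IPv6 addresses in the
# FreeBSD/pfSense `ndp -an` table. Sample lines below are constructed;
# columns are: Neighbor, Linklayer Address, Netif, Expire, S, Flags.
import ipaddress
from collections import defaultdict

SAMPLE_NDP = """\
Neighbor                           Linklayer Address  Netif Expire    S Flags
fe80::1%igb1                       00:11:22:33:44:55  igb1  permanent R
2001:db8:1:1::1                    00:11:22:33:44:55  igb1  permanent R
fe80::a8bb:ccff:fedd:ee01%igb1     aa:bb:cc:dd:ee:01  igb1  23h59m58s S R
2001:db8:1:1:a8bb:ccff:fedd:ee01   aa:bb:cc:dd:ee:01  igb1  23h59m58s S R
2001:db8:1:1:1c2a:9b0f:77e1:a31    aa:bb:cc:dd:ee:01  igb1  22h10m01s S
2001:db8:1:1:4e7d:2b:91aa:5c9e     aa:bb:cc:dd:ee:01  igb1  21h30m12s S
2001:db8:1:1:8a1f:6d3c:b44:ef20    aa:bb:cc:dd:ee:01  igb1  20h05m40s S
fe80::a8bb:ccff:fedd:ee02%igb1     aa:bb:cc:dd:ee:02  igb1  23h59m50s S R
2001:db8:1:1:a8bb:ccff:fedd:ee02   aa:bb:cc:dd:ee:02  igb1  23h59m50s S R
"""

def parse_ndp(text):
    """Yield (mac, IPv6Address) pairs from `ndp -an` output, skipping the header."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Neighbor":
            continue
        addr = ipaddress.IPv6Address(parts[0].split("%")[0])  # drop %scope id
        yield parts[1].lower(), addr

def addresses_per_mac(text):
    """Map each MAC to the set of global (non-link-local) addresses it holds."""
    table = defaultdict(set)
    for mac, addr in parse_ndp(text):
        if not addr.is_link_local:
            table[mac].add(addr)
    return table

def noisy_macs(text, threshold=3):
    """Return (mac, count) for MACs above `threshold` global addresses, worst first."""
    table = addresses_per_mac(text)
    hits = [(mac, len(a)) for mac, a in table.items() if len(a) > threshold]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for mac, n in noisy_macs(SAMPLE_NDP):
        print(f"{mac} holds {n} global addresses")
```

A normal SLAAC host shows one EUI-64 address plus a handful of temporary ones; a MAC with dozens or hundreds is the pattern this thread describes.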
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
@JKnott do you mean to create a DHCPv6 reservation for the link local address and DUID?
When you mentioned "static", I assumed you meant a manual config, if the TV supported it, though you could certainly make a static map of the address. However, I was suggesting that if you did, you might want to make the address have the same suffix as the link local address. With SLAAC and MAC based addresses, that happens automagically. However, that's only cosmetic. It wouldn't make any technical difference.
-
Tried forcing the LAN ports that the ATV connects to to 1000 Mbps?
-
Forcing it at one end only is a bad idea. Either do both ends or leave it auto-negotiate.
-
Yup I concur thinking about it, there's no way to do the ATV end.
-
@JKnott is correct @NogBadTheBad ... the Apple TVs don’t have the ability to force a specific speed/duplex.
I forced to 1Gbps at one end (switch) and the ATVs both disconnected and wouldn’t reconnect.
Will continue some testing today with going pure wireless, as well as an unmanaged switch in between and report back.
Best Regards,
dg6464
-
Think I've found the culprit, Energy Efficient Ethernet:
https://community.meraki.com/t5/Switching/Port-Speed-Changing/td-p/1913
-
@NogBadTheBad yes, this is correct. It’s also noted in the Meraki case that I sent near the start of the thread:
https://community.meraki.com/t5/Switching/AppleTV-4K-Ethernet-Madness/td-p/41254
He did quite a bit of troubleshooting already and has the case in with Meraki, who is also talking to Apple apparently.
The latest update was January 2020... so hopefully we will see a fix at some point in the next few Apple TV tvOS releases and potentially Meraki switch OS’s as well (although the issue seems to be persistent in Meraki, Cisco and Ubiquiti switches... so I doubt all vendors have done it wrong, it likely lies specifically with Apple).
Since the issue seems to persist in some Apple TV 4K’s and not others... I’d assume it has to do with the included wired chipset and associated driver.
Best Regards,
dg6464
-
So quick question @JKnott ... I ran into a major IPv6 issue last night to the point where it totally dickered my entire LAN and all IPv6 services and some IPv4 services as well because docker images stopped functioning that serve both... I’ll keep it in this thread as I was still trying to troubleshoot things for this NDP Table/Apple TV issue.
Situation: Rogers gave me a new IPv6 prefix when I rebooted.
What happened: even though I have the option in interfaces configured to “not change my prefix” (I can't remember the setting) all WAN/LAN interface IP’s and the entire LAN subnet prefix totally changed.
This caused some docker containers (ie: pihole and DNScrypt) to stop working, because the static assignment for the main unRAID interface was now wrong.
I believe this is because the definitions I used on the interfaces were static and tied to the global IPv6 prefix lease.
Should I be setting these to automatic opposed to static?
And subsequently for LAN services like DNS... set the actual DNS server IP’s (in my DHCP / DHCPv6/RA pools) as the link-local fe80: IP’s? Reason being... literally everything I configured for DNS needed to change when the IPv6 prefix changed. It legit broke everything. My pihole and DNScrypt dockers, in fact wouldn’t boot anymore because the IPv6 global address assigned to the main unRAID interface was no longer valid; so of course same goes for the IPv6 IP’s set on docker containers and in DHCPv6/RA leases.
Thoughts?
I’ve totally disabled IPv6 at this point out of frustration... as it happened at like 11pm last night :(.
Thanks!
Best Regards,
dg6464
-
I have no experience with Docker, so I can't answer any questions about it. However, my prefix stopped changing when I made that setting. Did you do anything else that might have caused it to change?
-
@JKnott only a reboot, unfortunately. That’s all I did, was reboot pfSense.
With IPv6 disabled, the option isn’t there.
Can you remind me by chance of what the option is and if you’ve got it checked or not checked?
Do you have any other services on your LAN (DNS, NTP, or anything) that serve using IPv6 addresses? If so do you use link local or their global address to advertise via DHCPv6/RA?
Thanks!
Best Regards,
dg6464
-
The option is "Do not allow PD/Address release" and prevents the prefix from changing. Rebooting without that setting will cause a prefix change. It has no effect on IPv4.
Yes, my entire network runs IPv6, so pfSense provides NTP & DNS. Link local addresses are used for a lot of things, including router & neighbour advertisements. Unlike IPv4, IPv6 can't function without link local addresses. They're even often used for routing.
BTW, you normally don't have to reboot pfSense, other than when updating the system.
-
@JKnott thanks.
So you’ve got that box checked?
Also... for DNS/NTP... in your RA settings, do you use your LAN’s link-local IP as the DNS server? Or the global?
Or you just don’t put an entry in for DNS Server and pfSense automatically uses a chosen address (I assume it’s LAN link-local)?
Thanks again!
Best Regards,
dg6464
-
Yes, I have it checked. That's why I said to use it, as I have been through the changing prefixes. When I started using pfSense, that option wasn't available and my prefix changed several times.
As for the DNS, I let the RAs use the default DNS address which, in my case, is a Unique Local Address. Since DNS addresses must be routable, link local cannot be used for the DNS server.
-
Thanks @JKnott
So I did a quick test. Re-enabled IPv6... tried some stuff with ULA's.
Just can't get it to work right.
Also, I have the following checked:
"Do not allow PD/Address release: dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent"
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
First LAN Prefix 0: 260xx:fexx:7b2x:fe00:xxxx:xxxx:xxxx:xxxx
Second LAN Prefix 0: 26xx:fexx:7b2x:5c00:xxxx:xxxx:xxxx:xxxx
Two digits changed.
So I can't do Global Addresses (which I had working with unRAID, Docker, Pihole and DNSCrypt... until they changed the prefix and it nuked everything). It's possible, I guess to forgo using Rogers Native IPv6 and get a tunnel and lease from Hurricane or something that will stick...
And I can't seem to get ULA's to work appropriately either... it's an easy pfSense configuration, but there aren't proper parameters to pass in the docker side of things to ensure both addresses hit the docker container properly.
I also wasn't able to get the pfSense ULA virtual IP on the LAN to ping or be pinged (I set fd00::1 /64, as well as I tried /128). I was able to get ULA addresses on all of my regular non-docker devices and was able to ping between them... but was not able to ping the virtual ULA, or any of the docker machines if I was able to get them to grab an address.
So not sure what to do on that.
The NDP entries for the Apple TV only persist on wired, when I have IPv6 enabled, but I am not too worried about that now to be honest... since the only thing it affected was pihole seeing 400+ "clients" on the LAN, which is moot now that I can't use pihole for IPv6.
Might just be worth leaving pihole on IPv4 DNS stuff and using DNSBL for IPv6 DNS and loading the same lists.
Any guidance would be appreciated - if you feel a different post is warranted, I can do that too, or just give up until there's better IPv6 support out there in general.
Thanks!
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
It doesn't for me.
Also, ULA works fine for me. I'm not sure what your issue is, but I'm beginning to wonder if you're poking around somewhere that's causing the problems. Sometimes the solution is to start from scratch and then start adding stuff and see when it fails.
Rogers is one company I have direct experience with (including working on their network). Other than a problem they had last year, my IPv6 service has been solid for over 4 years.
ULA can be tricky in that when you create it on the Router Advertisements page, you also have to manually set the global address prefix, as that's no longer done automagically. This means, should your prefix from Rogers change, then you have to change the prefix on that page.
BTW, you shouldn't have to keep rebooting pfSense. That's a bad habit from the Windows world. Normally, the only time mine reboots is when it updates to a new version.
-
@JKnott I got it all working the last couple of weeks... the major thing was I didn't have the firewall LAN to ANY rule set up for the virtual IP Alias / assigned subnet that was set up for the ULA's.
The troubleshooting issue I ran in to was I could ping the VIP before setting up the ULA pool on the RA (ie: I could ping the VIP because my Mac was using a global address, which is allowed to ping anything due to the default IPv6 LAN to Any rule).
I would implement the ULA pool in RA / DHCP, renew my IP and wouldn't be able to ping... which I later found out was because my Mac would get the ULA address upon renewal... then be denied pinging the ULA gateway because it was using the ULA address, which had no firewall rule to allow any traffic from the ULA LAN to anything.
I also have direct experience with the Rogers network, since the days when they did throttling and such (which was a mess)... and hadn't experienced a weird issue with IPv6 until this (but never really had a specific reason for my IPv6 addresses not to change... they always have).
I haven't done any reboots since, but will check periodically now if the subnet changes when I perform my next update (I've taken note of both WAN and LAN subnets).
I was able to get the ULA addresses assigned (fdxx:xxxx:xxxx::/48) and pinging on the LAN for local stuff (dynamically via RA and DHCP for normal hosts) and statically for certain things like pihole and server machines. Those pihole devices serve DNS using the local IPv4 addresses as well as the ULA addresses, but they automatically use their global IPv6 addresses to communicate outbound for DNS queries to OpenDNS IPv6 servers and such.
I used the RFC Generator for ULA Addresses (using the MAC of my LAN interface to generate 40 bits randomly and assigned the first /64 of the /48 to my local LAN for ULA):
https://cd34.com/rfc4193/
The pfSense side of things, I rarely reboot - in the case of the reboot above... I believe it was an update.
All is good in the hood now.
But that pesky Apple TV 4K still takes a ton of addresses that show up in the NDP table when it's wired. Must just be a chipset and driver thing.
Thanks again for the support - I think we can close this one off.
If anyone has any questions on the ULA config with IPv6, RA and DHCPv6, I'd be happy to help.
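The two pieces of this thread's working setup can be reproduced in a few lines: the RFC 4193 ULA prefix generation that the linked generator performs (SHA-1 over an NTP timestamp and the LAN interface's EUI-64, low 40 bits become the Global ID), and JKnott's earlier suggestion of giving a statically mapped host the same 64-bit suffix as its link-local address. This is an added example, not code from the thread, pfSense or the cd34.com generator; the MAC, timestamp and link-local address are constructed sample values.

```python
# Added example: build a ULA /48 per RFC 4193 section 3.2.2, then form a
# static host address in its first /64 by reusing the host's link-local
# interface identifier. All input values below are constructed samples.
import hashlib
import ipaddress
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def eui64_from_mac(mac):
    """Modified EUI-64 (RFC 4291 App. A): flip the U/L bit, insert ff:fe."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def ula_prefix(mac, unix_time=None):
    """RFC 4193: Global ID = low 40 bits of SHA-1(NTP time || EUI-64); fd00::/8 + ID."""
    if unix_time is None:
        unix_time = time.time()
    ntp_secs = int(unix_time) + NTP_EPOCH_OFFSET
    ntp64 = (ntp_secs << 32) | int((unix_time % 1) * 2**32)  # 64-bit NTP format
    key = ntp64.to_bytes(8, "big") + eui64_from_mac(mac)
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80), 48))

def host_address(prefix, link_local):
    """Transplant the 64-bit interface id of a link-local address into a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    ll = ipaddress.IPv6Address(link_local.split("%")[0])  # drop %scope id
    if net.prefixlen != 64 or not ll.is_link_local:
        raise ValueError("need a /64 prefix and an fe80::/10 address")
    iid = int(ll) & ((1 << 64) - 1)
    return ipaddress.IPv6Address(int(net.network_address) | iid)

if __name__ == "__main__":
    ula48 = ula_prefix("02:00:5e:00:53:01", unix_time=1_700_000_000)  # sample MAC/time
    lan64 = list(ula48.subnets(new_prefix=64))[0]  # first /64 of the /48 for the LAN
    print(ula48, lan64, host_address(lan64, "fe80::1a2b:3cff:fe4d:5e6f%en0"))
```

Only a SLAAC host using a MAC-derived (EUI-64) identifier has a stable link-local suffix; hosts using privacy or stable-privacy identifiers will still have a fixed link-local address, but it no longer matches their global one.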
-
@JKnott of course... overnight I lost public IPv6 connectivity.
WAN had an IPv6 address in the morning, but LAN did not have one (except for the ULA's I'd set).
Any chance you are having issue with IPv6 right today?
Best Regards,
dg6464