IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
Yes, I have it checked. That's why I said to use it, as I have been through the changing prefixes. When I started using pfsense, that option wasn't available and my prefix changed several times.
As for the DNS, I let the RAs use the default DNS address which, in my case is a Unique Local Address. Since DNS addresses must be routeable, link local cannot be used for the DNS server.
-
Thanks @JKnott
So I did a quick test. Re-enabled IPv6... tried some stuff with ULA's.
Just can't get it to work right.
Also, I have the following checked...:
"Do not allow PD/Address release: dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent"
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
First LAN Prefix 0: 260xx:fexx:7b2x:fe00:xxxx:xxxx:xxxx:xxxx
Second LAN Prefix 0: 26xx:fexx:7b2x:5c00:xxxx:xxxx:xxxx:xxxx
Two digits changed.
So I can't do Global Addresses (which I had working with unRAID, Docker, Pihole and DNSCrypt... until they changed the prefix and it nuked everything). It's possible, I guess, to forgo using Rogers Native IPv6 and get a tunnel and lease from Hurricane or something that will stick...
And I can't seem to get ULA's to work appropriately either... it's an easy pfSense configuration, but there aren't proper parameters to pass in the docker side of things to ensure both addresses hit the docker container properly.
I also wasn't able to get the pfSense ULA virtual IP on the LAN to ping or be pinged (I set fd00::1 /64, as well as I tried /128). I was able to get ULA addresses on all of my regular non-docker devices and was able to ping between them... but was not able to ping the virtual ULA, or any of the docker machines if I was able to get them to grab an address.
So not sure what to do on that.
The NDP entries for the Apple TV only persist on wired, when I have IPv6 enabled, but I am not too worried about that now to be honest... since the only thing it affected was pihole seeing 400+ "clients" on the LAN, which is moot now that I can't use pihole for IPv6.
Might just be worth leaving pihole on IPv4 DNS stuff and using DNSBL for IPv6 DNS and loading the same lists.
Any guidance would be appreciated - if you feel a different post is warranted, I can do that too, or just give up until there's better IPv6 support out there in general.
Thanks!
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
It doesn't for me.
Also, ULA works fine for me. I'm not sure what your issue is, but I'm beginning to wonder if you're poking around somewhere that's causing the problems. Sometimes the solution is to start from scratch and then start adding stuff and see when it fails.
Rogers is one company I have direct experience with (including working on their network). Other than a problem they had last year, my IPv6 service has been solid for over 4 years.
ULA can be tricky in that when you create it on the Router Advertisements page, you also have to manually set the global address prefix, as that's no longer done automagically. This means, should your prefix from Rogers change, then you have to change the prefix on that page.
BTW, you shouldn't have to keep rebooting pfSense. That's a bad habit from the Windows world. Normally, the only time mine reboots is when it updates to a new version.
-
@JKnott I got it all working the last couple of weeks... the major thing was I didn't have the firewall LAN to ANY rule set up for the virtual IP Alias / assigned subnet that was set up for the ULA's.
The troubleshooting issue I ran in to was I could ping the VIP before setting up the ULA pool on the RA (ie: I could ping the VIP because my Mac was using a global address, which is allowed to ping anything due to the default IPv6 LAN to Any rule).
I would implement the ULA pool in RA / DHCP, renew my IP and wouldn't be able to ping... which I later found out was because my Mac would get the ULA address upon renewal... then be denied pinging the ULA gateway because it was using the ULA address, which had no firewall rule to allow any traffic from the ULA LAN to anything.
I also have direct experience with the Rogers network, since the days when they did throttling and such (which was a mess)... and hadn't experienced a weird issue with IPv6 until this (but never really had a specific reason for my IPv6 addresses not to change... they always have).
I haven't done any reboots since, but will check periodically now if the subnet changes when I perform my next update (I've taken note of both WAN and LAN subnets).
I was able to get the ULA addresses assigned (fdxx:xxxx:xxxx::/48) and pinging on the LAN for local stuff (dynamically via RA and DHCP for normal hosts) and statically for certain things like pihole and server machines and those pihole devices serving DNS using the local IPv4 addresses, as well as the ULA addresses, but they automatically use their global IPv6 addresses to communicate outbound for DNS queries to OpenDNS IPv6 servers and such.
I used the RFC Generator for ULA Addresses (using the MAC of my LAN interface to generate 40 bits randomly and assigned the first /64 of the /48 to my local LAN for ULA):
https://cd34.com/rfc4193/
The pfSense side of things, I rarely reboot - in the case of the reboot above... I believe it was an update.
All is good in the hood now.
But that pesky Apple TV 4K still takes a ton of addresses that show up in the NDP table when it's wired. Must just be a chipset and driver thing.
Thanks again for the support - I think we can close this one off.
If anyone has any questions on the ULA config with IPv6, RA and DHCPv6, I'd be happy to help.
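The ULA derivation the post describes (RFC 4193 section 3.2.2: SHA-1 over an NTP timestamp and the LAN interface's EUI-64, low 40 bits as the Global ID under fd00::/8, then the first /64 of the resulting /48) as an added example in Python; this is not code from the thread or from the cd34.com generator, and the MAC address and timestamp used are placeholders.

```python
import hashlib
import ipaddress
import struct
import time

ULA_RANGE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 unique local range
NTP_EPOCH_OFFSET = 2208988800                    # seconds from 1900-01-01 to 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 App. A): insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def ula_prefix(mac: str, unix_seconds=None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64); low 40 bits are the Global ID; fd00::/8 + Global ID = /48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_seconds) + mac_to_eui64(mac)).digest()
    global_id = int.from_bytes(digest[-5:], "big")      # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)      # fd + Global ID, remaining 80 bits zero
    return ipaddress.IPv6Network((prefix_int, 48))


def lan_subnet(prefix: ipaddress.IPv6Network, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """Select one /64 from the /48 by its 16-bit Subnet ID (0 = the first /64, as used for the LAN)."""
    if prefix.prefixlen != 48 or not 0 <= subnet_id < 0x10000:
        raise ValueError("need a /48 and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(prefix.network_address) | (subnet_id << 64), 64))


def is_ula(addr: str) -> bool:
    """True for fc00::/7 addresses, e.g. to tell a ULA VIP apart from a delegated global address."""
    return ipaddress.IPv6Address(addr) in ULA_RANGE


if __name__ == "__main__":
    p = ula_prefix("00:11:22:33:44:55")              # placeholder MAC, current time
    print(p, "->", lan_subnet(p, 0))
```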
-
@JKnott of course... overnight I lost public IPv6 connectivity.
WAN had an IPv6 address in the morning, but LAN did not have one (except for the ULA's I'd set).
Any chance you are having issue with IPv6 right today?
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
Any chance you are having issue with IPv6 right today?
No. I just got 10/10 at test-ipv6.com.
You'll have to do some investigating. Capture the dhcpv6 packets on the WAN interface. They might tell you something.
-
@JKnott I'm back on as 10/10 for test-ipv6 as well, but it took some troubleshooting again.
It looks like there was a DHCP release / renew again some time during the night and the IPv6 subnet changed (even though I had the "Do not allow PD/Address release" box checked in Interfaces --> WAN). Either that... or for some reason my ULA VIP is taking over as the "main" LAN interface address (the single address that shows on dashboard for the interface... which is usually the global IPv6 address for LAN/WAN and NOT the ULA VIP).
On the main dashboard page (as well as Status --> Interfaces) it has the ULA address as the address on the LAN interface as the only IPv6 address and was no longer getting a proper global IP address (WAN was fine with a global address in its own prefix).
If I disable DHCPv6/RA and remove the ULA VIP (under Firewall --> Virtual IP's) on LAN... the LAN interface THEN gets a global IP address/range again, I can re-add the ULA VIP, re-instantiate DHCPv6/RA... and add the new Public IPv6 range from LAN in as an RA subnet to broadcast (I'm not even sure if this is necessary, as I think the RA server by default broadcasts the prefix that the LAN gets... in addition to the ULA range... but I manually add the range in as that's what you've said in the past)
I've seen this kind of issue on another thread before as well (in fact, I believe it was potentially yours on reddit or something, but may be mistaken). The major issue being the LAN interface seems to give some sort of priority or first-come-first-served to one or the other IPv6 addresses on the interface at various times, and sometimes reboot.
No idea what's going on with the subnet changes from Rogers. I didn't do anything to the system last night and woke up to the main LAN interface IP address being set to my fda1: VIP interface with no global IP... and it wouldn't get a new global IP until I disabled the VIP (which removed the address from the LAN interface).
It would be ideal if we made it a priority in the next pfSense release moving forward to do this properly (ie: without a VIP required).
Somehow if we were able to assign multiple IPs to the LAN interface more easily (and be able to classify them somehow, maybe as global/ULA/etc)... as opposed to using a separate VIP.
It just seems like there is some overall flakiness here for some reason... but it may be how the underlying kernel/OS deals with IPv6 and that needs to be addressed first? Who knows.
I know yours seems to be stable @JKnott ... but mine just seems to be stable for short periods. Everything works great, then it just doesn't.
I'm happy to provide my configurations, or do troubleshooting or provide logs... but am not sure if it's even valuable, or if the team is already aware of this, or if maybe, somehow it is a configuration error.
If you think I should open up a separate thread for this and provide whatever info people ask for, I can do so.
Let me know your thoughts.
Best Regards,
dg6464
-
I doubt Rogers is doing a release/renew. I've been on them for over 20 years and have never seen that happen. My IPv4 address is so stable it's virtually static. In fact, I've only once seen it change, when I didn't change some hardware. That was when they made significant changes to the network, requiring new addresses for everyone. This is why I said you should capture DHCPv6 from them, to see if it provides any clues. Just start up Packet Capture and let it run for hours/days. You can use Wireshark to examine the captures.
I can't provide answers, when I don't have any info to work with. My own experience, in all those years, is Rogers doesn't do anything like what you say. I've had IPv4 with them for over 20 years and IPv6 for over 4.
-
@JKnott I agree, however I have had Rogers change over the years (mostly based on DOCSIS version migrations and re-IPs)... this seems to be pfSense related.
I did a DHCPv6 capture, captured WAN and DHCPv6 specific ports in promiscuous mode, unplugged the WAN interface, re-plugged the interface... and voila.. the packet capture shows the /56 prefix in there, as well as the WAN interface address.
However... guess what happened? The VIP took over the LAN interface again and shows as the main interface address on the dashboard and interfaces screen.
The second I go in and remove the VIP... the global IP from the prefix pops up as the main LAN interface and stuff starts functioning again. I can then re-add the ULA VIP and all is hunky-dory.
Thoughts? Weird? Configuration issue?
If you want the captures, I can provide them... it's only 4 packets, but has all of the addressing info in it. It all looks fine. Seems to be a problem either with my pfSense configuration, or pfSense's interpretation of IPv6.
Let me know what you think is needed... if it's the whole pfSense configuration, or snippets - I will provide.
Not sure if there are any particular log files I should look at... I checked through a lot of them and didn't find much (but I don't have DHCPv6 Debug Mode enabled on the WAN Interface).
Best Regards,
dg6464
-
How are you creating the VIP? The way I use for unique local addresses is to create the prefix on the Router Advertisement settings. If you do this, you'll also have to create one for the assigned prefix.
-
@JKnott I create the VIP in Firewall --> Virtual IP's, then create an IP Alias and assign to LAN interface.
I thought that was the way to create a VIP (that’s what I’ve seen in previous posts).
Are you saying that if I put the fd00:: prefix under the RA advertisements (as I have right now for both the ULA network, as well as the assigned prefix from the WAN)... it automatically creates a VIP on the router's LAN interface for that ULA prefix?
Thanks!
Best Regards,
dg6464
-
Yes, I also created the address in VIP, but also the prefix on the RA page. Yes, if you create a prefix for the VIP, you will now also have to create one for the assigned prefix, as for some reason, pfSense no longer automatically does that.
-
@JKnott yeah, it seems we are doing the same thing then.
So I have no freakin’ clue why the VIP takes over the LAN interface and won’t allow the LAN to get the global addresses when the WAN interface drops and/or re-does DHCP (and on reboot).
Can anyone think of a potential reason why this would happen?
Or am I into a totally fresh re-build of pfSense as a next recourse?
Just not sure where else to go next with this one to be honest.
I wonder if I can just build from scratch on my Proxmox VM and transfer the config to my hardware pfSense box.
Thanks!
Best Regards,
dg6464
-
Sometimes the best thing to do is start from scratch and make sure it's working first. Then start adding whatever and see if something causes the problem.
-
@JKnott thanks, I might try that to experiment. However, it seems this has been verified and input as a bug on this thread.
Hoping maybe the Netgate folks get to it in a future release... properly getting track interface to work with multiple IP addresses on a LAN interface including GUA and ULA. Definitely some funky routing and "which interface gets priority or sends the traffic and can route" going on... both on the pfSense side (which they can control), as well as the various client OS's (Windows, Mac, Linux, etc). All of them do it differently. Windows machines here always seem to ping everything just fine... Mac's not so much.
If anyone finds a fix / workaround (possibly a script to pull and add the ULA VIP after 5-10 seconds whenever the WAN goes up/down)... let me know and I'd be happy to test it.
Best Regards,
dg6464