IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
@JKnott of course... overnight I lost public IPv6 connectivity.
WAN had an IPv6 address in the morning, but LAN did not have one (except for the ULAs I'd set).
Any chance you are having an issue with IPv6 today?
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
Any chance you are having an issue with IPv6 today?
No. I just got 10/10 at test-ipv6.com.
You'll have to do some investigating. Capture the DHCPv6 packets on the WAN interface. They might tell you something.
-
@JKnott I'm back on as 10/10 for test-ipv6 as well, but it took some troubleshooting again.
It looks like there was a DHCP release / renew again some time during the night and the IPv6 subnet changed (even though I had the "Do not allow PD/Address release" box checked in Interfaces --> WAN). Either that... or for some reason my ULA VIP is taking over as the "main" LAN interface address (the single address that shows on dashboard for the interface... which is usually the global IPv6 address for LAN/WAN and NOT the ULA VIP).
On the main dashboard page (as well as Status --> Interfaces) it has the ULA address as the only IPv6 address on the LAN interface, and it was no longer getting a proper global IP address (WAN was fine with a global address in its own prefix).
If I disable DHCPv6/RA and remove the ULA VIP (under Firewall --> Virtual IPs) on LAN... the LAN interface THEN gets a global IP address/range again, I can re-add the ULA VIP, re-instantiate DHCPv6/RA... and add the new Public IPv6 range from LAN in as an RA subnet to broadcast (I'm not even sure if this is necessary, as I think the RA server by default broadcasts the prefix that the LAN gets... in addition to the ULA range... but I manually add the range in as that's what you've said in the past).
I've seen this kind of issue on another thread before as well (in fact, I believe it was potentially yours on reddit or something, but may be mistaken). The major issue being the LAN interface seems to give some sort of priority or first-come-first-served to one or the other IPv6 addresses on the interface at various times, and sometimes reboot.
No idea what's going on with the subnet changes from Rogers. I didn't do anything to the system last night and woke up to the main LAN interface IP address being set to my fda1: VIP interface with no global IP... and it wouldn't get a new global IP until I disabled the VIP (which removed the address from the LAN interface).
It would be ideal if we made it a priority in the next pfSense release moving forward to do this properly (ie: without a VIP required).
Somehow if we were able to assign multiple IPs to the LAN interface more easily (and be able to classify them somehow, maybe as global/ULA/etc)... as opposed to using a separate VIP. It just seems like there is some overall flakiness here for some reason... but it may be how the underlying kernel/OS deals with IPv6 and that needs to be addressed first? Who knows.
I know yours seems to be stable @JKnott ... but mine just seems to be stable for short periods. Everything works great, then it just doesn't.
I'm happy to provide my configurations, or do troubleshooting or provide logs... but am not sure if it's even valuable, or if the team is already aware of this, or if maybe, somehow it is a configuration error.
If you think I should open up a separate thread for this and provide whatever info people ask for, I can do so.
Let me know your thoughts.
Best Regards,
dg6464
-
I doubt Rogers is doing a release/renew. I've been on them for over 20 years and have never seen that happen. My IPv4 address is so stable it's virtually static. In fact, I've only once seen it change, when I didn't change some hardware. That was when they made significant changes to the network, requiring new addresses for everyone. This is why I said you should capture DHCPv6 from them, to see if it provides any clues. Just start up Packet Capture and let it run for hours/days. You can use Wireshark to examine the captures.
I can't provide answers, when I don't have any info to work with. My own experience, in all those years, is Rogers doesn't do anything like what you say. I've had IPv4 with them for over 20 years and IPv6 for over 4.
-
@JKnott I agree, however I have had Rogers change over the years (mostly based on DOCSIS version migrations and re-IPs)... this seems to be pfSense related.
I did a DHCPv6 capture, captured WAN and DHCPv6 specific ports in promiscuous mode, unplugged the WAN interface, re-plugged the interface... and voila.. the packet capture shows the /56 prefix in there, as well as the WAN interface address.
However... guess what happened? The VIP took over the LAN interface again and shows as the main interface address on the dashboard and interfaces screen.
The second I go in and remove the VIP... the global IP from the prefix pops up as the main LAN interface and stuff starts functioning again. I can then re-add the ULA VIP and all is hunky-dory.
Thoughts? Weird? Configuration issue?
If you want the captures, I can provide them... it's only 4 packets, but has all of the addressing info in it. It all looks fine. Seems to be a problem either with my pfSense configuration, or pfSense's interpretation of IPv6.
Let me know what you think is needed... if it's the whole pfSense configuration, or snippets - I will provide.
Not sure if there are any particular log files I should look at... I checked through a lot of them and didn't find much (but I don't have DHCPv6 Debug Mode enabled on the WAN Interface).
Best Regards,
dg6464
-
How are you creating the VIP? The way I use for unique local addresses is to create the prefix on the Router Advertisement settings. If you do this, you'll also have to create one for the assigned prefix.
-
@JKnott I create the VIP in Firewall --> Virtual IPs, then create an IP Alias and assign it to the LAN interface.
I thought that was the way to create a VIP (that’s what I’ve seen in previous posts).
Are you saying that if I put the fd00:: prefix under the RA advertisements (as I have right now for both the ULA network, as well as the assigned prefix from the WAN)... it automatically creates a VIP on the router's LAN interface for that ULA prefix?
Thanks!
Best Regards,
dg6464
-
Yes, I also created the address in VIP, but also the prefix on the RA page. Yes, if you create a prefix for the VIP, you will now also have to create one for the assigned prefix, as for some reason, pfSense no longer automatically does that.
-
@JKnott yeah, it seems we are doing the same thing then.
So I have no freakin’ clue why the VIP takes over the LAN interface and won’t allow the LAN to get the global addresses when the WAN interface drops and/or re-does DHCP (and on reboot).
Can anyone think of a potential reason why this would happen?
Or am I into a totally fresh re-build of pfSense as a next recourse?
Just not sure where else to go next with this one to be honest.
I wonder if I can just build from scratch on my Proxmox VM and transfer the config to my hardware pfSense box.
Thanks!
Best Regards,
dg6464
-
Sometimes the best thing to do is start from scratch and make sure it's working first. Then start adding whatever and see if something causes the problem.
-
@JKnott thanks, I might try that to experiment. However, it seems this has been verified and input as a bug on this thread.
Hoping maybe the Netgate folks get to it in a future release... properly getting track interface to work with multiple IP addresses on a LAN interface including GUA and ULA. Definitely some funky routing and "which interface gets priority or sends the traffic and can route" going on... both on the pfSense side (which they can control), as well as the various client OSes (Windows, Mac, Linux, etc). All of them do it differently. Windows machines here always seem to ping everything just fine... Macs not so much.
If anyone finds a fix / workaround (possibly a script to pull and add the ULA VIP after 5-10 seconds whenever the WAN goes up/down)... let me know and I'd be happy to test it.
Best Regards,
dg6464
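
A check for the symptom described in this thread (the LAN interface holding only the ULA alias and no global address), as an added example that is not part of any post or of pfSense itself. It classifies the `inet6` lines of FreeBSD-style `ifconfig` output; the interface name `igb1` and all addresses are constructed sample values.

```sh
#!/bin/sh
# Added example (not from the thread). Interface name and addresses are constructed.

# classify_addr ADDR: print link-local, ula, gua or other for one IPv6 address.
classify_addr() {
    addr=${1%%\%*}      # drop a zone suffix such as %igb1
    first=${addr%%:*}   # first 16-bit group, e.g. fe80, fda1, 2001
    case "$first" in
        fe[89ab]?) echo link-local ;;  # fe80::/10
        f[cd]??)   echo ula ;;         # fc00::/7 (unique local)
        [23]???)   echo gua ;;         # 2000::/3 (global unicast)
        *)         echo other ;;
    esac
}

# lan_v6_state: read ifconfig output on stdin and print
#   ok        a global address is present
#   ula-only  a ULA is present but no global address (the symptom above)
#   no-v6     neither kind is present
lan_v6_state() {
    have_ula=0
    have_gua=0
    while read -r kw addr rest; do
        [ "$kw" = inet6 ] || continue
        # addresses still in, or failing, duplicate address detection do not count
        case "$rest" in *tentative*|*duplicated*) continue ;; esac
        case "$(classify_addr "$addr")" in
            ula) have_ula=1 ;;
            gua) have_gua=1 ;;
        esac
    done
    if [ "$have_gua" -eq 1 ]; then echo ok
    elif [ "$have_ula" -eq 1 ]; then echo ula-only
    else echo no-v6
    fi
}

# Constructed samples in FreeBSD ifconfig layout (2001:db8::/32 is the documentation prefix).
SAMPLE_ULA_ONLY='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
	inet6 fda1:0:0:1::1 prefixlen 64'
SAMPLE_HEALTHY="$SAMPLE_ULA_ONLY
	inet6 2001:db8:0:1::1 prefixlen 64"

printf 'ULA only: %s\n' "$(printf '%s\n' "$SAMPLE_ULA_ONLY" | lan_v6_state)"
printf 'healthy:  %s\n' "$(printf '%s\n' "$SAMPLE_HEALTHY" | lan_v6_state)"
```

On a live system the function can read the output of `ifconfig` for the LAN interface on stdin instead of the samples.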