T-Mobile cellular service on a netgear LM1200 modem no ipv6 gateway
-
@dem said in T-Mobile cellular service on a netgear LM1200 modem no ipv6 gateway:
If your T-Mobile LTE connection is like mine your IPv6 address and gateway will change often, sometimes multiple times a day. With a tracking interface this will cause your entire LAN to renumber itself every time the address changes, potentially breaking any existing IPv6 connections.
That is bizarre. There's a setting to prevent release of the prefix. Do you have that set?
-
@jknott said in T-Mobile cellular service on a netgear LM1200 modem no ipv6 gateway:
That is bizarre. There's a setting to prevent release of the prefix. Do you have that set?
To quote the pfSense Manual again:
"Do not allow PD/Address release: Prevents the operating system from sending a DHCPv6 release message on exit."
But the RA (shown in a previous message above) contains only the "O" flag, which means: "Stateless DHCP: The firewall will send out RA packets and addresses can be assigned to clients by SLAAC while providing additional information such as DNS and NTP from DHCPv6."
So there's no DHCPv6 server on the T-Mobile side assigning the address in the first place, as far as I can determine.
-
@dem said in T-Mobile cellular service on a netgear LM1200 modem no ipv6 gateway:
So there's no DHCPv6 server on the T-Mobile side assigning the address in the first place, as far as I can determine.
Do a packet capture on the WAN port for DHCPv6-PD. The packets should contain the prefix for your LAN.
I have attached a DHCPv6-PD capture.
Use Wireshark to take a look at frame 15 where you will see this:
The last line shown is the prefix provided by my ISP. If you don't see that on the pfsense WAN port, you will not be able to provide IPv6 on the LAN.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@jknott said in T-Mobile cellular service on a netgear LM1200 modem no ipv6 gateway:
If you don't see that on the pfsense WAN port, you will not be able to provide IPv6 on the LAN.
As I mentioned previously, everything works fine after both devices are rebooted, but IPv6 stops working the first time the address changes.
-
Dumb question but how do I do a packet capture for just DHCPv6? I don't see that as a filter on the pfsense GUI. I tried ports 546 and 547. Would that work?
-
Thanks again to all who have replied. I'm learning more today than in a while, even after the pfsense hangout about IPv6 from @jimp in 2015.
Here is what wireshark analyzed from packets captured (546 or 547) on the pfsense interface for my cellular modem in bridge mode. The interface is configured at DHCPv6. No other configuration changes. I released and then renewed the lease from the modem.
Frame 2: 130 bytes on wire (1040 bits), 130 bytes captured (1040 bits)
Encapsulation type: Ethernet (1)
Arrival Time: May 18, 2021 14:49:16.414066000 Eastern Daylight Time
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1621363756.414066000 seconds
[Time delta from previous captured frame: 0.609042000 seconds]
[Time delta from previous displayed frame: 0.609042000 seconds]
[Time since reference or first frame: 0.609042000 seconds]
Frame Number: 2
Frame Length: 130 bytes (1040 bits)
Capture Length: 130 bytes (1040 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ipv6:udp:dhcpv6]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Globalsc_0b:1d:2f (f0:ad:4e:0b:1d:2f), Dst: IPv6mcast_01:00:02 (33:33:00:01:00:02)
Destination: IPv6mcast_01:00:02 (33:33:00:01:00:02)
Source: Globalsc_0b:1d:2f (f0:ad:4e:0b:1d:2f)
Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::f2ad:4eff:fe0b:1d2f, Dst: ff02::1:2
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
.... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
.... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
.... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
Payload Length: 76
Next Header: UDP (17)
Hop Limit: 1
Source Address: fe80::f2ad:4eff:fe0b:1d2f
Destination Address: ff02::1:2
[Source SA MAC: Globalsc_0b:1d:2f (f0:ad:4e:0b:1d:2f)]
User Datagram Protocol, Src Port: 546, Dst Port: 547
Source Port: 546
Destination Port: 547
Length: 76
Checksum: 0xe3b5 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
[Timestamps]
UDP payload (68 bytes)
DHCPv6
Message type: Solicit (1)
Transaction ID: 0x1840b4
Client Identifier
Option: Client Identifier (1)
Length: 14
DUID: 000100012831f67ef0ad4e0b1d2f
DUID Type: link-layer address plus time (1)
Hardware type: Ethernet (1)
DUID Time: May 14, 2021 23:03:26.000000000 Eastern Daylight Time
Link-layer address: f0:ad:4e:0b:1d:2f
Identity Association for Non-temporary Address
Option: Identity Association for Non-temporary Address (3)
Length: 12
IAID: 00000000
T1: 0
T2: 0
Elapsed time
Option: Elapsed time (8)
Length: 2
Elapsed time: 0ms
Option Request
Option: Option Request (6)
Length: 4
Requested Option code: DNS recursive name server (23)
Requested Option code: Domain Search List (24)
Identity Association for Prefix Delegation
Option: Identity Association for Prefix Delegation (25)
Length: 12
IAID: 00000000
T1: 0
T2: 0As far as I can tell, I am not receiving the needed IPV6 prefix. Correct?
-Devan
-
In Packet Capture, filter on DHCPv6, port 546 or 547. Doesn't matter which. If you have an external connection method, such as a data tap, you can connect a computer and run Wireshark. You'll want to capture it during a reboot, so as to get the entire sequence. If you're using Packet Capture, shut down pfsense and disconnect the WAN cable. Then boot up pfsense, start Packet Capture and reconnect the WAN cable.
-
@ddbnj said in T-Mobile cellular service on a netgear LM1200 modem no ipv6 gateway:
Here is what wireshark analyzed from packets captured (546 or 547) on the pfsense interface for my cellular modem in bridge mode.
It's better to upload the capture file, as I did above. There's a lot of detail in those captures and you really need to use Wireshark to analyze it.
-
I have been doing this via a site to site VPN. Since this will involve physical access, I will visit the site next week and try all the above.
When I get a capture file, I'll revist this.
Thanks,
Devan
-
Then I can only assume you didn't reboot pfsense. That's pretty much necessary to get the full sequence. Otherwise, you only get renewals.
