Comcast IPv6 address issue
-
@virgiliomi:
Gateways will always be link-local with IPv6. That's by design. The gateway will also likely have a global address for other purposes (i.e. remote access/management), but link-local addresses are always used for routing. On a Windows PC on your network, if you do ipconfig, the default IPv6 gateway address will be the link-local address for pfSense (IIRC should be fe80::1:1).
And sorry about the . vs _ in the filename. :)
Well, even after regenerating that file, I am getting no IPv6 traffic through the Comcast gateway. There are many advanced settings for IPv6… should I mess with them?
-
So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es)). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.
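Added example (not from this thread): a small FreeBSD/pfSense shell check that confirms the point above, that the IPv6 default route should have a link-local next hop with an interface scope (fe80::/10 plus %em0 style suffix), and flags a missing or global gateway instead. The route table embedded below is a constructed sample in netstat -rn -f inet6 layout; the function names are mine, and default_v6_gateway_live is the only part that touches the real box.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the IPv6 default route
# goes via a scoped link-local gateway, as pfSense sets it by design.
# SAMPLE_ROUTES is a constructed "netstat -rn -f inet6" style table.

SAMPLE_ROUTES='Destination                       Gateway                       Flags     Netif Expire
default                           fe80::213:5fff:fe05:bfe2%em0  UG          em0
::1                               link#3                        UH          lo0
2001:db8:10::/64                  link#2                        U           em1'

# default_v6_gateway: read a route table on stdin, print the gateway
# column of the "default" line (nothing if there is no default route).
default_v6_gateway() {
    awk '$1 == "default" { print $2; exit }'
}

# is_linklocal_gw ADDR: return 0 when ADDR is inside fe80::/10 (first
# hextet fe80..febf) and carries a %scope suffix, 1 otherwise.
is_linklocal_gw() {
    addr=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $addr in
        fe[89ab][0-9a-f]:*%?*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_v6_default: read a route table on stdin; return 0 if its default
# route is via a scoped link-local gateway, 1 if it is missing or global.
check_v6_default() {
    gw=$(default_v6_gateway)
    [ -n "$gw" ] && is_linklocal_gw "$gw"
}

# Live variant for a pfSense/FreeBSD box (not run in this example).
default_v6_gateway_live() { netstat -rn -f inet6 | default_v6_gateway; }

# Usage against the constructed sample:
if printf '%s\n' "$SAMPLE_ROUTES" | check_v6_default; then
    echo "default IPv6 route is via a scoped link-local gateway"
else
    echo "default IPv6 route missing or not link-local"
fi
```

A global address in the gateway column, or a default line without a %scope, is worth a second look before blaming the upstream: on the sample above the check passes because the next hop is fe80::213:5fff:fe05:bfe2%em0, the same form as the ROUTING line pfSense logs when it sets the route.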
-
he.net uses an IPV4 "server" address on their side - one needs to know all the time what your WAN IPv4 is.
Their setup instructions are clear about that.
Added to that, your WAN IPv4 needs to be 'pingable'.
This sounds to me like the instructions for setting up the tunnel… it is set up and works fine, other than having no AAAA record.
On the pfSense side, there exists a tool that does just that - if you set it up.
Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker" type service. The settings are taken from your "he.net IPv6 tunnel account" page.
Thanks for pointing out that pfSense allows more than one Dynamic DNS configuration!
he.net uses an IPV4 "server" address on their side - one needs to know all the time what your WAN IPv4 is.
Their setup instructions are clear about that.
Added to that, your WAN IPv4 needs to be 'pingable'.
On the pfSense side, there exists a tool that does just that - if you set it up.
Go here : Services -> Dynamic DNS -> Dynamic DNS Clients and add a "HE.net Tunnelbroker" type service. The settings are taken from your "he.net IPv6 tunnel account" page.
This service, comparable to what No-IP offers btw, will assure that YOUR IPv4 is known all the time at he.net.
Instructions for filling out the pfSense Dynamic DNS Client configuration for HE.net (aka tunnelbroker.net) are right on the configuration page, namely for Hostname you should for "he.net tunnelbroker: Enter the tunnel ID".
That said, I am failing with interesting entries in the system log; consider this…
Jan 3 16:19:22 php-fpm 37351 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
Jan 3 16:19:22 check_reload_status Syncing firewall
Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
Jan 3 16:19:13 php-fpm 9879 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD: abuse
Jan 3 16:19:12 check_reload_status Syncing firewall
Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): (Unknown Response)
Jan 3 16:18:56 php-fpm 7933 /services_dyndns_edit.php: phpDynDNS (311434): PAYLOAD:
Jan 3 16:18:56 check_reload_status Syncing firewall
Jan 3 16:18:40 php-fpm 79049 /services_dyndns_edit.php: Dynamic DNS (311434) There was an error trying to determine the public IP for interface - wan (em0 ).
Jan 3 16:18:40 check_reload_status Syncing firewall
All I am changing to try to get something to work is which interface I am selecting, namely my WAN, IPV6 tunnel, or LAN.
-
@virgiliomi:
So one more question here… do you have just a modem, or do you have a gateway (modem+router) device from Comcast? Because if you have the latter, that will definitely affect IPv6. Comcast's gateways are not configured for IPv6 prefix delegation (unless you have a business account with static address(es)). If you want to run pfSense behind a Comcast gateway, you'll want to put the gateway into Bridge mode, so it functions as just a modem, and let pfSense handle all of the router/firewall functions. Yes, that also means you'll need your own WiFi access point, as the Comcast gateway won't provide local network WiFi anymore either.
Just a modem… by special request!
-
I tracked down one issue; the dhcp6c process is being started twice for the same interface.
root 58549 0.0 0.1 10096 1832 - Is 8:07PM 0:00.11 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root 91097 0.0 0.1 10096 1824 - Is 8:07PM 0:00.10 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
Does anyone know how the hidden startup files can be corrected? Just editing the interface through the pfSense Interface Configuration editor is not correcting the problem.
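A quick way to spot this without eyeballing ps, as an added example that is not part of the thread: feed ps uxawww output to an awk filter that groups dhcp6c processes by the interface argument (the last word on the command line) and reports any interface with more than one instance. The ps lines below are constructed to mirror the ones posted above; the function names are my own, and only dhcp6c_dupes_live touches the running system.

```shell
#!/bin/sh
# Added example, not from the thread: count dhcp6c instances per interface
# from "ps uxawww" style output and flag interfaces that have more than one.
# SAMPLE_PS is a constructed copy of the two-instance situation posted above,
# plus the grep that would normally find them.

SAMPLE_PS='root 58549 0.0 0.1 10096 1832 - Is 8:07PM 0:00.11 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root 91097 0.0 0.1 10096 1824 - Is 8:07PM 0:00.10 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root 81512 0.0 0.1 10264 1908 - S 8:07PM 0:00.00 grep dhcp6c'

# dhcp6c_dupes: read ps output on stdin and print "iface count pid pid..."
# for every interface with more than one dhcp6c. Exit status is 1 when
# duplicates were found, 0 when every interface has at most one.
dhcp6c_dupes() {
    awk '
        # Only real dhcp6c processes; the grep that lists them does not
        # contain the full binary path followed by a space.
        $0 ~ /\/usr\/local\/sbin\/dhcp6c / {
            iface = $NF                 # interface is the last argument
            count[iface]++
            pids[iface] = pids[iface] " " $2
        }
        END {
            found = 0
            for (i in count)
                if (count[i] > 1) {
                    found = 1
                    printf "%s %d%s\n", i, count[i], pids[i]
                }
            exit found
        }'
}

# Live variant for a pfSense/FreeBSD box (not run in this example).
dhcp6c_dupes_live() { ps uxawww | dhcp6c_dupes; }

# Usage against the constructed sample:
if printf '%s\n' "$SAMPLE_PS" | dhcp6c_dupes; then
    echo "no duplicate dhcp6c processes"
else
    echo "duplicate dhcp6c processes found (listed above)"
fi
```

Because both copies point at the same pid file (/var/run/dhcp6c_em0.pid), only one of the two pids can actually be the one recorded there; the listing makes it clear which extra pid a targeted kill should go after, instead of a blanket killall.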
-
I tracked down one issue; the dhcp6c process is being started twice for the same interface.
That one rears its ugly head again, I've been working on a fix for that. What version of PFSense are you running?
-
Here are the snapshots for the Interface Assignment and WAN Interface windows. All I change in the WAN Interface Configuration is the IPv6 Configuration Type to DHCPV6, then Save and Apply. While starting, I see this
root 15315 1.0 0.1 10096 1828 - Ss 10:34AM 0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root 74226 1.0 0.1 10460 2072 - S 10:34AM 0:00.00 /bin/sh /var/etc/dhcp6c_wan_script.sh
root 81074 0.0 0.1 10460 2084 - S 10:34AM 0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
root 81512 0.0 0.1 10264 1908 - S 10:34AM 0:00.00 grep dhcp6c
And then I see this
root 15315 0.0 0.1 10096 1828 - Is 10:34AM 0:00.00 /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
root 80687 0.0 0.1 10460 2084 - S 10:38AM 0:00.00 sh -c ps uxawww | grep dhcp6c 2>&1
root 81304 0.0 0.1 10264 1908 - S 10:38AM 0:00.00 grep dhcp6c
The DHCP log looks like this
Jan 4 10:34:33 dhcp6c 15241 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jan 4 10:34:33 dhcp6c 15241 failed initialize control message authentication
Jan 4 10:34:33 dhcp6c 15241 skip opening control port
Jan 4 10:34:48 dhcp6c 15315 XID mismatch
And the system log shows this
Jan 4 10:53:26 php-fpm 11639 /system_gateways.php: ROUTING: setting IPv6 default route to fe80::213:5fff:fe05:bfe2%em0
Jan 4 10:53:27 php-fpm 11639 /system_gateways.php: The command '/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.3.4 Copyright 2004-2016 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Config file: /etc/dhcpd.conf Database file: /var/db/dhcpd.leases PID file: /var/run/dhcpd.pid Wrote 0 deleted host decls to leases file. Wrote 0 new dynamic host decls to leases file. Wrote 3 leases to leases file. Listening on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Sending on BPF/em1/00:22:4d:b0:d3:b8/192.168.10.0/24 Can't bind to dhcp address: Address already in use Please make sure there is no other dhcp server running and that there's no entry for dhcp or bootp in /etc/inetd.conf. Also make sure you are not running HP JetAdmin software, which includes a bootp server. If you think you have received this mes
Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: The command '/sbin/route delete -host 2001:470:20::2 ' returned exit code '68', the output was 'route: bad address: 2001:470:20::2'
Jan 4 10:53:29 check_reload_status Reloading filter
Jan 4 10:53:29 php-fpm 11639 /system_gateways.php: Removing static route for monitor fe80::213:5fff:fe05:bfe2 and adding a new route through fe80::213:5fff:fe05:bfe2%em0
The WAN Interface looks like this
WAN Interface (wan, em0)
Status up
DHCP up
MAC Address c4:2c:03:05:41:0d - Apple
IPv4 Address 98.195.72.200
Subnet mask IPv4 255.255.248.0
Gateway IPv4 98.195.72.1
IPv6 Link Local fe80::c62c:3ff:fe05:410d%em0
IPv6 Address 2001:558:6022c40:ffa:c94:3324
Subnet mask IPv6 128
Gateway IPv6 fe80::213:5fff:fe05:bfe2
DNS servers
127.0.0.1
2001:470:20::2
74.82.42.42
68.87.85.102
208.67.220.220
MTU 1500
Media 1000baseT <full-duplex>
In/out packets 29523479/11443436 (33.45 GiB/1.06 GiB)
In/out packets (pass) 29523479/11443436 (33.45 GiB/1.06 GiB)
In/out packets (block) 123447/3244 (18.98 MiB/374 KiB)
In/out errors 0/1
Collisions 0
For my network, the IPv6 traffic is not forwarding. I am still using the public addresses that tunnelbroker gave me on the LAN, which might be a reason, although I can't understand what is wrong.
I am also now noting a strange behavior that the IPv6 traffic that is enabled for logging in the UI is not showing up in formatted logs. Is this because the IPv6 traffic can't be forwarded?
-
@marjohn56:
That one rears its ugly head again, I've been working on a fix for that. What version of PFSense are you running?
Latest version.
However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clear the Enabled flag, save, and then reboot.
Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…
-
@marjohn56:
That one rears its ugly head again, I've been working on a fix for that. What version of PFSense are you running?
Latest version.
However, at this point, I am thinking that the extra dhcp6c processes are happening because I am shutting down the WAN interface by clearing the Enabled flag in the configuration, saving and applying. I could verify this by repeating the disabling and then checking for the dhcp6c process, but I doubt that this way of shutting down the interface is the recommended way. If I were to guess, the recommended way is to clear the Enabled flag, save, and then reboot.
Plus, now that I know this, I can just do the 'killall -9 dhcp6c' command as a workaround if I am unwilling to wait for a reboot…
I was able to replicate the issue, it's quite random but I did see it. If you are not running with dhcp6 before ra you may want to try this patch. I have put a lock inside the rtsold script where it runs dhcp6c, it means it can never run two copies of dhcp6c. If you want to try it then I would ask you to pm me as I will need feedback on your findings.
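To illustrate the kind of guard described in that reply, here is an added example that is my own and not marjohn56's patch or pfSense's rtsold script: a per-interface launcher that takes an atomic lock (mkdir on a local filesystem either creates the directory or fails, so two launchers racing each other cannot both win), checks the pfSense-style pid file for a still-running dhcp6c, and only then starts the command. The lock directory location, the function names and the exit codes are assumptions for this example.

```shell
#!/bin/sh
# Added example, not the thread's patch: allow only one dhcp6c launcher per
# interface to proceed at a time. Assumes a lock directory per interface
# under $LOCK_BASE (mkdir is atomic on a local filesystem) and a pid file in
# the style pfSense uses, /var/run/dhcp6c_<iface>.pid.

LOCK_BASE="${LOCK_BASE:-/tmp}"

# pid_alive PID: return 0 if a process with that pid currently exists.
pid_alive() { [ -n "$1" ] && kill -0 "$1" 2>/dev/null; }

# start_dhcp6c_once IFACE PIDFILE CMD [ARGS...]
#   0  CMD was started (its own exit status is passed through)
#   1  another launcher holds the lock for IFACE right now
#   2  a dhcp6c for IFACE is already running according to PIDFILE
start_dhcp6c_once() {
    iface=$1; pidfile=$2; shift 2
    lockdir="$LOCK_BASE/dhcp6c_$iface.lock"
    # Atomic acquire: exactly one caller can create the directory.
    if ! mkdir "$lockdir" 2>/dev/null; then
        return 1
    fi
    # Under the lock, honour an existing live instance. A pid file left
    # behind by a dead dhcp6c (stale pid) does not block a new start.
    if [ -r "$pidfile" ] && pid_alive "$(cat "$pidfile")"; then
        rmdir "$lockdir"
        return 2
    fi
    rc=0
    "$@" || rc=$?
    rmdir "$lockdir"
    return $rc
}

# Example call in the shape pfSense uses for dhcp6c (the -p pid file is
# written by dhcp6c itself); not executed here, shown for reference:
#   start_dhcp6c_once em0 /var/run/dhcp6c_em0.pid \
#       /usr/local/sbin/dhcp6c -d -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_em0.pid em0
```

The lock only needs to be held while the launcher checks and starts dhcp6c; once the daemon is up, the pid file is what stops a later launcher from starting a second copy. One caveat: a launcher killed between mkdir and rmdir leaves the directory behind, so a boot-time cleanup of $LOCK_BASE/dhcp6c_*.lock (or a lock tool that releases on process exit, such as lockf on FreeBSD) is the more robust choice on a real box.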
-
Finally solved the dhcp6c process quitting.
Apparently, the tunnelbroker GIF tunnel that I had defined was interfering with the nominal IPv6, even though it was not assigned for any use on the Interfaces (assign) page, because when I deleted it, the WAN interface got a public IPv6 address.
-
Hmm. I have an HE.NET tunnel and happily get DHCPv6 + /56 PD from Cox.
I have been watching it for a while. They are honoring the DUID and not changing my prefix despite new modems and WAN MACs. My IPv4 address with them has changed at least three times since I started getting delegated this prefix.