/60 Prefix delegation from ISP, now what?
-
The point of PD is for your isp to give your router a prefix so it can hand out addresses and route traffic. With a /60, you have 4 bits, which is 0x0-0xf of prefix id, 16 subnets.
Please post your wan, lan and dhcpv6 settings. No need to post all subnets, just one subnet.
Screencaps attached.
In addition, these are the prefixes I am assigned as configured:
[2.3.3-RELEASE][admin@foo.bar.com]/root: ifconfig | grep prefixlen
inet6 fe80::20c:29ff:YYYY:797f%vmx0 prefixlen 64 scopeid 0x1
inet6 2605:6000:9fc0:96:64e1:be1e:57f0:2a8e prefixlen 128
inet6 2605:6001:XXXX:5600:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1 prefixlen 64 scopeid 0x2
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 2605:6001:XXXX:5601:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1_vlan10 prefixlen 64 scopeid 0x7
inet6 2605:6001:XXXX:5602:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1_vlan20 prefixlen 64 scopeid 0x8
inet6 2605:6001:XXXX:5603:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1_vlan30 prefixlen 64 scopeid 0x9
inet6 2605:6001:XXXX:5604:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1_vlan40 prefixlen 64 scopeid 0xa
inet6 2605:6001:XXXX:5605:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1_vlan50 prefixlen 64 scopeid 0xb
inet6 2605:6001:XXXX:5609:20c:29ff:YYYY:7989 prefixlen 60
inet6 fe80::1:1%vmx1_vlan99 prefixlen 64 scopeid 0xc
-
Screen captures seem okay. There are not multiple /60 prefixes. You are seeing the /64 after the 4 bit id is appended. I don't use VLAN, so have no comment on it. You might want to disable all except wan and lan interfaces to reduce clutter in the log while you sort this out.
Please post Services / DHCPv6 Server & RA / LAN / DHCPv6 Server and Services / DHCPv6 Server & RA / LAN /RA.
Also, take note of the time, then in interfaces / wan, click save then apply. After that, post the system and dhcp logs.
What client are you using? If windows, use ipconfig /release6 and ipconfig /renew6, then ipconfig /all to see status.
Also, run ipv6-test.com and test-ipv6.com. There should be firewall rules to pass icmp4 and icmp6 echo-request.
-
No, ifconfig doesn't lie or play tricks with the prefix lengths no matter how the addresses are configured. Those /60s are really assigned to the VLAN interfaces and that means there are multiple broadcast domains using the same /60 prefix which is 2605:6001:XXXX:5600:: . That configuration can not work, the prefixes on the VLAN interfaces should be /64 when inspected by ifconfig.
-
@kpa:
No, ifconfig doesn't lie or play tricks with the prefix lengths no matter how the addresses are configured. Those /60s are really assigned to the VLAN interfaces and that means there are multiple broadcast domains using the same /60 prefix which is 2605:6001:XXXX:5600:: . That configuration can not work, the prefixes on the VLAN interfaces should be /64 when inspected by ifconfig.
I was thinking that when I originally posted, then I edited the post after I looked at the number of bits. It looks like there is only one /60 but pfsense is just appending the additional 4 bits for each lan. I've never looked at ifconfig with more than one lan before. I don't have a multiple lan config running to look at.
Edit, just looked at ifconfig on my single lan system and it only shows the /64. Dunno what's happening in OP's system. I think he should disable the extra interfaces and make sure he can get it working properly with a single lan first.
-
Start Range: 2605:6001:XXXX:5600:0:0:0:0
End Range: 2605:6001:XXXX:560f:ffff:ffff:ffff:ffff
No. of host: 295147905179352825856
2605:6001:XXXX:5600:0000:0000:0000:0000-2605:6001:XXXX:560f:ffff:ffff:ffff:ffff
LAN 2605:6001:XXXX:5600:20c:29ff:YYYY:7989/60
                      ^
This zero represents my 16 /64 networks, 0-9, a-f
Unless I am misunderstanding how the delegation works (I read rfc3769), they are providing, but more than I am asking for, IMHO. With the Prefix ID
3.1. Number and Length of Delegated Prefixes
The prefix delegation mechanism should allow for delegation of
prefixes of lengths between /48 and /64, inclusively. Other lengths
should also be supported. The mechanism should allow for delegation
of more than one prefix to the customer.
So my question is reduced to how should pfSense configure and route for the /64 nets. Something is funky here, I am not certain where yet.
-
When you request a /60, the prefix id is 4 bits, 0x0 through 0xf. In the lan config, you chose a prefix id for each lan. The prefix for the lan is isp prefix /60 + prefix id = /64. In the dhcpv6 server, you always have 64 bits, :: through ::fff:fff:fff:fff. Just use ::1000 to ::2000. Try that and report back.
-
I shut down this virtual, moved it to the VLAN and modified the DHCPv6 range to the requested ::1000 - ::2000 and got the last address in the scope as expected.
Mar 28 17:23:18 dhcpd Request message from fe80::1c7c:c282:96c2:dbbe port 546, transaction ID 0xF0611400
Mar 28 17:23:18 dhcpd Reply NA: address 2605:6001:XXXX:5602::2000 to client with duid 00:01:00:01:60:58:41:20:00:0c:29:22:7a:a9 iaid = 0 valid for 7200 seconds
Mar 28 17:23:18 dhcpd Sending Reply to fe80::1c7c:c282:96c2:dbbe port 546
However, there is no Internet access from this host address, with 100% packet loss on ping6 to its gateway interface. The route is in netstat -nr output.
Internet6:
Destination Gateway Flags Netif Expire
default fe80::1:1%en0 UGc en0
default fe80::%utun0 UGcI utun0
::1 ::1 UHL lo0
2605:6001:XXX:5600::/60 link#4 UC en0
2605:6001:XXX:5602::2000 0:c:xx:xx:xx:a9 UHL lo0
2605:6001:XXX:5602:20c:29ff:fe45:7989 link#4 UHLWIi en0
-
Are the firewall allow lan to any rules enabled? I'm about ready to suggest that you reset to factory defaults and start over. Normally when I do an installation from scratch, I select the WAN and LAN settings for the tracked PD and it just works.
Here is the output from netstat -nr.
Internet6:
Destination Gateway Flags Netif Expire
default fe80::ea4:2ff:fe29:5001%hn1 UGS hn1
::1 link#2 UH lo0
2001:569:74b0:e800::/64 link#5 U hn0
2001:569:74b0:e800:215:5dff:fe5c:e21e link#5 UHS lo0
fe80::ea4:2ff:fe29:5001 fe80::ea4:2ff:fe29:5001%hn1 UGHS hn1
fe80::%lo0/64 link#2 U lo0
fe80::1%lo0 link#2 UHS lo0
fe80::%hn0/64 link#5 U hn0
fe80::1:1%hn0 link#5 UHS lo0
fe80::%hn1/64 link#6 U hn1
fe80::215:5dff:fe5c:e21d%hn1 link#6 UHS lo0
The default route is the link local address of the edge router. Link #6 is the link local of the pfsense wan.
The configuration is a /56, tracked, with ::1000 to ::2000 dhcpv6 range using assisted RA. Very few changes to defaults.
-
Can you post a screen capture of gateway and interface status?
Can you also post the output of ps aux | grep dhc?
It should look like this:
root 5956 0.0 0.1 10496 2392 - Is 19:29 0:00.00 dhclient: hn1 [priv] (dhclient)
_dhcp 10823 0.0 0.1 10496 2508 - Ss 19:30 0:00.00 dhclient: hn1 (dhclient)
root 13245 0.0 0.1 8348 2344 - Is 19:30 0:00.00 /usr/local/sbin/dhcp6c -D -n -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_hn1.pid hn1
root 20475 0.0 0.1 8204 2184 - Is 19:30 0:00.01 /usr/local/sbin/dhcpleases -l /var/dhcpd/var/db/dhcpd.leases -d localdomain -p /var/run/unbound.pid -u /var/unbound/dhcpleases_entries.conf -h /etc/hosts
dhcpd 34339 0.0 0.7 22808 13488 - Ss 19:30 0:00.01 /usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpd.conf -pf /var/run/dhcpd.pid hn0
dhcpd 34911 0.0 0.6 20760 11272 - Ss 19:30 0:00.01 /usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid hn0
root 35364 0.0 0.1 6152 1924 - Is 19:30 0:00.00 /usr/local/sbin/dhcpleases6 -c /usr/local/bin/php-cgi -f /usr/local/sbin/prefixes.php|/bin/sh -l /var/dhcpd/var/db/dhcpd6.leases
root 56370 0.0 0.1 10448 2524 - Ss 19:30 0:00.01 /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf
I'm using unbound and it's configured to register static mappings and leases.
-
Good call on the new deployment, but I am still not yet working like I'd expect. The hard part is I am not "sure" what should be happening, haha. I am deploying IPv6 to learn about all of this and I've done a lot of reading but I'd expect that both DHCPv6 and RA are both pretty much automatic on pfSense.
For today I need to rip this out, so I can work. I am dropping back to only 1 VLAN with IPv6 and will see what I can sniff when I have some free time today.
-
I recommend making only the required changes to defaults to get it working, then have your way with it.
When I do a fresh installation, after the initial setup, all I have to change to get ipv6 working is to set the wan configuration, the lan configuration and dhcpv6. It literally takes a few minutes.
On the dashboard, enable interface and gateway status so you can confirm that the gateways are working.
WAN: ipv4: DHCP, ipv6: DHCP6. The DHCP6 client settings depend on your ISP. Try setting /60 and prefix hint.
LAN: ipv4: static, ipv6, tracking WAN.
dhcpv6: enable range ::1000 to ::2000.
It doesn't hurt to reboot at this stage, but interface / wan save, apply or status interface wan release, renew should accomplish the same thing.
That's all you should have to do to get dhcp and dhcp6 leases on your lan. If you set up unbound, you will see the same dhc* processes that I posted above.
If you're using a windows client, ipconfig /release, ipconfig /renew, ipconfig /release6, ipconfig /renew6 will result in leases. (Or disable and enable the adapter should do the same thing.)
If you want to verify everything with ipv6-test.com, also enable allow firewall rules in pfsense for icmp4 and icmp6 echo-request, as well as virtual machine monitoring ipv6 echo-request on the windows client.
Later, you may want to enable the setting wan / do not allow PD release. That will make it more likely that your prefix stays the same.
-
I recommend making only the required changes to defaults to get it working, then have your way with it.
Hey bimmerdriver and all,
Oh C'mon man, This is IT stuff, need to cowboy up! Change controls are for sissys!!! (kidding) I did flatten the network and removed VLANs. On reboot I am good to go from Windows, Mac and Linux. Now I have a functional base config which includes IPv6 from the ISP (TWC/Spectrum). I am going to add a single VLAN shortly and will report back once I have some additional details. At present the config is as follows:
*** Welcome to pfSense 2.3.3-RELEASE-p1 (amd64 full-install) on host***
WAN (wan) -> vmx0 -> v4/DHCP4: 76.999.999.68/19
v6/DHCP6: 2605:6000:XXXX:96:4474:ffff:0000:d98a/128
LAN (lan) -> vmx1 -> v4: 192.168.1.254/24
v6/t6: 2605:6001:XXXX:7e00:20c:ffff:0000:ac01/60
I can see the /60 is allocated, I am operating under the assumption that I am following the correct process for VLAN creation and assignment, since I used them in IPv4:
Interfaces -> VLAN -> Add
Interfaces -> Interface Assignments -> Add (the VLAN I just created to the LAN interface)
-
Landed here, listening but not issuing SLACC or DHCPv6. Doing some caps and poking around.
Mar 29 19:48:51 dhcpd Multiple interfaces match the same subnet: vmx1 vmx1_vlan10
Mar 29 19:48:51 dhcpd Multiple interfaces match the same shared network: vmx1 vmx1_vlan10
Mar 29 19:48:51 dhcpd Bound to *:547
Mar 29 19:48:51 dhcpd Listening on Socket/5/vmx1_vlan10/2605:6001:XXXX:7e00::/60
Mar 29 19:48:51 dhcpd Sending on Socket/5/vmx1_vlan10/2605:6001:XXXX:7e00::/60
Mar 29 19:48:51 dhcpd Listening on Socket/5/vmx1/2605:6001:XXXX:7e00::/60
Mar 29 19:48:51 dhcpd Sending on Socket/5/vmx1/2605:6001:XXXX:7e00::/60
Mar 29 19:48:51 dhcpd Server starting service.
Mar 29 19:48:52 dhcpd Confirm message from fe80::ea06:88ff:fecb:8b3c port 546, transaction ID 0x64CD3500
Mar 29 19:48:52 dhcpd Sending Reply to fe80::ea06:88ff:fecb:8b3c port 546
Mar 29 19:49:47 dhcpd Renew message from fe80::adc4:b23a:5f75:f2a8 port 546, transaction ID 0x98925900
Mar 29 19:49:47 dhcpd Reply NA: address 2605:6001:XXXX:7e00::2000 to client with duid 00:01:00:01:1d:1c:28:0d:01:e4:d7:84:e5:1d iaid = 238347991 valid for 7200 seconds
Mar 29 19:49:47 dhcpd Sending Reply to fe80::adc4:ffff:0000:f2a8 port 546
-
Hey, looks good. Glad you got it working. Since I'm not using vlans or have even played with them, hopefully someone else will jump in.
-
Hey, looks good. Glad you got it working. Since I'm not using vlans or have even played with them, hopefully someone else will jump in.
I appreciate the level-set to go back to a base image, I needed to remember I was troubleshooting and to follow the KISS principle.
I have the VLAN up now, just waiting until the end of my shift to move back to my switch. My understanding of VLANs and IPv6 is probably not what it should be, but I am reading rfc4554 https://tools.ietf.org/html/rfc4554 to sort that out. The introduction seems to indicate this should "just work" in the following
If such a site wishes to introduce IPv6, it may do so by deploying a
parallel IPv6 routing infrastructure (which is likely to be a
different platform to the site's main infrastructure equipment, i.e.,
one that supports IPv6 where the existing equipment does not), and
then using VLAN technology to "overlay" IPv6 links onto existing IPv4
links. This can be achieved without needing any changes to the IPv4
configuration. The VLANs don't need to differentiate between IPv4
and IPv6; the deployment is just dual-stack, as Ethernet is without
VLANs.
The IPv4 default route to the VLAN is provided by one (IPv4) router,
while the IPv6 default route to the VLAN is provided by a different
(IPv6) router. The IPv6 router can provide native IPv6 connectivity
to the whole site with just a single physical interface, thanks to
VLAN tagging and trunking, as described below.
The IPv6 connectivity to the enterprise may or may not enter the site
via the same physical link as the IPv4 traffic, and may be native or
tunneled from the external provider to the IPv6 routing equipment.
I guess I'll have to see what I get. I need to move this link back over to the switched network first and test and make sure things remain the same for connectivity of IPv4 and IPv6 on LAN then move to my VLAN which supplies the tagging. I'd thought this would just work in ESX, but I'd need a pfsense interface per VLAN for that to be the case.
-
For posterity, this is what working looks like in /var/log/dhcpd.log
Mar 29 17:14:14 fire2 dhcpd: Listening on Socket/5/vmx1_vlan10/2605:6001:e71b:7e00::/60
Mar 29 17:14:14 fire2 dhcpd: Sending on Socket/5/vmx1_vlan10/2605:6001:e71b:7e00::/60
Mar 29 17:14:14 fire2 dhcpd: Listening on Socket/5/vmx1/2605:6001:e71b:7e00::/60
Mar 29 17:14:14 fire2 dhcpd: Sending on Socket/5/vmx1/2605:6001:e71b:7e00::/60
Mar 29 17:14:14 fire2 dhcpd: Server starting service.
Mar 29 17:15:45 fire2 dhcpd: DHCPREQUEST for 192.168.1.101 from 34:e6:d7:84:e5:1d (9zs5t32) via vmx1
Mar 29 17:15:45 fire2 dhcpd: DHCPACK on 192.168.1.101 to 34:e6:d7:84:e5:1d (9zs5t32) via vmx1
Mar 29 17:18:23 fire2 dhcpd: reuse_lease: lease age 918 (secs) under 25% threshold, reply with unaltered, existing lease for 10.0.10.101
Mar 29 17:18:23 fire2 dhcpd: DHCPREQUEST for 10.0.10.101 from 00:0c:29:22:7a:a9 (sierra) via vmx1_vlan10
Mar 29 17:18:23 fire2 dhcpd: DHCPACK on 10.0.10.101 to 00:0c:29:22:7a:a9 (sierra) via vmx1_vlan10
Mar 29 17:18:23 fire2 dhcpd: Solicit message from fe80::1886:1929:2dfc:5be4 port 546, transaction ID 0x8DB0E500
Mar 29 17:18:23 fire2 dhcpd: Advertise NA: address 2605:6001:e71b:7e01::2000 to client with duid 00:01:00:01:20:60:58:9f:00:0c:29:22:7a:a9 iaid = 0 valid for 7200 seconds
Mar 29 17:18:23 fire2 dhcpd: Sending Advertise to fe80::1886:1929:2dfc:5be4 port 546
Mar 29 17:18:24 fire2 dhcpd: reuse_lease: lease age 919 (secs) under 25% threshold, reply with unaltered, existing lease for 10.0.10.101
Mar 29 17:18:24 fire2 dhcpd: DHCPREQUEST for 10.0.10.101 from 00:0c:29:22:7a:a9 (sierra) via vmx1_vlan10
Mar 29 17:18:24 fire2 dhcpd: DHCPACK on 10.0.10.101 to 00:0c:29:22:7a:a9 (sierra) via vmx1_vlan10
Mar 29 17:18:24 fire2 dhcpd: Request message from fe80::1886:1929:2dfc:5be4 port 546, transaction ID 0x90B43200
Mar 29 17:18:24 fire2 dhcpd: Reply NA: address 2605:6001:e71b:7e01::2000 to client with duid 00:01:00:01:20:60:58:9f:00:0c:29:22:7a:a9 iaid = 0 valid for 7200 seconds
Mar 29 17:18:24 fire2 dhcpd: Sending Reply to fe80::1886:1929:2dfc:5be4 port 546
Mar 29 17:18:29 fire2 dhcpd: Confirm message from fe80::1886:1929:2dfc:5be4 port 546, transaction ID 0x8F9BE00
Mar 29 17:18:29 fire2 dhcpd: Sending Reply to fe80::1886:1929:2dfc:5be4 port 546
I am releasing this block anyway in a moment :)
-
Good stuff.