Not getting IPv6 from ISP (Telus)



  • I've read pretty much every relevant thread here and googled for days. All settings look like they should (recommended here and on another forum for my ISP Telus), and yet I have zero success in getting IPv6 assigned. My setup is bonded DSL to Telus gateway (Actiontec T3200M). pfsense is connected to port 1 in bridged mode, therefore it gets its own IP address, while T3200M gets its own. IPv6 on T3200M part works just fine. It gets prefix /56, WAN address, DNS servers, etc. All kosher. IPv4 works perfect for both T3200M and pfsense. Yet, when I configure pfsense v2.3.4 with DHCP6:

    • Request only an IPv6 prefix = checked

    • DHCPv6 Prefix Delegation size = 56

    • Send IPv6 prefix hint = checked

    • Do not wait for a RA = checked

    I get this in log (Debug = on)

    Jul 1 11:01:30     dhcp6c     26875     extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:20:dd:81:1e:00:12:2d:67:dd:02
    Jul 1 11:01:30     dhcp6c     26875     <3>[interface] (9)
    Jul 1 11:01:30     dhcp6c     26875     <5>[hn0] (3)
    Jul 1 11:01:30     dhcp6c     26875     <3>begin of closure [{] (1)
    Jul 1 11:01:30     dhcp6c     26875     <3>[request] (7)
    Jul 1 11:01:30     dhcp6c     26875     <3>[domain-name-servers] (19)
    Jul 1 11:01:30     dhcp6c     26875     <3>end of sentence [;] (1)
    Jul 1 11:01:30     dhcp6c     26875     <3>[request] (7)
    Jul 1 11:01:30     dhcp6c     26875     <3>[domain-name] (11)
    Jul 1 11:01:30     dhcp6c     26875     <3>end of sentence [;] (1)
    Jul 1 11:01:30     dhcp6c     26875     <3>[script] (6)
    Jul 1 11:01:30     dhcp6c     26875     <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
    Jul 1 11:01:30     dhcp6c     26875     <3>end of sentence [;] (1)
    Jul 1 11:01:30     dhcp6c     26875     <3>comment [# we'd like some nameservers please] (35)
    Jul 1 11:01:30     dhcp6c     26875     <3>end of closure [}] (1)
    Jul 1 11:01:30     dhcp6c     26875     <3>end of sentence [;] (1)
    Jul 1 11:01:30     dhcp6c     26875     called
    Jul 1 11:01:30     dhcp6c     26875     called
    Jul 1 11:01:30     dhcp6c     27200     reset a timer on hn0, state=INIT, timeo=0, retrans=383
    Jul 1 11:01:31     dhcp6c     27200     Sending Solicit
    Jul 1 11:01:31     dhcp6c     27200     a new XID (59f068) is generated
    Jul 1 11:01:31     dhcp6c     27200     set client ID (len 14)
    Jul 1 11:01:31     dhcp6c     27200     set elapsed time (len 2)
    Jul 1 11:01:31     dhcp6c     27200     set option request (len 4)
    Jul 1 11:01:31     dhcp6c     27200     transmit failed: No route to host
    Jul 1 11:01:31     dhcp6c     27200     reset a timer on hn0, state=SOLICIT, timeo=0, retrans=1088
    Jul 1 11:01:32     dhcp6c     27200     Sending Solicit
    Jul 1 11:01:32     dhcp6c     27200     set client ID (len 14)
    Jul 1 11:01:32     dhcp6c     27200     set elapsed time (len 2)
    Jul 1 11:01:32     dhcp6c     27200     set option request (len 4)
    Jul 1 11:01:32     dhcp6c     27200     transmit failed: No route to host
    Jul 1 11:01:32     dhcp6c     27200     reset a timer on hn0, state=SOLICIT, timeo=1, retrans=2151
    Jul 1 11:01:34     dhcp6c     27200     Sending Solicit 
    

    Obviously "transmit failed: No route to host" can't be good, but I can't figure out why is it happening. Any help is appreciated.
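
A small triage helper for the dhcp6c debug output quoted in the post above, as an added example that is not part of the original thread or of pfSense. It decodes the DUID (a DUID-LLT carries a creation time and a link-layer address) and reports whether the Solicits failed in the client's own send call or were sent and went unanswered. The `receive ...` line format and the verdict names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Lines copied from the log in the post above (a subset; the quoted log is cut
# off after its last "Sending Solicit").
SAMPLE_LOG = """\
Jul 1 11:01:30     dhcp6c     26875     extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:20:dd:81:1e:00:12:2d:67:dd:02
Jul 1 11:01:31     dhcp6c     27200     Sending Solicit
Jul 1 11:01:31     dhcp6c     27200     a new XID (59f068) is generated
Jul 1 11:01:31     dhcp6c     27200     transmit failed: No route to host
Jul 1 11:01:32     dhcp6c     27200     Sending Solicit
Jul 1 11:01:32     dhcp6c     27200     transmit failed: No route to host
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+dhcp6c\s+\d+\s+(?P<msg>.*)$")
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # DUID-LLT time base


def decode_duid(text):
    """Decode a colon-separated DUID; types 1 (LLT) and 3 (LL) embed a MAC."""
    raw = bytes.fromhex(text.strip().replace(":", ""))
    if len(raw) < 4:
        raise ValueError("DUID too short")
    dtype = int.from_bytes(raw[0:2], "big")
    hw_type = int.from_bytes(raw[2:4], "big")
    if dtype == 1 and len(raw) > 8:
        created = DUID_EPOCH + timedelta(seconds=int.from_bytes(raw[4:8], "big"))
        return {"type": "DUID-LLT", "hw_type": hw_type,
                "created": created, "lladdr": raw[8:].hex(":")}
    if dtype == 3 and len(raw) > 4:
        return {"type": "DUID-LL", "hw_type": hw_type,
                "created": None, "lladdr": raw[4:].hex(":")}
    return {"type": "other(%d)" % dtype, "hw_type": None,
            "created": None, "lladdr": None}


def summarize(log_text):
    """Count Solicits, local send errors and server answers in a dhcp6c log."""
    out = {"duid": None, "solicits": 0, "send_failures": 0,
           "server_msgs": 0, "errors": set()}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if "DUID from" in msg:
            out["duid"] = decode_duid(msg.rsplit(": ", 1)[1])
        elif msg.startswith("Sending Solicit"):
            out["solicits"] += 1
        elif msg.startswith("transmit failed:"):
            out["send_failures"] += 1
            out["errors"].add(msg.split(":", 1)[1].strip())
        elif msg.startswith("receive "):
            # Assumption: server messages are logged as "receive <type> from ...";
            # no such line appears in the post.
            out["server_msgs"] += 1
    return out


def verdict(summary):
    """Say where to look first, based on how far the exchange got."""
    if summary["solicits"] == 0:
        return "client-never-solicited"
    if summary["send_failures"] >= summary["solicits"]:
        return "local-send-failure"      # nothing left the WAN interface
    if summary["server_msgs"] == 0:
        return "no-server-answer"        # sent, but nothing came back
    return "server-answered"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["duid"], s["solicits"], s["send_failures"], verdict(s))
```

A `local-send-failure` verdict points at the firewall host itself (interface state, routes, filter rules) rather than at the ISP's DHCPv6 server.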



  • I'm unfamiliar with Telus configuration, but if the T3200M is getting IPv6, then a couple of things come to mind.
    What size subnet is the T3200M getting? If it is a /56, you also cannot get a /56; you need something smaller, like /57, /58, etc.
    Show us some interface stats from the modem and pfSense, that might help troubleshoot what's going on.



  • No, that's not it. As I mentioned, pfSense is connected to the 1st port on T3200M, and that port is configured in bridged mode. That's like "pass-through". In that mode, T3200M does not control traffic on that port. It is like Port 1 is on its own switch, and Ports 2-4 + WAN on another. Normal router/gateway/firewall functions performed by T3200M pertain only to latter switch, while Port 1 gets its own "lane" to public network. I'm attaching picture of how's everything connected, if that helps.

    ![Internal network.png](/public/imported_attachments/1/Internal network.png)



  • I'm a telus customer and I posted a thread about using pfsense on the Telus network on dslreports.com/forum/telus. I have two pfsense networks using the bridged port of a T2200H. One is using 2.3.4 and the other is using 2.4 beta. Both pfsense routers are running on a hyper-v server as well. As far as I know, the T3200M works the same so it should work for you. BTW, you don't need to send the prefix hint. Telus will only allocate a /56 anyway.

    You didn't mention the LAN interface settings, but presumably you have the LAN set to track the WAN and you have enabled dhcpv6 with managed ra. Normally, it should be very easy to get it working. I can set up a system from scratch in just a few minutes. One thing to be wary of is that if a lease is active on a particular mac address, the edge router will not allocate another lease until the existing lease expires, irrespective of the DUID. On a few occasions, I've had a system get stuck without prefix for 24 hours waiting for the lease to expire. Leases are 2 hours now, so that's not as bad.

    Looking at your configuration, if you have pfsense connected to the LAN port of the T3200M and to a bridged port, you are asking for trouble in my opinion. I recommend you get pfsense working with a single WAN and a single LAN interface completely separate from the T3200M LAN. It's possible to connect a NIC from the hyper-v to the LAN to access the modem GUI, but unless you want traffic going through the modem LAN, you need to increase the metric on the route to a number higher than the default route. Since you are getting a message "no route to host", I wouldn't be surprised if this is your problem.

    It would help if you posted the interface and gateway status.



  • @bimmerdriver:

    I'm a telus customer and I posted a thread about using pfsense on the Telus network on dslreports.com/forum/telus. I have two pfsense networks using the bridged port of a T2200H. One is using 2.3.4 and the other is using 2.4 beta. Both pfsense routers are running on a hyper-v server as well. As far as I know, the T3200M works the same so it should work for you. BTW, you don't need to send the prefix hint. Telus will only allocate a /56 anyway.

    I know, I saw your threads there (that's the "other forum" I mentioned). I will try without prefix when I get home. I'd be surprised if that's the issue, but you never know. At the moment I'm grasping at the straws.

    @bimmerdriver:

    You didn't mention the LAN interface settings, but presumably you have the LAN set to track the WAN and you have enabled dhcpv6 with managed ra. Normally, it should be very easy to get it working. I can set up a system from scratch in just a few minutes. One thing to be wary of is that if a lease is active on a particular mac address, the edge router will not allocate another lease until the existing lease expires, irrespective of the DUID. On a few occasions, I've had a system get stuck without prefix for 24 hours waiting for the lease to expire. Leases are 2 hours now, so that's not as bad.

    I did not mention LAN interface settings because I did not even bother to set it up yet for IPv6. I'd like to get pfSense going alone on IPv6 WAN side first. Then I can start worrying about LAN. More so because, as you can see from the diagram, IPv4 DNS is handled by Windows servers. I'm not sure how's that going to work for IPv6 name resolution. But, I'll cross that bridge in due time.

    @bimmerdriver:

    Looking at your configuration, if you have pfsense connected to the LAN port of the T3200M and to a bridged port, you are asking for trouble in my opinion. I recommend you get pfsense working with a single WAN and a single LAN interface completely separate from the T3200M LAN. It's possible to connect a NIC from the hyper-v to the LAN to access the modem GUI, but unless you want traffic going through the modem LAN, you need to increase the metric on the route to a number higher than the default route. Since you are getting a message "no route to host", I wouldn't be surprised if this is your problem.

    pfSense connection to LAN port on T3200M (marked as ISP) is not a gateway. In other words, all internet traffic is routed solely through the WAN interface. It's, basically, just another LAN segment, with only purpose to be able to manage T3200M and few boxes I have connected there. All the boxes on that segment are set up with ISP as gateway, so they go to the internet through pfSense and WAN interface (they use T3200M as dumb switch). The only devices that use T3200M to communicate to the outside world are Telus' OptikTV PVR and portals.

    @bimmerdriver:

    It would help if you posted the interface and gateway status.

    I'll do that when I get home, too. But there's nothing exciting there. All IPv4 interfaces are green (working just fine for as long as I'm Telus customer - 2.5 years). WAN IPv6 sits on the dashboard as "pending" forever, so I turned it off, for now.



  • @753951:

    @bimmerdriver:

    I'm a telus customer and I posted a thread about using pfsense on the Telus network on dslreports.com/forum/telus. I have two pfsense networks using the bridged port of a T2200H. One is using 2.3.4 and the other is using 2.4 beta. Both pfsense routers are running on a hyper-v server as well. As far as I know, the T3200M works the same so it should work for you. BTW, you don't need to send the prefix hint. Telus will only allocate a /56 anyway.

    I know, I saw your threads there (that's the "other forum" I mentioned). I will try without prefix when I get home. I'd be surprised if that's the issue, but you never know. At the moment I'm grasping at the straws.

    @bimmerdriver:

    You didn't mention the LAN interface settings, but presumably you have the LAN set to track the WAN and you have enabled dhcpv6 with managed ra. Normally, it should be very easy to get it working. I can set up a system from scratch in just a few minutes. One thing to be wary of is that if a lease is active on a particular mac address, the edge router will not allocate another lease until the existing lease expires, irrespective of the DUID. On a few occasions, I've had a system get stuck without prefix for 24 hours waiting for the lease to expire. Leases are 2 hours now, so that's not as bad.

    I did not mention LAN interface settings because I did not even bother to set it up yet for IPv6. I'd like to get pfSense going alone on IPv6 WAN side first. Then I can start worrying about LAN. More so because, as you can see from the diagram, IPv4 DNS is handled by Windows servers. I'm not sure how's that going to work for IPv6 name resolution. But, I'll cross that bridge in due time.

    @bimmerdriver:

    Looking at your configuration, if you have pfsense connected to the LAN port of the T3200M and to a bridged port, you are asking for trouble in my opinion. I recommend you get pfsense working with a single WAN and a single LAN interface completely separate from the T3200M LAN. It's possible to connect a NIC from the hyper-v to the LAN to access the modem GUI, but unless you want traffic going through the modem LAN, you need to increase the metric on the route to a number higher than the default route. Since you are getting a message "no route to host", I wouldn't be surprised if this is your problem.

    pfSense connection to LAN port on T3200M (marked as ISP) is not a gateway. In other words, all internet traffic is routed solely through the WAN interface. It's, basically, just another LAN segment, with only purpose to be able to manage T3200M and few boxes I have connected there. All the boxes on that segment are set up with ISP as gateway, so they go to the internet through pfSense and WAN interface (they use T3200M as dumb switch). The only devices that use T3200M to communicate to the outside world are Telus' OptikTV PVR and portals.

    @bimmerdriver:

    It would help if you posted the interface and gateway status.

    I'll do that when I get home, too. But there's nothing exciting there. All IPv4 interfaces are green (working just fine for as long as I'm Telus customer - 2.5 years). WAN IPv6 sits on the dashboard as "pending" forever, so I turned it off, for now.

    You're making life difficult for yourself by trying to get a complex configuration working before you have a simple configuration working. Crawl before you walk before you run. Since you have a hyper-v, it's easy to create a simple completely isolated network. Connect one NIC to the virtual WAN switch. Connect this NIC to the bridged port on the modem. Then configure pfsense with one WAN interface and one LAN interface. Connect the pfsense WAN interface to the virtual WAN switch. Connect the pfsense LAN interface to the virtual LAN switch. Connect one guest to the virtual LAN switch. Use default settings for pfsense unless you are sure you need to change something (e.g., WAN interface). Enable dhcp and dhcpv6 with managed RA. If you're using a windows guest, disable and enable the adapter and it should have ipv4 and ipv6 addresses and connectivity to the internet. You will be able to verify this using ipv6-test or whatever. When you get that working, then migrate to the configuration you have in your drawing. I'm pretty sure that by connecting the modem lan to pfsense you are causing problems.



  • I get what you are saying, but you are assuming I'm trying to get my Windows clients on LAN to get public IPv6, and pfSense to serve those via dhcpv6 with managed RA. That's not the case. It may be in the future, but not now. I am indeed trying to crawl first. All I want is for pfSense to get IPv6 from Telus on WAN interface. Nothing else. Once I do, I want to be able to use pfSense built-in tools to ping outside public IPv6 address. For now, LAN, ISP and OpenVPN (yes, I have that working on OPT1) have nothing to do with it. All of them are strictly IPv4.

    BTW, I tried with and without "Only request IPv6 prefix, do not request IPv6 address". Same problem.

    I was able to do it in the past (6-10 months ago). Now I want to continue that work, and it's not working. I suspect that something in configuration may be corrupt, but question is what? Saving config and restoring it on another instance, in theory, should not change it. I may try, this afternoon, to go through other interfaces and resetting all the options.



  • @753951:

    I get what you are saying, but you are assuming I'm trying to get my Windows clients on LAN to get public IPv6, and pfSense to serve those via dhcpv6 with managed RA. That's not the case. It may be in the future, but not now. I am indeed trying to crawl first. All I want is for pfSense to get IPv6 from Telus on WAN interface. Nothing else. Once I do, I want to be able to use pfSense built-in tools to ping outside public IPv6 address. For now, LAN, ISP and OpenVPN (yes, I have that working on OPT1) have nothing to do with it. All of them are strictly IPv4.

    BTW, I tried with and without "Only request IPv6 prefix, do not request IPv6 address". Same problem.

    I was able to do it in the past (6-10 months ago). Now I want to continue that work, and it's not working. I suspect that something in configuration may be corrupt, but question is what? Saving config and restoring it on another instance, in theory, should not change it. I may try, this afternoon, to go through other interfaces and resetting all the options.

    I can tell you for sure that only request prefix is mandatory. The edge router will reject a request for an address. I asked someone at Telus if they planned to change that in the future and the reply was no.

    Unless there's an issue with the way your modem is bridging (which I doubt is the case), the only conclusion is that something is wrong with your configuration, because I and others have working systems. I have no ideas or suggestions to figure out what's wrong, aside from starting over from scratch and making gradual changes. Irrespective of whether you plan to use public ipv6 addresses on your LAN, the simplest way to verify your WAN connection is working properly is to use a dual-stack host on the LAN. In order to be sure there isn't a conflict in the edge router dhcp server, I suggest you increment the MAC address of the NIC you are using for the WAN, then create a new VM and do a clean installation. Whether or not you intend to use this configuration, it will validate configuration of the WAN interface. Once that's done, you can have your way with it.



  • Exporting configuration and looking at XML, I can't see any lingering setting that would cause the issue. I tried fresh pfSense 2.3.4, with only WAN+LAN. Makes no difference. Called Telus support. Their answer was "IPv6 is still experimental, and as such not supported". I guess no IPv6 for me until some later date.  :'(



  • I guess no IPv6 for me until some later date.  :'(

    Why wait for Telus to get their act together??  If you want to experiment with IPv6, or even use it "in production", head over to HE.NET and get yourself a free IPv6 tunnel.  You'll even get a free /48 with it.  That's more than Telus will give you!



  • Why? Because it's not that important to me right now. It's still an experiment and I don't get much out of it in day-to-day use. I will just move onto my next pet project (home automation), and get back to it when I don't have anything better to do.



  • @753951:

    Exporting configuration and looking at XML, I can't see any lingering setting that would cause the issue. I tried fresh pfSense 2.3.4, with only WAN+LAN. Makes no difference. Called Telus support. Their answer was "IPv6 is still experimental, and as such not supported". I guess no IPv6 for me until some later date.  :'(

    Telus support is clueless and even if they knew about ipv6, I really doubt they would help anyone with a third-party router. For what it's worth, Telus has been supporting native ipv6 for well over a year. The only issue with respect to pfsense was that Telus' edge router is configured to require dhcpv6 solicit before it will reply to a router solicit. As far as I know, according to a contact in the engineering organization, Telus has no intention of changing that. They consider it a "security" feature. The "do not wait for RA feature" has been in pfsense for over a year and it works reliably. I and others have been using pfsense on the Telus network. I have two separate pfsense routers, each with its own prefix. If your T3200M is getting dual stack, the only reason you are not able to get pfsense working through the bridge port is because something in the configuration is broken.

    My suggestion is to create a new VM from scratch with a new, previously unused MAC address. Then install either 2.3.4 or 2.4 beta with one WAN and one LAN. (I'm using both and they both work.) The only settings you should have to change to get ipv4 and ipv6 working are to request a /56 prefix, prefix only but no address and "do not wait for RA". I also select "do not allow PD/address release". I would be very surprised if you could not get it working with this configuration.

    If you are still having problems, I would start looking at how your hyper-v server is configured. Another thing you could try is to create another guest and connect it to the private WAN switch running wireshark. It's a bit messy to get the filtering working, but you should see the sequence of dhcpv6 and icmpv6 messages within a few seconds of each other every time you reboot or apply the WAN settings.

    If you want, I will give you a hand off-line. We could use team-viewer or something. I've done this before for another Telus user.



  • @bimmerdriver:

    My suggestion is to create a new VM from scratch with a new, previously unused MAC address. Then install either 2.3.4 or 2.4 beta with one WAN and one LAN. (I'm using both and they both work.) The only settings you should have to change to get ipv4 and ipv6 working are to request a /56 prefix, prefix only but no address and "do not wait for RA". I also select "do not allow PD/address release". I would be very surprised if you could not get it working with this configuration.

    That's what I did. Fresh new VM with 2.3.4 (did not tinker with MAC though). No dice.

    @bimmerdriver:

    If you want, I will give you a hand off-line. We could use team-viewer or something. I've done this before for another Telus user.

    I may take you up on that, but not now. Thanks for your help.



  • @753951:

    @bimmerdriver:

    My suggestion is to create a new VM from scratch with a new, previously unused MAC address. Then install either 2.3.4 or 2.4 beta with one WAN and one LAN. (I'm using both and they both work.) The only settings you should have to change to get ipv4 and ipv6 working are to request a /56 prefix, prefix only but no address and "do not wait for RA". I also select "do not allow PD/address release". I would be very surprised if you could not get it working with this configuration.

    That's what I did. Fresh new VM with 2.3.4 (did not tinker with MAC though). No dice.

    @bimmerdriver:

    If you want, I will give you a hand off-line. We could use team-viewer or something. I've done this before for another Telus user.

    I may take you up on that, but not now. Thanks for your help.

    Okay, it's probably either the MAC or more likely the configuration of the NICs on the hyper-v server. If you want to take another run at this, send me a pm.



  • It was bloody "Block bogon networks" option. The moment I unchecked it, IPv6 started working.



  • @753951:

    It was bloody "Block bogon networks" option. The moment I unchecked it, IPv6 started working.

    Glad you got it working. I have it checked on the wan and unchecked on the lan, which are the defaults. It's easy for some seemingly innocuous setting to have a drastic effect. This is why I suggest to anyone having trouble getting pfsense working for the first time to use defaults wherever possible. Obviously you can't do that on the ipv6 wan settings, but hardly any changes are required to get it up and running. Good luck getting the rest of the configuration going.



  • I had exact same setting (I don't remember ever changing it). LAN off, WAN on. But turning it off for a moment on WAN made IPv6 working again. It's back to default value (on now) on WAN and everything still works even after reboot.

    I made other changes (LAN tracks WAN) and it's all working now. The only thing I can't get to work is VM interface in pfSense (Hyper-V virtual switch). It's set up to track WAN interface, exactly same as LAN, but that entire segment (one Debian, one Windows 10, one Windows 8.1 and one Windows Server 2016, which is domain controller, DHCP server and DNS server) can't get public IPv6. Can you have more than one interface in pfSense set to track another one for DHCPv6?



  • Does Telus have a user forum?  If so, perhaps you can post your settings there.  I'm on Rogers and it was a Rogers employee who posted the pfSense settings in the forum.  Also, there's a "Do not allow PD/Address release" on the Wan tab you may want to select.  It keeps pfSense from releasing your prefix.  Without it, my prefix would change if I did something as simple as disconnect/reconnect the Ethernet cable to the modem.



  • Telus has user forum, but quality of posts there makes me want to forget all about it.

    I have "do not release" flag checked. As this was an experiment only, I'm quite happy with results. I'll wait for 2.4 to get released and then give it another shot with VM interface.



  • @753951:

    I had exact same setting (I don't remember ever changing it). LAN off, WAN on. But turning it off for a moment on WAN made IPv6 working again. It's back to default value (on now) on WAN and everything still works even after reboot.

    I made other changes (LAN tracks WAN) and it's all working now. The only thing I can't get to work is VM interface in pfSense (Hyper-V virtual switch). It's set up to track WAN interface, exactly same as LAN, but that entire segment (one Debian, one Windows 10, one Windows 8.1 and one Windows Server 2016, which is domain controller, DHCP server and DNS server) can't get public IPv6. Can you have more than one interface in pfSense set to track another one for DHCPv6?

    That's really strange.

    For a typical dual-stack configuration with one WAN and one LAN it's a pretty simple setup.

    You should have the following WAN settings:

    IPV4: dhcp
    IPV6: dhcp6
    request prefix only
    /56 prefix
    do not wait for ra
    do not allow pd release

    You should have the following LAN settings:

    ipv4: static
    ipv6: track interface
    upstream gateway: none
    track ipv6 interface: WAN

    Except for do not allow pd release, it will not work without the settings. I recommend do not allow pd release. It works quite well at preventing the prefix from changing. However, Telus engineering told me that as long as the DUID does not change, the prefix should not change. I have found that if I clear do not allow release, it will release the lease and there will be a new prefix. If I do that a few times, occasionally the same prefix will be allocated again.

    If you plan to use pfsense for dhcpv6, I also recommend assisted RA.

    Not sure what you're trying to accomplish with the VM interface. Please elaborate. I have my hyper-v configured so the hyper-v management interface is on the LAN. I also have an extra NIC that's only connected to the hyper-v (not to any guests) and is connected to an unbridged LAN port on the modem. I use this only to log into the modem. I bumped up the routing metric so if any address other than the modem lan is accessed, it will go through the LAN interface on pfsense.

