[Solved] IPv6 Track Interface doesn't work - static IP works
-
I have a strange issue with IPv6 Track Interface.
My current testing setup is as follows:
ISP Router <-> pfSense <-> my PC
In pfSense, the WAN IPv6 Configuration Type is set to DHCP6.
I have IPv6 connectivity, the IPv6 of the interface is 2003:xxxx:xxxx:2018:xxxx:xxxx:xxxx:xxxx, I can ping outside, so the WAN side of things seems to be okay.
The ISP router also provides a 2003:xxxx:xxxx:201c::/62 prefix.
These are the settings:
Blocking bogon and private networks is unchecked (for now).
When I set the pfSense LAN IPv6 configuration type to Static and enter the prefix
2003:xxxx:xxxx:201c::/64,
2003:xxxx:xxxx:201d::/64,
2003:xxxx:xxxx:201e::/64 or
2003:xxxx:xxxx:201f::/64 I get an IPv6 connection on my LAN devices.
When I set my LAN to Track interface, Interface WAN, Prefix ID 0, I won't get an IPv6 on LAN side.
I analyzed the packages and I can confirm that I actually get the Identity Association for Prefix Delegation in the DHCPv6 packet with 2003:xxxx:xxxx:201c::/62 on the WAN side of pfSense.
Looking at the packages on LAN side, it seems like pfSense is not announcing an on-link /64 in its RAs.
The ICMPv6 RA packets only contain DNS Search list option, MTU and Source link layer address, but no Prefix Information Option.
DHCPv6 Server is disabled, RA is set to assisted.
System->Advanced->Networking->Allow IPv6 is enabled, of course.
Firewall rules:
WAN
LAN
I also noticed this error under System->Routing
invalid all-zeros prefix in /var/etc/radvd.conf, line 9
Can this be ignored or might this be a hint to what's wrong?
File content:
# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface igb1 {
    AdvSendAdvert on;
    MinRtrAdvInterval 5;
    MaxRtrAdvInterval 10;
    AdvLinkMTU 1500;
    AdvOtherConfigFlag on;
    prefix ::/64 {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr on;
    };
    DNSSL localdomain{ };
};
Does anyone have an idea for a solution?
If you need more information, just ask, I'm happy to provide it.
Thank you in advance!
-
I would look at the DHCP logs, filter on command dhcp6c, and post a complete session especially the stuff about the IA_PD.
/62 - how very generous of them. ISPs are their own worst enemies.
-
Okay, my Interfaces are:
igb0: WAN
igb1: LAN
First there is this block:
Jun 7 10:10:05 dhcp6c 13553 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
Jun 7 10:10:05 dhcp6c 13553 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jun 7 10:10:05 dhcp6c 13553 failed initialize control message authentication
Jun 7 10:10:05 dhcp6c 13553 skip opening control port
Jun 7 10:10:05 dhcp6c 13553 <3>[interface] (9)
Jun 7 10:10:05 dhcp6c 13553 <5>[igb0] (4)
Jun 7 10:10:05 dhcp6c 13553 <3>begin of closure [{] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[send] (4)
Jun 7 10:10:05 dhcp6c 13553 <3>[ia-pd] (5)
Jun 7 10:10:05 dhcp6c 13553 <3>[0] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>comment [# request prefix delegation] (27)
Jun 7 10:10:05 dhcp6c 13553 <3>[request] (7)
Jun 7 10:10:05 dhcp6c 13553 <3>[domain-name-servers] (19)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[request] (7)
Jun 7 10:10:05 dhcp6c 13553 <3>[domain-name] (11)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[script] (6)
Jun 7 10:10:05 dhcp6c 13553 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>comment [# we'd like some nameservers please] (35)
Jun 7 10:10:05 dhcp6c 13553 <3>end of closure [}] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[id-assoc] (8)
Jun 7 10:10:05 dhcp6c 13553 <13>[pd] (2)
Jun 7 10:10:05 dhcp6c 13553 <13>[0] (1)
Jun 7 10:10:05 dhcp6c 13553 <13>begin of closure [{] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[prefix] (6)
Jun 7 10:10:05 dhcp6c 13553 <3>[::] (2)
Jun 7 10:10:05 dhcp6c 13553 <3>[/] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[62] (2)
Jun 7 10:10:05 dhcp6c 13553 <3>[infinity] (8)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[prefix-interface] (16)
Jun 7 10:10:05 dhcp6c 13553 <5>[igb1] (4)
Jun 7 10:10:05 dhcp6c 13553 <3>begin of closure [{] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[sla-id] (6)
Jun 7 10:10:05 dhcp6c 13553 <3>[0] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>[sla-len] (7)
Jun 7 10:10:05 dhcp6c 13553 <3>[2] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of closure [}] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of closure [}] (1)
Jun 7 10:10:05 dhcp6c 13553 <3>end of sentence [;] (1)
Jun 7 10:10:05 dhcp6c 13553 called
Jun 7 10:10:05 dhcp6c 13553 called
Jun 7 10:10:05 dhcp6c 13806 reset a timer on igb0, state=INIT, timeo=0, retrans=891
Jun 7 10:10:06 dhcp6c 13806 Sending Solicit
Jun 7 10:10:06 dhcp6c 13806 a new XID (cad15e) is generated
Jun 7 10:10:06 dhcp6c 13806 set client ID (len 14)
Jun 7 10:10:06 dhcp6c 13806 set elapsed time (len 2)
Jun 7 10:10:06 dhcp6c 13806 set option request (len 4)
Jun 7 10:10:06 dhcp6c 13806 set IA_PD prefix
Jun 7 10:10:06 dhcp6c 13806 set IA_PD
Jun 7 10:10:06 dhcp6c 13806 send solicit to ff02::1:2%igb0
Jun 7 10:10:06 dhcp6c 13806 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091
Jun 7 10:10:06 dhcp6c 13806 receive advertise from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
Jun 7 10:10:06 dhcp6c 13806 get DHCP option server ID, len 10
Jun 7 10:10:06 dhcp6c 13806 DUID: 00:03:00:01:00:22:zz:zz:zz:zz
Jun 7 10:10:06 dhcp6c 13806 get DHCP option client ID, len 14
Jun 7 10:10:06 dhcp6c 13806 DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
Jun 7 10:10:06 dhcp6c 13806 get DHCP option opt_82, len 4
Jun 7 10:10:06 dhcp6c 13806 unknown or unexpected DHCP6 option opt_82, len 4
Jun 7 10:10:06 dhcp6c 13806 get DHCP option DNS, len 16
Jun 7 10:10:06 dhcp6c 13806 get DHCP option domain search list, len 5
Jun 7 10:10:06 dhcp6c 13806 get DHCP option opt_20, len 0
Jun 7 10:10:06 dhcp6c 13806 unknown or unexpected DHCP6 option opt_20, len 0
Jun 7 10:10:06 dhcp6c 13806 get DHCP option IA_PD, len 12
Jun 7 10:10:06 dhcp6c 13806 IA_PD: ID=0, T1=21600, T2=34560
Jun 7 10:10:06 dhcp6c 13806 server ID: 00:03:00:01:00:22:zz:zz:zz:zz, pref=-1
Jun 7 10:10:06 dhcp6c 13806 reset timer for igb0 to 0.998914
Jun 7 10:10:07 dhcp6c 13806 picked a server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
Jun 7 10:10:07 dhcp6c 13806 Sending Request
Jun 7 10:10:07 dhcp6c 13806 a new XID (963418) is generated
Jun 7 10:10:07 dhcp6c 13806 set client ID (len 14)
Jun 7 10:10:07 dhcp6c 13806 set server ID (len 10)
Jun 7 10:10:07 dhcp6c 13806 set elapsed time (len 2)
Jun 7 10:10:07 dhcp6c 13806 set option request (len 4)
Jun 7 10:10:07 dhcp6c 13806 set IA_PD
Jun 7 10:10:07 dhcp6c 13806 send request to ff02::1:2%igb0
Jun 7 10:10:07 dhcp6c 13806 reset a timer on igb0, state=REQUEST, timeo=0, retrans=909
Jun 7 10:10:07 dhcp6c 13806 receive reply from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
Jun 7 10:10:07 dhcp6c 13806 get DHCP option server ID, len 10
Jun 7 10:10:07 dhcp6c 13806 DUID: 00:03:00:01:00:22:zz:zz:zz:zz
Jun 7 10:10:07 dhcp6c 13806 get DHCP option client ID, len 14
Jun 7 10:10:07 dhcp6c 13806 DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
Jun 7 10:10:07 dhcp6c 13806 get DHCP option opt_82, len 4
Jun 7 10:10:07 dhcp6c 13806 unknown or unexpected DHCP6 option opt_82, len 4
Jun 7 10:10:07 dhcp6c 13806 get DHCP option DNS, len 16
Jun 7 10:10:07 dhcp6c 13806 get DHCP option domain search list, len 5
Jun 7 10:10:07 dhcp6c 13806 get DHCP option IA_PD, len 18
Jun 7 10:10:07 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
Jun 7 10:10:07 dhcp6c 13806 get DHCP option status code, len 2
Jun 7 10:10:07 dhcp6c 13806 status code: no prefixes
Jun 7 10:10:07 dhcp6c 13806 dhcp6c Received REQUEST
Jun 7 10:10:07 dhcp6c 13806 nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
Jun 7 10:10:07 dhcp6c 13806 Domain search list[0] lan.
Jun 7 10:10:07 dhcp6c 13806 make an IA: PD-0
Jun 7 10:10:07 dhcp6c 13806 status code for PD-0: no prefixes
Jun 7 10:10:07 dhcp6c 13806 IA PD-0 is invalidated
Jun 7 10:10:07 dhcp6c 13806 remove an IA: PD-0
Jun 7 10:10:07 dhcp6c 13806 reset a timer on igb0, state=INIT, timeo=0, retrans=118
Jun 7 10:10:07 dhcp6c 13806 executes /var/etc/dhcp6c_wan_script.sh
Jun 7 10:10:07 dhcp6c dhcp6c REQUEST on igb0 - running rc.newwanipv6
Jun 7 10:10:07 dhcp6c 13806 script "/var/etc/dhcp6c_wan_script.sh" terminated
Jun 7 10:10:07 dhcp6c 13806 removing an event on igb0, state=REQUEST
Jun 7 10:10:07 dhcp6c 13806 removing server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
Jun 7 10:10:07 dhcp6c 13806 got an expected reply, sleeping.
And then it basically repeats the following section, which is very similar to the second half of the first section, but has "set status code"
Jun 7 10:10:07 dhcp6c 13806 Sending Solicit
Jun 7 10:10:07 dhcp6c 13806 a new XID (a62192) is generated
Jun 7 10:10:07 dhcp6c 13806 set client ID (len 14)
Jun 7 10:10:07 dhcp6c 13806 set elapsed time (len 2)
Jun 7 10:10:07 dhcp6c 13806 set option request (len 4)
Jun 7 10:10:07 dhcp6c 13806 set IA_PD prefix
Jun 7 10:10:07 dhcp6c 13806 set IA_PD
Jun 7 10:10:07 dhcp6c 13806 send solicit to ff02::1:2%igb0
Jun 7 10:10:07 dhcp6c 13806 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1025
Jun 7 10:10:07 dhcp6c 13806 receive advertise from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
Jun 7 10:10:07 dhcp6c 13806 get DHCP option server ID, len 10
Jun 7 10:10:07 dhcp6c 13806 DUID: 00:03:00:01:00:22:zz:zz:zz:zz
Jun 7 10:10:07 dhcp6c 13806 get DHCP option client ID, len 14
Jun 7 10:10:07 dhcp6c 13806 DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
Jun 7 10:10:07 dhcp6c 13806 get DHCP option opt_82, len 4
Jun 7 10:10:07 dhcp6c 13806 unknown or unexpected DHCP6 option opt_82, len 4
Jun 7 10:10:07 dhcp6c 13806 get DHCP option DNS, len 16
Jun 7 10:10:07 dhcp6c 13806 get DHCP option domain search list, len 5
Jun 7 10:10:07 dhcp6c 13806 get DHCP option IA_PD, len 18
Jun 7 10:10:07 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
Jun 7 10:10:07 dhcp6c 13806 get DHCP option status code, len 2
Jun 7 10:10:07 dhcp6c 13806 status code: no prefixes
Jun 7 10:10:07 dhcp6c 13806 server ID: 00:03:00:01:00:22:zz:zz:zz:zz, pref=-1
Jun 7 10:10:07 dhcp6c 13806 reset timer for igb0 to 0.999245
Jun 7 10:10:08 dhcp6c 13806 picked a server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
Jun 7 10:10:08 dhcp6c 13806 Sending Request
Jun 7 10:10:08 dhcp6c 13806 a new XID (66e2a7) is generated
Jun 7 10:10:08 dhcp6c 13806 set client ID (len 14)
Jun 7 10:10:08 dhcp6c 13806 set server ID (len 10)
Jun 7 10:10:08 dhcp6c 13806 set elapsed time (len 2)
Jun 7 10:10:08 dhcp6c 13806 set option request (len 4)
Jun 7 10:10:08 dhcp6c 13806 set status code
Jun 7 10:10:08 dhcp6c 13806 set IA_PD
Jun 7 10:10:08 dhcp6c 13806 send request to ff02::1:2%igb0
Jun 7 10:10:08 dhcp6c 13806 reset a timer on igb0, state=REQUEST, timeo=0, retrans=1024
Jun 7 10:10:08 dhcp6c 13806 receive reply from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
Jun 7 10:10:08 dhcp6c 13806 get DHCP option server ID, len 10
Jun 7 10:10:08 dhcp6c 13806 DUID: 00:03:00:01:00:22:zz:zz:zz:zz
Jun 7 10:10:08 dhcp6c 13806 get DHCP option client ID, len 14
Jun 7 10:10:08 dhcp6c 13806 DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
Jun 7 10:10:08 dhcp6c 13806 get DHCP option opt_82, len 4
Jun 7 10:10:08 dhcp6c 13806 unknown or unexpected DHCP6 option opt_82, len 4
Jun 7 10:10:08 dhcp6c 13806 get DHCP option DNS, len 16
Jun 7 10:10:08 dhcp6c 13806 get DHCP option domain search list, len 5
Jun 7 10:10:08 dhcp6c 13806 get DHCP option IA_PD, len 18
Jun 7 10:10:08 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
Jun 7 10:10:08 dhcp6c 13806 get DHCP option status code, len 2
Jun 7 10:10:08 dhcp6c 13806 status code: no prefixes
Jun 7 10:10:08 dhcp6c 13806 dhcp6c Received REQUEST
Jun 7 10:10:08 dhcp6c 13806 nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
Jun 7 10:10:08 dhcp6c 13806 Domain search list[0] lan.
Jun 7 10:10:08 dhcp6c 13806 make an IA: PD-0
Jun 7 10:10:08 dhcp6c 13806 status code for PD-0: no prefixes
Jun 7 10:10:08 dhcp6c 13806 IA PD-0 is invalidated
Jun 7 10:10:08 dhcp6c 13806 remove an IA: PD-0
Jun 7 10:10:08 dhcp6c 13806 reset a timer on igb0, state=INIT, timeo=0, retrans=557
Jun 7 10:10:08 dhcp6c 13806 executes /var/etc/dhcp6c_wan_script.sh
Jun 7 10:10:08 dhcp6c dhcp6c REQUEST on igb0 - running rc.newwanipv6
Jun 7 10:10:08 dhcp6c 13806 script "/var/etc/dhcp6c_wan_script.sh" terminated
Jun 7 10:10:08 dhcp6c 13806 removing an event on igb0, state=REQUEST
Jun 7 10:10:08 dhcp6c 13806 removing server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
Jun 7 10:10:08 dhcp6c 13806 got an expected reply, sleeping.
-
@terabit said in IPv6 Track Interface doesn't work - static IP works:
Jun 7 10:10:07 dhcp6c 13806 status code: no prefixes
You might be asking for a /62 but they aren't giving one so there is nothing for the system to add to the tracked interface.
-
I can capture those packages on WAN:
Shouldn't this be a sign that I actually get a /62?
Or am I missing something?

No. Time Source Destination Protocol Length Source Port Destination Port Info
70 12.089014 fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2 DHCPv6 143 dhcpv6-client dhcpv6-server Solicit XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy
DHCPv6
  Message type: Solicit (1)
  Transaction ID: 0xc96b25
  Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii
  Elapsed time Option: Elapsed time (8) Length: 2 Elapsed time: 0ms
  Option Request Option: Option Request (6) Length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24)
  Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 0 T2: 0
    IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: infinity Valid lifetime: infinity Prefix length: 62 Prefix address: :: (::)

No. Time Source Destination Protocol Length Source Port Destination Port Info
71 12.089891 fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6 184 dhcpv6-server dhcpv6-client Advertise XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy
DHCPv6
  Message type: Advertise (2)
  Transaction ID: 0xc96b25
  Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj
  Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii
  SOL_MAX_RT Option: SOL_MAX_RT (82) Length: 4
  DNS recursive name server Option: DNS recursive name server (23) Length: 16 1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
  Domain Search List Option: Domain Search List (24) Length: 5 DNS Domain Search List Domain Search List FQDN: lan
  Reconfigure Accept Option: Reconfigure Accept (20) Length: 0
  Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 19827 T2: 31723
    IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39654 Valid lifetime: 50454 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c::

No. Time Source Destination Protocol Length Source Port Destination Port Info
120 15.830114 fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2 DHCPv6 157 dhcpv6-client dhcpv6-server Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy
DHCPv6
  Message type: Request (3)
  Transaction ID: 0xd0c619
  Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii
  Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj
  Elapsed time Option: Elapsed time (8) Length: 2 Elapsed time: 2680ms
  Option Request Option: Option Request (6) Length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24)
  Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 0 T2: 0
    IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39654 Valid lifetime: 50454 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c::

No. Time Source Destination Protocol Length Source Port Destination Port Info
121 15.830970 fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6 216 dhcpv6-server dhcpv6-client Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy
DHCPv6
  Message type: Reply (7)
  Transaction ID: 0xd0c619
  Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj
  Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii
  SOL_MAX_RT Option: SOL_MAX_RT (82) Length: 4
  DNS recursive name server Option: DNS recursive name server (23) Length: 16 1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
  Domain Search List Option: Domain Search List (24) Length: 5 DNS Domain Search List Domain Search List FQDN: lan
  Reconfigure Accept Option: Reconfigure Accept (20) Length: 0
  Authentication Option: Authentication (11) Length: 28 Protocol: 3 Algorithm: 1 RDM: 0 Replay Detection: .... Authentication Information: ....
  Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 19825 T2: 31720
    IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39650 Valid lifetime: 50450 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c::

No. Time Source Destination Protocol Length Source Port Destination Port Info
122 19.350272 fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2 DHCPv6 157 dhcpv6-client dhcpv6-server Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy
DHCPv6
  Message type: Request (3)
  Transaction ID: 0xd0c619
  Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii
  Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj
  Elapsed time Option: Elapsed time (8) Length: 2 Elapsed time: 6200ms
  Option Request Option: Option Request (6) Length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24)
  Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 0 T2: 0
    IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39654 Valid lifetime: 50454 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c::

No. Time Source Destination Protocol Length Source Port Destination Port Info
123 19.351088 fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6 216 dhcpv6-server dhcpv6-client Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy
DHCPv6
  Message type: Reply (7)
  Transaction ID: 0xd0c619
  Server Identifier Option: Server Identifier (2) Length: 10 DUID: 00030001002207jjjjjj DUID Type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 00:22:07:jj:jj:jj
  Client Identifier Option: Client Identifier (1) Length: 14 DUID: 0001000122a857aea0369fyyyyyy DUID Type: link-layer address plus time (1) Hardware type: Ethernet (1) DUID Time: Jun 4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit Link-layer address: a0:36:9f:ii:ii:ii
  SOL_MAX_RT Option: SOL_MAX_RT (82) Length: 4
  DNS recursive name server Option: DNS recursive name server (23) Length: 16 1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
  Domain Search List Option: Domain Search List (24) Length: 5 DNS Domain Search List Domain Search List FQDN: lan
  Reconfigure Accept Option: Reconfigure Accept (20) Length: 0
  Authentication Option: Authentication (11) Length: 28 Protocol: 3 Algorithm: 1 RDM: 0 Replay Detection: .... Authentication Information: ....
  Identity Association for Prefix Delegation Option: Identity Association for Prefix Delegation (25) Length: 41 IAID: 00000000 T1: 19823 T2: 31716
    IA Prefix Option: IA Prefix (26) Length: 25 Preferred lifetime: 39646 Valid lifetime: 50446 Prefix length: 62 Prefix address: 2003:xxxx:xxxx:201c::
-
Try different Prefix Delegation size. Instead of 62 try 60 or 56.
I have noticed that pfsense won't work at all if it doesn't match what the ISP is actually providing.
I was testing different router packages with ipv6 about a few months ago and initially I couldn't get pfsense to work because I thought my ISP provided a /60.
I tried a Mikrotik router and it worked, and what I saw was that even though I asked for the /60, the Mikrotik somehow figured out that the ISP was providing a /56 and it configured itself to work that way.
So I went back to the pfsense and put in 56 for the prefix delegation size and then it worked. It doesn't do the auto negotiation for the prefix at least with my ISP.
-
I already tried all possibilities (with reboot, etc.) and I can only get a /62.
I also confirmed this is the "correct" choice with an ISP engineer. (They will assign /56 later, btw.)
The problem is:
The Track Interface does not work, I won't get an IPv6 on LAN with that.
But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
The packet captures also seem to confirm that I can request /62 and actually get the /62 prefix.
So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.
Or did I miss something?
Thanks for your time and effort, by the way.
-
@terabit said in IPv6 Track Interface doesn't work - static IP works:
I already tried all possibilities (with reboot, etc.) and I can only get a /62.
I also confirmed this is the “correct” choice with an ISP engineer. (They will assign /56 later, btw.)
The problem is:
The Track Interface does not work, I won’t get an IPv6 on LAN with that.
But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
The packet captures also seem to confirm that I can request /62 and actually get the /62 prefix.
So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.
Or did I miss something?
Thanks for your time and effort, by the way.
Track Interface works fine, IF the prefix is obtained correctly. If Track isn't working it is either a configuration issue, or you aren't really getting a prefix.
One other thing I have noticed is that my cable modem sometimes will get fussy, with too many pfsense reboots. So you might try rebooting the cable modem too.
-
@isaacfl When talking about rebooting I always meant both, ISP router and pfSense.
Then I wonder how the packages on WAN side should look like, if that's not the correct way to get the prefix.
-
@terabit said in IPv6 Track Interface doesn't work - static IP works:
Jun 7 10:10:08 dhcp6c 13806 get DHCP option DNS, len 16
Jun 7 10:10:08 dhcp6c 13806 get DHCP option domain search list, len 5
Jun 7 10:10:08 dhcp6c 13806 get DHCP option IA_PD, len 18
Jun 7 10:10:08 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
Jun 7 10:10:08 dhcp6c 13806 get DHCP option status code, len 2
Jun 7 10:10:08 dhcp6c 13806 status code: no prefixes
Jun 7 10:10:08 dhcp6c 13806 dhcp6c Received REQUEST
Jun 7 10:10:08 dhcp6c 13806 nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
Jun 7 10:10:08 dhcp6c 13806 Domain search list[0] lan.
Jun 7 10:10:08 dhcp6c 13806 make an IA: PD-0
Jun 7 10:10:08 dhcp6c 13806 status code for PD-0: no prefixes
Jun 7 10:10:08 dhcp6c 13806 IA PD-0 is invalidated
Jun 7 10:10:08 dhcp6c 13806 remove an IA: PD-0
Whatever they are sending, dhcp6c doesn't like it. I can look at the exchange further but you'll need to post the actual pcap, not a textual representation of it.
-
Here is the capture file (link removed) of what happens on the WAN side of pfSense.
I filtered some stuff out, mainly endless pages of DNS stuff my PC was asking for in the background.
If any important bits are missing please tell me, I will fix the file/do another capture in that case.
-
What is in /var/etc/dhcp6c_wan.conf in the id-assoc pd 0 section?
This is mine for a /56
I would expect yours to be a /62 with sla-len of 2 and sla-id of 0 through 3 if they are all defined.
id-assoc pd 0 {
    prefix ::/56 infinity;
    prefix-interface igb1.223 {
        sla-id 1;
        sla-len 8;
    };
    prefix-interface igb1.999 {
        sla-id 2;
        sla-len 8;
    };
    prefix-interface lagg0.1003 {
        sla-id 3;
        sla-len 8;
    };
    prefix-interface lagg0.1004 {
        sla-id 16;
        sla-len 8;
    };
    prefix-interface lagg0.224 {
        sla-id 4;
        sla-len 8;
    };
};
-
Yep, seems to be alright.
id-assoc pd 0 {
    prefix ::/62 infinity;
    prefix-interface igb1 {
        sla-id 0;
        sla-len 2;
    };
};
I noticed something:
The logs are a bit different now. They say:
Jun 9 21:27:32 dhcp6c 62162 Sending Request
Jun 9 21:27:32 dhcp6c 62162 set client ID (len 14)
Jun 9 21:27:32 dhcp6c 62162 set server ID (len 10)
Jun 9 21:27:32 dhcp6c 62162 set elapsed time (len 2)
Jun 9 21:27:32 dhcp6c 62162 set option request (len 4)
Jun 9 21:27:32 dhcp6c 62162 set IA_PD prefix
Jun 9 21:27:32 dhcp6c 62162 set IA_PD
Jun 9 21:27:32 dhcp6c 62162 send request to ff02::1:2%igb0
Jun 9 21:27:32 dhcp6c 62162 reset a timer on igb0, state=REQUEST, timeo=9, retrans=27750
Jun 9 21:27:32 dhcp6c 62162 receive reply from fe80::...%igb0 on igb0
Jun 9 21:27:32 dhcp6c 62162 get DHCP option server ID, len 10
Jun 9 21:27:32 dhcp6c 62162 DUID: ...
Jun 9 21:27:32 dhcp6c 62162 get DHCP option client ID, len 14
Jun 9 21:27:32 dhcp6c 62162 DUID: ...
Jun 9 21:27:32 dhcp6c 62162 get DHCP option opt_82, len 4
Jun 9 21:27:32 dhcp6c 62162 unknown or unexpected DHCP6 option opt_82, len 4
Jun 9 21:27:32 dhcp6c 62162 get DHCP option DNS, len 16
Jun 9 21:27:32 dhcp6c 62162 get DHCP option domain search list, len 5
Jun 9 21:27:32 dhcp6c 62162 get DHCP option opt_20, len 0
Jun 9 21:27:32 dhcp6c 62162 unknown or unexpected DHCP6 option opt_20, len 0
Jun 9 21:27:32 dhcp6c 62162 get DHCP option authentication, len 28
Jun 9 21:27:32 dhcp6c 62162 proto: reconfig, alg: HMAC-MD5, RDM: mono counter, RD: ...
Which is sending and decoding the request.
E.g. decoding the option 20 that the ISP router sends is all parsed (or skipped) - up to this point.
And then:
Jun 9 21:27:32 dhcp6c 62162 unsupported authentication protocol: 1
Jun 9 21:27:32 dhcp6c 62162 failed to parse options
Jun 9 21:28:00 dhcp6c 62162 no responses were received
It stops!
But after the Authentication part comes the IA_PD!
Could it be that after failing at decoding the authentication protocol pfSense just ignores the rest of the packet?
Edit 2: I had a look at the source code, it seems the dhcp6c doesn't support the Reconfigure Key Authentication Protocol yet?
https://github.com/hrs-allbsd/wide-dhcpv6/blob/freebsd/dhcp6c.c#L2010
(Source as per https://forum.netgate.com/topic/126501/where-to-find-source-code-of-pfsense-dhcp-and-dhcpv6-cleints/4)
Looks like it discards the packet afterwards and ignores the IA_PD which comes right after the Authentication block...
Edit: After rebooting ISP router and pfSense box, the first seven repeats are like the logs I posted earlier in the thread (with status code: no prefixes), after that it's what I just posted now (with unsupported authentication protocol: 1)
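Added example, not part of the original post and not code from pfSense or wide-dhcpv6: a Python sketch of the two failures logged in this thread. It parses a constructed DHCPv6 Reply once with a client that drops the message at an authentication option it cannot handle and once with a client that skips that option, then derives the LAN /64 from the delegation using the sla-id / sla-len values from the posted config. Assumptions: all function names, the documentation prefix 2001:db8:0:201c::/62 standing in for the redacted one, and the empty set of supported authentication protocols.

```python
import ipaddress
import struct

# DHCPv6 option codes: Authentication, Status Code, Reconfigure Accept, IA_PD, IA Prefix.
OPT_AUTH, OPT_STATUS, OPT_RECONF_ACCEPT, OPT_IA_PD, OPT_IAPREFIX = 11, 13, 20, 25, 26
# Assumption for this sketch: the client implements no authentication protocol.
SUPPORTED_AUTH_PROTOCOLS = frozenset()


def tlv(code, body=b""):  # one option: 16-bit code, 16-bit length, body
    return struct.pack("!HH", code, len(body)) + body


def walk_options(buf):
    """Yield (code, body) pairs, rejecting options that overrun the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("option %d overruns the message" % code)
        yield code, buf[off:off + length]
        off += length


def parse_reply(msg, abort_on_unsupported_auth):
    """Return delegated prefixes, IA_PD status code, auth protocol and parse error."""
    out = {"prefixes": [], "status": None, "auth_protocol": None, "error": None}
    try:
        for code, body in walk_options(msg[4:]):  # skip msg-type and 3-byte XID
            if code == OPT_AUTH:
                if len(body) < 11:
                    raise ValueError("short authentication option")
                out["auth_protocol"] = body[0]
                if abort_on_unsupported_auth and body[0] not in SUPPORTED_AUTH_PROTOCOLS:
                    raise ValueError("unsupported authentication protocol")
            elif code == OPT_IA_PD:
                if len(body) < 12:
                    raise ValueError("short IA_PD option")
                for sub, sbody in walk_options(body[12:]):  # after IAID, T1, T2
                    if sub == OPT_IAPREFIX and len(sbody) >= 25:
                        net = (sbody[9:25], sbody[8])  # packed address, prefix length
                        out["prefixes"].append(ipaddress.IPv6Network(net, strict=False))
                    elif sub == OPT_STATUS and len(sbody) >= 2:
                        out["status"] = struct.unpack_from("!H", sbody)[0]
    except ValueError as exc:
        out["prefixes"], out["error"] = [], str(exc)  # the whole Reply is dropped
    return out


def tracked_subnet(delegated, sla_id, sla_len):
    """Carve one subnet out of a delegation, the way sla-id / sla-len select it."""
    new_len = delegated.prefixlen + sla_len
    if new_len > 128 or not 0 <= sla_id < (1 << sla_len):
        raise ValueError("sla-id does not fit in sla-len bits")
    base = int(delegated.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def sample_reply(with_auth):
    """Constructed Reply shaped like frame 121: auth option ahead of a /62 IA_PD."""
    pd = ipaddress.IPv6Network("2001:db8:0:201c::/62")  # documentation prefix
    iaprefix = tlv(OPT_IAPREFIX, struct.pack("!IIB", 39650, 50450, pd.prefixlen)
                   + pd.network_address.packed)
    ia_pd = tlv(OPT_IA_PD, struct.pack("!III", 0, 19825, 31720) + iaprefix)
    # Protocol 3, algorithm 1, RDM 0, 8-byte replay field, type byte + 16-byte value.
    auth = tlv(OPT_AUTH, bytes([3, 1, 0]) + bytes(8) + bytes([1]) + bytes(16))
    return (bytes.fromhex("07d0c619") + tlv(OPT_RECONF_ACCEPT)
            + (auth if with_auth else b"") + ia_pd)


def sample_no_prefix_reply():
    """Constructed Reply whose IA_PD (len 18) holds only a NoPrefixAvail status."""
    status = tlv(OPT_STATUS, struct.pack("!H", 6))  # 6 = NoPrefixAvail
    return bytes.fromhex("07963418") + tlv(OPT_IA_PD, bytes(12) + status)


if __name__ == "__main__":
    for msg, strict in ((sample_reply(True), True), (sample_reply(True), False),
                        (sample_no_prefix_reply(), True)):
        res = parse_reply(msg, strict)
        print(res["error"], res["status"], [str(tracked_subnet(p, 0, 2)) for p in res["prefixes"]])
```

In both failing cases the client ends up with no delegated prefix, so there is nothing to hand to the tracked LAN interface, which matches the RAs without a Prefix Information Option described at the top of the thread.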
-
I contacted the ISP about the Reconfigure Key Authentication Protocol issue and they confirmed there is a bug in the version of odhcpd they're using.
The server sends the reconfigure-accept option, even though the client didn't ask for it.
In the case of pfSense reconfiguration isn't even implemented yet, as far as I can see.
They told me this will be fixed on their router in Q3.
So I guess this mystery is solved!
-
Nice digging. Thanks for getting back.