[Solved] IPv6 Track Interface doesn't work - static IP works



  • I have a strange issue with IPv6 Track Interface.
    My current testing setup is as follows:
    ISP Router <-> pfSense <-> my PC

    In pfSense, the WAN IPv6 Configuration Type is set to DHCP6.
    I have IPv6 connectivity, the IPv6 of the interface is 2003:xxxx:xxxx:2018:xxxx:xxxx:xxxx:xxxx, I can ping outside, so the WAN side of things seems to be okay.
    The ISP router also provides a 2003:xxxx:xxxx:201c::/62 prefix.
    These are the settings:
    0_1528297398622_pfSense_DHCP6_Client_config.png
    Blocking bogon and private networks is unchecked (for now).

    When I set the pfSense LAN IPv6 configuration type to Static and enter the prefix
    2003:xxxx:xxxx:201c::/64,
    2003:xxxx:xxxx:201d::/64,
    2003:xxxx:xxxx:201e::/64 or
    2003:xxxx:xxxx:201f::/64 I get an IPv6 connection on my LAN devices.
    When I set my LAN to Track interface, Interface WAN, Prefix ID 0, I won't get an IPv6 on LAN side.

    I analyzed the packages and I can confirm that I actually get the Identity Association for Prefix Delegation in the DHCPv6 packet with 2003:xxxx:xxxx:201c::/62 on the WAN side of pfSense.
    Looking at the packages on LAN side, it seems like pfSense is not announcing an on-link /64 in its RAs.
    The ICMPv6 RA packets only contain DNS Search list option, MTU and Source link layer address, but no Prefix Information Option.
    DHCPv6 Server is disabled, RA is set to assisted.
    System->Advanced->Networking->Allow IPv6 is enabled, of course.

    Firewall rules:
    WAN
    0_1528298054919_FW_WAN.png
    LAN
    1_1528296469191_FW_LAN.png

    I also noticed this error under System->Routing
    invalid all-zeros prefix in /var/etc/radvd.conf, line 9
    Can this be ignored or might this be a hint to what's wrong?
    File content:

    # Automatically Generated, do not edit
    # Generated config for dhcp6 delegation from wan on lan
    interface igb1 {
    	AdvSendAdvert on;
    	MinRtrAdvInterval 5;
    	MaxRtrAdvInterval 10;
    	AdvLinkMTU 1500;
    	AdvOtherConfigFlag on;
    	prefix ::/64 {
    		AdvOnLink on;
    		AdvAutonomous on;
    		AdvRouterAddr on;
    	};
    	DNSSL localdomain{ };
    };
    
    

    Does anyone have an idea for a solution?
    If you need more information, just ask, I'm happy to provide it.
    Thank you in advance!


  • Netgate

    I would look at the DHCP logs, filter on command dhcp6c, and post a complete session especially the stuff about the IA_PD.

    /62 - how very generous of them. ISPs are their own worst enemies.



  • Okay, my Interfaces are:
    igb0: WAN
    igb1: LAN

    First there is this block:

    Jun 7 10:10:05	dhcp6c	13553	extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Jun 7 10:10:05	dhcp6c	13553	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Jun 7 10:10:05	dhcp6c	13553	failed initialize control message authentication
    Jun 7 10:10:05	dhcp6c	13553	skip opening control port
    Jun 7 10:10:05	dhcp6c	13553	<3>[interface] (9)
    Jun 7 10:10:05	dhcp6c	13553	<5>[igb0] (4)
    Jun 7 10:10:05	dhcp6c	13553	<3>begin of closure [{] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[send] (4)
    Jun 7 10:10:05	dhcp6c	13553	<3>[ia-pd] (5)
    Jun 7 10:10:05	dhcp6c	13553	<3>[0] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>comment [# request prefix delegation] (27)
    Jun 7 10:10:05	dhcp6c	13553	<3>[request] (7)
    Jun 7 10:10:05	dhcp6c	13553	<3>[domain-name-servers] (19)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[request] (7)
    Jun 7 10:10:05	dhcp6c	13553	<3>[domain-name] (11)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[script] (6)
    Jun 7 10:10:05	dhcp6c	13553	<3>["/var/etc/dhcp6c_wan_script.sh"] (31)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>comment [# we'd like some nameservers please] (35)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of closure [}] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[id-assoc] (8)
    Jun 7 10:10:05	dhcp6c	13553	<13>[pd] (2)
    Jun 7 10:10:05	dhcp6c	13553	<13>[0] (1)
    Jun 7 10:10:05	dhcp6c	13553	<13>begin of closure [{] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[prefix] (6)
    Jun 7 10:10:05	dhcp6c	13553	<3>[::] (2)
    Jun 7 10:10:05	dhcp6c	13553	<3>[/] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[62] (2)
    Jun 7 10:10:05	dhcp6c	13553	<3>[infinity] (8)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[prefix-interface] (16)
    Jun 7 10:10:05	dhcp6c	13553	<5>[igb1] (4)
    Jun 7 10:10:05	dhcp6c	13553	<3>begin of closure [{] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[sla-id] (6)
    Jun 7 10:10:05	dhcp6c	13553	<3>[0] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>[sla-len] (7)
    Jun 7 10:10:05	dhcp6c	13553	<3>[2] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of closure [}] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of closure [}] (1)
    Jun 7 10:10:05	dhcp6c	13553	<3>end of sentence [;] (1)
    Jun 7 10:10:05	dhcp6c	13553	called
    Jun 7 10:10:05	dhcp6c	13553	called
    Jun 7 10:10:05	dhcp6c	13806	reset a timer on igb0, state=INIT, timeo=0, retrans=891
    Jun 7 10:10:06	dhcp6c	13806	Sending Solicit
    Jun 7 10:10:06	dhcp6c	13806	a new XID (cad15e) is generated
    Jun 7 10:10:06	dhcp6c	13806	set client ID (len 14)
    Jun 7 10:10:06	dhcp6c	13806	set elapsed time (len 2)
    Jun 7 10:10:06	dhcp6c	13806	set option request (len 4)
    Jun 7 10:10:06	dhcp6c	13806	set IA_PD prefix
    Jun 7 10:10:06	dhcp6c	13806	set IA_PD
    Jun 7 10:10:06	dhcp6c	13806	send solicit to ff02::1:2%igb0
    Jun 7 10:10:06	dhcp6c	13806	reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091
    Jun 7 10:10:06	dhcp6c	13806	receive advertise from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option server ID, len 10
    Jun 7 10:10:06	dhcp6c	13806	DUID: 00:03:00:01:00:22:zz:zz:zz:zz
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option client ID, len 14
    Jun 7 10:10:06	dhcp6c	13806	DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option opt_82, len 4
    Jun 7 10:10:06	dhcp6c	13806	unknown or unexpected DHCP6 option opt_82, len 4
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option DNS, len 16
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option domain search list, len 5
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option opt_20, len 0
    Jun 7 10:10:06	dhcp6c	13806	unknown or unexpected DHCP6 option opt_20, len 0
    Jun 7 10:10:06	dhcp6c	13806	get DHCP option IA_PD, len 12
    Jun 7 10:10:06	dhcp6c	13806	IA_PD: ID=0, T1=21600, T2=34560
    Jun 7 10:10:06	dhcp6c	13806	server ID: 00:03:00:01:00:22:zz:zz:zz:zz, pref=-1
    Jun 7 10:10:06	dhcp6c	13806	reset timer for igb0 to 0.998914
    Jun 7 10:10:07	dhcp6c	13806	picked a server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
    Jun 7 10:10:07	dhcp6c	13806	Sending Request
    Jun 7 10:10:07	dhcp6c	13806	a new XID (963418) is generated
    Jun 7 10:10:07	dhcp6c	13806	set client ID (len 14)
    Jun 7 10:10:07	dhcp6c	13806	set server ID (len 10)
    Jun 7 10:10:07	dhcp6c	13806	set elapsed time (len 2)
    Jun 7 10:10:07	dhcp6c	13806	set option request (len 4)
    Jun 7 10:10:07	dhcp6c	13806	set IA_PD
    Jun 7 10:10:07	dhcp6c	13806	send request to ff02::1:2%igb0
    Jun 7 10:10:07	dhcp6c	13806	reset a timer on igb0, state=REQUEST, timeo=0, retrans=909
    Jun 7 10:10:07	dhcp6c	13806	receive reply from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option server ID, len 10
    Jun 7 10:10:07	dhcp6c	13806	DUID: 00:03:00:01:00:22:zz:zz:zz:zz
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option client ID, len 14
    Jun 7 10:10:07	dhcp6c	13806	DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option opt_82, len 4
    Jun 7 10:10:07	dhcp6c	13806	unknown or unexpected DHCP6 option opt_82, len 4
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option DNS, len 16
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option domain search list, len 5
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option IA_PD, len 18
    Jun 7 10:10:07	dhcp6c	13806	IA_PD: ID=0, T1=0, T2=0
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option status code, len 2
    Jun 7 10:10:07	dhcp6c	13806	status code: no prefixes
    Jun 7 10:10:07	dhcp6c	13806	dhcp6c Received REQUEST
    Jun 7 10:10:07	dhcp6c	13806	nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
    Jun 7 10:10:07	dhcp6c	13806	Domain search list[0] lan.
    Jun 7 10:10:07	dhcp6c	13806	make an IA: PD-0
    Jun 7 10:10:07	dhcp6c	13806	status code for PD-0: no prefixes
    Jun 7 10:10:07	dhcp6c	13806	IA PD-0 is invalidated
    Jun 7 10:10:07	dhcp6c	13806	remove an IA: PD-0
    Jun 7 10:10:07	dhcp6c	13806	reset a timer on igb0, state=INIT, timeo=0, retrans=118
    Jun 7 10:10:07	dhcp6c	13806	executes /var/etc/dhcp6c_wan_script.sh
    Jun 7 10:10:07	dhcp6c		dhcp6c REQUEST on igb0 - running rc.newwanipv6
    Jun 7 10:10:07	dhcp6c	13806	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Jun 7 10:10:07	dhcp6c	13806	removing an event on igb0, state=REQUEST
    Jun 7 10:10:07	dhcp6c	13806	removing server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
    Jun 7 10:10:07	dhcp6c	13806	got an expected reply, sleeping.
    

    And then it basically repeats the following section, which is very similar to the second half of the first section, but has "set status code"

    Jun 7 10:10:07	dhcp6c	13806	Sending Solicit
    Jun 7 10:10:07	dhcp6c	13806	a new XID (a62192) is generated
    Jun 7 10:10:07	dhcp6c	13806	set client ID (len 14)
    Jun 7 10:10:07	dhcp6c	13806	set elapsed time (len 2)
    Jun 7 10:10:07	dhcp6c	13806	set option request (len 4)
    Jun 7 10:10:07	dhcp6c	13806	set IA_PD prefix
    Jun 7 10:10:07	dhcp6c	13806	set IA_PD
    Jun 7 10:10:07	dhcp6c	13806	send solicit to ff02::1:2%igb0
    Jun 7 10:10:07	dhcp6c	13806	reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1025
    Jun 7 10:10:07	dhcp6c	13806	receive advertise from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option server ID, len 10
    Jun 7 10:10:07	dhcp6c	13806	DUID: 00:03:00:01:00:22:zz:zz:zz:zz
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option client ID, len 14
    Jun 7 10:10:07	dhcp6c	13806	DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option opt_82, len 4
    Jun 7 10:10:07	dhcp6c	13806	unknown or unexpected DHCP6 option opt_82, len 4
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option DNS, len 16
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option domain search list, len 5
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option IA_PD, len 18
    Jun 7 10:10:07	dhcp6c	13806	IA_PD: ID=0, T1=0, T2=0
    Jun 7 10:10:07	dhcp6c	13806	get DHCP option status code, len 2
    Jun 7 10:10:07	dhcp6c	13806	status code: no prefixes
    Jun 7 10:10:07	dhcp6c	13806	server ID: 00:03:00:01:00:22:zz:zz:zz:zz, pref=-1
    Jun 7 10:10:07	dhcp6c	13806	reset timer for igb0 to 0.999245
    Jun 7 10:10:08	dhcp6c	13806	picked a server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
    Jun 7 10:10:08	dhcp6c	13806	Sending Request
    Jun 7 10:10:08	dhcp6c	13806	a new XID (66e2a7) is generated
    Jun 7 10:10:08	dhcp6c	13806	set client ID (len 14)
    Jun 7 10:10:08	dhcp6c	13806	set server ID (len 10)
    Jun 7 10:10:08	dhcp6c	13806	set elapsed time (len 2)
    Jun 7 10:10:08	dhcp6c	13806	set option request (len 4)
    Jun 7 10:10:08	dhcp6c	13806	set status code
    Jun 7 10:10:08	dhcp6c	13806	set IA_PD
    Jun 7 10:10:08	dhcp6c	13806	send request to ff02::1:2%igb0
    Jun 7 10:10:08	dhcp6c	13806	reset a timer on igb0, state=REQUEST, timeo=0, retrans=1024
    Jun 7 10:10:08	dhcp6c	13806	receive reply from fe80::yyyy:yyyy:yyyy:yyyy%igb0 on igb0
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option server ID, len 10
    Jun 7 10:10:08	dhcp6c	13806	DUID: 00:03:00:01:00:22:zz:zz:zz:zz
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option client ID, len 14
    Jun 7 10:10:08	dhcp6c	13806	DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option opt_82, len 4
    Jun 7 10:10:08	dhcp6c	13806	unknown or unexpected DHCP6 option opt_82, len 4
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option DNS, len 16
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option domain search list, len 5
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option IA_PD, len 18
    Jun 7 10:10:08	dhcp6c	13806	IA_PD: ID=0, T1=0, T2=0
    Jun 7 10:10:08	dhcp6c	13806	get DHCP option status code, len 2
    Jun 7 10:10:08	dhcp6c	13806	status code: no prefixes
    Jun 7 10:10:08	dhcp6c	13806	dhcp6c Received REQUEST
    Jun 7 10:10:08	dhcp6c	13806	nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
    Jun 7 10:10:08	dhcp6c	13806	Domain search list[0] lan.
    Jun 7 10:10:08	dhcp6c	13806	make an IA: PD-0
    Jun 7 10:10:08	dhcp6c	13806	status code for PD-0: no prefixes
    Jun 7 10:10:08	dhcp6c	13806	IA PD-0 is invalidated
    Jun 7 10:10:08	dhcp6c	13806	remove an IA: PD-0
    Jun 7 10:10:08	dhcp6c	13806	reset a timer on igb0, state=INIT, timeo=0, retrans=557
    Jun 7 10:10:08	dhcp6c	13806	executes /var/etc/dhcp6c_wan_script.sh
    Jun 7 10:10:08	dhcp6c		dhcp6c REQUEST on igb0 - running rc.newwanipv6
    Jun 7 10:10:08	dhcp6c	13806	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Jun 7 10:10:08	dhcp6c	13806	removing an event on igb0, state=REQUEST
    Jun 7 10:10:08	dhcp6c	13806	removing server (ID: 00:03:00:01:00:22:zz:zz:zz:zz)
    Jun 7 10:10:08	dhcp6c	13806	got an expected reply, sleeping.
    

  • Netgate

    @terabit said in IPv6 Track Interface doesn't work - static IP works:

    Jun 7 10:10:07 dhcp6c 13806 status code: no prefixes

    You might be asking for a /62 but they aren't giving one so there is nothing for the system to add to the tracked interface.



  • I can capture those packages on WAN:
    Shouldn't this be a sign that I actually get a /62?
    Or am I missing something?

    No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
         70 12.089014      fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2             DHCPv6   143    dhcpv6-client dhcpv6-server    Solicit XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy 
    
    DHCPv6
        Message type: Solicit (1)
        Transaction ID: 0xc96b25
        Client Identifier
            Option: Client Identifier (1)
            Length: 14      
            DUID: 0001000122a857aea0369fyyyyyy
            DUID Type: link-layer address plus time (1)
            Hardware type: Ethernet (1)
            DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
            Link-layer address: a0:36:9f:ii:ii:ii
        Elapsed time
            Option: Elapsed time (8)
            Length: 2       
            Elapsed time: 0ms
        Option Request
            Option: Option Request (6)
            Length: 4      
            Requested Option code: DNS recursive name server (23)
            Requested Option code: Domain Search List (24)
        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 41        
            IAID: 00000000
            T1: 0
            T2: 0
            IA Prefix
                Option: IA Prefix (26)
                Length: 25
                Preferred lifetime: infinity
                Valid lifetime: infinity
                Prefix length: 62
                Prefix address: :: (::)
    
    No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
         71 12.089891      fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6   184    dhcpv6-server dhcpv6-client    Advertise XID: 0xc96b25 CID: 0001000122a857aea0369fyyyyyy 
    
    DHCPv6
        Message type: Advertise (2)
        Transaction ID: 0xc96b25
        Server Identifier
            Option: Server Identifier (2)
            Length: 10
            DUID: 00030001002207jjjjjj
            DUID Type: link-layer address (3)
            Hardware type: Ethernet (1)
            Link-layer address: 00:22:07:jj:jj:jj
        Client Identifier
            Option: Client Identifier (1)
            Length: 14
            DUID: 0001000122a857aea0369fyyyyyy
            DUID Type: link-layer address plus time (1)
            Hardware type: Ethernet (1)
            DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
            Link-layer address: a0:36:9f:ii:ii:ii
        SOL_MAX_RT
            Option: SOL_MAX_RT (82)
            Length: 4
        DNS recursive name server
            Option: DNS recursive name server (23)
            Length: 16
             1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
        Domain Search List
            Option: Domain Search List (24)
            Length: 5
            DNS Domain Search List
                Domain Search List FQDN: lan
        Reconfigure Accept
            Option: Reconfigure Accept (20)
            Length: 0
        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 41
            IAID: 00000000
            T1: 19827
            T2: 31723
            IA Prefix
                Option: IA Prefix (26)
                Length: 25         
                Preferred lifetime: 39654
                Valid lifetime: 50454
                Prefix length: 62
                Prefix address: 2003:xxxx:xxxx:201c::
    
    No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
        120 15.830114      fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2             DHCPv6   157    dhcpv6-client dhcpv6-server    Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
    
    DHCPv6
        Message type: Request (3)
        Transaction ID: 0xd0c619
        Client Identifier
            Option: Client Identifier (1)
            Length: 14
            DUID: 0001000122a857aea0369fyyyyyy
            DUID Type: link-layer address plus time (1)
            Hardware type: Ethernet (1)
            DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
            Link-layer address: a0:36:9f:ii:ii:ii
        Server Identifier
            Option: Server Identifier (2)
            Length: 10
            DUID: 00030001002207jjjjjj
            DUID Type: link-layer address (3)
            Hardware type: Ethernet (1)
            Link-layer address: 00:22:07:jj:jj:jj
        Elapsed time
            Option: Elapsed time (8)
            Length: 2
            Elapsed time: 2680ms
        Option Request
            Option: Option Request (6)
            Length: 4
            Requested Option code: DNS recursive name server (23)
            Requested Option code: Domain Search List (24)
        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 41
            IAID: 00000000
            T1: 0
            T2: 0
            IA Prefix
                Option: IA Prefix (26)
                Length: 25            
                Preferred lifetime: 39654
                Valid lifetime: 50454
                Prefix length: 62
                Prefix address: 2003:xxxx:xxxx:201c::
    
    No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
        121 15.830970      fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6   216    dhcpv6-server dhcpv6-client    Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
    
    DHCPv6
        Message type: Reply (7)
        Transaction ID: 0xd0c619
        Server Identifier
            Option: Server Identifier (2)
            Length: 10
            DUID: 00030001002207jjjjjj
            DUID Type: link-layer address (3)
            Hardware type: Ethernet (1)
            Link-layer address: 00:22:07:jj:jj:jj
        Client Identifier
            Option: Client Identifier (1)
            Length: 14
            DUID: 0001000122a857aea0369fyyyyyy
            DUID Type: link-layer address plus time (1)
            Hardware type: Ethernet (1)
            DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
            Link-layer address: a0:36:9f:ii:ii:ii
        SOL_MAX_RT
            Option: SOL_MAX_RT (82)
            Length: 4
        DNS recursive name server
            Option: DNS recursive name server (23)
            Length: 16
             1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
        Domain Search List
            Option: Domain Search List (24)
            Length: 5
            DNS Domain Search List
                Domain Search List FQDN: lan
        Reconfigure Accept
            Option: Reconfigure Accept (20)
            Length: 0
        Authentication
            Option: Authentication (11)
            Length: 28
            Protocol: 3
            Algorithm: 1
            RDM: 0
            Replay Detection: ....
            Authentication Information: ....
        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 41
            IAID: 00000000
            T1: 19825
            T2: 31720
            IA Prefix
                Option: IA Prefix (26)
                Length: 25          
                Preferred lifetime: 39650
                Valid lifetime: 50450
                Prefix length: 62
                Prefix address: 2003:xxxx:xxxx:201c::
    
    No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
        122 19.350272      fe80::xxxx:xxxx:xxxx:xxxx ff02::1:2             DHCPv6   157    dhcpv6-client dhcpv6-server    Request XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
    
    DHCPv6
        Message type: Request (3)
        Transaction ID: 0xd0c619
        Client Identifier
            Option: Client Identifier (1)
            Length: 14
            DUID: 0001000122a857aea0369fyyyyyy
            DUID Type: link-layer address plus time (1)
            Hardware type: Ethernet (1)
            DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
            Link-layer address: a0:36:9f:ii:ii:ii
        Server Identifier
            Option: Server Identifier (2)
            Length: 10
            DUID: 00030001002207jjjjjj
            DUID Type: link-layer address (3)
            Hardware type: Ethernet (1)
            Link-layer address: 00:22:07:jj:jj:jj
        Elapsed time
            Option: Elapsed time (8)
            Length: 2
            Elapsed time: 6200ms
        Option Request
            Option: Option Request (6)
            Length: 4      
            Requested Option code: DNS recursive name server (23)
            Requested Option code: Domain Search List (24)
        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 41
            IAID: 00000000
            T1: 0
            T2: 0
            IA Prefix
                Option: IA Prefix (26)
                Length: 25           
                Preferred lifetime: 39654
                Valid lifetime: 50454
                Prefix length: 62
                Prefix address: 2003:xxxx:xxxx:201c::
    
    No.     Time           Source                Destination           Protocol Length Source Port Destination Port Info
        123 19.351088      fe80::yyyy:yyyy:yyyy:yyyy fe80::xxxx:xxxx:xxxx:xxxx DHCPv6   216    dhcpv6-server dhcpv6-client    Reply XID: 0xd0c619 CID: 0001000122a857aea0369fyyyyyy 
    
    DHCPv6
        Message type: Reply (7)
        Transaction ID: 0xd0c619
        Server Identifier
            Option: Server Identifier (2)
            Length: 10
            DUID: 00030001002207jjjjjj
            DUID Type: link-layer address (3)
            Hardware type: Ethernet (1)
            Link-layer address: 00:22:07:jj:jj:jj
        Client Identifier
            Option: Client Identifier (1)
            Length: 14
            DUID: 0001000122a857aea0369fyyyyyy
            DUID Type: link-layer address plus time (1)
            Hardware type: Ethernet (1)
            DUID Time: Jun  4, 2018 22:03:58.000000000 Mitteleuropäische Sommerzeit
            Link-layer address: a0:36:9f:ii:ii:ii
        SOL_MAX_RT
            Option: SOL_MAX_RT (82)
            Length: 4
        DNS recursive name server
            Option: DNS recursive name server (23)
            Length: 16
             1 DNS server address: fe80::yyyy:yyyy:yyyy:yyyy (fe80::yyyy:yyyy:yyyy:yyyy)
        Domain Search List
            Option: Domain Search List (24)
            Length: 5        
            DNS Domain Search List
                Domain Search List FQDN: lan
        Reconfigure Accept
            Option: Reconfigure Accept (20)
            Length: 0
        Authentication
            Option: Authentication (11)
            Length: 28
            Protocol: 3
            Algorithm: 1
            RDM: 0
            Replay Detection: ....
            Authentication Information: ....
        Identity Association for Prefix Delegation
            Option: Identity Association for Prefix Delegation (25)
            Length: 41
            IAID: 00000000
            T1: 19823
            T2: 31716
            IA Prefix
                Option: IA Prefix (26)
                Length: 25
                Preferred lifetime: 39646
                Valid lifetime: 50446
                Prefix length: 62
                Prefix address: 2003:xxxx:xxxx:201c::
    
    


  • Try a different Prefix Delegation size. Instead of 62 try 60 or 56.

    I have noticed that pfsense won't work at all if it doesn't match what the ISP is actually providing.

    I was testing different router packages with ipv6 about a few months ago and initially I couldn't get pfsense to work because I thought my ISP provided a /60.

    I tried a Mikrotik router and it worked, and what I saw was that even though I asked for the /60, the Mikrotik somehow figured out that the ISP was providing a /56 and it configured itself to work that way.

    So I went back to the pfsense and put in 56 for the prefix delegation size and then it worked. It doesn't do the auto negotiation for the prefix at least with my ISP.



  • I already tried all possibilities (with reboot, etc.) and I can only get a /62.
    I also confirmed this is the "correct" choice with an ISP engineer. (They will assign /56 later, btw.)

    The problem is:
    The Track Interface does not work, I won't get an IPv6 on LAN with that.
    But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
    The packet captures also seem to confirm that I can request /62 and actually get the /62 prefix.

    So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.

    Or did I miss something?
    Thanks for your time and effort, by the way.



  • @terabit said in IPv6 Track Interface doesn't work - static IP works:

    I already tried all possibilities (with reboot, etc.) and I can only get a /62.
    I also confirmed this is the “correct” choice with an ISP engineer. (They will assign /56 later, btw.)
    The problem is:
    The Track Interface does not work, I won’t get an IPv6 on LAN with that.
    But when I request a 62 and use the 2003:xxxx:xxxx:201c:: prefix as a static IPv6, everything works.
    The packet captures also seem to confirm that I can request /62 and actually get the /62 prefix.
    So the problem seems to lie on the pfSense Track Interface side of things, either me making a mistake or some kind of bug/compatibility issue.
    Or did I miss something?
    Thanks for your time and effort, by the way.

    Track Interface works fine, IF the prefix is obtained correctly. If Track isn't working it is either a configuration issue, or you aren't really getting a prefix.

    One other thing I have noticed is that my cable modem sometimes will get fussy, with too many pfsense reboots. So you might try rebooting the cable modem too.



  • @isaacfl When talking about rebooting I always meant both, ISP router and pfSense.
    Then I wonder what the packages on WAN side should look like, if that's not the correct way to get the prefix.


  • Netgate

    @terabit said in IPv6 Track Interface doesn't work - static IP works:

    Jun 7 10:10:08 dhcp6c 13806 get DHCP option DNS, len 16
    Jun 7 10:10:08 dhcp6c 13806 get DHCP option domain search list, len 5
    Jun 7 10:10:08 dhcp6c 13806 get DHCP option IA_PD, len 18
    Jun 7 10:10:08 dhcp6c 13806 IA_PD: ID=0, T1=0, T2=0
    Jun 7 10:10:08 dhcp6c 13806 get DHCP option status code, len 2
    Jun 7 10:10:08 dhcp6c 13806 status code: no prefixes
    Jun 7 10:10:08 dhcp6c 13806 dhcp6c Received REQUEST
    Jun 7 10:10:08 dhcp6c 13806 nameserver[0] fe80::yyyy:yyyy:yyyy:yyyy
    Jun 7 10:10:08 dhcp6c 13806 Domain search list[0] lan.
    Jun 7 10:10:08 dhcp6c 13806 make an IA: PD-0
    Jun 7 10:10:08 dhcp6c 13806 status code for PD-0: no prefixes
    Jun 7 10:10:08 dhcp6c 13806 IA PD-0 is invalidated
    Jun 7 10:10:08 dhcp6c 13806 remove an IA: PD-0

    Whatever they are sending, dhcp6c doesn't like it. I can look at the exchange further but you'll need to post the actual pcap, not a textual representation of it.



  • Here is the capture file (link removed) of what happens on the WAN side of pfSense.
    I filtered some stuff out, mainly endless pages of DNS stuff my PC was asking for in the background.
    If any important bits are missing please tell me, I will fix the file/do another capture in that case.


  • Netgate

    What is in /var/etc/dhcp6c_wan.conf in the id-assoc pd 0 section?

    This is mine for a /56

    I would expect yours to be a /62 with sla-len of 2 and sla-id of 0 through 3 if they are all defined.

    id-assoc pd 0 {
            prefix ::/56 infinity;
            prefix-interface igb1.223 {
                    sla-id 1;
                    sla-len 8;
            };
            prefix-interface igb1.999 {
                    sla-id 2;
                    sla-len 8;
            };
            prefix-interface lagg0.1003 {
                    sla-id 3;
                    sla-len 8;
            };
            prefix-interface lagg0.1004 {
                    sla-id 16;
                    sla-len 8;
            };
            prefix-interface lagg0.224 {
                    sla-id 4;
                    sla-len 8;
            };
    };
    


  • Yep, seems to be alright.

    id-assoc pd 0 {
    	prefix ::/62 infinity;
    	prefix-interface igb1 {
    		sla-id 0;
    		sla-len 2;
    	};
    };
    
    

    I noticed something:
    The logs are a bit different now. They say:

    Jun 9 21:27:32	dhcp6c	62162	Sending Request
    Jun 9 21:27:32	dhcp6c	62162	set client ID (len 14)
    Jun 9 21:27:32	dhcp6c	62162	set server ID (len 10)
    Jun 9 21:27:32	dhcp6c	62162	set elapsed time (len 2)
    Jun 9 21:27:32	dhcp6c	62162	set option request (len 4)
    Jun 9 21:27:32	dhcp6c	62162	set IA_PD prefix
    Jun 9 21:27:32	dhcp6c	62162	set IA_PD
    Jun 9 21:27:32	dhcp6c	62162	send request to ff02::1:2%igb0
    Jun 9 21:27:32	dhcp6c	62162	reset a timer on igb0, state=REQUEST, timeo=9, retrans=27750
    Jun 9 21:27:32	dhcp6c	62162	receive reply from fe80::...%igb0 on igb0
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option server ID, len 10
    Jun 9 21:27:32	dhcp6c	62162	DUID: ...
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option client ID, len 14
    Jun 9 21:27:32	dhcp6c	62162	DUID: ...
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option opt_82, len 4
    Jun 9 21:27:32	dhcp6c	62162	unknown or unexpected DHCP6 option opt_82, len 4
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option DNS, len 16
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option domain search list, len 5
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option opt_20, len 0
    Jun 9 21:27:32	dhcp6c	62162	unknown or unexpected DHCP6 option opt_20, len 0
    Jun 9 21:27:32	dhcp6c	62162	get DHCP option authentication, len 28
    Jun 9 21:27:32	dhcp6c	62162	proto: reconfig, alg: HMAC-MD5, RDM: mono counter, RD: ...
    

    Which is sending and decoding the request.
    E.g. decoding the option 20 that the ISP router sends is all parsed (or skipped) - up to this point.
    And then:

    Jun 9 21:27:32	dhcp6c	62162	unsupported authentication protocol: 1
    Jun 9 21:27:32	dhcp6c	62162	failed to parse options
    Jun 9 21:28:00	dhcp6c	62162	no responses were received
    

    It stops!
    But after the Authentication part comes the IA_PD!
    Could it be that after failing at decoding the authentication protocol pfSense just ignores the rest of the packet?

    Edit 2: I had a look at the source code, it seems the dhcp6c doesn't support the Reconfigure Key Authentication Protocol yet?
    https://github.com/hrs-allbsd/wide-dhcpv6/blob/freebsd/dhcp6c.c#L2010
    (Source as per https://forum.netgate.com/topic/126501/where-to-find-source-code-of-pfsense-dhcp-and-dhcpv6-cleints/4)
    Looks like it discards the packet afterwards and ignores the IA_PD which comes right after the Authentication block...

    Edit: After rebooting ISP router and pfSense box, the first seven repeats are like the logs I posted earlier in the thread (with status code: no prefixes), after that it's what I just posted now (with unsupported authentication protocol: 1)
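
Added example (not part of the original post, and not dhcp6c's code): a Python parser for a constructed Reply whose options follow the order in the capture, showing how aborting on the Authentication option loses the IA_PD behind it, and how sla-id/sla-len map the delegated /62 to a LAN /64. The prefix 2001:db8:0:201c::/62, the zeroed DUIDs and key, and all function names are assumptions made for illustration.

```python
import ipaddress
import struct

OPT_AUTH, OPT_IA_PD, OPT_IAPREFIX = 11, 25, 26   # option codes shown in the capture


class UnsupportedAuth(Exception):
    """Strict mode: the Authentication option could not be handled."""


def opt(code, payload=b""):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def walk(buf):
    """Yield (code, payload) per option; refuse options that overrun the buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError(f"option {code} overruns the message")
        yield code, buf[off:off + length]
        off += length


def parse_ia_pd(payload):
    """Return [(network, preferred, valid)] from one IA_PD option body."""
    if len(payload) < 12:                      # IAID, T1, T2
        raise ValueError("short IA_PD")
    out = []
    for code, sub in walk(payload[12:]):
        if code == OPT_IAPREFIX and len(sub) >= 25:
            preferred, valid, plen = struct.unpack_from("!IIB", sub)
            addr = ipaddress.IPv6Address(sub[9:25])
            out.append((ipaddress.IPv6Network((addr, plen), strict=False),
                        preferred, valid))
    return out


def delegated_prefixes(message, supported_auth=(), abort_on_unknown_auth=True):
    """Collect delegated prefixes from a DHCPv6 message.

    abort_on_unknown_auth=True models the behaviour the post describes: the
    whole message is rejected at option 11, so a later IA_PD is never read.
    With False the option is skipped; assumption: the client never accepts
    Reconfigure messages and so has no use for the key it carries.
    """
    prefixes = []
    for code, payload in walk(message[4:]):    # skip msg-type and 3-byte XID
        if code == OPT_AUTH:
            if len(payload) < 11:              # protocol, algorithm, RDM, 8-byte RD
                raise ValueError("short Authentication option")
            if payload[0] not in supported_auth:
                if abort_on_unknown_auth:
                    raise UnsupportedAuth(f"protocol {payload[0]}")
                continue                       # skip this option, keep walking
        elif code == OPT_IA_PD:
            prefixes.extend(parse_ia_pd(payload))
    return prefixes


def lan_prefix(delegated, sla_id, sla_len):
    """Derive an interface prefix the way sla-id / sla-len select it."""
    new_len = delegated.prefixlen + sla_len
    if new_len > 128 or not 0 <= sla_id < (1 << sla_len):
        raise ValueError("sla-id does not fit in sla-len bits of this delegation")
    base = int(delegated.network_address) | (sla_id << (128 - new_len))
    return ipaddress.IPv6Network((base, new_len))


def build_sample_reply():
    """Constructed Reply: same option order and lengths as the capture."""
    ia_prefix = (struct.pack("!IIB", 39650, 50450, 62)
                 + ipaddress.IPv6Address("2001:db8:0:201c::").packed)
    ia_pd = struct.pack("!III", 0, 19825, 31720) + opt(OPT_IAPREFIX, ia_prefix)
    # Protocol 3, algorithm 1, RDM 0, 8-byte replay field, key type 1 + 16-byte key.
    auth = bytes([3, 1, 0]) + bytes(8) + b"\x01" + bytes(16)
    return (b"\x07" + bytes.fromhex("d0c619")  # Reply, XID
            + opt(2, bytes(10))                # Server Identifier (zeroed)
            + opt(1, bytes(14))                # Client Identifier (zeroed)
            + opt(82, bytes(4))                # SOL_MAX_RT
            + opt(23, bytes(16))               # DNS recursive name server
            + opt(24, b"\x03lan\x00")          # Domain Search List
            + opt(20)                          # Reconfigure Accept
            + opt(OPT_AUTH, auth)              # Authentication, length 28
            + opt(OPT_IA_PD, ia_pd))           # IA_PD, length 41


if __name__ == "__main__":
    reply = build_sample_reply()
    try:
        delegated_prefixes(reply)
    except UnsupportedAuth as exc:
        print("strict parse dropped the Reply:", exc)
    for net, _preferred, _valid in delegated_prefixes(reply, abort_on_unknown_auth=False):
        print("delegated", net, "-> LAN", lan_prefix(net, sla_id=0, sla_len=2))
```
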



  • I contacted the ISP about the Reconfigure Key Authentication Protocol issue and they confirmed there is a bug in the version of odhcpd they're using.
    The server sends the reconfigure-accept option, even though the client didn't ask for it.
    In the case of pfSense reconfiguration isn't even implemented yet, as far as I can see.

    They told me this will be fixed on their router in Q3.
    So I guess this mystery is solved!


  • Netgate

    Nice digging. Thanks for getting back.