Can't get IPv6 address on WAN (Comcast)

zwoop · Jul 2, 2018, 7:13 PM

Hi,

I found a number of similar posts, but none that seemed to experience my problems. I have a Comcast internet connectivity, and while IPv4 works just fine, I can not seem to get IPv6 running. I enabled IPv6 with DHCP6 on the WAN interface. But, I only get the link local IPv6 address, not the one I'd expect from upstream. I see a number of errors in dhcpd.log, neither of which I could find any solution for:

Jul 2 11:39:25 yggdrasil dhcp6c[79024]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jul 2 11:39:25 yggdrasil dhcp6c[79024]: failed initialize control message authentication
Jul 2 11:39:25 yggdrasil dhcp6c[79024]: skip opening control port
Jul 2 11:39:25 yggdrasil dhcp6c[79024]: /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
Jul 2 11:39:25 yggdrasil dhcp6c[79024]: failed to parse configuration file
Jul 2 12:50:58 yggdrasil dhclient[39455]: connection closed
Jul 2 12:50:58 yggdrasil dhclient[39455]: exiting.

My /var/etc/dhcp6c_wan.conf is as follows (I did not manually edit this at all):

interface igb0 {
send ia-na 0; # request stateful address
send ia-pd 0; # request prefix delegation
request domain-name-servers;
request domain-name;
script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };

Question: is there something missing in the id-assoc na 0 line ?

The file /usr/local/etc/dhcp6cctlkey does not exist, and I have no idea what I should put in there :). ifconfig shows (slightly edited, removing private information):

[2.4.3-RELEASE][admin@yggdrasil.ogre.com]/var/log: ifconfig -a
igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO>
ether xx:xx:xx:xx:xx:xx
hwaddr xx:xx:xx:xx:xx:xx
inet6 fe80::208:xxxx:xxxx:xxxx%igb0 prefixlen 64 scopeid 0x1
inet x.x.x.x netmask 0xfffffe00 broadcast 255.255.255.255
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

I've tried with "Use IPv4 connectivity as parent interface" both enabled and disabled, but seems to make no difference. Enabling dhcp6 debug, I get

Jul 2 13:09:12 yggdrasil dhcp6c[799]: extracted an existing DUID from /var/db/dhcp6c_duid: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Jul 2 13:09:12 yggdrasil dhcp6c[799]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jul 2 13:09:12 yggdrasil dhcp6c[799]: failed initialize control message authentication
Jul 2 13:09:12 yggdrasil dhcp6c[799]: skip opening control port
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[interface] (9)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <5>[igb0] (4)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>begin of closure [{] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[send] (4)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[ia-na] (5)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[0] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>comment [# request stateful address] (26)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[send] (4)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[ia-pd] (5)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[0] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>comment [# request prefix delegation] (27)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[request] (7)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[domain-name-servers] (19)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[request] (7)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[domain-name] (11)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[script] (6)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>comment [# we'd like some nameservers please] (35)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of closure [}] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>[id-assoc] (8)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <13>[na] (2)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <13>[0] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <13>begin of closure [{] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of closure [}] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: <3>end of sentence [;] (1)
Jul 2 13:09:12 yggdrasil dhcp6c[799]: called
Jul 2 13:09:12 yggdrasil dhcp6c[799]: /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
Jul 2 13:09:12 yggdrasil dhcp6c[799]: called
Jul 2 13:09:12 yggdrasil dhcp6c[799]: failed to parse configuration file

Second question: Am I supposed to create an IPv6 WAN Gateway in the Routing setup? I tried that as well, with and without an IPv6 WAN gateway, but seemed to make no difference (and, now I can't delete it, but I can disable it).

Any help / tips much appreciated!

Thanks,

-- Leif

zwoop · Jul 5, 2018, 6:07 PM

Small update, while fiddling with all these things, I noticed that if I put the modem in router mode (so it NATs etc.), then pfSense can successfully get a correct IPv6. But back in bridge mode, where pfSense talks directly to the Comcast DHCP6 servers, it fails.

gzorn · Jul 6, 2018, 6:52 PM

I've run into some similar difficulty. Make sure that your LAN is set to track your WAN IPV6. If I understand correctly, that's needed for the dhcp6 config to parse correctly.
I'd also recommend setting a manual request for a prefix delegation of /60 (it works for me on comcast). You might need to delete the file /var/db/dhcp6c_duid before making the change to get it to work. See this thread.
https://forum.netgate.com/topic/87190/how-to-release-renew-dhcp6-ipv6-to-move-from-64-60/7

MikeV7896 · Jul 7, 2018, 12:15 PM

I would think you'd still get a /128 global address for the WAN interface itself, but maybe I'm wrong... regardless, if you're using DHCPv6 to get a prefix, you need to have a LAN or other interface that is tracking WAN in order for the prefix to actually be obtained. Maybe that also applies to the WAN global address.

BTW, you don't need to delete the DUID file anymore. You can actually adjust the DUID setting in System > Advanced > Networking, assuming you're running a newer version of pfSense. Just increase the time value a few seconds to create a different DUID and Comcast's servers will respond accordingly. The old DUID will eventually expire out of their systems after a week. In fact, pfSense might just re-create the DUID file with the same DUID if you don't change the setting.

zwoop · Sep 14, 2018, 8:47 PM

Long story short, I managed to brick my Netgate / pfSsense router (while trying to setup ntopng, no idea why it bricked). So, I reset the router, and started a fresh configuration, with the WAN interface connected to the Comcast modem. And lo and behold, IPv6 kicked in automatically, without me doing anything ... I know it's not a great solution for others, but if you end up like me, and IPv6 refuses to work, doing a hard reset of the configuration might be worth it. :).

JeFizz · Nov 2, 2018, 2:18 PM

I'm seeing the exact same behavior on my VM running 2.4.4-RELEASE (amd64). What gives?

Nov  2 08:45:52 pfsense dhcp6c[60377]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Nov  2 08:45:52 pfsense dhcp6c[60377]: failed initialize control message authentication
Nov  2 08:45:52 pfsense dhcp6c[60377]: skip opening control port
Nov  2 08:45:52 pfsense dhcp6c[60377]: /var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
Nov  2 08:45:52 pfsense dhcp6c[60377]: failed to parse configuration file