IPv6 no longer working after updating to 2.4.4



  • Hi all,

    As the title says, my IPv6 connectivity has stopped since updating to 2.4.4. What's strange is pfSense is able to obtain an address on both the WAN and LAN side, but it's not assigning an address to any clients.

    If you take a look at this below, you can see what I mean:


    I even went as far as disabling IPv6 from my ISP and using a Hurricane Electric tunnel, though I'm not really sure what I expected as it seems to be an issue with the DHCP server on pfSense.

    Any way anyone can help troubleshoot this? I looked at the logs for DHCP but most of it seems to be for v4 and very little to do with v6.

    Thanks for any help!


  • Rebel Alliance Global Moderator

    Why would you look at DHCP? Did you mean DHCPv6... are you running that? It sure is not required for IPv6 to function.



  • By looking at DHCP I mean in System Logs, there is the DHCP section. Is that not where it shows information related to this?

    I do have DHCPv6 Server running because I had previously been assigning static addresses for certain clients.


  • Rebel Alliance Developer Netgate

    What type of hardware (real or virtual) setup is this?

    Does IPv6 connectivity work from the firewall, but not clients behind the firewall?

    Do you have an IPv6 gateway configured as default for IPv6 (System > Routing), and is it showing under Diagnostics > Routes?

    Do clients on the LAN obtain an IPv6 address?



  • @jimp said in IPv6 no longer working after updating to 2.4.4:

    What type of hardware (real or virtual) setup is this?

    This is a bare metal setup

    Does IPv6 connectivity work from the firewall, but not clients behind the firewall?

    What's strange is when I was playing around with it the other day I was able to ping6 hosts from the firewall itself. Today that doesn't seem to be the case, despite having an address assigned to it.

    Do you have an IPv6 gateway configured as default for IPv6 (System > Routing), and is it showing under Diagnostics > Routes?

    Yes, and yes..

    Do clients on the LAN obtain an IPv6 address?

    No, which seems to be the main problem. What's strange is after my last post a few minutes ago, under Interfaces -> LAN, I turned IPv6 connectivity to None and then back to Track Interface, and for about 30 seconds I was assigned an address on my computer, but it's now gone.

    Thanks for your assistance!


  • Rebel Alliance Developer Netgate

    If you are on Track Interface, you actually need to save and apply on WAN for it to reapply an address obtained from DHCPv6 on WAN.

    That should also trigger the other parts to reconfigure.

    You can set the DHCPv6 client to log more verbosely by putting it into debug mode, also on the WAN settings. Then check the DHCP log tab for errors.



  • Hmmmm, that didn't seem to do the trick. Tried saving and applying from the WAN page but still no ability to access any IPv6 from the firewall and no address assigned to clients.

    I also enabled debug mode, but nothing really stands out in the DHCP log tab. Is there any way to get it to show more entries than the default? Can I filter out v6 entries only?


  • Rebel Alliance Developer Netgate

    If you filter that log for anything from dhcp6c it should show you quite a bit in debug mode. You'll need to increase the amount of lines it shows quite a bit, I'd set it up to 250 at least to be sure.



  • Ahh I got it now!

    Does anything in this log look out of the ordinary?

    Oct 1 14:10:40 	dhcp6c 	45170 	got an expected reply, sleeping.
    Oct 1 14:10:40 	dhcp6c 	45170 	removing server (ID: 00:01:00:01:16:72:7a:51:00:14:4f:f1:32:d1)
    Oct 1 14:10:40 	dhcp6c 	45170 	removing an event on re1, state=REQUEST
    Oct 1 14:10:40 	dhcp6c 	45170 	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Oct 1 14:10:40 	dhcp6c 		dhcp6c REQUEST on re1 - running rc.newwanipv6
    Oct 1 14:10:33 	dhcp6c 	45170 	executes /var/etc/dhcp6c_wan_script.sh
    Oct 1 14:10:33 	dhcp6c 	45170 	add an address 2607:f798:xxxxxx on re1
    Oct 1 14:10:33 	dhcp6c 	45170 	create an address 2607:f798:xxxxx pltime=169472, vltime=7855461924157861248
    Oct 1 14:10:33 	dhcp6c 	45170 	make an IA: NA-0
    Oct 1 14:10:33 	dhcp6c 	45170 	add an address 2607:fea8:5b00:xxxx/64 on re0
    Oct 1 14:10:33 	dhcp6c 	45170 	create a prefix 2607:fea8:5b00:xxxx::/64 pltime=169472, vltime=601472
    Oct 1 14:10:33 	dhcp6c 	45170 	make an IA: PD-0
    Oct 1 14:10:33 	dhcp6c 	45170 	nameserver[1] 2607:f798:18:10:0:640:7125:5198
    Oct 1 14:10:33 	dhcp6c 	45170 	nameserver[0] 2607:f798:18:10:0:640:7125:5204
    Oct 1 14:10:33 	dhcp6c 	45170 	dhcp6c Received REQUEST
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option DNS, len 32
    Oct 1 14:10:33 	dhcp6c 	45170 	IA_PD prefix: 2607:fea8:5b00:xxxx::/64 pltime=169472 vltime=601472
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option IA_PD prefix, len 25
    Oct 1 14:10:33 	dhcp6c 	45170 	IA_PD: ID=0, T1=84736, T2=135577
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option IA_PD, len 41
    Oct 1 14:10:33 	dhcp6c 	45170 	IA_NA address: 2607:f798:xxxxxxx pltime=169472 vltime=601472
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option IA address, len 24
    Oct 1 14:10:33 	dhcp6c 	45170 	IA_NA: ID=0, T1=84736, T2=135577
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option identity association, len 40
    Oct 1 14:10:33 	dhcp6c 	45170 	DUID: 00:01:00:01:16:72:7a:51:00:14:4f:f1:32:d1
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option server ID, len 14
    Oct 1 14:10:33 	dhcp6c 	45170 	DUID: 00:01:00:01:22:cf:8e:04:7c:8b:ca:00:ef:46
    Oct 1 14:10:33 	dhcp6c 	45170 	get DHCP option client ID, len 14
    Oct 1 14:10:33 	dhcp6c 	45170 	receive reply from fe80::217:10ff:fe90:e80b%re1 on re1
    Oct 1 14:10:33 	dhcp6c 	45170 	reset a timer on re1, state=REQUEST, timeo=0, retrans=909
    Oct 1 14:10:33 	dhcp6c 	45170 	send request to ff02::1:2%re1
    Oct 1 14:10:33 	dhcp6c 	45170 	set IA_PD
    Oct 1 14:10:33 	dhcp6c 	45170 	set IA_PD prefix
    Oct 1 14:10:33 	dhcp6c 	45170 	set option request (len 4)
    Oct 1 14:10:33 	dhcp6c 	45170 	set elapsed time (len 2)
    Oct 1 14:10:33 	dhcp6c 	45170 	set identity association
    Oct 1 14:10:33 	dhcp6c 	45170 	set IA address
    Oct 1 14:10:33 	dhcp6c 	45170 	set server ID (len 14)
    Oct 1 14:10:33 	dhcp6c 	45170 	set client ID (len 14)
    Oct 1 14:10:33 	dhcp6c 	45170 	a new XID (ec6766) is generated
    Oct 1 14:10:33 	dhcp6c 	45170 	Sending Request
    Oct 1 14:10:33 	dhcp6c 	45170 	picked a server (ID: 00:01:00:01:16:72:7a:51:00:14:4f:f1:32:d1)
    Oct 1 14:10:32 	dhcp6c 	45170 	reset timer for re1 to 0.984332
    Oct 1 14:10:32 	dhcp6c 	45170 	server ID: 00:01:00:01:16:72:7a:51:00:14:4f:f1:32:d1, pref=-1
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option DNS, len 32
    Oct 1 14:10:32 	dhcp6c 	45170 	IA_PD prefix: 2607:fea8:5b00:xxxx::/64 pltime=169473 vltime=601473
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option IA_PD prefix, len 25
    Oct 1 14:10:32 	dhcp6c 	45170 	IA_PD: ID=0, T1=84736, T2=135578
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option IA_PD, len 41
    Oct 1 14:10:32 	dhcp6c 	45170 	IA_NA address: 2607:f798:xxxxx pltime=169473 vltime=601473
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option IA address, len 24
    Oct 1 14:10:32 	dhcp6c 	45170 	IA_NA: ID=0, T1=84736, T2=135578
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option identity association, len 40
    Oct 1 14:10:32 	dhcp6c 	45170 	DUID: 00:01:00:01:16:72:7a:51:00:14:4f:f1:32:d1
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option server ID, len 14
    Oct 1 14:10:32 	dhcp6c 	45170 	DUID: 00:01:00:01:22:cf:8e:04:7c:8b:ca:00:ef:46
    Oct 1 14:10:32 	dhcp6c 	45170 	get DHCP option client ID, len 14
    Oct 1 14:10:32 	dhcp6c 	45170 	receive advertise from fe80::217:10ff:fe90:e80b%re1 on re1
    Oct 1 14:10:32 	dhcp6c 	45170 	reset a timer on re1, state=SOLICIT, timeo=0, retrans=1091
    Oct 1 14:10:32 	dhcp6c 	45170 	send solicit to ff02::1:2%re1
    Oct 1 14:10:32 	dhcp6c 	45170 	set IA_PD
    Oct 1 14:10:32 	dhcp6c 	45170 	set IA_PD prefix
    Oct 1 14:10:32 	dhcp6c 	45170 	set option request (len 4)
    Oct 1 14:10:32 	dhcp6c 	45170 	set elapsed time (len 2)
    Oct 1 14:10:32 	dhcp6c 	45170 	set identity association
    Oct 1 14:10:32 	dhcp6c 	45170 	set client ID (len 14)
    Oct 1 14:10:32 	dhcp6c 	45170 	a new XID (e94bae) is generated
    Oct 1 14:10:32 	dhcp6c 	45170 	Sending Solicit
    Oct 1 14:10:32 	dhcp6c 	45170 	reset a timer on re1, state=INIT, timeo=0, retrans=891
    Oct 1 14:10:32 	dhcp6c 	44680 	called
    Oct 1 14:10:32 	dhcp6c 	44680 	called
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of closure [}] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of closure [}] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[0] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[sla-len] (7)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[0] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[sla-id] (6)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>begin of closure [{] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<5>[re0] (3)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[prefix-interface] (16)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[infinity] (8)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[64] (2)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[/] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[::] (2)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[prefix] (6)
    Oct 1 14:10:32 	dhcp6c 	44680 	<13>begin of closure [{] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<13>[0] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<13>[pd] (2)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[id-assoc] (8)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of closure [}] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<13>begin of closure [{] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<13>[0] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<13>[na] (2)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[id-assoc] (8)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of closure [}] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>comment [# we'd like some nameservers please] (35)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>["/var/etc/dhcp6c_wan_script.sh"] (31)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[script] (6)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[domain-name] (11)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[request] (7)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[domain-name-servers] (19)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[request] (7)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>comment [# request prefix delegation] (27)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[0] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[ia-pd] (5)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[send] (4)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>comment [# request stateful address] (26)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>end of sentence [;] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[0] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[ia-na] (5)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[send] (4)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>begin of closure [{] (1)
    Oct 1 14:10:32 	dhcp6c 	44680 	<5>[re1] (3)
    Oct 1 14:10:32 	dhcp6c 	44680 	<3>[interface] (9)
    Oct 1 14:10:32 	dhcp6c 	44680 	skip opening control port
    Oct 1 14:10:32 	dhcp6c 	44680 	failed initialize control message authentication
    Oct 1 14:10:32 	dhcp6c 	44680 	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Oct 1 14:10:32 	dhcp6c 	44680 	extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:22:cf:8e:04:7c:8b:ca:00:ef:46
    Oct 1 14:08:50 	dhcp6c 	67928 	failed to parse configuration file
    Oct 1 14:08:50 	dhcp6c 	67928 	called
    Oct 1 14:08:50 	dhcp6c 	67928 	/var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
    Oct 1 14:08:50 	dhcp6c 	67928 	called
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of closure [}] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<13>begin of closure [{] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<13>[0] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<13>[na] (2)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[id-assoc] (8)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of closure [}] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>comment [# we'd like some nameservers please] (35)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>["/var/etc/dhcp6c_wan_script.sh"] (31)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[script] (6)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[domain-name] (11)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[request] (7)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[domain-name-servers] (19)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[request] (7)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>comment [# request prefix delegation] (27)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[0] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[ia-pd] (5)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[send] (4)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>comment [# request stateful address] (26)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>end of sentence [;] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[0] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[ia-na] (5)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[send] (4)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>begin of closure [{] (1)
    Oct 1 14:08:50 	dhcp6c 	67928 	<5>[re1] (3)
    Oct 1 14:08:50 	dhcp6c 	67928 	<3>[interface] (9)
    Oct 1 14:08:50 	dhcp6c 	67928 	skip opening control port
    Oct 1 14:08:50 	dhcp6c 	67928 	failed initialize control message authentication
    Oct 1 14:08:50 	dhcp6c 	67928 	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Oct 1 14:08:50 	dhcp6c 	67928 	extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:22:cf:8e:04:7c:8b:ca:00:ef:46
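
Added example, not part of the thread: a triage pass over dhcp6c debug output like the log above. It flags configuration parse failures and any applied valid lifetime that exceeds the 32-bit DHCPv6 lifetime field or differs from what the server sent; `triage` and the finding tuple layout are names chosen for this example.

```python
import re

# Lines copied from the dhcp6c debug log in the post above (newest first,
# as the log viewer lists them); addresses are redacted as posted.
SAMPLE = """\
Oct 1 14:10:33 \tdhcp6c \t45170 \tcreate an address 2607:f798:xxxxx pltime=169472, vltime=7855461924157861248
Oct 1 14:10:33 \tdhcp6c \t45170 \tcreate a prefix 2607:fea8:5b00:xxxx::/64 pltime=169472, vltime=601472
Oct 1 14:10:33 \tdhcp6c \t45170 \tIA_PD prefix: 2607:fea8:5b00:xxxx::/64 pltime=169472 vltime=601472
Oct 1 14:10:33 \tdhcp6c \t45170 \tIA_NA address: 2607:f798:xxxxxxx pltime=169472 vltime=601472
Oct 1 14:08:50 \tdhcp6c \t67928 \tfailed to parse configuration file
Oct 1 14:08:50 \tdhcp6c \t67928 \t/var/etc/dhcp6c_wan.conf:3 IA_PD (0) is not defined
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+dhcp6c\s+(?:(\d+)\s+)?(.*)$")
CONFIG_ERR = re.compile(r"failed to parse configuration file"
                        r"|^\S+\.conf:\d+ .*is not defined")
OFFERED = re.compile(r"^IA_(NA|PD) (?:address|prefix): \S+ pltime=\d+ vltime=(\d+)")
APPLIED = re.compile(r"^create an? (address|prefix) \S+ pltime=\d+, vltime=(\d+)")
U32_MAX = 0xFFFFFFFF  # DHCPv6 carries lifetimes as 4-octet fields


def triage(log_text):
    """Return (kind, timestamp, pid, detail) findings in chronological order."""
    findings = []
    offered = {}  # (pid, "NA" | "PD") -> last valid lifetime the server sent
    # The viewer lists newest entries first; reverse to replay in time order.
    for raw in reversed(log_text.splitlines()):
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, pid, msg = m.groups()
        if CONFIG_ERR.search(msg):
            findings.append(("config", stamp, pid, msg))
        elif (o := OFFERED.match(msg)):
            offered[(pid, o.group(1))] = int(o.group(2))
        elif (a := APPLIED.match(msg)):
            kind = "NA" if a.group(1) == "address" else "PD"
            applied, sent = int(a.group(2)), offered.get((pid, kind))
            if applied > U32_MAX or (sent is not None and applied != sent):
                detail = f"IA_{kind} applied vltime={applied}, server sent {sent}"
                findings.append(("lifetime", stamp, pid, detail))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

A "lifetime" finding only reports the discrepancy between what was received and what was logged as applied; it does not by itself establish the cause of the outage.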
    


  • Tried once again to change LAN connection type from Track Interface -> None -> Track Interface and once again IPv6 was working for less than a minute.

    Checked logs around that timestamp and nothing was going on except for Status -> System Logs -> 'Systems' tab -> 'Routing' tab shows a message:

    prefix length should be 64 for re1

    In Interfaces -> WAN it is set to request a /64.



  • So I decided to reinstall 2.4.4 from scratch. IPv6 worked as expected. I restored from a backup and it started misbehaving again.

    Reset to factory defaults and it's working again.

    Frustrating that I have to configure everything manually again, but at least IPv6 works now.


  • Rebel Alliance Developer Netgate

    If that is the case then it stands to reason that it's a problem with your configuration and not 2.4.4 in general. It could still be a bug, but one triggered only by your specific combination of environment+settings.

    Isolate your interface settings that are different vs a stock install and put them back one by one until it breaks.



  • What's frustrating is it did this when I originally did an upgrade to 2.4.3, so I ended up doing a fresh install of 2.4.3 and re-configuring everything.

    Obviously something was wrong with the configuration, but I'm not sure why, after a fresh install and configuration, any updates to pfSense seem to break IPv6.

    Thanks for your assistance earlier in any case.



    @xero9 I had similar problems changing from 2.4.3_1 to 2.4.4. The way to migrate is the one I always use: back up the configuration, do a clean installation and then restore the configuration. I found different problems in three different installations in three different environments, one on bare metal and two in virtual environments based on Xen.

    I reported it as a bug and I was asked to report it in this forum. It was also mentioned that it was environment + settings, that is nothing.

    I have reconstructed the configuration step by step manually, parameter by parameter, until arriving at a configuration exactly matching those I had in 2.4.3_1, and everything works again.

    My conclusion is that something is broken in the backup and restore mechanism by XML file. That method is breaking random configurations in different environments.

    I have had the configurations working for several years in different environments; it is the first time something like this happens when changing the version using the XML file.

    And it is the first time that I have to reconstruct by hand all the configurations, a terrible job.

    I repeat that there are no differences between the configurations, I have checked it.

    I insist that it is an error in the backup - restore mechanism using the XML file.



  • @fabianburpf
    Thanks for the response fabianburpf!

    Good to know I’m not going crazy and I’m not the only one.

    I would test a theory but everything is working as it should now, so I don’t want to mess with it, but today I “broke” my IPv6 again, but it wasn’t really my fault. The DHCPv6 service wasn’t handing out IPs to all of my systems and static addressing wasn’t working, so I was looking deeper into it, and I think previously I had set RA to Managed and because I had an incorrect DUID (there was a space instead of a : in an entry) it was causing the DHCP server to not run.

    I’m wondering now if I restore using the XML file if it would break entirely again or not but based on your experience I’ll just stick with things the way they are.
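
Added example, not part of the thread: a pre-restore check for the kind of entry the post above describes, a static-mapping DUID with a space where a colon belongs. The XML element names and the strict two-hex-digit octet rule are assumptions made for this example, and the sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. The <staticmap>/<duid>/<hostname> element names are an
# assumption about how static DHCPv6 mappings appear in a config backup.
SAMPLE_XML = """
<pfsense><dhcpdv6><lan>
  <staticmap><duid>00:01:00:01:aa:bb:cc:dd:02:00:00:00:00:01</duid><hostname>nas</hostname></staticmap>
  <staticmap><duid>00:01:00:01:aa:bb:cc:dd:02:00 00:00:00:02</duid><hostname>desktop</hostname></staticmap>
  <staticmap><duid>00:03:00:01:02:00:00:00:03</duid><hostname>printer</hostname></staticmap>
</lan></dhcpdv6></pfsense>
"""

OCTET = re.compile(r"[0-9a-fA-F]{2}")
# Expected total length for link-layer DUIDs on Ethernet (hardware type 1):
# DUID-LLT = 2 type + 2 hw + 4 time + 6 MAC, DUID-LL = 2 type + 2 hw + 6 MAC.
ETHERNET_LEN = {1: 14, 3: 10}


def check_duid(text):
    """Return a list of problems; an empty list means the DUID looks sane."""
    problems = []
    if re.search(r"\s", text):
        problems.append("whitespace inside DUID")
    bad = [p for p in text.split(":") if not OCTET.fullmatch(p)]
    if bad:
        problems.append(f"not a two-digit hex octet: {bad}")
        return problems
    raw = bytes.fromhex(text.replace(":", ""))
    dtype = int.from_bytes(raw[:2], "big")
    if len(raw) < 3 or len(raw) > 130:  # 2-octet type + 1..128 octets
        problems.append(f"length {len(raw)} outside 3..130 octets")
    elif dtype in ETHERNET_LEN and raw[2:4] == b"\x00\x01":
        want = ETHERNET_LEN[dtype]
        if len(raw) != want:
            problems.append(
                f"type {dtype} on Ethernet should be {want} octets, got {len(raw)}")
    elif dtype == 4 and len(raw) != 18:  # DUID-UUID = 2 type + 16 UUID
        problems.append(f"DUID-UUID should be 18 octets, got {len(raw)}")
    return problems


def audit(xml_text):
    """Map hostname -> problems for every static mapping with a bad DUID."""
    report = {}
    for entry in ET.fromstring(xml_text).iter("staticmap"):
        issues = check_duid(entry.findtext("duid", default=""))
        if issues:
            report[entry.findtext("hostname", default="?")] = issues
    return report


if __name__ == "__main__":
    for host, issues in audit(SAMPLE_XML).items():
        print(host, issues)
```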



  • Confirmed. I also had issues with my firewall after upgrading to 2.4.4.
    After upgrading the firewall and restoring my config, the firewall GUI would freeze after a while, rendering internet connectivity unavailable. I also needed to start from scratch to overcome the problems. I was thinking that the problems could be related to the gateway monitoring feature but wasn't able to confirm that.