    Pfsense configures radvd with a /60, breaking it [SOLVED]

    • R
      ripdog last edited by ripdog

      Hello!

      I've just made a new pfsense install, and it's all working great - except for radvd. For some reason, radvd is configured to hand out a /60 prefix to my network, and it refuses to do that. Under the routing log, I get massive spam of:

      Oct 4 19:59:26 	radvd 	8561 	prefix length should be 64 for em1 
      

      If I ssh into the router and change the 60 to a 64, radvd works fine and my network gets IPv6.

      I suppose this is happening because my LAN is getting a /60 prefix. ifconfig shows a prefixlen of 60.

      Here's my setup: I get internet over PPPoE over VLAN 10 from my ISP. After that, I do DHCPv6-PD to get a /52 prefix (ISP won't give me anything else). My LAN is set to Track Interface on my WAN, with a prefix ID of 0 (does that do anything?).

      Does anyone know why Track Interface is slapping a /60 on my LAN after I get a /52 from my ISP, and why pfsense is then uncritically passing that on to radvd despite the fact that radvd doesn't support it (and I believe it's against the spec)?

      Thanks for your time.

      (I would have my ifconfig output here, but that seems to upset the great gatekeeper Akismet.)

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        Enable debug mode for the WAN IPv6 DHCP client and see what the logs show.

        Usually that kind of math error happens because your configured prefix length does not match what the ISP actually gave you.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • R
          ripdog last edited by

          Thanks for the reply.

          You were actually right (my ISP gives /56, not /52), but fixing that hasn't fixed my issue. Now Radvd is configured to give /56's out, and is spamming the same error:

          prefix 2406:e231:8819::/56
          

          Logging:

          Oct 6 13:11:05 	radvd 	40658 	prefix length should be 64 for em1 
          

          And from ifconfig:

          prefixlen 56
          

          Why is math involved here? If radvd will only ever accept /64, what is there to calculate?

          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            What is in your /var/etc/dhcp6c_wan.conf file?

            There is math involved inside the client because it has to take the prefix length and calculate it based on the prefix ID and what was received. It's not math done by pfSense, but inside dhcp6c.

            • R
              ripdog last edited by

              [2.4.4-RELEASE][ripdog@madokasama.home]/home/ripdog: cat /var/etc/dhcp6c_wan.conf
              interface pppoe0 {
                      send ia-pd 0;   # request prefix delegation
                      request domain-name-servers;
                      request domain-name;
                      script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"; # we'd like nameservers and RTSOLD to do all the work
              };
              id-assoc pd 0 {
                      prefix ::/56 infinity;
                      prefix-interface em1 {
                              sla-id 0;
                              sla-len 8;
                      };
              };
              
              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                What happens if you uncheck the "send prefix hint" box in the WAN settings?

                Also, with the client in debug mode, what gets logged from the ISP for the prefix (lines containing IA_PD)?

                The sla-len bits are correct if you receive a /56, but I have to wonder if maybe somehow dhcp6c is using the prefix hint incorrectly if what it receives from the ISP does not match that prefix size.

                • R
                  ripdog last edited by

                  I have no idea how I got this so wrong, but it turns out I was wrong about my ISP's prefix size AGAIN. You only get a /56 if you pay for a static IP+prefix, everyone else gets a /48. They don't document this, of course. I suppose the community members who had documented their own IPv6 setups had mostly been paying for the static IP.

                  After turning off the prefix hint (seems it wasn't necessary after all) and setting the prefix length to /48, ifconfig is reporting a /64 being put on my LAN interface, and radvd is getting the same and working fine.

                  Thanks so much for your help.

                  Since you're a developer, I have to ask: It seems like it should be fairly easy for pfsense to detect when dhcp6c is receiving a different prefix length to what is being configured. Perhaps it could detect that and provide an alert like "You've configured WAN to receive a /56 prefix, but your ISP provided a /48. IPv6 may not work until the prefix length is correctly configured."? Might stop others from falling into the trap I did.

                  Thanks again.

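The prefix-length arithmetic behind this thread, as an added example that is not part of the original posts and is not pfSense or dhcp6c code. It assumes dhcp6c gives the tracked interface a prefix length of (delegated length + `sla-len`); the function names are hypothetical and the sample config is the `id-assoc` block posted above.

```shell
#!/bin/sh
# Added example, not pfSense or dhcp6c code.
# Assumption: interface prefix length = delegated length + sla-len.

# Print the length from the "prefix ::/N" hint line of a dhcp6c config.
configured_len() {
    sed -n 's|^[[:space:]]*prefix ::/\([0-9]*\).*|\1|p' "$1"
}

# Print "<iface> /<len> <ok|MISMATCH>" for each prefix-interface block.
# $1 = config file, $2 = prefix length the ISP actually delegated
# (read from the IA_PD lines of the dhcp6c debug log).
lan_prefixlen() {
    awk -v got="$2" '
        $1 == "prefix-interface" { iface = $2 }
        $1 == "sla-len" {
            sub(/;/, "", $2)
            len = got + $2
            # radvd only accepts a /64 on the advertised interface
            printf "%s /%d %s\n", iface, len, (len == 64 ? "ok" : "MISMATCH")
        }' "$1"
}

# Constructed sample file holding the id-assoc block from this thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
id-assoc pd 0 {
        prefix ::/56 infinity;
        prefix-interface em1 {
                sla-id 0;
                sla-len 8;
        };
};
EOF

echo "configured hint: /$(configured_len "$SAMPLE")"
lan_prefixlen "$SAMPLE" 56   # ISP delegates the configured /56
lan_prefixlen "$SAMPLE" 48   # ISP delegates a /48 instead
```

With `sla-len 8` and a /48 delegation the result is the /56 that `ifconfig` reported on em1, which radvd rejects.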
                  • JKnott
                    JKnott last edited by

                    @ripdog said in Pfsense configures radvd with a /60, breaking it [SOLVED]:

                    You only get a /56 if you pay for a static IP+prefix, everyone else gets a /48.

                    Hopefully, they'll respect the DUID and provide a consistent prefix. When they say static, are they referring to the WAN IP or the entire prefix? It's only the prefix you're worried about. The WAN IP is pretty much irrelevant.

                    It's a shame you'll have to make do with only a meager /48. 😉

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 64 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    • R
                      ripdog last edited by

                      Hah, I'm not complaining. 48 is bigger, after all.

                      Static is a product for both v4 and v6, giving a static v4 IP and v6 prefix. I have no idea how often my prefix changes, I haven't bothered to find out. I'm not worried, anyway.

                      • jimp
                        jimp Rebel Alliance Developer Netgate @ripdog last edited by

                        @ripdog said in Pfsense configures radvd with a /60, breaking it [SOLVED]:

                        Since you're a developer, I have to ask: It seems like it should be fairly easy for pfsense to detect when dhcp6c is receiving a different prefix length to what is being configured.

                        It actually isn't. The client doesn't expose the prefix to scripts or the environment in any way yet. There is an open issue where someone is looking into that, though.

                        At the moment the only way to even find that out is putting the client in debug mode and then scraping the log output, which is too late to do anything programmatically and prone to errors.

                        • R
                          ripdog last edited by

                          Log scraping is what I had been thinking about, actually. Leaving the client in debug mode by default seems fine, surely? It's not like it spams thousands of messages or anything.

                          • Derelict
                            Derelict LAYER 8 Netgate last edited by

                            I leave all of mine in debug mode. It's generally harmless and usually when I look for the logs they've already rolled off. And I have my logs set to 50MB. Not spammy at all.

                            Chattanooga, Tennessee, USA
                            The pfSense Book is free of charge!
                            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)
