Pfsense configures radvd with a /60, breaking it [SOLVED]



  • Hello!

    I've just made a new pfsense install, and it's all working great - except for radvd. For some reason, radvd is configured to hand out a /60 prefix to my network, and it refuses to do that. Under the routing log, I get massive spam of:

    Oct 4 19:59:26 	radvd 	8561 	prefix length should be 64 for em1 
    

    If I ssh into the router and change the 60 to a 64, radvd works fine and my network gets IPv6.

    I suppose this is happening because my LAN is getting a /60 prefix. ifconfig shows a prefixlen of 60.

    Here's my setup: I get internet over PPPoE over VLAN 10 from my ISP. After that, I do DHCPv6-PD to get a /52 prefix (ISP won't give me anything else). My LAN is set to Track Interface on my WAN, with a prefix ID of 0 (does that do anything?).

    Does anyone know why Track Interface is slapping a /60 on my LAN after I get a /52 from my ISP, and why pfsense is then uncritically passing that on to radvd despite the fact that radvd doesn't support it (and I believe it's against the spec)?

    Thanks for your time.

    (I would have my ifconfig output here, but that seems to upset the great gatekeeper Akismet.)


  • Rebel Alliance Developer Netgate

    Enable debug mode for the WAN IPv6 DHCP client and see what the logs show.

    Usually that kind of math error happens because your configured prefix length does not match what the ISP actually gave you.



  • Thanks for the reply.

    You were actually right (my ISP gives /56, not /52), but fixing that hasn't fixed my issue. Now Radvd is configured to give /56's out, and is spamming the same error:

    prefix 2406:e231:8819::/56
    

    Logging:

    Oct 6 13:11:05 	radvd 	40658 	prefix length should be 64 for em1 
    

    And from ifconfig:

    prefixlen 56
    

    Why is math involved here? If radvd will only ever accept /64, what is there to calculate?


  • Rebel Alliance Developer Netgate

    What is in your /var/etc/dhcp6c_wan.conf file?

    There is math involved inside the client because it has to take the prefix length and calculate it based on the prefix ID and what was received. It's not math done by pfSense, but inside dhcp6c.



  • [2.4.4-RELEASE][ripdog@madokasama.home]/home/ripdog: cat /var/etc/dhcp6c_wan.conf
    interface pppoe0 {
            send ia-pd 0;   # request prefix delegation
            request domain-name-servers;
            request domain-name;
            script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"; # we'd like nameservers and RTSOLD to do all the work
    };
    id-assoc pd 0 {
            prefix ::/56 infinity;
            prefix-interface em1 {
                    sla-id 0;
                    sla-len 8;
            };
    };

  • Rebel Alliance Developer Netgate

    What happens if you uncheck the "send prefix hint" box in the WAN settings?

    Also, with the client in debug mode, what gets logged from the ISP for the prefix (lines containing IA_PD)?

    The sla-len bits are correct if you receive a /56, but I have to wonder if maybe somehow dhcp6c is using the prefix hint incorrectly if what it receives from the ISP does not match that prefix size.



  • I have no idea how I got this so wrong, but it turns out I was wrong about my ISP's prefix size AGAIN. You only get a /56 if you pay for a static IP+prefix, everyone else gets a /48. They don't document this, of course. I suppose the community members who had documented their own IPv6 setups had mostly been paying for the static IP.

    After turning off the prefix hint (seems it wasn't necessary after all) and setting the prefix length to /48, ifconfig is reporting a /64 being put on my LAN interface, and radvd is getting the same and working fine.

    Thanks so much for your help.

    Since you're a developer, I have to ask: It seems like it should be fairly easy for pfsense to detect when dhcp6c is receiving a different prefix length to what is being configured. Perhaps it could detect that and provide an alert like "You've configured WAN to receive a /56 prefix, but your ISP provided a /48. IPv6 may not work until the prefix length is correctly configured."? Might stop others from falling into the trap I did.

    Thanks again.



  • @ripdog said in Pfsense configures radvd with a /60, breaking it [SOLVED]:

    You only get a /56 if you pay for a static IP+prefix, everyone else gets a /48.

    Hopefully, they'll respect the DUID and provide a consistent prefix. When they say static, are they referring to the WAN IP or the entire prefix? It's only the prefix you're worried about. The WAN IP is pretty much irrelevant.

    It's a shame you'll have to make do with only a meager /48. 😉



  • Hah, I'm not complaining. 48 is bigger, after all.

    Static is a product for both v4 and v6, giving a static v4 IP and v6 prefix. I have no idea how often my prefix changes, I haven't bothered to find out. I'm not worried, anyway.


  • Rebel Alliance Developer Netgate

    @ripdog said in Pfsense configures radvd with a /60, breaking it [SOLVED]:

    Since you're a developer, I have to ask: It seems like it should be fairly easy for pfsense to detect when dhcp6c is receiving a different prefix length to what is being configured.

    It actually isn't. The client doesn't expose the prefix to scripts or the environment in any way yet. There is an open issue where someone is looking into that, though.

    At the moment the only way to even find that out is putting the client in debug mode and then scraping the log output, which is too late to do anything programmatically and prone to errors.



  • Log scraping is what I had been thinking about, actually. Leaving the client in debug mode by default seems fine, surely? It's not like it spams thousands of messages or anything.


  • Netgate

    I leave all of mine in debug mode. It's generally harmless and usually when I look for the logs they've already rolled off. And I have my logs set to 50MB. Not spammy at all.
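
The arithmetic behind this thread, as an added example that is not part of any post and is not pfSense or dhcp6c code: dhcp6c assigns the LAN a prefix whose length is the delegated length plus `sla-len`, so a /48 delegation combined with the `sla-len 8` from the posted config gives the /56 that radvd rejected. The debug-log lines are constructed and their exact layout is an assumption (only "a line containing IA_PD with an address/length" is relied on); the function names are hypothetical.

```python
import re

# PD section of the /var/etc/dhcp6c_wan.conf posted in the thread.
DHCP6C_CONF = """
id-assoc pd 0 {
        prefix ::/56 infinity;
        prefix-interface em1 {
                sla-id 0;
                sla-len 8;
        };
};
"""

# Constructed debug-log lines (layout assumed); 2001:db8::/32 is the
# IPv6 documentation range, not the poster's prefix.
SAMPLE_LOG = """\
Oct 6 13:10:58 dhcp6c 40112 get DHCP option IA_PD, len 41
Oct 6 13:10:58 dhcp6c 40112 IA_PD prefix: 2001:db8:1234::/48 pltime=3600 vltime=7200
"""

def parse_conf(text):
    """Return (prefix hint length or None, {interface: sla-len})."""
    hint = re.search(r"^\s*prefix\s+\S+/(\d+)\s", text, re.M)
    ifaces = {}
    for name, body in re.findall(r"prefix-interface\s+(\S+)\s*\{(.*?)\}", text, re.S):
        m = re.search(r"sla-len\s+(\d+)\s*;", body)
        if m:
            ifaces[name] = int(m.group(1))
    return (int(hint.group(1)) if hint else None), ifaces

def delegated_len(log_text):
    """Length of the last prefix seen on a log line containing IA_PD."""
    found = None
    for line in log_text.splitlines():
        m = re.search(r"IA_PD.*?[0-9a-fA-F:]+/(\d{1,3})\b", line)
        if m:
            found = int(m.group(1))
    return found

def check(conf_text, log_text):
    """Compare what was configured with what the ISP actually delegated."""
    hint, ifaces = parse_conf(conf_text)
    got = delegated_len(log_text)
    if got is None:
        return None  # no IA_PD prefix logged: nothing to compare
    # Per interface: (length that lands on the LAN, sla-len that would give /64)
    return {"hint": hint, "delegated": got,
            "lan": {i: (got + s, 64 - got) for i, s in ifaces.items()}}
```

For the posted config, `check(DHCP6C_CONF, SAMPLE_LOG)` reports a /56 on em1 and a required `sla-len` of 16, which is what setting the WAN prefix size to /48 produces.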