Pfsense configures radvd with a /60, breaking it [SOLVED]
-
Hello!
I've just made a new pfsense install, and it's all working great - except for radvd. For some reason, radvd is configured to hand out a /60 prefix to my network, and it refuses to do that. Under the routing log, I get massive spam of:
Oct 4 19:59:26 radvd 8561 prefix length should be 64 for em1If I ssh into the router and change the
60to a64, radvd works fine and my network gets IPv6.I suppose this is happening because my LAN is getting a /60 prefix.
ifconfigshows a prefixlen of 60.Here's my setup: I get internet over PPPoE over VLAN 10 from my ISP. After that, I do DHCPv6-PD to get a /52 prefix (ISP won't give me anything else). My LAN is set to Track Interface on my WAN, with a prefix ID of 0 (does that do anything?).
Does anyone know why Track Interface is slapping a /60 on my LAN after I get a /52 from my ISP, and why pfsense is then uncritically passing that on to radvd despite the fact that radvd doesn't support it (and I believe it's against the spec)?
Thanks for your time.
(I would have my ifconfig output here, but that seems to upset the great gatekeeper Akismet.)
-
Enable debug mode for the WAN IPv6 DHCP client and see what the logs show.
Usually that kind of math error happens because your configured prefix length does not match what the ISP actually gave you.
-
Thanks for the reply.
You were actually right (my ISP gives /56, not /52), but fixing that hasn't fixed my issue. Now Radvd is configured to give /56's out, and is spamming the same error:
prefix 2406:e231:8819::/56Logging:
Oct 6 13:11:05 radvd 40658 prefix length should be 64 for em1And from ifconfig:
prefixlen 56Why is math involved here? If radvd will only ever accept /64, what is there to calculate?
-
What is in your
/var/etc/dhcp6c_wan.conffile?There is math involved inside the client because it has to take the prefix length and calculate it based on the prefix ID and what was received. It's not math done by pfSense, but inside
dhcp6c. -
[2.4.4-RELEASE][ripdog@madokasama.home]/home/ripdog: cat /var/etc/dhcp6c_wan.conf interface pppoe0 { send ia-pd 0; # request prefix delegation request domain-name-servers; request domain-name; script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"; # we'd like nameservers and RTSOLD to do all the work }; id-assoc pd 0 { prefix ::/56 infinity; prefix-interface em1 { sla-id 0; sla-len 8; }; }; -
What happens if you uncheck the "send prefix hint" box in the WAN settings?
Also, with the client in debug mode what gets logged from the ISP for the prefix (lines containing
IA_PD)The
sla-lenbits are correct if you receive a /56, but I have to wonder if maybe somehow dhcp6c is using the prefix hint incorrectly if what it receives from the ISP does not match that prefix size. -
I have no idea how I got this so wrong, but it turns out I was wrong about my ISPs prefix size AGAIN. You only get a /56 if you pay for a static IP+prefix, everyone else gets a /48. They don't document this, of course. I suppose the community members who had documented their own IPv6 setups had mostly been paying for the static IP.
After turning off the prefix hint (seems it wasn't necessary after all) and setting the prefix length to /48, ifconfig is reporting a /64 being put on my LAN interface, and radvd is getting the same and working fine.
Thanks so much for your help.
Since you're a developer, I have to ask: It seems like it should be fairly easy for pfsense to detect when dhcp6c is receiving a different prefix length to what is being configured. Perhaps it could detect that and provide an alert like "You've configured WAN to receive a /56 prefix, but your ISP provided a /48. IPv6 may not work until the prefix length is correctly configured."? Might stop others from falling into the trap I did.
Thanks again.
-
@ripdog said in Pfsense configures radvd with a /60, breaking it [SOLVED]:
You only get a /56 if you pay for a static IP+prefix, everyone else gets a /48.
Hopefully, they'll respect the DUID and provide a consistent prefix. When they say static, are they referring to the WAN IP or the entire prefix? It's only the prefix you're worried about. The WAN IP is pretty much irrelevant.
It's a shame you'll have to make do with only a meager /48.
-
Hah, I'm not complaining. 48 is bigger, after all.
Static is a product for both v4 and v6, giving a static v4 IP and v6 prefix. I have no idea how often my prefix changes, I haven't bothered to find out. I'm not worried, anyway.
-
@ripdog said in Pfsense configures radvd with a /60, breaking it [SOLVED]:
Since you're a developer, I have to ask: It seems like it should be fairly easy for pfsense to detect when dhcp6c is receiving a different prefix length to what is being configured.
It actually isn't. The client doesn't expose the prefix to scripts or the environment in any way yet. There is an open issue where someone is looking into that, though.
At the moment the only way to even find that out is putting the client in debug mode and then scraping the log output, which is too late to do anything programmatically and prone to errors.
-
Log scraping is what I had been thinking about, actually. Leaving the client in debug mode by default seems fine, surely? It's not like it spams thousands of messages or anything.
-
I leave all of mine in debug mode. It's generally harmless and usually when I look for the logs they've already rolled off. And I have my logs set to 50MB. Not spammy at all.
