Clients don't receive IPv6 address on LAN with track interface



  • Hi everybody,

    I'm trying to set up IPv6 on my pfSense box (a Netgate SG-3100).
    It looks like I'm almost there, but I can't get pfSense to hand out IPv6 addresses to clients on my LAN.

    My provider (XS4ALL in The Netherlands) assigns a /48 prefix through DHCPv6 prefix delegation.

    The setup is relatively simple:
    The WAN interface is set to use PPPoE for IPv4 config and DHCP6 for IPv6 config.
    DHCP6 client configuration is set to:

    • Use IPv4 connectivity as parent interface: Request a IPv6 prefix/information through the IPv4 connectivity link
    • Request only an IPv6 prefix: Only request an IPv6 prefix, do not request an IPv6 address
    • DHCPv6 Prefix Delegation size=48
    • Send IPv6 prefix hint Send an IPv6 prefix hint to indicate the desired prefix size for delegation

    The LAN interface is set to track the WAN interface for IPv6:

    • IPv6 Configuration Type=Track Interface
    • IPv6 Interface=WAN
    • IPv6 Prefix ID=0

    The DHCPv6 server is disabled and in the Route Advertisements tab the 'Router mode' is set to 'Unmanaged' (the rest is kept on the default).
    I think this configuration should start handing out IPv6 addresses. According to pfSense 'Unmanaged' means: 'Will advertise this router with stateless autoconfig.'

    Communication with the provider appears to work without a problem, here's the relevant part of the dhcp6c log with debugging enabled:

    Nov 7 20:43:51	dhcp6c	18277	reset a timer on pppoe1, state=REQUEST, timeo=0, retrans=909
    Nov 7 20:43:52	dhcp6c	18277	receive reply from fe80::2a8a:1cff:fee0:9052%pppoe1 on pppoe1
    Nov 7 20:43:52	dhcp6c	18277	get DHCP option client ID, len 14
    Nov 7 20:43:52	dhcp6c	18277	DUID: 00:01:00:01:22:22:a6:43:00:08:a2:0d:2d:51
    Nov 7 20:43:52	dhcp6c	18277	get DHCP option server ID, len 26
    Nov 7 20:43:52	dhcp6c	18277	DUID: 00:02:00:00:05:83:32:38:3a:38:61:3a:31:63:3a:65:30:3a:39:37:3a:63:30:00:00:00
    Nov 7 20:43:52	dhcp6c	18277	get DHCP option IA_PD, len 41
    Nov 7 20:43:52	dhcp6c	18277	IA_PD: ID=0, T1=43200, T2=69120
    Nov 7 20:43:52	dhcp6c	18277	get DHCP option IA_PD prefix, len 25
    Nov 7 20:43:52	dhcp6c	18277	IA_PD prefix: 2001:980:4447::/48 pltime=86400 vltime=86400
    Nov 7 20:43:52	dhcp6c	18277	dhcp6c Received REQUEST
    Nov 7 20:43:52	dhcp6c	18277	make an IA: PD-0
    Nov 7 20:43:52	dhcp6c	18277	create a prefix 2001:980:4447::/48 pltime=86400, vltime=86400
    Nov 7 20:43:52	dhcp6c	18277	add an address 2001:980:4447:0:208:a2ff:fe0d:2d52/64 on mvneta1
    

    To me it looks like pfSense recognizes the prefix it receives from the provider and picks an address to assign to the LAN interface (=mvneta1). This is also visible in 'Status'->'Interfaces'.

    So far so good and with the configuration mentioned above I think pfSense should start handing out IPv6 addresses on the LAN interface, only it doesn't do that. None of the clients on the LAN (Linux servers, W10 computers, phones, etc.) receive an IPv6 address. They do have a link-local (fe80::) address, meaning IPv6 is enabled.

    IPv6 works like a charm from the firewall itself, for instance pinging to ipv6.google.com using 'Diagnostics'->'Ping'.

    I have tried a lot of different configurations in 'Services'->'DHCPv6 server&RA', but so far haven't found any configuration that hands out IPv6 addresses to clients on the LAN interface.

    Does anybody have any idea what could be wrong with this configuration and why clients on the LAN don't receive an IPv6 address?

    Thanks in advance!

    P.S.
    'Allow IPv6' is turned on in 'System'->'Advanced'->'Networking'
    I have a firewall rule to allow LAN IPv6 to any (created by the above option I believe)



  • Please check under Status - Services if the radvd is actually running.
    If so, please check if router advertisement messages are being sent.
    This might help:

    tcpdump -i <ifname> -n -nn icmp6
    

    You could also start Wireshark on the client and see if the router actually sends router advertisements or answers router solicitations.



  • Also helpful would be to know what Router Mode is selected for RAs, as well as what kinds of client devices you’re using.

    For example, Managed mode would require you to have a DHCPv6 server configured (whether on pfSense or another device on your network), and is also not compatible with most Android devices (unless the device mfr has specifically added support for it; most haven’t).



  • @virgiliomi It's set to unmanaged



  • @pmisch sorry, I need to read better apparently. 🙂



  • Thanks for the reply!
    Router Mode is indeed set to 'unmanaged', I plan to switch to a more advanced Router Mode with DHCPv6 server, but if I can't get this to work, the other options won't work either I think.

    I checked 'Status'->'Services' and it shows that radvd is running.

    Running tcpdump on the firewall also shows that it appears to be sending (correct) router advertisement messages:

    17:23:26.258746 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 136) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 136
            hop limit 64, Flags [none], pref medium, router lifetime 60s, reachable time 0s, retrans time 0s
              prefix info option (3), length 32 (4): 2001:980:4447::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
              route info option (24), length 24 (3):  ::/0, pref=medium, lifetime=60s
              rdnss option (25), length 24 (3):  lifetime 20s, addr: 2001:980:4447:0:208:a2ff:fe0d:2d52
              dnssl option (31), length 24 (3):  lifetime 20s, domain(s): van-heel.net.
              mtu option (5), length 8 (1):  1500
              source link-address option (1), length 8 (1): 00:08:a2:0d:2d:52
    
    

    What's interesting is that it looks like these advertisements don't arrive at the clients on the LAN network.
    I checked a Linux server on the LAN with tcpdump and my Windows 10 machine (also on the LAN network) with Wireshark, no ICMP6 packets arrive there.

    I thought these packets might be blocked by the firewall, but there's just 3 rules on the LAN interface and those are the default rules created by pfSense, so the 'Anti-Lockout Rule', the IPv4 'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule'. Should block ICMP6 I think.

    Also the firewall-log doesn't show any blocked traffic on the LAN interface.



  • @svheel said in Clients don't receive IPv6 address on LAN with track interface:

    I thought these packets might be blocked by the firewall, but there's just 3 rules on the LAN interface and those are the default rules created by pfSense, so the 'Anti-Lockout Rule', the IPv4 'Default allow LAN to any rule' and the 'Default allow LAN IPv6 to any rule'. Should block ICMP6 I think.

    I meant to write: 'Should not block ICMP6' of course.
    Quote instead of edit since forum doesn't let me edit (says message is marked as spam).



  • Do you have any other filtering mechanisms in place like intrusion prevention or have you activated "block bogon" on your LAN interface?
    I suspect the outgoing packets do not leave the firewall even though the packet filter itself isn't blocking. Must be something else.
    There's also a possibility of an interim device like a switch that might block packets. Quite unlikely but not impossible.



  • @pmisch said in Clients don't receive IPv6 address on LAN with track interface:

    Do you have any other filtering mechanisms in place like intrusion prevention or have you activated "block bogon" on your LAN interface?
    I suspect the outgoing packets do not leave the firewall even though the packet filter itself isn't blocking. Must be something else.
    There's also a possibility of an interim device like a switch that might block packets. Quite unlikely but not impossible.

    Triggered by your comment on an interim device like a switch blocking packets I checked my switches, since I had been messing with multicast and broadcast filtering and settings on those switches (2 Netgear ProSAFE Plus Switches). My provider has an IPTV service (using multicast for TV channels) and it's a bit unstable, which is why I've been tinkering with those settings.

    After turning off some filtering (I think turning off 'Block Unknown Multicast Address' did the trick) the router advertisements arrived at the clients and they receive an IPv6 address! So that was the problem.

    Thank you very much for your comments and help!
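
As an added example (not part of the original posts and not pfSense code): a Python check over the `tcpdump -v` text of the router advertisement quoted earlier in the thread. It confirms the RA carries what SLAAC needs and derives the Ethernet multicast address the frame is sent to, which is the address a switch's multicast filter has to let through. The names `check_ra` and `multicast_mac` are chosen for this example.

```python
import ipaddress
import re

# Sample input: first three lines of the tcpdump output quoted in the thread.
SAMPLE_RA = (
    "17:23:26.258746 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 136) "
    "fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 136\n"
    "    hop limit 64, Flags [none], pref medium, router lifetime 60s, "
    "reachable time 0s, retrans time 0s\n"
    "      prefix info option (3), length 32 (4): 2001:980:4447::/64, "
    "Flags [onlink, auto, router], valid time 86400s, pref. time 14400s\n"
)

def multicast_mac(group):
    """Ethernet address for an IPv6 multicast group (RFC 2464): 33:33 + low 32 bits."""
    low = ipaddress.IPv6Address(group).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low)

def check_ra(text):
    """Return (problems, l2_dst) for one RA printed by `tcpdump -v`."""
    hdr = re.search(r"hlim (\d+).*? (\S+) > (\S+): .*router advertisement", text)
    if not hdr:
        return ["no router advertisement in capture"], None
    hlim, src, dst = int(hdr.group(1)), hdr.group(2), hdr.group(3)
    problems = []
    if hlim != 255:
        problems.append("hop limit is not 255; receivers discard the RA (RFC 4861)")
    if not ipaddress.IPv6Address(src).is_link_local:
        problems.append("source is not link-local; receivers discard the RA")
    life = re.search(r"router lifetime (\d+)s", text)
    if not life or int(life.group(1)) == 0:
        problems.append("router lifetime 0: clients install no default route")
    prefixes = re.findall(
        r"prefix info option.*?: \S+/(\d+), Flags \[([^\]]*)\], valid time (\d+)s", text)
    usable = [p for p in prefixes
              if p[0] == "64" and "auto" in p[1].split(", ") and int(p[2]) > 0]
    if not usable:
        problems.append("no /64 prefix with the 'auto' flag: SLAAC cannot form an address")
    # A multicast RA rides an Ethernet multicast frame; a switch that filters
    # this destination MAC drops the RA before any client sees it.
    l2_dst = multicast_mac(dst) if ipaddress.IPv6Address(dst).is_multicast else None
    return problems, l2_dst

if __name__ == "__main__":
    print(check_ra(SAMPLE_RA))
```

An empty problem list together with no RA seen on the client points away from radvd and toward delivery of the multicast frame on the LAN segment.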