IPv6 disabled, getting ipv6 address and clients getting ipv6 dns addresses



  • I was reading another thread, a quite old one, about another user having this exact same issue.

    Occasionally clients behind my pfSense router are getting ipv6 addresses and failing to connect. For example, right now:

    [screenshot]

    I looked at my interfaces and:

    [screenshot]

    But I definitely have ipv6 turned off:

    [screenshot]

    I wouldn't normally care, but occasionally clients simply won't connect and get DNS errors. At all times DNS resolution is really slow (1-5 seconds).

    Everything I can find related to ipv6 I have turned off. Yet this still persists.

    Help? Let me know what additional information I can provide to help. Or let me know WHERE I'm being stupid.

    Thank you!

    --MrNick



  • Where do your Windows clients get their IP address from? Is it via DHCP from a Windows Active Directory DHCP server, or is it from the DHCP server within pfSense?

    You posted up only the configuration for your WAN interface. What about the LAN interface of pfSense? Did you accidentally enable IPv6 there? If so, you may also have the router advertisement daemon running on pfSense. That would offer IPv6 addresses to LAN clients.

    What are your LAN clients using for DNS? Is it a Windows AD DNS server or is it the pfSense box?


  • LAYER 8 Global Moderator

    That is just returning the AAAA record for facebook - that doesn't mean anything has an actual IPv6 address.

    On your windows machine do a
    ipconfig /all

    This will tell you if there is an IPv6 address on the machine.. Be it a dual stack address on your interface or a transition address like Teredo or 6to4 or ISATAP, etc.

    When clients do a DNS query for say www.facebook.com they ask for both A and AAAA.. so yeah you can get back that address.

    C:\>dig www.facebook.com AAAA
    
    ; <<>> DiG 9.12.3 <<>> www.facebook.com AAAA
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43575
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.facebook.com.              IN      AAAA
    
    ;; ANSWER SECTION:
    www.facebook.com.       3573    IN      CNAME   star-mini.c10r.facebook.com.
    star-mini.c10r.facebook.com. 60 IN      AAAA    2a03:2880:f127:283:face:b00c:0:25de
    
    ;; Query time: 172 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Fri Dec 14 07:55:40 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 102
    

    That is the AAAA address, here is A:

    C:\>dig www.facebook.com A
    
    ; <<>> DiG 9.12.3 <<>> www.facebook.com A
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49609
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.facebook.com.              IN      A
    
    ;; ANSWER SECTION:
    www.facebook.com.       3514    IN      CNAME   star-mini.c10r.facebook.com.
    star-mini.c10r.facebook.com. 0  IN      A       157.240.18.35
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.3.10#53(192.168.3.10)
    ;; WHEN: Fri Dec 14 07:56:39 Central Standard Time 2018
    ;; MSG SIZE  rcvd: 90
    

    That fe80 address is just your link-local address.. That is yes going to be there.. Be it you have IPv6 disabled or not, or be it you allow it via rules or not.. Even when the interface has IPv6 set to NONE..

    If you do not want to use any IPv6 on your Windows machine, you're prob better off disabling it via the 255 reg entry..
    https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users



  • @mrnick said in IPv6 disabled, getting ipv6 address and clients getting ipv6 dns addresses:

    Occasionally clients behind my pfSense router are getting ipv6 addresses and failing to connect. For example, right now:

    Can happen.
    If your first upstream DNS resolver is pfSense, then it will resolve.
    By default, the "nslookup" will ask A and AAAA.
    Restrict to "A" only and you will receive "A" only ;)
    Btw : AAAA info will travel over IPv4 connections.
    A info will travel just fine over AAAA (IPv6) connections.

    But I definitely have ipv6 turned off:

    No way.
    Turning off IPv6 on pfSense is done here :

    [screenshot]

    (and still, shutting it down completely isn't possible - I guess all interfaces on pfSense will be filtered for IPv6, that's all)

    I wouldn't normally care, but occasionally clients simply won't connect and get DNS errors. At all times DNS resolution is real slow (1-5 seconds).
    Everything I can find related to ipv6 I have turned off. Yet this still persists.

    You missed the most logical one : Turn off IPv6 on the device you use (PC, pad, phone).
    It will not have an IPv6 anymore, not even a local one.
    Pure IPv4, like in the last century - nothing else.
    No more "x tries to connect to some IPv6 DNS server, and finally falls back to IPv4" delays. All modern OS's use IPv6 first, and fall back to IPv4 if IPv6 takes too much time.

    Btw : In the near future we will all receive an invite to the party that buries IPv4 once and for all. I advise you to make IPv6 work. It's like IPv4 but more adapted to more modern needs. It will take some time, as IPv4 did back then.

    The future :
    [screenshot]



  • @gertjan

    No way. Turning off IPv6 on pfSense is done here.

    Okay, yeah, that was turned on. I thought disabling it on all the interfaces and making sure no IPv6 services were running was sufficient. Thanks for pointing that out.

    You missed the most logical one : Turn off IPv6 on the device you use (PC, pad, phone).

    That is what I've been doing for my PCs but it seemed kind of hacky. I couldn't find where on my Pixel to do it though.

    I advise you to make IPv6 work.

    My ISP doesn't currently support IPv6 (I'm pretty sure, though I'm doubting myself a lot now). If I enable it on my local net how would I prevent the issues that I'm seeing now, i.e. clients attempting to connect to IPv6 addresses and timing out? Would a REJECT instead of BLOCK rule on my LAN interface fix that? Sorry, but it should be obvious I am new to both pfSense and networking in general.

    Any friendly suggestions you have would be warmly taken.

    Thank you!

    --MrNick



  • @bmeeks

    Where do your Windows clients get their IP address from? Is it via DHCP from a Windows Active Directory DHCP server, or is it from the DHCP server within pfSense?

    pfSense

    You posted up only the configuration for your WAN interface. What about the LAN interface of pfSense?

    [screenshot]

    If so, you may also have the router advertisement daemon running on pfSense.

    This?
    [screenshot]

    What are your LAN clients using for DNS? Is it a Windows AD DNS server or is it the pfSense box?

    pfSense:

    [screenshot]



  • @johnpoz

    that is just returning the AAAA record for facebook - that doesn't mean anything has an actual IPv6 address.

    So unless I have a valid (non link-local/fe80::) IPv6 address that means that the client won't be attempting to connect via IPv6?

    [screenshot]

    After reading all the great responses here it really seems that my connection issues aren't related to IPv6 at all... BUT... if I go into the adapter properties and disable IPv6, everything works as expected.

    I've seen this happen on three different Win10 boxes that I have. So obviously I'm missing something.

    I'm going to go ahead and post all the configurations that might be relevant in case I'm just plain being stupid, or thick-witted about IPv6.

    Thanks for your help!



  • [screenshots of the pfSense and Windows configuration pages]


  • LAYER 8 Global Moderator

    That is not your whole ipconfig /all output..

    A Windows box will have Teredo, 6to4 and ISATAP interfaces listed... Unless you took the time to clean them up... They will attempt to get IPv6 and tunnel out of your IPv4 network..

    If you want to play with IPv6 - your ISP doesn't have to support it.. Just get an HE tunnel.. they are FREE and will give you a /48 to play with.. And they have a certification program to walk through and help you learn the stuff you need to learn to correctly set up IPv6.. My last ISP supported IPv6 - well kind of.. It was way more trouble than it was worth... So I ran an HE tunnel.. And my new ISP doesn't have any IPv6 support.. Still have my same /48 because I was using the tunnel.. But then again I only run it on the devices I want to run it on, for my own amusement and testing.. There is no actual "need" for it.. If that is something you want to do to learn about IPv6 then yeah, let's go - lots of learning to do.. Happy to help... But when someone doesn't know the difference between an A record and AAAA... maybe they're not quite ready to ride the IPv6 train correctly.

    Here is the thing - IPv6 for sure is the FUTURE... But no matter how much some people want it... IPv4 is not going away any time soon.. For the home user, sorry there is no actual reason they need to run IPv6.. And to be honest until such time that they can commit to learning how to correctly configure it.. It's easier to turn it off.. Some people don't like that approach... But sorry, tunneling out of your IPv4 network just to use a protocol that is not actually needed... Name an internet resource that you NEED, that you can not get to unless you have IPv6 and then we can talk about IPv6 being a "required" thing...

    And in the corp world - yeah the cost of transition on the LAN side when they have all the IPv4 space they need with RFC1918.. Sure they can put their public facing stuff on both IPv4 and IPv6 that is for outside access.. But on the internal corp network - it costs money to do this transition... Until there is a financial reason - corp is going to drag their feet screaming into the IPv6 world..

    So there is PLENTY of time to get up to speed on IPv6.. Nothing saying you need to take on that challenge right now.
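As an added example (not code from this thread or from pfSense), here is a small Python check that does what johnpoz describes above: it parses `ipconfig /all` style output, classifies every IPv6 address as link-local, Teredo, 6to4, ISATAP or global, and then applies the thread's rule of thumb that a client only acts on a AAAA answer when it owns a non-link-local IPv6 source address. The sample `ipconfig` text and its addresses are constructed; the facebook A/AAAA values are the ones from the dig output earlier in the thread.

```python
import ipaddress
import re

# Constructed sample modelled on `ipconfig /all` output (not a real capture).
SAMPLE_IPCONFIG = """
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.3.50(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2b:3d4e:5f60:7a8b%12(Preferred)

Tunnel adapter Teredo Tunneling Pseudo-Interface:
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:1c2b:3d4e:3f57:fcc9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2b:3d4e:3f57:fcc9%14(Preferred)

Tunnel adapter isatap.{A1B2C3D4-0000-0000-0000-000000000001}:
   Media State . . . . . . . . . . . : Media disconnected
"""

TEREDO = ipaddress.ip_network("2001::/32")        # RFC 4380 Teredo prefix
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")   # RFC 3056 6to4 prefix
ISATAP_IIDS = (0x00005EFE, 0x02005EFE)            # RFC 5214 interface id (u bit 0/1)

# "IPv6 Address" also matches the "Link-local IPv6 Address" lines; the zone id
# (%12) is left out of the capture group.
ADDR_RE = re.compile(r"IPv6 Address[ .]*:\s*([0-9A-Fa-f:]+)")


def classify_v6(text):
    """Label an IPv6 address the way the thread talks about them."""
    a = ipaddress.IPv6Address(text)
    if a.is_link_local:
        return "link-local"          # fe80::/10, present even with IPv6 "off"
    if a in TEREDO:
        return "teredo"
    if a in SIX_TO_FOUR:
        return "6to4"
    if (int(a) >> 32) & 0xFFFFFFFF in ISATAP_IIDS:   # bits 64-95 of the address
        return "isatap"
    return "global" if a.is_global else "other"


def parse_ipconfig(output):
    """Return {address: kind} for every IPv6 address in ipconfig /all output."""
    return {m: classify_v6(m) for m in ADDR_RE.findall(output)}


def will_try_ipv6(local_v6, resolved):
    """Heuristic from the thread: AAAA answers only matter when the host has a
    non-link-local IPv6 source (global or a transition tunnel such as Teredo)."""
    has_v6_source = any(kind != "link-local" for kind in local_v6.values())
    has_aaaa = any(ipaddress.ip_address(r).version == 6 for r in resolved)
    return has_v6_source and has_aaaa
```

Feeding the real `ipconfig /all` text in place of the sample shows at a glance whether a Teredo or 6to4 address is what is pulling the client onto IPv6 even though the pfSense LAN has none.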