Netgate Discussion Forum

    Getting new IPv6 prefix

    • DerelictD Offline
      Derelict LAYER 8 Netgate
      last edited by

      Then you should have more descriptive output there,

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • JKnottJ Offline
        JKnott @Derelict
        last edited by

        @derelict

        Tried again:
        Feb 4 20:48:06 dhcp6c 481 IA_PD: ID=0, T1=0, T2=0
        Feb 4 20:48:06 dhcp6c 481 get DHCP option status code, len 56
        Feb 4 20:48:06 dhcp6c 481 status code: no prefixes
        Feb 4 20:48:06 dhcp6c 481 get DHCP option DNS, len 32
        Feb 4 20:48:06 dhcp6c 481 dhcp6c Received REQUEST
        Feb 4 20:48:06 dhcp6c 481 nameserver[0] 2607:f798:18:10:0:640:7125:5204
        Feb 4 20:48:06 dhcp6c 481 nameserver[1] 2607:f798:18:10:0:640:7125:5198
        Feb 4 20:48:06 dhcp6c 481 make an IA: PD-0
        Feb 4 20:48:06 dhcp6c 481 status code for PD-0: no prefixes
        Feb 4 20:48:06 dhcp6c 481 IA PD-0 is invalidated
        Feb 4 20:48:06 dhcp6c 481 remove an IA: PD-0
        Feb 4 20:48:06 dhcp6c 481 reset a timer on re0, state=INIT, timeo=0, retrans=677
        Feb 4 20:48:06 dhcp6c 481 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
        Feb 4 20:48:08 dhcp6c 481 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
        Feb 4 20:48:08 dhcp6c 481 removing an event on re0, state=REQUEST
        Feb 4 20:48:08 dhcp6c 481 removing server (ID: 00:01:00:01:15:9b:b6:e5:00:21:28:5f:d2:b7)
        Feb 4 20:48:08 dhcp6c 481 got an expected reply, sleeping.
        Feb 4 20:48:08 dhcp6c 481 Sending Solicit
        Feb 4 20:48:08 dhcp6c 481 a new XID (feda7) is generated
        Feb 4 20:48:08 dhcp6c 481 set client ID (len 14)
        Feb 4 20:48:08 dhcp6c 481 set elapsed time (len 2)
        Feb 4 20:48:08 dhcp6c 481 set option request (len 4)
        Feb 4 20:48:08 dhcp6c 481 set IA_PD prefix
        Feb 4 20:48:08 dhcp6c 481 set IA_PD
        Feb 4 20:48:08 dhcp6c 481 send solicit to ff02::1:2%re0
        Feb 4 20:48:08 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=0, retrans=1038
        Feb 4 20:48:09 dhcp6c 481 Sending Solicit
        Feb 4 20:48:09 dhcp6c 481 set client ID (len 14)
        Feb 4 20:48:09 dhcp6c 481 set elapsed time (len 2)
        Feb 4 20:48:09 dhcp6c 481 set option request (len 4)
        Feb 4 20:48:09 dhcp6c 481 set IA_PD prefix
        Feb 4 20:48:09 dhcp6c 481 set IA_PD
        Feb 4 20:48:09 dhcp6c 481 send solicit to ff02::1:2%re0
        Feb 4 20:48:09 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=1, retrans=2027
        Feb 4 20:48:11 dhcp6c 481 Sending Solicit
        Feb 4 20:48:11 dhcp6c 481 set client ID (len 14)
        Feb 4 20:48:11 dhcp6c 481 set elapsed time (len 2)
        Feb 4 20:48:11 dhcp6c 481 set option request (len 4)
        Feb 4 20:48:11 dhcp6c 481 set IA_PD prefix
        Feb 4 20:48:11 dhcp6c 481 set IA_PD
        Feb 4 20:48:11 dhcp6c 481 send solicit to ff02::1:2%re0
        Feb 4 20:48:11 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=2, retrans=4070
        Feb 4 20:48:15 dhcp6c 481 Sending Solicit
        Feb 4 20:48:15 dhcp6c 481 set client ID (len 14)
        Feb 4 20:48:15 dhcp6c 481 set elapsed time (len 2)
        Feb 4 20:48:15 dhcp6c 481 set option request (len 4)
        Feb 4 20:48:15 dhcp6c 481 set IA_PD prefix
        Feb 4 20:48:15 dhcp6c 481 set IA_PD
        Feb 4 20:48:15 dhcp6c 481 send solicit to ff02::1:2%re0
        Feb 4 20:48:15 dhcp6c 481 reset a timer on re0, state=SOLICIT, timeo=3, retrans=8103

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • DerelictD Offline
          Derelict LAYER 8 Netgate
          last edited by

          Looks like upstream is not responding.

          • JKnottJ Offline
            JKnott @Derelict
            last edited by

            @derelict said in Getting new IPv6 prefix:

            Looks like upstream is not responding.

            That wouldn't surprise me. There's definitely a routing problem to my LAN prefix, though to the WAN address is fine. I was able to demonstrate that to 2nd level support. The problem is getting someone beyond them to fix this. At least this narrows down the problem area somewhat. Incidentally, I was doing some work in my ISP's head ends, a couple of months ago, but not the one I connect to. However, that work had nothing to do with IP.

            • JKnottJ Offline
              JKnott @Derelict
              last edited by

              @derelict said in Getting new IPv6 prefix:

              Looks like upstream is not responding.

              Do you know what to look for in the router solicitations and advertisements? Also, I've noticed something curious in the advertisements, the lifetimes are infinite!

              • JKnottJ Offline
                JKnott
                last edited by

                I've been examining the router advertisements and noticed something else. I see several prefixes provided, all with /64. However, I don't see mine, which should be a /56. I've attached the Wireshark capture file. This was captured as pfSense was booting up. I filtered on the WAN interface link local address and ICMP6.

                0_1549381817002_bootup_capture.pcapng

                • B Offline
                  bimmerdriver
                  last edited by

                  Did you try changing the MAC of the WAN port? That might work.

                  • JKnottJ Offline
                    JKnott @bimmerdriver
                    last edited by

                    @bimmerdriver said in Getting new IPv6 prefix:

                    Did you try changing the MAC of the WAN port? That might work.

                    Yes, I did and no it didn't. The problem I'm trying to resolve, is a routing problem with my ISP, where traffic for my network doesn't even reach my firewall. It even fails when I have the modem in gateway mode. I have proven it's a routing problem to tier support, but they can't get the people responsible for maintaining the network to fix it.

                    • B Offline
                      bimmerdriver @JKnott
                      last edited by

                      @jknott How many prefixes will your ISP allow you to have? If your system insists on using the same prefix, try another instance of pfsense while the other one is still running. I haven't seen any evidence of a limit from Telus. I have at four separate prefixes at any one time (modem, main pfsense, test pfsense, other).

                      • JKnottJ Offline
                        JKnott @bimmerdriver
                        last edited by JKnott

                        @bimmerdriver said in Getting new IPv6 prefix:

                        @jknott How many prefixes will your ISP allow you to have? If your system insists on using the same prefix, try another instance of pfsense while the other one is still running. I haven't seen any evidence of a limit from Telus. I have at four separate prefixes at any one time (modem, main pfsense, test pfsense, other).

                        The problem is not with pfSense. It also happens when I put my modem into gateway mode. I get an IPv6 address on my computer, but can't get to the Internet with it. What my investigation shows is that pinging, www.yahoo.com for example, works from my firewall, but not anything behind it. I also had the tier 2 support person try pinging, while I watched traffic between my modem and firewall. When he pinged my firewall, it worked and I could see the packets coming and going. When he pinged my computer behind the firewall, the packets weren't even passing from the modem to firewall. The only significant difference is the prefix for my firewall is different from devices behind the firewall, so the problem is likely a routing error of some sort. I also examined the router advertisements, from my ISP, when my firewall booted up. I should see my prefix and /56 length. I see neither, but I see several /64 prefixes that have nothing to do with my network and one doesn't even appear to be from the range my ISP has. Those RAs also have an infinite lifetime, which I don't ever recall seeing before. The problem is clearly with my ISP, but the network support people don't seem to want to look into the problem, despite my talking to the ISP's Office of the President. Today, I filed a complaint with CCTS, because of the lack of action on this, despite tier 2 support recognizing the problem is with the network. This has been dragging on for about a month now.

                        My original question here about changing prefixes was because things that would normally cause a prefix change didn't. Prior to that option to not release the prefix, just disconnecting/reconnecting the Ethernet cable between the modem and pfSense would cause a prefix change, but not now.

                        • B Offline
                          bimmerdriver @JKnott
                          last edited by

                          @jknott You asked if there was a way to get a new prefix. I gave you a way that should work if your ISP allows you to request multiple prefixes.

                          My ISP is Telus. My service is VDSL. Telus supports PD, but they only provide a prefix, not an address. The modem gets a prefix, which is used for any device that connects to the LAN. I do not use this LAN. The only devices on it are the PVR and STB.

                          One of the ports is bridged. I have a switch on this port and there are multiple routers, including my main pfsense router that serves my LAN, as well as some virtual routers that I use to test different versions before I install them on the main system. They all have their own completely separate /56. If I create a new VM, it will get its own /56. The only limitation is that for any given MAC, there can only be one prefix.

                          If I connect a Windows PC to the bridged port, it will not get an IPv6 address or prefix, because Windows doesn't support PD. (But even though it doesn't get an IPv6 address, I can still use it to run wireshark, so I can observe the ICMP and DHCP packets for PD and RA of the routers.)

                          • JKnottJ Offline
                            JKnott @bimmerdriver
                            last edited by

                            @bimmerdriver said in Getting new IPv6 prefix:

                            You asked if there was a way to get a new prefix. I gave you a way that should work if your ISP allows you to request multiple prefixes.

                            I asked for that long before I realized the problem was greater than just the prefix not being routed properly. As I mentioned, the traffic for the firewall routes properly, but not for anything on my LAN. The only significant difference is the prefix. The prefix for the firewall is quite different from my /56. As I mentioned, it even fails with the modem in gateway mode, which would have its own prefix again different from the LAN. The problem is not identifying a problem with pfSense, as I have proven it isn't. The problem has moved to getting Rogers to fix a problem that has been proven to be within their network. I'll have to see if others in my area have a similar problem.

                            Also, short of setting up a virtual machine, I have no way to set up another instance of pfSense. As I mentioned the RAs I'm getting from Rogers do not contain valid prefixes. Since the Rogers provided modem, in gateway mode, doesn't work, I have my doubts that another instance of pfSense would make much difference. Of course, the really BIG question is what would happen to a regular customer, who doesn't have my technical expertise. Once I got past tier 1 support, I had to educate the tier 2 person on how IPv6 works, using link local addresses for routing, how the interface address has nothing to do with routing etc. Once he understood the problem and realized it was internal to Rogers, he was unable to get the network people to work on it.

                            As I mentioned above, I've filed a complaint with CCTS about this, as this is clearly Rogers not fixing problems that are entirely their responsibility.

                            • B Offline
                              bimmerdriver @JKnott
                              last edited by

                              @jknott If you're running windows 10 pro, you can run a vm. Alternatively, you could use virtual box. Clunky, but it might reveal something.

                              It's quite pathetic how ignorant Canadian ISPs are WRT IPv6. In general, they do not consider it important.

                              There was a paper published by a Shaw employee describing the grief they had trying to implement IPv6. They had some struggles, the project went over budget and they got slapped down. That is the end of IPv6 in Shaw for the indefinite future.

                              Telus offers IPv6 for residential customers, but not for business customers, because there is no business case for it. It's not possible to get a static prefix from Telus and will not be possible for the indefinite future. The residential IPv6 works fine, except for their goofy DHCP before RA thing. At least it's possible to work around this. Also, they at least attempt to provide prefix continuity, as long as the DUID is constant.

                              Not sure what Bhell does with IPv6, if anything.

                              I seriously doubt you will get anywhere with Robbers. Currently, if you want native IPv6 in Canada, your choice is limited. Maybe you should give Telus a try.

                              • JKnottJ Offline
                                JKnott @bimmerdriver
                                last edited by JKnott

                                @bimmerdriver said in Getting new IPv6 prefix:

                                @jknott If you're running windows 10 pro, you can run a vm. Alternatively, you could use virtual box. Clunky, but it might reveal something.

                                I have a stand alone computer running pfSense by itself, without any VM. To run a VM on that box, I'd have to blow away the existing pfSense install and then install Linux, where I could run a VM. However, given that running the modem in gateway mode has the same problem, I doubt another pfSense instance would make a difference. Take a look at the capture I uploaded. It's a few messages up and called bootup_capture.pcapng. Look at the RA and tell me what you think of it. My prefix isn't mentioned at all, yet several others are.

                                It's quite pathetic how ignorant Canadian ISPs are WRT IPv6. In general, they do not consider it important.

                                I know I had to instruct the tier 2 guy on a few things. Rogers has business customers with IPv6 and the cell network is largely, if not entirely IPv6 only, with 464XLAT used to provide IPv4 support.

                                I suspect the problem in my case is the attitude of the network guy, rather than the company as a whole. I've run into a few guys like that in my time. They can't get off their butt to put some real effort into solving a problem. On the other hand, I received a commendation from Air Canada, several years ago, for helping solve a real strange problem. At that time, my company was responsible for maintaining their reservation network, other than the Univac computer at the heart of it. I like the challenge of a difficult problem, others can't be bothered. I've had other recognition for solving difficult problems over the years. That only happens because I put the effort in to understand it. This isn't the first time I've had to go to extraordinary lengths to prove to Rogers they have a problem beyond my home. I feel sorry for the customers who don't have my expertise to identify where a problem might be and so get no resolution from the support people. However, Rogers is still much better than Bell in that regard.

                                I don't know if Bell offers IPv6 directly, but many of their customers get bare Ethernet/VLANs over fibre back to wherever and often have their own addresses. I have worked with those circuits for Allstream customers and also over Rogers. Some other Canadian ISPs offer IPv6, such as Cogeco, Videotron and Teksavvy, though they have it over ADSL only.

                                BTW, that Air Canada network I worked on used time slots and not packets. It predated Ethernet and IP. It consisted of Collins C8500 computers and everything was connected via triaxial cable at 8 Mb or coax at 2 Mb. There were 3 Collins computers and several PDP-11s, each with up to 4 serial cards, with 8 UARTs each, connected to modems serving terminals around the world. Now THAT was a network! It was also my first LAN experience! All this to provide a communications front end for the Univac systems. The building it was located in is now an Internet exchange point and I was back in there again last year, the first time in 23 years, to do some work for Freedom Mobile. It felt really weird being back in there and remembering where what was back then.

                                Telus doesn't operate around here, other than cell service and even with that, they often share the Bell network.

                                • JKnottJ Offline
                                  JKnott
                                  last edited by

                                  An update, my next door neighbour has the same problem, so it has nothing to do with pfSense or my network. I expect the problem is back at the head end, with the router that supports my node.

                                  • JKnottJ Offline
                                    JKnott
                                    last edited by

                                    While there is no doubt this problem is occurring at the ISP, I've continued investigating. I'm examining the DHCPv6 XID advertise packet. What I've found is this:

                                    Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'

                                    I assume this means the ISP is not providing the prefix to my network. The full packet is listed below.

                                    Any ideas?

                                    Frame 66: 214 bytes on wire (1712 bits), 214 bytes captured (1712 bits) on interface 0
                                    Ethernet II, Src: Casa_9a:a1:99 (00:17:10:9a:a1:99), Dst: Trendnet_2b:ed:ea (00:14:d1:2b:ed:ea)
                                    Internet Protocol Version 6, Src: fe80::217:10ff:fe9a:a199, Dst: fe80::214:d1ff:fe2b:edea
                                    User Datagram Protocol, Src Port: 547, Dst Port: 546
                                    DHCPv6
                                        Message type: Advertise (2)
                                        Transaction ID: 0x557257
                                        Client Identifier
                                            Option: Client Identifier (1)
                                            Length: 14
                                            Value: 0001000123eb5e12001617a7f2d3
                                            DUID: 0001000123eb5e12001617a7f2d3
                                            DUID Type: link-layer address plus time (1)
                                            Hardware type: Ethernet (1)
                                            DUID Time: Feb 4, 2019 15:33:22.000000000 EST
                                            Link-layer address: 00:16:17:a7:f2:d3
                                        Server Identifier
                                            Option: Server Identifier (2)
                                            Length: 14
                                            Value: 00010001159bb6e50021285fd2b7
                                            DUID: 00010001159bb6e50021285fd2b7
                                            DUID Type: link-layer address plus time (1)
                                            Hardware type: Ethernet (1)
                                            DUID Time: Jun 27, 2011 17:47:17.000000000 EDT
                                            Link-layer address: 00:21:28:5f:d2:b7
                                        Identity Association for Prefix Delegation
                                            Option: Identity Association for Prefix Delegation (25)
                                            Length: 72
                                            Value: 000000000000000000000000000d003800064e6f20707265...
                                            IAID: 00000000
                                            T1: 0
                                            T2: 0
                                            Status code
                                                Option: Status code (13)
                                                Length: 56
                                                Value: 00064e6f2070726566697820617661696c61626c65206f6e...
                                                Status Code: NoPrefixAvail (6)
                                                Status Message: No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'
                                        DNS recursive name server
                                            Option: DNS recursive name server (23)
                                            Length: 32
                                            Value: 2607f7980018001000000640712552042607f79800180010...
                                            1 DNS server address: 2607:f798:18:10:0:640:7125:5204
                                            2 DNS server address: 2607:f798:18:10:0:640:7125:5198

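The Advertise quoted in the last post can be checked mechanically. As an added example (not part of the original thread), the Python below rebuilds that DHCPv6 message from the decoded fields shown in the post, walks the IA_PD option, and separates a server that answers but refuses delegation from one that delegates. The function names and the 2001:db8:ab00::/56 success case are constructed for illustration.

```python
import ipaddress
import struct

CLIENTID, SERVERID, STATUS, DNS, IA_PD, IAPREFIX = 1, 2, 13, 23, 25, 26
STATUS_NAMES = {0: "Success", 1: "UnspecFail", 2: "NoAddrsAvail", 3: "NoBinding",
                4: "NotOnLink", 5: "UseMulticast", 6: "NoPrefixAvail"}

def tlv(code, data):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data

def iter_options(buf):
    """Yield (code, payload) pairs; reject options that overrun the buffer."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError(f"option {code} overruns the buffer")
        yield code, buf[off:off + length]
        off += length

def parse_ia_pd(data):
    """IA_PD payload: IAID, T1, T2 (4 bytes each), then nested options."""
    if len(data) < 12:
        raise ValueError("IA_PD shorter than its fixed header")
    iaid, t1, t2 = struct.unpack_from("!III", data)
    ia = {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": [], "status": None}
    for code, sub in iter_options(data[12:]):
        if code == IAPREFIX and len(sub) >= 25:
            preferred, valid, plen = struct.unpack_from("!IIB", sub)  # lifetimes, length
            net = ipaddress.IPv6Network((sub[9:25], plen), strict=False)
            ia["prefixes"].append((str(net), preferred, valid))
        elif code == STATUS and len(sub) >= 2:
            num = struct.unpack_from("!H", sub)[0]
            ia["status"] = (STATUS_NAMES.get(num, f"Unknown({num})"),
                            sub[2:].decode("utf-8", "replace"))
    return ia

def parse_reply(msg):
    """Parse a DHCPv6 server message: 1-byte type, 3-byte XID, IA_PD options."""
    if len(msg) < 4:
        raise ValueError("message shorter than the DHCPv6 header")
    ias = [parse_ia_pd(d) for c, d in iter_options(msg[4:]) if c == IA_PD]
    return {"type": msg[0], "xid": int.from_bytes(msg[1:4], "big"), "ia_pd": ias}

def delegation_verdict(msg):
    """Say whether the first IA_PD in the reply carries a prefix or a refusal."""
    ias = parse_reply(msg)["ia_pd"]
    if not ias:
        return "no IA_PD in reply"
    if ias[0]["prefixes"]:
        return "delegated " + ", ".join(p for p, _, _ in ias[0]["prefixes"])
    if ias[0]["status"]:
        return "refused: {} ({})".format(*ias[0]["status"])
    return "IA_PD present but empty"

def build_page_advertise():
    """Rebuild the Advertise from the decoded fields quoted in the post."""
    text = b"No prefix available on Link 'CMTS89.WLFDLE-BNDL1-GRP3'"
    ia = struct.pack("!III", 0, 0, 0) + tlv(STATUS, struct.pack("!H", 6) + text)
    dns = b"".join(ipaddress.IPv6Address(a).packed for a in
                   ("2607:f798:18:10:0:640:7125:5204", "2607:f798:18:10:0:640:7125:5198"))
    return (bytes([2]) + (0x557257).to_bytes(3, "big")
            + tlv(CLIENTID, bytes.fromhex("0001000123eb5e12001617a7f2d3"))
            + tlv(SERVERID, bytes.fromhex("00010001159bb6e50021285fd2b7"))
            + tlv(IA_PD, ia) + tlv(DNS, dns))

def build_constructed_success():
    """Constructed contrast case: the same kind of reply with a /56 delegated."""
    pfx = struct.pack("!IIB", 3600, 7200, 56) + ipaddress.IPv6Address("2001:db8:ab00::").packed
    return (bytes([2]) + (0x123456).to_bytes(3, "big")
            + tlv(IA_PD, struct.pack("!III", 0, 1800, 2880) + tlv(IAPREFIX, pfx)))

if __name__ == "__main__":
    print(delegation_verdict(build_page_advertise()))
    print(delegation_verdict(build_constructed_success()))
```

The rebuilt message is 152 bytes, which with the Ethernet, IPv6 and UDP headers gives the 214-byte frame in the capture, and its IA_PD payload is the 72 bytes Wireshark reports.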
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.