IPv6 Native with Telstra, Australia



  • EDIT This is now working. Here is the wiki on how to get it to work: https://whirlpool.net.au/wiki/pfsense_ipv6_telstra


    I have been unable to get IPv6 working with Australia's largest ISP. They issue a /56 PD. They run IPv4 and IPv6 natively dual stack. I plug directly into an Ethernet port which is delivered to me via fibre. It's an IPoE connection.

    Telstra uses Ipv6 PD via dhcpv6.
    This is Native Ipv6 in a dual ipv4/ipv6 stack enviroment, no tunnel broker or 6rd.
    Telstra's supported router uses DHCPv6 and get a PD (prefix delegation) back, it will then assign the addresses to LAN clients.
    This means while the Telstra router may show it doesn't have a ipv6 address, It's still handing out PD ipv6 addresses to clients.

    Telstra supports third party routers - just cannot find a way to get pfsense going. They are happy to support me getting it working. I've been working with Telstra's back of office IPv6 person, so I have access to a really good tech guy in Telstra.

    In this post, I'll include the following

    1. My config
    2. My DHCP logs
    3. My packet sniffing logs
    4. Telstra's logs from their end

    Ignore the time stamps across the logs. They are different simply because I've just copied the ones handy - but its all off the same config.

    What I am hoping for is some advice on how to get it working. Thanks in advance.

    My config:

    LAN Settings (and other local interfaces) using Track Interface
    Menu: Interfaces – LAN

    IPv6 Configuration Type: Track Interface

    Under Track IPv6 Interface

    IPv6 Interface: WAN
    IPv6 Prefix ID: 0

    LAN Settings (and other local interfaces) using Static IPv6
    Menu: Interfaces – LAN

    WAN Settings
    Menu: Interfaces – WAN

    IP Configuration Type: DHCP6
    Under IPv6 Client Configuration

    DHCPv6 Prefix Delegation size: 56

    The following options only are checked:

    Send IPv6 prefix hint
    Debug

    Advanced Configuration: checked
    Under Advanced DHCP6 Client Configuration

    Send options: ia-na 0, ia-pd 0
    Request options: domain-name-servers, domain-name
    Scripts: /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
    Identity Association Statement:
    Non-Temporary Address Allocation: checked
    id-assoc na ID: 0
    Prefix Delegation: checked
    id-assoc pd ID: 0
    IPv6 prefix: ::/56
    pltime: infinity
    Prefix interface statement:
    Prefix Interface sla-id: 0
    sla-len: 8
    Prefix Interface: LAN

    Still on WAN interface:
    Block private networks and loopback addresses - unticked
    Block bogon networks - unticked

    Router Advertisements & SLAAC
    Menu: Services – DHCPv6 Server & RA – Router Advertisements

    For LAN:
    Router mode: Unmanaged
    Router priority: Normal

    Under System, Routing - Default IPv6 Gateway set to WAN_DHCP6

    System, Advanced networking - allow IPv6 ticked

    I've even tried creating firewall rules to allow IPv6 ICMP and UDP into the WAN interface thinking that the firewall might be dropping them.

    So that's my config.

    DHCP logs:

    Feb 22 23:05:59 dhcp6c 17908 reset a timer on em0, state=SOLICIT, timeo=6, retrans=64469
    Feb 22 23:05:59 dhcp6c 17908 send solicit to ff02::1:2%em0
    Feb 22 23:05:59 dhcp6c 17908 set IA_PD
    Feb 22 23:05:59 dhcp6c 17908 set IA_PD prefix
    Feb 22 23:05:59 dhcp6c 17908 set option request (len 4)
    Feb 22 23:05:59 dhcp6c 17908 set elapsed time (len 2)
    Feb 22 23:05:59 dhcp6c 17908 set client ID (len 14)
    Feb 22 23:05:59 dhcp6c 17908 Sending Solicit

    Packet sniffing logs:

    22:13:15.731905 00:0c:29:05:a3:a1 > 33:33:ff:2f:08:93, ethertype IPv6 (0x86dd), length 86: (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::20c:29ff:fe05:a3a1 > ff02::1:ff2f:893: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4e16:fcff:fe2f:893
    source link-address option (1), length 8 (1): 00:0c:29:05:a3:a1
    0x0000: 000c 2905 a3a1

    22:13:15.293243 4c:16:fc:2f:08:93 > 33:33:ff:05:a3:a1, ethertype IPv6 (0x86dd), length 96: (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1

    Telstra's logs:

    (including the email from the Telstra tech so where it says "I" below, I = Telstra tech guy)

    I can see it sending Ipv6 DHCPv6

    13:30:59.553687 In
    Juniper PCAP Flags [no-L2, In]
    -----original packet-----
    PFE proto 6 (ipv6): (hlim 1, next-header: UDP (17), length: 146) fe80::20c:29ff:fe05:a3a1.dhcpv6-server > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 Relay-forward

    It’s also unable to establish Ipv6 neighbours which I suspect is a reason why it’s not functioning correctly

    13:31:01.106029 In
    Juniper PCAP Flags [no-L2, In]
    -----original packet-----
    PFE proto 6 (ipv6): (hlim 255, next-header: ICMPv6 (58), length: 32) fe80::20c:29ff:fe05:a3a1 > ff02::1:ff2f:893: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4e16:fcff:fe2f:893
    source link-address option (1), length 8 (1): 00:0c:29:05:a3:a1
    0x0000: 000c 2905 a3a1

    13:31:02.073018 Out
    Juniper PCAP Flags [no-L2]
    -----original packet-----
    PFE proto 6 (ipv6): (class 0xc0, hlim 255, next-header: ICMPv6 (58), length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1
    source link-address option (1), length 8 (1): 4c:16:fc:2f:08:93
    0x0000: 4c16 fc2f 0893



  • This post is deleted!


  • My WAN interface has local IPv6: fe80::20c:29ff:fe05:a3a1



  • After further analysis, I think the key thing here is that Telstra appears to be responding validly, yet pfsense won't pick it up:

    22:13:15.293243 4c:16:fc:2f:08:93 > 33:33:ff:05:a3:a1, ethertype IPv6 (0x86dd), length 96: (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1



  • Maybe check pfSense ICMP6 default rules in /tmp/debug.rules. If there is no rule allowing ICMP6 neighbour solicitation in on WAN interface 2001:8003:0:bdf:f0:3:9:0 then add such a rule.

    (You could also verify this by checking Firewall log ... you should see the ICMP6 being blocked)



  • @dugeem Thanks for looking at this. I see no IPv6 traffic in my logs being dropped, and I've read that rules for IPv6 are auto created and no manual rules are required.

    According to johnpoz "The icmpv6 rules that are required for IPv6 to work are allowed but hidden, just like dhcp is when you enable dhcp.. There is no need to worry about setting rules to allow the required stuff for IPv6 to function."



  • @Derelict Any ideas on this one? Basically pfsense won't accept Telstra's neighbor solicitation resulting in IPv6 not working on Australia's largest ISP. Other third party routers are working - just not pfsense. I have posted a heap of info above to help troubleshoot.



  • @johnpoz Same thing - if you've got any ideas on this one? Ta.


  • LAYER 8 Netgate

    Set the DHCPv6 Debug Log flag on the WAN, and post the WHOLE DHCP logs filtering on command dhcp6c.

    Post a screen shot of your Interfaces > WAN especially the DHCP6 section, not a textual representation.

    You might also want to packet capture on WAN for DHCP6 traffic and post that capture file, not some textual representation of the same. dhcp6 traffic should be on UDP port 547.

    Are they supposed to be delegating a /64, /60, /56, or /48?

    What is the exact guidance Telstra gives for configuring your own DHCP6 router?

    Since the typical settings don't work you need to find whatever secret sauce they require. You might also consider packet capturing a device that does work if Telstra can't tell you what they require.



  • @derelict

    I'll do this over multiple posts.

    DHCP logs with debug on:

    Feb 27 03:12:41 dhcp6c 52296 reset a timer on em0, state=SOLICIT, timeo=6, retrans=64469
    Feb 27 03:12:41 dhcp6c 52296 send solicit to ff02::1:2%em0
    Feb 27 03:12:41 dhcp6c 52296 set IA_PD
    Feb 27 03:12:41 dhcp6c 52296 set IA_PD prefix
    Feb 27 03:12:41 dhcp6c 52296 set option request (len 4)
    Feb 27 03:12:41 dhcp6c 52296 set elapsed time (len 2)
    Feb 27 03:12:41 dhcp6c 52296 set identity association
    Feb 27 03:12:41 dhcp6c 52296 set client ID (len 14)
    Feb 27 03:12:41 dhcp6c 52296 Sending Solicit
    Feb 27 03:12:09 dhcp6c 52296 reset a timer on em0, state=SOLICIT, timeo=5, retrans=31928
    Feb 27 03:12:09 dhcp6c 52296 send solicit to ff02::1:2%em0
    Feb 27 03:12:09 dhcp6c 52296 set IA_PD
    Feb 27 03:12:09 dhcp6c 52296 set IA_PD prefix
    Feb 27 03:12:09 dhcp6c 52296 set option request (len 4)
    Feb 27 03:12:09 dhcp6c 52296 set elapsed time (len 2)
    Feb 27 03:12:09 dhcp6c 52296 set identity association
    Feb 27 03:12:09 dhcp6c 52296 set client ID (len 14)
    Feb 27 03:12:09 dhcp6c 52296 Sending Solicit
    Feb 27 03:11:53 dhcp6c 52296 reset a timer on em0, state=SOLICIT, timeo=4, retrans=16326
    Feb 27 03:11:53 dhcp6c 52296 send solicit to ff02::1:2%em0
    Feb 27 03:11:53 dhcp6c 52296 set IA_PD
    Feb 27 03:11:53 dhcp6c 52296 set IA_PD prefix
    Feb 27 03:11:53 dhcp6c 52296 set option request (len 4)
    Feb 27 03:11:53 dhcp6c 52296 set elapsed time (len 2)
    Feb 27 03:11:53 dhcp6c 52296 set identity association
    Feb 27 03:11:53 dhcp6c 52296 set client ID (len 14)
    Feb 27 03:11:53 dhcp6c 52296 Sending Solicit

    0_1551197837283_Screen Shot 2019-02-27 at 3.15.34 am.png

    0_1551197844731_Screen Shot 2019-02-27 at 3.15.44 am.png

    0_1551197852532_Screen Shot 2019-02-27 at 3.15.59 am.png

    @derelict said in IPv6 Native with Telstra, Australia:

    Ugh. Yes they do. Look at the packet capture settings again.

    To avoid any confusion, I have even simplified my packet capture settings. here they are:

    0_1551242127112_Screen Shot 2019-02-27 at 3.35.16 pm.png



  • @derelict

    Here is the total information I have received from Telstra to date.

    Telstra uses Ipv6 PD /56 via dhcpv6.
    This is Native Ipv6 in a dual ipv4/ipv6 stack enviroment, no tunnel broker or 6rd.
    Telstra's supported router uses DHCPv6 and get a PD (prefix delegation) back, it will then assign the addresses to LAN clients.
    This means while the Telstra router may show it doesn't have a ipv6 address, It's still handing out PD ipv6 addresses to clients.

    I can see it sending Ipv6 DHCPv6

    13:30:59.553687 In
    Juniper PCAP Flags [no-L2, In]
    -----original packet-----
    PFE proto 6 (ipv6): (hlim 1, next-header: UDP (17), length: 146) fe80::20c:29ff:fe05:a3a1.dhcpv6-server > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 Relay-forward

    It’s also unable to establish Ipv6 neighbours which I suspect is a reason why it’s not functioning correctly

    13:31:01.106029 In
    Juniper PCAP Flags [no-L2, In]
    -----original packet-----
    PFE proto 6 (ipv6): (hlim 255, next-header: ICMPv6 (58), length: 32) fe80::20c:29ff:fe05:a3a1 > ff02::1:ff2f:893: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::4e16:fcff:fe2f:893
    source link-address option (1), length 8 (1): 00:0c:29:05:a3:a1
    0x0000: 000c 2905 a3a1

    13:31:02.073018 Out
    Juniper PCAP Flags [no-L2]
    -----original packet-----
    PFE proto 6 (ipv6): (class 0xc0, hlim 255, next-header: ICMPv6 (58), length: 32) 2001:8003:0:bdf:f0:3:9:0 > ff02::1:ff05:a3a1: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::20c:29ff:fe05:a3a1
    source link-address option (1), length 8 (1): 4c:16:fc:2f:08:93
    0x0000: 4c16 fc2f 0893


  • LAYER 8 Netgate

    What's with all that advanced configuration? Especially setting LAN as the PD interface. Is that you stabbing in the dark with your fingers crossed?

    Feb 26 08:17:55 	dhcp6c 	79587 	reset a timer on igb1, state=INIT, timeo=0, retrans=891
    Feb 26 08:17:56 	dhcp6c 	79587 	Sending Solicit
    Feb 26 08:17:56 	dhcp6c 	79587 	a new XID (781bad) is generated
    Feb 26 08:17:56 	dhcp6c 	79587 	set client ID (len 14)
    Feb 26 08:17:56 	dhcp6c 	79587 	set identity association
    Feb 26 08:17:56 	dhcp6c 	79587 	set elapsed time (len 2)
    Feb 26 08:17:56 	dhcp6c 	79587 	set option request (len 4)
    Feb 26 08:17:56 	dhcp6c 	79587 	set IA_PD prefix
    Feb 26 08:17:56 	dhcp6c 	79587 	set IA_PD
    Feb 26 08:17:56 	dhcp6c 	79587 	send solicit to ff02::1:2%igb1
    Feb 26 08:17:56 	dhcp6c 	79587 	reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
    Feb 26 08:17:56 	dhcp6c 	79587 	receive advertise from fe80::2e86:d2ff:fe89:2019%igb1 on igb1
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option client ID, len 14
    Feb 26 08:17:56 	dhcp6c 	79587 	DUID: 00:ff:ee:dd:cc:09:0f:68:00:08:a2:0a:59:41
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option server ID, len 14
    Feb 26 08:17:56 	dhcp6c 	79587 	DUID: 00:01:00:01:55:f6:d0:f4:f8:bc:12:3e:b6:9c
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option DNS, len 32
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option identity association, len 40
    Feb 26 08:17:56 	dhcp6c 	79587 	IA_NA: ID=0, T1=43200, T2=69120
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option IA address, len 24
    Feb 26 08:17:56 	dhcp6c 	79587 	IA_NA address: 2600:aaaa:bbbb:1c00:4417:7125:99fd:24cb pltime=86400 vltime=86400
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option IA_PD, len 41
    Feb 26 08:17:56 	dhcp6c 	79587 	IA_PD: ID=0, T1=43200, T2=69120
    Feb 26 08:17:56 	dhcp6c 	79587 	get DHCP option IA_PD prefix, len 25
    Feb 26 08:17:56 	dhcp6c 	79587 	IA_PD prefix: 2600:aaaa:ccc:ab00::/56 pltime=86400 vltime=86400
    Feb 26 08:17:56 	dhcp6c 	79587 	server ID: 00:01:00:01:55:f6:d0:f4:f8:bc:12:3e:b6:9c, pref=-1
    Feb 26 08:17:56 	dhcp6c 	79587 	reset timer for igb1 to 0.973168
    Feb 26 08:17:57 	dhcp6c 	79587 	picked a server (ID: 00:01:00:01:55:f6:d0:f4:f8:bc:12:3e:b6:9c)
    Feb 26 08:17:57 	dhcp6c 	79587 	Sending Request
    Feb 26 08:17:57 	dhcp6c 	79587 	a new XID (804c2e) is generated
    Feb 26 08:17:57 	dhcp6c 	79587 	set client ID (len 14)
    Feb 26 08:17:57 	dhcp6c 	79587 	set server ID (len 14)
    Feb 26 08:17:57 	dhcp6c 	79587 	set IA address
    Feb 26 08:17:57 	dhcp6c 	79587 	set identity association
    Feb 26 08:17:57 	dhcp6c 	79587 	set elapsed time (len 2)
    Feb 26 08:17:57 	dhcp6c 	79587 	set option request (len 4)
    Feb 26 08:17:57 	dhcp6c 	79587 	set IA_PD prefix
    Feb 26 08:17:57 	dhcp6c 	79587 	set IA_PD
    Feb 26 08:17:57 	dhcp6c 	79587 	send request to ff02::1:2%igb1
    Feb 26 08:17:57 	dhcp6c 	79587 	reset a timer on igb1, state=REQUEST, timeo=0, retrans=909
    Feb 26 08:17:57 	dhcp6c 	79587 	receive reply from fe80::2e86:d2ff:fe89:2019%igb1 on igb1
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option client ID, len 14
    Feb 26 08:17:57 	dhcp6c 	79587 	DUID: 00:ff:ee:dd:cc:09:0f:68:00:08:a2:0a:59:41
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option server ID, len 14
    Feb 26 08:17:57 	dhcp6c 	79587 	DUID: 00:01:00:01:55:f6:d0:f4:f8:bc:12:3e:b6:9c
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option DNS, len 32
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option identity association, len 46
    Feb 26 08:17:57 	dhcp6c 	79587 	IA_NA: ID=0, T1=43200, T2=69120
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option status code, len 2
    Feb 26 08:17:57 	dhcp6c 	79587 	status code: success
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option IA address, len 24
    Feb 26 08:17:57 	dhcp6c 	79587 	IA_NA address: 2600:aaaa:bbbb:1c00:4417:7125:99fd:24cb pltime=86400 vltime=86400
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option IA_PD, len 47
    Feb 26 08:17:57 	dhcp6c 	79587 	IA_PD: ID=0, T1=43200, T2=69120
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option status code, len 2
    Feb 26 08:17:57 	dhcp6c 	79587 	status code: success
    Feb 26 08:17:57 	dhcp6c 	79587 	get DHCP option IA_PD prefix, len 25
    Feb 26 08:17:57 	dhcp6c 	79587 	IA_PD prefix: 2600:aaaa:ccc:ab00::/56 pltime=86400 vltime=86400
    Feb 26 08:17:57 	dhcp6c 	79587 	dhcp6c Received REQUEST
    Feb 26 08:17:57 	dhcp6c 	79587 	nameserver[0] 2001:578:3f::30
    Feb 26 08:17:57 	dhcp6c 	79587 	nameserver[1] 2001:578:3f:1::30
    Feb 26 08:17:57 	dhcp6c 	79587 	make an IA: PD-0
    Feb 26 08:17:57 	dhcp6c 	79587 	status code for PD-0: success
    Feb 26 08:17:57 	dhcp6c 	79587 	create a prefix 2600:aaaa:ccc:ab00::/56 pltime=86400, vltime=86400
    Feb 26 08:17:57 	dhcp6c 	79587 	add an address 2600:aaaa:ccc:ab01:208:a2ff:fe0a:593f/64 on lagg0.223
    Feb 26 08:17:57 	dhcp6c 	79587 	add an address 2600:aaaa:ccc:ab02:208:a2ff:fe0a:593f/64 on lagg0.999
    Feb 26 08:17:57 	dhcp6c 	79587 	add an address 2600:aaaa:ccc:ab03:208:a2ff:fe0a:593f/64 on lagg0.1003
    Feb 26 08:17:57 	dhcp6c 	79587 	add an address 2600:aaaa:ccc:ab10:208:a2ff:fe0a:593f/64 on lagg0.1004
    Feb 26 08:17:57 	dhcp6c 	79587 	add an address 2600:aaaa:ccc:ab04:208:a2ff:fe0a:593f/64 on lagg0.224
    Feb 26 08:17:57 	dhcp6c 	79587 	make an IA: NA-0
    Feb 26 08:17:57 	dhcp6c 	79587 	status code for NA-0: success
    Feb 26 08:17:57 	dhcp6c 	79587 	create an address 2600:aaaa:bbbb:1c00:4417:7125:99fd:24cb pltime=86400, vltime=11447309925244555648
    Feb 26 08:17:57 	dhcp6c 	79587 	add an address 2600:aaaa:bbbb:1c00:4417:7125:99fd:24cb/128 on igb1
    Feb 26 08:17:57 	dhcp6c 	79587 	executes /var/etc/dhcp6c_wan_script.sh
    Feb 26 08:19:06 	dhcp6c 		dhcp6c REQUEST on igb1 - running rc.newwanipv6
    Feb 26 08:19:06 	dhcp6c 	79587 	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Feb 26 08:19:06 	dhcp6c 	79587 	removing an event on igb1, state=REQUEST
    Feb 26 08:19:06 	dhcp6c 	79587 	removing server (ID: 00:01:00:01:55:f6:d0:f4:f8:bc:12:3e:b6:9c)
    Feb 26 08:19:06 	dhcp6c 	79587 	got an expected reply, sleeping.
    

    0_1551198919669_Screen Shot 2019-02-26 at 8.34.49 AM.png

    And if I do check advanced configuration to view it:

    0_1551198941112_Screen Shot 2019-02-26 at 8.35.05 AM.png





  • @derelict said in IPv6 Native with Telstra, Australia:

    What's with all that advanced configuration? Especially setting LAN as the PD interface. Is that you stabbing in the dark with your fingers crossed?

    It's me following other ISP implementations where people have said its close to how Telstra work. That said, you are right - its me stabbing in the dark trying to get it to work. I am reading info on how other 3rd party routers have got theirs up and running with Telstra and trying to translate that into pfsense. But long and short - its flying darts blind folded.


  • LAYER 8 Netgate

    I would get rid of all of that and start over with basically what I have there and start the information gathering and pasting evolution over again.

    No need to fly blind with actual information from the ISP and an ISP willing to help.



  • @Derelict

    So I now have the config you posted above. Results below. I would also say the ISP doesn't know a thing about pfsense, so not sure how much help they will be to us. That said, the guy does respond to me if I have specific questions.

    Here is the debug DHCP log with the config you suggested above:

    Feb 27 03:43:11 dhcp6c 17859 reset a timer on em0, state=SOLICIT, timeo=3, retrans=8065
    Feb 27 03:43:11 dhcp6c 17859 send solicit to ff02::1:2%em0
    Feb 27 03:43:11 dhcp6c 17859 set IA_PD
    Feb 27 03:43:11 dhcp6c 17859 set IA_PD prefix
    Feb 27 03:43:11 dhcp6c 17859 set option request (len 4)
    Feb 27 03:43:11 dhcp6c 17859 set elapsed time (len 2)
    Feb 27 03:43:11 dhcp6c 17859 set identity association
    Feb 27 03:43:11 dhcp6c 17859 set client ID (len 14)
    Feb 27 03:43:11 dhcp6c 17859 Sending Solicit



  • @derelict Here is the new packet capture from the settings you told me to implement:

    0_1551199609614_packetcapture.cap.zip



  • @derelict Interestingly, zero UDP packets in the packet captures. All ICMP neighbor solicitation.



  • @derelict Also, no idea how to packet capture their router doing DHCPv6 negotiation. Their router plugs straight into the IPoE interface and I don't have a hub where I can plug wireshark or anything like that to capture packets. Any ideas welcome on how to achieve that. Their router also has custom firmware so no ability to packet capture off of it. I can check their limited logs, but that's about it. Let me know if you want me to that.



  • @derelict

    Here are screen shots of my LAN interface

    0_1551201294932_Screen Shot 2019-02-27 at 4.14.19 am.png 0_1551201302072_Screen Shot 2019-02-27 at 4.14.29 am.png

    RA:

    0_1551201349613_Screen Shot 2019-02-27 at 4.15.34 am.png

    Gateway:

    0_1551201434158_Screen Shot 2019-02-27 at 4.16.23 am.png


  • LAYER 8 Netgate

    They do not have to know anything about pfSense. They should be able to tell you what is required of ANY dhcp6 client to pull an address and PD. Then we just make pfSense do what they require instead of guessing.



  • @derelict said in IPv6 Native with Telstra, Australia:

    They do not have to know anything about pfSense. They should be able to tell you what is required of ANY dhcp6 client to pull an address and PD. Then we just make pfSense do what they require instead of guessing.

    What I've given you is everything they have given me when I've asked. I don't think they intend on giving me any more info unless there is a specific question you want me to go back and ask them. They haven't provided me with any further info. I've literally given you exactly what they have given me. They think the issue is to do with neighbor solicitation and pfsense not accepting it.



  • @derelict said in IPv6 Native with Telstra, Australia:

    They do not have to know anything about pfSense. They should be able to tell you what is required of ANY dhcp6 client to pull an address and PD. Then we just make pfSense do what they require instead of guessing.

    So in summary - I'm out of moves. I feel that if this is ever going to get resolved, and we need more info from Telstra, then I would need to ask them specific questions for them to answer (and I don't know what those questions are).

    I've asked the general questions like you've already asked me which is "how do they expect a client to get a DHCPv6 PD" and their response was the email above, plus the monitoring of my control plane, and coming back to me saying its a neighbor solicitation issue with pfsense.


  • LAYER 8 Netgate

    You should absolutely see traffic on WAN on UDP/547

    That is Solicit, Advertise, Request, Reply

    All I did was start that capture then edit/save Interfaces > WAN

    0_1551210796707_screenshot-192.168.223.1-8883-2019.02.26-11-51-55.png


  • LAYER 8 Netgate

    @larrikin said in IPv6 Native with Telstra, Australia:

    I am reading info on how other 3rd party routers have got theirs up and running with Telstra and trying to translate that into pfsense.

    Maybe you should post some of those.




  • LAYER 8 Netgate

    OK so prefix-only probably translates to:

    Request only an IPv6 prefix
    Only request an IPv6 prefix, do not request an IPv6 address

    Did you check that?



  • @derelict said in IPv6 Native with Telstra, Australia:

    OK so prefix-only probably translates to:

    Request only an IPv6 prefix
    Only request an IPv6 prefix, do not request an IPv6 address

    Did you check that?

    Yes - I've tried that too.


  • LAYER 8 Netgate

    OK and what did the dhcp6c logs look like when you only enabled that and tried it?

    You're going to have to be a lot more forthcoming with information. We can't test it from here. Only you can.



  • @derelict

    Here are the logs. Want another packet capture too?

    Feb 27 10:26:01 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=4, retrans=16326
    Feb 27 10:26:01 dhcp6c 48288 send solicit to ff02::1:2%em0
    Feb 27 10:26:01 dhcp6c 48288 set IA_PD
    Feb 27 10:26:01 dhcp6c 48288 set IA_PD prefix
    Feb 27 10:26:01 dhcp6c 48288 set option request (len 4)
    Feb 27 10:26:01 dhcp6c 48288 set elapsed time (len 2)
    Feb 27 10:26:01 dhcp6c 48288 set client ID (len 14)
    Feb 27 10:26:01 dhcp6c 48288 Sending Solicit
    Feb 27 10:25:53 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=3, retrans=8065
    Feb 27 10:25:53 dhcp6c 48288 send solicit to ff02::1:2%em0
    Feb 27 10:25:53 dhcp6c 48288 set IA_PD
    Feb 27 10:25:53 dhcp6c 48288 set IA_PD prefix
    Feb 27 10:25:53 dhcp6c 48288 set option request (len 4)
    Feb 27 10:25:53 dhcp6c 48288 set elapsed time (len 2)
    Feb 27 10:25:53 dhcp6c 48288 set client ID (len 14)
    Feb 27 10:25:53 dhcp6c 48288 Sending Solicit
    Feb 27 10:25:49 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=2, retrans=3982
    Feb 27 10:25:49 dhcp6c 48288 send solicit to ff02::1:2%em0
    Feb 27 10:25:49 dhcp6c 48288 set IA_PD
    Feb 27 10:25:49 dhcp6c 48288 set IA_PD prefix
    Feb 27 10:25:49 dhcp6c 48288 set option request (len 4)
    Feb 27 10:25:49 dhcp6c 48288 set elapsed time (len 2)
    Feb 27 10:25:49 dhcp6c 48288 set client ID (len 14)
    Feb 27 10:25:49 dhcp6c 48288 Sending Solicit
    Feb 27 10:25:47 dhcp6c 48288 reset a timer on em0, state=SOLICIT, timeo=1, retrans=2083
    Feb 27 10:25:47 dhcp6c 48288 send solicit to ff02::1:2%em0
    Feb 27 10:25:47 dhcp6c 48288 set IA_PD
    Feb 27 10:25:47 dhcp6c 48288 set IA_PD prefix
    Feb 27 10:25:47 dhcp6c 48288 set option request (len 4)
    Feb 27 10:25:47 dhcp6c 48288 set elapsed time (len 2)
    Feb 27 10:25:47 dhcp6c 48288 set client ID (len 14)
    Feb 27 10:25:47 dhcp6c 48288 Sending Solicit



  • @derelict 0_1551224042344_packetcapture.cap.zip

    That's the latest packet capture based on turning on "request only an IPv6 prefix".



  • @derelict said in IPv6 Native with Telstra, Australia:

    OK and what did the dhcp6c logs look like when you only enabled that and tried it?

    You're going to have to be a lot more forthcoming with information. We can't test it from here. Only you can.

    Mate - really appreciate you helping me. Apologies if I am not giving enough info. I'll just assume from here on in to include logs and packet captures every time you ask me to change something. Shout out if you need more info than those things.

    What just seems strange to me is this whole neighbor solicitation thing on ICMP. It doesn't seem to be able to get past that and onto UDP.



  • @derelict This is the only info I can get out of the Telstra router which does get a valid IPv6 address. Not sure its helpful, but thought I'd give it to you:

    01.01.2018 11:01:08 DHCPv6: Request on eth0, interval 4000ms.
    01.01.2018 11:01:10 DHCPv6: gets IPv6 address: 2001:8003:f00:3209:ac01:1e31:de2d:8725/128, valid/preferred: 3600/3600, PD: 2001:8003:Xxxx:6600::/56, valid/preferred: 3600/3600, gateway: fe80::4e16:fcff:fe2f:893, DNS:



  • @derelict More DHCPv6 logs from a reboot:

    Feb 27 10:45:51 dhcp6c 50809 reset a timer on em0, state=SOLICIT, timeo=0, retrans=1091
    Feb 27 10:45:51 dhcp6c 50809 send solicit to ff02::1:2%em0
    Feb 27 10:45:51 dhcp6c 50809 set IA_PD
    Feb 27 10:45:51 dhcp6c 50809 set IA_PD prefix
    Feb 27 10:45:51 dhcp6c 50809 set option request (len 4)
    Feb 27 10:45:51 dhcp6c 50809 set elapsed time (len 2)
    Feb 27 10:45:51 dhcp6c 50809 set client ID (len 14)
    Feb 27 10:45:51 dhcp6c 50809 a new XID (57b82e) is generated
    Feb 27 10:45:51 dhcp6c 50809 Sending Solicit
    Feb 27 10:45:50 dhcp6c 50809 reset a timer on em0, state=INIT, timeo=0, retrans=891
    Feb 27 10:45:50 dhcp6c 50646 called
    Feb 27 10:45:50 dhcp6c 50646 called
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of closure [}] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of closure [}] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[8] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[sla-len] (7)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[0] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[sla-id] (6)
    Feb 27 10:45:50 dhcp6c 50646 <3>begin of closure [{] (1)
    Feb 27 10:45:50 dhcp6c 50646 <5>[em1] (3)
    Feb 27 10:45:50 dhcp6c 50646 <3>[prefix-interface] (16)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[infinity] (8)
    Feb 27 10:45:50 dhcp6c 50646 <3>[56] (2)
    Feb 27 10:45:50 dhcp6c 50646 <3>[/] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[::] (2)
    Feb 27 10:45:50 dhcp6c 50646 <3>[prefix] (6)
    Feb 27 10:45:50 dhcp6c 50646 <13>begin of closure [{] (1)
    Feb 27 10:45:50 dhcp6c 50646 <13>[0] (1)
    Feb 27 10:45:50 dhcp6c 50646 <13>[pd] (2)
    Feb 27 10:45:50 dhcp6c 50646 <3>[id-assoc] (8)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of closure [}] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>comment [# we'd like some nameservers please] (35)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
    Feb 27 10:45:50 dhcp6c 50646 <3>[script] (6)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[domain-name] (11)
    Feb 27 10:45:50 dhcp6c 50646 <3>[request] (7)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[domain-name-servers] (19)
    Feb 27 10:45:50 dhcp6c 50646 <3>[request] (7)
    Feb 27 10:45:50 dhcp6c 50646 <3>comment [# request prefix delegation] (27)
    Feb 27 10:45:50 dhcp6c 50646 <3>end of sentence [;] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[0] (1)
    Feb 27 10:45:50 dhcp6c 50646 <3>[ia-pd] (5)
    Feb 27 10:45:50 dhcp6c 50646 <3>[send] (4)
    Feb 27 10:45:50 dhcp6c 50646 <3>begin of closure [{] (1)
    Feb 27 10:45:50 dhcp6c 50646 <5>[em0] (3)
    Feb 27 10:45:50 dhcp6c 50646 <3>[interface] (9)
    Feb 27 10:45:50 dhcp6c 50646 skip opening control port
    Feb 27 10:45:50 dhcp6c 50646 failed initialize control message authentication
    Feb 27 10:45:50 dhcp6c 50646 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
    Feb 27 10:45:50 dhcp6c 50646 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:24:07:f7:52:00:0c:29:05:a3:a1


  • LAYER 8 Netgate

    That doesn't show a DHCP attempt.

    You might want to reset to defaults and start over.

    Resetting everything related to the WAN DHCP6 should be enough but nobody knows what you've clicked to try to fix this.


  • LAYER 8 Netgate

    @larrikin Well then that whirlpool link you posted is wrong because obviously it issues a WAN IP address.


  • LAYER 8 Netgate

    Did you get traffic on IPv6/UDP/547 on the WAN? If that's not happening nothing is going to work.



  • @derelict said in IPv6 Native with Telstra, Australia:

    @larrikin Well then that whirlpool link you posted is wrong because obviously it issues a WAN IP address.

    Welcome to my confusion of the land of contradictions with the information that is out there on how Telstra IPv6 actually works :). The Telstra modem I showed you above has a WAN v6IP address. There is another Telstra modem I have where it doesn't get a WAN v6IP address. It's different per their modems.



  • @derelict said in IPv6 Native with Telstra, Australia:

    Did you get traffic on IPv6/UDP/547 on the WAN? If that's not happening nothing is going to work.

    I only get the ICMP traffic with the neighbor solicitation that you see in the packet capture. Telstra responds to my pfsense request using ICMP neighbor solicitation, but my pfsense doesn't seem to do anything with their response, so it just goes into a perpetual loop. That's the problem from Telstra's perspective.



  • @derelict said in IPv6 Native with Telstra, Australia:

    That doesn't show a DHCP attempt.

    You might want to reset to defaults and start over.

    Resetting everything related to the WAN DHCP6 should be enough but nobody knows what you've clicked to try to fix this.

    I've done exactly that. The config I have is exactly the one you've asked me to do. I have nothing else configured. Let me know if you want screen shots. I've literally disabled everything. I've even factory reset pfsense. Then freshly did the config as per what you asked. That is the config that is currently live.


Log in to reply