Netgate Discussion Forum

    Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?

    • B
      bimmerdriver @Derelict
      last edited by bimmerdriver

      @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

      It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

      Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by Derelict

        They HAVE to send an unsolicited, periodic RA. If juniper has that setting then it is to be used in cases where it is not necessary. This is not a pfSense problem. It is an ISP problem. See RFC4861. The host device is FORBIDDEN from sending another RS unless its interface is shut/no shut, etc.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • DerelictD
          Derelict LAYER 8 Netgate @bimmerdriver
          last edited by

          @bimmerdriver

          @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

          @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

          It has already been established that the ISP responds to an RS with an RA. They need to send periodic RAs and they are not. So that does no good either.

          Yes, understood. I'm wondering why pfSense sometimes works in this situation and other times doesn't. As far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages. Shouldn't pfSense always drop the default route after 5400 seconds?

          I don't understand your point. ISPs that work and adhere to standards send periodic RAs.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @bimmerdriver
            last edited by johnpoz

            @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

            far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages.

            Says who? 2 second google
            https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unsolicited-ra-edit-enhanced-universal-edge-overrides.html

            So they have that SET!!! Per previous comments, etc. as well

            Says that the DEFAULT is to send them..

            Disable the default transmission and periodic refresh of unsolicited Router Advertisement messages by the router when the subscriber interface is created, and at configured periodic intervals thereafter. When you include the no-unsolicited-ra statement, the router sends Router Advertisement messages and associated periodic refresh messages only when it receives a Router Solicitation message from the subscriber.

            BTW - that link is first hit on google for "juniper routers unsolicited RA"

            Couple hits down is your post on the other distro board.. Posting the same link - so you KNOW it's not default and that they set it, not that they DO NOT do it...

            If the RFC says the host is "forbidden" from sending RS... You think pfsense should break the rfc and send RS anyway, because some ISP doesn't know how to configure their own choice of hardware? To be standard?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Based on RFC4861 I cannot see that as ever working unless you have coded your subscriber devices to violate RFC4861 by periodically sending RSs, thus breaking your subscribers' ability to use compliant devices.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Yeah not sure why they added the "option" but prob some feature request for some bigger odd ball network doing odd things, etc.

                But it sure is not "default" nor is with the RFCs - so yeah could break a lot of shit..

                • B
                  bimmerdriver @Derelict
                  last edited by

                  @Derelict My point is that sometimes, pfSense tolerates the absence of RA messages and IPv6 continues to work. Other times, IPv6 drops after a couple of hours. It can be restored by save / apply on the WAN I/F.

                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by Derelict

                    No, it doesn't. My guess is that when you think it is tolerating it, it is really because something has done something to the WAN port that caused another RS to be issued. Could be a down up on WAN for any reason or probably several other things.

                    A long packet capture would tell the tale there.

                    Your ISP is broken. They should fix it. At this point I'd try to make an appointment with someone there. VP or higher.

                    • B
                      bimmerdriver @johnpoz
                      last edited by

                      @johnpoz said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                      @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                      far as I understand, based on correspondence with the ISP, the juniper routers DO NOT send unsolicited RA messages.

                      Says who? 2 second google
                      https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/no-unsolicited-ra-edit-enhanced-universal-edge-overrides.html

                      So they have that SET!!!

                      Says that the DEFAULT is to send them..

                      Disable the default transmission and periodic refresh of unsolicited Router Advertisement messages by the router when the subscriber interface is created, and at configured periodic intervals thereafter. When you include the no-unsolicited-ra statement, the router sends Router Advertisement messages and associated periodic refresh messages only when it receives a Router Solicitation message from the subscriber.

                      BTW - that link is first hit on google for "juniper routers unsolicited RA"

                      Couple hits down is your post on the other distro board.. Posting the same link - so you KNOW it's not default and that they set it, not that they DO NOT do it...

                      If the RFC says the host is "forbidden" from sending RS... You think pfsense should break the rfc and send RS anyway, because some ISP doesn't know how to configure their own choice of hardware? To be standard?

                      I have a pcap that ran overnight with no unsolicited RA messages. pfsense was dutifully renewing the DHCP lease, but the link wasn't working. The only RA message in the entire pcap was in reply to the RS message sent from pfsense when the link was started. IPv6 worked for a while when the link started, then dropped and did not restore for the duration of the pcap.

                      The link to Juniper describing the "feature" is from June 2019. Not likely that very many ISPs will push out an update overnight and I'm not sure it would fix the problem the ISP is having.

                      RFC 4861 says the following for RA destination address: Typically the Source Address of an invoking Router Solicitation or the all-nodes multicast address.

                      According to the most recent email I got from the ISP, the CPE only accepts unsolicited RA with unicast destination address. (In my case, with a Nokia edge router, that's what my modem is receiving for both the solicited and unsolicited RA messages.) According to the ISP, the Juniper edge router only sends unsolicited RA with all-nodes multicast address destination. (IMO, it makes sense that it would be multicast for unsolicited RA, no idea why this should be a problem for the CPE.) The CPE doesn't accept this, so it drops the default route and IPv6 drops until something triggers another RS message. For customers who are unlucky and have a Juniper edge router, they don't have working IPv6. The ISP is trying to get Juniper to modify the software to support unicast and they are also looking at modifying the CPE to not expire the default route.

                      It's a pretty pathetic situation when major companies can't / won't make interoperable network equipment. It's not like IPv6 was invented yesterday.

                      • B
                        bimmerdriver @Derelict
                        last edited by

                        @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                        No, it doesn't. My guess is that when you think it is tolerating it, it is really because something has done something to the WAN port that caused another RS to be issued. Could be a down up on WAN for any reason or probably several other things.

                        A long packet capture would tell the tale there.

                        Your ISP is broken. They should fix it. At this point I'd try to make an appointment with someone there. VP or higher.

                        It may well be the case that something is causing the IPv6 to restart but it's not obvious what that would be. I don't have a pcap that captures IPv6 going back up after going down. There are two completely separate, almost identical hyper-v servers, each running the same version of pfsense, connected to the same fibre interface. On one of them IPv6 is solid. On the other it's unreliable. The pcap is from the unreliable one. Both are connected to the same edge router. We haven't had a chance to run a pcap on the other system.

                        I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz

                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by Derelict

                          @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                          I have a pcap that ran overnight with no unsolicited RA messages. pfsense was dutifully renewing the DHCP lease, but the link wasn't working. The only RA message in the entire pcap was in reply to the RS message sent from pfsense when the link was started. IPv6 worked for a while when the link started, then dropped and did not restore for the duration of the pcap.

                          Exactly. Because obtaining a gateway (router) is completely disconnected from DHCP in IPv6.

                          Everything you describe there is exactly what should happen according to RFC4861.

                          You should be focusing your efforts on your ISP, not your firewall.

                          I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz

                          If you had your ducks in a row and could quickly demonstrate how his network was WRONG the VP might appreciate it.

                          According to the ISP, the Juniper edge router only sends unsolicited RA with all-nodes multicast address destination. (IMO, it makes sense that it would be multicast for unsolicited RA, no idea why this should be a problem for the CPE.) The CPE doesn't accept this, so it drops the default route and IPv6 drops until something triggers another RS message. For customers who are unlucky and have a Juniper edge router, they don't have working IPv6. The ISP is trying to get Juniper to modify the software to support unicast and they are also looking at modifying the CPE to not expire the default route.

                          But it sounds like they already know it. pfSense can do a lot of things but it can't fix a broken ISP. Sorry.

                          What your ISP needs is someone with the cojones to push the necessary change.

                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            4.2. Router Advertisement Message Format

                            Source Address
                            MUST be the link-local address assigned to the
                            interface from which this message is sent.

                            Destination Address
                            Typically the Source Address of an invoking Router
                            Solicitation or the all-nodes multicast address.

                            That's pretty non-committal and I haven't found anything more authoritative but that says the response to an RS will be unicast to the host sending the RS being responded to and, if unsolicited, it will be to the all-nodes multicast address.

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              Which makes complete sense - you sure wouldn't want to send out multicast every time someone asks for a RS.. Would just generate noise..

                              • JKnottJ
                                JKnott @bimmerdriver
                                last edited by

                                @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                According to the most recent email I got from the ISP, the CPE only accepts unsolicited RA with unicast destination address.

                                That's nonsense. Unsolicited RAs only go to the multicast address. If they were only sent to the unicast address, how would the router know the unicast address of something that didn't send a request?

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                • JKnottJ
                                  JKnott @bimmerdriver
                                  last edited by

                                  @bimmerdriver said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                  I really doubt a VP is going to take an appointment with a residential subscriber for a bitch session about their network. lolz

                                  Actually, I went through something similar a few months ago. I had a problem where the cable company's CMTS wasn't working properly. I had determined the failure was not on my network and even identified the failing system by name. I had the office of the President involved and finally got it resolved, after a senior tech proved the problem was with a specific CMTS (mine) at the head end.

                                  • JKnottJ
                                    JKnott @Derelict
                                    last edited by JKnott

                                    @Derelict said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                    That's pretty non-committal and I haven't found anything more authoritative but that says the response to an RS will be unicast to the host sending the RS being responded to and, if unsolicited, it will be to the all-nodes multicast address.

                                    Here's what it says in IPv6 Essentials 3rd ed, by Silvia Hagen, pg 90:

                                    "By inspecting the IP header of the Router Advertisement message, you can determine
                                    whether this Router Advertisement is periodic or was sent in reply to a Solicitation
                                    message. A periodic advertisement’s Destination address will be the all-nodes multicast
                                    address ff02::1. A solicited advertisement’s Destination address will be the address of the
                                    interface that originated the solicitation message. Again, the hop limit is set to 255."


                                    1 Reply Last reply Reply Quote 0
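The destination-address and hop-limit checks quoted above, applied to the kind of overnight capture discussed in this thread; this is an added example, not code from any poster or from pfSense. The addresses, the 600-second periodic interval and the 10-hour capture length are constructed assumptions, and the 5400-second router lifetime is the figure mentioned in the thread.

```python
import ipaddress
import struct

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ICMPV6, RS, RA = 58, 133, 134
ROUTER, HOST = "fe80::1", "fe80::2"  # constructed link-local addresses

def build_nd(src, dst, icmp_type, lifetime=0, hop_limit=255):
    """Build a constructed IPv6 + ICMPv6 RS/RA packet (checksum left at 0)."""
    body = struct.pack("!BBHII", 64, 0, lifetime, 0, 0) if icmp_type == RA else b"\x00" * 4
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)

def parse_nd(pkt):
    """Decode an RS or RA from a raw IPv6 packet; return None for anything else.
    Assumes ICMPv6 directly follows the fixed header (no extension headers)."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6 or pkt[6] != ICMPV6:
        return None
    nd = {"hop_limit": pkt[7],
          "src": ipaddress.IPv6Address(pkt[8:24]),
          "dst": ipaddress.IPv6Address(pkt[24:40])}
    if pkt[40] == RS:
        return {**nd, "kind": "RS"}
    if pkt[40] != RA or len(pkt) < 56:
        return None
    # RA fields after the 4-byte ICMPv6 header:
    # cur hop limit, flags, router lifetime (s), reachable time, retrans timer
    _, _, lifetime, _, _ = struct.unpack("!BBHII", pkt[44:56])
    # Heuristic from the quote: periodic RAs go to ff02::1, replies to an RS
    # go to the soliciting host's address.
    return {**nd, "kind": "RA", "lifetime": lifetime,
            "solicited": nd["dst"] != ALL_NODES}

def default_route_outages(events, capture_end):
    """events: (timestamp_seconds, raw_packet) pairs.
    Returns (start, end) intervals with no unexpired default router."""
    events = sorted(events, key=lambda e: e[0])
    expires, outages = None, []
    for ts, pkt in events:
        nd = parse_nd(pkt)
        if not nd or nd["kind"] != "RA":
            continue
        # RFC 4861 receive checks: hop limit 255 and a link-local source.
        if nd["hop_limit"] != 255 or not nd["src"].is_link_local:
            continue
        if expires is not None and ts > expires:
            outages.append((expires, ts))
        expires = ts + nd["lifetime"]  # every valid RA refreshes the lifetime
    if expires is None:  # no valid RA seen at all
        return [(events[0][0] if events else 0, capture_end)]
    if capture_end > expires:
        outages.append((expires, capture_end))
    return outages

def sample_broken_capture():
    """Constructed: one RS at link-up, one unicast RA in reply, then silence."""
    return [(0, build_nd(HOST, "ff02::2", RS)),
            (1, build_nd(ROUTER, HOST, RA, lifetime=5400))]

def sample_compliant_capture():
    """Constructed: same start, plus a multicast RA every 600 s (assumed interval)."""
    periodic = [(t, build_nd(ROUTER, "ff02::1", RA, lifetime=5400))
                for t in range(600, 36000, 600)]
    return sample_broken_capture() + periodic

if __name__ == "__main__":
    for name, cap in (("broken", sample_broken_capture()),
                      ("compliant", sample_compliant_capture())):
        print(name, default_route_outages(cap, capture_end=36000))
```
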
                                    • jahonixJ
                                      jahonix @johnpoz
                                      last edited by

                                      @johnpoz said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                      ...your post on the other distro board...

                                      This forum is amazing! Just by following/reading this thread I learned a lot.
                                      On the "other distro board" there wasn't even a single reply to the question. 🤔 Tells it all, doesn't it?

                                      Thanks for sharing knowledge and discussing professionally on this forum, really appreciate it!

                                      • JKnottJ
                                        JKnott @jahonix
                                        last edited by

                                        @jahonix said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                        On the "other distro board" there wasn't even a single reply to the question.

                                        I don't know what that other distro is, but here it's all about networking with pfSense. Many of us here work professionally with networks. This means we tend to know more about networks than users on Linux sites. When I had that problem a few months ago, I found I had to teach both the tier 2 support and senior tech about some of the finer points about IPv6.

                                        • jahonixJ
                                          jahonix @JKnott
                                          last edited by

                                          @JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                          I don't know what that other distro is, but ...

                                          The fork of pfSense, maybe?
                                          So it's not that far off the track as "other Linux sites" might be.

                                          • johnpozJ
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            @JKnott said in Is there a way to trigger pfSense to periodically send RS on WAN I/F to ISP edge router?:

                                            I don't know what that other distro is

                                            hehe - yeah bimmerdriver posted pretty much same question over on the forums for the distro that I will not name ;) I mentioned that in my post about the juniper setting not being default to not send unsolicited RAs.

                                            It's like 3rd or 4th listing on the google search I stated - if you want to find it.. It's crickets over there for his question..

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.