deprecated IPv6 address



  • Hi all,

    I got a problem with IPv6 and I hope someone has an idea.

    I'm using an AVM Fritzbox which has been provided by my ISP. Behind it, there's the pfSense running as a VM on an ESXi host. I would like to use IPv6 in my local network (behind the pfSense) parallel to IPv4 (dual stack).

    My provider delegates an IPv6 prefix to me, but this prefix changes every 24 hours when the AVM router reconnects. I have some servers in my local network running. I don't want their IPv6 addresses to change every 24 hours, nor do I want them to have both a public and a private address. That's why I want to use a private fd00 prefix locally and then use the public IPv6 address on the pfSense WAN interface with a masquerading NAT to go online. I know that IPv6 is not intended to be used this way, but since my provider is not able to give me a static prefix and I don't want to have two IPv6 addresses per host, I see no other way.

    I've already configured the system this way and it works fine, all systems have both local and WAN connectivity with their fd00-addresses - until my AVM router reconnects and I get a new prefix. The pfSense receives a new IPv6 address on the WAN port after the reconnect instantaneously, but it also keeps the old IPv6 address. The old address is marked as deprecated in ifconfig. The problem is that the NAT rule seems to use the old, deprecated address after getting a new IPv6 address:

    Before reconnect

    [2.4.4-RELEASE][root@pfSense.localdomain]/root: ifconfig em5
    em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether xx:xx:xx:xx:xx:xx
    hwaddr xx:xx:xx:xx:xx:xx
    inet6 fe80::20c:29ff:fedd:e6ae%em5 prefixlen 64 scopeid 0x6
    inet6 2001:16b8:20d1:e000:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active

    After reconnect

    [2.4.4-RELEASE][root@pfSense.localdomain]/root: ifconfig em5
    em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
    ether xx:xx:xx:xx:xx:xx
    hwaddr xx:xx:xx:xx:xx:xx
    inet6 fe80::20c:29ff:fedd:e6ae%em5 prefixlen 64 scopeid 0x6
    inet6 2001:16b8:20d1:e000:xxxx:xxxx:xxxx:xxxx prefixlen 64 deprecated autoconf
    inet6 2001:16b8:20d3:6700:xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active

    If I were able to somehow drop this deprecated address, my ruleset would use the new, currently active IPv6 address and then it also works fine. After disabling and enabling the WAN interface, the deprecated address is dropped and IPv6 connectivity works fine. But of course I cannot restart this interface every 24 hours.

    Does anyone have an idea how I can automatically drop the deprecated address after a new IPv6 address is being assigned?

    Please don't tell me that NAT shall not be used with IPv6. I know that. I would love to get rid of NAT, but then my ISP should assign me a static prefix that I could use internally. But they won't, I already asked them. As already mentioned, I need static addresses for my servers and don't want to use both local and global addresses on every host.

    Thanks for your help!

    Regards

    Daniel
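
The behaviour asked about above, as an added example that is not part of the original post and not pfSense code: a small FreeBSD-style shell script that lists the deprecated global IPv6 addresses an interface still carries and removes them with `ifconfig ... -alias`, so that an outbound NAT rule bound to the interface can only pick the current address. The interface name `em5`, the `2001:db8::` documentation prefix in the constructed sample output and the `DRY_RUN` variable are assumptions for this illustration. One caveat a practitioner should keep in mind: RFC 4862 keeps a deprecated address valid on purpose so that sessions already using it can finish (and an unauthenticated Router Advertisement cannot shorten a remaining valid lifetime below two hours), so removing it cuts those sessions; on a WAN whose old prefix the ISP has just withdrawn that costs nothing, but on any other interface it would.

```shell
#!/bin/sh
# Added example for this thread (not pfSense code and not from any poster):
# find the deprecated, autoconfigured global IPv6 addresses on an interface
# and remove them so a NAT rule bound to the interface uses the current one.

# Constructed sample, modelled on the post-reconnect ifconfig listing above.
# The 2001:db8:: prefix is the documentation range; em5 is an assumed name.
SAMPLE_IFCONFIG='em5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::20c:29ff:fedd:e6ae%em5 prefixlen 64 scopeid 0x6
    inet6 2001:db8:20d1:e000:20c:29ff:fedd:e6ae prefixlen 64 deprecated autoconf
    inet6 2001:db8:20d3:6700:20c:29ff:fedd:e6ae prefixlen 64 autoconf
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>'

# Read ifconfig output on stdin and print one deprecated global IPv6 address
# per line. Link-local (fe80::) addresses are skipped on purpose: they never
# change, and the AVM box's link-local address is the default gateway.
deprecated_addrs() {
    awk '$1 == "inet6" && /deprecated/ && $2 !~ /^fe80:/ { print $2 }'
}

# Remove every deprecated global address from the interface given as $1.
# With DRY_RUN=1 the ifconfig commands are only printed, which is the safe
# first run on a live firewall (e.g. from cron every few minutes).
drop_deprecated() {
    iface=$1
    ifconfig "$iface" inet6 | deprecated_addrs | while read -r addr; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: ifconfig $iface inet6 $addr -alias"
        else
            ifconfig "$iface" inet6 "$addr" -alias
            logger -t drop_deprecated "removed deprecated $addr from $iface"
        fi
    done
}

# Demonstration on the constructed sample; no real interface is touched.
printf '%s\n' "$SAMPLE_IFCONFIG" | deprecated_addrs
```

Running `DRY_RUN=1 drop_deprecated em5` on the firewall first shows which address would be removed; only when that matches the deprecated line in `ifconfig em5` should the dry-run guard be dropped.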



  • @da370338

    There is a setting "Do not allow PD/Address release" on the WAN page. Make sure it's selected.

    Why are you using NAT on IPv6??? The reason for NAT on IPv4 is to get around the address shortage.



  • This :

    @da370338 said in deprecated IPv6 address:

    My provider delegates an IPv6 prefix to me, but this prefix changes every 24 hours when the AVM router reconnects

    pretty much sucks anyway.

    If you only look for IPv6 reachability, without much of a load, consider tunnel.he.net: a free IPv6 /48 for life, supported out of the box by pfSense.


  • LAYER 8 Moderator

    Besides, I don't understand running NAT in that scenario. IPv6 has no NAT, only NPt, and that won't work with changing prefixes AFAIK. And the AVM boxes can easily do RA/PD for pfSense behind it (running that myself), so you can have global IP6 via prefix delegation and run some fdXY:: in addition to it so your internal stuff has "fixed" addresses to resolve.

    Dynamic IPv6 prefix support in NPt would be a nice thingy though ;)



  • @JKnott said in deprecated IPv6 address:

    @da370338

    There is a setting "Do not allow PD/Address release" on the WAN page. Make sure it's selected.

    Why are you using NAT on IPv6??? The reason for NAT on IPv4 is to get around the address shortage.

    Thanks for your reply! Unfortunately, activating the checkbox does not change the behavior. I still get a deprecated IPv6 address in ifconfig after a reconnect.

    As already mentioned, I want to use IPv6 without NAT but my public prefix changes every 24 hours (provider limitation) and I don't want to use both local and global addresses in parallel. In my opinion, the right solution would be to use global / public addresses only and nothing else, but that's not possible with this provider.



  • @JeGr said in deprecated IPv6 address:

    And the AVM boxes can easily do RA/PD for pfSense behind it (running that myself) so you can have global IP6 via prefix delegation and run some fdXY:: additional to it so your internal stuff has "fixed" addresses to resolve.

    That is correct, but it's a setup I want to avoid. Having multiple addresses on each system will cause more maintenance for me since I have multiple local networks, and then each system will have two gateways as well - that's something I really want to avoid if somehow possible.

    Anyway, I also tried the way you suggested but I wasn't able to get a delegation from the AVM box running, despite following multiple manuals....


  • LAYER 8 Moderator

    @da370338 said in deprecated IPv6 address:

    each system will have two gateways as well - that's something i really want to avoid if somehow possible.

    Doesn't have to, depends on your setup.

    I want to use IPv6 without NAT

    I don't know how you even configured IPv6 with NAT?


  • LAYER 8 Global Moderator

    @da370338 said in deprecated IPv6 address:

    public addresses only and nothing else, but that's not possible with this provider.

    If your provider keeps changing your IPv6 prefix on you, and you're telling pfSense not to release it, etc., then just get a tunnel from Hurricane Electric - now your IPv6 prefix (you can get a /48 from them, even for free) will be yours. I have had the same IPv6 /48 from them since like 2011, and have changed multiple ISPs since then - my current ISP doesn't even have IPv6 support. Doesn't matter to me since I have my tunnel to HE and use my /48 however I want on my network, for my VPN clients, etc. etc.



  • @JeGr well, basically the same way you would when using IPv4 - I just created a NAT rule like this and it works without any issues. fd00:6151:1337:181::/64 is my local prefix.

    NATv6.png

    However, as already mentioned I'm aware that this is not "best practice" and I tried a regular delegation for the internal network without NAT first, but I can't get it running. Here's what I did, maybe I forgot something?

    On the AVM device:

    • disabled unique local addresses (the device shall only use global addresses for delegation, but also tried with ULA enabled)
    • allowed ipv6 announcements of other gateways
    • enabled advertisement of the prefix (IA_PD)

    On pfSense:

    • set the WAN interface to DHCP6
    • Enabled "Use IPv4 connectivity as parent interface" (also tried with this option disabled)
    • Enabled "Request only an IPv6 prefix"
    • Set "DHCPv6 Prefix Delegation size" to 60 (my public prefix has a netmask of /56)
    • Enabled "Send IPv6 prefix hint"
    • Enabled "Do not allow PD/Address release"
    • Set the LAN interface IPv6 Configuration Type to "Track Interface" and the Tracking Interface to "WAN"
    • Enabled the DHCPv6 Server, set the Range from :: to ::ffff:ffff:ffff:ffff and set the Prefix Delegation Size to 64

    After this procedure, when I check Status > Interfaces I see no global or local IPv6 addresses anymore. Only the fe80:: / link local addresses are shown. My devices get no IPv6 addresses. I must be doing something totally wrong....

    Update: When I disable "Use IPv4 connectivity as parent interface", the WAN interface gets an IPv6 address. But this address still does not renew when I reconnect the AVM device. The old address is still shown as deprecated. I'm running out of ideas :(



  • @da370338 said in deprecated IPv6 address:

    and I don't want to use both local and global addresses in parallel

    There is nothing wrong with doing that. IPv6 is designed to support it. As I mentioned, I have both on my LAN.

    There are a lot of differences in the way IPv4 and IPv6 do things and people just have to get used to the new ways of doing things. For example, with both GUA and ULA addresses and privacy addresses, after my computer has been up for a week, it will have 17 addresses, including link local. You'd never imagine doing such a thing with IPv4, but it's entirely normal with IPv6.

    Does your ISP say why they can't provide consistent prefixes?


  • LAYER 8 Netgate

    @da370338 said in deprecated IPv6 address:

    my public prefix changes every 24 hours (provider limitation)

    If that is truly the case, your best bet is to use an HE.net tunnel and forget about that broken ISP implementation.



  • @Derelict said in deprecated IPv6 address:

    If that is truly the case, your best bet is to use an HE.net tunnel and forget about that broken ISP implementation.

    I have no doubts that this is a cool solution and it will sure work for me, but I would like to figure out which way I can go to get it running. But I think I will try it out, as soon as IPv6 works basically. At the moment, I can't get it working at all.

    @JKnott

    Does your ISP say why they can't provided consistent prefixes?

    No, they just don't offer this. I also thought it's not helpful to discuss this with the hotline guys. That might be a reason for me to change to another ISP, indeed. But then I have to switch to a business contract which is much more expensive. None of the ISPs in my country offer static addresses (IPv4 or IPv6) for standard contracts. I actually have no idea why they can't just give a static prefix to everyone. It's not that hard!

    May I ask you guys to take a look at my procedure for prefix delegation in my post with the screenshot? A standard delegation should (in my opinion) work even with a dynamic prefix but it seems not to work at all. Is the procedure to configure prefix delegation and the tracking interface basically correct how I did it?


  • LAYER 8 Global Moderator

    What I will say from my own personal experience is that most ISPs I have had to deal with, their IPv6 deployments are pretty shoddy at best... You would save yourself a whole lot of grief and aggravation by just going with HE..

    I agree there is no reason why clients could not be given a /48 to use that doesn't change.. It's not like there is a shortage of IPv6 space that the ISP has to work with..

    The cost of an IPv6 /24 is $4k a year from ARIN... That is 16 million /48's; pretty sure any ISP that is doing anything with IPv6 could afford that ;)



  • @johnpoz said in deprecated IPv6 address:

    What I will say from my own personal experience is that most ISPs I have had to deal with, their IPv6 deployments are pretty shoddy at best.

    Quite so. As I described a while ago, I had problems with my ISP almost a year ago and I found myself having to teach the support people and tech about IPv6. They had a general idea, but didn't know enough to solve the problem.

    @da370338

    Many ISPs do not yet properly implement IPv6. There is absolutely no valid reason for your prefix to change daily. Either they're incompetent or they're being nasty. With my ISP, I get a /56 prefix which does not change and even on IPv4 my address rarely changes, to the point it's virtually static. So yes, you should contact their support and file a complaint about the prefix changing daily. If they tell you it's intentional, then you should take your business elsewhere and let them know why.


  • LAYER 8 Moderator

    @da370338 said in deprecated IPv6 address:

    On the AVM device:

    • disabled unique local addresses (the device shall only use global addresses for delegation, but also tried with ULA enabled)
    • allowed ipv6 announcements of other gateways
    • enabled advertisement of the prefix (IA_PD)

    On pfSense:

    • set the WAN interface to DHCP6
    • Enabled "Use IPv4 connectivity as parent interface" (also tried with this option disabled)
    • Enabled "Request only an IPv6 prefix"
    • Set "DHCPv6 Prefix Delegation size" to 60 (my public prefix has a netmask of /56)
    • Enabled "Send IPv6 prefix hint"
    • Enabled "Do not allow PD/Address release"
    • Set the LAN interface IPv6 Configuration Type to "Track Interface" and the Tracking Interface to "WAN"
    • Enabled the DHCPv6 Server, set the Range from :: to ::ffff:ffff:ffff:ffff and set the Prefix Delegation Size to 64

    After this procedure, when I check Status > Interfaces I see no global or local IPv6 addresses anymore. Only the fe80:: / link local addresses are shown. My devices get no IPv6 addresses. I must be doing something totally wrong....

    Update: When I disable "Use IPv4 connectivity as parent interface", the WAN interface gets an IPv6 address. But this address still does not renew when I reconnect the AVM device. The old address is still shown as deprecated. I'm running out of ideas :(

    Don't know which provider it is in your case but with mine I use:

    AVM: (activate advanced settings view first)

    • Home Network > Network > Network Settings > IPv6-Addresses
      • ULA: recommended (first setting, use ULA as long as there's no IPv6 internet)
      • no manual ULA prefix - don't need it anyways (most of the time)
      • additional IPv6 routers:
        • allow IPv6 prefixes announced by other routers
        • This box provides the default gateway
        • medium advertising preference
      • DNSv6 servers:
        • announce DNSv6 server via RA (RFC5006)
      • DHCPv6 server
        • activate DHCPv6 for your home network
        • select last item: DNS servers, prefix (IA_PD) and address (IA_NA)

    pfSense:

    • interfaces / WAN
      • IPv6 config: DHCP6
      • DHCP prefix size: /60 (to play it safe as there are different sizes communicated by different ISPs. /56 should(!) be good, but I went with /60 to be sure not to request more than I get)
      • Send IPv6 prefix hint
      • Start in client debug mode (to see more intel if it doesn't work)

    besides this, nothing in DHCP6 client config is selected or configured. That works fine with my cable provider, gets me a global IPv6 on WAN (blah:blah:blah:aa00:/64) and via tracking interface on my lab vlan I get another /64 there (blah:blah:blah:aaf7) and on my guest vlan (blah:blah:blah:aafb). So the tracking (aaf0-aaff) works just fine within the defined /60. If your provider is some VDSL thing, the IPv6 settings for DHCP6 on WAN may vary as different providers need slightly different settings. Some may need the "request only prefix" or the request sent via IPv4 or no prefix hint at all.

    But I had problems in the past, too, so I just got myself a he.net tunnel with a /48 delegation that worked super-easy. Only thing that I see is that using the IPv6 via the tunnel, it's (much) slower (in some cases) than an IPv4 link. I suppose it's either that v6 is slow because of tunnel overhead etc. or the v6 address resolves to servers with lower bandwidth. Especially had that with streaming (YT etc.) that got incredibly slow after running v6 in my media network, so I disabled it in that VLAN and got instant speedups. (Seems YT servers via v6 are either slow as fuck or the tunnel overhead/MTU is playing dirty tricks.)
    Besides that, connections via e.g. SSH or such are working great. Big file transfers are slower than v4 though. Perhaps the same problem as above (pointing to the tunnel being slower than native v4).

    BTW: I get deprecated IP6s sometimes, too. That is nothing bad. It is specified, that these are IP6s that are "old" and soon to be removed but there may still be traffic arriving for them, so they remain on the interface for a bit. Same thing is used for IP6 clients with privacy extensions enabled. Those rotate through on the interface without problem. Getting a new prefix would always result in a deprecated older address but that shouldn't be a problem for IP6 connectivity at all. Perhaps you don't get the right GW from the AVM box? Normally that should be an fe80::aa:bb:cc:dd* (the box own suffix) and that should remain valid even after IP6 rollover.
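
To make the WAN settings in the procedure above concrete, here is an added illustration (not the configuration file pfSense writes for itself, and not from any poster) of what those GUI options mean in the syntax of the WIDE dhcp6c client that pfSense uses. The interface names em5 (WAN) and em0 (LAN) are assumed, and the comments map each line back to the GUI option it corresponds to.

```conf
# Added illustration in dhcp6c.conf syntax; not the file pfSense generates.
# em5 = WAN and em0 = LAN are assumed interface names.
interface em5 {
    send ia-pd 0;             # ask the AVM box for a delegated prefix (IA_PD)
    # send ia-na 0;           # an address too (IA_NA); left out when
                              # "Request only an IPv6 prefix" is enabled
    request domain-name-servers;
    send rapid-commit;
};

id-assoc pd 0 {
    prefix ::/60 infinity;    # "Send IPv6 prefix hint" with delegation size /60
    prefix-interface em0 {    # LAN set to "Track Interface" -> WAN
        sla-id 0;             # LAN "IPv6 Prefix ID" 0: first /64 of the /60
        sla-len 4;            # 64 - 60 = 4 subnet-id bits, i.e. 16 /64 networks
    };
};

# id-assoc na 0 { };          # only needed together with "send ia-na 0" above
```

The arithmetic behind sla-len is what produces the aaf7/aafb networks mentioned above: with a delegated 2001:db8:1:aaf0::/60 (constructed value), sla-id 0 is 2001:db8:1:aaf0::/64, sla-id 7 is 2001:db8:1:aaf7::/64 and sla-id 11 (hex b) is 2001:db8:1:aafb::/64, so one tracked LAN or VLAN per prefix ID fits into the sixteen /64s of the /60. If the ISP only delegates a /64, sla-len must be 0 and there is exactly one tracked network; that is why the prefix hint is set no larger than what the provider is known to hand out.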



  • Yep, the gateway address is the address of the AVM box (fe80: ...).

    Man, things could be so easy. Let's get rid of that old IPv4 crap and move on to the future. Can't understand why this causes so much trouble at the ISP's site.

    Thank you all for your help and thanks to @JeGr for describing the prefix delegation config. I will walk through this once more to see if I find some config that works for me. But yes, I will check out what other providers can offer. If I find one that is not too expensive and provides a static prefix, I'm gone.

    Have a nice weekend!

