Packet Loss on IPV6 Gateway

tim h

I've been using PFsense for about 3 years now. Recently I had to blow away my configuration and redoing it due to my own mistakes. That said my WAN_DHCP6 gateway keeps losing packets and then going down. This seems to also introduce delays in the network. I'm very new to IPV6 (studied it years ago in college and never looked at it again). I've spent some time looking for suggestions and nothing has panned out. IPV4 works just fine. My provider is Xfinity.

WAN Configuration:
IPv6 Configuration Type: DHCP6

DHCP6 Client Configuration:
Checked - Use IPv4 connectivity as parent interface
DHCPv6 Prefix Delegation size - 60
Checked - Send IPv6 prefix hint

As a side note my home network is broken into 3 VLANs (Lan, IOT, and Guest)

General Log Snippet:
Dec 29 08:32:30 php-fpm 94842 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Dec 29 08:35:58 rc.gateway_alarm 82945 >>> Gateway alarm: WAN_DHCP6 (Addr:fe80::201:5cff:feae:6446%em0 Alarm:0 RTT:18.092ms RTTsd:21.786ms Loss:5%)
Dec 29 08:35:58 check_reload_status updating dyndns WAN_DHCP6
Dec 29 08:35:58 check_reload_status Restarting ipsec tunnels
Dec 29 08:35:58 check_reload_status Restarting OpenVPN tunnels/interfaces
Dec 29 08:35:58 check_reload_status Reloading filter
Dec 29 08:36:19 rc.gateway_alarm 27956 >>> Gateway alarm: WAN_DHCP6 (Addr:fe80::201:5cff:feae:6446%em0 Alarm:1 RTT:24.101ms RTTsd:28.786ms Loss:21%)
Dec 29 08:36:19 check_reload_status updating dyndns WAN_DHCP6
Dec 29 08:36:19 check_reload_status Restarting ipsec tunnels
Dec 29 08:36:19 check_reload_status Restarting OpenVPN tunnels/interfaces
Dec 29 08:36:19 check_reload_status Reloading filter
Dec 29 08:36:20 php-fpm 91108 /rc.openvpn: Gateway, none 'available' for inet6, use the first one configured. 'WAN_DHCP6'
Dec 29 08:39:02 rc.gateway_alarm 23191 >>> Gateway alarm: WAN_DHCP6 (Addr:fe80::201:5cff:feae:6446%em0 Alarm:0 RTT:12.987ms RTTsd:4.085ms Loss:5%)
Dec 29 08:39:02 check_reload_status updating dyndns WAN_DHCP6
Dec 29 08:39:02 check_reload_status Restarting ipsec tunnels
Dec 29 08:39:02 check_reload_status Restarting OpenVPN tunnels/interfaces
Dec 29 08:39:02 check_reload_status Reloading filter

Gateways Snippet:
Dec 29 07:11:42 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Clear latency 8759us stddev 1955us loss 5%
Dec 29 07:12:03 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Alarm latency 11391us stddev 24807us loss 21%
Dec 29 07:20:51 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Clear latency 9202us stddev 3813us loss 6%
Dec 29 07:21:16 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Alarm latency 10219us stddev 12225us loss 21%
Dec 29 07:24:55 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Clear latency 9601us stddev 2824us loss 5%
Dec 29 07:27:22 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Alarm latency 9192us stddev 2086us loss 22%
Dec 29 07:28:59 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Clear latency 9212us stddev 2207us loss 5%
Dec 29 07:29:23 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Alarm latency 12128us stddev 25134us loss 22%
Dec 29 07:33:03 dpinger WAN_DHCP6 fe80::201:5cff:feae:6446%em0: Clear latency 8925us stddev 1731us loss 5%

JKnott

@tim-h

Does IPv4 fail at the same time?

tim h

@JKnott no, I wish though as it's be probably easier to diagnose. The IPV4 gateway has been rock solid.

Derelict

I see that you have these choices of action:

1. Call the ISP and see why their gateway cannot reliably respond to ICMP6 echo requests
2. Choose something different to monitor like 2001:4860:4860::8888 (IPv6 equivalent to 8.8.8.8)
3. Disable gateway monitoring actions on that IPv6 gateway. You likely don't have Multi-WAN IPv6 because that gets pretty difficult so who cares about gateway actions

tim h

@Derelict said in Packet Loss on IPV6 Gateway:

I see that you have these choices of action:

1. Call the ISP and see why their gateway cannot reliably respond to ICMP6 echo requests
2. Choose something different to monitor like 2001:4860:4860::8888 (IPv6 equivalent to 8.8.8.8)
3. Disable gateway monitoring actions on that IPv6 gateway. You likely don't have Multi-WAN IPv6 because that gets pretty difficult so who cares about gateway actions

Haven't called Comcast yet, I do expect they will point the finger at my more advanced configuration. I did try the second suggestion with no change in behavior. Packet loss also occurs when I ping the google IPv6 DNS from my desktop. I've also gone ahead and disabled actions on that gateway as you suggested. In addition I've set "Prefer IPv4 over IPv6" until I can figure this out.

Derelict

You can packet capture the pings going out. If there is no response there's nothing you can do about it - they have to fix it.

If absolutely necessary (as in they still blame the firewall), put a managed switch (or some kind of network tap) between the WAN and the ISP and capture on a mirror port there. Then you're definitely looking at what's out on the wire, outside of the firewall. Set the monitored port to the one connected to the modem, not pfSense. If you see the echo requests and no replies there, there is certainly nothing more you can do. Press them hard for an escalation. If you can get to the right person/group you might be able to get it fixed.