IPv6 Sanity Check - delegated prefixes & inbound icmp questions



  • After much study, stress, trial-and-error, and patience with Xfinity residential internet "technical support" (term used loosely), I have IPv6 working (for the most part) for a couple of subnets. Managed to get a /60 delegated prefix working, though the cable modem status still shows a completely different delegated prefix!

    Would like to get some feedback on a couple of remaining concerns please.

    First, the aforementioned delegated prefix mismatch between the Xfinity cable modem (Arris TG1682G / XB3) in bridge mode and pfSense...

    The cable modem shows a delegated prefix of 2601:403:4300:2510::/64 though I've asked for a /60 prefix and logs show I received it - actually two different prefixes (last one got used); e.g. 2601:403:4380:2260::/60. Why two, and any clue why they're different from what the modem is reporting?

    Time           	Proc	PID  	Message
    Jan 15 15:11:03	dhcp6c	85730	got an expected reply, sleeping.
    Jan 15 15:11:03	dhcp6c	85730	removing an event on em0, state=RENEW
    Jan 15 15:11:03	dhcp6c	85730	script "/var/etc/dhcp6c_wan_script.sh" terminated
    Jan 15 15:11:03	dhcp6c	       dhcp6c renew, no change - bypassing update on em0
    Jan 15 15:11:03	dhcp6c	85730	executes /var/etc/dhcp6c_wan_script.sh
    Jan 15 15:11:03	dhcp6c	85730	update a prefix 2601:403:4380:2260::/60 pltime=345590, vltime=345590
    Jan 15 15:11:03	dhcp6c	85730	update an IA: PD-0
    Jan 15 15:11:03	dhcp6c	85730	nameserver[1] 2001:558:feed::2
    Jan 15 15:11:03	dhcp6c	85730	nameserver[0] 2001:558:feed::1
    Jan 15 15:11:03	dhcp6c	85730	dhcp6c Received INFO
    Jan 15 15:11:03	dhcp6c	85730	get DHCP option DNS, len 32
    Jan 15 15:11:03	dhcp6c	85730	IA_PD prefix: 2601:403:4380:2260::/60 pltime=345590 vltime=345590
    Jan 15 15:11:03	dhcp6c	85730	get DHCP option IA_PD prefix, len 25
    Jan 15 15:11:03	dhcp6c	85730	IA_PD: ID=0, T1=172795, T2=276472
    Jan 15 15:11:03	dhcp6c	85730	get DHCP option IA_PD, len 41
    Jan 15 15:11:03	dhcp6c	85730	DUID: 00:01:00:01:22:xx:xx:xx:xx:xx:xx:xx:xx:ef
    Jan 15 15:11:03	dhcp6c	85730	get DHCP option server ID, len 14
    Jan 15 15:11:03	dhcp6c	85730	DUID: 00:01:00:01:25:xx:xx:xx:xx:xx:xx:xx:xx:ae
    Jan 15 15:11:03	dhcp6c	85730	get DHCP option client ID, len 14
    Jan 15 15:11:03	dhcp6c	85730	receive reply from fe80::201:5cff:fea3:b846%em0 on em0
    Jan 15 15:11:03	dhcp6c	85730	reset a timer on em0, state=RENEW, timeo=1, retrans=20762
    Jan 15 15:11:03	dhcp6c	85730	send renew to ff02::1:2%em0
    Jan 15 15:11:03	dhcp6c	85730	set IA_PD
    Jan 15 15:11:03	dhcp6c	85730	set IA_PD prefix
    Jan 15 15:11:03	dhcp6c	85730	set option request (len 4)
    Jan 15 15:11:03	dhcp6c	85730	set elapsed time (len 2)
    Jan 15 15:11:03	dhcp6c	85730	set server ID (len 14)
    Jan 15 15:11:03	dhcp6c	85730	set client ID (len 14)
    Jan 15 15:11:03	dhcp6c	85730	Sending Renew
    

    Also, the pfSense WAN interface shows an IPv6 address of 2001:558:6007:85:xxxx:xxxx:xxxx:xxxx - clearly not in the delegated prefix network. Why?

    My pfSense LAN interface has: 2601:403:4380:2261:xxxx:xxxx:xxxx:xxxx
    and the OPT1 interface has 2601:403:4380:2262:xxxx:xxxx:xxxx:xxxx
    These are clearly in the delegated range and have the correct assigned prefix ID as the subnet bits.

    Other questions:

    • Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

    • For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? Call me old-fashioned... I'd prefer them to be ::1

    (edit: the LAN/OPT1 IPv6 link-local addresses are fe80::1:1 and fe80::2:1 respectively. It seems the other hosts on the networks are using the link-local addresses as their default gateways. I need to do some more reading, evidently.)

    • Understanding that the IPv6 firewall rules are hidden and should not be screwed with, what would be preventing inbound ICMP to my IPv6 hosts? Sites like https://ipv6-test.com are indicating everything's fine except ping tests. Well, that and the expected lack of host name resolution, but I've only set that up in unbound, no external DDNS. Internal AAAA and PTR lookup is working fine.

    Process followed to set up IPv6 with /60 prefix (had a /64 previously):

    System > Advanced > Networking
    Allow IPv6: CHECKED

    WAN:

    • Use IPv4 connectivity as parent interface: CHECKED
    • Request only an IPv6 prefix: NOT CHECKED
    • DHCPv6 Prefix Delegation Size: 60
    • Send IPv6 prefix hint: CHECKED
    • Debug: CHECKED
    • Do not wait for an RA: NOT CHECKED
    • Do not allow PD/Address release: NOT CHECKED (temporarily)
    • Block private networks and loopback addresses: CHECKED
    • Block bogon networks: NOT CHECKED

    LAN:

    • IPv6 - Track Interface, Select WAN
    • IPv6 Prefix ID: 1 (e.g. 2601:aaaa:bbbb:ccc1::/64)

    OPT1:

    • IPv6 - Track Interface, Select WAN
    • IPv6 Prefix ID: 2 (e.g. 2601:aaaa:bbbb:ccc2::/64)

    Delete /var/db/dhcp6_duid
    power down modem
    reboot pfSense
    power up modem
    renew WAN lease

    Reconfigure WAN:

    • Do not allow PD/Address release: CHECKED

    Running 2.4.4-RELEASE-p3 (amd64) / FreeBSD 11.2-RELEASE-p10
    on a Protectli FW6C-0 Vault (Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz, 8GB RAM)
    with pfBlockerNG 2.1.4_20 and Snort 3.2.9.10, among others...

    Thanks,
    Fabrizio
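    As an added illustration (not part of the post or of pfSense's own code), the following computes the /64 that Track Interface derives from a delegated prefix plus the hex Prefix ID, and checks which of the addresses mentioned above fall inside the /60 that dhcp6c logged. The sample values are the ones quoted in the post, with masked nibbles filled in as zeros; the function names are my own.

```python
import ipaddress

# Constructed sample: the /60 that dhcp6c reported in the log above.
DELEGATED_PD = ipaddress.IPv6Network("2601:403:4380:2260::/60")


def subnet_for_prefix_id(pd, prefix_id, child_len=64):
    """Return the child /64 for a pfSense 'IPv6 Prefix ID' (hex string or int).

    A /60 delegation leaves 64 - 60 = 4 subnet bits, so valid IDs are 0..f and
    ID 1 on ...:2260::/60 yields ...:2261::/64, ID 2 yields ...:2262::/64.
    """
    if isinstance(prefix_id, str):
        prefix_id = int(prefix_id, 16)  # pfSense takes the ID in hex
    subnet_bits = child_len - pd.prefixlen
    if subnet_bits < 0:
        raise ValueError("delegated prefix is smaller than the child length")
    if not 0 <= prefix_id < (1 << subnet_bits):
        raise ValueError(
            f"prefix ID must be 0..{(1 << subnet_bits) - 1:x} for a /{pd.prefixlen} delegation"
        )
    base = int(pd.network_address)
    child = base | (prefix_id << (128 - child_len))
    return ipaddress.IPv6Network((child, child_len))


def available_prefix_ids(pd, child_len=64):
    """How many /64s a delegation of this size can be carved into (16 for a /60)."""
    return 1 << (child_len - pd.prefixlen)


def address_in_delegation(addr, pd=DELEGATED_PD):
    """True if the address belongs to the delegated prefix (i.e. is routable via the PD)."""
    return ipaddress.IPv6Address(addr) in pd


if __name__ == "__main__":
    for pid in ("1", "2"):
        print(f"Prefix ID {pid}: {subnet_for_prefix_id(DELEGATED_PD, pid)}")
    # Addresses from the post (masked parts replaced with zeros):
    for label, a in [("LAN", "2601:403:4380:2261::1"),
                     ("OPT1", "2601:403:4380:2262::1"),
                     ("WAN", "2001:558:6007:85::1"),
                     ("modem-reported", "2601:403:4300:2510::1")]:
        print(f"{label}: in delegation = {address_in_delegation(a)}")
```

    Running it shows the LAN and OPT1 addresses inside the /60 while the WAN address and the prefix the modem displays are not, which is the mismatch the post describes.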



  • Hi Fabrizio

    The main question is quite hard to answer. Those transfer net configurations differ between providers. There are a couple of different practices. Can you do a traceroute6 from a host in your LAN into the internet? That might shed some light.

    @fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

    Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

    This is common practice. Link-local addresses are configured automatically and are also used for router advertisements.

    @fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

    For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? Call me old-fashioned... I'd prefer them to be ::1

    Don't go with such addresses. A small portion of your privacy / security depends on the so-called privacy extensions, which should be active on your client devices. If you insist on having your preferred IP addresses you might assign them statically or use DHCPv6. DHCPv6 though doesn't work with every client because not every client OS offers a decent DHCPv6 client implementation.



  • @fabrizior said in IPv6 Sanity Check - delegated prefixes & inbound icmp questions:

    Why is the WAN IPv6 Gateway Address a link-local address (fe80::201:5cff:fea3:b846)?

    For the LAN IPv6 configs set to Track Interface (WAN), is there any way to customize/set a preferred host address rather than the seemingly randomly assigned address? Call me old-fashioned... I'd prefer them to be ::1

    Link-local addresses are often used for routing. All a router needs to know is how to get to the next hop. A link-local address is fine for that. If you're also assigned a WAN address, it will likely not be used for routing.

    With SLAAC, there is one consistent address, based on the MAC, or a random number. You can spoof the MAC to give you what you want. You can also use manual configuration. If you're using DHCPv6 on the LAN, you can create specific mappings to what you want.

