IPv6 Connectivity problem in vm



  • I really don't know where to start... I have a Hyper-V VM with Windows 10 connected to a Hyper-V "private switch" to the pfSense VM. This interface is the only one which gets an IPv6 address prefix from pfSense.
    I have seen some weird firewall log entries for weeks now: Gmail tried to connect via IPv6, which was allowed, but then switched to IPv4 to deliver email to the mail server hosted on that Win10 VM.
    On this machine, when I start a vanilla Firefox and go to an IPv6 test site like https://ipv6-test.com/ I get "IPv6 is Not supported".
    When I type ipconfig -all, everything looks like it should. I got my IPv6 address from the DHCPv6 server and Windows got its own etc.
    It doesn't make any sense to me. Any ideas?

    2.5.0-DEVELOPMENT (amd64)
    built on Sun Mar 08 05:18:17 EDT 2020
    FreeBSD 12.0-RELEASE-p10

    PS: I got another VM on that same Hyper-V switch with Ubuntu, which has no problem, so it might be a Windows problem. But that VM was freshly installed and there is nothing installed other than the e-mail server and Firefox for testing.

    PPS: When I restart that machine, the IPv6 connectivity is there, I don't know for how long, can't be much.



  • @Bob-Dig

    Does the Windows computer have IPv6 working properly? Is the VM network adapter in bridge or NAT mode? IPv6 won't work through NAT mode.



  • @JKnott It is Hyper-V, not VMware. It is working after a reboot. I guess it is a Windows bug.



  • @Bob-Dig

    Who said anything about VMware? VM often means just virtual machine. I use VirtualBox.



  • For what it's worth : I'm using a pfSense in a VM, on a Hyper-V Windows 10 box.
    My ISP isn't informed about the existence of IPv6 yet, they just adapted IPv4 so it actually works.
    With the help of tunnelbroker.he.net, some clicks in the GUI in pfSense and done : high quality IPv6 everywhere.

    edit : To use IPv6 from he.net you need to have their T-Shirt ... something like that - I don't recall.



  • Still found no cause for that behavior. I set up a new VM with another Windows version; still, after some time, Firefox, as an example, has no IPv6 connectivity anymore. IPv6 is pingable through pfSense.



  • @Bob-Dig said in IPv6 Connectivity problem in vm:

    still after some time

    The client (?) that loses IPv6 : it's using 'DHCPv6' ? You set up the DHCPv6 server ? How ? "DHCPv6 log" says what ?

    For all I know :
    My ISP (it's he.net) gave me a IPv6 gateway.

    3f90a143-0b45-46fd-ac96-4215e55f380d-image.png

    On my side, I had to enter 'my' IPv6 - he.net gave it to me :
    c8c83bab-96d1-44c8-8d6d-68766e960ab8-image.png

    This ........1 is the gateway,.........2 being "me", or on the pfSense side.

    he.net uses another approach than what classic ISPs normally use : I can't set up my pfSense WAN interface with some IPv4 and IPv6 settings. My upstream ISP device is a router, and added to that, it only handles IPv4.
    he.net and pfSense found the solution : I had to create a new interface, dedicated to IPv6 only, that uses the gateway and client IPv6 mentioned above. Added to that : it's using an IPv6 over IPv4 protocol, which means that all the IPv6 traffic is encapsulated in some IPv4 data stream - the GIF protocol (dunno if it actually is a protocol) that looks somewhat like what a VPN does.

    he.net offers me an entire
    9af617a5-aa61-4abc-a940-3c7c13991907-image.png
    which is a simple 'minimal' /64 block, just ok for one LAN.
    So I set up my LAN interface like this :
    2001:470:1f13:5c1::/64

    and use a small part of it for DHCPv6 so it can hand out IPv6 out of this range to my devices :

    56228e22-ddf1-4d6a-9007-2aeef89f2d60-image.png

    I had to add some rules on my LAN interface :

    95c1ce4e-9f1c-4646-a6e4-d8c870e5f258-image.png

    The first rule is me playing with my firewall and exists just for fun. The other two seem rather logical to me, and can even be condensed into one rule.

    The "he.net WAN special IPv6" interface doesn't need any rules and can stay empty - as any good WAN interface.

    Also : he.net gives me another block as well : a whopping huge

    94f8c85b-3f59-49c0-9119-2b8ecbd50eb0-image.png

    which I can map onto my other 256 LAN interfaces .......... :))))
    edit : sorry, no : 65535 other interfaces

    A lot of what I said is valid for my "special IPv6 ISP" and the reason why I use it is twofold :
    They are still today one of the few ISPs that offer IPv6 as it was meant to be. They didn't fck up the RFC.
    They give you - for free - a /48 as it was meant to be from the beginning.
    They have a solid background. No bla bla bla. Good forum support.
    And they are ... strange. They actually give (== for free) you a rather special T-Shirt if you manage to finish this one : https://ipv6.he.net/certification/cert-main.php
    If you want to use their IPv6 facilities, or, IMHO, use any IPv6 facilities, you should finish the certification tour. You'll be needing it. It enables you to understand how to set up IPv6 on your side, and you'll know what your ISP should do for you so it works - and, very important, it enables you to 'see' and 'check' how it works, and what to do when it doesn't.
    I have the impression that he.net did all this for me.

    This might be valid tomorrow : IPv6 is, as IPv4, simple, easy, straightforward and totally logical ☺ (for me, it shall be next decade, or so ...)



  • Thanks, but please let us stay on topic: why a second Windows machine is now losing its IPv6 connectivity somewhat, and how to troubleshoot that.



  • @Bob-Dig said in IPv6 Connectivity problem in vm:

    let us stay on topic

    Exactly. So, start feeding 'us' with some (far !) more info.
    Saying : "it doesn't work" doesn't allow someone to help you.

    I do presume it isn't a VM issue, although I have no means to exclude it either.

    @Gertjan said in IPv6 Connectivity problem in vm:

    The client (?) that loses IPv6 : it's using 'DHCPv6' ? You set up the DHCPv6 server ? How ? "DHCPv6 log" says what ?



  • @Gertjan That VM is using DHCPv6.
    Right after a reboot it is looking good, as shown in the second picture. That picture is taken from another VM, which also has this problem.

    Capture.JPG

    2.JPG

    Capture3.JPG

    Screenshot_2020-03-11 pfSense localdomain - Services DHCPv6 Server RA PRIVATSWITCH DHCPv6 Server.jpg

    Screenshot_2020-03-11 pfSense localdomain - Services DHCPv6 Server RA PRIVATSWITCH Router Advertisements.png



  • This :

    2802e463-112c-4fbd-a0d8-d1a8c9a25826-image.png

    is missing the Prefix. For me, something like ":: to ffff:ffff;ffff;ffff;ffff" isn't normal at all.

    How is your LAN interface (yours is called PRIVATESWITCH) set up ?

    It should have some 'IPv6' related settings like :

    8f011f12-ff4b-4cea-98ee-291d8146fd13-image.png

    Most often it's set up as a Static IPv6 - or "tracking interface", the others are more rare (?)
    Normally, if your ISP assigned you a "fixed" "/64", you put that one on your LAN interface, and the LAN interface will have abcd.efgh......... ::1 mask /65

    Also, you should see in the DHCPv6 server status page that it delivered an IPv6 from the pool.

    Like :

    33fd7b3f-29c0-4dd9-be71-0646995c30e8-image.png

    Logs : idem : this is a snippet of one of the leases you can see in the image above :

    d85e3e13-0f7d-4ed0-9bd0-386ae7721d27-image.png

    so I know that 'my' pfSense is actually handing over an IPv6 from my pool to one of the LAN devices that was asking for an IPv6.



  • @Gertjan

    You can see in the first picture, that it got an IP from DHCPv6

    switch.JPG

    I mean, it is running for a while and then there is no connectivity, says the test site, although ping6 from pfSense works.



  • When you select Track Interface, there are IPv6 things to set up :

    These :

    7ae17bec-bdea-4fd3-a90c-ce40323137a1-image.png

    I guess - because I never used that facility before - that you should select your WAN type interface.
    And a "prefix" that was given to you by the ISP ...
    And, I guess.



  • @Gertjan Sure.

    Screenshot_2020-03-11 pfSense localdomain - Interfaces PrivatSwitch (hn2).png



  • Problem still persists, help with diagnosing would be much appreciated.

    -dualstack WAN, no IPv6 tunnel
    -Host Win10 with Hyper-V
    -Client (VM): Windows 10 (two different versions tested) have problems
    -Client (VM): ubuntu on that same interface has no problem!

    Just disabling and then enabling the adapter in Windows makes the ipv6-test-site work again (for some time).



  • Is it normal that the expirations shown under NDP Table are changing all the time? e.g. it shows almost 24 hours and some seconds later it is only 30 seconds. That happens all the time.

    xxx.JPG

    Next I will try "Change DHCPv6 display lease time from UTC to local time" in the DHCPv6 Server, maybe Windows wants that...



  • Why did you decide to use "Interface Tracking" ?
    As per ISP information ?

    According to https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv6-wan-types.html#track-interface there should be lines in the logs related to this delegation exchange. Are there any logs lines ? Logs lines are the principal source of information when debugging - and you have none ??

    You have a dual WAN (also a very error prone thing) : you're tracking the right WAN interface ?
    And what about System > Routing > Gateways : is the right gateway selected ?

    edit : NDP uses ICMP6 for discovering "who lives on a network segment" and is somewhat comparable with the ARP protocol used by IPv4. It's built into the IPv6 kernel and driver stack part, and doesn't need any user configuration. ( although : block ICMP6 on your LAN type interface and you'll "break" IPv6 )
    See https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol



  • @Gertjan I don't have dual wan and track interface is the default in pfSense. What is wrong with that?

    "Change DHCPv6 display lease time from UTC to local time" didn't help.



  • @Gertjan I appreciate your help but you have a totally different setup with that he-tunnel and probably don't have dualstack on your WAN.



  • When I do a "route print" in the windows vm, there is a difference between full connectivity and problematic connectivity. The following (first) line is missing after some time.

    IPv6 Route Table
    Active Routes:
    If Metric Network Destination Gateway
    9 271 ::/0 fe80::215:5dff:fe01:7507

    This is the PrivatSwitch Interface.



  • I found this in the logs:
    route 0::/0 lifetime (60) conflicts with AdvDefaultLifetime (0), default routes will flap!

    So I guess it is a problem with radvd. Ubuntu has no problem with that but windows does. I remember when I was adding the second LAN-Interface called Privat Switch, it was missing the defaults at least under Router Advertisements completely. I also switched the interfaces once, which one should get IPv6 and which one not. So something is broken there.

    Is there a way in pfSense to bring the defaults to that setting?



  • @Bob-Dig said in IPv6 Connectivity problem in vm:

    So I guess it is a problem with radvd. Ubuntu has no problem with that but windows does.

    I have 2 computers with Windows 10 in VirtualBox on Linux. Neither have a problem with radvd. You can run Wireshark in Windows and watch for ICMP6 to see what's happening.
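
The radvd warning quoted in this thread names two values that travel in every Router Advertisement: the Router Lifetime header field (radvd's AdvDefaultLifetime) and the lifetime of a ::/0 Route Information option. The sketch below is an added example, not code from any poster or from pfSense; it parses both out of the ICMPv6 bytes of a captured RA, and the sample packet and the conflict rule are constructed for illustration.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement (RFC 4861)
OPT_ROUTE_INFO = 24     # Route Information Option (RFC 4191)


def parse_ra(icmp6: bytes) -> dict:
    """Parse an RA given the raw bytes starting at the ICMPv6 header."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, router_lifetime = struct.unpack_from("!BBH", icmp6, 4)
    ra = {"router_lifetime": router_lifetime,
          "managed": bool(flags & 0x80),  # M flag: addresses via DHCPv6
          "routes": []}
    off = 16  # options start after the fixed 16-byte RA header
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_ROUTE_INFO:
            plen = icmp6[off + 2]
            lifetime = struct.unpack_from("!I", icmp6, off + 4)[0]
            prefix = icmp6[off + 8:off + opt_len][:16].ljust(16, b"\0")
            net = ipaddress.IPv6Network((prefix, plen), strict=False)
            ra["routes"].append((str(net), lifetime))
        off += opt_len
    return ra


def default_route_conflicts(ra: dict) -> list:
    """::/0 route options that disagree with the header on 'default router'.

    Simplified check chosen for this example: one lifetime is zero while
    the other is not. It is not radvd's own validation logic.
    """
    return [(net, lt) for net, lt in ra["routes"]
            if net == "::/0" and (lt == 0) != (ra["router_lifetime"] == 0)]


def build_sample_ra(router_lifetime: int, route_lifetime: int) -> bytes:
    """Constructed RA (checksum left at 0) carrying one ::/0 route option."""
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x80,
                         router_lifetime, 0, 0)
    route_opt = struct.pack("!BBBBI", OPT_ROUTE_INFO, 1, 0, 0, route_lifetime)
    return header + route_opt


if __name__ == "__main__":
    ra = parse_ra(build_sample_ra(router_lifetime=0, route_lifetime=60))
    print(ra, default_route_conflicts(ra))
```

A Router Lifetime of 0 tells hosts that the sender is not a default router, which is the field to compare against the missing ::/0 line in the Windows route table.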



  • @JKnott Thanks. But I guess you don't have those problems under
    Status - System Logs - System - Routing like I have; the log was flooded with:

    route 0::/0 lifetime (60) conflicts with AdvDefaultLifetime (0), default routes will flap!
    

    So after I changed the Router lifetime to 1000s in Services - DHCPv6 Server & RA - PRIVATSWITCH - Router Advertisements,
    later I get those log entries flooding:

    Mar 13 08:58:28 	radvd 	81932 	version 2.18 started
    Mar 13 08:58:29 	radvd 	82558 	attempting to reread config file
    Mar 13 08:58:29 	radvd 	82558 	resuming normal operation
    Mar 13 08:58:31 	radvd 	82558 	attempting to reread config file
    Mar 13 08:58:31 	radvd 	82558 	resuming normal operation
    Mar 13 08:58:45 	radvd 	82558 	attempting to reread config file
    Mar 13 08:58:45 	radvd 	82558 	resuming normal operation 
    

    Also I am using the 2.5.0-DEVELOPMENT branch.

    So is it possible to reset the DHCPv6 Server & RA? Because there seems to be the problem.



  • Dono if this is related : https://redmine.pfsense.org/projects/pfsense/issues?per_page=100&query_id=104, look for the 'radv' occurrences on the list.

    @JKnott : you're using 2.5.0 - and if so, what version ?



  • @Gertjan 2.5.0 get updates three times a day and I am remembering the problem with no defaults for the DHCPv6 Server & RA was only when I was adding the second LAN-Interface later on. So probably no one noticed it.

    If I can't reset it, I will have to go back to 2.4.* and do everything manually. ☹



  • There is no reset button.

    But what you can do, is saving your config, and then reset to default the entire setup.
    When done, take a look at the config xml file, look for 'radv', and compare and copy if needed that part into your config.xml.

    This is a part of the config, related to 'radv' :

    6a349553-8855-4a0a-86ba-25c957d4c2d7-image.png

    You'll find two blocks of these, as you have two LAN type interfaces.

    When you have edited it (if needed), you import your config file back in.



  • What I finally did was deleting the interface and then creating it new. This time there seems to be no problem.

    Thanks everybody.

    I have to read more log files to get a sense, when there is something not ok.

    Also I crafted some new IPv6 addresses in the DHCPv6 Server, like this one:
    ::192:168:2:37

    😋

