IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV)
-
Yup I concur thinking about it, there's no way to do the ATV end.
-
@JKnott is correct @NogBadTheBad ... the Apple TVs don’t have the ability to force a specific speed/duplex.
I forced it to 1Gbps at one end (switch) and the ATVs both disconnected and wouldn’t reconnect.
Will continue some testing today with going pure wireless, as well as an unmanaged switch in between and report back.
Best Regards,
dg6464
-
Think I've found the culprit, Energy Efficient Ethernet:
https://community.meraki.com/t5/Switching/Port-Speed-Changing/td-p/1913
-
@NogBadTheBad yes, this is correct. It’s also noted in the Meraki case that I sent near the start of the thread:
https://community.meraki.com/t5/Switching/AppleTV-4K-Ethernet-Madness/td-p/41254
He did quite a bit of troubleshooting already and has the case in with Meraki, who is also talking to Apple apparently.
The latest update was January 2020... so hopefully we will see a fix at some point in the next few Apple TV tvOS releases and potentially Meraki switch OSes as well (although the issue seems to be persistent in Meraki, Cisco and Ubiquiti switches... so I doubt all vendors have done it wrong, it likely lies specifically with Apple).
Since the issue seems to persist in some Apple TV 4Ks and not others... I’d assume it has to do with the included wired chipset and associated driver.
Best Regards,
dg6464
-
So quick question @JKnott ... I ran into a major IPv6 issue last night to the point where it totally dickered my entire LAN and all IPv6 services and some IPv4 services as well because docker images stopped functioning that serve both... I’ll keep it in this thread as I was still trying to troubleshoot things for this NDP Table/Apple TV issue.
Situation: Rogers gave me a new IPv6 prefix when I rebooted.
What happened: even though I have the option in interfaces configured to “not change my prefix” (I can't remember the setting) all WAN/LAN interface IPs and the entire LAN subnet prefix totally changed.
This caused some docker containers (ie: pihole and DNScrypt) to stop working, because the static assignment for the main unRAID interface was now wrong.
I believe this is because the definitions I used on the interfaces were static and tied to the global IPv6 prefix lease.
Should I be setting these to automatic opposed to static?
And subsequently for LAN services like DNS... set the actual DNS server IPs (in my DHCP / DHCPv6/RA pools) as the link-local fe80: IPs? Reason being... literally everything I configured for DNS needed to change when the IPv6 prefix changed. It legit broke everything. My pihole and DNScrypt dockers, in fact, wouldn’t boot anymore because the IPv6 global address assigned to the main unRAID interface was no longer valid; so of course the same goes for the IPv6 IPs set on docker containers and in DHCPv6/RA leases.
Thoughts?
I’ve totally disabled IPv6 at this point out of frustration... as it happened at like 11pm last night :(.
Thanks!
Best Regards,
dg6464
-
I have no experience with Docker, so I can't answer any questions about it. However, my prefix stopped changing when I made that setting. Did you do anything else that might have caused it to change?
-
@JKnott only a reboot, unfortunately. That’s all I did, was reboot pfSense.
With IPv6 disabled, the option isn’t there.
Can you remind me by chance of what the option is and if you’ve got it checked or not checked?
Do you have any other services on your LAN (DNS, NTP, or anything) that serve using IPv6 addresses? If so do you use link local or their global address to advertise via DHCPv6/RA?
Thanks!
Best Regards,
dg6464
-
The option is "Do not allow PD/Address release" and prevents the prefix from changing. Rebooting without that setting will cause a prefix change. It has no effect on IPv4.
Yes, my entire network runs IPv6, so pfSense provides NTP & DNS. Link local addresses are used for a lot of things, including router & neighbour advertisements. Unlike IPv4, IPv6 can't function without link local addresses. They're even often used for routing.
BTW, you normally don't have to reboot pfSense, other than when updating the system.
-
@JKnott thanks.
So you’ve got that box checked?
Also... for DNS/NTP... in your RA settings, do you use your LAN’s link-local IP as the DNS server? Or the global?
Or you just don’t put an entry in for DNS Server and pfSense automatically uses a chosen address (I assume it’s LAN link-local)?
Thanks again!
Best Regards,
dg6464
-
Yes, I have it checked. That's why I said to use it, as I have been through the changing prefixes. When I started using pfSense, that option wasn't available and my prefix changed several times.
As for the DNS, I let the RAs use the default DNS address which, in my case, is a Unique Local Address. Since DNS addresses must be routable, link local cannot be used for the DNS server.
-
Thanks @JKnott
So I did a quick test. Re-enabled IPv6... tried some stuff with ULA's.
Just can't get it to work right.
Also, I have the following checked:
"Do not allow PD/Address release: dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent."
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
First LAN Prefix 0: 260xx:fexx:7b2x:fe00:xxxx:xxxx:xxxx:xxxx
Second LAN Prefix 0: 26xx:fexx:7b2x:5c00:xxxx:xxxx:xxxx:xxxx
Two digits changed.
So I can't do Global Addresses (which I had working with unRAID, Docker, Pihole and DNSCrypt... until they changed the prefix and it nuked everything). It's possible, I guess, to forgo using Rogers Native IPv6 and get a tunnel and lease from Hurricane or something that will stick...
And I can't seem to get ULAs to work appropriately either... it's an easy pfSense configuration, but there aren't proper parameters to pass in the docker side of things to ensure both addresses hit the docker container properly.
I also wasn't able to get the pfSense ULA virtual IP on the LAN to ping or be pinged (I set fd00::1/64, as well as I tried /128). I was able to get ULA addresses on all of my regular non-docker devices and was able to ping between them... but was not able to ping the virtual ULA, or any of the docker machines if I was able to get them to grab an address.
So not sure what to do on that.
The NDP entries for the Apple TV only persist on wired, when I have IPv6 enabled, but I am not too worried about that now to be honest... since the only thing it affected was pihole seeing 400+ "clients" on the LAN, which is moot now that I can't use pihole for IPv6.
Might just be worth leaving pihole on IPv4 DNS stuff and using DNSBL for IPv6 DNS and loading the same lists.
Any guidance would be appreciated - if you feel a different post is warranted, I can do that too, or just give up until there's better IPv6 support out there in general.
Thanks!
Best Regards,
dg6464
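The "400+ clients" symptom above is really one MAC holding hundreds of NDP entries, so the useful check is to group the neighbour table by link-layer address rather than by IPv6 address. The following is an added example, not code from this thread or from pfSense: it parses text in the layout of FreeBSD's `ndp -an` output (the constructed sample, the `igb1` interface name and the `aa:bb:cc:dd:ee:*` MACs are all assumptions, not real data) and flags any MAC that exceeds a threshold.

```python
import ipaddress
from collections import Counter

# Constructed placeholder MAC for the sample table; it does not belong to a real device.
APPLE_TV_MAC = "aa:bb:cc:dd:ee:03"


def build_sample_ndp(noisy_count=120):
    """Constructed text in the layout of `ndp -an` on pfSense/FreeBSD; not a real capture."""
    lines = [
        "Neighbor                             Linklayer Address  Netif Expire    S Flags",
        "fe80::1%igb1                         aa:bb:cc:dd:ee:00  igb1 permanent R",
        "2001:db8:1:fe00::10                  aa:bb:cc:dd:ee:01  igb1 23h59m10s S R",
        "fe80::a1b2:c3d4:e5f6:102%igb1        aa:bb:cc:dd:ee:02  igb1 23h50m0s  S",
        "2001:db8:1:fe00:5e:4b:3a:2d          aa:bb:cc:dd:ee:02  igb1 23h50m0s  S",
        "2001:db8:1:fe00::99                  (incomplete)       igb1 expired   I",
    ]
    # The wired Apple TV symptom: one MAC, a fresh global address per entry.
    for i in range(noisy_count):
        addr = f"2001:db8:1:fe00:0:{i:x}:beef:{i:x}"
        lines.append(f"{addr:<36} {APPLE_TV_MAC}  igb1 20h0m0s   S")
    return "\n".join(lines) + "\n"


def parse_ndp(text):
    """Return (address, mac, interface) tuples; skips the header and unresolved entries."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Neighbor":
            continue
        neighbor, lladdr, netif = fields[0], fields[1], fields[2]
        try:
            # Link-local entries carry a %scope suffix that IPv6Address does not accept.
            address = ipaddress.IPv6Address(neighbor.split("%", 1)[0])
        except ValueError:
            continue
        if lladdr == "(incomplete)":
            continue  # neighbour solicitation never answered; no MAC to attribute
        records.append((address, lladdr.lower(), netif))
    return records


def entries_per_mac(records):
    """Number of NDP entries each MAC currently holds."""
    return Counter(mac for _, mac, _ in records)


def noisy_macs(records, threshold=50):
    """MACs at or above the threshold: candidates for the runaway-address behaviour in this thread."""
    return {mac: n for mac, n in entries_per_mac(records).items() if n >= threshold}


def distinct_hosts(records):
    """Clients counted by MAC rather than by address, which is what a per-client report should use."""
    return len(entries_per_mac(records))


if __name__ == "__main__":
    recs = parse_ndp(build_sample_ndp())
    print(f"{len(recs)} NDP entries from {distinct_hosts(recs)} distinct MACs")
    for mac, n in noisy_macs(recs).items():
        print(f"  {mac}: {n} entries")
```

On a real firewall, feed `parse_ndp` the output of `ndp -an` from the shell instead of `build_sample_ndp()`; the threshold is a judgement call, but a normal host holds a handful of entries (link-local, one or two global, maybe a temporary address), so anything in the dozens is worth a look.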
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
However, Rogers continues to change my /56 when I reboot (I did an intentional test).
It doesn't for me.
Also, ULA works fine for me. I'm not sure what your issue is, but I'm beginning to wonder if you're poking around somewhere that's causing the problems. Sometimes the solution is to start from scratch and then start adding stuff and see when it fails.
Rogers is one company I have direct experience with (including working on their network). Other than a problem they had last year, my IPv6 service has been solid for over 4 years.
ULA can be tricky in that when you create it on the Router Advertisements page, you also have to manually set the global address prefix, as that's no longer done automagically. This means, should your prefix from Rogers change, then you have to change the prefix on that page.
BTW, you shouldn't have to keep rebooting pfSense. That's a bad habit from the Windows world. Normally, the only time mine reboots is when it updates to a new version.
-
@JKnott I got it all working the last couple of weeks... the major thing was I didn't have the firewall LAN to ANY rule set up for the virtual IP Alias / assigned subnet that was set up for the ULAs.
The troubleshooting issue I ran in to was I could ping the VIP before setting up the ULA pool on the RA (ie: I could ping the VIP because my Mac was using a global address, which is allowed to ping anything due to the default IPv6 LAN to Any rule).
I would implement the ULA pool in RA / DHCP, renew my IP and wouldn't be able to ping... which I later found out was because my Mac would get the ULA address upon renewal... then be denied pinging the ULA gateway because it was using the ULA address, which had no firewall rule to allow any traffic from the ULA LAN to anything.
I also have direct experience with the Rogers network, since the days when they did throttling and such (which was a mess)... and hadn't experienced a weird issue with IPv6 until this (but never really had a specific reason for my IPv6 addresses not to change... they always have).
I haven't done any reboots since, but will check periodically now if the subnet changes when I perform my next update (I've taken note of both WAN and LAN subnets).
I was able to get the ULA addresses assigned (fdxx:xxxx:xxxx::/48) and pinging on the LAN for local stuff (dynamically via RA and DHCP for normal hosts) and statically for certain things like pihole and server machines and those pihole devices serving DNS using the local IPv4 addresses, as well as the ULA addresses, but they automatically use their global IPv6 addresses to communicate outbound for DNS queries to OpenDNS IPv6 servers and such.
I used the RFC Generator for ULA Addresses (using the MAC of my LAN interface to generate 40 bits randomly and assigned the first /64 of the /48 to my local LAN for ULA):
https://cd34.com/rfc4193/
The pfSense side of things, I rarely reboot - in the case of the reboot above... I believe it was an update.
All is good in the hood now.
But that pesky Apple TV 4K still takes a ton of addresses that show up in the NDP table when it's wired. Must just be a chipset and driver thing.
Thanks again for the support - I think we can close this one off.
If anyone has any questions on the ULA config with IPv6, RA and DHCPv6, I'd be happy to help.
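The generator linked above implements the RFC 4193 section 3.2.2 procedure: take a 64-bit NTP timestamp and the interface's EUI-64, SHA-1 the concatenation, and use the low 40 bits as the Global ID behind fd00::/8. The block below is an added example written for this thread, not the cd34.com generator's code nor anything from pfSense; the MAC and timestamp in the usage are constructed inputs. It also carves the /64 subnets out of the resulting /48 and checks that a prefix is actually a locally assigned ULA (which a hand-picked fd00::/64 is not, since its Global ID was never randomised).

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")


def mac_to_eui64(mac):
    """48-bit MAC -> modified EUI-64: insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def ntp_timestamp(unix_time):
    """64-bit NTP timestamp: 32-bit seconds since 1900, then a 32-bit binary fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, fraction & 0xFFFFFFFF)


def generate_ula_prefix(mac, unix_time=None):
    """RFC 4193 3.2.2: SHA-1(ntp_time || EUI-64), least significant 40 bits = Global ID, under fd00::/8."""
    if unix_time is None:
        unix_time = time.time()
    digest = hashlib.sha1(ntp_timestamp(unix_time) + mac_to_eui64(mac)).digest()
    global_id = digest[-5:]                    # low 40 bits of the 160-bit digest
    prefix = b"\xfd" + global_id + bytes(10)   # L bit set -> fd00::/8; subnet and interface bits zero
    return ipaddress.IPv6Network((prefix, 48))


def subnet_of(ula_prefix, subnet_id):
    """The /64 with the given 16-bit Subnet ID inside a /48 ULA prefix (e.g. 0 for the first LAN)."""
    if isinstance(ula_prefix, str):
        ula_prefix = ipaddress.IPv6Network(ula_prefix)
    if ula_prefix.prefixlen != 48:
        raise ValueError("ULA prefixes are /48")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("Subnet ID is a 16-bit field")
    return ipaddress.IPv6Network((int(ula_prefix.network_address) | (subnet_id << 64), 64))


def is_locally_assigned_ula(net):
    """True only for an fd00::/8 /48: the sole form RFC 4193 defines today (fc00::/8 is still reserved)."""
    if isinstance(net, str):
        net = ipaddress.IPv6Network(net)
    return (net.subnet_of(ULA_SPACE)
            and net.network_address.packed[0] == 0xFD
            and net.prefixlen == 48)


if __name__ == "__main__":
    # Constructed inputs: a locally administered MAC and a fixed timestamp so the run is repeatable.
    site = generate_ula_prefix("02:11:22:33:44:55", 1_600_000_000)
    print("ULA /48:", site)
    print("first LAN /64:", subnet_of(site, 0))
    print("locally assigned ULA:", is_locally_assigned_ula(site))
```

Because the hash input includes the current time, running it twice with the wall clock yields two different prefixes; pick one, record it, and do not regenerate on every reboot, or you recreate the very renumbering problem this thread is about.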
-
@JKnott of course... overnight I lost public IPv6 connectivity.
WAN had an IPv6 address in the morning, but LAN did not have one (except for the ULA's I'd set).
Any chance you are having issue with IPv6 right today?
Best Regards,
dg6464
-
@dg6464 said in IPv6 NDP Table - Hundreds of Entries for Single Mac Address (Apple TV):
Any chance you are having issue with IPv6 right today?
No. I just got 10/10 at test-ipv6.com.
You'll have to do some investigating. Capture the dhcpv6 packets on the WAN interface. They might tell you something.
-
@JKnott I'm back on as 10/10 for test-ipv6 as well, but it took some troubleshooting again.
It looks like there was a DHCP release / renew again some time during the night and the IPv6 subnet changed (even though I had the "Do not allow PD/Address release" box checked in Interfaces --> WAN). Either that... or for some reason my ULA VIP is taking over as the "main" LAN interface address (the single address that shows on dashboard for the interface... which is usually the global IPv6 address for LAN/WAN and NOT the ULA VIP).
On the main dashboard page (as well as status --> interfaces) it has the ULA address as the address on the LAN interface as the only IPv6 address and was no longer getting a proper global IP address (WAN was fine with a global address in its own prefix).
If I disable DHCPv6/RA and remove the ULA VIP (under Firewall --> Virtual IPs) on LAN... the LAN interface THEN gets a global IP address/range again, I can re-add the ULA VIP, re-instantiate DHCPv6/RA... and add the new Public IPv6 range from LAN in as an RA subnet to broadcast (I'm not even sure if this is necessary, as I think the RA server by default broadcasts the prefix that the LAN gets... in addition to the ULA range... but I manually add the range in as that's what you've said in the past).
I've seen this kind of issue on another thread before as well (in fact, I believe it was potentially yours on reddit or something, but may be mistaken). The major issue being the LAN interface seems to give some sort of priority or first-come-first-served to one or the other IPv6 addresses on the interface at various times, and sometimes reboot.
No idea what's going on with the subnet changes from Rogers. I didn't do anything to the system last night and woke up to the main LAN interface IP address being set to my fda1: VIP interface with no global IP... and it wouldn't get a new global IP until I disabled the VIP (which removed the address from the LAN interface).
It would be ideal if we made it a priority in the next pfSense release moving forward to do this properly (ie: without a VIP required).
Somehow if we were able to assign multiple IPs to the LAN interface more easily (and be able to classify them somehow, maybe as global/ULA/etc)... opposed to using a separate VIP.
It just seems like there is some overall flakiness here for some reason... but it may be how the underlying kernel/OS deals with IPv6 and that needs to be addressed first? Who knows.
I know yours seems to be stable @JKnott ... but mine just seems to be stable for short periods. Everything works great, then it just doesn't.
I'm happy to provide my configurations, or do troubleshooting or provide logs... but am not sure if it's even valuable, or if the team is already aware of this, or if maybe, somehow it is a configuration error.
If you think I should open up a separate thread for this and provide whatever info people ask for, I can do so.
Let me know your thoughts.
Best Regards,
dg6464
-
I doubt Rogers is doing a release/renew. I've been on them for over 20 years and have never seen that happen. My IPv4 address is so stable it's virtually static. In fact, I've only once seen it change, when I didn't change some hardware. That was when they made significant changes to the network, requiring new addresses for everyone. This is why I said you should capture DHCPv6 from them, to see if it provides any clues. Just start up Packet Capture and let it run for hours/days. You can use Wireshark to examine the captures.
I can't provide answers, when I don't have any info to work with. My own experience, in all those years, is Rogers doesn't do anything like what you say. I've had IPv4 with them for over 20 years and IPv6 for over 4.
-
@JKnott I agree, however I have had Rogers change over the years (mostly based on DOCSIS version migrations and re-IPs)... this seems to be pfSense related.
I did a DHCPv6 capture, captured WAN and DHCPv6 specific ports in promiscuous mode, unplugged the WAN interface, re-plugged the interface... and voila.. the packet capture shows the /56 prefix in there, as well as the WAN interface address.
However... guess what happened? The VIP took over the LAN interface again and shows as the main interface address on the dashboard and interfaces screen.
The second I go in and remove the VIP... the global IP from the prefix pops up as the main LAN interface and stuff starts functioning again. I can then re-add the ULA VIP and all is hunky-dory.
Thoughts? Weird? Configuration issue?
If you want the captures, I can provide them... it's only 4 packets, but has all of the addressing info in it. It all looks fine. Seems to be a problem either with my pfSense configuration, or pfSense's interpretation of IPv6.
Let me know what you think is needed... if it's the whole pfSense configuration, or snippets - I will provide.
Not sure if there are any particular log files I should look at... I checked through a lot of them and didn't find much (but I don't have DHCPv6 Debug Mode enabled on the WAN Interface).
Best Regards,
dg6464
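Once you have those four WAN packets, the question is what the DHCPv6 REPLY actually delegated and whether it changed between captures. This added example is mine, not code from this thread, pfSense or dhcp6c: it parses the UDP payload of a DHCPv6 message per RFC 8415 (4-byte header, then 2-byte code / 2-byte length options, with IA_PD carrying IAPREFIX and IA_NA carrying IAADDR) and reports when consecutive REPLYs carry a different delegated prefix. The sample messages are constructed from the 2001:db8::/32 documentation prefix and only mimic the fe00 -> 5c00 change described earlier in the thread; they are not real Rogers traffic.

```python
import ipaddress
import struct

MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW", 7: "REPLY", 8: "RELEASE"}
OPTION_IA_NA, OPTION_IAADDR, OPTION_IA_PD, OPTION_IAPREFIX = 3, 5, 25, 26


def iter_options(data):
    """Yield (code, value) for each DHCPv6 option (2-byte code, 2-byte length), rejecting truncation."""
    pos = 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from(">HH", data, pos)
        start = pos + 4
        if start + length > len(data):
            raise ValueError(f"option {code} claims {length} bytes but only {len(data) - start} remain")
        yield code, data[start:start + length]
        pos = start + length
    if pos != len(data):
        raise ValueError("trailing bytes too short to be an option header")


def parse_dhcpv6(payload):
    """Parse one DHCPv6 message (UDP payload) into type, transaction id, delegated prefixes, addresses."""
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte DHCPv6 header")
    result = {
        "msg_type": MSG_TYPES.get(payload[0], f"TYPE{payload[0]}"),
        "txid": int.from_bytes(payload[1:4], "big"),
        "prefixes": [],   # (IPv6Network, preferred_lifetime, valid_lifetime) from IA_PD / IAPREFIX
        "addresses": [],  # (IPv6Address, preferred_lifetime, valid_lifetime) from IA_NA / IAADDR
    }
    for code, value in iter_options(payload[4:]):
        if code in (OPTION_IA_PD, OPTION_IA_NA):
            if len(value) < 12:
                raise ValueError("IA option shorter than IAID/T1/T2")
            for sub, subval in iter_options(value[12:]):  # skip IAID, T1, T2
                if code == OPTION_IA_PD and sub == OPTION_IAPREFIX:
                    if len(subval) < 25:
                        raise ValueError("IAPREFIX shorter than its fixed fields")
                    preferred, valid, plen = struct.unpack_from(">IIB", subval, 0)
                    prefix = ipaddress.IPv6Network((subval[9:25], plen), strict=False)
                    result["prefixes"].append((prefix, preferred, valid))
                elif code == OPTION_IA_NA and sub == OPTION_IAADDR:
                    if len(subval) < 24:
                        raise ValueError("IAADDR shorter than its fixed fields")
                    preferred, valid = struct.unpack_from(">II", subval, 16)
                    result["addresses"].append((ipaddress.IPv6Address(subval[:16]), preferred, valid))
    return result


def prefix_changes(parsed_messages):
    """Pairs (old, new) whenever a REPLY delegates a different prefix than the previous REPLY did."""
    changes, last = [], None
    for msg in parsed_messages:
        if msg["msg_type"] != "REPLY" or not msg["prefixes"]:
            continue
        current = msg["prefixes"][0][0]
        if last is not None and current != last:
            changes.append((str(last), str(current)))
        last = current
    return changes


def _option(code, value):
    return struct.pack(">HH", code, len(value)) + value


def build_reply(txid, prefix, plen, preferred=3600, valid=7200):
    """Constructed DHCPv6 REPLY carrying one IA_PD/IAPREFIX; a stand-in for a real WAN capture."""
    iaprefix = _option(OPTION_IAPREFIX, struct.pack(">IIB", preferred, valid, plen)
                       + ipaddress.IPv6Address(prefix).packed)
    ia_pd = _option(OPTION_IA_PD, struct.pack(">III", 1, 1800, 2880) + iaprefix)  # IAID, T1, T2
    return bytes([7]) + txid.to_bytes(3, "big") + ia_pd


if __name__ == "__main__":
    # Constructed sequence modelled on the thread's fe00 -> 5c00 change; documentation prefix, not real data.
    capture = [build_reply(1, "2001:db8:7b2a:fe00::", 56),
               build_reply(2, "2001:db8:7b2a:fe00::", 56),
               build_reply(3, "2001:db8:7b2a:5c00::", 56)]
    print(prefix_changes(parse_dhcpv6(p) for p in capture))
```

To use it on a real capture, export the UDP payloads of the port 546/547 packets (Wireshark can do this per packet) and feed each one to `parse_dhcpv6`; if the REPLYs all carry the same prefix while the LAN interface still loses its global address, the problem is on the LAN/VIP side rather than in what the ISP delegated.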
-
How are you creating the VIP? The way I use for unique local addresses is to create the prefix on the Router Advertisement settings. If you do this, you'll also have to create one for the assigned prefix.
-
@JKnott I create the VIP in Firewall --> Virtual IPs, then create an IP Alias and assign to LAN interface.
I thought that was the way to create a VIP (that’s what I’ve seen in previous posts).
Are you saying that if I put the fd00:: prefix under the RA advertisements (as I have right now for both the ULA network, as well as the assigned prefix from the WAN)... it automatically creates a VIP on the router's LAN interface for that ULA prefix?
Thanks!
Best Regards,
dg6464