LAN interface IPv6 with track interface eventually reverts to Link Local
-
All,
I don't have a lot of data because I haven't tried to monitor for this issue.
I have pfSense behind an AT&T Router/Gateway (RG) (Arris NVG599) with native IPv6. NVG599 supports delegation (will only delegate a single /64 to my pfSense router).
I have set my primary LAN interface to track my WAN.
It works FINE when it works. Track Interface picks up my delegated /64 and things are good. At some point down the road (I am not sure how long, but it's days or weeks, not hours or minutes) the LAN reverts to link-local and my clients lose IPv6. Of course since I am not going to IPv6-only sites I never notice and life goes on.
Other variables:
- I have a cascaded router setup (NVG599 settings) as AT&T is also giving me 5 static IPs.
- I do not use "passthrough" to get put the external IPV4 on my WAN interface, I am picking up the 192.168.254.x DHCP address from the NVG599.
It wouldn't surprise me if the NVG599 is doing something wrong here and pfSense is doing it correctly.
Anything else I should be checking? I'd hate to have to write a workaround script restart the WAN interface periodically.
-
The clients rely on frequent RAs to get the prefix. If the RAs stop, then the clients will lose the prefix. Is pfSense sending out RAs?
-
Well, I don't know as I'm not intimately familiar with how the services in pfSense work with respect to IPv6.
I have DHCPv6 server disabled, and on the next "tab" for RA I am using "assisted". I'm not sure when I picked up these settings as I've used ipV6 off and on for a few years now (first tunneled and now native from the RG) with different settings.
Do you have a suggested setting that might help alleviate this?
-
You can use Packet Capture to check for RAs. Filter on ICMP6 on the LAN. You can then download the captures, to examine them with Wireshark.
-
@JKnott How would capturing RAs from clients help me debug why the LAN interface drops its IPv6 and reverts to Link Local? Is it only trying to pick up IPv6 when there are downstream clients sending RAs? Doesn't make sense to me.
It feels like pfSense LAN interface is not tracking WAN interface correctly (or the upstream router isn't doing something correct to keep it alive). Or am I misunderstanding how Track Interface works?
-
No, missing or bad RAs will cause clients to lose the prefix, leaving them only with link local addresses. I just checked my network and see RAs every minute or so. Examining the RA may give you a clue to the problem.
