Verizon Fios and IPV6, Which Settings Work?
-
@jeremy-duncan Yeah, I have it set to track interface on the LAN side. The LAN router interface correctly gets a routable IPv6 address, and clients get routable IPv6 addresses as well. However the WAN interface just refuses to respond to the neighbor solicitations, so everything just fails with no route to host.
The gateway is fe80::e86:10ff:fea1:7bc2 and WAN is automatically assigned fe80::e86:10ff:fea1:7bc2%igb0. Manually trying to ping the gateway fails:
[2.6.0-RELEASE][root@pfSense]/root: ping6 -I igb0 fe80::e86:10ff:fea1:7bc2 PING6(56=40+8+8 bytes) fe80::2e0:67ff:fe2a:da56%igb0 --> fe80::e86:10ff:fea1:7bc2 ^C --- fe80::e86:10ff:fea1:7bc2 ping6 statistics --- 12 packets transmitted, 0 packets received, 100.0% packet loss
The packet capture just shows repeat attempts by pfsense to send neighbor solicitation upstream, but no response. And then 2600:4041:170::1 sends a solicitation to pfsense, which also doesn't respond.
It seems like a firewall issue, but I'm not sure what else I can do besides setting a rule to allow all IPv6 traffic, which I've already done.
I've tried pinging from the LAN interface as well with the same result.
-
@ingenium13 as stupid as this sounds.. did you reboot it?
-
@jeremy-duncan Yes, many times
-
@ingenium13 what other 3rd party or extraneous apps you have running? Do you have a Dynamic DNS agent running?
-
@jeremy-duncan Yeah I have Dynamic DNS running updating an IP on Cloudflare, pfblockerng, suricata (not in blocking mode, and only on some LAN interfaces, but not the one I'm testing IPv6 with), avahi (with ipv6 support turned off), haproxy, bandwidthd, and igmpproxy. And wireguard.
Firewall logs aren't showing any blocked IPv6 traffic.
-
@ingenium13 I've seen some jacked up stuff with dyn dns trying to update the DNS with the IPv6 address instead of the IPv4. Try disabling those and rebooting and see what happens
-
@jeremy-duncan Didn't make a difference. I even deleted my he.net config just in case that was somehow causing a problem.
-
@ingenium13 odd... I'm all outta ideas
-
@jeremy-duncan I got it working. I had previously cloned my WAN MAC address to match a previous router because I didn't want to lose my IP assignment (I happened to have it memorized and it hadn't changed in 5 years). This resulted in the link local address and IPv6 DUID matching the hardware MAC, but not the assigned MAC. So pfsense ignored everything on it. Setting the MAC to the hardware address alone didn't resolve it (it no longer even got a config from Verizon), because the DUID was still matching the old MAC. I force updated it to match the hardware MAC, and everything started working.
-
@ingenium13 dang.. cloning MACs... That makes things super hard in DHCPv6 because of the relationship between it and DUIDs and IAIDs.. glad you got it working
-
***Edit: About 30-some hours later IPv6 came back, on it's own. Guessing some local oddity or something....
Anyone having any oddities with IPv6 today? My wife mentioned today that "the internet started running like crap" around 11am-ish. I'm assuming around that time is when the IPv6 issue happened, and devices ran bad until they realized that IPv6 was dead and fell back to IPv4. I've had IPv6 for weeks now w/o issues, and no recent config changes so it's unexpected.
Nothing really jumps out at me in the log. I connected to my neighbor's Verizon-provided router, and they don't seem to have IPv6 connectivity either, when they also have previously had it like me. Looks like pfsense is keeping the prefix, and the WAN link-local address is showing as online as well, so that part of the connection is working...
Maybe locally (Newport News, VA) there's some sort of work, or IPv6 outage for some reason.
Verbose log below if anyone sees anything interesting!
Jun 30 20:24:28 dhcp6c 73904 got an expected reply, sleeping. Jun 30 20:24:28 dhcp6c 73904 removing server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00) Jun 30 20:24:28 dhcp6c 73904 removing an event on igb0, state=REQUEST Jun 30 20:24:28 dhcp6c 73904 script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated Jun 30 20:24:28 dhcp6c 84659 dhcp6c REQUEST on igb0 - running rtsold Jun 30 20:24:26 dhcp6c 73904 executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh Jun 30 20:24:26 dhcp6c 73904 add an address 2600:4040:13e5:1a35:21b:21ff:fe73:d35d/64 on igb3 Jun 30 20:24:26 dhcp6c 73904 add an address 2600:4040:13e5:1a20:21b:21ff:fe73:d35c/64 on igb2 Jun 30 20:24:26 dhcp6c 73904 add an address 2600:4040:13e5:1a10:21b:21ff:fe73:d359/64 on igb1 Jun 30 20:24:26 dhcp6c 73904 create a prefix 2600:4040:13e5:1a00::/56 pltime=7200, vltime=7200 Jun 30 20:24:26 dhcp6c 73904 make an IA: PD-0 Jun 30 20:24:26 dhcp6c 73904 dhcp6c Received REQUEST Jun 30 20:24:26 dhcp6c 73904 IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200 Jun 30 20:24:26 dhcp6c 73904 get DHCP option IA_PD prefix, len 25 Jun 30 20:24:26 dhcp6c 73904 IA_PD: ID=0, T1=3600, T2=5760 Jun 30 20:24:26 dhcp6c 73904 get DHCP option IA_PD, len 41 Jun 30 20:24:26 dhcp6c 73904 DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00 Jun 30 20:24:26 dhcp6c 73904 get DHCP option server ID, len 26 Jun 30 20:24:26 dhcp6c 73904 DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX Jun 30 20:24:26 dhcp6c 73904 get DHCP option client ID, len 14 Jun 30 20:24:26 dhcp6c 73904 receive reply from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0 Jun 30 20:24:26 dhcp6c 73904 reset a timer on igb0, state=REQUEST, timeo=0, retrans=955 Jun 30 20:24:26 dhcp6c 73904 send request to ff02::1:2%igb0 Jun 30 20:24:26 dhcp6c 73904 set IA_PD Jun 30 20:24:26 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:26 dhcp6c 73904 set option request (len 4) Jun 30 20:24:26 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:26 dhcp6c 73904 set server ID (len 26) Jun 30 20:24:26 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:26 dhcp6c 73904 a new XID (803dba) is generated Jun 30 20:24:26 dhcp6c 73904 Sending Request Jun 30 20:24:26 dhcp6c 73904 picked a server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00) Jun 30 20:24:25 dhcp6c 73904 reset timer for igb0 to 0.995807 Jun 30 20:24:25 dhcp6c 73904 server ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00, pref=-1 Jun 30 20:24:25 dhcp6c 73904 IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200 Jun 30 20:24:25 dhcp6c 73904 get DHCP option IA_PD prefix, len 25 Jun 30 20:24:25 dhcp6c 73904 IA_PD: ID=0, T1=3600, T2=5760 Jun 30 20:24:25 dhcp6c 73904 get DHCP option IA_PD, len 41 Jun 30 20:24:25 dhcp6c 73904 DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00 Jun 30 20:24:25 dhcp6c 73904 get DHCP option server ID, len 26 Jun 30 20:24:25 dhcp6c 73904 DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX Jun 30 20:24:25 dhcp6c 73904 get DHCP option client ID, len 14 Jun 30 20:24:25 dhcp6c 73904 receive advertise from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0 Jun 30 20:24:25 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=4, retrans=16326 Jun 30 20:24:25 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:25 dhcp6c 73904 set IA_PD Jun 30 20:24:25 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:25 dhcp6c 73904 set option request (len 4) Jun 30 20:24:25 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:25 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:25 dhcp6c 73904 Sending Solicit Jun 30 20:24:17 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=3, retrans=8065 Jun 30 20:24:17 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:17 dhcp6c 73904 set IA_PD Jun 30 20:24:17 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:17 dhcp6c 73904 set option request (len 4) Jun 30 20:24:17 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:17 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:17 dhcp6c 73904 Sending Solicit Jun 30 20:24:13 dhcpleases 23855 Could not deliver signal HUP to process 69147: No such process. Jun 30 20:24:13 dhcpleases 23855 Sending HUP signal to dns daemon(69147) Jun 30 20:24:13 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=2, retrans=3982 Jun 30 20:24:13 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:13 dhcp6c 73904 set IA_PD Jun 30 20:24:13 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:13 dhcp6c 73904 set option request (len 4) Jun 30 20:24:13 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:13 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:13 dhcp6c 73904 Sending Solicit Jun 30 20:24:11 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=1, retrans=2083 Jun 30 20:24:11 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:11 dhcp6c 73904 set IA_PD Jun 30 20:24:11 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:11 dhcp6c 73904 set option request (len 4) Jun 30 20:24:11 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:11 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:11 dhcp6c 73904 Sending Solicit Jun 30 20:24:10 dhcp6c 73904 reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091 Jun 30 20:24:10 dhcp6c 73904 send solicit to ff02::1:2%igb0 Jun 30 20:24:10 dhcp6c 73904 set IA_PD Jun 30 20:24:10 dhcp6c 73904 set IA_PD prefix Jun 30 20:24:10 dhcp6c 73904 set option request (len 4) Jun 30 20:24:10 dhcp6c 73904 set elapsed time (len 2) Jun 30 20:24:10 dhcp6c 73904 set client ID (len 14) Jun 30 20:24:10 dhcp6c 73904 a new XID (b8cbfb) is generated Jun 30 20:24:10 dhcp6c 73904 Sending Solicit Jun 30 20:24:09 dhcp6c 73904 reset a timer on igb0, state=INIT, timeo=0, retrans=891 Jun 30 20:24:09 dhcp6c 73792 called Jun 30 20:24:09 dhcp6c 73792 called Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[8] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-len] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[53] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-id] (6) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb3] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix-interface] (16) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[8] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-len] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[32] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-id] (6) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb2] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix-interface] (16) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[8] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-len] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[16] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[sla-id] (6) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb1] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix-interface] (16) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[infinity] (8) Jun 30 20:24:09 dhcp6c 73792 <3>[56] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[/] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[::] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[prefix] (6) Jun 30 20:24:09 dhcp6c 73792 <13>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <13>[0] (1) Jun 30 20:24:09 dhcp6c 73792 <13>[pd] (2) Jun 30 20:24:09 dhcp6c 73792 <3>[id-assoc] (8) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>end of closure [}] (1) Jun 30 20:24:09 dhcp6c 73792 <3>comment [# we'd like nameservers and RTSOLD to do all the work] (53) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>["/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"] (46) Jun 30 20:24:09 dhcp6c 73792 <3>[script] (6) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[domain-name] (11) Jun 30 20:24:09 dhcp6c 73792 <3>[request] (7) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[domain-name-servers] (19) Jun 30 20:24:09 dhcp6c 73792 <3>[request] (7) Jun 30 20:24:09 dhcp6c 73792 <3>comment [# request prefix delegation] (27) Jun 30 20:24:09 dhcp6c 73792 <3>end of sentence [;] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[0] (1) Jun 30 20:24:09 dhcp6c 73792 <3>[ia-pd] (5) Jun 30 20:24:09 dhcp6c 73792 <3>[send] (4) Jun 30 20:24:09 dhcp6c 73792 <3>begin of closure [{] (1) Jun 30 20:24:09 dhcp6c 73792 <5>[igb0] (4) Jun 30 20:24:09 dhcp6c 73792 <3>[interface] (9) Jun 30 20:24:09 dhcp6c 73792 skip opening control port Jun 30 20:24:09 dhcp6c 73792 failed initialize control message authentication Jun 30 20:24:09 dhcp6c 73792 failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory Jun 30 20:24:09 dhcp6c 73792 extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX
-
-
After a short (~45min) outage last night, IPV6 became available on my Verizon FiOS circuit as well. I can confirm that the setup instructions in post 2 above from @MikeV7896 work great. The only thing that took me a second to figure out is that the WAN interface needs to be cycled (up/down) for IPV6 to start working after it has been enabled if it wasn't enabled before. After rebooting the firewall, I saw an IPV6 prefix delegated as expected to the LAN interface which I had setup to track the WAN interface.
Once all this is working, one can further configure IPV6 on pfSense for downstream clients by going to Services > DHCPv6 Server & RA:
https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html
-
Is there a default alias or anything that can be used to reference the delegated IPv6 prefix in firewall rules? I use an invert-match rule pointing to an alias for my security networks (DMZ, IOT, etc.) so that they can get to any Internet destination but can't get to my local networks by default. This was fine with my HE tunnel because I had a statically assigned /48 that was routable across the tunnel from which I assigned /64 networks. With DHCP-PD, I can't see any easy way to explicitly block IPv6 traffic between the networks within the delegated prefix.. Any ideas?
-
There aren't any aliases (as in something in Firewall > Aliases), but you could create block rules with a destination of "LAN Network" (or whatever network you want to prevent access to) and if the prefix changes in the future, the rule would automatically update with the new prefix for your LAN network (or whatever network you've selected in the rule).
-
@mikev7896 Thanks for the note. Yeah, what you describe is how I approached blocking "internal" networks before someone tipped me off to how to effectively use the inverse-rules (allow everything except certain networks covered by an alias). I can go back to an implicit allow at the bottom of my rules and then explicit blocks rules above for my internal networks, but I was hoping there was a way to do this without reverting to this approach. I'm spoiled by the inverse rule now and going back to the other mode seems like a step backwards. Oh well. I think I'll stick with the inverse-rule, and hard code the prefix I've been assigned and cross my fingers for a while. Thanks for the input though!
-
I just saw that my Verizon Fios WAN_DHCP6 Gateway came online for the first time after a reboot of my 3100 (version 22.01).
I followed the settings in post 2 above (and rebooted). From pfSense ping, I can IPv6 ping to an external address (google) and I can ping to the pfSense LAN interface IPv6 address (I would hope so). But I can’t IPv6 ping from pfSense to clients on the LAN that have an IPv6 address. And I can’t “ping -6” from Win10 client to pfSense or externally (request timed out).
Also, when I try to run ipv6-test.com I get “IPv6 connectivity Not Supported” and “DNS4 + IP6 Unreachable”, “DNS6 + IP4 Reachable”, and “DNS6 + IP6 Unreachable.”
The routing logs have a warning on startup but nothing else:
radvd 51430 warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
I did read through this post and Netgate docs multiple times but I don’t know where else to look or other troubleshooting steps I should do.
-
Couple questions for you:
- What settings do you have enabled for your LAN Interface under Services > DHCPv6 Server & RA? Are your LAN clients getting valid IPv6 addresses (not just link local addresses)?
- Are your firewall rules allowing outbound IPv6 traffic from LAN?
Hope this helps.
-
Thank you very much @tman222. I did not have a firewall rule to allow IPv6.
-
Good Morning everybody;
I tried everything, I did all @MikeV7896 setting and I have all the IPV6 address, but I don't have network traffic, I can ping all my internal network IPV6 address and also the one assigned by FIOS but I can ping anything else outside of my network. IPV6 test show my IPV6 address but no connection to any IPV6 servers.
I tried using the default DNS servers and also tried Google's DNS server still not working.
Below are my settings, thanks for the help.
-
@betapc I am skeptical about the "LAN net" alias when it comes to tracked DHCPv6-PD. For shits and giggles add a rule on your LAN side allowing all IPv6 any any...