    Verizon Fios and IPV6, Which Settings Work?

    • MikeV7896
      MikeV7896 @JKnott last edited by MikeV7896

      @jknott they’re beginning to roll it out on a larger scale. Over the past couple of weeks, reports of IPv6 now being available have come in from five areas near Baltimore MD and three in VA. A business account in NY (don’t remember where in the state) received an email that it should be rolling out up there in June.

      The S in IOT stands for Security

      • S
        SirSilentBob last edited by SirSilentBob

        @MikeV7896 Thanks for your gracious help and sharing of config info.

        Unfortunately I guess at this time I think all I can do is go back to my "wrong" configuration that is only allowing IPv6 on a single LAN. I've pretty much duplicated your setup exactly, but it isn't working, WAN_DHCP6 just stays in a Pending state. I checked the box to start DHCP6 client in debug mode, the only "hint" I have is this below log entry, and a search on that missing dhcp6cctlkey file has been fruitless, and even found posts saying that error is unimportant. It must have some sort of importance though, because my config that gives a single LAN IPv6 (when the prefix interface is set to that LAN and not WAN) does not generate that error. I'm just not sure why I can't get it to work on all LAN interfaces.

        May 14 13:30:57	dhcp6c	29013	skip opening control port
        May 14 13:30:57	dhcp6c	29013	failed initialize control message authentication
        May 14 13:30:57	dhcp6c	29013	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
        

        If anyone has any thoughts or things to try, I am open to suggestions...

        Edit: Something else I am seeing, the Service Status for RADVD disappears from the dashboard too but according to the command line it is still running? I have a backup I can roll back to though that should get me back to a single LAN with IPv6. Just changing the settings back doesn't restore connectivity, so something is sticking somewhere... I might save another config file to compare differences between files and then restore to the working single-lan config.

        • S
          SirSilentBob last edited by

          Well after a few resets, and messing around with configurations, IPv6 just "started working" on a second LAN... I can't claim to understand what change allowed it, but it works now, so hopefully it will continue to do so.

          Hopefully over time my knowledge of IPv6 and the process of setting up routers will improve and this will be easier for those who come to use it after us!

          Thanks @MikeV7896 !

          • MikeV7896
            MikeV7896 last edited by

            Something of note that has been discovered...

            It appears that the Alcatel-Lucent ONTs that Verizon provides have firmware that is mangling IPv6 packets by adding additional data after the packet checksum, and Intel wired NICs with hardware checksum offloading are being negatively affected by this (only Intel NICs have been identified as being affected by this issue so far). While the issue has been discovered with other routers (especially Verizon's own G1100 router) and Intel NICs on Windows PCs, it sounds like this could affect pfSense routers where an Intel NIC is used for your WAN connection AND you have hardware checksum offloading enabled.

            I personally have always had it disabled... when I started using pfSense, I had seen some articles or posts about problems with it being enabled for some NICs, so I just never chanced it and kept it turned off (I don't remember exactly, but it might've been that I started using pfSense on a PC with Realtek NICs, and just left it disabled after moving my hardware over to Intel NICs). I have not tried enabling the setting to see if things break.

            So if you have an Intel NIC for your WAN AND you're experiencing problems with IPv6 connectivity, you might want to try disabling the Hardware Checksum Offload setting in System > Advanced > Networking. My understanding is that it's only the checksum offloading that needs to be disabled... the other hardware offload settings should be fine.

            As I've mentioned before also... IPv6 is still very much being rolled out throughout the Fios service areas (still currently only in DC/MD/VA). So you might want to leave your hardware checksum offloading enabled until you know IPv6 is available in your area, then see if it affects your ability to connect via IPv6 or not.

            The S in IOT stands for Security

            • M
              mattlach @MikeV7896 last edited by

              @mikev7896 said in Verizon Fios and IPV6, Which Settings Work?:

              Something of note that has been discovered...

              It appears that the Alcatel-Lucent ONTs that Verizon provides have firmware that is mangling IPv6 packets by adding additional data after the packet checksum, and Intel wired NICs with hardware checksum offloading are being negatively affected by this (only Intel NICs have been identified as being affected by this issue so far). While the issue has been discovered with other routers (especially Verizon's own G1100 router) and Intel NICs on Windows PCs, it sounds like this could affect pfSense routers where an Intel NIC is used for your WAN connection AND you have hardware checksum offloading enabled.

              I personally have always had it disabled... when I started using pfSense, I had seen some articles or posts about problems with it being enabled for some NICs, so I just never chanced it and kept it turned off (I don't remember exactly, but it might've been that I started using pfSense on a PC with Realtek NICs, and just left it disabled after moving my hardware over to Intel NICs). I have not tried enabling the setting to see if things break.

              So if you have an Intel NIC for your WAN AND you're experiencing problems with IPv6 connectivity, you might want to try disabling the Hardware Checksum Offload setting in System > Advanced > Networking. My understanding is that it's only the checksum offloading that needs to be disabled... the other hardware offload settings should be fine.

              As I've mentioned before also... IPv6 is still very much being rolled out throughout the Fios service areas (still currently only in DC/MD/VA). So you might want to leave your hardware checksum offloading enabled until you know IPv6 is available in your area, then see if it affects your ability to connect via IPv6 or not.

              Sounds like Verizon is up to its evil non-removable fingerprinting of users again in order to data mine them.

              At some point collection use of user data HAS TO be made illegal. It's an outright assault on people's right to privacy.

              • MikeV7896
                MikeV7896 @mattlach last edited by MikeV7896

                @mattlach It's not only a Verizon issue... The first item I read about the issue was in the Intel community and was from a user of a fiber service in Canada... no Verizon there. They have an Alcatel-Lucent ONT though.

                The S in IOT stands for Security

                • S
                  SirSilentBob @MikeV7896 last edited by

                  @mikev7896 said in Verizon Fios and IPV6, Which Settings Work?:

                  @mattlach It's not only a Verizon issue... The first item I read about the issue was in the Intel community and was from a user of a fiber service in Canada... no Verizon there. They have an Alcatel-Lucent ONT though.

                  Mike, I'm curious, how are your other offloading settings configured?

                  I checked mine, and apparently I have hardware checksum offloading enabled. I checked what ONT I have, and I believe it was installed in mid-late 2011. Going by the ONT S/N, which the first 4 characters are T0211, I'm assuming that means it was made in February of 2011. The ONT I have is a Motorola DBBU-1238 Firmware rev. C (This might just be the model number of the in-door unit with battery and power supply though.) Assuming the outside guts are also Motorola, then I guess this old Motorola unit doesn't have the IPv6 bug. (Frankly I'm amazed that Motorola seems to have passed on an opportunity for a bug/deficiency!)

                  So I guess this can be a confirmation that this particular Motorola ONT doesn't have the same issue.

                  Here's my settings, just curious how they compare to what you are running:

                  2fa7698f-c0f7-4a28-b7bd-e81d20ad9df1-image.png

                  • S
                    SirSilentBob last edited by

                    I have sent a local friend of mine a message to check what ONT he has, he's on the same street and CO as me, so he should have IPv6 but it's just not working. If he's got an Alcatel/Lucent unit then he'll just have to figure out how to disable hardware checksum offloading in BSD and try again, as I'm 99% sure he's got a quad intel gigabit card like I'm running. If disabling that makes it work, I'll see if I can get him to provide the info on his ONT so it can be confirmed as a "bugged" one if anyone is keeping track.

                    • MikeV7896
                      MikeV7896 @SirSilentBob last edited by

                      @sirsilentbob said in Verizon Fios and IPV6, Which Settings Work?:

                      Here's my settings, just curious how they compare to what you are running:

                      I have all of the hardware offloading settings disabled. I'm guessing my CPU is powerful enough to handle everything, because with gigabit service I can still get full 940 Mbps results on speed tests.

                      As far as the ONT tracking, I think that's a bit outside of the scope of this community. The original issue has only been mentioned as happening with the Alcatel-Lucent ONTs, and I don't believe there have been any reports of other ONTs having a similar issue.

                      The S in IOT stands for Security

                      • kohenkatz
                        kohenkatz last edited by kohenkatz

                        @sirsilentbob said in Verizon Fios and IPV6, Which Settings Work?:

                        this old Motorola unit

                        Since the beginning of FiOS rollouts, Verizon has used at least 24 different Motorola ONT models, 11 Tellabs models, and 14 Alcatel models. Of those, all the Tellabs models and 10 of the Motorola models were using a technology (BPON) that Verizon no longer uses. DSLReports has a list. As far as I can tell, the Motorola units have never exhibited this IPv6 issue.

                        • N
                          nolaquen last edited by nolaquen

                          For the folks that have had IPv6 up and running for a while, has anyone had the /56 prefix change on them? It just went active for me this week, and curious how much effort I need to put into insulating my configuration (to the extent I can) from WAN prefix changes.

                          For IPv4, the only time in recent memory that it changed was actually this week when it went down and the link came back up with IPv6. Prior to that, it was consistent through power outages, equipment poweroffs, etc.

                          • jeremy.duncan
                            jeremy.duncan last edited by

                            Woo hoo! Verizon FiOS finally turned up my area for IPv6. I was able to get it working for a few zones on my firewall. I have a few subnets and other routed subnets on my network that I am keeping on my HE tunnel as it's permanent prefix - using some policy-based routing. Otherwise every time the firewall resets or connection resets it will change the IPv6 prefix. Sure wish Verizon would just allocate a permanent prefix.

                            • S
                              SirSilentBob @jeremy.duncan last edited by

                              @jeremy-duncan

                              Nice, so the IPv6 has made it across the water to Chesapeake finally, congrats!

                              As for the changing prefix issue, have you considered something like using ULAs?

                              I have really really considered it (mostly have not yet because lazy and a lot of stuff to set up) because I want to be able to have devices, some of which are mobile and will only use SLAAC have a consistent IPv6, the same as I do on the IPv4 RFC1918 side of things. I think my solution for the mobile devices that can't take IPv6 via DHCP is if I did this, just manually set the ULA on the device and take it off "automatic". Honestly, I would probably make the tail end of the IPv6 address just be the same as it is for IPv4. Even if that meant my LAN devices had a ULA like fd48:dead:beef:50:192:168:50:10 and its IPv4 was 192.168.50.10.

                              I have certain devices that I want the addresses to stay the same so I can do device specific things / exemptions for filtering.

                              I thought about leaving a HE tunnel up, but doing it this way I'd avoid issues with changing prefixes and the devices won't be limited to the tunnel speed, they'd all have the full gigabit line speed.

                              Let me know how it goes if you try this out, please! I'm staring at my access point right now, with currently 28 devices on and active on the network, and it's just me having to probably commit a whole day to this change-over that is stopping me from already having done it, and I still can think of 5 or 6 more devices that are just off right now...

                              • jeremy.duncan
                                jeremy.duncan @SirSilentBob last edited by

                                @sirsilentbob Ah. No. My FiOS business is in Chesapeake and that's still limping along on v4. My home network in Fairfax County was the one that was finally enabled... As for ULA, no, because that just means I'd have to do network prefix translation on the firewall, which wouldn't be any better performance than a tunnel even with a lower MTU. So to keep these subnets somewhat static I'll just keep the policy routing going and do the cool IPv6 on my wifi and another DMZ.

                                • I
                                  ingenium13 last edited by

                                  Verizon rolled out IPv6 in my neighborhood. I'm able to assign /64s (in the right IP ranges) to my vlans, however pfsense won't pass traffic. Packet captures show that pfsense is sending neighbor solicitations, but not getting a response, and upstream is also sending neighbor solicitations, but pfsense isn't responding.

                                  11:04:24.681659 IP6 fe80::2e0:67ff:fe2a:da56 > fe80::e86:10ff:fea1:7bc2: ICMP6, echo request, seq 4139, length 9
                                  11:04:25.143801 IP6 2600:4041:170::1 > ff02::1:ff2a:da56: ICMP6, neighbor solicitation, who has fe80::2e0:67ff:fe2a:da56, length 32
                                  11:04:25.182549 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:26.182638 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:27.182427 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:28.189624 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:28.191316 IP6 2600:4041:170::1 > ff02::1:ff2a:da56: ICMP6, neighbor solicitation, who has fe80::2e0:67ff:fe2a:da56, length 32
                                  11:04:29.189601 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:30.189391 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:31.155646 IP6 2600:4041:170::1 > ff02::1:ff2a:da56: ICMP6, neighbor solicitation, who has fe80::2e0:67ff:fe2a:da56, length 32
                                  11:04:31.195582 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:32.195400 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:33.195391 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  11:04:34.162249 IP6 2600:4041:170::1 > ff02::1:ff2a:da56: ICMP6, neighbor solicitation, who has fe80::2e0:67ff:fe2a:da56, length 32
                                  11:04:34.201399 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
                                  

                                  I tried to ping one of my vlan assigned IPv6 addresses from my VPS, and I see the ping come in in a packet capture on WAN, but again, no response.

                                  I had he.net working previously. I added a firewall rule at the top of WAN to allow all IPv6. "Block private networks and loopback addresses" is disabled.

                                  Any thoughts?

                                  • jeremy.duncan
                                    jeremy.duncan @ingenium13 last edited by

                                    @ingenium13 yeah I had this exact problem when I had the Network Prefix Translation enabled for a few subnets that I was keeping on HE. Do you also have that enabled? If so, just disable them and restart the WAN NIC because that package doesn't seem to work correctly.

                                    Otherwise, you need to make sure your firewall rules allow for IPv6 ICMP-IPv6 for neighbor advertisement, solicitation, and packet too big at the very least on the WAN interface.

                                    Lastly, a reboot fixes a lot of hosed up stuff with the firewall and handling multiple IPv6 gateways.

                                    • I
                                      ingenium13 @jeremy.duncan last edited by

                                      @jeremy-duncan nope, I have nothing configured for NPT. Is the only place to confirm it under firewall, NAT?

                                      I added firewall rule at the top of WAN explicitly allowing all IPv6 traffic of any type. I've rebooted several times too. I disabled the he.net interface (I hadn't used it in years, but I left it configured just in case I wanted to eventually use it again).

                                      I also checked in the firewall logs and there's nothing indicating any blocked IPv6 traffic. The States table shows 4 states corresponding to these neighbor solicitations, and they all say NO_TRAFFIC as the state.

                                      • jeremy.duncan
                                        jeremy.duncan @ingenium13 last edited by

                                        @ingenium13 did you follow the instructions for Track interface on the LAN side interfaces for IPv6? You can't statically assign subnets from a DHCPv6-PD allocation unfortunately.

                                        • I
                                          ingenium13 @jeremy.duncan last edited by ingenium13

                                          @jeremy-duncan Yeah, I have it set to track interface on the LAN side. The LAN router interface correctly gets a routable IPv6 address, and clients get routable IPv6 addresses as well. However the WAN interface just refuses to respond to the neighbor solicitations, so everything just fails with no route to host.

                                          The gateway is fe80::e86:10ff:fea1:7bc2 and WAN is automatically assigned fe80::e86:10ff:fea1:7bc2%igb0. Manually trying to ping the gateway fails:

                                          [2.6.0-RELEASE][root@pfSense]/root: ping6 -I igb0 fe80::e86:10ff:fea1:7bc2
                                          PING6(56=40+8+8 bytes) fe80::2e0:67ff:fe2a:da56%igb0 --> fe80::e86:10ff:fea1:7bc2
                                          ^C
                                          --- fe80::e86:10ff:fea1:7bc2 ping6 statistics ---
                                          12 packets transmitted, 0 packets received, 100.0% packet loss
                                          

                                          The packet capture just shows repeat attempts by pfsense to send neighbor solicitation upstream, but no response. And then 2600:4041:170::1 sends a solicitation to pfsense, which also doesn't respond.

                                          It seems like a firewall issue, but I'm not sure what else I can do besides setting a rule to allow all IPv6 traffic, which I've already done.

                                          I've tried pinging from the LAN interface as well with the same result.

                                          • jeremy.duncan
                                            jeremy.duncan @ingenium13 last edited by

                                            @ingenium13 as stupid as this sounds.. did you reboot it?

                                            • I
                                              ingenium13 @jeremy.duncan last edited by

                                              @jeremy-duncan Yes, many times

                                              • jeremy.duncan
                                                jeremy.duncan @ingenium13 last edited by

                                                @ingenium13 What other 3rd party or extraneous apps do you have running? Do you have a Dynamic DNS agent running?

                                                • I
                                                  ingenium13 @jeremy.duncan last edited by

                                                  @jeremy-duncan Yeah I have Dynamic DNS running updating an IP on Cloudflare, pfblockerng, suricata (not in blocking mode, and only on some LAN interfaces, but not the one I'm testing IPv6 with), avahi (with ipv6 support turned off), haproxy, bandwidthd, and igmpproxy. And wireguard.

                                                  Firewall logs aren't showing any blocked IPv6 traffic.

                                                  • jeremy.duncan
                                                    jeremy.duncan @ingenium13 last edited by

                                                    @ingenium13 I've seen some jacked up stuff with dyn dns trying to update the DNS with the IPv6 address instead of the IPv4. Try disabling those and rebooting and see what happens

                                                    • I
                                                      ingenium13 @jeremy.duncan last edited by

                                                      @jeremy-duncan Didn't make a difference. I even deleted my he.net config just in case that was somehow causing a problem.

                                                      • jeremy.duncan
                                                        jeremy.duncan @ingenium13 last edited by

                                                        @ingenium13 odd... I'm all outta ideas

                                                        • I
                                                          ingenium13 last edited by

                                                          @jeremy-duncan I got it working. I had previously cloned my WAN MAC address to match a previous router because I didn't want to lose my IP assignment (I happened to have it memorized and it hadn't changed in 5 years). This resulted in the link local address and IPv6 DUID matching the hardware MAC, but not the assigned MAC. So pfsense ignored everything on it. Setting the MAC to the hardware address alone didn't resolve it (it no longer even got a config from Verizon), because the DUID was still matching the old MAC. I force updated it to match the hardware MAC, and everything started working.

                                                          • jeremy.duncan
                                                            jeremy.duncan @ingenium13 last edited by

                                                            @ingenium13 dang.. cloning MACs... That makes things super hard in DHCPv6 because of the relationship between it and DUIDs and IAIDs.. glad you got it working

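A consistency check for the cloned-MAC situation described in the two posts above, as an added example that is not code from any poster or from pfSense: it compares the MAC a WAN port is actually using with the MAC embedded in its EUI-64 link-local address and in a DUID-LLT/DUID-LL, and counts neighbor solicitations that never got an advertisement. The capture lines are copied from the tcpdump output earlier in the thread; the cloned MAC and the client DUID are constructed sample values, and all function names are hypothetical.

```python
"""Added example: spot a WAN port whose IPv6 identity disagrees with its MAC."""
import ipaddress
import re

NS_RE = re.compile(r"ICMP6, neighbor solicitation, who has ([0-9a-f:]+),")
NA_RE = re.compile(r"ICMP6, neighbor advertisement, tgt is ([0-9a-f:]+),")


def norm_mac(mac):
    """Normalise a colon-separated MAC to lower-case, zero-padded octets."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def mac_from_link_local(addr):
    """Return the MAC encoded in a modified EUI-64 address, or None."""
    iid = ipaddress.IPv6Address(addr.split("%")[0]).packed[8:]
    if iid[3:5] != b"\xff\xfe":            # interface ID not built from a MAC
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]   # undo the U/L flip
    return ":".join(f"{b:02x}" for b in octets)


def mac_from_duid(duid):
    """Return the Ethernet address in a DUID-LLT (1) or DUID-LL (3), else None."""
    raw = bytes(int(octet, 16) for octet in duid.split(":"))
    duid_type = int.from_bytes(raw[0:2], "big")
    hw_type = int.from_bytes(raw[2:4], "big")
    if hw_type != 1:                        # 1 = Ethernet
        return None
    if duid_type == 1:                      # type, hw type, 4-byte time, address
        lladdr = raw[8:]
    elif duid_type == 3:                    # type, hw type, address
        lladdr = raw[4:]
    else:                                   # e.g. DUID-EN carries no MAC
        return None
    return ":".join(f"{b:02x}" for b in lladdr) if len(lladdr) == 6 else None


def unanswered_solicitations(lines):
    """Map each solicited target to its count when no advertisement was seen."""
    asked, answered = {}, set()
    for line in lines:
        ns = NS_RE.search(line)
        if ns:
            asked[ns.group(1)] = asked.get(ns.group(1), 0) + 1
            continue
        na = NA_RE.search(line)
        if na:
            answered.add(na.group(1))
    return {tgt: n for tgt, n in asked.items() if tgt not in answered}


def diagnose(active_mac, link_local, duid, capture):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    active = norm_mac(active_mac)
    ll_mac = mac_from_link_local(link_local)
    if ll_mac and ll_mac != active:
        findings.append(f"link-local {link_local} encodes {ll_mac}, port uses {active}")
    duid_mac = mac_from_duid(duid)
    if duid_mac and duid_mac != active:
        findings.append(f"DUID encodes {duid_mac}, port uses {active}")
    for target, count in unanswered_solicitations(capture).items():
        findings.append(f"{count} solicitation(s) for {target}, no advertisement")
    return findings


# Four lines copied from the packet capture posted in this thread.
CAPTURE = """\
11:04:25.143801 IP6 2600:4041:170::1 > ff02::1:ff2a:da56: ICMP6, neighbor solicitation, who has fe80::2e0:67ff:fe2a:da56, length 32
11:04:25.182549 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
11:04:26.182638 IP6 fe80::2e0:67ff:fe2a:da56 > ff02::1:ffa1:7bc2: ICMP6, neighbor solicitation, who has fe80::e86:10ff:fea1:7bc2, length 32
11:04:28.191316 IP6 2600:4041:170::1 > ff02::1:ff2a:da56: ICMP6, neighbor solicitation, who has fe80::2e0:67ff:fe2a:da56, length 32
""".splitlines()

WAN_LINK_LOCAL = "fe80::2e0:67ff:fe2a:da56%igb0"   # from the ping6 output above
HARDWARE_MAC = "00:e0:67:2a:da:56"                 # decoded from that address
CLONED_MAC = "02:00:5e:10:00:01"                   # constructed sample value
CLIENT_DUID = "00:01:00:01:2a:47:f1:e8:00:e0:67:2a:da:56"   # constructed DUID-LLT

if __name__ == "__main__":
    for finding in diagnose(CLONED_MAC, WAN_LINK_LOCAL, CLIENT_DUID, CAPTURE):
        print(finding)
```

On a live system the three inputs would come from the `ether` line of `ifconfig igb0`, the interface's `fe80::` address, and the client ID line in the dhcp6c debug log.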
                                                            • S
                                                              SirSilentBob last edited by SirSilentBob

                                                              ***Edit: About 30-some hours later IPv6 came back, on its own. Guessing some local oddity or something....

                                                              Anyone having any oddities with IPv6 today? My wife mentioned today that "the internet started running like crap" around 11am-ish. I'm assuming around that time is when the IPv6 issue happened, and devices ran bad until they realized that IPv6 was dead and fell back to IPv4. I've had IPv6 for weeks now w/o issues, and no recent config changes so it's unexpected.

                                                              Nothing really jumps out at me in the log. I connected to my neighbor's Verizon-provided router, and they don't seem to have IPv6 connectivity either, when they also have previously had it like me. Looks like pfsense is keeping the prefix, and the WAN link-local address is showing as online as well, so that part of the connection is working...

                                                              Maybe locally (Newport News, VA) there's some sort of work, or IPv6 outage for some reason.

                                                              Verbose log below if anyone sees anything interesting!

                                                              Jun 30 20:24:28	dhcp6c	73904	got an expected reply, sleeping.
                                                              Jun 30 20:24:28	dhcp6c	73904	removing server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00)
                                                              Jun 30 20:24:28	dhcp6c	73904	removing an event on igb0, state=REQUEST
                                                              Jun 30 20:24:28	dhcp6c	73904	script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh" terminated
                                                              Jun 30 20:24:28	dhcp6c	84659	dhcp6c REQUEST on igb0 - running rtsold
                                                              Jun 30 20:24:26	dhcp6c	73904	executes /var/etc/dhcp6c_wan_dhcp6withoutra_script.sh
                                                              Jun 30 20:24:26	dhcp6c	73904	add an address 2600:4040:13e5:1a35:21b:21ff:fe73:d35d/64 on igb3
                                                              Jun 30 20:24:26	dhcp6c	73904	add an address 2600:4040:13e5:1a20:21b:21ff:fe73:d35c/64 on igb2
                                                              Jun 30 20:24:26	dhcp6c	73904	add an address 2600:4040:13e5:1a10:21b:21ff:fe73:d359/64 on igb1
                                                              Jun 30 20:24:26	dhcp6c	73904	create a prefix 2600:4040:13e5:1a00::/56 pltime=7200, vltime=7200
                                                              Jun 30 20:24:26	dhcp6c	73904	make an IA: PD-0
                                                              Jun 30 20:24:26	dhcp6c	73904	dhcp6c Received REQUEST
                                                              Jun 30 20:24:26	dhcp6c	73904	IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200
                                                              Jun 30 20:24:26	dhcp6c	73904	get DHCP option IA_PD prefix, len 25
                                                              Jun 30 20:24:26	dhcp6c	73904	IA_PD: ID=0, T1=3600, T2=5760
                                                              Jun 30 20:24:26	dhcp6c	73904	get DHCP option IA_PD, len 41
                                                              Jun 30 20:24:26	dhcp6c	73904	DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00
                                                              Jun 30 20:24:26	dhcp6c	73904	get DHCP option server ID, len 26
                                                              Jun 30 20:24:26	dhcp6c	73904	DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX
                                                              Jun 30 20:24:26	dhcp6c	73904	get DHCP option client ID, len 14
                                                              Jun 30 20:24:26	dhcp6c	73904	receive reply from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0
                                                              Jun 30 20:24:26	dhcp6c	73904	reset a timer on igb0, state=REQUEST, timeo=0, retrans=955
                                                              Jun 30 20:24:26	dhcp6c	73904	send request to ff02::1:2%igb0
                                                              Jun 30 20:24:26	dhcp6c	73904	set IA_PD
                                                              Jun 30 20:24:26	dhcp6c	73904	set IA_PD prefix
                                                              Jun 30 20:24:26	dhcp6c	73904	set option request (len 4)
                                                              Jun 30 20:24:26	dhcp6c	73904	set elapsed time (len 2)
                                                              Jun 30 20:24:26	dhcp6c	73904	set server ID (len 26)
                                                              Jun 30 20:24:26	dhcp6c	73904	set client ID (len 14)
                                                              Jun 30 20:24:26	dhcp6c	73904	a new XID (803dba) is generated
                                                              Jun 30 20:24:26	dhcp6c	73904	Sending Request
                                                              Jun 30 20:24:26	dhcp6c	73904	picked a server (ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00)
                                                              Jun 30 20:24:25	dhcp6c	73904	reset timer for igb0 to 0.995807
                                                              Jun 30 20:24:25	dhcp6c	73904	server ID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00, pref=-1
                                                              Jun 30 20:24:25	dhcp6c	73904	IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200
                                                              Jun 30 20:24:25	dhcp6c	73904	get DHCP option IA_PD prefix, len 25
                                                              Jun 30 20:24:25	dhcp6c	73904	IA_PD: ID=0, T1=3600, T2=5760
                                                              Jun 30 20:24:25	dhcp6c	73904	get DHCP option IA_PD, len 41
                                                              Jun 30 20:24:25	dhcp6c	73904	DUID: 00:02:00:00:05:83:66:34:3a:62:35:3a:32:66:3a:30:34:3a:65:30:3a:63:30:00:00:00
                                                              Jun 30 20:24:25	dhcp6c	73904	get DHCP option server ID, len 26
                                                              Jun 30 20:24:25	dhcp6c	73904	DUID: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX
                                                              Jun 30 20:24:25	dhcp6c	73904	get DHCP option client ID, len 14
                                                              Jun 30 20:24:25	dhcp6c	73904	receive advertise from fe80::f6b5:2fff:fe04:d9da%igb0 on igb0
                                                              Jun 30 20:24:25	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=4, retrans=16326
                                                              Jun 30 20:24:25	dhcp6c	73904	send solicit to ff02::1:2%igb0
                                                              Jun 30 20:24:25	dhcp6c	73904	set IA_PD
                                                              Jun 30 20:24:25	dhcp6c	73904	set IA_PD prefix
                                                              Jun 30 20:24:25	dhcp6c	73904	set option request (len 4)
                                                              Jun 30 20:24:25	dhcp6c	73904	set elapsed time (len 2)
                                                              Jun 30 20:24:25	dhcp6c	73904	set client ID (len 14)
                                                              Jun 30 20:24:25	dhcp6c	73904	Sending Solicit
                                                              Jun 30 20:24:17	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=3, retrans=8065
                                                              Jun 30 20:24:17	dhcp6c	73904	send solicit to ff02::1:2%igb0
                                                              Jun 30 20:24:17	dhcp6c	73904	set IA_PD
                                                              Jun 30 20:24:17	dhcp6c	73904	set IA_PD prefix
                                                              Jun 30 20:24:17	dhcp6c	73904	set option request (len 4)
                                                              Jun 30 20:24:17	dhcp6c	73904	set elapsed time (len 2)
                                                              Jun 30 20:24:17	dhcp6c	73904	set client ID (len 14)
                                                              Jun 30 20:24:17	dhcp6c	73904	Sending Solicit
                                                              Jun 30 20:24:13	dhcpleases	23855	Could not deliver signal HUP to process 69147: No such process.
                                                              Jun 30 20:24:13	dhcpleases	23855	Sending HUP signal to dns daemon(69147)
                                                              Jun 30 20:24:13	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=2, retrans=3982
                                                              Jun 30 20:24:13	dhcp6c	73904	send solicit to ff02::1:2%igb0
                                                              Jun 30 20:24:13	dhcp6c	73904	set IA_PD
                                                              Jun 30 20:24:13	dhcp6c	73904	set IA_PD prefix
                                                              Jun 30 20:24:13	dhcp6c	73904	set option request (len 4)
                                                              Jun 30 20:24:13	dhcp6c	73904	set elapsed time (len 2)
                                                              Jun 30 20:24:13	dhcp6c	73904	set client ID (len 14)
                                                              Jun 30 20:24:13	dhcp6c	73904	Sending Solicit
                                                              Jun 30 20:24:11	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=1, retrans=2083
                                                              Jun 30 20:24:11	dhcp6c	73904	send solicit to ff02::1:2%igb0
                                                              Jun 30 20:24:11	dhcp6c	73904	set IA_PD
                                                              Jun 30 20:24:11	dhcp6c	73904	set IA_PD prefix
                                                              Jun 30 20:24:11	dhcp6c	73904	set option request (len 4)
                                                              Jun 30 20:24:11	dhcp6c	73904	set elapsed time (len 2)
                                                              Jun 30 20:24:11	dhcp6c	73904	set client ID (len 14)
                                                              Jun 30 20:24:11	dhcp6c	73904	Sending Solicit
                                                              Jun 30 20:24:10	dhcp6c	73904	reset a timer on igb0, state=SOLICIT, timeo=0, retrans=1091
                                                              Jun 30 20:24:10	dhcp6c	73904	send solicit to ff02::1:2%igb0
                                                              Jun 30 20:24:10	dhcp6c	73904	set IA_PD
                                                              Jun 30 20:24:10	dhcp6c	73904	set IA_PD prefix
                                                              Jun 30 20:24:10	dhcp6c	73904	set option request (len 4)
                                                              Jun 30 20:24:10	dhcp6c	73904	set elapsed time (len 2)
                                                              Jun 30 20:24:10	dhcp6c	73904	set client ID (len 14)
                                                              Jun 30 20:24:10	dhcp6c	73904	a new XID (b8cbfb) is generated
                                                              Jun 30 20:24:10	dhcp6c	73904	Sending Solicit
                                                              Jun 30 20:24:09	dhcp6c	73904	reset a timer on igb0, state=INIT, timeo=0, retrans=891
                                                              Jun 30 20:24:09	dhcp6c	73792	called
                                                              Jun 30 20:24:09	dhcp6c	73792	called
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[8] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[sla-len] (7)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[53] (2)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[sla-id] (6)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<5>[igb3] (4)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[prefix-interface] (16)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[8] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[sla-len] (7)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[32] (2)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[sla-id] (6)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<5>[igb2] (4)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[prefix-interface] (16)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[8] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[sla-len] (7)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[16] (2)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[sla-id] (6)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<5>[igb1] (4)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[prefix-interface] (16)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[infinity] (8)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[56] (2)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[/] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[::] (2)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[prefix] (6)
                                                              Jun 30 20:24:09	dhcp6c	73792	<13>begin of closure [{] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<13>[0] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<13>[pd] (2)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[id-assoc] (8)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of closure [}] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>comment [# we'd like nameservers and RTSOLD to do all the work] (53)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>["/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh"] (46)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[script] (6)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[domain-name] (11)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[request] (7)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[domain-name-servers] (19)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[request] (7)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>comment [# request prefix delegation] (27)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>end of sentence [;] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[0] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[ia-pd] (5)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[send] (4)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>begin of closure [{] (1)
                                                              Jun 30 20:24:09	dhcp6c	73792	<5>[igb0] (4)
                                                              Jun 30 20:24:09	dhcp6c	73792	<3>[interface] (9)
                                                              Jun 30 20:24:09	dhcp6c	73792	skip opening control port
                                                              Jun 30 20:24:09	dhcp6c	73792	failed initialize control message authentication
                                                              Jun 30 20:24:09	dhcp6c	73792	failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
                                                              Jun 30 20:24:09	dhcp6c	73792	extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:2a:47:f1:e8:00:1b:21:73:XX:XX
                                                              
                                                              • T
                                                                tman222 last edited by

                                                                After a short (~45min) outage last night, IPV6 became available on my Verizon FiOS circuit as well. I can confirm that the setup instructions in post 2 above from @MikeV7896 work great. The only thing that took me a second to figure out is that the WAN interface needs to be cycled (up/down) for IPV6 to start working after it has been enabled if it wasn't enabled before. After rebooting the firewall, I saw an IPV6 prefix delegated as expected to the LAN interface which I had set up to track the WAN interface.

                                                                Once all this is working, one can further configure IPV6 on pfSense for downstream clients by going to Services > DHCPv6 Server & RA:

                                                                https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6.html

                                                                • A
                                                                  arion last edited by

                                                                  Is there a default alias or anything that can be used to reference the delegated IPv6 prefix in firewall rules? I use an invert-match rule pointing to an alias for my security networks (DMZ, IOT, etc.) so that they can get to any Internet destination but can't get to my local networks by default. This was fine with my HE tunnel because I had a statically assigned /48 that was routable across the tunnel from which I assigned /64 networks. With DHCP-PD, I can't see any easy way to explicitly block IPv6 traffic between the networks within the delegated prefix. Any ideas?

                                                                  • MikeV7896
                                                                    MikeV7896 @arion last edited by

                                                                    @arion

                                                                    There aren't any aliases (as in something in Firewall > Aliases), but you could create block rules with a destination of "LAN Network" (or whatever network you want to prevent access to) and if the prefix changes in the future, the rule would automatically update with the new prefix for your LAN network (or whatever network you've selected in the rule).

                                                                    The S in IOT stands for Security

                                                                    • A
                                                                      arion @MikeV7896 last edited by

                                                                      @mikev7896 Thanks for the note. Yeah, what you describe is how I approached blocking "internal" networks before someone tipped me off to how to effectively use the inverse-rules (allow everything except certain networks covered by an alias). I can go back to an implicit allow at the bottom of my rules and then explicit block rules above for my internal networks, but I was hoping there was a way to do this without reverting to this approach. I'm spoiled by the inverse rule now and going back to the other mode seems like a step backwards. Oh well. I think I'll stick with the inverse-rule, and hard code the prefix I've been assigned and cross my fingers for a while. Thanks for the input though!

                                                                      1 Reply Last reply Reply Quote 0
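The trade-off in the exchange above, as an added example that is not part of any poster's message: an invert-match pass rule allows every destination outside the alias, so a hard-coded prefix that no longer matches the delegation leaves the internal /64s reachable from the restricted networks. The script derives each interface's /64 from the `IA_PD prefix` log line plus the `sla-id`/`sla-len` values in the thread's dhcp6c log and reports any that the alias misses. The function names, the alias contents and the second log line are assumptions made for the illustration.

```python
import ipaddress
import re

# Log lines in the dhcp6c debug format shown earlier in this thread, oldest
# first. The first prefix is the one from the thread; the second line is
# constructed (documentation prefix) to simulate a later re-delegation.
SAMPLE_LOG = """\
Jun 30 20:24:26 dhcp6c 73904 IA_PD prefix: 2600:4040:13e5:1a00::/56 pltime=7200 vltime=7200
Jul 02 03:10:41 dhcp6c 81022 IA_PD prefix: 2001:db8:77:4200::/56 pltime=7200 vltime=7200
"""

# prefix-interface / sla-id pairs and sla-len as they appear in the thread's log.
SLA_IDS = {"igb1": 16, "igb2": 32, "igb3": 53}
SLA_LEN = 8

# Hypothetical alias contents: the assigned prefix, hard-coded by hand.
HARDCODED_ALIAS = ["2600:4040:13e5:1a00::/56"]

IA_PD_RE = re.compile(r"IA_PD prefix: (\S+) pltime=\d+ vltime=\d+")


def delegated_prefixes(log_text):
    """Return each distinct delegated prefix in order of first appearance."""
    seen = []
    for match in IA_PD_RE.finditer(log_text):
        net = ipaddress.IPv6Network(match.group(1))
        if net not in seen:
            seen.append(net)
    return seen


def interface_networks(delegated, sla_ids, sla_len):
    """Compute the per-interface network: delegated prefix + sla-id bits."""
    child_len = delegated.prefixlen + sla_len
    if child_len > 64:
        raise ValueError(f"{delegated} is too small for /64 LANs with sla-len {sla_len}")
    nets = {}
    for ifname, sla_id in sla_ids.items():
        if not 0 <= sla_id < (1 << sla_len):
            raise ValueError(f"sla-id {sla_id} on {ifname} does not fit in {sla_len} bits")
        base = int(delegated.network_address) + (sla_id << (128 - child_len))
        nets[ifname] = ipaddress.IPv6Network((base, child_len))
    return nets


def uncovered_networks(iface_nets, alias_entries):
    """Return interface networks that no IPv6 alias entry contains.

    With an invert-match pass rule, these are internal networks the rule
    would allow traffic to.
    """
    alias = [ipaddress.ip_network(entry) for entry in alias_entries]
    alias_v6 = [net for net in alias if net.version == 6]
    return {
        ifname: net
        for ifname, net in iface_nets.items()
        if not any(net.subnet_of(entry) for entry in alias_v6)
    }


def audit(log_text, sla_ids=SLA_IDS, sla_len=SLA_LEN, alias=HARDCODED_ALIAS):
    """Check every delegation seen in the log against the hard-coded alias."""
    results = []
    for delegated in delegated_prefixes(log_text):
        nets = interface_networks(delegated, sla_ids, sla_len)
        results.append((delegated, uncovered_networks(nets, alias)))
    return results


if __name__ == "__main__":
    for delegated, missing in audit(SAMPLE_LOG):
        status = "alias covers all LANs" if not missing else "ALIAS STALE"
        print(f"{delegated}: {status}")
        for ifname, net in sorted(missing.items()):
            print(f"  {ifname} {net} is outside the alias")
```
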
                                                                      • MaxK 0
                                                                        MaxK 0 last edited by

                                                                        I just saw that my Verizon Fios WAN_DHCP6 Gateway came online for the first time after a reboot of my 3100 (version 22.01).

                                                                        Capture.JPG

                                                                        I followed the settings in post 2 above (and rebooted). From pfSense ping, I can IPv6 ping to an external address (google) and I can ping to the pfSense LAN interface IPv6 address (I would hope so). But I can’t IPv6 ping from pfSense to clients on the LAN that have an IPv6 address. And I can’t “ping -6” from Win10 client to pfSense or externally (request timed out).

                                                                        Also, when I try to run ipv6-test.com I get “IPv6 connectivity Not Supported” and “DNS4 + IP6 Unreachable”, “DNS6 + IP4 Reachable”, and “DNS6 + IP6 Unreachable.”

                                                                        The routing logs have a warning on startup but nothing else:

                                                                        radvd 51430 warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster

                                                                        I did read through this post and Netgate docs multiple times but I don’t know where else to look or other troubleshooting steps I should do.

                                                                        • T
                                                                          tman222 @MaxK 0 last edited by

                                                                          @maxk-0

                                                                          Couple questions for you:

                                                                          1. What settings do you have enabled for your LAN Interface under Services > DHCPv6 Server & RA? Are your LAN clients getting valid IPv6 addresses (not just link local addresses)?
                                                                          2. Are your firewall rules allowing outbound IPv6 traffic from LAN?

                                                                          Hope this helps.

                                                                          • MaxK 0
                                                                            MaxK 0 @tman222 last edited by

                                                                            Thank you very much @tman222. I did not have a firewall rule to allow IPv6.

                                                                            • B
                                                                              betapc last edited by

                                                                              Good Morning everybody;

                                                                              I tried everything. I did all of @MikeV7896's settings and I have all the IPV6 addresses, but I don't have network traffic. I can ping all my internal network IPV6 addresses and also the one assigned by FIOS but I can ping anything else outside of my network. The IPV6 test shows my IPV6 address but no connection to any IPV6 servers.

                                                                              I tried using the default DNS servers and also tried Google's DNS server; still not working.

                                                                              Below are my settings, thanks for the help.

                                                                              IPV6- test.jpg
                                                                              IPV6- test2.jpg
                                                                              IPV6-Numbers.jpg
                                                                              IPV6- Lan Numbers.jpg
                                                                              IPV6- WAN.jpg
                                                                              IPV6- WAN 2.jpg
                                                                              IPV6-LAN.jpg IPV6-LAN 2.jpg
                                                                              IPV6- Firewall.jpg
                                                                              DHCPV6.jpg IPV6- RA.jpg IPV6- Networking.jpg
                                                                              IPV6- Networking 2.jpg

                                                                              • jeremy.duncan
                                                                                jeremy.duncan @betapc last edited by

                                                                                @betapc I am skeptical about the "LAN net" alias when it comes to tracked DHCPv6-PD. For shits and giggles add a rule on your LAN side allowing all IPv6 any any...

                                                                                • B
                                                                                  betapc @jeremy.duncan last edited by

                                                                                  @jeremy-duncan Thanks for the reply. Changed, still not working.

                                                                                  IPV6 test result changed:

                                                                                  IPV6- test4.jpg IPV6- test3.jpg

                                                                                  Are the settings for DHCP6 and Advertisement correct?

                                                                                  DHCPV6.jpg
                                                                                  IPV6- RA.jpg

                                                                                  Thanks

                                                                                  • jeremy.duncan
                                                                                    jeremy.duncan @betapc last edited by

                                                                                    @betapc no, you have to set the router mode to managed on the RA section if you are using DHCPv6.
