Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result

    Scheduled Pinned Locked Moved IPv6
    48 Posts 4 Posters 9.1k Views 7 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • JKnottJ Offline
      JKnott @cnrd
      last edited by

      @cnrd

      Well, I don't know what else to tell you. It works fine for me and many others. But when I look at your capture and see all those unanswered solicitations I don't think the problem is with pfsense. You have to find out why the ISP is not responding to them. I see 14 lines of them and not a single response. While I don't see a router solicitation, I do see the solicit XID to a multicast address. Why no response to that?

      What is your WAN config? Mine says DHCP6.

      Also, in your first post you said "When pfSense sends out a DHCPv6 request, my ISP sends out an NS, which pfSense never replies to <-- This seems to be what causes the problem.", but I don't see that in the packet capture.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      C 1 Reply Last reply Reply Quote 0
      • C Offline
        cnrd @JKnott
        last edited by

        @JKnott yeah I don't really know what else there is to try either.

        WAN is set to DHCPv6.

        The NS from the ISP comes right after the XID in the latest capture.

        All I can say is that in other OS'es it's working because they reply to that NS.

        I don't really know what to ask my ISP about, as I haven't found any documentation/RFC showing that what they are doing is out of spec.

        Anyways thanks for trying :-) as the same thing is happening upstream in FreeBSD, I'll probably try over there.

        JKnottJ 1 Reply Last reply Reply Quote 0
        • JKnottJ Offline
          JKnott @cnrd
          last edited by

          @cnrd

          You might also mention who your ISP is. Someone else might have experience with them.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          C 1 Reply Last reply Reply Quote 0
          • C Offline
            cnrd @JKnott
            last edited by

            @JKnott My ISP is Gigabit.dk

            As I wanted to test my theory that it would not reply to global addresses, I hand-crafted two different packages using scapy.

            working.pcap
            not-working.pcap

            The only difference between these two packages is the fact that one uses a global IP as the src, while the other uses a local-link address.

            I'm going to open a bug-report with those two minimal examples.

            1 Reply Last reply Reply Quote 0
            • DerelictD Offline
              Derelict LAYER 8 Netgate
              last edited by Derelict

              Not sure this is a bug.

              How is an IPv6 host supposed to source a packet to a GUA unicast address from a link-local address? Link-local is link-local, not GUA. The host has no idea that the GUA address is on the next hop. If it is not, the router receiving the packet should not forward the packet if it is sourced from the link-local address. The host cannot source the packet from a GUA address because DHCP6 has not occurred yet (It doesn't have one).

              I tried to find something hard in the RFCs that states this but came up empty.

              macos to pfSense:
              
              Ping in the link-local context works:
              $ ping6 -S fe80::183d:38c9:7896:973b%vlan0 fe80::1:1%vlan0
              PING6(56=40+8+8 bytes) fe80::183d:38c9:7896:973b%vlan0 --> fe80::1:1%vlan0
              16 bytes from fe80::1:1%vlan0, icmp_seq=0 hlim=64 time=0.168 ms
              16 bytes from fe80::1:1%vlan0, icmp_seq=1 hlim=64 time=0.151 ms
              16 bytes from fe80::1:1%vlan0, icmp_seq=2 hlim=64 time=0.142 ms
              16 bytes from fe80::1:1%vlan0, icmp_seq=3 hlim=64 time=0.225 ms
              ^C
              --- fe80::1:1%vlan0 ping6 statistics ---
              4 packets transmitted, 4 packets received, 0.0% packet loss
              round-trip min/avg/max/std-dev = 0.142/0.171/0.225/0.032 ms
              
              Ping link-local to GUA fails:
              $ ping6 -S fe80::183d:38c9:7896:973b%vlan0 2001:470:beef:1::1
              PING6(56=40+8+8 bytes) fe80::183d:38c9:7896:973b%vlan0 --> 2001:470:beef:1::1
              ^C
              --- 2001:470:beef:1::1 ping6 statistics ---
              5 packets transmitted, 0 packets received, 100.0% packet loss
              
              Ping GUA to GUA works:
              $ ping6 -S 2001:470:beef:1:8444:5b18:abab:96f0 2001:470:beef:1::1
              PING6(56=40+8+8 bytes) 2001:470:beef:1:8444:5b18:abab:96f0 --> 2001:470:beef:1::1
              16 bytes from 2001:470:beef:1::1, icmp_seq=0 hlim=64 time=0.201 ms
              16 bytes from 2001:470:beef:1::1, icmp_seq=1 hlim=64 time=0.203 ms
              16 bytes from 2001:470:beef:1::1, icmp_seq=2 hlim=64 time=0.211 ms
              ^C
              --- 2001:470:beef:1::1 ping6 statistics ---
              3 packets transmitted, 3 packets received, 0.0% packet loss
              round-trip min/avg/max/std-dev = 0.201/0.205/0.211/0.004 ms
              

              Is this the same ISP that expected its customers to periodically send a Router Solicitation even though the RFCs explicitly state one MUST NOT do that except in certain instances like an interface reconfiguration, link down/up, etc?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              C 1 Reply Last reply Reply Quote 0
              • C Offline
                cnrd @Derelict
                last edited by

                @Derelict No they are sending out RA as expected, they had a problem where the RA packages was thrown away, but that was fixed by their HW vendor.

                I have been speaking to one of their internal IT guys, they have been very helpful and tried changing the config of their routers, such that it would send the NS using a link local address, that fixed this problem, but unfortunately broke the DHCP hand-out.

                I tried to find something hard in the RFCs that states this but came up empty.

                I know that it sounds wierd, but as Linux supports it and there is nothing in the RFC stating that it's wrong, I can't really see why it shouldn't be okay. I can see your argument, it does make sense, but if it's not disallowed by the RFC, then someone (in this case the HW vendor of my ISP) chooses to do it.

                How is an IPv6 host supposed to source a packet to a GUA unicast address from a link-local address?

                Here is how debian does it:
                2 0.000005 fe80::541e:337d:38c9:11ee 2a00:7660::248 ICMPv6 86 Neighbor Advertisement fe80::541e:337d:38c9:11ee (sol, ovr) is at ac:16:2d:94:bb:d3

                It is the responsibility of the receiver (router) to not forward that outside of the link local.

                JKnottJ 1 Reply Last reply Reply Quote 0
                • JKnottJ Offline
                  JKnott @cnrd
                  last edited by

                  @cnrd said in pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result:

                  I have been speaking to one of their internal IT guys, they have been very helpful and tried changing the config of their routers, such that it would send the NS using a link local address, that fixed this problem, but unfortunately broke the DHCP hand-out.

                  One thing I've noticed is the ISPs tech are not fully up to speed on IPv6. A couple of years ago, I had a problem with my ISP where I could not reach the Internet with IPv6. After testing on my own, I had determined the problem was not on my network. I called 2nd level support (I don't waste my time with 1st) and had to talk him through how DHCPv6-PD works and how the WAN address is not used for routing. He was then able to verify the problem was elsewhere. But when he tried to get the network guys to work on it, they refused because I had my own router, even though a neighbour had the same problem and he was only using the ISP's router. I had even determined the failing system, by host name, at the head end, by examining the DHCPv6-PD sequence with Wireshark. I then had a senior tech come to my home and again explained how things worked. He tried, with his own computer and modem, and it failed for him too. He then took his computer to the office and tried with 4 different systems and only the one I was connected to failed. The network guys finally accepted the problem and resolved it.

                  I was able to work my way through this because I have decades of experience with telecom, computers and networks. An average customer wouldn't have a hope.

                  Bottom line, you can't always count on the ISP's techs to fully understand what they're doing.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  C 1 Reply Last reply Reply Quote 0
                  • C Offline
                    cnrd @JKnott
                    last edited by

                    @JKnott can't really reveal who I talked to, but trust me, not an average tech.

                    1 Reply Last reply Reply Quote 0
                    • C Offline
                      cnrd
                      last edited by

                      This post is deleted!
                      1 Reply Last reply Reply Quote 0
                      • A Offline
                        abw
                        last edited by

                        @cnrd I have been following this thread with great interest.

                        I use the same ISP, and have exactly the same issue, in that the NS coming in is being ignored, and the DHCP6 requests in turn keep being ignored by Gigabit.

                        Funny thing is that this worked me for several years, until it stopped, around the time there was a large outage in connection with some infra upgrades being done at the time. It's possibly related with those infrastructure changes.

                        Did you have any luck with support? I have a support case registered a couple of weeks ago for the same thing, and I think I will point them to this thread, unless you found a workaround on the BSD/pfSense side.

                        C 1 Reply Last reply Reply Quote 0
                        • C Offline
                          cnrd @abw
                          last edited by

                          @abw Unfortunately not. Yeah it seems like the upgrade of hardware caused the problem.

                          A 1 Reply Last reply Reply Quote 0
                          • A Offline
                            abw @cnrd
                            last edited by

                            @cnrd Just had a breakthrough, and now have the full /48 running with DHCPv6 on pfSense.
                            My problem was due to having a user defined MAC address on the WAN interface.

                            I've always had a user defined MAC address configured on the WAN interface (Interfaces > WAN > MAC Address), so as to ensure my static IPv4 address over several hardware changes.

                            After reading everything you had tried, I wanted to test the theory that this user-defined address might have an impact on pfSense/FreeBSDs ability to respond to the NS.

                            It seems that this is the root cause of my issue, because when removed it, and let it default to the hardware MAC, DHCPv6 and the PD came up immediately.
                            Of course I no longer had an IPv4 address, but I just called up the ISP and they changed the static DHCP4 allocation to my new MAC for me on the spot.

                            Now, with the hardware MAC in use, the NS works perfectly.

                            So my current root cause theory is that, whatever mechanism pfSense uses to "spoof" the MAC address, does not appear to propagate to the part of FreeBSD that is responsible for NS responses. Only a theory though.

                            I really hope this helps you.

                            By the way, I only have the following checked in the WAN configuration now:

                            Prefix Delegation Size: /48
                            Send IPv6 Prefix Hint: SET

                            Reboot pfSense, and that's it.

                            C JKnottJ 2 Replies Last reply Reply Quote 0
                            • C Offline
                              cnrd @abw
                              last edited by

                              @abw huh wierd, any chance you can try to capture the NS/NA handshake? Maybe they have a different router setup where you are connected.

                              If you cannot capture the handshake, could you try to figure out what IP the router is presenting in packages?

                              Thanks!

                              1 Reply Last reply Reply Quote 0
                              • JKnottJ Offline
                                JKnott @abw
                                last edited by

                                @abw said in pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result:

                                So my current root cause theory is that, whatever mechanism pfSense uses to "spoof" the MAC address, does not appear to propagate to the part of FreeBSD that is responsible for NS responses. Only a theory though.

                                There's a bit in the MAC to designate a universal or locally assigned address. Perhaps that's what's causing the problem. You should be able to check that with a packet capture.

                                PfSense running on Qotom mini PC
                                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                                UniFi AC-Lite access point

                                I haven't lost my mind. It's around here...somewhere...

                                A 1 Reply Last reply Reply Quote 0
                                • A Offline
                                  abw @JKnott
                                  last edited by

                                  @JKnott Thanks for the idea!

                                  My old statically coded MAC address OUI was bc:05:43 which came from a FritzBox I had for many years.
                                  The new OUI, which works, is 00:1f:29, which is registered to HP.

                                  Both have the second LSB of the first octet set to zero (UAA), so I guess that's not it.

                                  In my working configuration I had also set the tunable net.inet6.icmp6.nd6_onlink_ns_rfc4861 to 1, but I have not yet retested with it set to zero to determine if it's actually necessary.

                                  I still need to experiment a little more to isolate the fix.

                                  1 Reply Last reply Reply Quote 0
                                  • DerelictD Offline
                                    Derelict LAYER 8 Netgate
                                    last edited by

                                    This is why I always tell people it is better to just call the ISP and get them to do whatever it is they need to do instead of relying on hacks like MAC address spoofing.

                                    It is almost always better to fix the problem correctly than to paper over it so it can come back and bite you in unexpected ways at some unexpected time in the future. NAT reflection and, without a doubt, any routing asymmetry fall into this category. As does correcting misapplied public addresses instead of using RFC1918 (and a random choice at that).

                                    Was the captured negotiation that was failing using the hardware or the spoofed MAC address?

                                    Chattanooga, Tennessee, USA
                                    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                    Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                    C JKnottJ 2 Replies Last reply Reply Quote 0
                                    • C Offline
                                      cnrd @Derelict
                                      last edited by

                                      @Derelict there are two different people in this thread using the same ISP @abw and me. @abw seems to have his problem fixed, I however have never used a spoofed MAC, but still have problems.

                                      DerelictD 1 Reply Last reply Reply Quote 0
                                      • DerelictD Offline
                                        Derelict LAYER 8 Netgate
                                        last edited by

                                        @abw said in pfSense does not reply to NS sent by ISP router, ISP does not respond to DHCPv6 request as a result:

                                        My old statically coded MAC address OUI was bc:05:43

                                        Not a locally-generated MAC address, which is the second-least-significant bit as 1 in the first octet there.

                                        Chattanooga, Tennessee, USA
                                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                        1 Reply Last reply Reply Quote 0
                                        • DerelictD Offline
                                          Derelict LAYER 8 Netgate @cnrd
                                          last edited by

                                          @cnrd I understand that. I wasn't really talking to you but everyone in general.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          1 Reply Last reply Reply Quote 0
                                          • C Offline
                                            cnrd
                                            last edited by

                                            @Derelict sorry I had a million things going on when I wrote that reply.

                                            It seems like I finally have it solved, thanks to @abw, who had the following system tuneable set: net.inet6.icmp6.nd6_onlink_ns_rfc4861=1

                                            Setting this tuneable combined with doing something will allow pfSense to reply. In my case just applying the tuneable was not enough, restarting did not fix it, saving and applying the WAN interface did not fix it, I had to change and apply the DUID for the tunable to finally apply.

                                            As stated here: https://www.freebsd.org/security/advisories/FreeBSD-SA-08:10.nd6.asc

                                            The solution described below causes IPv6 Neighbor Discovery Neighbor Solicitation messages from non-neighbors to be ignored.
                                            This can be re-enabled if required by setting the newly added net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

                                            I think a package coming from a global address to a link local would be considered a non-neighbor.

                                            A JKnottJ 2 Replies Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.