WAN_DHCP6 Pending - Pfsense 2.5.2
-
So my Gateway's widget is showing "Pending" against my WAN_DHCP6 connection - seen much discussion on an old redmine ticket about this, but am on 2.5.2 and IPv6 seems to be working fine for me - so assume this is just cosmetic?
-
@thondwe So I've revisited this, and I notice when I save the Gateway Configs I see a message in the logs from dpinger
"send_interval 500ms loss_interval 2000ms time_period 60000ms report_interval 0ms data_len 1 alert_interval 1000ms latency_alarm 500ms loss_alarm 20% dest_addr 8.8.8.8 bind_addr xxx.xxx.xxx.xxx identifier "WAN_PPPOE "
For the IPV4 address, BUT nothing corresponding for the IPV6 Gateway. Running 2.5.2, but it's been through a few upgrade cycles...
So assume "Pending" is because dpinger isn't running for IPV6 at all??
Any thoughts?
Paul
-
@thondwe Exploring dpinger command lines and if I manually construct the command using the Link Local address for the -B option I get this error
"bind: Can't assign requested address"
If I sub my own (internal) gateway address it's happy and runs fine - so I assume that using the link local address is the problem, dpinger errors...
This is DHCP6 over the PPPoE connection and IPV6 is working fine otherwise.
-
@thondwe Final note - ISP does not provide an external IPv6 for the Firewall other than the link local address - this seems to be common across any ISP using BT Openreach?
-
@thondwe On your WAN interface, you can configure IPV6 to none;
-
@mr-rosh said in WAN_DHCP6 Pending - Pfsense 2.5.2:
On your WAN interface, you can configure IPV6 to none;
Given the ISP is providing IPv6, why would he want to do that?
-
@jknott said in WAN_DHCP6 Pending - Pfsense 2.5.2:
Given the ISP is providing IPv6, why would he want to do that?
Because it's the most easy "solution".
My ISP also says "we do IPv6" and yes, all devices connected to my ISP router can use IPv6 just fine.
But the only device connected to my ISP router is my pfSense (router), like many of us.
My ISP hands over a nice a.b.c.d.e::/56 but only actually routes the first /64.
No prefix handling, no access to the other 255-1 /64's.
So, my pfSense WAN gets an IPv6 ... and can use it for itself, but this IPv6 is useless for all the LAN's and devices connected.
My Pro (from Professional usage - I'm not sure) ISP Internet offer still doesn't understand that companies could have multiple LAN's - and not just "one".
I really would like to get rid of my ISP router, but right now, it's still running on ancient copper wires (POTS) using a protocol called VDSL, and to make things worse, the ISP uses their proprietary version of VDSL, so their Router is needed to connect.
True, for classic, simple home setups with just one LAN - as all soho routers offer, this IPv6 will do just fine.
@Thondwe
Tell us about your "IPv6" : does the ISP offer these "prefixes" ?
Only when they do that, you can 'carve' out the first /64 for your first LAN, a second /64 for your second LAN, etc.
Btw : these blocks are not used for your WAN IPv6, which could be a local-link type of IPv6.
Or : another solution, what I use for years now :
Use an "ISP" that offers the "close to perfect" IPv6. They will give you a /64 and a whopping /48.
Rock solid and free of charge.
They will even teach you with free courses what IPv6 really is, as it smells like IPv4, looks like IPv4, but that's just the image that's been sold to the big public. Admins know that this isn't the case.
-
@gertjan So my ISP (Aquiss) provides a /56 IPV6 address space which I have properly routed across multiple VLANs (I separate out untrusted gadgets - talking to you Sky! - and Gaming devices) - but all PCs, Phones, Tablets and the xbox are working dual stack IPV4/IPV6.
The external router interface itself only needs a single IPV6 address which comes from the ISP on their side and is a Link Local address as it doesn't need to be directly addressable with a full IPV6 address.
(Xbox on IPV4 creates a tunnel to use IPV6 if it only has IPv4).
So switching IPV6 off isn't something I want to do!
-
@thondwe
Ok, so things do look good, except the dpinger info shown on the dashboard.
You can see all the dpinger at work with this :
ps ax | grep 'dpinger'
Mine shows, for the IPv6 gateway :
The important ones are :
-B : the local IPv6 (the one used by the interface - this one must exist locally).
-L (at the end) : the remote IPv6 to be pinged :
( edit : click on the image, and zoom in a lot as it is very long )
This is an IPv6 of one of my mail servers. It's rock solid, not much solicited and close to the POP of my IPv6 (he.net in Paris).
From what I know, dpinger can 'discover' the gateway IP to be pinged. But who says it will actually reply to an ICMP request ?
You can choose your own IPv6 - or one that you know where it is - to be pinged; choose one that is close to your gateway (or POP) that you trust and is always 'on'.
-
@gertjan said in WAN_DHCP6 Pending - Pfsense 2.5.2:
Because it's the most easy "solution".
As someone who's been a tech for many years, that is no solution. A solution is finding the cause of the problem and correcting it. You're not fixing the problem, you're ignoring it.
My ISP hands over a nice a.b.c.d.e::/56 but only actually routes the first /64.
No prefix handling, no access to the other 255-1 /64's.
My ISP also provides a /56 via DHCPv6-PD. What does yours do? It seems strange they'd provide a /56 with no way to deal with it. If I leave my cable modem in the default gateway mode, I only get a single /64, but in bridge mode, pfsense can provide multiple /64s.
-
@gertjan Been round that dpinger doesn't run for my IPV6 network, which I determined is because it feeds the link local address to the -B option. I use google's DNS for the monitor IP itself.
"bind: Can't assign requested address"
If I construct a dpinger cmd with a non link local address (e.g. internal IPv6 of the pfsense box) it's happy. So I think GUI just needs a way to ignore it. I'm not sure about changing the gateway field from dynamic to something else (like internal IPV6 address) as a fix, as it might bust IPV6 completely?
-
@jknott said in WAN_DHCP6 Pending - Pfsense 2.5.2:
As someone who's been a tech
You know it. I know it. We all had to sit back, and learn ( and unlearn !!) many new things.
IPv6 is not IPv4 + 2.
Not everybody wants to know the basics of IPv6. Most of "us" still battle with IPv4.
The one click "solution" was : remove red crosses on the screen, and 'Internet' works just fine.
@jknott said in WAN_DHCP6 Pending - Pfsense 2.5.2:
It seems strange they'd provide a /56 with no way to deal with it.
It's a fact.
And I would be a happy person as I was proven wrong. I'll edit all my posts on this forum one by one where I speak about Orange (French ISP - ancient France Telecom, France's first and only original phone operator).
Their own equipment (the so called Livebox) can't deal with delegations (prefixes etc) maybe because their own box has just one LAN anyway.
@jknott said in WAN_DHCP6 Pending - Pfsense 2.5.2:
but in bridge mode
Not possible for me.
That is, as far as I know, today, I have to use that other OPNsense product, which is based in the Netherlands, and thus is more aware of the European way of doing things. They seem to have an adapted DHCP-client that can handle Orange's special VDSL connections. A hand crafted DHCP Option answer needs to be sent out. This can change at any time, so not really a stable solution.
So 'bridging' is not a viable solution for me.
This will change as soon as the fibre comes into the building.
@thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:
If I construct a dpinger cmd with a non link local address (e.g. internal IPv6 of the pfsense box) it's happy
If pinging a local IPv6 doesn't work then that would be a real issue.
But pinging one of your own local IPv6 addresses doesn't make sense.
The idea is to use one on the net, like this one :
ping -6 google.com
The IPv6 version of 'ping' needs to work, as IPv6 needs ICMPv6 to work.
Shutting down dpinger is the next best (less worse) solution that I posted initially : shut down IPv6 altogether.
You should be able to ICMPv6 (ping over IPv6) to some remote IPv6. Because IPv6 needs it.
And while testing this, the RTT is also known, and the fact that the connection is up.
-
@gertjan I'm trying to dpinger google - but the dpinger command uses -B "Gateway Address" as an option - final address on the command is the final "ping" target. in my case the -B value is the link local address of the WAN nic, and the final address is for google's DNS.
It's the -B option which causes the dpinger error - I believe it's there for multi-wan environments where you need to choose the WAN route for monitoring.
If you look at the example you posted for the Hurricane Electric Tunnel -B address is different to the final ping target at the end...
-
@thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:
but the dpinger command uses -B "Gateway Address" as an option
Not a gateway.
type
dpinger
without any options, and you see what it wants : the local address to bind to :
bind (source) address
Like "192.168.1.1" if you want to "dpinger" to a device on your LAN (seems absurd, but I do just that).
So it knows from what address ( and interface) to start pinging from.
@thondwe said in WAN_DHCP6 Pending - Pfsense 2.5.2:
for the Hurricane Electric Tunnel -B address is different to the final ping target at the end..
he.net gives us static IPv6's for "our side" and their side
2001:470:1f12:5cx::1/64 == their side
2001:470:1f12:5cx::2/64 == pfSense side.
Thus "2001:470:1f12:5cx::2" is the address used for dpinger == the address to bind to.
Btw :
here is the "GIF" tunnel info :
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1480
	description: HeNetv6
	options=80000<LINKSTATE>
	tunnel inet 192.168.10.3 --> 216.66.84.42
	inet6 2001:470:1f12:5cx::2 --> 2001:470:1f12:5cx::1 prefixlen 128
	inet6 fe80::215:17ff:fe77:d119%gif0 prefixlen 64 scopeid 0xa
	groups: gif
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
I do have a "fe80::215:17ff:fe77:d119" but it's not used anywhere..
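
A way to run the check this thread circles around, as an added example that is not part of any post here and not pfSense's own code: it reads `ps ax | grep dpinger` output, pulls out the `-B` source address and the final target, and flags a link-local `-B` that carries no `%interface` scope. The ps lines, addresses, the interface name `pppoe0` and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `ps ax | grep dpinger` output; PIDs, addresses and the
# interface name pppoe0 are made up for this example.
SAMPLE_PS = """\
 101  -  Is  0:01.10 /usr/local/bin/dpinger -i WAN_PPPOE -B 203.0.113.10 8.8.8.8
 102  -  Is  0:00.00 /usr/local/bin/dpinger -i WAN_DHCP6 -B fe80::1 2001:db8:ffff::53
 103  -  Is  0:00.40 /usr/local/bin/dpinger -i WAN6_SCOPED -B fe80::1%pppoe0 2001:db8:ffff::53
 104  -  Is  0:00.90 /usr/local/bin/dpinger -i HENET -B 2001:db8:5c::2 2001:db8:5c::1
 105  -  S+  0:00.00 grep dpinger
"""

def parse_dpinger(line):
    """Return (identifier, bind_addr, target) for a dpinger ps line, else None."""
    tokens = line.split()
    start = next((i for i, t in enumerate(tokens) if t.endswith("dpinger")), None)
    if start is None or len(tokens) - start < 2:
        return None  # not a dpinger process (e.g. the grep itself)
    args = tokens[start + 1:]
    def value_of(flag):  # the token following a flag, if the flag is present
        return args[args.index(flag) + 1] if flag in args[:-1] else None
    return value_of("-i"), value_of("-B"), args[-1]  # target is the last argument

def check_bind(bind_addr, target):
    """List what looks wrong with a -B source address for this target."""
    if bind_addr is None:
        return ["no-bind-address"]
    host, _, zone = bind_addr.partition("%")
    try:
        bind_ip = ipaddress.ip_address(host)
        target_ip = ipaddress.ip_address(target.partition("%")[0])
    except ValueError:
        return ["unparseable-address"]
    findings = []
    if bind_ip.version != target_ip.version:
        findings.append("family-mismatch")
    if bind_ip.is_link_local:
        # The fe80::/10 prefix is present on every IPv6 interface, so it
        # only names one source when an interface scope comes with it.
        findings.append(f"link-local-scoped:{zone}" if zone else "link-local-without-scope")
    return findings

def audit(ps_text):
    """Map each gateway identifier to the findings for its dpinger process."""
    parsed = filter(None, map(parse_dpinger, ps_text.splitlines()))
    return {ident: check_bind(bind, target) for ident, bind, target in parsed}

if __name__ == "__main__":
    for ident, findings in audit(SAMPLE_PS).items():
        print(f"{ident:12} {', '.join(findings) or 'ok'}")
```

A gateway that has no line at all in the `ps` output never reaches this check; that absence is itself the sign that dpinger did not start for it.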