Android and "radvd"

AberDino

Just to state upfront I don't have an explanation for this one, but as it resolved an issue I was having I thought I'd post the "fix" here.

I recently upgraded two Android devices (a tablet and a phone) with custom ROMs to newer builds, one v7.1.2 and the other v11.0. After that, the Wi-Fi connection became extremely unstable, and the devices would disconnect frequently, to the extent they became unusable. Other wireless devices on my network were absolutely fine, staying connected for days/weeks.

I spent quite a bit of time trying to tune Android and trying different wireless configurations. In the end, I stumbled upon an article based on a FRITZ!Box device, which suggested to disable the announcement of DNSv6 servers via router advertisement. I do use IPv6 on my local network (via a HE tunnel) and I did have "Provide DNS configuration via radvd" ticked, so I decided to untick it. As if by magic, the two Android devices now remain connected, so there must be something different about the way those Android devices deal with IPv6. FYI, I have a DHCPv6 server enabled and router advertisements is set to assisted. I don't know what the implications are associated with disabling "Provide DNS configuration via radvd", but so far I have not noticed any adverse effects.

JKnott

@aberdino

1. Android doesn't work with DHCPv6, thanks to some genius at Google.
2. Provide DNS configuration via radvd uses RDNSS to provide server addresses.

Are you saying it now works with DHCPv6? How do you get the device addresses when it's not supported? I use SLAAC here.

AberDino

@jknott
I just checked my Android-based phone, and it has picked up an IPv6 address with the correct prefix associated with that VLAN interface. When I perform the test on https://ipv6-test.com it completes successfully with a score 19/20, only because there is no IPv6 hostname. SLAAC is reported as "No".

Just as background information, my ISP does not support IPv6 so I signed up to HE's IPv6 tunnel broker so I could start experimenting with IPv6. I have a number of VLANs so also have a routed /48 HE subnet which I split up into /64 subnets for use on the various VLANs. I run both IPv4 and IPv6 on each VLAN, with DHCP and DHCPv6 services. All is working well with a variety of devices (Windows, Linux, iOS, webcams, etc.). pfSense is on the latest 2.6.0 release.

AberDino

OK, did a bit more troubleshooting, and it turns out disabling "Provide DNS configuration via radvd" was a bit of a red herring.

I have the DNS Resolver service configured on each VLAN and I would prefer to use that so that I can control how results are being returned (I don't want IPv6 hosts returned for certain domains, all to do with HE traffic being denied by certain companies).

With "Provide DNS configuration via radvd" ticked, the local DNS address is provided to the Android client, but as it turns out I cannot ping this address from the Android client, so likely DNS won't be accessible either, which is why the Android device disconnects. I can successfully ping another host on the same network though from the same Android device.

I then tried the same from a Windows 10 laptop, on the same wireless network, and ping does work and I can resolve DNS queries against the local DNS server. So, I need to find out why the Android device cannot access the IPv6 interface address on the pfSense box.

JKnott

@aberdino

I still suspect your problem is with using DHCPv6 instead of SLAAC.

Funny thing. I just came across this app to allow Android devices to use DHCPv6 to get addresses. However, you have to have root permission to install it.

AberDino

@jknott

I believe I'm using both DHCPv6 and SLAAC, as the router mode is set to "Assisted". The Android device picks up a correct IPv6 address for that VLAN, so that must be through the SLAAC functionality I would have thought.

From the Android device, I can ping another host on the same VLAN using its global IPv6 address, but I cannot ping the global IPv6 address of the pfSense interface for that VLAN, and the other way around I cannot ping the Android device from pfSense either. However, I can ping the pfSense interface from the Android device using the link-local address.

There are no issues performing the same tests from a Windows 10 laptop and an iPhone.

From a pfSense packet trace I can see that the Android device uses its global IPv6 address ("source") to put out a Neighbor Solicitation request for the global IPv6 address of the pfSense interface ("info") to a multicast address "ff02::1:ff00:x" ("destination"), which does not receive a response, while the Windows laptop and the iPhone seem to send the same request to the global IPv6 address of the pfSense interface, which does receive a response. In those latter traces, I only see packets to multicast addresses from local-link addresses. It all remains a mystery to me .

JKnott

@aberdino

This is the first I knew you were using SLAAC. Unless you have a specific need for it, get rid of DHCPv6. I use SLAAC only with "Unmanaged". Works fine with Android and everything else.

AberDino

@jknott

As suggested, I disabled DHCPv6 and switched SLAAC to "Unmanaged", and although the Android device picked up the correct IPv6 details (as it did before), it still was not able to ping the global IPv6 address of the pfSense interface for that VLAN, so the issue remained.

At that point I decided to change the global IPv6 address of the pfSense interface for that VLAN (from ending ::1 to ending ::2) and I was able to successfully ping that address from the Android device. At that point the Android device was also able to successfully utilise the DNS server on that same address, so the Wi-Fi connection stayed up. Problem solved . I still don't know though why the Android devices on my network didn't like the ::1 address. As I said previously, no such problems with my Windows 10 and iOS devices.

After that, rather than keeping the interface address ending ::2, I decided to follow the SLAAC approach and I updated the VLAN interface global IPv6 address to the combination of the network prefix (/64) with the EUI-64 interface identifier. All was still well after that; I could ping the address from my Android device and I could utilise the pfSense DNS Resolver.

For the avoidance of doubt, all devices (Android, iOS and Windows 10) are now happy. DHCPv6 remains disabled and I'm only using SLAAC in "Unmanaged" mode. Only peculiarity to note is that as long as DHCPv4 is active on the same VLAN, Windows 10 does not pick up the IPv6 DNS servers, it uses the IPv4 DNS servers instead. As soon as I disable DHCPv4 though, Windows 10 picks up the IPv6 DNS servers (via SLAAC). From what I've read, this seems to be a Windows 'feature' .