    DHCP6-PD Proper Setup?

    IPv6
    • S
      steve1515 last edited by

      I'm using version 22.05 and trying to get DHCP6-PD to work, but am failing. I have a static /56 which I can request in /59 blocks from Comcast. The modem is using the first /59 for its DHCP pool, so I'm requesting the 2nd /59 block.

      Under my WAN interface, I have the following settings:

      bde4c241-3bd6-4bbe-8e63-8d63750d7a76-image.png

      This produces a dhcp6c.conf file with the following:

      interface igb0 {
              send ia-na 0;
              send ia-pd 0;
              request domain-name-servers;
              request domain-name;
              script "/var/etc/dhcp6c_wan_script.sh";
      };
      id-assoc na 0 {
              address xxxx:xxxx:xxxx::50 604800;
      };
      id-assoc pd 0 {
              prefix xxxx:xxxx:xxxx:20::/59 604800;
      };
      

      The issues I see:

      1. Under interfaces, the WAN does get an IPv6 address, but it's xxxx:xxxx:xxxx:0:208:a2ff:fe0b:1234 generated from the MAC address instead of the requested address. If I look in the modem's leases, it shows that it has assigned the requested xxxx:xxxx:xxxx::50 address to pfSense. I'm not sure why pfSense isn't using it. (I can also see that the DNS servers are showing on the interfaces page, so DHCP is partially working at least.)

      2. I don't see anything about the prefix delegation working or showing any reference to it on pfSense, and if I set other interfaces to Track Interface, nothing happens on those interfaces.

      3. I don't see a release/renew button in the interface status screen. Is this supposed to be there for IPv6?

      4. In the logs I can see script "/var/etc/dhcp6c_wan_script.sh" cannot be executed safely and failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory

      My dhcp6c_wan_script.sh contains the following:
      Should those ${xxx} variables have been replaced?

      #!/bin/sh
      # This shell script launches /etc/rc.newwanipv6 with a interface argument.
      dmips=${new_domain_name_servers}
      dmnames=${new_domain_name}
      case $REASON in
      REBIND)
      ;;
      REQUEST|RELEASE)
      /usr/local/sbin/fcgicli -f /etc/rc.newwanipv6 -d "interface=igb0&dmnames=${dmnames}&dmips=${dmips}"
      ;;
      RENEW|INFO)
      esac
      

      I'm not sure if this is correct or not, or why this is happening as I'm not exactly sure what cannot be executed safely means here. Turning on debug mode for the DHCP6 client doesn't show any extra useful information.

      Can anyone please help me out with my setup? Have I entered something incorrectly here?
      😖

      1 Reply Last reply Reply Quote 0
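A "cannot be executed safely" message like the one quoted in the post above typically comes from a check on the script file itself (path, type, ownership, permissions) rather than on its contents. The following is an added diagnostic, not pfSense or dhcp6c code: `script_is_safe` is a hypothetical name, and the conditions it tests are assumptions about what such a check looks at, not the client's documented behaviour.

```shell
#!/bin/sh
# Added diagnostic (not pfSense or dhcp6c code).
# Assumed "safe to execute" conditions: absolute path, regular file that is
# not a symlink, owned by the invoking user, not writable by group or others,
# and executable. Prints the first failing condition and returns a distinct
# non-zero code for it; prints "ok" and returns 0 if every check passes.
script_is_safe() {
    f=$1
    case $f in
        /*) ;;
        *) echo "not an absolute path: $f"; return 1 ;;
    esac
    if [ -L "$f" ]; then
        echo "is a symlink: $f"; return 2
    fi
    if [ ! -f "$f" ]; then
        echo "missing or not a regular file: $f"; return 3
    fi
    if [ ! -O "$f" ]; then
        echo "not owned by the invoking user: $f"; return 4
    fi
    # find prints the path only when a group- or world-write bit is set.
    if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "writable by group or others: $f"; return 5
    fi
    if [ ! -x "$f" ]; then
        echo "not executable: $f"; return 6
    fi
    echo "ok: $f"
    return 0
}

# Run against a path given on the command line, if any.
if [ $# -gt 0 ]; then
    script_is_safe "$1"
fi
```

Run it as the same user the DHCPv6 client runs as, passing the script path from the log line, for example `/var/etc/dhcp6c_wan_script.sh`.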
      • JKnott
        JKnott last edited by

        @steve1515 said in DHCP6-PD Proper Setup?:

        I'm using version 22.05 and trying to get DHCP6-PD to work, but am failing. I have a static /56 which I can request in /59 blocks from Comcast. The modem is using the first /59 for its DHCP pool, so I'm requesting the 2nd /59 block.

        That's unusual. Normally, you'd set up individual /64s from the /56. Also, a /59 is huge for a DHCP pool, especially considering a LAN is normally /64.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        S 1 Reply Last reply Reply Quote 0
        • S
          steve1515 @JKnott last edited by

          @jknott From what I've seen, this is pretty standard with Comcast Business static IPs. They give you a /56 and you can PD a /59 which can be split up into 32 /64s. My thought was to use some of the 32 /64s on a few of the firewall interfaces and VPN networks.

          If I were to PD /64's instead, how would I ask multiple for each of my interfaces and VPN networks?

          JKnott 1 Reply Last reply Reply Quote 0
          • JKnott
            JKnott @steve1515 last edited by

            @steve1515

            If you request multiple, you'd then have to split again to get /64s. Is that what you plan? If so, I'd get the entire /56 and then route portions of it to downstream routers. Or is Comcast expecting you to have multiple routers connected directly to them? Again, a /59 for a DHCP server is a bit much, given any LAN will be a /64. I haven't worked with Comcast, let alone Comcast Business.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            S 1 Reply Last reply Reply Quote 0
            • S
              steve1515 @JKnott last edited by

              @jknott
              My plan was to request one /59 and then break that up between my different interfaces and VPN's. For example, I'd request xxxx:xxxx:xxxx:20::/59 and then assign xxxx:xxxx:xxxx:21::/64 to the LAN, xxxx:xxxx:xxxx:22::/64 to OPT1, xxxx:xxxx:xxxx:23::/64 to OpenVPN, xxxx:xxxx:xxxx:24::/64 to WireGuard, etc.

              I can't request the /56 because the modem's interface (the one connected to pfSense WAN) has the first /64 of the first /59 assigned to it.

              I also tried requesting a /60 like people say works on Comcast's residential service and I get the same results.

              Should I see a message somewhere in pfSense showing that the prefix requested has been acquired? I don't see any reference to it anywhere. Is there a command line command I can enter to show what pfSense acquired?

              I'm thinking this might be a broken implementation in pfSense, but I have no way of knowing that. I would have thought that I'd at least see a "release" button show up in Status -> Interfaces.

              JKnott 1 Reply Last reply Reply Quote 0
              • JKnott
                JKnott @steve1515 last edited by

                @steve1515

                I don't know. What you're describing is foreign to me. Maybe someone else here has experience with Comcast.

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                1 Reply Last reply Reply Quote 0
                • S
                  steve1515 last edited by

                  I've been looking into this a little more...

                  I captured the DHCPv6 exchanges on the WAN interface and I can see that the modem does in fact assign the requested IP and Prefix to the pfSense dhcp6c client. When I look around in pfSense, I see no reference to the assigned address or prefix. There is also no route for the prefix shown on the routes status page. This seems like something is broken in pfSense to me as it appears to completely ignore the assigned information.

                  Can someone confirm where an assigned prefix would be shown in pfSense? It's possible I'm looking in the wrong place.

                  J 1 Reply Last reply Reply Quote 0
                  • J
                    jabbera @steve1515 last edited by

                    @steve1515 Did you ever solve this? I'm having the same issue.

                    S 1 Reply Last reply Reply Quote 0
                    • S
                      steve1515 @jabbera last edited by

                      @jabbera Unfortunately, no, I did not. I think the DHCP6-PD implementation in pfSense is broken.

                      JKnott 1 Reply Last reply Reply Quote 0
                      • JKnott
                        JKnott @steve1515 last edited by

                        @steve1515 said in DHCP6-PD Proper Setup?:

                        I think the DHCP6-PD implementation in pfSense is broken.

                        It's been working here for 7 years and many others have no problem with it.
                        Either there's a problem with what your ISP provides or you configured something wrong.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          steve1515 @JKnott last edited by

                          @jknott Yeah, I'm not sure what's going on. I feel something is broken because I can do a packet capture and see that pfSense correctly requests the prefix and IP that I enter/request and the modem responds with the correct allocation. The issue is pfSense doesn't seem to do anything with this data that's returned from the modem. I see zero references to the requested allocations in the pfSense GUI. I'm not really sure what else to do or try. I was hoping 23.01 which is supposed to come out this month would possibly fix the issue.

                          JKnott 1 Reply Last reply Reply Quote 0
                          • JKnott
                            JKnott @steve1515 last edited by

                            @steve1515

                            Sometimes the solution is to start from scratch, as you may have set something and not realized it.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            1 Reply Last reply Reply Quote 0