Why does my WAN get an autoconf (slaac) address when I'm using DHCP6?
-
I recently upgraded from AT&T dual-dsl to fiber. Everything works great but I noticed my WAN is getting an autoconf address I'm not expecting (to be clear this is almost certainly the way it was with dsl):
pylon 65 # ifconfig mvneta0.4090 mvneta0.4090: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: WAN options=3<RXCSUM,TXCSUM> ether f0:ad:4e:09:15:0e inet6 fe80::f2ad:4eff:fe09:150e%mvneta0.4090 prefixlen 64 scopeid 0x10 inet6 2600:1700:ab1b:6800:f2bd:4eff:fe03:140c prefixlen 64 autoconf inet6 2600:1700:ab1b:6800::28 prefixlen 128 inet 99.100.60.3 netmask 0xfffffe00 broadcast 99.100.60.255 groups: vlan vlan: 4090 vlanpcp: 0 parent interface: mvneta0 media: Ethernet 1000baseT <full-duplex> status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>Since the autoconf address is the first non-local address, it's used as the outgoing ip address.
WAN is configured for IPv4 DHCP/IPv6 DHCP6.
DHCPv6 Prefix Delegation sizeis set to None.(I'm not clear if this impacts WAN but
Services -> DHCPv6 Server & RA -> LAN -> Router Advertisementsis set to managed.)Is there a way for me to end up with mvneta0.4090 not having the autoconf IPv6 address?
-
@leres said in Why does my WAN get an autoconf (slaac) address when I'm using DHCP6?:
DHCPv6 Prefix Delegation size is set to None.
That should be whatever size prefix your ISP provides. Mine is 56.
(I'm not clear if this impacts WAN but Services -> DHCPv6 Server & RA -> LAN -> Router Advertisements is set to managed.)
Mine's set to unmanaged, as I do not use DHCPv6 on the LAN.
-
@leres I have the EXACT same problem, and I have described it here in this thread: https://forum.netgate.com/topic/177533/dhcpv6-address-ignored-on-wan
-
I don't see the problem yet.
-
I set the DHCPv6 prefix delegation size to 64 and when I applied the change, I watched WAN (mvneta0.4090) discard all addresses. Next the IPv4 address popped in. Then the DHCPv6 (/128) appeared. But before I could exclaim "success!" the slaac /64 address reappeared...
I tried a bunch of changes but none (including setting the prefix delegation size to 64, 60, or 56) helped. Updating the WAN interface config without rebooting pfsense sometimes resulted in the DHCPv6 coming before the slaac address but it's pretty random.
I think the problem is that the AT&T router advertisement message is setting the "auto" flag:
12:48:37.155725 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 136) fe80::d2fc:d0ff:fe50:e1c1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 136 hop limit 64, Flags [managed, other stateful], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms prefix info option (3), length 32 (4): 2600:1700:ab1b:6800::/64, Flags [onlink, auto], valid time 3600s, pref. time 3600s route info option (24), length 24 (3): 2600:1700:ab1b:6800::/60, pref=high, lifetime=3600s rdnss option (25), length 24 (3): lifetime 600s, addr: 2600:1700:ab1b:6800::1 dnssl option (31), length 24 (3): lifetime 600s, domain(s): attlocal.net. mtu option (5), length 8 (1): 1500 source link-address option (1), length 8 (1): d0:fc:d0:52:c1:e1When pfsense sees this, it adds the slaac address.
The best idea I can come up with so far is to rig up a dhclient hook script that sets
prefer_sourceto the DHCPv6 address when it's added. -
There's an AT&T forum, where it appears they're discussing a similar problem. Maybe you can check in there.
https://forums.att.com/conversations/att-fiber-equipment/ipv6-prefix-delegation/6398b0655bc9827e14681578 -
That forums.att.com thread seems to be about prefix delegation, not autoconf/slaac. I'm zeroing in on my problem and it's that the router is telling me to use slaac. I guess I see why they do that, it gives the customer the best chance of a working IPv6 config.
At this point I think I should draft a feature request to automatically add
prefer_sourcewhen DHCPv6 is selected for an interface (or at least make it an option)./etc/rc.newwanipv6already does quite a bit... -
Maybe you can ask them about their experiences with pfSense. The thread I referred to is about OPNsense, which is a fork of pfSense.
-
@jknott said in Why does my WAN get an autoconf (slaac) address when I'm using DHCP6?:
Maybe you can ask them about their experiences with pfSense. The thread I referred to is about OPNsense, which is a fork of pfSense.
OPNsense uses a patched version of dhcp6c that also allows for RAW dhcp options, which is required with lots of ISP's across europe. This is one reason why I'm forced to use OPNsenses dhcp6c on my pfSense (replaced it) in fx. France.
pfSense's dhcp6c is not really cutting it in most scenarios I encounter.I will investigate if my own ISP here in Denmark is also asking me to use Slaac in their RA, even though DHCP6 is the only supported access method. It might be a misconfiguration on their side.
But it would be a VERY welcome add-on to pfSense if it would actually prefer the address method you selected for the interface (DHCP6 instead of Slaac).
-
I notice now that the DHCPv6 address I receive is a /128. Which according to rfc3484 gives it the highest precedence for source address selection based on the default FreeBSD/pfsense policy table:
pylon 33 # ip6addrctl Prefix Prec Label Use ::1/128 50 0 0 ::/0 40 1 37588 ::ffff:0.0.0.0/96 35 4 0 2002::/16 30 2 0 2001::/32 5 5 0 fc00::/7 3 13 0 ::/96 1 3 0 fec0::/10 1 11 0 3ffe::/16 1 12 0Certainly after all the testing and rebooting I've done recently the desired source address is being used. So perhaps something different with dsl vs. fiber. (With dsl I had a bgw210 and now my gateway is a bgw320 and both report the same 3.20.5 firmware version...) Anyway I think the DHCPv6 address I had been receiving was a /64.
Anyway I guess I no longer care about the gratuitous slaac address.
-
That /128 is not used for routing. You can use it for connecting directly to the pfSense box.
-
@keyser said in Why does my WAN get an autoconf (slaac) address when I'm using DHCP6?:
https://forum.netgate.com/topic/177533/dhcpv6-address-ignored-on-wan
Hello @keyser and @leres .Were either of you able to resolve this issue? I am seeing the same thing with my AT&T Fiber connection. I have WAN set to dhcpv6 and delegation size to /60. I also enable "Send IPv6 prefix hint" and "Do not wait for a RA". My pfSense instance receives a SLAAC address for some weird reason which causes IPv6 DNS and NTP to not work. Another symptom is I cannot access Netgate's software upgrade nor package manager servers.
As additional information, my LAN is setup as SLAAC. Devices on my LAN have IPv6 access but cannot access local IPv6 DNS resolver. IPv4 resolves fine via DNS resolver.
-
@tibere86 said in Why does my WAN get an autoconf (slaac) address when I'm using DHCP6?:
Hello @keyser and @leres .Were either of you able to resolve this issue?
I to get both DHCP6 and autoconf addresses with the autoconf address usually before the DHCP6 address so it's the one that gets used. I found I can change the order by manually removing and adding ones of the addresses but this reverts after awhile so I gave up and just live with the order I end up with.
[anonymized addresses]
pylon 724 # ifconfig mvneta0 mvneta0: flags=1008b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500 description: WAN options=800bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,LINKSTATE> ether 58:9c:fc:01:02:03 inet 99.105.88.5 netmask 0xfffffe00 broadcast 99.105.88.255 inet6 fe80::29c:fcff:fe01:7f15%mvneta0 prefixlen 64 scopeid 0x1 inet6 2600:1700:c01b:5700:29c:fcff:fe01:7f15 prefixlen 64 autoconf pltime 3600 vltime 3600 inet6 2600:1700:c01b:5700::36 prefixlen 128 pltime 3600 vltime 3600 media: Ethernet autoselect (1000baseT <full-duplex>) status: active nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
