How to adjust WAN DHCPv6 Solicit Messages?
-
Hello,
My problem is that my pfSense firewall does not receive an IPv6 prefix from my ISP via DHCPv6, which works without any issues using another router. Recording the traffic sent from and to my modem, it becomes obvious that pfSense and the other router send different DHCPv6 Solicit messages.
This is the DHCPv6 Solicit Message sent by the pfSense Firewall (the MAC addresses have been anonymized):
Ethernet II, Src: 00:e2:69:xx:xx:xx (00:e2:69:xx:xx:xx), Dst: JuniperN_fd:94:ad (f4:b5:2f:fd:94:ad)
PPP-over-Ethernet Session
Point-to-Point Protocol
Internet Protocol Version 6, Src: fe80::2e2:69xx:xxxx:xxxx, Dst: ff02::1:2
User Datagram Protocol, Src Port: 546, Dst Port: 547
DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0xefbaff
    Client Identifier
        Option: Client Identifier (1)
        Length: 14
        DUID: 000100012bd189e400e269xxxxxx
        DUID Type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        DUID Time: Apr 18, 2023 19:03:32.000000000 Mitteleuropäische Sommerzeit
        Link-layer address: 00:e2:69:xx:xx:xx
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Elapsed time: 655350ms
There is no response from the ISP to these messages, which are repeated periodically. But the connection is working in general. The IPv4 connection is established via PPPoE. There are IPv6 Router Advertisements and the firewall learns an IPv6 address for the WAN interface. The configuration for IPv6 is DHCP6 using the "IPv4 connectivity as parent interface" option. It makes no difference if the "Request prefix only" and "Do not wait for a RA" options are active or not.
The next example is captured using another router. This one is working and the ISP answers with a DHCPv6 Reply Message:
Ethernet II, Src: AVMAudio_xx:xx:xx (44:4e:6d:xx:xx:xx), Dst: JuniperN_fd:94:ad (f4:b5:2f:fd:94:ad)
PPP-over-Ethernet Session
Point-to-Point Protocol
Internet Protocol Version 6, Src: fe80::464e:6dff:xxxx:xxxx, Dst: ff02::1:2
User Datagram Protocol, Src Port: 546, Dst Port: 547
DHCPv6
    Message type: Solicit (1)
    Transaction ID: 0x21c3e2
    Elapsed time
        Option: Elapsed time (8)
        Length: 2
        Elapsed time: 0ms
    Client Identifier
        Option: Client Identifier (1)
        Length: 10
        DUID: 00030001444e6dxxxxxx
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 44:4e:6d:xx:xx:xx
    Rapid Commit
        Option: Rapid Commit (14)
        Length: 0
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 6da8c8a7
        T1: 0
        T2: 0
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 0
            Valid lifetime: 0
            Prefix length: 56
            Prefix address: ::
    Reconfigure Accept
        Option: Reconfigure Accept (20)
        Length: 0
    Option Request
        Option: Option Request (6)
        Length: 18
        Requested Option code: DNS recursive name server (23)
        Requested Option code: NTP Server (56)
        Requested Option code: Simple Network Time Protocol Server (31)
        Requested Option code: Identity Association for Prefix Delegation (25)
        Requested Option code: Prefix Exclude (67)
        Requested Option code: Vendor-specific Information (17)
        Requested Option code: SOL_MAX_RT (82)
        Requested Option code: INF_MAX_RT (83)
        Requested Option code: PCP Server (86)
    Vendor Class
        Option: Vendor Class (16)
        Length: 4
        Enterprise ID: AVM GmbH (872)
This is the ISP's response:
Ethernet II, Src: JuniperN_fd:94:ad (f4:b5:2f:fd:94:ad), Dst: AVMAudio_xx:xx:xx (44:4e:6d:xx:xx:xx)
PPP-over-Ethernet Session
Point-to-Point Protocol
Internet Protocol Version 6, Src: fe80::f6b5:2fff:fefd:94ad, Dst: fe80::464e:6dff:xxxx:xxxx
User Datagram Protocol, Src Port: 547, Dst Port: 546
DHCPv6
    Message type: Reply (7)
    Transaction ID: 0x21c3e2
    Client Identifier
        Option: Client Identifier (1)
        Length: 10
        DUID: 00030001444e6dxxxxxx
        DUID Type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 44:4e:6d:xx:xx:xx
    Server Identifier
        Option: Server Identifier (2)
        Length: 26
        DUID: 00020000058366343a62353a32663a66643a39373a6330000000
        DUID Type: assigned by vendor based on Enterprise number (2)
        Enterprise ID: Juniper Networks/Funk Software (1411)
        Identifier: 66343a62353a32663a66643a39373a6330000000
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        IAID: 6da8c8a7
        T1: 900
        T2: 1440
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Preferred lifetime: 1800
            Valid lifetime: 14400
            Prefix length: 56
            Prefix address: 2003:ca:xxxx:xxxx::
    Rapid Commit
        Option: Rapid Commit (14)
        Length: 0
    DNS recursive name server
        Option: DNS recursive name server (23)
        Length: 32
        1 DNS server address: 2003:180:2::53
        2 DNS server address: 2003:180:2:6000::53
My question is:
How can I make pfSense's dhclient6 send DHCPv6 Solicit Messages containing all required elements to get a response by the ISP?
I am a bit confused by the DHCPv6 Advanced Options section and don't know what to do now.
Thank you very much for your help.
Best regards,
Tobi
-
OK, I am pretty sure now I need this
https://redmine.pfsense.org/issues/8173
https://github.com/pfsense/FreeBSD-ports/pull/1181 to include option 20 (Reconf Accept).
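The comparison made by eye in the captures above can be done mechanically. This is an added example, not part of the original posts and not pfSense code: it parses the DHCPv6 option TLVs of two Solicit messages and lists the option codes present in the answered one but absent from the unanswered one. Both messages are constructed from the field values shown in the captures, with the anonymized MAC bytes replaced by zeros; the function names are hypothetical.

```python
import struct

def opt(code, data=b""):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, then the data."""
    return struct.pack("!HH", code, len(data)) + data

def parse_options(buf):
    """Yield (code, data) for each TLV option, rejecting truncated input."""
    pos = 0
    while pos < len(buf):
        if pos + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, pos)
        pos += 4
        if pos + length > len(buf):
            raise ValueError(f"option {code} overruns the message")
        yield code, buf[pos:pos + length]
        pos += length

def parse_message(msg):
    """Return (message type, transaction ID, {option code: data})."""
    if len(msg) < 4:
        raise ValueError("shorter than the 4-byte DHCPv6 header")
    return msg[0], int.from_bytes(msg[1:4], "big"), dict(parse_options(msg[4:]))

def missing_options(unanswered, answered):
    """Option codes the answered Solicit carries and the unanswered one lacks."""
    return sorted(set(parse_message(answered)[2]) - set(parse_message(unanswered)[2]))

def requested_prefix_len(msg):
    """Prefix length hinted in IA_PD (25) / IA Prefix (26), or None if absent."""
    ia_pd = parse_message(msg)[2].get(25)
    if ia_pd is None:
        return None
    for code, data in parse_options(ia_pd[12:]):  # skip IAID, T1, T2
        if code == 26 and len(data) >= 9:
            return data[8]                         # after two 4-byte lifetimes
    return None

# Constructed from the captures above; MAC bytes are zeroed placeholders.
PFSENSE = (bytes.fromhex("01efbaff")
           + opt(1, bytes.fromhex("000100012bd189e4") + bytes.fromhex("00e269000000"))
           + opt(8, b"\xff\xff"))
IA_PREFIX = opt(26, struct.pack("!IIB", 0, 0, 56) + bytes(16))
OTHER = (bytes.fromhex("0121c3e2") + opt(8, b"\x00\x00")
         + opt(1, bytes.fromhex("00030001") + bytes.fromhex("444e6d000000"))
         + opt(14) + opt(25, bytes.fromhex("6da8c8a7") + bytes(8) + IA_PREFIX)
         + opt(20) + opt(6, struct.pack("!9H", 23, 56, 31, 25, 67, 17, 82, 83, 86))
         + opt(16, struct.pack("!I", 872)))

if __name__ == "__main__":
    print("missing from unanswered Solicit:", missing_options(PFSENSE, OTHER))
    print("prefix length hint:", requested_prefix_len(OTHER))
```

The difference set only narrows down the candidates; which of those options the ISP's server actually insists on has to be confirmed by adding them one at a time.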
-
@sowqwick said in How to adjust WAN DHCPv6 Solicit Messages?:
OK, I am pretty sure now I need this
https://redmine.pfsense.org/issues/8173
https://github.com/pfsense/FreeBSD-ports/pull/1181 to include option 20 (Reconf Accept).
Don’t get your hopes up for a native fix. pfSense has been missing a proper working DHCPv6 client for many years, but it no longer receives any love from the devs. I think the general IPv6 support project has been lowered so much in priority that it’s dying now with all the focus on FreeBSD 14, drivers and a new PHP.
In favor of the devs it should be mentioned that DHCPv6 is a hornet's nest of crap that no one adheres to, and thus has about zero standardisation in actual practice.