IPv6 forwarding routinely broken; disable/enable DHCP6 on WAN to fix

jpwoodbu · Jul 4, 2023, 5:54 PM

Re: [IPv6 not working on boot](but after editing WAN interface)

The topic referenced above sounds a lot like what I see. TL;DR every time I reboot my pfsense appliance or my ONT has a power blip (which seems to happen daily), I need to set the WAN IPv6 configuration type to None and than back to DHCP6 to get IPv6 forwarding working again.

Maybe it's an ISP issue. I'm on Spectrum in the Raleigh/Durham area. Packet captures show IPv6 packets going out of the WAN interface but none coming in (except that I can ping the gateway over its link-local v6 address).

But I'm hoping there's some way to configure the IPv6 settings in pfSense to make my IPv6 setup more reliable. I'm close to just setting up a cronjob to try pinging google.com over IPv6 and automatically bouncing the IPv6 config if it can't.

keyser · Jul 4, 2023, 6:11 PM

@jpwoodbu said in IPv6 forwarding routinely broken; disable/enable DHCP6 on WAN to fix:

Re: [IPv6 not working on boot](but after editing WAN interface)

The topic referenced above sounds a lot like what I see. TL;DR every time I reboot my pfsense appliance or my ONT has a power blip (which seems to happen daily), I need to set the WAN IPv6 configuration type to None and than back to DHCP6 to get IPv6 forwarding working again.

Maybe it's an ISP issue. I'm on Spectrum in the Raleigh/Durham area. Packet captures show IPv6 packets going out of the WAN interface but none coming in (except that I can ping the gateway over its link-local v6 address).

But I'm hoping there's some way to configure the IPv6 settings in pfSense to make my IPv6 setup more reliable. I'm close to just setting up a cronjob to try pinging google.com over IPv6 and automatically bouncing the IPv6 config if it can't.

Like many places in the world your ISP requires IPv6 DHCP to be configured outside of the pfSense Defaults - in fact, I have never tried that pfSense DHCPv6 defaults have worked anywhere which is why I started a thread here about the matureness of IPv6 and especially DHCPv6. Seems DHCPv6 with ISPs is a dumpsterfire because DHCPv6 is not standardized properly.

jpwoodbu · Jul 4, 2023, 6:22 PM

@keyser thanks for the reply. Can you direct me to that thread? I looked at your posts but I don't think I found it. Also, do you have any suggestions for which settings to change from their defaults? Or should I just experiment?

jpwoodbu · Jul 4, 2023, 6:25 PM

@keyser I think I found your thread: https://forum.netgate.com/topic/180601/matureness-of-ipv6-generally?_=1688494596729

keyser · Jul 4, 2023, 8:08 PM

@jpwoodbu That is the core point of my post - experimentation is almost pointless as there million of combinations of settings to test….
Because DHCPv6 is so terribly customizable instead of just a “ON/OFF settings, and then have the standard require that server settings configures the client”.

Failing to renew and rebind DHCPv6 seems the most common problem with pfSense as a DHCPv6 client. Could be that FreeBSD/pfSense has some settings that are more outside the average standard config than Linux or Windows (They seem to renew fine in more cases during my ISP tests)

I can’t tell you waht to configure because your problem is a specific requirement from your ISP. Your only option is to somehow get a packetcapture of your current ISPs CPE doing DHCPv6 solicit and renew. Then use those packetcaptures and start flicking settings in pfSense to attempt to replicate the needed settings. (Blo**** annoying)

jpwoodbu · Jul 9, 2023, 4:06 AM

I might have found a config that's working for me (Spectrum in Raleigh/Durham). It's been stable for several days.

The config produces the following content for /var/etc/dhcp6c.conf:

interface mvneta0.4090 {
        send ia-na 0;
        send ia-pd 0;
        request refreshtime;
        script "/var/etc/dhcp6c_wan_dhcp6withoutra_script.sh";
};
id-assoc na 0 { };
id-assoc pd 0 {
        prefix-interface mvneta0.4091 {
                sla-id 0;
                sla-len 0;
        };
};

I think the key thing might be that I've got request refreshtime in the mix. I also happened to have removed the DNS related request lines since I don't need them (I just use Google Public DNS).

To get there, under the DHCP6 Client Configuration menu, I did the follow:

Checked Advanced Configuration
Checked Do not wait for a RA (not sure this matters; I don't see it in the dhcp6c.conf file)
Set Send options to ia-na 0 , ia-pd 0
Set Request Options to refreshtime
Checked Non-Temporary Address Allocation
Put 0 in the id-assoc na ID field
Checked Prefix Delgation
Put 0 in the id-assoc pd ID field
Put 0 in the Prefix interface sla-id
Put 0 in the sla-len field
Set Prefix Interface to LAN

Hope this might help someone else.

jpwoodbu · Jul 9, 2023, 4:08 AM

I should add that the only difference between my custom config and the default (non-advanced) config was that request refreshtime; was added and the DNS related request lines were removed.

This why I have a suspicion that adding in request refreshtime might be the thing that actually helped.