Netgate Discussion Forum

    DHCPv6 / Routeradvertisement seems not to work / not to work correct

    DHCP and DNS
    14 Posts 2 Posters 979 Views
    • L
      louis2
      last edited by

      Something in relation to IPV6-address assignment seems not to be working

      23.09.1-RELEASE (amd64)
      built on Wed Dec 6 21:22:00 CET 2023
      FreeBSD 14.0-CURRENT

      Today I did some tests and, quite unexpectedly, I noticed that some VLANs did not have IPV6-addresses any more.

      So, I checked and checked my config, but they seem to be:

      • correct and
      • identical for vlans working correctly and vlans with failing IPV6-addresses
        Note that I am using DHCP in combination with RA stateless DHCP
        (however, given the problem, I tried if other options solved the problem (NOT))

      Assuming my configs are correct, the most likely problem cause is the planned transition to Kea DHCP.

      Related to that

      • I am using pfSense Plus, but given the IMHO unclear situation, I was/am not willing to upgrade to Plus to the extent that I cannot go back any more

      That, together with a lot of messages in the forum showing that Kea is not yet mature, made me decide a couple of months back to switch back to ISC-DHCP

      What happened is:

      • I got a free Plus licence when that was still free for home use
      • somewhat later I switched for a short time to Kea
      • I switched back to ISC shortly after due to licence and signaled trouble
      • discovered issues today
      • switched to Kea since I could not understand at all what was / is wrong
      • and noticed that the problem was (with Kea) still there

      So, I hope to find a clue ....

      Below the result of ipconfig /renew on a windows 11 pro system having multiple interfaces

      The first output is related to the 1G-vlan with (only) the 1G-interface active. As you can see no IPV6-addresses

      The second output is related to the 10G-vlan with (only) the 10G-interface active. In that case there are IPV6 addresses

      As far as I can see the configuration is exactly the same (apart from the subnet)

      Here the console output. Note that I have a virtual linux machine on my windows, which explains the second parts

      Ethernet adapter 1G-LAN:

      Connection-specific DNS Suffix . : priv.lan
      Link-local IPv6 Address . . . . . : fe80::2ba5:d948:50e4:6db6%22
      IPv4 Address. . . . . . . . . . . : 192.168.3.128
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.3.1

      Ethernet adapter vEthernet (Default Switch):

      Connection-specific DNS Suffix . :
      Link-local IPv6 Address . . . . . : fe80::b042:a8b0:55b7:6cea%50
      IPv4 Address. . . . . . . . . . . : 172.20.48.1
      Subnet Mask . . . . . . . . . . . : 255.255.240.0
      Default Gateway . . . . . . . . . :

      C:\Users\Louis>ipconfig /renew

      Windows IP Configuration

      Ethernet adapter 10G-LAN:

      Connection-specific DNS Suffix . : priv.lan
      IPv6 Address. . . . . . . . . . . : xxxx:yyyy:zzzz:17:592f:fabc:8811:23a4
      Temporary IPv6 Address. . . . . . : xxxx:yyyy:zzzz:17:44c6:bba8:3b8c:e188
      Link-local IPv6 Address . . . . . : fe80::ed14:4917:dbaa:2cd2%42
      IPv4 Address. . . . . . . . . . . : 192.168.17.34
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : fe80::6eb3:11ff:fe09:74a%42
      192.168.17.1

      Ethernet adapter vEthernet (Default Switch):

      Connection-specific DNS Suffix . :
      Link-local IPv6 Address . . . . . : fe80::b042:a8b0:55b7:6cea%50
      IPv4 Address. . . . . . . . . . . : 172.20.48.1
      Subnet Mask . . . . . . . . . . . : 255.255.240.0
      Default Gateway . . . . . . . . . :

      Kea DHCP
      ISC DHCP (Deprecated)

      L GertjanG 2 Replies Last reply Reply Quote 0
      • L
        louis2 @louis2
        last edited by

        @louis2

        I did make screenshots from the dhcp6-screen, ra-screen and a comparison of the dhcp6-part of the dumped pf-sense config file.

        If you look at the screenshots you can see that they are equal apart from the subnets.

        If you look at the config comparison you see that they differ.

        So it looks like switching between the two dhcp-server options, is causing problems 😲

        Perhaps I have to throw the dhcp-ra configs away and need to define them from zero ...

        And if so 😕, which option to go for, Kea or ISC

        • for reason of functionality
        • and to stay compatible with future community editions

        431b6099-88d5-4570-a04a-f2b073ee2616-image.png

        c0de166a-c3b6-4dd1-a9be-b9fe92937ccf-image.png

        f137c461-9d82-472e-aa72-01c5d04476aa-image.png

        L 1 Reply Last reply Reply Quote 0
        • L
          louis2 @louis2
          last edited by

          @louis2

          I did even more tests, e.g. defining a brand new vlan + interface. Reason: I wanted to see how a newly created dhcpv6/ra configuration looked (generated with actual Kea-setting)

          The answer is again different, see comparison below (the 201 subnet is the new test vlan, the 200 subnet is the test vlan I created a couple of days ago)

          I can just conclude that the resulting config is again different, and not working.

          I also disabled the DHCPV6 and RA settings, checking if that removes the related config. It does not. So that is no option to generate a brand new dhcpv6 config.

          What exactly is causing the failure, I do not know

          5ba9d29b-a6cd-435f-8300-14ba8c1fff49-image.png

          L 1 Reply Last reply Reply Quote 0
          • L
            louis2 @louis2
            last edited by louis2

            @louis2

            I just did another test:

            • I downloaded the config
            • removed the dhcpv6 part of the test_vlan with an editor
            • did load the edited config file

            After reboot

            • ipconfig /renew => as expected no ipv6 other than link-local
            • and dhcp6 and ra disabled
            • enabled dhcpv6 only the ranges defined
            • enabled ra only dhcp stateless
            • ipconfig /renew => still only link-local

            So ... it is probably not the dhcpv6 part of the config which is causing the trouble ....

            Note: to exclude any trouble related to FW-rules, I have an allow anything ipv4 and ipv6 as first rule in floating for the test_vlan

            L 1 Reply Last reply Reply Quote 0
            • L
              louis2 @louis2
              last edited by

              @louis2

              Still trying to understand the problem .... it becomes strange

              • connecting another PC to the same vlan ...
              • and there are IPV6-addresses ...

              But why ??? What is causing the problem ???

              • I recently switched to windows 11 ... Is windows 11 causing the issue?? The other PC still has windows 10
              • Is there a problem related to the fact that the PC has multiple NIC's ????
                and if so what is the problem, is it:
                1 - the (unique) DUID causing an issue at the PC-side OR
                2 - is it the DUID causing an issue at the pfSense side
                3 - is it a Windows 11 problem
                4 ???

              I do not know.., but I am 99% sure that it used to work in the past:

              • using windows 10 on the same computer
              • using a little bit older version of pfSense

              PS. I did switch off the windows firewall ...... that did not change this very weird problem

              L 1 Reply Last reply Reply Quote 0
              • L
                louis2 @louis2
                last edited by

                @louis2

                Again another test

                • I removed the 10G-card from the PC and rebooted the system
                • the test-vlan on the remaining NIC still did not get IPV6-addresses

                For info this PC has four NIC's

                • two on the 10G-card
                • one on the MB (I use this one for the test vlan)
                • one wifi

                Normally all disabled apart from 1 of the NIC's on the 10G-card.

                1 Reply Last reply Reply Quote 0
                • GertjanG
                  Gertjan @louis2
                  last edited by

                  @louis2 said in DHCPv6 / Routeradvertisement seems not to work / not to work correct:

                  Today I did some test

                  You didn't show the most important one :
                  Where are the logs ????

                  You should see messages like :
                  e53c5c44-1402-4a1b-8bbf-31e56a4b24db-image.png

                  If you do not see messages coming from your LAN devices, then they didn't ask for a DHCPv6 lease.
                  Check why they don't, or .... because you use extra complexity : VLANs - why DHCP6 traffic isn't pfSense.

                  Btw : first post : you've shown what ipconfig tells you : no IPv6 GUA.
                  Then you launch an "ipconfig /renew", and then you have an IPv6 GUA (the "IPv6 Address".)
                  That tells me : if the device 'asks' for an IPv6 lease, then it will get one.

                  Btw : I'm using kea, which is rock solid. The only issue is : a lot of options are still missing : the pfSense GUI part. The basic "deal out leases from a pool" works just fine for IPv4 and IPv6.

                  @louis2 said in DHCPv6 / Routeradvertisement seems not to work / not to work correct:

                  the fact that the PC has multiple NIC's ??

                  I've seen messages on the forum that, IIRC, it's using the same DUID on both interfaces. This will make the DHCP server complain, like "same DUID used on different networks" or "same DUID asks lease twice" or whatever.
                  Easy solution : stop using multiple NICs, or ask Microsoft to repair the issue ^^

                  8d509b40-a896-42b2-a567-1f8b7449e1ab-image.png

                  Looks fine to me.
                  They have both their own prefix.
                  Pool has been set up.

                  You can make it a bit simpler, like :

                  df2eb301-a1b4-4e0c-8125-62cc797f4b0a-image.png

                  You use "tracking" on your LAN interfaces for your IPv6, right ?

                  @louis2 said in DHCPv6 / Routeradvertisement seems not to work / not to work correct:

                  RA stateless DHCP

                  I can't justify this : don't use stateless.
                  I prefer

                  c100ace7-bf5c-47cd-a2dd-e2ddf27adc4c-image.png

                  but ... dono why ... probably because it works fine since I activated IPv6 .... a decade ago.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  L 1 Reply Last reply Reply Quote 0
                  • L
                    louis2 @Gertjan
                    last edited by

                    @Gertjan

                    Of course I am scratching my hat. ...

                    For RA I have been using Stateless DHCP, since I want to assign specific addresses to my machines. Also for the working interface / vlan. I tried the option you suggested but that does not make a difference

                    I checked the state of my interfaces

                    StatusInterfaces.png

                    Seems to be ok

                    I even removed all interfaces, they are reinstalled automatically almost immediately. And again that does not change anything.

                    Looking with Wireshark, I do not see any IPV6 on the faulty interfaces, not even as a result of a ifconfig /renew.

                    I am simply lost for the moment. Despite that it is highly unlikely, I am thinking in the direction of a windows 11 problem ..

                    To be continued (I have to fix the problem)

                    GertjanG 1 Reply Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @louis2
                      last edited by

                      @louis2 said in DHCPv6 / Routeradvertisement seems not to work / not to work correct:

                      Seems to be ok .....

                      What I'm seeing looking at that info : IPv6 is supported.
                      Not that I'm seeing if you've selected a static IP setup, or if DHCP6 is activated ;)

                      @louis2 said in DHCPv6 / Routeradvertisement seems not to work / not to work correct:

                      I do not see any IPV6 on the faulty interfaces

                      I presume : on the device side.
                      So that's solid info. No IPv6 info asked means : not get one.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      L 1 Reply Last reply Reply Quote 0
                      • L
                        louis2 @Gertjan
                        last edited by louis2

                        @Gertjan

                        I agree of course, unless I overlooked something in the wireshark traces, but if so:

                        • Why for the hell is it working on the interface I normally use and
                        • not on the other ones

                        Am I really doing something wrong/stupid (and if so what!!??), or is there a bug in windows 11

                        GertjanG 1 Reply Last reply Reply Quote 0
                        • GertjanG
                          Gertjan @louis2
                          last edited by

                          @louis2 said in DHCPv6 / Routeradvertisement seems not to work / not to work correct:

                          not on the other ones

                          Windows is outsmarting you because it 'sees' on all interfaces the same gateway/DHCP server (same DUID, same MAC) so it uses just one interface to get an IPv6 lease ?
                          (just thinking out loud here)

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                          L 1 Reply Last reply Reply Quote 0
                          • L
                            louis2 @Gertjan
                            last edited by louis2

                            @Gertjan

                            Yep, my verdict is in the same direction. However .... I am almost sure it was working in Windows10 (64bit Pro).

                            I forgot to add that windows is in my setup not aware of vlan's. As you probably already expected, the switch is using pvid and untagged.

                            Whatever it is, it is not OK.

                            For further info:
                            I have a more or less redundant network structure. pfSense is connected to two main switches. One 10G-switch and one 1G-switch. Part of the vlans are related to the 10G-switch, other vlans to the 1G-switch.

                            My main computer has an interface connected to the 1G-switch and another interface to the 10G-switch. That setup allows me to control large parts of the network in case part of the network is unavailable due to maintenance actions or other outage.

                            On reading your mail again: all interfaces are assigned to different vlans / different gateways / different subnets
                            And I think the DUID should be extended with an interface number ...

                            L 1 Reply Last reply Reply Quote 0
                            • L
                              louis2 @louis2
                              last edited by

                              @louis2

                              I did repeat the test on another computer running windows 10 64bit pro.
                              --- Everything working as it should .... 😲

                              I would have liked to do the test by downgrading the other computer to windows10. I tried that but I did not manage. That computer has its OS on an NVME-SSD. Trying to replace that OS with windows10 .... was a disaster. Luckily I could return to windows11 via a backup.

                              If someone running a Windows11 (64 bit pro) system

                              • having two UTP-ports
                              • which are / or can be connected to two different vlan's

                              is willing to repeat my test, checking if IPV6 is working on both ports, I would appreciate it.

                              If it is not working there as well we have the proof that there is a Windows11 bug.

                              1 Reply Last reply Reply Quote 0
                              • L
                                louis2
                                last edited by

                                I found the problem 😕

                                After spending lots of time/effort searching in the wrong direction, I found the problem.

                                The option "Block Unknown Multicast Address" in a relatively old 1G-switch, in front of my PC, seems to have blocked IPV6.
                                Strange that I did not notice that in the past

                                Whatever, disabling that option and switching the NIC off and on fixed the problem.

                                1 Reply Last reply Reply Quote 1
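
Added example (not part of the thread or of pfSense): a short Python sketch of why a switch filter on unknown multicast can stop IPv6 address assignment. Router Advertisements, Router Solicitations, DHCPv6 and Neighbor Discovery are all sent to link-scope multicast groups that map to `33:33:xx:xx:xx:xx` Ethernet addresses. The assumption that the switch option drops frames to every group missing from its table, the `blocked_groups` helper and the sample switch table are hypothetical; the host address is the link-local address from the first post.

```python
import ipaddress

# Link-scope groups that IPv6 autoconfiguration depends on (RFC 4291, RFC 8415).
GROUPS = {
    "all-nodes (Router Advertisements)": "ff02::1",
    "all-routers (Router Solicitations)": "ff02::2",
    "All_DHCP_Relay_Agents_and_Servers (DHCPv6)": "ff02::1:2",
}


def multicast_mac(group):
    """RFC 2464 mapping: 33:33 followed by the low 32 bits of the group."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = (int(addr) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def solicited_node(unicast):
    """Solicited-node group: ff02::1:ff00:0/104 plus the low 24 address bits."""
    addr = ipaddress.IPv6Address(unicast.split("%")[0])  # drop the zone id
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF)))


def required_macs(host_addr):
    """Destination MACs that must pass the switch for this host to get IPv6."""
    need = {name: multicast_mac(group) for name, group in GROUPS.items()}
    need["solicited-node (Neighbor Discovery)"] = multicast_mac(
        solicited_node(host_addr))
    return need


def blocked_groups(host_addr, known_macs):
    """Hypothetical model: every group absent from the switch table is dropped."""
    known = {mac.lower() for mac in known_macs}
    return sorted(name for name, mac in required_macs(host_addr).items()
                  if mac not in known)


if __name__ == "__main__":
    host = "fe80::2ba5:d948:50e4:6db6%22"    # 1G-LAN link-local from the post
    switch_table = {"01:00:5e:00:00:fb"}      # constructed: one IPv4 group only
    for name, mac in required_macs(host).items():
        print(f"{mac}  {name}")
    print("dropped:", blocked_groups(host, switch_table))
```

With a table that holds only IPv4 groups, all four IPv6 groups are dropped and the client keeps nothing but its link-local address, which matches the symptom in the first post.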