Gateway widget displaying incorrect(?) IPv6 gateway state

marcg

Running 24.11 with 2.2.20_1 patches on third-party hardware. Issue seen with 24.11 unpatched and previous 24.11 patch set too. Don't recall this behavior with 24.03.

The gateway widget occasionally displays a tilde for the v6 address of its default gateway rather than that upstream gateway's address (upstream gateway is an ATT BGW320). Also, the globe icon is missing, meaning that the interface is not the default v6 route (?). However, v6 is correctly routing through the pfSense in this scenario, e.g., I can ping -6 an Internet host from the LAN. There are no other v6 gateways on the network.

netstat -rn shows the correct default route installed. The address below is the upstream gateway's LLA.

[24.11-RELEASE][admin@pfSense.home.arpa]/root: netstat -rn | grep 'default.*%'
default                           fe80::be9a:8eff:fe0b:3b81%igc0 UG            igc0

The upstream gateway is emitting RAs as confirmed by tcpdump on pfSense.

---

If the upstream gateway is rebooted while pfSense is up, the gateway's address is subsequently displayed in the gateway widget and the globe icon appears.

netstat -rn continues to show the gateway, but with an S flag. pfSense gets its WAN address via SLAAC from the gateway; don't understand what the S (static?) flag means in this context.

[24.11-RELEASE][admin@pfSense.home.arpa]/root: netstat -rn | grep 'default.*%'
default                           fe80::be9a:8eff:fe0b:3b81%igc0 UGS           igc0

96% sure that one time when I rebooted the upstream gateway in this scenario and "restored the globe," this default v6 route appeared twice in the netstat -rn output.

marcg

Bumping this as the behavior continues, now on 24.11 with 2.2.20_4 patches installed. IPv6 is functionally fine, but the Gateway widget shows a tilde for the v6 WAN address.

The WAN interface has both DHCPv6 and SLAAC addresses.

patient0

@marcg have you tried changing the widget to show only the gateway ip? To see if there is an issue with the widget.

marcg

@patient0 said in Gateway widget displaying incorrect(?) IPv6 gateway state:

@marcg have you tried changing the widget to show only the gateway ip? To see if there is an issue with the widget.

Thanks for the response. Unfortunately, not familiar with PHP in general or the GUI code in particular.

That said, the only place that a ~ appears in /usr/local/www/widgets/widgets/gateways.widget.php is at line 110. Appears that $if_gw is either not being set for the v6 interface address, or is being set to an empty string, in the enclosing if block. The monitor IP is set explicitly to an address different from the upstream gateway for that interface (and shows correctly in the widget, 2606:4700:4700::1111).

     95                         $if_gw = '';
     96                         // If the user asked to display Gateway IP or both IPs, or asked for just monitor IP but the monitor IP is blank
     97                         // then find the gateway IP (which is also the monitor IP if the monitor IP was not explicitly set).
     98                         if ($display_type == "gw_ip" || $display_type == "both_ip" || ($display_type == "monitor_ip" && $monitor_address == "")) {
     99                                 if (is_ipaddr($gateway['gateway'])) {
    100                                         $if_gw = htmlspecialchars($gateway['gateway']);
    101                                 } else {
    102                                         if ($gateway['ipprotocol'] == "inet") {
    103                                                 $if_gw = htmlspecialchars(get_interface_gateway($gateway['friendlyiface']));
    104                                         }
    105                                         if ($gateway['ipprotocol'] == "inet6") {
    106                                                 $if_gw = htmlspecialchars(get_interface_gateway_v6($gateway['friendlyiface']));
    107                                         }
    108                                 }
    109                                 if ($if_gw == "") {
    110                                         $if_gw = "~";
    111                                 }
    112                         }

patient0

@marcg said in Gateway widget displaying incorrect(?) IPv6 gateway state:

Thanks for the response. Unfortunately, not familiar with PHP in general or the GUI code in particular.

Oh, no no. I was talking about configuring the widget on the dashboard. There is a wrench, a minus and a plus. Pressing the wrench and then you can choose what you want to display, the gateway ip, monitor ip or both.

Having said that, your finding is interesting. Could be that it can not get the gateway for some reason.

marcg

@patient0 said in Gateway widget displaying incorrect(?) IPv6 gateway state:

Oh, no no. I was talking about configuring the widget on the dashboard. There is a wrench, a minus and a plus. Pressing the wrench and then you can choose what you want to display, the gateway ip, monitor ip or both.

Having said that, your finding is interesting. Could be that it can not get the gateway for some reason.

Much easier :)

Changing from Both to Gateway IP displays just the tilde, so the issue remains.

No idea why it wouldn't be able to get the gateway IP. It's able to do that for the v4 interfaces and, as mentioned, the v6 gateway is up and routing.

EDIT: As mentioned at the start of the thread, rebooting the upstream gateway causes the widget to display the gateway LLA and the globe icon to reappear. ifconfig shows the same LLA and GUAs after the reboot as before.

patient0

@marcg said in Gateway widget displaying incorrect(?) IPv6 gateway state:

Changing from Both to Gateway IP displays just the tilde, so the issue remains.

I guess that's a bug, now the question is how to reproduce it. PHP is not my thing either.

get_interface_gateway_v6($gateway['friendlyiface']); is not doing it's job, I'm sure there are clever people in this forum who can help. I'll see if there is a way to manually call get_interface_gateway_v6() to see what is returned.

    105           if ($gateway['ipprotocol'] == "inet6") {
    106             $if_gw = htmlspecialchars(get_interface_gateway_v6($gateway['friendlyiface']));
    107           }

The menu 12) PHP shell + Netgate pfSense Plus tools from the login menu maybe of help, providing a PHP shell, never used it though.

marcg

@patient0 said in Gateway widget displaying incorrect(?) IPv6 gateway state:

I guess that's a bug, now the question is how to reproduce it. PHP is not my thing either.

get_interface_gateway_v6($gateway['friendlyiface']); is not doing it's job, I'm sure there are clever people in this forum who can help. I'll see if there is a way to manually call get_interface_gateway_v6() to see what is returned.

Guessing that the issue is a larger one with the gateway array than just the v6 address. The globe icon, indicating that the interface is the default interface, also disappears (even though the interface is active and the default, in fact the only, v6 WAN interface). The globe icon is enabled at line 78 of the widget code from the gateway array.

Appreciate the help. This is a low priority issue for me, please spend time only if it's of interest.

patient0

@marcg said in Gateway widget displaying incorrect(?) IPv6 gateway state:

The globe icon, indicating that the interface is the default interface

It can't get/parse any of the IPv6 info it seems, yes. I just switched WAN for one of my pfSense test instances from static to DHCP. And the ~ was there when upstream DHCP wasn't ready.

This is a low priority issue for me, please spend time only if it's of interest.

No worries, I won't overwork me :) ... soon done for today, but I'm interested and will have another go tomorrow.

marcg

@patient0 said in Gateway widget displaying incorrect(?) IPv6 gateway state:

It can't get/parse any of the IPv6 info it seems, yes. I just switched WAN for one of my pfSense test instances from static to DHCP. And the ~ was there when upstream DHCP wasn't ready.

I got a bit off-track with today's ifconfig comments, apologies for any confusion. The gateway IP is instead available from netstat -r.

As shown in the original post, netstat returns the v6 gateway IP as the default route both when the widget displays properly and when it displays improperly.

patient0

@marcg I had a little playtime with PHP and pfSense, taking gateways.widget.php as the starting point.

The following small PHP iterates through the gateways and outputs some of the fields of it. If you uncomment the // var_dump($gateway); it will output all the fields for every gateway. In my case there were two gateways (wan v4 and wan v6) with 14 entries in each gateway array:

<?php

require_once("pfsense-utils.inc");

        $a_gateways = return_gateways_array();
        foreach ($a_gateways as $gname => $gateway) {
                echo "gateway: ", $gateway['name'], "\n";
                echo "... friendly iface: ", $gateway['friendlyiface'], "\n";
                echo "... isdefault: '", $gateway['isdefaultgw'], "'\n";
                echo "... inactive: '", $gateway['inactive'], "'\n";
                if ($gateway['ipprotocol'] == "inet") {
                        $if_gw = get_interface_gateway($gateway['friendlyiface']);
                } else {
                        $if_gw = get_interface_gateway_v6($gateway['friendlyiface']);
                }
                echo "... get iface gateway: '", $if_gw, "'\n";
                // var_dump($gateway);
        }
?>

And running it outputs the below on my test system:

[2.7.2-RELEASE][root@pfsense.home.arpa]/root: php justforfun.php 
gateway: WAN_DHCP
... friendly iface: wan
... isdefault: '1'
... inactive: ''
... get iface gateway: '10.199.200.1'
gateway: WAN_DHCP6
... friendly iface: wan
... isdefault: '1'
... inactive: ''
... get iface gateway: 'fe80::be24:11ff:fecf:686b%vtnet0'

I would assume that isdefault and get iface gateway are empty for IPv6 in your case, right?

The PHP commands can also be run from the menu 12) PHP shell + pfSense tools.

As usual, don't post any public IP ranges on the forum. Mine are ULAs or private IPs, no issue here.

Regarding the netstat -rn output: On my prod (24.11) and in the test system (CE 2.7.2) - used above - the default gateways always have the 'S' flag set, and both get their default route per DHCP.

netstat man page tells me:

S RTF_STATIC Manually added`

I'm not knowledgable enough to know how you can have a default getway that is not manually added, while getting the gateway per DHCP client).

marcg

@patient0 Excellent ... thanks!

At the moment, the widget is correctly displaying the state (result of yesterday's reboots).

That's consistent with the PHP script output.

gateway: WAN_DHCP6
... friendly iface: wan
... isdefault: true
... gateway status: enabled
... get iface gateway: 'fe80::be9a:8eff:fe0b:3b81%igc0'
gateway: WAN_DHCP
... friendly iface: wan
... isdefault: true
... gateway status: enabled
... get iface gateway: a.b.c.d
gateway: E1V95_LTEGW
... friendly iface: opt12
... isdefault: false
... gateway status: enabled
... get iface gateway: '192.168.95.1'

It's also consistent with netstat.

[24.11-RELEASE][admin@pfSense.home.arpa]/root: netstat -rn | grep default
default            a.b.c.d                                         UGS           igc0
default            fe80::be9a:8eff:fe0b:3b81%igc0                  UGS           igc0

I'll run the script again and post the results when I next see the failure.

I made small changes to the script to handle different gateway statuses and missing addresses. The WAN_DHCP and E1V95_LTEGW interfaces on my system are set up as a gateway group -- IPv4 failover -- so it's normal for one of them not to be the default gateway.

require_once("pfsense-utils.inc");

$a_gateways = return_gateways_array();
foreach ($a_gateways as $gname => $gateway) {
    echo "gateway: ", $gateway['name'], "\n";
    echo "... friendly iface: ", $gateway['friendlyiface'], "\n";
    echo "... isdefault: ";
    if (isset($gateway['isdefaultgw'])) {
         echo "true\n";
    } else {
         echo "false\n";
    }
    echo "... gateway status: ";
    if (isset($gateway['inactive'])) {
        echo "inactive\n";
    } elseif  (isset($gateway['disabled'])) {
        echo "disabled\n";
    } else {
        echo "enabled\n";
    }
    $if_gw = '';
    if ($gateway['ipprotocol'] == "inet") {
        $if_gw = get_interface_gateway($gateway['friendlyiface']);
    } else {
        $if_gw = get_interface_gateway_v6($gateway['friendlyiface']);
    }
    echo "... get iface gateway: '", $if_gw, "'\n";
    //var_dump($gateway);
}

marcg

[filed as https://redmine.pfsense.org/issues/16163]

After a ~month of correctly displaying the v6 gateway state, a reboot of pfSense again causes the widget to incorrectly display the state. WAN_DHCP6 is the active v6 gateway, however the gateway address shows as a ~ and the default gateway globe icon does not appear.

Runnining 24.11 + System_Patches 2.2.20_4 as before.

Output from previous post's script is consistent with widget display.

gateway: WAN_DHCP6
... friendly iface: wan
... isdefault: false
... gateway status: enabled
... get iface gateway: ''
gateway: WAN_DHCP
... friendly iface: wan
... isdefault: true
... gateway status: enabled
... get iface gateway: '99.121.58.1'
gateway: E1V95_LTEGW
... friendly iface: opt12
... isdefault: false
... gateway status: enabled
... get iface gateway: '192.168.95.1'

netstat -rn output differs from the case where the widget correctly displays the output in that the "S" flag for the v6 gateway does not appear.

[24.11-RELEASE][admin@pfSense.home.arpa]/root: netstat -rn | grep default
default            a.b.c.d                          UGS            igc0
default            fe80::be9a:8eff:fe0b:3b81%igc0   UG             igc0

System>Routing>Gateways appears as follows.