Dual WAN Setup - LAN interfaces lost their IPv6 adresses.

heiko3001

Dear Supporters,

I already posted in the german forum regarding my problems with IPv6.
I'm using dual wan setup with some lan-adresses.
First wan is a static ip from vodafone.
Second wan is a dual stack vdsl connection from freenet.
Both are german ISPs.
The dsl wan gets an ipv6 adress / subnet but it is not, or only rarely passed by the wan interface to the lan interfaces.
A reboot helps only in rare cases.
Sometimes it helps when I disable and enbale the interface. Then the LAN Interfaces gets an IPv6 subnet / adress.
After the renewal by the isp after approximately 24 Hours, the lan interfaces lost the ipv6 adress and it's gone.
Nothing helps.
The guys in the german forum don't know what to do anymore.
The last I found in the logs was this strange error.

Can you please give me an advise what to do?
What do you need for further diagnostic puposes?
You found all screenshots in the german forum. (https://forum.netgate.com/topic/196162/dual-stack-ipv6-an-der-pfsense-interface-verliert-verbindung/41)

Thank you in advance!

Heiko

stephenw10

So on the DSL WAN it is pulling a lease for the WAN itself and a PD to use on internal subnets?

And the LAN is set to track the WAN but fails to be assigned prefix?

JonathanLee

Try setting it to conservative mode so the links don’t go down for the wan as often. Sometimes with the lag it drops the wan and the system can see it as offline. Try that

heiko3001

@stephenw10

Yes correct, the DSL WAN is pulling a correct and working lease (I can ping and resolve dns entries over the pfsense)
I have some LAN interfaces, the are set to track the DSL-WAN, but they failed to be assigned prefix.

heiko3001

This post is deleted!

heiko3001

@JonathanLee said in Dual WAN Setup - LAN interfaces lost their IPv6 adresses.:

Try setting it to conservative mode so the links don’t go down for the wan as often. Sometimes with the lag it drops the wan and the system can see it as offline. Try that

I will give it a try.

Gertjan

@heiko3001

This :

means that dhcp6c wanted to send it's periodic "Solicit" upstream, but the interface was pulled down.
Btw the device/modem at the other side ?
You have two wans, I can't see which one makes dhcp6c unhappy.

You want to know more ?
Ask pfSense : check :

and from now on you can see (DHCP logs) what dhcp6c does, what it obtained as an answer (prefix etc)

heiko3001

@Gertjan

From now I started the DHCP Debug mode...

The VDSL Modem is a Draytek Vigor 167

Gertjan

@heiko3001 said in Dual WAN Setup - LAN interfaces lost their IPv6 adresses.:

The VDSL Modem is ...

Modems have this nice feature to 'signal' the downstream router (or single device like a PC) that the connection is lost by pulling down the interface.
The downstream device now knows that something is going on.
When the modem syncs again, the interface (link) goes up again, and the router (or PC) will kick of the pppoe or DHCP negotiation.

Not related :
I still don't get it, why a modern country like Germany still uses 'modems' (and even pppoe stuff).
That's something of the past ... and I know what I'm talking about : I live in a country from the past : France

heiko3001

@Gertjan

I know what you mean, but in Germany even some of the Telekom's fiber optic connections are still registered via PPPoE.

Back to the topic:
I can hardly imagine that you can detect anything at the modem because the WAN interface of the sense receives an ipv4 and an ipv6 address. my problem is that the ipv6 addresses are not passed on to the lan interfaces.
In very rare cases ipv6 works once and at the latest with the next forced disconnection by the isp the ipv6 addresses on the lan interfaces are gone again. ipv4 continues to work perfectly.

heiko3001

@heiko3001

After a long period of trying (DSL Modem Reboot, Pfsense Reboot, Interface OFF / ON) it is working temporary. But I don't have to much hope. I bet, after the 24h forced disconnect by isp, only ipv4 will work. I'll keep you going.

Gertjan

@heiko3001

In the dhcp6c image I couldn't see any prefixes getting attributed ...

![76b289c3-965e-4a5d-9537-95582ef58fca-image.png](Something went wrong while parsing server response)

You copied the wrong / non interesting part ?

ppp : IPv4 is ok

Interfaces : the 2a00:exxxxxxxx are ISP attributed, right ?

I released my WA. (both IPv4 and IPv6) with :

and waited 30 seconds or so.
Then I activated WAN again with the same button :

My 'dhcp6c' story :

dhcp6c 85796 - - script "/var/etc/dhcp6c_wan_script.sh" terminated
dhcp6c 85796 - - removing an event on ix3, state=RELEASE
dhcp6c 85796 - - got an expected reply, sleeping.
dhcp6c 85796 - - Sending Solicit
dhcp6c 85796 - - a new XID (743e50) is generated
dhcp6c 85796 - - set client ID (len 14)
dhcp6c 85796 - - set identity association
dhcp6c 85796 - - set elapsed time (len 2)
dhcp6c 85796 - - set option request (len 4)
dhcp6c 85796 - - set IA_PD
dhcp6c 85796 - - send solicit to ff02::1:2%ix3
dhcp6c 85796 - - reset a timer on ix3, state=SOLICIT, timeo=0, retrans=1055
dhcp6c 85796 - - receive advertise from fe80::46d4:54ff:fe2a:3600%ix3 on ix3
dhcp6c 85796 - - get DHCP option client ID, len 14
dhcp6c 85796 - -   DUID: 00:01:00:01:2c:ec:aa:20:90:ec:77:29:39:2a
dhcp6c 85796 - - get DHCP option server ID, len 10
dhcp6c 85796 - -   DUID: 00:03:00:01:44:d4:54:2a:36:00
dhcp6c 85796 - - get DHCP option IA_PD, len 41
dhcp6c 85796 - -   IA_PD: ID=0, T1=300, T2=480
dhcp6c 85796 - - get DHCP option IA_PD prefix, len 25
dhcp6c 85796 - -   IA_PD prefix: 2a01:dead:beef:a6e2::/64 pltime=600 vltime=5055960300268816136
dhcp6c 85796 - - get DHCP option preference, len 1
dhcp6c 85796 - -   preference: 255
dhcp6c 85796 - - get DHCP option DNS, len 16
dhcp6c 85796 - - get DHCP option domain search list, len 6
dhcp6c 85796 - - server ID: 00:03:00:01:44:d4:54:2a:36:00, pref=255
dhcp6c 85796 - - Sending Request
dhcp6c 85796 - - a new XID (52a2b6) is generated
dhcp6c 85796 - - set client ID (len 14)
dhcp6c 85796 - - set server ID (len 10)
dhcp6c 85796 - - set elapsed time (len 2)
dhcp6c 85796 - - set option request (len 4)
dhcp6c 85796 - - set IA_PD prefix
dhcp6c 85796 - - set IA_PD
dhcp6c 85796 - - send request to ff02::1:2%ix3
dhcp6c 85796 - - reset a timer on ix3, state=REQUEST, timeo=0, retrans=1019
dhcp6c 85796 - - receive reply from fe80::46d4:54ff:fe2a:3600%ix3 on ix3
dhcp6c 85796 - - get DHCP option client ID, len 14
dhcp6c 85796 - -   DUID: 00:01:00:01:2c:ec:aa:20:90:ec:77:29:39:2a
dhcp6c 85796 - - get DHCP option server ID, len 10
dhcp6c 85796 - -   DUID: 00:03:00:01:44:d4:54:2a:36:00
dhcp6c 85796 - - get DHCP option IA_PD, len 41
dhcp6c 85796 - -   IA_PD: ID=0, T1=300, T2=480
dhcp6c 85796 - - get DHCP option IA_PD prefix, len 25
dhcp6c 85796 - -   IA_PD prefix: 2a01:dead:beef:a6e2::/64 pltime=600 vltime=5055960300268816136
dhcp6c 85796 - - get DHCP option preference, len 1
dhcp6c 85796 - -   preference: 255
dhcp6c 85796 - - get DHCP option DNS, len 16
dhcp6c 85796 - - get DHCP option domain search list, len 6
dhcp6c 85796 - - dhcp6c Received REQUEST
dhcp6c 85796 - - nameserver[0] 2a01:dead:beef:a600:46d4:54ff:fe2a:3600
dhcp6c 85796 - - Domain search list[0] home.
dhcp6c 85796 - - make an IA: PD-0
dhcp6c 85796 - - create a prefix 2a01:dead:beef:a6e2::/64 pltime=600, vltime=1800
dhcp6c 85796 - - add an address 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c/64 on igc0
dhcp6c 85796 - - executes /var/etc/dhcp6c_wan_script.sh
dhcp6c 22579 - - dhcp6c RELEASE, REQUEST or EXIT on ix3 running rc.newwanipv6

I'll say upfront that more then half of what I've showed is Chinese or rocket science language for me.
Let try :
First, there's a SOLICIT .... and info comes back.
I guess this is the phase where the upstream DHCPv6 router announces what it can offer.
Then there is a REQUEST ....
Now a real IPv6 for WAN - and a prefix are retrieved.
The last several lines show clearly that the prefix is obtaiend and mode aviable on igc0 = the LAN interface. From there on, the DHCPv6 server will make of it (my case : I don't use SLAAC but the DHCPv6 server).

stephenw10

Yes if you have dhcpv6 debug enabled you should see a line like:
Jun 12 13:54:32 dhcp6c 15485 IA_PD prefix: 2a00:23c8:xxx:xxx::/56 pltime=315360000 vltime=12732255525095080704
With the prefix delegation you requested.

And then lines showing prefixes from within that being assigned to tracking interfaces like:

Jun 12 13:54:33 	dhcp6c 	15485 	make an IA: PD-0
Jun 12 13:54:33 	dhcp6c 	15485 	create a prefix 2a00:23c8:xxx:xxx::/56 pltime=315360000, vltime=315360000
Jun 12 13:54:33 	dhcp6c 	15485 	add an address 2a00:23c8:xxx:xx1:201:21ff:fe01:6777/64 on igb2
Jun 12 13:54:33 	dhcp6c 	15485 	add an address 2a00:23c8:xxx:xx2:201:21ff:fe01:6778/64 on igb3

JKnott

I don't know if this will affect it, but have you set router priority? This is on the Router Advertisement page and the choices are high, normal and low. You'd decide which connection you want to be priority. Also, any reason why you're using DHCP6 on the LAN? SLAAC generally does what's needed and Android devices don't work properly with DHCP6.

heiko3001

@JKnott

DHCPv6 was only activated for testing reasons. In the meantime it is deactivated.

heiko3001

At the moment it is working, but pfsense doesn't do it independently.
You have to trigger, or wait a long time (<10-15 min)
Before it works I got this error message:

After triggering (Interface Off, Interface On, Interface Off ....) I got this log, and everything looks good.

Gertjan

@heiko3001

pfSense works best when interfaces stop flapping around.
This would impact IPv6 and IPv4.
You mission, if you accept it : do whatever is needed so interfaces don't get pulled down anymore.

A plan Z : put a switch between you pfSense WAN and the upstream device.
This can have a minor negative impact : when the upstream ISP device goes belly up (again), pfSense doesn't get informed ... so it will presume that the connection is still ok, but it isn't, it broken again.
The gateway observer (dpinger - System > Routing > Gateways) would notice something bad has happened, and will try to rebuild the connection .... It does this by resetting the WAN interface .... which would introduce the same scenario, but at least dhcp6c wouldn't fail as it get starts when the interface is up.

edit : wait : you've showed dhcp6c issues.
All this time, the IPv4 party of the WAN connection had no issues ?
If so, then the connection by itself is ok, and it seems tjhe IPv6 part that is "broken".

heiko3001

@Gertjan
I think you misunderstand me...

I have to trigger that it works. I do this by turning the VDSL Interface off and on and again.

After a clean restart IPv6 is not working and I get the error message above (Permission denied- transmit failed)
Then I trigger the VDSL interface by turning it off and on, then it takes a few seconds and all LAN interface have a working IPv6 connection.

stephenw10

Do you see any Received RA messages in the main system log?

If not do you have 'Do not wait for a RA' set in the dhcpv6 client setup?

It sounds like you may need that.

Also are you using if_pppoe in 2.8?

Gertjan

@heiko3001 said in Dual WAN Setup - LAN interfaces lost their IPv6 adresses.:

I do this by turning the VDSL Interface off and on and again.

That's what I understood.
The dhcp6c gets started when the WAN interface becomes active.
And then it fails with the message "Transmit failed - Permission denied" which means : the interface is down (again).

Or, is this something else :

at 04h42:31 a solicit is send - it does this very often, I see Solicit every 300 seconds or so.
at 04h46:27 same thing, 116 seconds later,
at 04h46:35 same thing, 8 seconds later .... wow...
at 04h46:35 This solicit failed - interface gone.

If you saved the WAN config at that moment - between 46:27 and 46:35 - then I presume the dhcp6c would log would show a lot more - like the logs you've showed above.

Btw : Not sure if this is related - dhcprelay - are you using dhcprelay ?