Router advertisement not sending default gateway
-
@Euroguy Oh, this is what a typical client looks like:
-
@Euroguy said in Router advertisement not sending default gateway:
Likely due to me not using Track Interface
You need to do that though, if you are on Telia residential services as that is the only way to get a routable prefix for your LAN(s). Your current static address configuration can't be routed onto the internet.
For now, I will disregard the (likely) complication of you having Windows AD services running on your LAN.
But for Telia you need to configure WAN:
LAN: IPv4 address / prefix ID whatever you want...
Then configure Services / Router Advertisement / LAN either as Assisted (DHCP+SLAAC) or Managed (DHCP), no need to specify any parameters as default should suffice (you'll see a default DNS server (grayed out) once the prefix is received (looks like <prefix><your prefix ID in LAN config>:<MAC address of LAN interface>))
Then you probably need the DHCPv6 on LAN, the RED part below is the assigned prefix from Tracking (note: this is very likely to be a different subnet than the WAN IPv6 address). If you don't see it after configuring the WAN/LAN as above, you need to release and renew the WAN interface lease (there's a button on Status / Interfaces)
You could also use SLAAC only by setting RA to unmanaged,
Later, you might need to consider the Prefix Delegation Pool as something to use to delegate a subnet to the Windows AD part of the net. That's just a guess as I have no clue how that works.
After that, you can try an ipconfig /renew and /renew6 and that should have given the Windows machine an IPv6 address from the /64 segment for the LAN (<prefix><your prefix ID>::210 most likely)
I started off by ignoring the Windows AD implication, and I am going to end on the same note. The above will give IPv6 connectivity to the LAN. You might need to tweak the firewall rules on the LAN to get out, but as a basic setup the above should work.
-
@pst Thanks very much for the very detailed hint list.
Seems kinda like you have first-hand knowledge about Telia, and given your horizontal DHCP6 Server list it looks like you know what you're talking about for sure. Wasn't aware that Telia would give me a /56 for instance by just asking for it with a hint.
Will try it out.
It will mean my internal network will have public IPv6 addresses too, but I can live with that. I think I can add a static IPv6 address as a virtual IP to "my" range solving addresses and publishing of internal sites.
Will say this though.
It's a bit going over a river to get a bucket of water. Given I have link local address on the LAN interface and pfsense knows I do static IPv6 address, wouldn't it be super simple to just add a checkbox on the LAN page stating something along the lines of "Announce this static IPv6 address as default gw in RA?".
It would allow pfsense to be able to function like IPv4 in regards to enabling private IPv6 addresses if one likes to have them and not mandate use of Track interface just to get SLAAC to function.
Anyway, off to testing and experimenting a bit.
Thanks once again for the help!
-
@Euroguy said in Router advertisement not sending default gateway:
Seems kinda like you have first hand knowledge about Telia
Let's just say I'm not making things up ;)
Wasn't aware that Telia would give me a /56 for instance by just asking for it with a hint.
They might give you one without a hint, but hinting works
It will mean my internal network will have public IPv6 addresses too
Which they need if they want to talk IPv6 to the outside world, as NAT isn't normally used on IPv6 (although from experience I can say that it works)
I think I can add a static IPv6 address as a virtual IP to "my" range solving addresses and publishing of internal sites.
Yes, I recently added that too. Makes the network more reliable in case the Tracking fails (which it rarely does), or prefix changes (never happens unless you change the WAN MAC)
Announce this static IPv6 address as default gw in RA
Gateway to where? The internet? You need a GUA to go out there, and without a prefix from Tracking (or a Business leased line static IP) that wouldn't be possible.
allow pfsense to be able to function like IPv4 in regards to enabling private IPv6 addresses
There are plenty of posts on this forum covering the differences between IPv4 and IPv6 so I won't add to those
There might be other network scenarios that I have not considered where a gateway might be useful (internally). Or if parts of the network have no (or should not have) internet connection. In that case the need for a gw might arise. Perhaps that is your scenario? Others might have more useful input to add for such scenarios.
-
@pst said in Router advertisement not sending default gateway:
Gateway to where? The internet? You need a GUA to go out there, and without a prefix from Tracking (or a Business leased line static IP) that wouldn't be possible.
Well, static ipv6 with
- Address + mask and
- Gateway set on the static definition
works as it has the gateway set to "internal address" of the LAN interface.
It's just the DHCP clients lacking that.
Just need to get the route sent somehow for them to reach the router and the router does the rest.
It seems to me only thing I am missing on DHCP clients is the default gateway. If the router would just send out its internal LAN address, that would accomplish that.
I am probably oversimplifying things but just saying.
By the way, tracking interface now and still not getting routes sent out on RA for some reason.
-
If the router would just send out its internal LAN address, that would accomplish that.
Services / Router Advertisement / LAN needs to be configured, something like this?
If you came from pfSense 2.5, the RA was part of DHCPv6 in 2.5 IIRC, but it was made a separate service in preparation for KEA replacing ISC (in 2.7.x/23.x (?)). So the RA needs to be configured, default is Disabled (I think... as I haven't looked at the default config for a while)
-
@pst what is the client OS you are testing with? Unfortunately I don't know Windows well, can't help there. Did it work before with pfSense 2.5?
For me it works on a Debian Linux with pfSense CE 2.8.0 and 'Router Mode' set to 'Router Only'.
    ## client got a route
    $ ip -6 r s
    fe80::/64 dev enp6s18 proto kernel metric 256 pref medium
    default via fe80::be24:11ff:fef5:cf5f dev enp6s18 proto ra metric 1024 expires 1575sec hoplimit 64 pref medium

    ## but no IPv6 since there is no other RA or DHCP server available
    $ ip -6 a s enp6s18
    2: enp6s18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        inet6 fe80::be24:11ff:fee4:634b/64 scope link
           valid_lft forever preferred_lft forever
Regarding the 'Router address flag (R)', it is not set either but it may not have to be set. According to IPv6 NDP Explained: Router Solicitation and Router Advertisement:
"Router Address Flag (R): This flag indicates whether the prefix can be used for assigning addresses to routers. If the R flag is set, hosts can assign the prefix to an interface on the device acting as a router. This flag is typically used by routers to advertise the prefixes they can serve as a default gateway for."
Text comprehension is not my strongest point, so I may have missed the point here.
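The `ip -6 r s` output in the post above shows a default route learned from an RA that carried no prefix. As an added example (not part of any post in this thread, and not pfSense code), this Python sketch parses the RA fields defined in RFC 4861 and reports what a host would do with them. The function names, the three sample packets and the 2001:db8:0:1::/64 documentation prefix are constructed for illustration; how they map onto pfSense RA modes is an assumption.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse the ICMPv6 part of a Router Advertisement (RFC 4861, 4.2)."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"hop_limit": hop_limit, "router_lifetime": lifetime,
          "managed": bool(flags & 0x80),   # M flag: addresses come from DHCPv6
          "other": bool(flags & 0x40),     # O flag: DNS etc. come from DHCPv6
          "prefixes": []}
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed RA option")
        if opt_type == 3 and opt_len == 32:               # Prefix Information option
            plen, pflags = struct.unpack_from("!BB", icmp, off + 2)
            net = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "on_link": bool(pflags & 0x80),      # L flag
                                   "autonomous": bool(pflags & 0x40)})  # A flag
        off += opt_len
    return ra

def host_view(ra: dict) -> dict:
    """Summarise what a host does with a parsed RA."""
    return {
        # The gateway is the RA's link-local source address; a Router
        # Lifetime of 0 means "do not use me as a default router".
        "installs_default_route": ra["router_lifetime"] > 0,
        "slaac_prefixes": [p["prefix"] for p in ra["prefixes"] if p["autonomous"]],
        "asks_dhcpv6_for_address": ra["managed"],
    }

def build_ra(lifetime: int, flags: int = 0, prefix: str = "") -> bytes:
    """Build a constructed sample RA (checksum left at zero, test data only)."""
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0)
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        pkt += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
        pkt += net.network_address.packed
    return pkt

# Constructed samples; the mode names are assumptions about what each resembles.
ROUTER_ONLY = build_ra(1800)                          # default route, no prefix
ASSISTED = build_ra(1800, 0xC0, "2001:db8:0:1::/64")  # M+O flags, prefix with A+L
NO_GATEWAY = build_ra(0, 0xC0, "2001:db8:0:1::/64")   # Router Lifetime 0
```

Feeding it the ICMPv6 payload of an RA captured on the LAN shows whether the missing default gateway comes from a zero Router Lifetime or from the RA not being sent at all.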
-
-
@pst sorry :) /me just pressed reply button, no brain :)
-
I am testing on Windows. Only have VM labs on Linux; all user computers are Windows. And all Linux machines have static IPs.
I actually have two issues. DHCP6 and the router problem.
Switched to use DHCP on the pfsense, and IPv6 leases don't work on KEA at all (it gets permission denied sending message()).
Switched to ISC and then the engine issues addresses, but pfsense does it weirdly somehow, from a Windows perspective, so Windows clients never accept the address, so ISC issues 4 or 5 before giving up, and the client ends up without an address.
It sends them to the fe80 address that requested it, with XID matching that client and the address in the IAA tag.
Instead of sending out addresses directly they are sending it in IAA tag to the questioning link-local address, which Windows doesn't seem to handle, to my unpracticed eye.
Tried to run KEA and ISC on Debian, and there DHCP6 works, and ISC on openSuSE works as well.
I can see if I can share some wireshark ss later on using them as DHCP6 server.
But here is a ws screenshot of it from pfSense:
-
@patient0
Yes it worked on pfsense 2.5.something.
But could not upgrade it so figured I'd try a clean install for 2.8.
I had the exact same setup as I do now, Track Interface, although I used a 6RD tunnel, as I only discovered Telia had enabled DHCP6 on its fiber network as I got an IPv6 address before changing to 6RD and was like wot....?
Anyway:
- private IP-addresses,
- track interface on lan.
- virtual IP on LAN side (in the private IPv6 range) so static private IPv6 servers could reach it.
- Public tracked 2001:2000 from the 6RD on internal network devices from RA.
Changed as pst hinted and restarted the box (an old Xeon E3-1230)
Now, here's my current config:
RA Mode: Assisted.
DHCP 4 and 6 on pfSense machine (ISC).
No reservations setup.
LAN:
RA:
DHCP:
-
@patient0
This is a Linux VM running latest openSuSE doing DHCP:
Meanwhile, it seems some IP address leases were in fact working:
They weren't last night but seem to have kicked in sometime later.
They are all for Windows Server VMs running on virtual NICs.
Here they can be seen in the DNS server:
-
@Euroguy said in Router advertisement not sending default gateway:
Switched to use DHCP on the pfsense, and IPv6 leases don't work on KEA at all (it gets permission denied sending message()).
I still recommend you use KEA, as it makes it easier to support you :) Debugging permission denied should be fairly simple (...)
You seem to have gotten the DHCPv6 Tracking on WAN working, prefix on LAN DHCPv6 looking good.
It is sometimes difficult "to see the forest for all the trees", so I suggest testing the setup in smaller steps, starting with just the pfsense, and a LAN with one client active. Running DNS on the pfsense also simplifies matters.
Is pfsense a bare metal machine, or is it a virtual setup? (==complication)
pfsense does it weirdly somehow, from a Windows perspective, so Windows clients never accept the address,
I run windows clients (Win10 and Win10 VMs) as well as Linux VMs and I have not noticed anything weird going on. Are the windows clients VMs or regular machines? Are they configured with default DHCP configs or are there legacy configurations from your previous (=current setup)?
Switched to use DHCP on the pfsense,
this suggests you ran DHCP elsewhere previously?
Tried to run KEA and ISC on Debian, and there DHCP6 works, and ISC on openSuSE works as well.
So, what you are saying is that a windows client can get an address from a non-pfsense DHCP server, but not from the pfsense running the dhcp server?
Again, I suggest turning off/disconnecting everything that complicates the debugging of the pfsense setup (suggestion above). Once the basic setup of pfsense works it should be easy to hook up the rest of your network...
-
@pst
I have two AD DC machines running DNS etc, and one of them ran DHCP.
But after nothing worked and I got into trouble, I wanted to know if the problem was due to me running DHCP on a separate machine, so switched to running it on the pfSense machine.
And that didn't work at all.
Then I tested a Debian and an openSuSE (VMs) I had.
Installed and confed DHCP on both of them to test.
Ran flawlessly and without a hitch (once I got them up and running, conf was a bit of a mess).
pfsense is running on a
I had saved the old version (saved the disk) so just reconnected it and fired it up.
It is running 2.5.2.
And immediately I got working RA:s
And RA config is the same it seems:
I'll try to reinstall 2.8 and see if I can get that to work as a baseline.
Else I think I'll settle for 2.7.2 for now.