IPv6 connectivity lost on prefix change
-
My device connected to an interface loses ipv6 connectivity on isp prefix change. What do I have to do to avoid this?
Here is a description of a case where I finally caught what happens. My laptop has an ipv6 address handed by dhcpv6 (router advertisement mode is managed). Output of
ip -6 route
includes
2xxx:xxxx:xabc:de03::1000 dev enp86s0u1 proto kernel metric 100 pref medium
2xxx:xxxx:xabc:de03::/64 dev enp86s0u1 proto ra metric 100 pref medium
I am connected to my Netgate router on the same device via ip4. I notice that the /56 prefix changes. This is also reflected in ip -6 route, which now shows both
2xxx:xxxx:xmno:pq03::/64 dev enp86s0u1 proto ra metric 100 pref medium
2xxx:xxxx:xabc:de03::/64 dev enp86s0u1 proto ra metric 100 pref medium
After this, the ipv6 address of my laptop is still the original 2xxx:xxxx:xabc:de03::1000. However, this lease has disappeared from the list of dhcpv6 leases in Netgate. Furthermore, ip -6 neigh gives
2xxx:xxxx:xabc:de03:92ec:77ff:fe8e:691f dev enp86s0u1 FAILED
2xxx:xxxx:xmno:pq03:92ec:77ff:fe8e:691f dev enp86s0u1 FAILED
These addresses should be for the router. To my limited understanding,
- the ipv6 lease of the laptop is no longer valid, and has not been renewed on prefix change
- there is no working ipv6 connection to the router.
Slaac connections are plagued by similar issues.
What should I do to fix this?
I am running the newest version of pfSense.
-
I’m guessing you don’t mean a prefix change but really IP address change.
How often does this happen? Do you notice if there’s something that triggers it, like rebooting your router after an update. My ISP also has dynamic addressing, but I have to be disconnected for over four hours or change routers in order to get assigned a new address. Reading these forums, I have learned from other people that some ISPs do it on a weekly basis. What would help is knowing how your ISP provides IPV6.
For example, my ISP gives me an IA_NA/IA_PD with a 56 prefix delegation. This allows me to have 256 /64 subnets.
-
@Uglybrian said in IPv6 connectivity lost on prefix change:
I’m guessing you don’t mean a prefix change but really IP address change.
That could be the correct term. I just notice in interfaces that the prefixes change.
@Uglybrian said in IPv6 connectivity lost on prefix change:
How often does this happen? Do you notice if there’s something that triggers it, like rebooting your router after an update.
It happened at least once yesterday, and at least twice today in a span of around 3-4 hours, because the prefix is different now from the two prefixes I observed above. I have not rebooted the router today, and our network has been active all evening.
@Uglybrian said in IPv6 connectivity lost on prefix change:
What would help is knowing how your ISP provides IPV6. For example, my ISP gives me an IA_NA/IA_PD with a 56 prefix delegation. This allows me to have 256 /64 subnets.
I also get /56 prefix delegation. In my message above, the 03 at the end of initial /64 of every ipv6 address is what I have assigned for the /64 subnet for that interface.
-
As you probably already know, ISP can, and often will, change regularly your 'one and only' WAN IPv4.
This can be a good thing, or a bad thing. The votes are still open on this one.
If our ISPs strictly behave as RFCs told them, the IPv6 prefixes assigned to you 'can' also change.
But they don't have to change, which means you will have static IPv6 for all your networks and devices.
Here, where I live, it's actually the (French) law that says : your IPv4 needs to change at least once a year, except if you signed up for a static IPv4.
Same thing for IPv6 (prefixes) and afaik, static IPv6 prefixes for 'end consumer connection' don't exist (yet).
So, yes, if one or more (your entire 256 /64 prefixes range probably) changes, your LAN network will go through what I call 'a messy moment'.
A whole set of protocols exists to detect this moment, as the good old "DHCPv6 server and DHCPv6 client" relation won't cut it anymore. During half the duration of the assigned IPv6 DHCP lease time, the pfSense LAN client won't be aware that the upstream pulled the plug out of the existing gateway path.
What can you do on your side to stay away from the IPv6 prefix change moment :
Don't reboot your ISP 'box' router anymore.
Do whatever you can so your ISP WAN link stays up. Handle this as a "no matter what situation".
Same thing for pfSense.
These first 3 cases : it's actually easy : do what the pros do (the guys who don't want to be bothered by stupid physical, easy to circumvent situations) : get an UPS. In short : throw more hardware at it.
The NAS can also power all your main 'behind pfSense' switches so from now on the pfSense NICS won't flip anymore, and this stabilizes all pfSense processes. You're good for an "one year up time" attempt ^^
IPv6, here in France, isn't a gadget anymore. 80 % IPv6 coverage !
What I (think I) do know : my pfSense WAN DUID has to stay the same. If it changes, I get other prefix out of the ISP /56 pool for my LANs.
Btw : my setup is this :
ISP <= classic 2 Gbit/sec fiber => ISP Router ** <= 2 feet cable => pfSense <= My pfSense LANs =>
All this equipment is powered by 2 1KwH UPSs.
pfSense is the only device connected to my ISP router.
My ISP router offers also "Wifi" : I don't use it.
My ISP router offers also a "phone" : As a company, I have ISDN, so I use this ISP phone number as a fax line. It doesn't cost me anything ... but (as a hotel) we don't receive faxes anymore 'for some reason'.
My ISP router offers also a second device, a TV set decoder, so that is the second device that is hooked up to the ISP box. Not that we really use it, but it's there as our third method of receiving TV channels (local numeric broadcast being method one, for all the TVs in the hotel rooms, and a satellite receiver being method two).
edit: sorry for the ramble.
-
@jarmo said in IPv6 connectivity lost on prefix change:
What should I do to fix this?
There is no perfect solution to this. What I do is to use ULAs together with NPt. That has the "benefit" that no client's IPv6 prefix will ever change, this will reduce the mess a lot. Also I am not a heavy IPv6-user anymore, so I still might have problems that I am not aware of.

-
@jarmo said in IPv6 connectivity lost on prefix change:
My device connected to an interface loses ipv6 connectivity on isp prefix change. What do I have to do to avoid this?
On System / Advanced / Networking make sure Do not allow PD/Address release is selected.
-
@jarmo said in IPv6 connectivity lost on prefix change:
My device connected to an interface loses ipv6 connectivity on isp prefix change. What do I have to do to avoid this?
It will be (or should be) automagically handled by pfSense if your
- LAN IPv6 Configuration Type is "Track Interface" and the Interface is "WAN" (Interfaces / LAN )
- The Router Advertisement is not "Disabled" or "Router Only" (Services / Router Advertisement / LAN)
- The DHCPv6 server is enabled (if used). The current IPv6 PD prefix should be seen under "Primary Address Pool" (Services / DHCPv6 Server / LAN)
When your prefix changes, pfSense will update the RA/DHCPv6 server with the new prefix which will be broadcast on the LAN. The clients will detect this change and request new leases (DHCPv6) or incorporate the prefix in their address (for SLAAC). Well, that's my understanding anyway and it has been working fine for the last few years for me (although my prefix has remained fairly static in that time)
-
@pst said in IPv6 connectivity lost on prefix change:
it has been working fine for the last few years for me (although my prefix has remained fairly static in that time
Your perspective might change if your prefix is changing daily, you start to see things...

-
@Bob.Dig said in IPv6 connectivity lost on prefix change:
Your perspective might change
Why? pfSense should automatically handle the prefix change if the setup is as I described; even with a prefix changing every hour I wouldn't even notice :)
-
@pst said in IPv6 connectivity lost on prefix change:
The clients will detect this change and request new leases (DHCPv6) or incorporate the prefix in their address (for SLAAC)
This doesn't work reliably, you just don't know that yet.
-
@jarmo I've found it helpful to lower Valid Lifetime and Preferred Lifetime in the RA settings.
And on Windows one can manually remove old IPs via:
netsh interface ipv6 delete address interface="Ethernet 2" ipv6here
Otherwise I find it tends to keep trying to use them even if it's acquired a new IP. (presumably, until the lifetime ends)
I am running the newest version of pfSense.
2.8.1 and 25.11 are both newest. :)
-
@JKnott said in IPv6 connectivity lost on prefix change:
@jarmo said in IPv6 connectivity lost on prefix change:
My device connected to an interface loses ipv6 connectivity on isp prefix change. What do I have to do to avoid this?
On System / Advanced / Networking make sure Do not allow PD/Address release is selected.
This might actually help! After router reboot, my ipv6 connection has now been stable for 5 hours. I will monitor this and keep you up to date.
However, I still do not understand why a prefix change is not propagated, so let us consider the options.
@Bob.Dig said in IPv6 connectivity lost on prefix change:
@jarmo said in IPv6 connectivity lost on prefix change:
What should I do to fix this?
There is no perfect solution to this.
Is this fundamentally an ipv6 problem? A netgate / pfsense problem? A client problem?
@pst said in IPv6 connectivity lost on prefix change:
@jarmo said in IPv6 connectivity lost on prefix change:
My device connected to an interface loses ipv6 connectivity on isp prefix change. What do I have to do to avoid this?
It will be (or should be) automagically handled by pfSense if your
- LAN IPv6 Configuration Type is "Track Interface" and the Interface is "WAN" (Interfaces / LAN )
- The Router Advertisement is not "Disabled" or "Router Only" (Services / Router Advertisement / LAN)
- The DHCPv6 server is enabled (if used). The current IPv6 PD prefix should be seen under "Primary Address Pool" (Services / DHCPv6 Server / LAN)
These are not sufficient: I had these.
@pst said in IPv6 connectivity lost on prefix change:
When your prefix changes, pfSense will update the RA/DHCPv6 server with the new prefix which will be broadcast on the LAN.
Judging from what was observed in the opening post, these do happen. Old dhcpv6 leases disappear from router list. New prefix is advertised.
@pst said in IPv6 connectivity lost on prefix change:
The clients will detect this change and request new leases (DHCPv6) or incorporate the prefix in their address (for SLAAC).
But, again from what I observed, these do not take place. Clients think old leases are valid. It does not seem to depend on dhcpv6 vs. slaac. It does not seem to depend on client type as in linux vs. macos.
@Bob.Dig said in IPv6 connectivity lost on prefix change:
@pst said in IPv6 connectivity lost on prefix change:
The clients will detect this change and request new leases (DHCPv6) or incorporate the prefix in their address (for SLAAC)
This doesn't work reliably, you just don't know that yet.
My observations support this.
@SteveITS said in IPv6 connectivity lost on prefix change:
@jarmo I've found it helpful to lower Valid Lifetime and Preferred Lifetime in the RA settings.
I will explore this.
@SteveITS said in IPv6 connectivity lost on prefix change:
I am running the newest version of pfSense.
2.8.1 and 25.11 are both newest. :)
Fair enough: I am running 25.11 on Netgate 4200.
I really appreciate all the efforts here, thanks!
-
@Gertjan said in IPv6 connectivity lost on prefix change:
@jarmo
So, yes, if one or more (your entire 256 /64 prefixes range probably) changes, your LAN network will go through what I call 'a messy moment'.
A whole set of protocols exists to detect this moment, as the good old "DHCPv6 server and DHCPv6 client" relation won't cut it anymore. During half the duration of the assigned IPv6 DHCP lease time, the pfSense LAN client won't be aware that the upstream pulled the plug out of the existing gateway path.
Answers provided by AI can be incorrect, so I know this is risky. Still, out of curiosity, I asked Claude:
what processes should take place between the router and the clients in an ipv6 network when a prefix delegated by isp changes?
and here is the answer as raw text:
# IPv6 Prefix Delegation Change Process

When an ISP changes a delegated prefix, the following processes should occur:

## 1. **ISP to Router**
- ISP sends new prefix via **DHCPv6-PD** (Prefix Delegation)
- Router's WAN interface receives the new prefix
- Old prefix lease expires or is explicitly revoked

## 2. **Router Processing**
- Router accepts the new prefix
- Updates its routing tables
- Reconfigures internal interfaces with new prefix addresses
- Prepares to deprecate old prefix

## 3. **Router to Clients (via SLAAC)**
- Router sends **Router Advertisement (RA)** messages with:
  - **New prefix** with valid and preferred lifetimes
  - **Old prefix** with:
    - Preferred lifetime = 0 (deprecated)
    - Valid lifetime = reduced (typically 2 hours)

## 4. **Client Processing**
- Clients receive RAs and:
  - Generate new addresses from the new prefix (SLAAC)
  - Mark old addresses as **deprecated** (stop using for new connections)
  - Keep old addresses **valid** temporarily for existing connections
  - Update DNS records (if using dynamic DNS)

## 5. **Gradual Transition**
- New outbound connections use new addresses
- Existing connections continue on old addresses until completion
- Old addresses expire after valid lifetime (graceful shutdown)

## 6. **DHCPv6 Clients (if used)**
- Router's DHCPv6 server updates its pool
- Clients renew leases and receive new addresses
- Old addresses are released

## Best Practices
- Configure appropriate lifetimes (RFC 8028 recommends 2h valid, 30min preferred for old prefix)
- Monitor for connectivity issues during transition
- Some applications may need restart if they cache addresses

Is this even approximately correct?
-
@jarmo did you try lowering the lifetime settings as it and I suggested? :) pfSense defaults are 1 day and 4 hours.
-
@SteveITS said in IPv6 connectivity lost on prefix change:
@jarmo did you try lowering the lifetime settings as it and I suggested? :) pfSense defaults are 1 day and 4 hours.
Hi @SteveITS.
Not yet, because I am still running my experiment on the stability of the connections with disallowing pd/address release. Out of curiosity, what values do you use?
-
@jarmo said in IPv6 connectivity lost on prefix change:
Out of curiosity, what values do you use?
Fritzbox is using 2 and 1 hour.
-
@jarmo in our office, I think 1h and 30m
-
@jarmo said in IPv6 connectivity lost on prefix change:
This might actually help! After router reboot, my ipv6 connection has now been stable for 5 hours. I will monitor this and keep you up to date.
A way to test is to disconnect & reconnect the WAN cable.
-
@JKnott said in IPv6 connectivity lost on prefix change:
@jarmo said in IPv6 connectivity lost on prefix change:
My device connected to an interface loses ipv6 connectivity on isp prefix change. What do I have to do to avoid this?
On System / Advanced / Networking make sure Do not allow PD/Address release is selected.
In my case this turned out to be a game changer. I have been running experiments, and after this change my ipv6 connections are stable within the timeframe I have tested, that is, of the order of a single day. This is sufficient for my purposes, and it might even turn out that stability persists over longer time periods.
I do not know whether my case is an edge one, but given that prefix change (or address change) is not currently propagated, I am not sure why this setting is not the default.
@SteveITS said in IPv6 connectivity lost on prefix change:
@jarmo I've found it helpful to lower Valid Lifetime and Preferred Lifetime in the RA settings.
I have also adopted this with one of the recommended 2 hours for valid and 1 hour for preferred lifetime. At some point I will try solely this without denying pd/address release and see how it works.
If github would support ipv6, I think I could operate some interfaces without ipv4 now. On some interfaces I use relatively few online services.
Thanks to everyone. If prefix/address change propagation is fixed at some point, it will hopefully propagate on this board.
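
The RA lifetime values discussed in this thread decide how long a SLAAC client keeps an address from the old prefix, so here is an added example (not written by any poster and not pfSense code) that implements the lifetime update rule of RFC 4862 section 5.5.3 and computes the worst-case window for each setting quoted above. The function names and the two router behaviours compared (dropping the old prefix silently versus advertising it with lifetimes of 0) are assumptions for illustration.

```python
# Added example: SLAAC address lifetime handling per RFC 4862, section 5.5.3.
# Function names and the two router behaviours are assumptions for illustration.
# DHCPv6 leases are not modelled; they follow their own renew/rebind timers.
TWO_HOURS = 2 * 3600

def apply_ra(valid, preferred, adv_valid, adv_preferred):
    """Lifetimes (valid, preferred) in seconds after an unauthenticated RA
    re-advertises a prefix the client already holds an address in."""
    if adv_preferred > adv_valid:
        return valid, preferred        # 5.5.3 c: inconsistent option is ignored
    if adv_valid > TWO_HOURS or adv_valid > valid:
        new_valid = adv_valid          # 5.5.3 e.1: take the advertised value
    elif valid <= TWO_HOURS:
        new_valid = valid              # 5.5.3 e.2: advertised valid lifetime ignored
    else:
        new_valid = TWO_HOURS          # 5.5.3 e.3: shorten to two hours, no further
    return new_valid, adv_preferred    # preferred lifetime always follows the RA

def stale_window(ra_valid, ra_preferred, router_deprecates):
    """Worst case for an address in the old prefix: the client refreshed its
    lifetimes from an RA just before the prefix changed.
    Returns (seconds still valid, seconds still preferred)."""
    valid, preferred = ra_valid, ra_preferred
    if router_deprecates:
        # Hypothetical router that keeps the old prefix in its RAs with
        # both lifetimes set to 0 instead of silently dropping it.
        valid, preferred = apply_ra(valid, preferred, 0, 0)
    return valid, preferred

# RA lifetime settings quoted in the thread: (valid, preferred) in seconds.
PROFILES = {
    "pfSense default (1 day / 4 h)": (86400, 14400),
    "2 h / 1 h": (7200, 3600),
    "1 h / 30 min": (3600, 1800),
}

def report():
    rows = []
    for name, (valid, preferred) in PROFILES.items():
        silent = stale_window(valid, preferred, router_deprecates=False)
        withdrawn = stale_window(valid, preferred, router_deprecates=True)
        rows.append((name, silent, withdrawn))
    return rows

if __name__ == "__main__":
    for name, silent, withdrawn in report():
        print(f"{name:32} old prefix dropped silently: valid {silent[0]}s, "
              f"preferred {silent[1]}s | advertised with 0/0: valid "
              f"{withdrawn[0]}s, preferred {withdrawn[1]}s")
```

An address with a preferred lifetime of 0 is deprecated, so new connections stop using it as a source address, while the two-hour rule keeps an unauthenticated RA from removing the address outright.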
-
@JKnott said in IPv6 connectivity lost on prefix change:
On System / Advanced / Networking make sure Do not allow PD/Address release is selected.
Per the docs this would apply if dhcp6c "exits." Does it also apply if the link is lost? (ISP router reboots) I would think the link loss would happen before dhcp6c could do anything...
IOW is the implication that OP's dhcp6c is restarting?