Netgate Discussion Forum

    Toob (UK) IPV6 NDP Table Issues

      Rewels

      Hello,

      Wondering if anyone is able to assist with an issue I am having with Toob (UK) and IPv6 on a newly implemented PFSense Box.

      I did come across this post here which has helped in terms of configuring IPv6; however, towards the end, the thread details the exact issue I am having at the moment.

      If I pay attention to the NDP Table (Diagnostics > NDP Table) I can see Leases being issued for devices on the network for 24 hours. After about 1-2 minutes the Lease times drop from 24 hours to 40 seconds and then expire. Shortly after this they do auto renew but this doesn't look like normal behaviour and I am not sure if this is down to my Firewall or Toob UK.

      I have also noticed that if I disconnect a device when it has a v6 address and then reconnect, the device will not grab a new address for a while (unsure of timescale) unless I refresh the WAN interface, and then it issues an IP to the device straight away.

      I can provide some more details if required when I am back at home.

      Thanks in advance

        Gertjan @Rewels

        @Rewels said in Toob (UK) IPV6 NDP Table Issues:

        I also have noticed if I disconnect a device ....

        Like pulling out the cable, shutting down the device, or shutting down the Wifi ? In all these cases, like IPv4, the DHCPv6 client, exactly like the DHCPv4 client process of the device, will initiate a new request.

        33921a25-9910-468b-914b-67adb1a98abd-image.png

        and from now on the requests of the pfSense DHCPv6 client, which negotiates with the upstream ISP DHCPv6 server, will be logged in the DHCP logs with the mention dhcp6c. You can see what actually happens.

        @Rewels said in Toob (UK) IPV6 NDP Table Issues:

        If I pay attention to the NDP Table (Diagnostics > NDP Table) I can see Leases

        Dunno what 'NDP' is or means 😊
        But :

        0d390eb5-cd24-4e25-b542-2de279caeb18-image.png

        so, whatever** NDP shows isn't the DHCPv6 lease duration.

        ( ** probably more like what ARP is for IPv4 : a local cache )

        @Rewels said in Toob (UK) IPV6 NDP Table Issues:

        After about 1-2 minutes the Lease times drop from 24 hours to 40 seconds and then expire.

        So this :

        @Rewels said in Toob (UK) IPV6 NDP Table Issues:

        After about 1-2 minutes the Lease times drop from 24 hours to 40 seconds and then expire

        is a NDP thing, and it refreshes all the time.
        Once a device gets a lease, neither the device nor the DHCPv6 server can change it. The connection can get lost, the lease will be renewed.

        For your LAN IPv6 to work, the LAN DHCPv6 server needs a 'stable' prefix. This prefix can get renewed and should stay 'the same' as long as possible.
        The ISP gave it to the DHCPv6 client on the pfSense WAN interface, who transfers (as the LAN interface => DHCP server uses "tracking") it to the LAN DHCPv6 server, who uses it to deal out leases from the prefix - Lease - pool.
        No science degree needed to understand what happens if the ISP changes your prefix every xxx time.

        Btw : a /56 prefix size, or 2^(56-64) = 256 prefixes, is pretty standard. Enough to create 254 LANs (one /64 for each LAN) and one prefix can be used for the pfSense WAN side, for the pfSense IPv6 WAN IP.

        I'm not in the UK, but France.
        See my reply as generic IPv6 info.

        No "help me" PM's please. Use the forum, the community will thank you.

          Rewels @Gertjan

          @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

          Like pulling out the cable, shutting down the device, or shutting down the Wifi ? In all these cases, like IPv4, the DHCPv6 client, exactly like the DHCPv4 client process of the device, will initiate a new request.

          So whenever I disconnect a Wi-Fi Device or a Device plugged in via Ethernet this happens where the issued IPv6 Addresses clear which is expected but when reconnected addresses are not issued again (at least in a timely manner). I am finding that it is taking roughly 5-10 Minutes after reconnecting for the addresses to maybe repopulate and this doesn't seem like normal behaviour.

          @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

          and from now on the requests of the pfSense DHCPv6 client, which negotiates with the upstream ISP DHCPv6 server, will be logged in the DHCP logs with the mention dhcp6c. You can see what actually happens.

          I have switched on debugging for the dhcpv6 client now, and after tailing these logs I can see every 5 minutes that the IP on my WAN interface is renewed with the exact same IP, as this is static from my ISP on IPv6. The prefix is also renewed but with no change, as the prefix is the exact same. I do not see anything in here from the clients themselves.
          Screenshot 2026-04-24 at 14.00.46.png

          @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

          ( ** probably more like what ARP is for IPv4 : a local cache )

          You are correct about this, NDP Table is just the ARP equivalent of IPv4. I may have been getting myself confused looking at those timeouts but the sudden change from 1 day to 40 seconds just seemed very odd.

          Just hope there's a solution as to why devices take forever to get their v6 addresses again after disconnecting briefly. I don't remember this happening on the ISP Router so it would seem possibly a config error in PFSense?

          Appreciate your help so far if you want any more screenshots etc more than happy to provide if it helps.

            Gertjan @Rewels

            @Rewels said in Toob (UK) IPV6 NDP Table Issues:

            So whenever I disconnect a Wi-Fi Device or a Device plugged in via Ethernet this happens ..

            As soon as the link comes up, the OS starts executing a todo list.
            The very first thing that happens : it starts the DHCPv4 client so your device gets an IPv4 (and a network, and a gateway, and a DNS).
            That's known stuff, works fine - as it took 60 years or so to make this one (IPv4) stable.
            If the device goes off-line, that's no big deal, the DHCPv4 server couldn't care less. The IP attributes will disappear from the ARP table, sure, but that's no big deal either : it won't reply anymore, it's off line after all.
            Now, let's apply the IPv4 to IPv6 (this is totally forbidden (so I didn't say this^^)) : IPv6 is the same thing.

            The client interface comes up, the DHCPv6 client also starts, and requests an IPv6, and probably, like IPv4, it will request an IP (lease) that it previously got.
            On the pfSense server side, both IPv4 and IPv6, as for this device an already known lease exists, the server will redistribute the same info.
            This is quite normal for a wifi connection, as wifi can come and go as the radio connection is bad (but we humans don't know that).

            What you already know :
            Your pfSense LAN IPv4 is set up using a static RFC1918 IP network. It never changes.
            The IPv6 side is different, as the DHCPv6 server uses a network, a /64 prefix that came from .... upstream == your ISP. You are not allowed to pick your own GUA IPv6 network.


            dhcp6c :
            Here is mine : my dhcp6c got a prefix from my ISP :

            adef8e15-ba4d-43e1-9a25-5aff03afc0b7-image.png

            a prefix is always a /64 ....

            You should see it here :

            35ab39b8-eaed-438c-92e3-276e9ff7d989-image.png

            You got a /56, that's 254 prefixes.
            Your DHCPv6 LAN server has a /64 - and not a /56, right ?!

            Btw : not saying that a /56 doesn't work, but it should be a /64 - imho.

            The dhcp6c renewing like every 300 seconds : I know, I see the same thing here.
            I still don't know 'why' but that is apparently normal.

            Btw : my PCs, phones etc, when coming online, don't take "10 minutes" to get an IPv4 or IPv6 .... that's, I agree, not normal. Why would a DHCP server take minutes to answer ? It's more like 10 ms max.

            Your DNS/DHCP/whatever pfSense services aren't restarting xx times per minute, right ? (see system, resolver and DHCP logs) ?

            No "help me" PM's please. Use the forum, the community will thank you.

              Rewels @Gertjan

              @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

              You got a /56, that's 254 prefixes.
              Your DHCPv6 LAN server has a /64 - and not a /56, right ?!

              Btw : not saying that a /56 doesn't work, but it should be a /64 - imho.

              Screenshot 2026-04-24 at 15.37.31.png

              This is what I can see in my DHCPv6 Server and you are correct it does show /64 but as far as I know my ISP issues /56 Prefix, I can change it on my WAN Interface if you think it should be /64?

              @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

              The dhcp6c renewing like every 300 seconds : I know, I see the same thing here.
              I still don't know 'why' but that is apparently normal.

              I'm glad you also experience this so I can rule that out as being a problem from my ISP.

              @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

              Btw : my PCs, phones etc, when coming online, don't take "10 minutes" to get an IPv4 or IPv6 .... that's, I agree, not normal. Why would a DHCP server take minutes to answer ? It's more like 10 ms max.

              Exactly, now with IPv4 no issues at all it just works as expected. Now what I have just discovered is if I restart Router Advertisement service whilst my Phone has no active IPv6 Address after reconnecting it to the WiFi I seem to get an address.

              @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

              Your DNS/DHCP/whatever pfSense services aren't restarting xx times per minute, right ? (see system, resolver and DHCP logs) ?

              I can't seem to see anything else regarding DHCP but I can see this regarding DNS Resolver but again not sure if this is normal.
              Screenshot 2026-04-24 at 15.43.00.png

              I am running pfblocker if this helps too.

              I have an issue with my system log at the moment.
              Screenshot 2026-04-24 at 15.45.48.png

                Rewels

                I think I may have fixed my issue by playing around with the settings in Router Advertisement.
                Screenshot 2026-04-24 at 17.45.19.png

                After changing Router Mode to Unmanaged to utilise SLAAC and disabled DHCPv6 Server.

                I also made a change to the Priority from Normal to High and amended the Intervals and Router Lifetime.

                Now when I disconnect a device and reconnect, the device is able to grab an IPv6 address within roughly 10 seconds, consistently.

                This seems to work for my use case currently as I believe the default settings are just a bit too high if you are wanting a device to reconnect via Router Advertisements.

                  JKnott @Rewels

                  @Rewels

                  I believe you're talking about the LAN side. If so, I recommend using SLAAC rather than DHCP. It's easier to configure and Android devices don't like DHCPv6.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                    Gertjan @Rewels

                    @Rewels

                    This :

                    5924ba82-d5b1-4d84-ae14-27cb70b72d3a-image.png

                    is bad / not normal /shouldn't do this.
                    Unbound restarting every x seconds was an issue in the past.
                    You use pfBlockerng so this could be the cause : read and check this :

                    7496d9fd-aeee-45ec-88e4-11caaa1fcb05-image.png

                    Don't tell me you are still using "Unbound mode" ^^

                    Btw : not using DHCPv6 servers at all for your pfSense LAN(s), and rely on SLAAC if you use Android devices.
                    I've never seen these devices, and have a preference for "DHCP" as this permits me to use shorter GUA IPv6 addresses. I'm aware that this is just me wanting to do this, technically, it isn't better.
                    DHCPv6 always works fine for me.

                    ce672b23-20a4-4ae7-94a4-426a1d4c6281-image.png

                    No "help me" PM's please. Use the forum, the community will thank you.

                      Rewels @Gertjan

                      @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

                      Don't tell me you are still using "Unbound mode" ^^

                      Thanks for pointing this out, to be honest I had no idea as this was set by default when installing the add-on devel version too. I have since changed this and that has resolved that issue thank you.

                      @Gertjan said in Toob (UK) IPV6 NDP Table Issues:

                      Btw : not using DHCPv6 servers at all for your pfSense LAN(s), and rely on SLAAC if you use Android devices.

                      We have a few android devices in the house so SLAAC is the best option. I believe I may have found the culprit now as I have now reverted all the settings I listed above.

                      Currently using the ISP router in Bridge Mode to provide WiFi in the house whilst I sort out my UniFi shopping list (not long moved in).

                      If I connect a Windows Laptop directly to the PFSense Firewall I get an IPv6 address instantly, which is expected, and subsequently if I disconnect and reconnect the cable I get another address instantly. I believe the Router running in Bridge mode is blocking ICMP6 Router Advertisement and Router Solicitation packets (even though there are no settings available on the Web UI in Bridge Mode and it suggests that all items relating to Security have been disabled). I was able to prove this by running a Packet Capture on the PFSense Firewall for ICMP6.

                      Otherwise the only other way I was able to get this to work via the Bridge Mode router is to wait for the Interval timeout or to restart Router Advertisements Service in PFSense for it to force issue IPs.

                      Didn't think it could be that purely cause IPv6 was working on that unit when it was the active Router and assumed Bridge Mode would work, clearly not the case.

                      Thanks for all your help :) Maybe I will look into DHCPv6 in the future but for now SLAAC will do.
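
The final post confirms the cause with an ICMP6 packet capture on the firewall. As an added example (not code from the thread or from pfSense), this Python sketch reads tcpdump-style text output and reports whether Router Solicitations arrive and are answered by a Router Advertisement. The sample captures, addresses, function names and the 3-second answer window are constructed assumptions, and the line format is assumed to be tcpdump's default text output.

```python
import re
from datetime import datetime

# Assumed input: tcpdump's default text output for an ICMPv6 capture.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP6 (\S+) > \S+: ICMP6, "
                  r"router (solicitation|advertisement)")

# Constructed samples (not from the thread): capture through the bridge, then direct.
BRIDGED = """\
15:00:00.000000 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 64
15:04:10.000000 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 64
15:09:30.000000 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 64
"""
DIRECT = """\
15:00:00.000000 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 64
15:01:00.000000 IP6 fe80::aaaa > ff02::2: ICMP6, router solicitation, length 16
15:01:00.500000 IP6 fe80::1:1 > ff02::1: ICMP6, router advertisement, length 64
"""

def parse(capture):
    """Return (seconds_since_midnight, 'RS' or 'RA', source) per matching line."""
    events = []
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
            events.append((secs, "RS" if m.group(3) == "solicitation" else "RA", m.group(2)))
    return events

def diagnose(capture, window=3.0):
    """Summarise RS/RA traffic; an RS counts as answered if an RA follows within `window` s."""
    events = parse(capture)
    rs = [t for t, kind, _ in events if kind == "RS"]
    ra = [t for t, kind, _ in events if kind == "RA"]
    answered = sum(1 for t in rs if any(0 <= a - t <= window for a in ra))
    if not ra:
        verdict = "no RA sent"
    elif not rs:
        verdict = "no RS arrives; clients wait for the next periodic RA"
    elif answered < len(rs):
        verdict = "RS arrives but is not answered"
    else:
        verdict = "RS answered; any client delay is downstream of the firewall"
    return {"rs": len(rs), "answered": answered, "verdict": verdict,
            "ra_gaps_s": [round(b - a, 1) for a, b in zip(ra, ra[1:])]}

if __name__ == "__main__":
    for name, cap in (("bridged", BRIDGED), ("direct", DIRECT)):
        print(name, diagnose(cap))
```

The `ra_gaps_s` values show how long a client that never gets a solicited RA would have to wait for the next periodic one.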

                      Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.