IPv6 testing
-
Another little bug for the todo-list:
- When running the dhcpv6d server without specifying an ipv6 DNS option, the dhcpv6d will fail to start if you have not specified an ipv6 DNS server for the PFsense box itself (System: General Setup).
Strange, dnsmasq listens on a v6 socket anyhow, so you could use the pfSense IPv6 address as the dns option.
I'd need to replicate this.
Feb 15 21:13:42 check_reload_status: syncing firewall
Feb 15 21:13:43 dhcpd: Internet Systems Consortium DHCP Server 4.1.1-P1
Feb 15 21:13:43 dhcpd: Copyright 2004-2010 Internet Systems Consortium.
Feb 15 21:13:43 dhcpd: All rights reserved.
Feb 15 21:13:43 dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Feb 15 21:13:43 dhcpd: /etc/dhcpdv6.conf line 17: Invalid IPv6 address.
Feb 15 21:13:43 dhcpd: /etc/dhcpdv6.conf line 17: Invalid IPv6 address.
Feb 15 21:13:43 dhcpd: option dhcp6.name-servers 192.168.111.2,
Feb 15 21:13:43 dhcpd: option dhcp6.name-servers 192.168.111.2,
Feb 15 21:13:43 dhcpd: ^
Feb 15 21:13:43 dhcpd: ^
Feb 15 21:13:43 dhcpd: Configuration file errors encountered -- exiting
Feb 15 21:13:43 dhcpd: Configuration file errors encountered -- exiting
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd: If you did not get this software from ftp.isc.org, please
Feb 15 21:13:43 dhcpd: If you did not get this software from ftp.isc.org, please
Feb 15 21:13:43 dhcpd: get the latest from ftp.isc.org and install that before
Feb 15 21:13:43 dhcpd: get the latest from ftp.isc.org and install that before
Feb 15 21:13:43 dhcpd: requesting help.
Feb 15 21:13:43 dhcpd: requesting help.
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd: If you did get this software from ftp.isc.org and have not
Feb 15 21:13:43 dhcpd: If you did get this software from ftp.isc.org and have not
Feb 15 21:13:43 dhcpd: yet read the README, please read it before requesting help.
Feb 15 21:13:43 dhcpd: yet read the README, please read it before requesting help.
Feb 15 21:13:43 dhcpd: If you intend to request help from the dhcp-server@isc.org
Feb 15 21:13:43 dhcpd: If you intend to request help from the dhcp-server@isc.org
Feb 15 21:13:43 dhcpd: mailing list, please read the section on the README about
Feb 15 21:13:43 dhcpd: mailing list, please read the section on the README about
Feb 15 21:13:43 dhcpd: submitting bug reports and requests for help.
Feb 15 21:13:43 dhcpd: submitting bug reports and requests for help.
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd: Please do not under any circumstances send requests for
Feb 15 21:13:43 dhcpd: Please do not under any circumstances send requests for
Feb 15 21:13:43 dhcpd: help directly to the authors of this software - please
Feb 15 21:13:43 dhcpd: help directly to the authors of this software - please
Feb 15 21:13:43 dhcpd: send them to the appropriate mailing list as described in
Feb 15 21:13:43 dhcpd: send them to the appropriate mailing list as described in
Feb 15 21:13:43 dhcpd: the README file.
Feb 15 21:13:43 dhcpd: the README file.
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd:
Feb 15 21:13:43 dhcpd: exiting.
Feb 15 21:13:43 dhcpd: exiting.
Feb 15 21:13:43 php: /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf em1' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.1.1-P1 Copyright 2004-2010 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 17: Invalid IPv6 address. option dhcp6.name-servers 192.168.111.2, ^ Configuration file errors encountered -- exiting If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please read the section on the README about submitting bug reports and requests for help. Please do not under any circumstances send requ
If I add an ipv6 DNS server to the PFsense box itself (System: General Setup), this error is gone.
-
An additional bug is that if you specify a DNS server in the DHCPv6 config, the setting is saved correctly, but it does not show up when you refresh the settings page.
-
Just followed my own howto but could not replicate the missing default route issue.
I followed the same steps outlined and ended up with 2 default routes, one for v4 and one for v6. Both survive a reboot.
I'll add code that prevents entering a v4 address there.
Edit: Fixed 06-03-2011
-
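Added example, not part of the thread and not pfSense code: a pre-flight check for the failure in the log above, where an IPv4 address written into `option dhcp6.name-servers` makes dhcpd exit with "Invalid IPv6 address". The sample config is constructed, and `check_name_servers` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed sample modelled on the failing /etc/dhcpdv6.conf in the log above.
SAMPLE_CONF = """\
option domain-name "example.lan";
subnet6 2001:db8:1::/64 {
  range6 2001:db8:1::200 2001:db8:1::2ff;
  option dhcp6.name-servers 192.168.111.2, 2001:db8:1::1;
}
"""

# [^;]* also matches newlines, so a statement wrapped over several lines is covered.
OPTION_RE = re.compile(r"\boption\s+dhcp6\.name-servers\s+([^;]*);")


def check_name_servers(conf_text):
    """Return (line_no, value, reason) for each name-server entry dhcpd -6 would reject."""
    # Drop '#' comments but keep the line count intact for reporting.
    text = "\n".join(line.split("#", 1)[0] for line in conf_text.splitlines())
    problems = []
    for match in OPTION_RE.finditer(text):
        line_no = text.count("\n", 0, match.start(1)) + 1
        for raw in match.group(1).split(","):
            value = raw.strip()
            if not value:
                problems.append((line_no, value, "empty entry"))
                continue
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                problems.append((line_no, value, "not an IP address"))
                continue
            if addr.version != 6:
                problems.append((line_no, value, "IPv4 address in a DHCPv6 option"))
    return problems


if __name__ == "__main__":
    for line_no, value, reason in check_name_servers(SAMPLE_CONF):
        print(f"line {line_no}: {value!r}: {reason}")
```
-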
Hi, I've been lurking for a while but I've been on 2.0 for a few months now and trying out the IPv6 with he.net tunnelbroker.
I can't seem to get DHCPv6 to work. In the logs it says "send_packet no route to host." I believe this is when it sends the advertise. With a manually assigned IP it works fine. I don't know if this was covered before so my apologies in advance if this was covered already.
-
Here are the exact log entries
Feb 19 01:36:14 firewall dhcpd: send_packet6: No route to host
Feb 19 01:36:14 firewall dhcpd: dhcpv6: send_packet6() sent -1 of 104 bytes
Feb 19 01:36:16 firewall dhcpd: Solicit message from fe80::311e:568e:5624:2040 port 546, transaction ID 0x784DC000
Feb 19 01:36:16 firewall dhcpd: Picking pool address 2001:XXX:XXX:XXX::200
Feb 19 01:36:16 firewall dhcpd: Sending Advertise to fe80::311e:568e:5624:2040 port 546
Feb 19 01:36:16 firewall dhcpd: send_packet6: No route to host
Feb 19 01:36:16 firewall dhcpd: dhcpv6: send_packet6() sent -1 of 104 bytes
Feb 19 01:36:20 firewall dhcpd: Solicit message from fe80::311e:568e:5624:2040 port 546, transaction ID 0x784DC000
Feb 19 01:36:20 firewall dhcpd: Picking pool address 2001:XXX:XXXX:XXX::200
Feb 19 01:36:20 firewall dhcpd: Sending Advertise to fe80::311e:568e:5624:2040 port 546
My LAN is bridged and I suspect that may be the problem since it has no link local address.
-
@|DSI|:
When creating firewall rule, would it be possible to add option "Both" to TCP/IP Version - so that firewall rule would apply to both IPv4 and IPv6?
That makes no sense, the pf firewall rule can only apply to v4 or v6 traffic, not both. Are you referring here to aliases perhaps?
I know that it can only apply to v4 or v6. Both would "invisibly" create separate rule for IPv4 and IPv6 but user would see only one - having this option would reduce needed firewall rules.
Example:
I would like to allow outbound traffic on port 80 for both IPv4 and IPv6. Now I have to create Allow rule for IPv4 traffic on port 80, and separate rule for IPv6 traffic on port 80.
Or another example - Allow inbound traffic to webserver on LAN side:
Firstly you create alias where you list both IPv4 and IPv6 IP address of some host. Then on WAN interface you create firewall rule that allows inbound traffic on port 80, as destination IP you specify previously created alias.
-
Is the problem with the outlining in the firewall log widget in combination with IPv6 on the buglist already? Check the attached screenshot.
-
Another one.. is adding IPv6 networks to Aliases on the todo list already?
-
IPv6 addresses in aliases should just work? Am I missing something here? My install already uses aliases with ipv6 addresses.
There is one issue I know of on the networks type. It saves with /32, then save and edit, and you can change it to /64 or higher.
-
IPv6 addresses in aliases should just work? Am I missing something here? My install already uses aliases with ipv6 addresses.
There is one issue I know of on the networks type. It saves with /32, then save and edit, and you can change it to /64 or higher.
You're right. I didn't know yet about that "trick". I meant the dropdown list only to show up to CIDR 32. I just tried it again based on your posting and I can indeed enter an IPv6 address with CIDR 32, save it, edit it and change it to the appropriate CIDR 64. Guess that changes the todo item to making the dropdown list contain all 128 entries when adding a new alias :)
-
@|DSI|:
I know that it can only apply to v4 or v6. Both would "invisibly" create separate rule for IPv4 and IPv6 but user would see only one - having this option would reduce needed firewall rules.
Example:
We will not create functionality that would create rules that would not be properly visible to the user. There needs to be a rather direct connection between the UI rules and those in rules.debug.
I know fully well it is possible. But I choose not to make that functionality.
-
@databeestje: please make those images also for the nanobsd builds!
-
@databeestje, I saw you created an update for the Alias /128 problem yesterday. I just updated with the latest 2.0RC1 release and gitsynced with smos but it still only shows 32 on a new alias entry here.
-
@databeestje, any chance to have a look at the DHCPv6 IP reservations feature? DHCPv6 works fine, but when trying to create a reservation based on a MAC address, I'm getting an error stating the address does not lie within the subnet. I'm sure it is within the defined subnet though. Check the attached screenshot.
-
@databeestje, any chance to have a look at the DHCPv6 IP reservations feature? DHCPv6 works fine, but when trying to create a reservation based on a MAC address, I'm getting an error stating the address does not lie within the subnet. I'm sure it is within the defined subnet though. Check the attached screenshot.
I have not touched the edit page yet, I'll do so later.
Regarding the alias edit issue, it's javascript which I'm very uncomfortable with. I'll see if I can poke someone to have a look see.
-
If I can lend you a helping hand in the JavaScript piece, let me know. I'm a software developer for my profession. Aimed on Microsoft Technology though, but I've done a couple of implementations with custom written JavaScript. If I can help, I'll be happy to.
-
@|DSI|:
I have now received native IPv6 connectivity from my ISP.
I am using Link Aggregation on WAN interface. IPv4 works fine on LAGG interface but I have trouble configuring IPv6 on LAGG interface.
It seems that there is problem with setting IPv6 default route on LAGG interface, because Diagnostic->Routes shows this output under IPv6:
default 2a01:260:XXXX::d UGS 0 2937 1500 em0
For IPv4 it shows this
default 89.212.0.1 UGS 0 663297 1500 lagg0
So I assume that under IPv6 default route, interface should also be lagg0, not em0?
I've looked at your config but am unable to replicate with 2.0 RC1 with IPv6 bits. Perhaps something else was fixed in mainline.
I see both the v4 and v6 route attached to lagg1.
-
Seems to work now.
Maybe it also worked before, because I noticed that after moving (em0 and em1) interfaces to lagg and assigning lagg interface to WAN, IPv4 default route is correctly changed from em0 to lagg1.
But in order to change default IPv6 route from em0 to lagg1, reboot is required.
Thank you for your investigation!
-
I've made a number of fixes over the weekend regarding the routing bits. Seems that I've made a horrendous hodgepodge of that code, I was overwriting existing variables, forgetting to clear existing variables etc.
I think I've fixed a bunch of those which should help.
-
@databeestje, not sure if you're aware of this, but since you checked in your blind coded IPv6 DHCP reservations page, the reservations icon on the DHCPv6 Server page points to 'services_dhcpv6_edit.php' which returns a 404 not found.