RA Daemon "Assisted" Bug Fix (maybe, I'm not sure if this was by design)



  • Hi Guys,

    I just made videos on how to configure IPv6 on pfSense. While I was making them, I noticed that the "Assisted" option in the Router Advertisement Daemon always set the "Managed Address Configuration" flag to set (enabled). Now from what I understood "Assisted" basically is Stateless DHCP. And in Stateless DHCP, clients Autoconfig their addresses using SLAAC and ONLY get their IPv6 Options from the DHCPv6 Server. But the pfSense RA Daemon was not only telling everyone on the network to autoconfigure their IPv6 addresses using SLAAC, but to ALSO get an IPv6 address from the DHCPv6 server.

    So I modified the services.inc to write the radvd.conf properly, so that the option, tAdvManagedFlag is set to Off, when we choose Assisted. Now when I choose Assisted and run a packet capture, the Router Advertisement is setting the "Managed Address Configuration" flag to disabled (not set). This is the expected behavior (or at least I think the expected behavior) of Stateless DHCP.

    Once I knew where to modify the setting it was fairly simple. I'll document it below:-

    One of the functions that runs when you hit save on the Router Advertisements page is services_radvd_configure(), and this function writes the radvd.conf file. This function resides in /etc/inc/services.inc

    So open up services.inc  and modify the following chunk of code FROM:

    switch($dhcpv6ifconf['ramode']) {
                            case "managed":
                            case "assist":
                                    $radvdconf .= "\tAdvManagedFlag on;\n";
                                    $radvdconf .= "\tAdvOtherConfigFlag on;\n";
                                    break;
                    }

    TO:

    switch($dhcpv6ifconf['ramode']) {
                            case "managed":
                                    $radvdconf .= "\tAdvManagedFlag on;\n";
                                    $radvdconf .= "\tAdvOtherConfigFlag on;\n";
                                    break;
                            case "assist":
                                    $radvdconf .= "\tAdvManagedFlag off;\n";
                                    $radvdconf .= "\tAdvOtherConfigFlag on;\n";
                                    break;
                    }

    Save and exit and now your RA Daemon on pfSense is going to advertise the RA's with the "Managed Address Configuration" flag to not set (disabled)!!!

    I hope this helps someone out!! I have made a video of this on Youtube showing you step by step how to do this. Part 3 of the following video series explains this (I think  around minute 14). http://www.youtube.com/playlist?list=PL4T5Ac0HrL3PeGPoixe8RpHEeZuhf_hDD

    Please subscribe to my channel and/or "Like" my videos if anything there helps you out!!!

    Kind regards,
    Aqueeb.


  • Banned



  • Alright, so "Assisted" is by design. But then, is there no option for Stateless DHCP? If there is not, I'd like to volunteer to add "Stateless DHCP" option added to the drop down of Router Advertisement page.

    Before I start doing that, I'd just like a confirmation, that there indeed is no way of doing Stateless DHCP in pfSense.

    Kind regards,
    Aqueeb.



  • I was actually too excited to be able to change something on an open source project as big as pfSense. So I went ahead and modified the appropriate files to add Stateless DHCP. Created a video as I was doing the modifications. Video is at

    Youtube Video

    I will also document the changes here.

    Files that need to be modified.
    1. /usr/local/www/services_router_advertisements.php
    2. /etc/inc/services.inc

    First we modify the services_router_advertisements.php to add the "Stateless DHCP" option to the drop down box. Super easy:-

    CHANGE

    $advertise_modes = array("disabled" => "Disabled",
    "router" => "Router Only",
    "unmanaged" => "Unmanaged",
    "managed" => "Managed",
    "assist" => "Assisted");

    TO

    $advertise_modes = array("disabled" => "Disabled",
    "router" => "Router Only",
    "unmanaged" => "Unmanaged",
    "managed" => "Managed",
    "assist" => "Assisted",
    "stateless_dhcp" => "Stateless DHCP");

    Save and Exit. Then modify the file, services.inc. Change is at TWO places:-
    CHANGE-ONE
    CHANGE FROM

    switch($dhcpv6ifconf['ramode']) {
                            case "managed":
                            case "assist":
                                    $radvdconf .= "\tAdvManagedFlag on;\n";
                                    $radvdconf .= "\tAdvOtherConfigFlag on;\n";
                                    break;
                    }

    TO

    switch($dhcpv6ifconf['ramode']) {
                            case "managed":
                            case "assist":
                                    $radvdconf .= "\tAdvManagedFlag on;\n";
                                    $radvdconf .= "\tAdvOtherConfigFlag on;\n";
                                    break;
                            case "stateless_dhcp":
                                    $radvdconf .= "\tAdvManagedFlag off;\n";     
                                    $radvdconf .= "\tAdvOtherConfigFlag on;\n";     
                                    break;
                    }

    CHANGE-TWO
    CHANGE FROM

    switch($dhcpv6ifconf['ramode']) {
                            case "managed":
                                    $radvdconf .= "\t\tAdvOnLink on;\n";
                                    $radvdconf .= "\t\tAdvAutonomous off;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                            case "router":
                                    $radvdconf .= "\t\tAdvOnLink off;\n";
                                    $radvdconf .= "\t\tAdvAutonomous off;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                            case "assist":
                                    $radvdconf .= "\t\tAdvOnLink on;\n";
                                    $radvdconf .= "\t\tAdvAutonomous on;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                            case "unmanaged":
                                    $radvdconf .= "\t\tAdvOnLink on;\n";
                                    $radvdconf .= "\t\tAdvAutonomous on;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                    }

    TO

    switch($dhcpv6ifconf['ramode']) {
                            case "managed":
                                    $radvdconf .= "\t\tAdvOnLink on;\n";
                                    $radvdconf .= "\t\tAdvAutonomous off;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                            case "router":
                                    $radvdconf .= "\t\tAdvOnLink off;\n";
                                    $radvdconf .= "\t\tAdvAutonomous off;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                            case "stateless_dhcp":
                            case "assist":
                                    $radvdconf .= "\t\tAdvOnLink on;\n";
                                    $radvdconf .= "\t\tAdvAutonomous on;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                            case "unmanaged":
                                    $radvdconf .= "\t\tAdvOnLink on;\n";
                                    $radvdconf .= "\t\tAdvAutonomous on;\n";
                                    $radvdconf .= "\t\tAdvRouterAddr on;\n";
                                    break;
                    }

    For CHANGE-TWO all we do is add the line
    case "stateless_dhcp":
    above
    case "assist":

    Save and exit

    And that's it guys. After this, when you choose the option Stateless DHCP, the Managed Flag in Router Advertisements will be not set (disabled)!!

    I hope this helps someone out!

    Kind regards,
    Aqueeb.



  • In the case of adding another option I would suggest to clean up the text on the Router Advertisements option on services_router_advertisements.php so that each option is explained in a bullet list, because it is kind of messy right now. It would help first time IPv6 users to easier understand the options and their scope/consequences (well briefly).

    • al :-)


  • Hi Al,

    I think the way pfSense's team has described it is because they have dumbed it down. Maybe a description describing what each setting does with the way it sets the RA packet flags?

    If you have any suggestions let me know, I'll probably draft something up Wednesday night and post here.

    Kind regards,
    Aqueeb.


  • Banned

    What exactly are you "fixing" here? You've duplicated Unmanaged.



  • Unmanaged sets the "Other Configuration" flag to not set (disabled). So if I wanted my DHCP server to give out DNS servers, NTP servers, SIP servers, AND I wanted my clients to use SLAAC, pfSense does not allow me to do that. I think the term is "Stateless DHCP" where you can have your IPv6 computers use Stateless Address Autoconfiguration, but ALSO get DHCP options, WITHOUT getting a DHCP address. And that is what I've fixed.

    Am I missing something???

    Kind regards,
    Aqueeb.


  • Banned

    What are your clients? Because that's exactly what "assisted" does, as is… without any fixes. With Windows clients at least.



  • "Assisted" ALSO gives out an IPv6 address. I do NOT want my clients to get an IPv6 address from my DHCPv6 server. I want them to ONLY get the extra DHCPv6 options.

    I've made a quick 2 minute video demostrating EXACTLY what I mean.

    Youtube Video

    Kind regards,
    Aqueeb.


  • Banned

    Again, depends on the client. We're going in circles here; "assisted" produces exact same result as your "stateless" with Windows.



  • I am talking about Windows clients.

    Assisted gives out IPv6 addresses from the DHCP pool to windows clients, agreed??
    Assisted also gives out DHCP options to clients, like dns, agreed?

    Unmanaged, asks the windows client, to autoconfigure itself, using SLAAC, but does NOT ask the client to get extra options from DHCP, agreed? So if I used Unamaged, my windows client, autoconfigures itself with an IPv6 address, but DOES NOT have any DNS servers, agreed??

    My custom option "Stateless DHCP", asks the client to NOT GET an IPv6 address from DHCP, BUT DO GET DNS servers from DHCP, AND TO ALSO configure itself using SLAAC.

    I am using Windows 7 x64 SP1 by the way. Which clients are you talking about by the way?

    How are we going in circles?

    Kind regards,
    Aqueeb.


  • Banned

    @aqueeb:

    Assisted gives out IPv6 addresses from the DHCP pool to windows clients, agreed??

    Nope. Not what I can see here.



  • You may not be running a DHCPv6 server or you may have something else wrong with your configuration.

    And that's besides the point anyway.

    "Assisted" sets the "Managed Address Configuration" flag to SET (enabled) in the Router Advertisement packet, where as my custom option "Stateless DHCP" sets that same flag to NOT SET (disabled). You can do a packet capture of Router Advertisements using wireshark to verify what I am saying.

    All the other options "Router Only", "Unmanaged", "Managed","Assisted", do NOT have a combination of the following flags:-

    "Managed Address Configuration" to NOT SET
    "Other Configuration" to SET
    "OnLink" to SET
    "Autonomous" to SET

    And this combination is REQUIRED for Stateless DHCP to work. And Stateless DHCP is something I have not come up with myself. It is an RFC (https://tools.ietf.org/rfc/rfc3736.txt).

    And the above combination is what  I have added as a FIX.

    You can argue to the end of time, that what I have done, is what is already implemented in pfSense. For that, I suggest 2 things.

    1. Look at the radvd.conf file that is generated with each of the modes ("Router Only", "Unmanaged", etc.). You will see that none of the radvd.conf auto-generated contains the above mentioned combination.

    2. Do a packet capture of the Router Advertisement packet, in each of the modes, and then compare the flags that are set. Again you will find, that the combination required for Stateless DHCP to work, is missing.

    And I HAVE done all of the above, and now I am convinced that the custom option "Stateless DHCP", should NOT be custom, it should be a part of the standard pfSense install.

    Kind regards,
    Aqueeb.


  • Banned

    @aqueeb:

    You may not be running a DHCPv6 server or you may have something else wrong with your configuration.

    I damn sure am running a DHCPv6 server. The only way to get W7/8/8.1 a DHCP6 lease is to set radvd to Managed. Otherwise, stateless IP outside of the DHCP range is used. Vista I don't have. IPv6 in XP sucks enormously. I can do all wireshark you want and that does not change a thing -  since what happens heavily depends on the DHCP client, which apparently you refuse to acknowledge.

    Now, with Assisted, e.g. one HP printer gets both stateful and stateless IPs, so do some Apple devices.  Some printers do not get any IPv6 with Managed. Linux is a complete mess, depending on distro, its age, NetworkManager being used or not and which version, sysctl config, etc. etc. etc. So yeah, anyone can add yet another option, will not make the mess any more consistent. And then someone will come and invent yet something else. ::)



  • @aqueeb:

    And this combination is REQUIRED for Stateless DHCP to work. And Stateless DHCP is something I have not come up with myself. It is an RFC (https://tools.ietf.org/rfc/rfc3736.txt).

    Unless I'm missing something, that RFC only deals with the DHCP side of things; it doesn't address advertisement flags at all. Are you saying that your clients are not getting an address at all in this scenario? If you just don't want your DHCP server to give out stateful addresses at all, that really seems like more of a configuration issue with the DHCP server than with the advertisements.



  • @razzfazz:

    Unless I'm missing something, that RFC only deals with the DHCP side of things; it doesn't address advertisement flags at all. Are you saying that your clients are not getting an address at all in this scenario? If you just don't want your DHCP server to give out stateful addresses at all, that really seems like more of a configuration issue with the DHCP server than with the advertisements.

    In IPv6, clients requesting an IP need to have two conditions fulfilled. One is to have a DHCP server and the second is to receive a Router Advertisement packet with the Managed flag SET. Clients will NOT get an IP, if either of these conditions are not met.

    @doktornotor:

    I damn sure am running a DHCPv6 server. The only way to get W7/8/8.1 a DHCP6 lease is to set radvd to Managed.

    The ONLY way to get ANY DHCP6 client to get a DHCP6 lease IS to set the Managed flag to SET, which the "Managed" mode does.
    Which the "Assisted" mode does.
    Which the "Router Only" mode DOES NOT.
    Which the "Unmanaged" mode DOES NOT.

    Hence NO MATTER WHAT you do on the DHCPv6 Tab, your clients will NOT get an IP address from the DHCP server in, "Router Only" and "Unmanaged" mode.

    @doktornotor:

    Otherwise, stateless IP outside of the DHCP range is used. Vista I don't have. IPv6 in XP sucks enormously. I can do all wireshark you want and that does not change a thing -  since what happens heavily depends on the DHCP client, which apparently you refuse to acknowledge.

    Only reason I have not commented on the client side of things is because I am only talking about how the flags in the RA packet are set. And because the RA packet is sent out by the router ONLY, the point what the clients do, is moot.

    @doktornotor:

    Now, with Assisted, e.g. one HP printer gets both stateful and stateless IPs, so do some Apple devices.

    The reason why your devices are REQUESTING an address from the DHCP server AND autoconfiguring themselves is because in "Assisted" mode, BOTH flags are SET.

    The Managed flag is SET.
    The Autonomous flag is SET.

    @doktornotor:

    Some printers do not get any IPv6 with Managed.

    I'd like to know the model numbers of these printers. Without a packet capture of the packets sent out by your printers, my guess is as good as yours as to WHY they are NOT getting any IPv6 addresses from the DHCP server. Maybe there is something on the websites of these printers manufacturers that may clue me in to their current behaviour.

    @doktornotor:

    Linux is a complete mess, depending on distro, its age, NetworkManager being used or not and which version, sysctl config, etc. etc. etc.

    Sorry to hear you have such trouble with Linux. Give me a distro name that you are having trouble with and I'll try and find out what is the source of your trouble.

    @doktornotor:

    So yeah, anyone can add yet another option, will not make the mess any more consistent. And then someone will come and invent yet something else. ::)

    I can't say what someone else WILL or WILL NOT do. Only that, thankfully, I have not invented something. Just added on an option to the pfSense router that it is obviously lacking.

    Not ONE of the modes in pfSense generate a RA packet, which

    Have the "Managed" flag UNSET
    AND
    the "Other Configuration" flag SET
    AND
    the "Autoconf" flag SET

    These are required flags for 2 things to happen on the client:-
    1. Get ONLY Other options from DHCP (NOT an IPv6 address)
    2. Use Stateless Address Autoconfiguration to create your own IPv6 address.

    These 2 things working together is called Stateless DHCP in IPv6.

    Kind regards,
    Aqueeb.


  • Banned

    I'm having no trouble, thanks. I simply live with reality, which is that

    • some printers have broken firmware
    • implementations differ between platforms
    • implementations change in time
    • the RFCs/specs change in time and new ones are being created
    • etc. etc. etc.

    Now, I think you made it pretty clear you cannot live without your magic combo of flags for unspecified reason. Have a nice day.



  • @doktornotor:

    I'm having no trouble, thanks. I simply live with reality, which is that

    • some printers have broken firmware
    • implementations differ between platforms
    • implementations change in time
    • the RFCs/specs change in time and new ones are being created
    • etc. etc. etc.

    I never argued with any of the above mentioned issues. I do not understand why are you even bringing them up.

    @doktornotor:

    Now, I think you made it pretty clear you cannot live without your magic combo of flags for unspecified reason. Have a nice day.

    How is it MY magic combo, when AT THE CURRENT MOMENT, implementing Stateless DHCP, involves having those flags set??

    If I understand you correctly, I should not be using Stateless DHCP because I don't have a reason for it? Or because your experience with the current crop of clients tells you that it is pointless?

    Have you ever considered that my environment is not the same as yours? That the clients I do have (Windows 7 x64 SP1) play very nice with IPv6. And if my clients DO play nice with IPv6, I should be left high and dry because pfSense does not support an industry standard?

    I'm confused as to why you think that implementing a standard, when that standard actually makes your life easier, is a pointless thing??

    Since you mentioned that I have not specified my reasons, here they are:-

    I have just implemented port forwarding for 45 pc's all running ipv6 and Windows 7 x64 SP1. All I needed to do was create the appropriate port forwarding rules. No need to to add address reservations in DHCP, since all are autoconfiguring themselves with the same IPv6 address everytime. BUT, how do I assign DNS servers, if I'm NOT using DHCpv6??? Enter "MY magic combo".

    You have a nice day too!



  • Hi

    It is late here, where I live so I'll try to make it short :-)

    Regarding stateless DHCP I have found something that supports Aqueeb's arguments.
    Microsoft mentions it here:
    http://technet.microsoft.com/en-us/library/cc753493.aspx

    But yes it is really a jungle with all these possible options although each of them (likely) have their use case.

    Now regarding my earlier suggestion aligning the descriptions of the individual options in a list would help changing services_router_advertisements.php:

    Select the Operating Mode for the Router Advertisement (RA) Daemon. Use "Router Only" to only advertise this router, "Unmanaged" for Router Advertising with Stateless Autoconfig, "Managed" for assignment through (a) DHCPv6 Server, "Assisted" for DHCPv6 Server assignment combined with Stateless Autoconfig It is not required to activate this DHCPv6 server when set to "Managed", this can be another host on the network

    e.g. into:
    –--

    • Router Only: Use only to advertise this router

    • Unmanaged: For Router advertising with Stateless Autoconfig. IPv6 address is client configured

    • Managed: For assignment through (a) DHCPv6 Server

    • Assisted: DHCPv6 Server assignment (Managed) combined with Stateless Autoconfig (Unmanaged)

    • Stateless DHCPv6: All DHCPv6 options except IPv6 address which is client configured (Unmanaged)

    It is not required to activate this DHCPv6 server when set to "Managed", this can be another host on the network
    –--

    Although I might haven't nailed every description perfectly I think this is more helpful for the user. Please feel free to comment :-)



  • @aqueeb:

    In IPv6, clients requesting an IP need to have two conditions fulfilled. One is to have a DHCP server and the second is to receive a Router Advertisement packet with the Managed flag SET. Clients will NOT get an IP, if either of these conditions are not met.

    I'm not sure how that relates to my post?!

    In any case, I guess I'm simply not sure why you think that the existing "assisted" setting is somehow not workable for your purposes; specifically, why do you feel that it's a problem that your clients get both a stateless and a stateful address? You can still do your port forwarding based on the SLAAC addresses if you want?! Why do you think you need to actively prevent your clients from getting a stateful address as well?



  • Al, the only change I could think of suggesting was the rewording of Managed. Maybe something like:-

    Managed: For assignment through any (does not have to be THIS pfSense box) DHCPv6 server.

    Sorry I could not manage better than that. :D

    razzfazz, I am sorry I could not understand your question before. I do now. And I was completely stumped and taken aback by your question. Coming from the Cisco world, and thinking "everything Cisco" is awesome (not saying that Cisco came up with Stateless DHCP, but I definitely learnt about it from Cisco), I never ONCE stopped to think WHY would I EVER have the need to stop my clients from getting their IPv6 addresses from the DHCP server.

    How about waste of IP addresses?? (I say that as a joke!). Certainly NOT, as we have PLENTY of IPv6 addresses.

    But then how about management and/or auditing? Having to deal with 2 ip addresses is certainly more work than 1 ip address. Twice the work to go through logs, twice the work to follow Netflow streams, I'd assume, twice everything. I am just thinking out loud here, these thoughts are just my musings at the moment.

    How about Policy Based Routing? Routing packets based on the source IP, would require that our packets have the same source IP, every time. Hmm…maybe not as a case could be made here that assigning clients ip addresses from a specific subset of our prefix using dhcp is a better method. Okay scratch that.

    Only solid reason I can think of is to allow our packet through, at a destination network firewall. We would only have to define our firewall rule once at the destination, since our ip is not changing at intervals. So this is ONE reason. We have very fine and granular control of our packets. Having the option of an ip address that does not change over time, is unique, and is unmanaged works in this case!!! +1 to having Stateless DHCP  ;)

    My point being, why would you NOT have Stateless DHCP as an option? And let the people using pfSense decide the use case?

    This feature certainly is offered by Cisco (that's where I learned of it first), why not pfSense?

    Kind regards,
    Aqueeb.



  • @aqueeb:

    But then how about management and/or auditing? Having to deal with 2 ip addresses is certainly more work than 1 ip address. Twice the work to go through logs, twice the work to follow Netflow streams, I'd assume, twice everything. I am just thinking out loud here, these thoughts are just my musings at the moment.
    […]
    Only solid reason I can think of is to allow our packet through, at a destination network firewall. We would only have to define our firewall rule once at the destination, since our ip is not changing at intervals. So this is ONE reason. We have very fine and granular control of our packets. Having the option of an ip address that does not change over time, is unique, and is unmanaged works in this case!!! +1 to having Stateless DHCP  ;)

    Virtually all modern devices support IPv6 privacy extensions and will prefer RFC4941 addresses (which are random and change over time) for outbound traffic in the interest of privacy. So even without DHCPv6, you'll generally be looking at non-deterministic and non-constant source addresses for any given client.



  • Yes, you are right, my argument for Stateless DHCP was very weak. But just because I cannot think of a good enough reason to use Stateless DHCP, does not mean, it has no place in the networking world.

    Or is that exactly what you are saying. That pfSense users should not even have the option of Stateless DHCP?

    As a side note, at least on windows systems, from my very brief research, you can set a GPO to run once, the appropriate netsh commands to disable the randomizer and the privacy state. I haven't done this myself but according to the guy in this link

    http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/Q_26968185.html

    it can be done.

    Otherwise you can always manually run the netsh commands to disable the automatic address generation using the randomizer and privacy state. But this was just an FYI.

    I really would like to know the answer to the question "Should pfSense users not even have the option of Stateless DHCP?"

    Kind regards,
    Aqueeb.



  • You could always submit a pull request on GitHub and see what the folks in charge think. I would imagine that having an actual use case would increase your chances of getting the change accepted, but hey, can't hurt to give it a shot?!



  • Thanks for the suggestion razzafazz!! I will definitely do that and see.

    Till then I have messaged Keith Barker on YouTube, and asked him if he has any use case scenarios for Stateless DHCP. Hopefully he'll reply back!

    Have a good day!

    Kind regards,
    Aqueeb.



  • No reply from Keith Barker so far  :-\

    BUT, I learnt what a Pull Request is!! Thank You for pointing me in the right direction with your wording, razzfazz! Without you actually saying "Pull Request" I would have had NO idea how to get my changes submitted to the github repository.

    I have just submitted a Pull Request to the pfSense github repository.

    Hopefully they'll think "Stateless DHCP" is worth adding my changes to the main codebase.

    Kind regards,
    Aqueeb.



  • any update from the pfsense dev team on your pull request? Would it be possible for you to share the request link?



  • Just wanted to provide an update that my pull request for committed to master.

    https://github.com/pfsense/pfsense/pull/1033

    Kind regards,
    Aqueeb.



  • I've started using RA in Stateless DHCP mode and have enabled DHCPv6 to hand out DNS addresses. This seems to work fine for Windows 8.1 machines on my network but Windows 10 doesn't get the IPv6 DNS server addresses. Is this a problem with Win10 or pfsense?


Log in to reply