Netgate Discussion Forum

DHCP-PD does not work properly. Route does not get created!

Scheduled Pinned Locked Moved 2.2 Snapshot Feedback and Problems - RETIRED
11 Posts 4 Posters 4.1k Views
  • A
    al
    last edited by Jan 7, 2015, 4:25 PM Jan 6, 2015, 5:35 PM

    Hi

    I'm having trouble getting dhcp-pd (IPv6) to work regarding the route that should automatically be generated by pfSense when a subnet is given to some sub-router. I have tried with pfSense 2.1.5 and pfSense 2.2 RC 6th Jan. 2015. Both versions of pfSense did not create a route to the subnet assigned by dhcp-pd.

    So I dug into the php source and I guess something fails in dhcpleases6 or in /etc/inc/services.inc line 1230 pfSense 2.1.5 / line 1328 pfSense 2.2 RC 6th Jan. 2015:
    mwexec("/usr/local/sbin/dhcpleases6 -c \"/usr/local/bin/php -f /usr/local/sbin/prefixes.php|/bin/sh\" -l {$g['dhcpd_chroot_path']}/var/db/dhcpd6.leases");

    I can see it is running when calling ps -A:
    35635  ??  Is    0:00.00 /usr/local/sbin/dhcpleases6 -c /usr/local/bin/php -f /usr/local/sbin/prefixes.php|/bin/sh -l /var/dhcpd/var/db/dhcpd6.leases

    More precisely, I first tried to run:
    /usr/local/bin/php -f /usr/local/sbin/prefixes.php
    , which gives this output (text string):
    /sbin/route change -inet6 2a02:abcd:dcba:3fff::/64

    The pfSense "Diagnostics: Routing tables" page from the web GUI never shows the route whether I reboot the sub-router or not.
    I checked that the computer I use as a pfSense router runs with correct date and time (just in case because of the lease start and end time).

    If I manually add the route then everything seems to work (I can ping6 from the pfSense router to a tablet connected wirelessly through the sub-router):
    route add -net -inet6 2a02:abcd:dcba:3fff::/64 2a02:abcd:dcba:1::a391
    and the "Diagnostics: Routing tables" page shows the route:
    2a02:abcd:dcba:3fff::/64 2a02:abcd:dcba:1::a391 UGS 7 1500 em0
    , but dhcpleases6/pfSense should be able to do it on its own I guess! :-/

    Could anyone give me a clue to what may be the problem when I cannot get pfSense to automatically create the route to my sub-router when dhcp-pd is enabled on my pfSense LAN?
    Does it sound like a bug in pfSense?

    Best wishes
    Anders

    Edit: The DHCPv6 lease and the delegated prefix do get registered in pfSense and get received by the sub-router. Only the automatic route creation in pfSense does not seem to work.

    • A
      al
      last edited by Jan 7, 2015, 4:31 PM

      Hi

      I have now made a demo configuration only containing the relevant parts, which demonstrates the problem.
      I have attached the configuration file so you are able to test it out. Rename the configuration file from .txt to .xml.
      Login and password are set to default admin/pfsense.

      If you wonder what kind of addresses I have used then they are the documentation addresses for IPv4 and IPv6 so they are clearly safe to use with respect to sharing on this forum.

      Again, I could only make dhcp-pd partly work by manually adding a route to the sub-router. It kind of seems like a bug.
      To add the route manually you can enter:
      route add -net -inet6 2001:db8:1234:<subnet id>::/64 2001:db8:1234:: <last two byte blocks of interface id>
      (Before I add the route manually I can only ping6 the WAN address of the sub-router. After I add the route I can ping6 the tablet through the sub-router.
      Besides that I can add that I use the amd64 NanoBSD version of pfSense 2.2 RC from the 6th of Jan. 2015.)

      Can someone help me out to say whether there is a bug in pfSense or whether I have made a mistake?

      Regards and thanks!

      Anders

      demo-configuration.txt

      • A
        al
        last edited by Jan 8, 2015, 11:12 AM

        It seems that this closed feature #2347 might need a fix: https://redmine.pfsense.org/issues/2347
        The title of the feature is "Add routes into the routing table for delegated IPv6 prefixes.", which seems to be what the problem I bump into is related to.

        • E
          eri--
          last edited by Jan 8, 2015, 11:17 AM

          I am looking into it

          • E
            eri--
            last edited by Jan 8, 2015, 11:00 PM

            Can you try with tomorrow's snapshot?

            • A
              al
              last edited by Jan 9, 2015, 2:27 PM

              Hi Ermal

              Thank you!
              I have tried the pfSense build "2.2-RC (amd64) built on Fri Jan 09 01:08:06 CST 2015".
              First I tried with the demo configuration (that I attached above) and then afterwards my normal configuration.
              It didn't work with either configuration.
              I had to manually add the route to get connection to the IPv6 subnet of the sub-router as before.
              Please tell me if I can do something to help you again with this issue.

              - Anders
              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Jan 9, 2015, 6:46 PM

                This is working just fine for me, mine isn't a terribly complicated setup either. DHCPv6 server set to hand out from a /64 and then delegate some /60 blocks from my /48. I have pfSense VMs that hit that edge firewall and get prefixes and the delegated subnet routes show up fine for me.

                There may be something peculiar about the content of your /var/dhcpd/var/db/dhcpd6.leases file that is causing a problem.

                • A
                  al
                  last edited by Jan 9, 2015, 11:18 PM

                  Hi Jim and Ermal

                  The sub-router is on link with the LAN, but I guess everyone already figured that one out (I just mention it to be sure).

                  In my normal configuration I also got a /48 block from the ISP. Like in your case Jim the DHCPv6 server hands out from a /64 but delegates out /64 blocks (not /60 or /56).
                  In the same way I have set the demo configuration into a clean installed pfSense and also sometimes into a factory reset pfSense (but with the same result). The demo configuration is set up from scratch, but contains the same Prefix Delegation Range, Prefix Delegation Size and DHCPv6 Server Range (well, the interface ID part of the IPv6 range - http://www.roesen.org/files/ipv6_cheat_sheet.pdf ) as my normal configuration.

                  I have saved the dhcpd6.leases file and some screenshots, because I might have made an error without knowing it.
                  Because of the many files I have PMed you both with a link to the files.

                  (I haven't mentioned it earlier, but I am in the timezone GMT+1. So I guess the "Status DHCPv6 leases" page in pfSense reflects that (GMT+1) whereas the leases file shows the time in GMT, but I guess that is perfectly ok and hopefully this is not the cause why the route is not created.)

                  • A
                    al
                    last edited by Jan 11, 2015, 6:32 PM Jan 11, 2015, 5:19 PM

                    Hi Jim and Ermal

                    I found where the bug resides.
                    It is in prefixes.php combined with my sub-router which is from D-Link.

                    The possible solutions are either to:

                    1. take a part of the ia-na string and ia-pd string (see below) that corresponds to the DUID and remove/leave out the first 4 blocks (1 block => \xxx) or
                    2. force the first 4 blocks to be zeroed out (\000) or
                    3. do and verify what the dhcpdv6 service or my D-Link sub-router does

                    Maybe you have an idea which solution is the correct approach?

                    So those were the 3 possible solutions, now to what the problem is more specifically.

                    The problem is a bit complicated.
                    The ia-na string and ia-pd are not equal. The result of that is that when we reach line 57 in prefixes.php:

                         55 $routes = array();
                         56 foreach ($duid_arr as $entry) {
                         57         if(!empty($entry['ia-pd'])) {
                         58                 $routes[$entry['ia-na']] = $entry['ia-pd'];
                         59         }
                         60 }
                    

                    , and want to insert an entry into $routes in the next line then $entry['ia-na'] does not exist and the result is the empty string! Why? Because ia-na lies in another entry of the $duid_arr, because as I stated above the ia-na string is in my case != ia-pd.

                    So now to the contents of those two octal strings (\xxx => censored by me):

                    ia-na:
                    ia-na "\273\240\300\034\000\003\000\001\300\240\273\034\xxx\xxx" {
                    ia-na in hex:
                             BB  A0  C0  1C  00  03  00  01  C0  A0  BB  1C  XX  XX
                    
                    ia-pd: 
                    ia-pd "\000\000\000\000\000\003\000\001\300\240\273\034\xxx\xxx" {
                    ia-pd in hex:
                             00  00  00  00  00  03  00  01  C0  A0  BB  1C  XX  XX
                    
                    mac address of the sub-router:           c0 :a0 :bb :1c :xx :xx
                    

                    Now, I don't want to reveal all of the mac address, because it is not necessary to show what is wrong, so I censored the strings a bit, but you've got the entire dhcpd6.leases file in the PM I sent to you.

                    So either the dhcpd6 service in pfSense or my D-Link sub-router take the WAN mac address of the sub-router and move the first 4 blocks of the mac address around to generate the ia-na string so that:

                    c0 :a0 :bb :1c :xx :xx <-- MAC
                    c0 :a0 :bb :1c         <-- First 4 blocks of MAC
                    BB  A0  C0  1C         <-- two blocks (first and third) switch places
                    

                    These 4 blocks are then prepended to the DUID and that becomes the ia-na string!

                    Why it is so, I don't know. For sure it is not modified EUI-64 format ( http://www.roesen.org/files/ipv6_cheat_sheet.pdf ).

                    Maybe it is described in some RFC (if it is not some strange D-Link way of doing it)?

                    So back to the 3 possible solutions. I hope you have an idea which solution is the best! :-)

                    1 Reply Last reply Reply Quote 0
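Option 1 from the post above, as an added example (not pfSense's prefixes.php and not part of the original thread): in ISC dhcpd's lease file the quoted ia-na/ia-pd identifier is a 4-byte IAID followed by the client DUID, so the entries are matched on the DUID alone. The abridged lease entries, the MAC and the function names are constructed for illustration.

```php
<?php
// Added example, not pfSense code. Constructed, abridged lease entries using
// documentation addresses and a made-up MAC (c0:a0:bb:1c:12:34).
$leases = <<<'EOT'
ia-na "\273\240\300\034\000\003\000\001\300\240\273\034\0224" {
  iaaddr 2001:db8:1234:1::a391 {
    binding state active;
  }
}
ia-pd "\000\000\000\000\000\003\000\001\300\240\273\034\0224" {
  iaprefix 2001:db8:1234:3fff::/64 {
    binding state active;
  }
}
EOT;

// dhcpd writes non-printable bytes as \ooo and printable ones literally
// (the trailing "4" above is the byte 0x34), so decode both forms.
function decode_lease_id(string $s): string {
    return preg_replace_callback('/\\\\([0-3][0-7]{2}|.)/s', function ($m) {
        return strlen($m[1]) === 3 ? chr(octdec($m[1])) : $m[1];
    }, $s);
}

// Returns [delegated prefix => client address], matched on the DUID only.
function routes_by_duid(string $leases): array {
    $seen = [];
    preg_match_all('/^(ia-na|ia-pd) "((?:[^"\\\\]|\\\\.)*)" \{(.*?)^\}/ms',
        $leases, $blocks, PREG_SET_ORDER);
    foreach ($blocks as [, $type, $raw, $body]) {
        $id = decode_lease_id($raw);
        $stmt = $type === 'ia-na' ? 'iaaddr' : 'iaprefix';
        if (strlen($id) > 4 && preg_match('/^\s*' . $stmt . ' (\S+) \{/m', $body, $m)) {
            // Skip the 4-byte IAID; the rest is the DUID shared by both entries.
            $seen[bin2hex(substr($id, 4))][$type] = $m[1];
        }
    }
    $routes = [];
    foreach ($seen as $e) {
        if (isset($e['ia-na'], $e['ia-pd'])) {
            $routes[$e['ia-pd']] = $e['ia-na'];
        }
    }
    return $routes;
}

foreach (routes_by_duid($leases) as $prefix => $gateway) {
    echo "$prefix via $gateway\n";
}
```

Keying on the full identifier string instead would put these two entries under different keys, which is the mismatch described in the post.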
                    • A
                      al
                      last edited by Jan 12, 2015, 9:59 PM

                      I just added a bug report here: https://redmine.pfsense.org/issues/4206

                      • C
                        cmb
                        last edited by Jan 13, 2015, 7:45 AM

                        Could you get us a packet capture of the Dlink's DHCPv6 traffic in a pcap file?
