IPv6 Route Advertisement (RA) not working



  • Hi all,

    We have a PFsense 2.2 running our office firewall. We have configured IPv6 on this box when it was still on PFsense 2.1.5. At that time we couldn't get  Route Advertisement to work. We waited for 2.2 release as it might have some IPv6 improvements/bugfixes. Unfortunately we still have the same problem.

    • We have DHCPv6 working, this is working fine. All clients get an IPv6 address
    • RA is configured with "Managed", "High" and we have put the RA subnet in as "beef:beef:beef:beef::" <- but then our public IPv6 of course.. and put the puldown on "64"..
    • Added firewall rule on IPv6 protocol to allow "all/*" on LAN network

    The above will result in that clients will get an IPV6 address from the DHCPv6 but don't get a IPv6 default gateway (RA). If I configure a static route on the client IPv6 work with no problem.
    The only difference with our config compared to what I have found online is that our Internal interface is a trunk instead as we have multiple LAN's. But that shouldn't be an issue I guess.

    Any help will be very much appreciated.



  • Hmmm. What is the operational specification (how is the env suppose to work with Managed) ?

    What is the effect of Assisted vs Managed ?



  • See: https://doc.pfsense.org/index.php/Router_Advertisements For the various operational modes.

    I have tried various combinations but alll failed to assign a RA to the client.



  • What were the results with DHCPv6-Server() & Router Advertisements(Router Only) ?



  • C,

    I have a similar setup, 5 vlans on an lacp lagg.

    I'm using a 4to6 GIF Tunnel to he.net on the front-end with a routed /48 on the back-end.

    DHCPv6 is configured to hand out a small number of addresses :ff00 through :ffff, I've manually assigned IPv6 name servers in the DHCPv6 config.  RA is configured as Managed, Normal, with the "use same settings as dhcpv6" setting checked.

    My machines pull an IPv6 address and dns servers from dhcpv6, and then within a few seconds I'll see the link-local ipv6 address of the firewall get populated under the default gateway.  (Windows 7)

    ..ct


  • Banned

    @cthomas:

    within a few seconds I'll see the link-local ipv6 address of the firewall get populated under the default gateway.  (Windows 7)

    And the issue with that is exactly what?


  • LAYER 8 Netgate

    Is something not working?

    Link-local addresses are expected for your next hop gateway.  That's the way it works.

    
    $ ifconfig vlan0
    vlan0: flags=8843 <up,broadcast,running,simplex,multicast>mtu 1500
    	options=3 <rxcsum,txcsum>ether 3c:07:aa:0c:23:16 
    	inet6 fe80::3e07:54ff:fe0c:2316%vlan0 prefixlen 64 scopeid 0xa 
    	inet6 2001:470:cafe:223:3e07:aaff:fe0c:2316 prefixlen 64 autoconf 
    	inet6 2001:470:cafe:223:70d4:e50b:eee7:4fd6 prefixlen 64 autoconf temporary
    
    $ netstat -rn -finet6
    Routing tables
    
    Internet6:
    Destination                             Gateway                         Flags         Netif Expire
    default                       fe80::230:18ff:fea4:ec72%vlan0  UGc           vlan0</rxcsum,txcsum></up,broadcast,running,simplex,multicast> 
    

    I don't use DHCPv6.  Not worth the hassle here.  I leave it off and set RA to unmanaged and it all just works.



  • So I disabled the DHCPv6 and only rely on RA for now. Clients still don't get handed out any default routes on IPv6, and now with DHCPv6 disabled also don't get any IPv6 address assigned to them. Even though RA is set to "Unmanaged" and with priority "High".

    • How can i debug radvd ?
    • Are there any settings that could prevent RA to advertise?

  • LAYER 8 Netgate

    Not having IPv6 enabled might.

    There is, quite literally, nothing to configure.  Set a public /64 on LAN, make sure radvd is enabled in unmanaged state on LAN and DHCPv6 is disabled.

    You don't have to set the priority to high or set any name servers (as long as you have an IPv6 name server defined.)

    What client are you trying to get working?  I just tried a Windows 8.1 VM in bridged mode (first time I've tried windows on IPv6, believe it or not) and everything seems to work except I can't ping out to the internet.  I can resolve names (So DNS is working), and I can ping other subnets on pfSense (so the default gateway is working) but I can't, for example, ping -6 www.he.net.  Name resolves but I get nothing back.  Out of time right now but you might want to post some cut and past or screen shots of the client on which you say radvd isn't working.

    Yes, my default gateway on windows is link-local.



  • @chiel:

    • How can i debug radvd ?

    Assure yourself of the effects of reconfiguring IPv6 by reboot pfSense.

    I don't do DHCP6-Server(), but have LAN Static IPv6 & Router Advertisements(Router Only) to avoid SLAAC.
    And I imagine DHCP6-Server() & Router Advertisements(Router Only) could work for you.



  • I had IPv6 working using a he.net tunnel and unmanaged mode, but then somewhere down the line it stopped working and I couldn't figure out why.

    It turns out anything other than a /64 prefix makes the SLAAC/unmanaged mode stop working. I set it to /112 because I would have very limited clients, but that made pfSense stop handing out IPv6 IPs. Set it back to /64 and now everything works.

    Is this a bug, or is this by IPv6 design?



  • That's a fact of how SLAAC works, it requires a /64 network to function.



  • No issues, my setup works fine.

    …ct


Log in to reply