SLAAC radvd problem in 2.2-RELEASE



  • I just reported https://redmine.pfsense.org/issues/4429/ describing an IPv6/DHCP6 radvd(8) SLAAC autoconfiguration problem in 2.2-RELEASE (amd64).

    If you're routing IPv6 (native or tunneled) and had SLAAC (that means IPv6 router/neighbor advertisements) working in 2.1.5 but lost the IPv6 addresses on all your hosts since upgrading to 2.2, please comment here, and we'll try to find a workaround or something.

    Hint: if you look in the radvd(8) logs by clicking Status: System logs: Routing, you'll see in Routing daemon log entries:

    radvd[<some-number>: sendmsg: Permission denied
    radvd[<some-number>: sendmsg: Permission denied
    radvd[<some-number>: sendmsg: Permission denied
    radvd[<some-number>: sendmsg: Permission denied
    
    ...regardless of how liberal your IPv6 firewall rules are.
    
    See the bug report #4429 (above) for comprehensive information.
    

  • Banned

    Absolutely no such issue here. 10 or so boxes with IPv6. You must be special. Sounds like a broken configuration to me.  :P



  • I see the same issue on 2.2
    tcpdump shows RS arriving from the client but no reply and no RA. Logs show the same permission denied.
    radvd is running and the .conf looks sane.
    All ICMP6 is allowed in the rules.



  • HA!

    I have 3 internal VLANs working with IPv6 and now I upgraded to 2.2 and added 4th VLAN.
    I configured IPv6 on it (and yes, it is NOT a configuration issue, and yes, it is NOT a firewall ICMP or whatever issue) and it's not working.
    radvd.conf is exactly the same as for other VLANs, just different subnets.

    Will try to reboot the box.



  • OK you used /50 subnet.
    I used /64 subnet and have exactly the same issue (for others, see redmine ticket, OP updated it).

    EDIT:

    Unrelated, sorry my mistake.
    I had captive portal enabled and apparently ipv6 doesn't like captive portal…
    I disabled it and here we go all is fine.



  • Yes I see this now. Disabling captive portal lets IPv6 work. You can either have captive portal or IPv6, not both. :-\


  • Banned

    Uhm…

    1/ CP does not support IPv6 at all.
    2/ You should NEVER use captive portal on your LAN. Set up dedicated interfaces for any CPs.



  • Now you're smarta**ing around :)

    1. You could post sooner, you know
    2. Yes I have 4 vlans, one of them is dedicated to CP

    After the war it's easy to be a general :)


  • Banned

    Perhaps IPv6 should be made no-op somehow visibly in the GUI once you enable CP on an interface.



  • My IPV6 also isn't broken.

    I somehow keep managing to brute force and ignorance my way through things without issue on pfsense.



  • @kejianshi:

    My IPV6 also isn't broken.

    I somehow keep managing to brute force and ignorance my way through things without issue on pfsense.

    Yeah that would be great.
    Or maybe a captive portal code rewrite to support ipv6? :) hehe
    I know it's a lot of work. It's in the redmine and targeted version is future :S



  • I think IPV6 is ready for the world and am baffled as to why it hasn't replaced IPV4 already.

    So, yeah - I agree.