IPv6 prefix6 not working as expected

  • Hi,

    I'm running pfSense 2.2.4-RELEASE, and trying to delegate prefixes downstream from this pfSense to other pfSense boxes, but the dhcp service keeps crashing with the following error:

    /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid em1 em2' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.8 Copyright 2004-2015 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 17: network mask too short prefix6 fd33:3e94:8260:8000:: fd33:3e94:8260:8fff:: /63;

    Head-end config:

    subnet6 fd33:3e94:8260:2100::/64 {
            range6 fd33:3e94:8260:2100::1:1 fd33:3e94:8260:2100::1:ffff;
            option dhcp6.name-servers fd33:3e94:8260:2100::1;
            prefix6 fd33:3e94:8260:8000:: fd33:3e94:8260:8fff:: /63;
            default-lease-time 1800;
            max-lease-time 3600;

    I would expect that it would give out an IP in the range …2100::1:1 to ...2100::1:ffff along with a subnet like fd33:3e94:8260:8ffe::/63

    I'm thinking this is exactly Bug #4829, but I thought it was resolved in 2.2.4.


  • Banned

    1/ Would suggest to stick to /64, /60, /56 or /48…

    2/ Not really sure what you are trying to do here? Delegate /63 out of /64? That's indeed obviously "too short" as the error tells you,

  • Maybe I'm missing something…

    I have set aside fd33:3e94:8260:8000:: through fd33:3e94:8260:8fff:: as the prefix delegation range, or more specifically fd33:3e94:8260:8xxx:xxxx:xxxx:xxxx:xxxx so that's in fact a /52, in which case it is wholly appropriate to allocate anything longer than /52 out of it.

    Anything other than /64 doesn't work.


  • Banned

    See #1 above.

  • Anything other than /64 doesn't work.
    Tried /60, /56, no go.

  • Rebel Alliance Developer Netgate

    Delegation works great in my home setup on 2.2.4 with /60 chunks.

    Delegation Range:
    <my_48_prefix>:F000:: to <my_48_prefix>:FF00::
    Prefix Delegation Size: 60

    Delegating anything smaller than a /64 is probably not wise, I'm not sure why the options like 63 are there, to be honest.</my_48_prefix></my_48_prefix>

  • LAYER 8 Global Moderator

    what / are you working with total?  Do you have a /48, /56?  /32 maybe??  Really would hand out anything less than /56 to a site.  That site can then break that up into /64s

  • Here's my LAB setup…
    Everything is carved out of a unique /48
    The lab consists of 2 arms, each connected together with a central pfSense called sim-internet.  The expected behavior is that each arm receive IPv6 addresses and prefix delegations from this central  point.

    LAB NETWORK: fd33:3e94:8260::/48  I'll call this N for short in the diagram below...

    If the prefix delegations are set to /64, everything works as expected.
    Setting the prefix to anything else causes dhcpd to crash with error message on pfSense "sim-internet"

    Please see https://redmine.pfsense.org/issues/4829 where this exact issue occurs.  All I wanted to know is whether or not this is resolved in 2.2.4 as the bug report seems to indicate it.  My experience shows differently.

    Some Friday afternoon ASCII art…

    Expected outcome is that the LAN-if interfaces on pfSense 1 and 2 obtain prefixes delegated by the "Sim-internet" pfSense.

    LAB 1   
                  LAN-if    (expecting delegated ipv6 subnet in N:8000:: => N:8fff:: range)
                pfSense 1
                  WAN-if    (dhcp ipv6)  Gets [N:2100::1:xxxx] IP correctly
                vswitch 1
                  WAN-if    [N:2100::1/64]
                    |        dhcpv6 serves N:2100::1:0 => N:2100::1:ffff
                    |        dhcpv6 prefix N:8000:: => N:8fff:: /60
    PC–> LAN-if  pfSense "sim-internet"
                    |        dhcpv6 serves N:2200::1:0 => N:2200::1:ffff
                    |        dhcpv6 prefix N:9000:: => N:9fff:: /60
                  WAN2-if    [N:2200::1/64]
                vswitch 2
                  WAN-if    (dhcp ipv6)  Gets [N:2200::1:xxxx] IP correctly
                pfSense 2
                  LAN-if      (expecting delegated ipv6 subnet in N:9000:: => N:9fff:: range)
                  LAB 2

  • Banned

    I frankly cannot see how's "prefix is outside the subnet" exactly same issue like "network mask too short".

  • Rebel Alliance Developer Netgate

    The issue stated in that ticket is different. I was the one who opened that after hitting it on my home router, which is now working fine with the corrections in place on 2.2.4. It's not related to what you're seeing.

  • Jimp,

    The discussion that ensued over on the ISC mailing list seems to indicate that it is related.

    Specifically that the delegated prefix doesn't/shouldn't need to be inside the interface's subnet.

    Help, I'm confused!


  • Rebel Alliance Developer Netgate

    Your error message is different than the ones stated there. It's not the same issue. If any of the problems from that ticket or the thread (in which I also posted) were still present, it could not be working on my setup which I quoted above. It's a different problem.

  • ~~Jimp,

    Fair enough…, but is there something fundamentally wrong with what I am trying to setup?

    My expectations seem to be out of line with reality.~~

    I'm an ID10T…it sure works great when the bits AFTER the prefix delegation size are zeroes, and not ones!

    Many thanks for all your input that kept me going back to it.


  • I will add a little followup to this.

    After some experimentation, I've determined that the DHCP leases file in /var/dhcpd/var/db has to be manually edited or deleted if you decide to make the prefix delegation mask shorter at any point, for instance if you go from a /64 prefix delegation size to a /60.

    This is because the leases file contains previously allocated leases, and despite the fact that the client is asking for shorter mask (/60 for instance), continues to hand out the same subnet (/64) as it had previously.


Log in to reply