Netgate Discussion Forum

    Ipv6 dual stack Deutsche Telekom VDSL not working

      j.koopmann

      Hi,

      I am working with pfSense 2.3 behind a Vigor 130 in bridge mode. pfSense is doing PPPoE with my provider Deutsche Telekom.

      Deutsche Telekom is using an IPv4+IPv6 dual stack and offers /56 prefix delegation (unfortunately with changing prefixes on each PPPoE connect). The information I found so far was to configure this:

      • WAN IPv6: DHCPv6

      • WAN DHCPv6: Request a IPv6 prefix/information through the IPv4 connectivity link

      • WAN DHCPv6: Prefix delegation size = /56

      • WAN DHCPv6: Send an IPv6 prefix hint to indicate the desired prefix size for delegation

      • LAN IPv6: Track interface --> WAN --> ID 0 (tried 1 as well with no change)

      I also enabled RA (unmanaged) on the LAN interface.

      I am getting a /64 IPv6 on my pppoe0 interface after connection establishment. However the prefix delegation seems to fail. I see things like

      Apr 26 11:22:21	dhcp6c	96921	set IA_PD prefix
      Apr 26 11:22:21	dhcp6c	96921	set IA_PD
      Apr 26 11:22:21	dhcp6c	96921	send solicit to ff02::1:2%pppoe0
      Apr 26 11:22:21	dhcp6c	96921	reset a timer on pppoe0, state=SOLICIT, timeo=23, retrans=129384
      Apr 26 11:22:21	dhcp6c	89842	unexpected interface (8)
      
      

      In the system log. If I start dhcp6c in debug mode I get:

      Apr/26/2016 11:14:02: called
      Apr/26/2016 11:14:02: called
      Apr/26/2016 11:14:02: reset a timer on pppoe0, state=INIT, timeo=0, retrans=383
      Apr/26/2016 11:14:02: a new XID (96231) is generated
      Apr/26/2016 11:14:02: set client ID (len 14)
      Apr/26/2016 11:14:02: set identity association
      Apr/26/2016 11:14:02: set elapsed time (len 2)
      Apr/26/2016 11:14:02: set option request (len 4)
      Apr/26/2016 11:14:02: set IA_PD prefix
      Apr/26/2016 11:14:02: set IA_PD
      Apr/26/2016 11:14:02: send solicit to ff02::1:2%pppoe0
      Apr/26/2016 11:14:02: reset a timer on pppoe0, state=SOLICIT, timeo=0, retrans=1088
      Apr/26/2016 11:14:03: set client ID (len 14)
      Apr/26/2016 11:14:03: set identity association
      Apr/26/2016 11:14:03: set elapsed time (len 2)
      Apr/26/2016 11:14:03: set option request (len 4)
      Apr/26/2016 11:14:03: set IA_PD prefix
      Apr/26/2016 11:14:03: set IA_PD
      Apr/26/2016 11:14:03: send solicit to ff02::1:2%pppoe0
      Apr/26/2016 11:14:03: reset a timer on pppoe0, state=SOLICIT, timeo=1, retrans=2151
      Apr/26/2016 11:14:06: set client ID (len 14)
      Apr/26/2016 11:14:06: set identity association
      Apr/26/2016 11:14:06: set elapsed time (len 2)
      Apr/26/2016 11:14:06: set option request (len 4)
      Apr/26/2016 11:14:06: set IA_PD prefix
      Apr/26/2016 11:14:06: set IA_PD
      Apr/26/2016 11:14:06: send solicit to ff02::1:2%pppoe0
      Apr/26/2016 11:14:06: reset a timer on pppoe0, state=SOLICIT, timeo=2, retrans=4283
      Apr/26/2016 11:14:10: set client ID (len 14)
      Apr/26/2016 11:14:10: set identity association
      Apr/26/2016 11:14:10: set elapsed time (len 2)
      Apr/26/2016 11:14:10: set option request (len 4)
      Apr/26/2016 11:14:10: set IA_PD prefix
      Apr/26/2016 11:14:10: set IA_PD
      Apr/26/2016 11:14:10: send solicit to ff02::1:2%pppoe0
      Apr/26/2016 11:14:10: reset a timer on pppoe0, state=SOLICIT, timeo=3, retrans=8905
      

      radv complains about "no auto-selected prefix on interface igb2, disabling advertisements" which sounds logical as the dhcp6c call does not seem to work.

      Is there any insight you guys can shed on this?

      Regards,
          JP

        j.koopmann

        It even looks as if the DHCP request is working (sniffing PPPoE) and a prefix is assigned. Please take a look at the pcap. However, something after that does not seem to do the trick. I am really out of ideas…

        dchp.pcap

          hda

          You are confined to your ISP protocols, there is no problem with pfSense.

          Have you configured the DT130 the right way? (e.g. no VLAN termination, leave that to pfSense).
          Does IPv4 work OK?
          Are you sure you need IPv6 over IPv4? (ISP protocol)

          If you know your quasi-permanent IPv6 prefix /56-number, make a Static LAN instead of Track Interface.
          Next to your basic settings in Interfaces-WAN, add IPv6 > Advanced:

          (send options(ia-pd 0) and Prefix delegation = checked only).

            j.koopmann

            DT130 is working like a charm. As is IPv4. No problem. The challenge only is the IPv6 part of the communication. I simply restricted the pcap to the relevant IPv6 traffic.

            I do NOT use IPv6 over IPv4. I am using IPv6 Dual Stack. The only problem is the DHCP based prefix delegation (Deutsche Telekom is using it so I have to get this to work). I do not seem to be the only one esp. with 2.3. Unfortunately the /56 to the best of my belief is not quasi-permanent but is changing on every PPPoE connect.

            Not sure what you mean by "confined to your ISP protocols". Things are working on a Fritzbox or Lancom router but not on a pfSense (terminating the PPPoE session). If you take a look at the wireshark you will see that Telekom is even responding with a DHCP Advertise XID with the prefix and DNS servers. It is just that the pfSense (maybe due to a misconfiguration) is not using this information or is ignoring the Advertise XID.

            What good is the advanced config doing?

            Current config is:

            interface pppoe0 {
                    send ia-na 0;   # request stateful address
                    send ia-pd 0;   # request prefix delegation
                    request domain-name-servers;
                    request domain-name;
                    script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
            };
            id-assoc na 0 { };
            id-assoc pd 0 {
                    prefix ::/56 infinity;
                    prefix-interface igb2 {
                            sla-id 0;
                            sla-len 8;
                    };
            };
            
            
              hda

              Have you allowed IPv6 at: System > Advanced > Networking > Allow IPv6 ?
              Did you UNcheck for Interfaces > WAN > Block bogon networks ?
              Applied a Floating rule for protocol IPv6 ICMP any any ?
              Do you allow LAN outbound port 547 ?

                j.koopmann

                @hda:

                Have you allowed IPv6 at: System > Advanced > Networking > Allow IPv6 ?

                Yes

                Did you UNcheck for Interfaces > WAN > Block bogon networks ?

                Yes

                Applied a Floating rule for protocol IPv6 ICMP any any ?

                Nope. ICMP6 from all zones to all zones? Have not found this in the instructions anywhere but it is worth a try. Will do this later today. But why would this be relevant? Should the dhcp6c not assign the prefix it receives directly to the LAN interface? This does not work via ICMP or does it?

                Do you allow LAN outbound port 547 ?

                Outbound is not restricted. Why would 547 be helpful? The WAN interface can communicate with Telekom via DHCP and the LAN should not do DHCP6 at all.

                Regards,
                  JP

                  -flo- 0

                  @j.koopmann:

                  If you take a look at the wireshark you will see that Telekom is even responding with a DHCP Advertise XID with the prefix and DNS servers. It is just that the pfsense (maybe due to a misconfiguration) is not using this information or is ignoring the Advertise XID.
                  […]
                  Current config is:

                  
                  [...]
                  id-assoc pd 0 {
                          prefix ::/56 infinity;
                          prefix-interface igb2 {
                                  sla-id 0;
                                  sla-len 8;
                          };
                  };
                  
                  

                  Yes: The pcap shows a prefix being delegated.

                  I'm just guessing and I may be completely mistaken, but is it possible that the prefix option in the configuration simply overrides the delegated prefix? ::/56 (= 0000:0000:0000:00) would then possibly be delegated as a prefix.

                  prefix ipv6-prefix pltime [vltime]; specifies a prefix and related parameters that the client wants to be delegated.

                  (Source: dhcp6c.conf documentation)

                  From this I understand that you should be able to specify a concrete static prefix here. If I read the examples on the man page correctly there should be no need to specify a prefix if one is delegated.

                  So I would expect that this should suffice:

                  
                  id-assoc pd 0 {
                          prefix-interface igb2 {
                                  sla-id 0;
                                  sla-len 8;
                          };
                  };
                  
                  

                  -flo-

                    j.koopmann

                    Hi Flo,

                    your suggestion did not work. However I took a deeper look at the puzzling "unexpected interface" message. Looking for the PID I finally discovered that an old dhcp6c daemon was still running but it was referring to igb0 instead of pppoe0. So that daemon received the answers and could not do anything with it. I rebooted the box and believe it or not: The config did work after all…. grrrr... I should have refrained to the old Microsoft solution "reboot" earlier I believe.

                    Thanks all for your help. I will take away some changes like the floating rule and see if these are really necessary!

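In the system log quoted in the first post, the "unexpected interface" line comes from a different PID (89842) than the one sending solicits (96921), which is the leftover-daemon condition described in the post above. As an added example that is not part of the original thread, this shell script groups dhcp6c log lines by PID and flags that pattern; the tab-separated log layout and the flagging heuristic are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): spot competing dhcp6c daemons in pfSense
# system-log lines laid out as time<TAB>process<TAB>pid<TAB>message (assumed).
# One line per dhcp6c PID: "<pid> solicits=<n> unexpected=<n> if=<name>".
dhcp6c_pid_summary() {
    awk -F '\t' '
        $2 != "dhcp6c" { next }
        { pid = $3; msg = $4 }
        !(pid in seen) { seen[pid] = 1; order[++n] = pid }
        msg ~ /^send solicit to / {
            sol[pid]++      # interface name is the zone id after the percent sign
            if ((i = index(msg, "%"))) ifname[pid] = substr(msg, i + 1)
        }
        msg ~ /^unexpected interface/ { unexp[pid]++ }
        END {
            for (k = 1; k <= n; k++) {
                p = order[k]
                printf "%s solicits=%d unexpected=%d if=%s\n", p, sol[p],
                    unexp[p], ((p in ifname) ? ifname[p] : "-")
            }
        }'
}

# Heuristic (assumption of this example): a PID that logs "unexpected interface"
# while a different PID sends the solicits is a leftover daemon. Prints such PIDs.
dhcp6c_stale_pids() {
    dhcp6c_pid_summary | awk '
        { split($2, s, "="); split($3, u, "=")
          pid[NR] = $1; sol[NR] = s[2] + 0; unexp[NR] = u[2] + 0
          if (sol[NR] > 0) senders++ }
        END {
            for (k = 1; k <= NR; k++) {
                if (unexp[k] > 0 && senders - (sol[k] > 0) > 0)
                    out = out (out ? " " : "") pid[k]
            }
            if (out != "") print out
        }'
}

# Sample input: the five system-log lines quoted in the first post.
sample_log() {
    printf 'Apr 26 11:22:21\tdhcp6c\t%s\t%s\n' \
        96921 'set IA_PD prefix' \
        96921 'set IA_PD' \
        96921 'send solicit to ff02::1:2%pppoe0' \
        96921 'reset a timer on pppoe0, state=SOLICIT, timeo=23, retrans=129384' \
        89842 'unexpected interface (8)'
}
sample_log | dhcp6c_pid_summary
echo "stale candidates: $(sample_log | dhcp6c_stale_pids)"
```

Any PID it reports is worth comparing against the running dhcp6c processes before changing the configuration.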
                      -flo- 0

                      Congratulations on getting this to work!

                      I would really appreciate a summary of your working configuration. I tried to get IPv6 to work a while back without success.

                      -flo-

                        j.koopmann

                        Hi,

                        it will take a few days and reboots/reconnect/new prefixes to be sure. But to the best of my knowledge it in the end (after the reboot) was pretty simple.

                        First of all I threw out my DSL router and replaced it with a Vigor 130 which I put into bridge mode. I then switched the WAN configuration to pppoe. For IPv4 I chose the PPPoE session. For IPv6 I chose DHCP. Moreover the options: "Request a IPv6 prefix/information through the IPv4 connectivity link", prefix (in my case /56) and "Send an IPv6 prefix hint to indicate the desired prefix size for delegation". Under services DHCPv6 Server&RA page I chose "unmanaged" under Router Advertisements and changed the router priority to "normal". I believe that is about it. And then don't forget the reboot…. :-)

                        Of course this is now for Deutsche Telekom AllIP and might differ for other carriers.

                        Regards,
                          JP

                        2016-04-26_20-47-19.png

                          junicast

                          Thank you so much j.koopmann

                          I've been tinkering around with this for weeks and it seems that it just didn't work because I did not reboot.
                          That's REALLY annoying.

                          Anyway. I just wanted to confirm that your given pfsense IPv6 configuration also works with NetAachen/Netcologne VDSL dual stack. Also running a Vigor 130 over here.
                          Those Fritzbox devices are crap.

                            helge000

                            First of all, thanks for this thread.
                            I can confirm DS is working with pfSense 2.2.6 (not 2.2.4) and Deutsche Telekom using a Zyxel VMG1312-B30A, which is also officially supported by DTAG and Deutschland LAN IP/VoIP.

                            In case of Deutsche Telekom, requesting a prefix longer than /64 via DHCP6 seems to be of no use; I always get a /64 only.

                            Instead, a route of a /56 net is added through the /64 net(?); DK calls this "Kundennetz/LAN". While I can get the /64 net working, I cannot get the /56 prefix assigned to me to work. Did anyone succeed with this task?

                            Thanks!

                              moJ090

                              Yes, your pfSense gets the "Kundennetz/WAN" subnet on the WAN interface and the "Kundennetz/Lan" /56 on all other interfaces, split as /64.

                              You configured Track Interface (WAN) on the other interfaces? And don't forget to reboot.
