OPNsense Forum
Archive => 21.7 Legacy Series => Topic started by: joeyboon on September 29, 2021, 03:13:49 pm
-
I finally got around to implementing IPv6 on my network. It works great on all subnets and I score well on the connection test on internet.nl and test-ipv6.com. It works on Debian, Android, iOS, macOS and Windows. However, the RADVD log registers an error around every five minutes:
2021-09-29T15:03:30 radvd[80798] sendmsg: Network is down
2021-09-29T14:56:25 radvd[80798] sendmsg: Network is down
2021-09-29T14:51:31 radvd[80798] sendmsg: Network is down
2021-09-29T14:47:39 radvd[80798] sendmsg: Network is down
2021-09-29T14:39:50 radvd[80798] sendmsg: Network is down
I'm currently running:
OPNsense 21.7.3_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
LibreSSL 3.3.4
My ISP provides me with a /48 via DHCPv6 through the IPv4 PPPoE tunnel. On my WAN interface I selected DHCPv6 as IPv6 Configuration Type and checked the following options
Request only an IPv6 prefix *checked*
Prefix Delegation size 48
Send IPv6 prefix hint *unchecked*
Use IPv4 Connectivity *checked*
Use VLAN priority *Disabled*
On the LAN interface (and others) I selected Track Interface as IPv6 Configuration Type and selected the following options:
IPv6 interface: WAN
IPv6 Prefix ID: (whatever the VLAN of that particular interface is to make it more recognizable)
Manual configuration *unchecked*
Does anyone have any idea what could be wrong? Everything seems to be in working order, so troubleshooting is a bit tough. Any help would be appreciated. Thanks!
-
Are you allowing ICMPv6 on all your internal networks? You need it for hosts to join multicast groups which form the backbone of IPv6 networking.
Bart...
-
Hi Bart,
I've only created an ICMPv6 echo request allow rule to my subnet alias on the WAN interface, as described in this post: https://forum.opnsense.org/index.php?topic=16743.msg84771
I was under the impression that internally everything would work. Do I need to do this for every internal network interface? Thanks for the help. I'm fairly new to IPv6 :)
-
I've allowed it everywhere. In IPv4 you block ICMP to stop attackers from mapping out your internal hosts. Working out how long that will take over 1 ms for a /64 subnet is left as an exercise to the reader ;)
Bart...
-
Hi Bart,
I've added the following rule to every internal interface:
(https://forum.opnsense.org/index.php?action=dlattach;topic=24951.0;attach=18962)
However RADVD still logging:
2021-09-30T09:37:21 radvd[89885] sendmsg: Network is down
2021-09-30T09:28:34 radvd[89885] sendmsg: Network is down
2021-09-30T09:21:21 radvd[89885] sendmsg: Network is down
Any other suggestions? Or do I need to enable more than just echo requests?
-
On the WAN interface I have the following rule, by the way (also only allowing echo requests):
(https://forum.opnsense.org/index.php?action=dlattach;topic=24951.0;attach=18964)
-
ICMP echo and specifically unicast addresses are not enough. You need a whole bunch of multicast and different ICMP subprotocols for IPv6 to work.
Did you disable all automatic rules? Because for router advertisements and neighbor discovery all the necessary rules should be created as "floating" by OPNsense automatically.
HTH,
Patrick
-
Hi Patrick,
I have not disabled them. These are the rules that are automagically generated on the same internal example interface:
(https://forum.opnsense.org/index.php?action=dlattach;topic=24951.0;attach=18966)
These are the floating rules generated:
(https://forum.opnsense.org/index.php?action=dlattach;topic=24951.0;attach=18968)
As mentioned, IPv6 seems to be working correctly (at least according to all the IPv6 tests on the web I've tried). The only problem is RADVD stating the network is down while it clearly is not (and me being a noob when it comes to IPv6). ;)
-
I've just applied these ICMP types on these interfaces: https://i.kym-cdn.com/photos/images/newsfeed/000/239/389/a24.jpg :D
Bart...
-
If I understand correctly, all the rules mentioned in RFC 4890 (https://datatracker.ietf.org/doc/html/rfc4890) are taken care of automagically by OPNsense. I found this post on the Netgate forum discussing this: https://forum.netgate.com/topic/138243/2-4-4-icmpv6-firewall-rules. They mention everything should work out of the box (except for echo requests).
The above seems to correspond with my experience. Everything seems to be working correctly, except RADVD telling me that the network is down. How does it check this?
Since I receive a /48 via DHCPv6 through the IPv4 PPPoE tunnel, my WAN interface and IPv6 default gateway both use a link-local address and do not have their own global IPv6 address. Could this be the problem? Because of this, IPv6 gateway monitoring also can't be enabled as far as I understand (and would not be very useful anyway).
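The ICMPv6 message types Patrick and the RFC 4890 discussion above refer to, as an added example that is not part of this thread and not OPNsense's own rule generator: a Python model of an inbound ICMPv6 policy for one interface. The type grouping is a simplification of the RFC 4890 recommendations, the hop-limit-255 and link-local-source checks come from RFC 4861 (Neighbor Discovery) and RFC 3810 (MLDv2), and the sample packets with their documentation-prefix (2001:db8::/32) addresses are constructed for the example.

```python
"""Model of a per-interface inbound ICMPv6 filter along the lines of RFC 4890.

Added example, not OPNsense or pf code. The grouping of types is a
simplification of RFC 4890; the per-message sanity checks come from
RFC 4861 (NDP) and RFC 3810 (MLDv2).
"""
import ipaddress
from dataclasses import dataclass

# Error messages (RFC 4890 section 4.3: must not be dropped, PMTUD needs them).
ERROR_TYPES = {1: "Destination Unreachable", 2: "Packet Too Big",
               3: "Time Exceeded", 4: "Parameter Problem"}
ECHO_TYPES = {128: "Echo Request", 129: "Echo Reply"}
# Neighbor Discovery: needed on every link the firewall has an address on.
NDP_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
             135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
             137: "Redirect"}
# Multicast Listener Discovery: hosts join ff02::/16 groups with these.
MLD_TYPES = {130: "MLD Query", 131: "MLDv1 Report", 132: "MLD Done",
             143: "MLDv2 Report"}
# RFC 4890 section 4.3: experimental/extension types and Router Renumbering
# or Node Information messages should be dropped unless explicitly needed.
DROP_TYPES = {100, 101, 127, 138, 139, 140, 200, 201, 255}


@dataclass(frozen=True)
class Icmp6Packet:
    src: str
    dst: str
    hop_limit: int
    icmp_type: int
    icmp_code: int = 0


def _link_local_or_unspecified(src: str) -> bool:
    addr = ipaddress.IPv6Address(src)
    return addr.is_link_local or addr.is_unspecified


def decide(pkt: Icmp6Packet) -> tuple:
    """Return ("pass" | "drop", reason) for one inbound ICMPv6 packet."""
    t = pkt.icmp_type
    if t in NDP_TYPES:
        # RFC 4861 section 7.1: ND messages must arrive with hop limit 255;
        # anything lower passed through a router and cannot be a neighbour.
        if pkt.hop_limit != 255:
            return "drop", f"{NDP_TYPES[t]} with hop limit {pkt.hop_limit} (must be 255)"
        # RFC 4861 section 4.2: a Router Advertisement source is link-local.
        if t == 134 and not ipaddress.IPv6Address(pkt.src).is_link_local:
            return "drop", f"Router Advertisement from non-link-local source {pkt.src}"
        return "pass", NDP_TYPES[t]
    if t in MLD_TYPES:
        # RFC 3810 section 5: MLD messages carry a link-local source; the
        # unspecified address is tolerated for reports sent during DAD.
        if not _link_local_or_unspecified(pkt.src):
            return "drop", f"{MLD_TYPES[t]} from non-link-local source {pkt.src}"
        return "pass", MLD_TYPES[t]
    if t in ERROR_TYPES:
        return "pass", ERROR_TYPES[t]
    if t in ECHO_TYPES:
        return "pass", ECHO_TYPES[t]
    if t in DROP_TYPES:
        return "drop", f"type {t} not needed on this network (RFC 4890 section 4.3)"
    return "drop", f"unallocated or unknown ICMPv6 type {t}"


def evaluate(packets):
    """Verdict for each packet as (type, verdict, reason)."""
    return [(pkt.icmp_type, *decide(pkt)) for pkt in packets]


# Constructed sample traffic as seen on a LAN interface.
SAMPLE = [
    Icmp6Packet("fe80::1", "ff02::1", 255, 134),              # genuine RA
    Icmp6Packet("2001:db8::bad", "ff02::1", 255, 134),        # RA from a global source
    Icmp6Packet("::", "ff02::1:ff00:1", 255, 135),            # DAD neighbor solicitation
    Icmp6Packet("fe80::2", "ff02::1", 64, 136),               # NA that crossed a router
    Icmp6Packet("fe80::2", "ff02::16", 1, 143),               # MLDv2 report
    Icmp6Packet("2001:db8::1", "2001:db8:1::5", 60, 2),       # Packet Too Big
    Icmp6Packet("2001:db8:2::9", "2001:db8:1::5", 64, 128),   # echo request
    Icmp6Packet("2001:db8:2::9", "2001:db8:1::5", 64, 139),   # node information query
    Icmp6Packet("2001:db8:2::9", "2001:db8:1::5", 64, 100),   # experimental type
]

if __name__ == "__main__":
    for icmp_type, verdict, reason in evaluate(SAMPLE):
        print(f"{verdict:4} type {icmp_type:3}  {reason}")
```

Run it and the Router Advertisement from the global source and the Neighbor Advertisement with hop limit 64 are dropped, while the genuine RA, the DAD solicitation and the MLDv2 report pass. That is the behaviour the automatically generated floating rules have to provide on every internal interface, not only an echo-request rule on WAN; on a real OPNsense box compare it against the loaded ruleset with `pfctl -sr | grep -i icmp` rather than against GUI screenshots.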
-
If you use "Track Interface" for LAN, you can enable "Manual Configuration" for Router Advertisements. This will enable a "Router Advertisements" section in the "Services" menu with fine-grained control over which interfaces to run radvd on and which not.
HTH,
Patrick
-
Hi Patrick,
IPv6 works on all internal interfaces, so I don't think using that option will help. I increased the radvd debug level to 5 and this is what it reports:
2021-09-30T20:20:28 radvd[40069] polling for 10 second(s), next iface is lo
2021-09-30T20:20:28 radvd[40069] lo next scheduled RA in 10 second(s)
2021-09-30T20:20:28 radvd[40069] send_ra_forall failed on interface lo
2021-09-30T20:20:28 radvd[40069] not sending RA for lo, interface is not ready
2021-09-30T20:20:28 radvd[40069] lo not found: Device not configured
2021-09-30T20:20:28 radvd[40069] timer_handler called for lo
2021-09-30T20:20:18 radvd[40069] polling for 10 second(s), next iface is lo
2021-09-30T20:20:18 radvd[40069] lo next scheduled RA in 10 second(s)
2021-09-30T20:20:18 radvd[40069] send_ra_forall failed on interface lo
2021-09-30T20:20:18 radvd[40069] not sending RA for lo, interface is not ready
2021-09-30T20:20:18 radvd[40069] lo not found: Device not configured
2021-09-30T20:20:18 radvd[40069] timer_handler called for lo
2021-09-30T20:20:08 radvd[40069] polling for 10 second(s), next iface is lo
2021-09-30T20:20:08 radvd[40069] lo next scheduled RA in 10 second(s)
2021-09-30T20:20:08 radvd[40069] send_ra_forall failed on interface lo
2021-09-30T20:20:08 radvd[40069] not sending RA for lo, interface is not ready
2021-09-30T20:20:08 radvd[40069] lo not found: Device not configured
2021-09-30T20:20:08 radvd[40069] timer_handler called for lo
2021-09-30T20:19:58 radvd[40069] polling for 10 second(s), next iface is lo
2021-09-30T20:19:58 radvd[40069] lo next scheduled RA in 10 second(s)
2021-09-30T20:19:58 radvd[40069] send_ra_forall failed on interface lo
2021-09-30T20:19:58 radvd[40069] not sending RA for lo, interface is not ready
2021-09-30T20:19:58 radvd[40069] lo not found: Device not configured
2021-09-30T20:19:58 radvd[40069] timer_handler called for lo
2021-09-30T20:19:58 radvd[40069] polling for 0 second(s), next iface is lo
2021-09-30T20:19:58 radvd[40069] interface lo does not exist or is not set up properly, ignoring the interface
2021-09-30T20:19:58 radvd[40069] lo not found: Device not configured
2021-09-30T20:19:58 radvd[40069] validated pid file, /var/run/radvd.pid: 40069
Any suggestions?
-
RADVD seems to try and address the loopback interface, but the loopback interface is called lo0, not lo. I can't seem to find where in the radvd config this is configured. The search continues.
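To pull the interface names radvd is failing on out of a debug log like the one above and check them against what the kernel actually has, here is an added example; it is not from the thread, OPNsense or radvd. The log lines are copied from the debug output posted above, the kernel interface list is constructed in the format `ifconfig -l` prints on FreeBSD, and the regular expressions are written for exactly those radvd messages and nothing else.

```python
"""Find interfaces radvd reports as missing or not ready and compare them
with the kernel's interface list.

Added example, not OPNsense or radvd code. Patterns match the radvd debug
messages quoted in the thread; the interface list is constructed.
"""
import difflib
import re

PATTERNS = [
    re.compile(r"radvd\[\d+\] (?P<iface>\S+) not found: Device not configured"),
    re.compile(r"radvd\[\d+\] interface (?P<iface>\S+) does not exist or is not set up properly"),
    re.compile(r"radvd\[\d+\] not sending RA for (?P<iface>\S+), interface is not ready"),
]


def broken_interfaces(log_lines):
    """Set of interface names radvd complains about in the given log lines."""
    found = set()
    for line in log_lines:
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                found.add(m.group("iface"))
                break
    return found


def suggest(iface, kernel_ifaces):
    """Closest existing interface name, e.g. 'lo' -> 'lo0' on FreeBSD."""
    matches = difflib.get_close_matches(iface, kernel_ifaces, n=1, cutoff=0.6)
    return matches[0] if matches else None


def diagnose(log_lines, kernel_ifaces):
    """Map each broken interface to (exists_in_kernel, suggested_name)."""
    report = {}
    for iface in sorted(broken_interfaces(log_lines)):
        exists = iface in kernel_ifaces
        report[iface] = (exists, None if exists else suggest(iface, kernel_ifaces))
    return report


# Constructed input: lines copied from the radvd debug log above plus the
# startup line, and a kernel interface list as `ifconfig -l` would print it.
LOG = [
    "2021-09-30T20:19:58 radvd[40069] validated pid file, /var/run/radvd.pid: 40069",
    "2021-09-30T20:19:58 radvd[40069] lo not found: Device not configured",
    "2021-09-30T20:19:58 radvd[40069] interface lo does not exist or is not set up properly, ignoring the interface",
    "2021-09-30T20:20:08 radvd[40069] not sending RA for lo, interface is not ready",
    "2021-09-30T20:20:08 radvd[40069] sendmsg: Network is down",
]
KERNEL_IFACES = "igb0 igb1 igb1.10 igb1.20 pppoe0 lo0 pflog0".split()

if __name__ == "__main__":
    for iface, (exists, hint) in diagnose(LOG, KERNEL_IFACES).items():
        status = "exists" if exists else f"missing (did you mean {hint}?)"
        print(f"radvd interface {iface}: {status}")
```

On a live box feed it `grep radvd /var/log/system.log` (or the interface's own log file) and `ifconfig -l` instead of the constructed lists; if a name shows up as missing, the next place to look is the generated radvd configuration for that name, since radvd only polls what it was told to serve.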