OPNsense Forum

Archive => 23.1 Legacy Series => Topic started by: newsense on January 22, 2023, 06:11:09 pm

Title: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 22, 2023, 06:11:09 pm
Hi again,

The first time I bumped into this issue was back in December, so this is not 23.1 specific, posting it here since the FW is already on 23.1.RC2.



I'm seeing this weird behavior on a FW connected to Telus Canada where the WAN doesn't get a routable 2001:: IP, yet based on the prefix delegation received, the internal network interfaces get configured with 2001::/64 just fine tracking the WAN.


The only information I could find pertains to Edgerouter or pfSense configuration and it's not really 1:1 when compared to the options in the GUI:

https://heald.ca/configuring-telus-optik-ipv6-ubiquiti-edgerouter/

https://www.zacharyschneider.ca/2020/12/pfsense-ipv6-telus/


I tried toggling On and Off "Request only an IPv6 prefix" and "Send IPv6 prefix hint" along with requesting a different PD Size other than the /56 but it wasn't helpful.




Any guidance on how to move forward troubleshooting this issue is most welcome.



Thank you.

Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: franco on January 22, 2023, 09:07:37 pm
No GUA on WAN can be perfectly normal. What are you trying to achieve?


Cheers,
Franco
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 22, 2023, 11:24:50 pm
Hi Franco, thank you for answering on a Sunday. :)


In a nutshell, testing the connectivity on https://ipv6-test.com from the laptop that is provisioned with a GUA on the VLAN interface that has a GUA as well - having a rule on the VLAN to allow any IPv6 right at the top (temporarily) - and the result on that page is that only IPv4 is working.

The local DNS is resolving IPv6 as well:
Code:
ping -6 isc.org

Pinging isc.org [2001:4f8:1:f::66] with 32 bytes of data:
Request timed out.


What appears to be wrong, if my understanding is correct, is that I don't see a GUA on the WAN - so even if I could try to select the GW in the IPv6 rule, the available options are as follows:
Code:
LAN_TRACK - fe80::
WAN_DHCP6 - No IPv6 Address
WAN_DHCP - expected IPv4 Address


Filtering for DHCP Debug messages in System: Log Files: General doesn't reveal anything abnormal that I could see...
Code:
2023-01-22T08:21:13-08:00 Notice opnsense-devel /interfaces.php: plugins_configure monitor (,WAN_DHCP)
2023-01-22T08:21:13-08:00 Notice opnsense-devel /interfaces.php: plugins_configure monitor (execute task : dpinger_configure_do(,WAN_DHCP6))
2023-01-22T08:21:13-08:00 Notice opnsense-devel /interfaces.php: plugins_configure monitor (,WAN_DHCP6)
2023-01-22T08:21:13-08:00 Notice dhcp6c RTSOLD script - Sending SIGHUP to dhcp6c
2023-01-22T08:21:11-08:00 Notice opnsense-devel /interfaces.php: plugins_configure dhcp (execute task : dhcpd_dhcp_configure(,inet6,Array))
2023-01-22T08:21:11-08:00 Notice opnsense-devel /interfaces.php: plugins_configure dhcp (,inet6,Array)
2023-01-22T08:13:48-08:00 Notice dhcp6c dhcp6c REQUEST on igb0 - running newipv6


Please let me know whether there's any other, more useful info that I could provide here.


Thanks again.
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 23, 2023, 12:24:19 am
Actually I just managed to capture this from the WAN interface. I started the capture and went back to the interface, setting the PD size back to /56 to toggle a DHCP6 request, so based on the pfSense guide these are the options on the interface that are set if available:

Code:
Enable IPv6

If you haven't already, pfSense must have IPv6 support turned on. Under System > Advanced > Networking > IPv6 Options, enable Allow IPv6.

Next, configure your WAN interface:

    Interfaces > WAN > General Configuration:
    IPv6 Configuration Type: DHCP6
    Interfaces > WAN > DHCP6 Client Configuration:
    Request only an IPv6 prefix: Enabled
    DHCPv6 Prefix Delegation size: 56
    Send IPv6 prefix hint: Enabled
    Do not wait for a RA: Enabled (request a prefix from the Telus router immediately)
    Do not allow PD release: Enabled

and the PCAP details:

Code:
Interface Timestamp SRC DST output
WAN
igb0 2023-01-22
15:08:43.558984 00:0d:b9:57:74:5c 33:33:00:01:00:02 ethertype IPv6 (0x86dd), length 114: (hlim 1, next-header UDP (17) payload length: 60) fe80::20d:b9ff:fe57:745c.546 > ff02::1:2.547: [bad udp cksum 0x2c95 -> 0x1afa!] dhcp6 solicit (xid=193eec (client-ID hwaddr/time type 1 time 570277845 000db957745c) (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 25587) (option-request DNS-server DNS-search-list))
WAN
igb0 2023-01-22
15:08:43.567313 f8:13:08:26:58:97 00:0d:b9:57:74:5c ethertype IPv6 (0x86dd), length 151: (class 0x40, hlim 255, next-header UDP (17) payload length: 97) fe80::fa13:8ff:fe26:5711.547 > fe80::20d:b9ff:fe57:745c.546: [udp sum ok] dhcp6 advertise (xid=193eec (server-ID hwaddr type 1 f81308265711) (client-ID hwaddr/time type 1 time 570277845 000db957745c) (IA_NA IAID:0 T1:0 T2:0 (status-code NoAddrsAvail)))
WAN
igb0 2023-01-22
15:09:04.018056 00:0d:b9:57:74:5c 33:33:00:01:00:02 ethertype IPv6 (0x86dd), length 90: (hlim 1, next-header UDP (17) payload length: 36) fe80::20d:b9ff:fe57:745c.546 > ff02::1:2.547: [bad udp cksum 0x2c7d -> 0x9d35!] dhcp6 solicit (xid=4b20ea (client-ID hwaddr/time type 1 time 570277845 000db957745c) (elapsed-time 0))
WAN
igb0 2023-01-22
15:09:04.020604 f8:13:08:26:58:97 00:0d:b9:57:74:5c ethertype IPv6 (0x86dd), length 104: (class 0x40, hlim 255, next-header UDP (17) payload length: 50) fe80::fa13:8ff:fe26:5711.547 > fe80::20d:b9ff:fe57:745c.546: [udp sum ok] dhcp6 advertise (xid=4b20ea (server-ID hwaddr type 1 f81308265711) (client-ID hwaddr/time type 1 time 570277845 000db957745c) (status-code UnspecFail))
WAN
igb0 2023-01-22
15:09:05.020173 00:0d:b9:57:74:5c 33:33:00:01:00:02 ethertype IPv6 (0x86dd), length 104: (hlim 1, next-header UDP (17) payload length: 50) fe80::20d:b9ff:fe57:745c.546 > ff02::1:2.547: [bad udp cksum 0x2c8b -> 0xf3ff!] dhcp6 request (xid=5a7099 (client-ID hwaddr/time type 1 time 570277845 000db957745c) (server-ID hwaddr type 1 f81308265711) (elapsed-time 0))
WAN
igb0 2023-01-22
15:09:05.023739 f8:13:08:26:58:97 00:0d:b9:57:74:5c ethertype IPv6 (0x86dd), length 104: (class 0x40, hlim 255, next-header UDP (17) payload length: 50) fe80::fa13:8ff:fe26:5711.547 > fe80::20d:b9ff:fe57:745c.546: [udp sum ok] dhcp6 reply (xid=5a7099 (server-ID hwaddr type 1 f81308265711) (client-ID hwaddr/time type 1 time 570277845 000db957745c) (status-code UnspecFail))
WAN
igb0 2023-01-22
15:09:05.473101 00:0d:b9:57:74:5c 33:33:00:00:00:02 ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::20d:b9ff:fe57:745c > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
  source link-address option (1), length 8 (1): 00:0d:b9:57:74:5c
    0x0000:  000d b957 745c
WAN
igb0 2023-01-22
15:09:05.569563 f8:13:08:26:58:97 00:0d:b9:57:74:5c ethertype IPv6 (0x86dd), length 78: (class 0xe0, hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::fa13:8ff:fe26:5711 > fe80::20d:b9ff:fe57:745c: [icmp6 sum ok] ICMP6, router advertisement, length 24
hop limit 64, Flags [none], pref medium, router lifetime 4500s, reachable time 0ms, retrans timer 100ms
  source link-address option (1), length 8 (1): f8:13:08:26:58:97
    0x0000:  f813 0826 5897
WAN
igb0 2023-01-22
15:09:06.033298 00:0d:b9:57:74:5c 33:33:00:01:00:02 ethertype IPv6 (0x86dd), length 143: (hlim 1, next-header UDP (17) payload length: 89) fe80::20d:b9ff:fe57:745c.546 > ff02::1:2.547: [bad udp cksum 0x2cb2 -> 0xa290!] dhcp6 solicit (xid=a2e21f (client-ID hwaddr/time type 1 time 570277845 000db957745c) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))
WAN
igb0 2023-01-22
15:09:06.050816 f8:13:08:26:58:97 00:0d:b9:57:74:5c ethertype IPv6 (0x86dd), length 179: (class 0x40, hlim 255, next-header UDP (17) payload length: 125) fe80::fa13:8ff:fe26:5711.547 > fe80::20d:b9ff:fe57:745c.546: [udp sum ok] dhcp6 advertise (xid=a2e21f (server-ID hwaddr type 1 f81308265711) (client-ID hwaddr/time type 1 time 570277845 000db957745c) (IA_PD IAID:0 T1:7200 T2:10800 (IA_PD-prefix 2001:56a:7db2:3c00::/56 pltime:14400 vltime:14700)) (DNS-server 2001:568:ff09:10c::67 2001:568:ff09:10a::116))
WAN
igb0 2023-01-22
15:09:07.035027 00:0d:b9:57:74:5c 33:33:00:01:00:02 ethertype IPv6 (0x86dd), length 157: (hlim 1, next-header UDP (17) payload length: 103) fe80::20d:b9ff:fe57:745c.546 > ff02::1:2.547: [bad udp cksum 0x2cc0 -> 0x75c4!] dhcp6 request (xid=60262b (client-ID hwaddr/time type 1 time 570277845 000db957745c) (server-ID hwaddr type 1 f81308265711) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix 2001:56a:7db2:3c00::/56 pltime:14400 vltime:14700)))
WAN
igb0 2023-01-22
15:09:07.499966 f8:13:08:26:58:97 00:0d:b9:57:74:5c ethertype IPv6 (0x86dd), length 179: (class 0x40, hlim 255, next-header UDP (17) payload length: 125) fe80::fa13:8ff:fe26:5711.547 > fe80::20d:b9ff:fe57:745c.546: [udp sum ok] dhcp6 reply (xid=60262b (server-ID hwaddr type 1 f81308265711) (client-ID hwaddr/time type 1 time 570277845 000db957745c) (IA_PD IAID:0 T1:7200 T2:10800 (IA_PD-prefix 2001:56a:7db2:3c00::/56 pltime:14400 vltime:14700)) (DNS-server 2001:568:ff09:10c::67 2001:568:ff09:10a::116))
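
The capture above, reduced to what the server answered for each kind of request, as an added example that is not part of the original post. The sample lines are abridged from that capture (client-ID and server-ID options dropped), and the function names are hypothetical.

```python
import re

# Abridged from the tcpdump -v lines in the post above (DHCPv6 messages only).
CAPTURE = """\
dhcp6 solicit (xid=193eec (IA_NA IAID:0 T1:0 T2:0) (elapsed-time 25587))
dhcp6 advertise (xid=193eec (IA_NA IAID:0 T1:0 T2:0 (status-code NoAddrsAvail)))
dhcp6 solicit (xid=4b20ea (elapsed-time 0))
dhcp6 advertise (xid=4b20ea (status-code UnspecFail))
dhcp6 solicit (xid=a2e21f (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/56 pltime:4294967295 vltime:4294967295)))
dhcp6 advertise (xid=a2e21f (IA_PD IAID:0 T1:7200 T2:10800 (IA_PD-prefix 2001:56a:7db2:3c00::/56 pltime:14400 vltime:14700)))
dhcp6 reply (xid=60262b (IA_PD IAID:0 T1:7200 T2:10800 (IA_PD-prefix 2001:56a:7db2:3c00::/56 pltime:14400 vltime:14700)))
"""

MSG = re.compile(r"dhcp6 (\w+) \(xid=([0-9a-f]+)")
IA = re.compile(r"\((IA_NA|IA_PD) ")          # does not match "(IA_PD-prefix"
STATUS = re.compile(r"status-code (\w+)")
PREFIX = re.compile(r"IA_PD-prefix (\S+)")

def parse(text):
    """Yield one dict per DHCPv6 message found in tcpdump -v text."""
    for line in text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        status = STATUS.search(line)
        prefix = PREFIX.search(line)
        yield {
            "type": m.group(1),
            "xid": m.group(2),
            "ias": sorted(set(IA.findall(line))),
            "status": status.group(1) if status else None,
            "prefix": prefix.group(1) if prefix else None,
        }

def outcomes(text):
    """Map each IA kind to the server's answer (a status code applies to the whole line)."""
    result = {}
    for msg in parse(text):
        if msg["type"] not in ("advertise", "reply"):
            continue
        for ia in msg["ias"]:
            if msg["status"]:
                result[ia] = msg["status"]
            elif ia == "IA_PD" and msg["prefix"]:
                result[ia] = msg["prefix"]
    return result

if __name__ == "__main__":
    print(outcomes(CAPTURE))
```

On this capture the address request (IA_NA) is refused with NoAddrsAvail while the prefix request (IA_PD) is granted, which is the link-local-only WAN with working prefix delegation described in the thread.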
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: franco on January 23, 2023, 12:37:50 pm
> What appears to be wrong, if my understanding is correct, is that I don't see a GUA on the WAN

As mentioned that is not a requirement for IPv6 connectivity since you state you have a functional GUA on LAN.

The ping was from the OPNsense? And do clients have connectivity?


Cheers,
Franco
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 23, 2023, 02:45:49 pm
So I get the following when pinging from client and OPNsense.


Ping google.com, source address vlan with GUA:

Code:
# /sbin/ping -6 -S '2001:56a:7db2:3c10:20d:b9ff:fe57:745f'  -c '3' 'google.com'
PING6(56=40+8+8 bytes) 2001:56a:7db2:3c10:20d:b9ff:fe57:745f --> 2607:f8b0:4020:804::200e

--- google.com ping6 statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss


Ping google.com, client with GUA on the same vlan mentioned above, Allow Any Out IPv6 in the vlan rules, no FW active on the client:

Code:
C:\>ping -6 google.com

Pinging google.com [2607:f8b0:4020:804::200e] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 2607:f8b0:4020:804::200e:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


Ping from client with GUA on the Lan interface, I see some icmpv6 activity in the live log but it's coming from the link local address of the client

Code:
[root@manjaro-arm]# ping -6 2607:f8b0:4020:804::200e
PING 2607:f8b0:4020:804::200e(2607:f8b0:4020:804::200e) 56 data bytes
^C
--- 2607:f8b0:4020:804::200e ping statistics ---
287 packets transmitted, 0 received, 100% packet loss, time 292866ms



Back to OPNsense, ping google.com, source address "Default":

Code:
# /sbin/ping -6 -c '3' 'google.com'
PING6(56=40+8+8 bytes) 2001:56a:7db2:3c00:20d:b9ff:fe57:745f --> 2607:f8b0:4020:804::200e
16 bytes from 2001:56a:7db2:3c00:20d:b9ff:fe57:745f, icmp_seq=0 hlim=64 time=0.581 ms
16 bytes from 2001:56a:7db2:3c00:20d:b9ff:fe57:745f, icmp_seq=1 hlim=64 time=0.474 ms
16 bytes from 2001:56a:7db2:3c00:20d:b9ff:fe57:745f, icmp_seq=2 hlim=64 time=0.418 ms

--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.418/0.491/0.581/0.067 ms


When I'm looking at the IPv6 assignments on OPNsense it becomes apparent the "Default" source address is actually present on the Lan interface and that's the only time I get ping replies, while selecting the vlan as source does nothing.

Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: franco on January 23, 2023, 03:26:34 pm
And both VLAN and LAN are tracking the WAN with different prefix IDs? What are your prefix IDs being used? Is there a PPPoE involved?


Cheers,
Franco
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 23, 2023, 03:37:58 pm
No PPPoE involved, DHCP for WAN IPv4, Lan Prefix ID 0x0 and Vlan Prefix ID 0x10 -- not 100% sure the values are correct(?) but the interfaces get a GUA. Both are tracking the Wan interface.
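
A check of the prefix IDs mentioned above against the delegated /56 and the source addresses seen in the ping output, as an added example that is not part of the original posts. It assumes the prefix ID fills the bits between the delegated prefix length and /64, which is consistent with the addresses shown in this thread; the function names are hypothetical.

```python
import ipaddress

def tracked_subnet(delegated, prefix_id):
    """Return the /64 a tracking interface gets from a delegated prefix."""
    pd = ipaddress.IPv6Network(delegated)
    id_bits = 64 - pd.prefixlen          # a /56 leaves 8 bits, IDs 0x00..0xff
    if id_bits < 0:
        raise ValueError("delegation is longer than /64")
    if not 0 <= prefix_id < (1 << id_bits):
        raise ValueError(f"prefix ID {prefix_id:#x} does not fit in {id_bits} bits")
    # The prefix ID sits directly above the 64-bit interface identifier.
    base = int(pd.network_address) + (prefix_id << 64)
    return ipaddress.IPv6Network((base, 64))

def owner(address, delegated, prefix_ids):
    """Name the interface whose tracked /64 contains address, or None."""
    addr = ipaddress.IPv6Address(address)
    for name, pid in prefix_ids.items():
        if addr in tracked_subnet(delegated, pid):
            return name
    return None

# Values taken from the thread: delegated prefix, prefix IDs, ping source addresses.
DELEGATED = "2001:56a:7db2:3c00::/56"
PREFIX_IDS = {"LAN": 0x0, "VLAN": 0x10}

if __name__ == "__main__":
    for name, pid in PREFIX_IDS.items():
        print(name, tracked_subnet(DELEGATED, pid))
    print(owner("2001:56a:7db2:3c10:20d:b9ff:fe57:745f", DELEGATED, PREFIX_IDS))
```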
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 28, 2023, 01:51:54 am
Hi Franco,

In a weird twist, IPv6 appears to be working now fine from all vlans. I'm unsure what triggered this, I haven't seen any fixes or github issues that went into 23.1 that would explain this.

I've just rebooted the APU in question for the new coreboot 4.19.0.1 and IPv6 continues to be working fine.

For future reference, this is the required configuration for DHCPv6:


Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: Andi75 on January 28, 2023, 01:01:53 pm
I had the same problem. No IPv6 connectivity from the clients, but OPNsense was okay. I then noticed that the GUA is not passed to the clients. Neither restarting the RA service nor a reboot helped.
I then checked and saved the RA settings (without changing anything) and after that it worked. Since then the problem has not occurred.
Title: Re: IPv6 - link local only on WAN yet LAN/VLANs get 2001:: through Track Interface
Post by: newsense on January 28, 2023, 04:55:10 pm
Not really 1:1 - my clients had GUAs - but thanks for sharing.