OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: Taomyn on March 29, 2017, 02:36:35 pm
-
I finally have an IPv6 address from my ISP so OPNsense is working just fine in this respect (I have a PPPoE connection, with a VLAN, the IPv6 address is set on the WAN interface as DHCPv6, using IPv4 connectivity).
Now that it's working where do I go next? I'd like to get this working internally now as I have a small test project that can use IPv6 and want to use this to further my knowledge of IPv6.
I'm assuming I need to now enable IPv6 on the LAN interface so what IPv6 option do I set? I did look in the wiki, skipping past the tunnel stuff to "Step 3", and it mentions using "Static IPv6", but no information on what address to use.
BTW, is the wiki search function meant to work, because I enter a search term e.g. ipv6, press enter and all I see is "Searching......"
-
Pick a /64 within your delegation and assign a static IP to the LAN interface from that subnet. Enable router advertisements from the dhcpv6 service and watch the magic happen (SLAAC permitting) ;-)
Bart...
-
Thanks Bart. Spookily my ISP just called to tell me that IPv6 should be enabled, but the only extra information I could get out of them was that I was to use DHCPv6 for the WAN connection, and to use /56 for the prefix delegation size and not /64.
But how to now get a static from my public IP I don't know - see, I'm very new at this ;-) The firewall tells me I have a public IPv6 address with a /64 subnet, the IPv6 test ping to ipv6.google.com works (I did sit the WAN "DHCPv6 Prefix Delegation size" to 56).
-
Given the size of the overall address space, I can't see your ISP changing your range any time soon but it's worth keeping an eye on your WAN interface across a couple of reconnects.
RFC3177 says that you should assign a /64 for any network that contains hosts https://tools.ietf.org/html/rfc3177 so the /56 gives you the option to create a DMZ (or even a few hundred).
Bart...
-
I'm trying to confirm what the /56 prefix is that I've been assigned, but I can't figure out how to get the firewall to tell me. Any ideas?
-
Is there an IPv6 address showing on the interface section of your dashboard?
The first 14 characters is your /56. E.g. 2001:0db8:85a3:4700:feed:8a2e:0370:7334 would be part of a 2001:0db8:85a3:47::0/56 delegation.
You can also get the IPv6 from the console (or SSH) with ifconfig
Ignore the fe80: address, routable addresses start with 2001:
Bart...
-
Ok got that, so if my IPv6 address is:
2065:456:1:88fd:325:22aa:eda2:2fc4/64
Then would my prefix be:
2065:456:1:88::0/56
And then if I wanted to I can subnet it for example:
2065:456:1:8801::0/64
2065:456:1:8802::0/64
etc
And avoid the one being used by the WAN link i.e.
2065:456:1:88fd::0/64
-
Yes, spot on. Once you have your internal computers set up, try http://cav6tf.org/ to test.
Bart...
-
Great, and sorry for all the questions but I was trying things out and nothing works. I'm hoping this thread will be useful to others should they come looking.
When I set an interface to "Static IPv6" the address setting asks for what I assume the "/" number after it (the advanced help is greyed out for this which isn't helpful), so does that mean I assign it the subnet and choose 64? When I do this all I see assigned to the interface is just the subnet.
-
Quick update as I am making progress:
WAN - working, I can ping ipv6.google.com
LAN - working, I assigned it a subnet, can ping ipv6.google.com
Internal PC - I enabled "Unmanaged" router advertisements for the LAN DHCPv6 server (nothing else changed), I renewed the IPs on my workstation, it gets what looks like two IPv6 addresses based off the subnet assigned (one is designated temp), I can ping LAN and WAN, but I cannot ping ipv6.google.com
-
Does your DNS server resolve AAAA records? You can try ping to 2001:4860:4860::8888 or 2001:4860:4860::8844
Bart...
-
Yes, it seems to be working - all my devices are getting IPv6 IPs now which is nice :-)
C:\WINDOWS\system32>ping -6 ipv6.google.com
Pinging ipv6.l.google.com [2a00:1450:4007:812::200e] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 2a00:1450:4007:812::200e:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
C:\WINDOWS\system32>ping -6 2001:4860:4860::8844
Pinging 2001:4860:4860::8844 with 32 bytes of data:
Request timed out.
Ping statistics for 2001:4860:4860::8844:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
C:\WINDOWS\system32>nslookup ipv6.google.com 192.168.1.10
Server: homer.windowsserver.local
Address: 192.168.1.10
Non-authoritative answer:
Name: ipv6.l.google.com
Address: 2a00:1450:4007:812::200e
Aliases: ipv6.google.com
-
Just an update, it's still not fully working i.e. none of my internal devices can communicate to the Internet via IPv6, but internally everything is working, and the firewall itself is able to send traffic so I don't think it's my ISP.
I've also added a rule to allow IPv6 ICMP from external and that works fine from a test website I found.
Any ideas? Do I need to enable another option somewhere to allow the traffic to from the LAN to the WAN interfaces? The "Default allow LAN IPv6 to any rule" is present and I don't see the traffic being blocked.
-
Sounds like a routing issue. Perhaps a typo on your lan side? I.e. your traffic is going out OK but return packets never make it back because your lan is outside your range and your ISP routes it to somebody else.
Bart...
-
Ok, well I'm now confused.
I just noticed that the WAN IP has changed, just slightly, though things were still the same and not fully working, but now my ISP has finally come back to me with my prefix and it doesn't match up with the IP their DHCPv6 is giving my WAN interface.
So knowing what the ISP is saying is my prefix, is it possible for it to not match the DHCPv6 address I get assigned?
-
A bit more information, I tested pinging between the 3 interfaces on the firewall, LAN/GLAN/WAN, and my Windows server, SRV which is on the LAN network, and these were the results:
LAN > WAN - OK
GLAN > WAN - OK
WAN > LAN - FAIL
WAN > GLAN - FAIL
SRV > LAN - OK
SRV > GLAN - OK
SRV > WAN - OK
WAN > SRV - FAIL
LAN > SRV - OK
GLAN > SRV OK
So the problem could lie with the WAN interface not being able to ping the other interfaces, so any idea where I look to fix that?
-
Apart from ICPM, does http work over IPv6?
Bart...
-
I don't think so, I visited www.kame.net and I never get the proper dancing kame :-(
I've seen another thread here where someone else lost IPv6 connectivity when they upgraded to 17.1.3 https://forum.opnsense.org/index.php?topic=4816.msg18821#msg18821 and I get the same if I try to use the Track IPv6 option for the LAN interface, as I suspect if my DHCPv6 address on the WAN is going to change, I'll need it.
Perhaps IPv6 is broken in the later releases?
-
Maybe this is the wrong place to ask this. If you have a WAN address with Public IPv6 address and you want the inside IPv6 LAN address to be fdxx:xxxx:xxxx ( private address ).
Can this be done with opnsense or do all inside LAN IPv6 address haft to be on the public side? If this can be done dose anyone have a simple check list or how to configure IPv6 WAN <-> NAT <-> inside DHCPv6 <-> LAN?
I have IPv6 working fine. I want to be able todo the same as IPv4 WAN <-> NAT <-> inside DHCP <-> LAN but on IPv6 too. If anyone has done this with opnsense I would like to know how you were able to get it working.
I have IPv4 & IPv6 working on 17.1.4
-
Generally IPv6 does away with the reasons for NAT (address space exhaustion, LAN discovery) but there is no reason why you can't do it. However, the fc00::/7 range is reserved for non-routable addresses. Any router (including OPNsense) will refuse to route these. Only addresses in the 2000::/3 range are publicly routed.
You can set up an internal IPv6 /64 subnet and NAT that to another range on OPNsense. The option for this is NPT (Network Prefix Translation) under firewall, NAT. As its name implies, the host portion of the address stays the same and the first 64 bits of the address are NAT-ed.
Bart...
-
Well I would like to have the same setup as IPv4 as IPv6. I looked at that but I could not make it work by just having the public address 2001:xxx:xxx:xxx:xxx and then private address on the LAN side... then have NAT sit between the public 2001: and private fdxx:xxx:xxxx:xxxx:xxxx
NPT how would you config that with lan dhcpv6? Why I was asking if anyone has it working and how they were able to make it work. I can not get anything to work beside the default IPv6 setup.
-
Looks like I'm going to have abandon my attempts to get this working unless someone can help me figure out why OPNsense isn't allowing the traffic through. It's causing slow-downs all over my network with devices trying IPv6 first, failing then eventually falling back to IPv4.
-
Can you see the IPv6 traffic heading out and coming back? Interfaces, Diagnostics, Packet Capture, IPv6 only.
Bart...
-
After restoring the IPv6 settings and rebooting, how awesome is OPNsense 8) I did a capture on the WAN port whilst visiting ipv6-test.com and I'd say no:
11:14:32.064508 IP6 2a02:::::::.62437 > 2001:41d0:8:e8ad::1.80: tcp 0
This just repeats for the entire test, I obfuscated my WAN IP
But if I ping6 ipv6.google.com from the firewall console:
11:23:27.386204 IP6 2a02::::::: > 2a00:1450:4007:814::200e: ICMP6, echo request, seq 0, length 16
11:23:27.423328 IP6 2a00:1450:4007:814::200e > 2a02:::::::: ICMP6, echo reply, seq 0, length 16
Traffic does come back
-
That would indicate that your LAN IP's are not in the delegation and so your ISP is not routing back the packets.
Can you double check that the LAN range is inside? http://www.ipv6calculator.net/
Bart...
-
I'm pretty sure it is because I base the IP of the LAN from the IP gained by the WAN by DHCPv6 from my ISP.
Can I PM you the results of pinging WAN to LAN and then LAN to WAN on the console of the firewall? I don't want to obfuscate them so you can see things exactly as I do nor post them publicly.
-
The LAN IPv6 setting should be set to "Track Interface", this will setup the delegated prefix automatically
-
I did try that, it does nothing, the two internal interfaces simply sit there without ever being assigned an IP, and still no IPv6 traffic flows.
-
are you using the advanced mode for dhcpv6 config on your wan? if so disable it, also, make sure you are not using the same ID on both the internal connections for track interface, and you can take a look at the dhcp log file for hints at why it is not working properly, it could be that you have the wrong prefix size set
-
Nope, using Basic and the IDs are 0 and 1. My ISP has told me that my prefix must be /56.
I could not find a log specific to DHCPv6 and the other DHCP log has nothing of note. After a reboot this is what the system log contains:
Apr 1 05:02:08 configd.py: [23e250ea-4cd5-4b30-8bc2-573d0731c8bc] request mac table
Apr 1 05:00:33 configd.py: [c92d608a-f1df-485f-897c-9fc0138a1d7b] request mac table
Apr 1 05:00:00 configd.py: [382e7999-b920-4ed1-95b3-b17771d597db] refresh url table aliases
Apr 1 04:58:35 opnsense: /diag_logs.php: Successful login for user 'root' from: 192.168.1.12
Apr 1 04:58:33 sshlockout[14408]: sshlockout/webConfigurator v3.0 starting up
Apr 1 04:58:33 flowd_aggregate.py: flowd aggregate died with message Traceback (most recent call last): File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 148, in run aggregate_flowd(do_vacuum) File "/usr/local/opnsense/scripts/netflow/flowd_aggregate.py", line 79, in aggregate_flowd stream_agg_object.add(flow_record_cpy) File "/usr/local/opnsense/scripts/netflow/lib/aggregates/interface.py", line 70, in add super(FlowInterfaceTotals, self).add(flow) File "/usr/local/opnsense/scripts/netflow/lib/aggregate.py", line 258, in add self._update_cur.execute(self._update_stmt, flow) DatabaseError: database disk image is malformed
Apr 1 04:58:32 kernel:
Apr 1 04:58:32 kernel:
Apr 1 04:58:29 lighttpd[46191]: (log.c.217) server started
Apr 1 04:58:26 kernel: done.
Apr 1 04:58:24 root: /etc/rc.d/hostid: WARNING: hostid: unable to figure out a UUID from DMI data, generating a new one
Apr 1 04:58:24 configd.py: generate template container OPNsense/Syslog
Apr 1 04:58:23 kernel: done.
Apr 1 04:58:23 configd.py: [1480ab46-47c1-4ce6-965e-bf934c4a8271] generate template OPNsense/Syslog
Apr 1 04:58:20 kernel: deferred.
Apr 1 04:58:20 opnsense: /diag_logs.php: Web GUI authentication error for 'root' from 192.168.1.12
Apr 1 04:58:20 kernel: done.
Apr 1 04:58:20 opnsense: /usr/local/etc/rc.bootup: miniupnpd: Starting service on interface: opt1, lan
Apr 1 04:58:20 configd.py: generate template container OPNsense/Syslog
Apr 1 04:58:20 configd.py: generate template container OPNsense/Sample/sub2
Apr 1 04:58:19 configd.py: generate template container OPNsense/Sample/sub1
Apr 1 04:58:18 configd.py: generate template container OPNsense/Sample
Apr 1 04:58:16 configd.py: generate template container OPNsense/Proxy
Apr 1 04:58:15 configd.py: generate template container OPNsense/Netflow
Apr 1 04:58:15 configd.py: generate template container OPNsense/Macros
Apr 1 04:58:14 configd.py: generate template container OPNsense/IPFW
Apr 1 04:58:12 configd.py: generate template container OPNsense/IDS
Apr 1 04:58:09 configd.py: generate template container OPNsense/HAProxy
Apr 1 04:58:09 configd.py: generate template container OPNsense/Cron
Apr 1 04:58:08 configd.py: generate template container OPNsense/Captiveportal
Apr 1 04:58:07 configd.py: generate template container OPNsense/Auth
Apr 1 04:58:07 configd.py: generate template container OPNsense/AcmeClient
Apr 1 04:58:05 kernel: .done.
Apr 1 04:58:05 configd.py: [50195eb9-e5e5-46f9-a161-ed11da188d32] generate template *
Apr 1 04:58:04 kernel: ..
Apr 1 04:58:04 kernel: ..
Apr 1 04:58:02 sshd[77658]: Server listening on 0.0.0.0 port 22222.
Apr 1 04:58:02 sshd[77658]: Server listening on :: port 22222.
Apr 1 04:58:02 kernel: done.
Apr 1 04:58:02 kernel: done.
Apr 1 04:58:01 kernel: done.
Apr 1 04:58:01 kernel: done.
Apr 1 04:57:58 configd.py: [31586151-aa58-484d-9a88-60ee6f75a597] rc.newwanip starting pppoe0
Apr 1 04:57:58 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Failed to detect IPv6 for WAN[wan]
Apr 1 04:57:58 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Informational is starting pppoe0.
Apr 1 04:57:57 configd.py: [11b513e9-2a0b-45f2-b38c-0a2d5e60a446] rc.newwanip starting pppoe0
Apr 1 04:57:57 kernel: done.
Apr 1 04:57:57 kernel: done.
Apr 1 04:57:56 lighttpd[14222]: (log.c.217) server started
Apr 1 04:57:56 configd.py: [d2f23de4-01ad-482a-9c04-3792acb7f504] Linkup starting em0
-
You will want to run this command from ssh:
clog -f /var/log/dhcpd.log
and watch it while applying interface settings on WAN; you should see log entries from dhcp6c.
-
Nope, still nothing, just entries from "dhcpd"
-
I'm now on 17.1.5 and I wanted to revisit this issue.
I still get an IPv6 address to my WAN (VLAN PPPoE, request IPv6 via IPv4), but none of my LAN interfaces get an address. I've stuck to keeping it simple on the WAN, and chosen "Track Interface" on each LAN network giving them different Prefix IDs.
Any ideas?
-
Hi,
what is your config on the WAN interface for "DHCPv6 client configuration". Which configuration mode are you using? If it is "Advanced" then please switch to "Basic". I had used "Advanced" for the "debug" switch but it stopped it from working. I switched to "Basic", waited some time and then I had IPv6 running on the LAN interface and the clients behind.
Best regards,
Jochen
-
Already on "Basic"
-
Please enable
- Request only a IPv6 prefix
- Directly send SOLICIT
Do you get a /56 from your provider?
-
Please enable
- Request only a IPv6 prefix
- Directly send SOLICIT
Either option causes the WAN to lose the IPv6 address from my ISP
Do you get a /56 from your provider?
That's what I have been told by my provider, but I don't know how to prove this.
-
I don't have an IP on the WAN either ... that IP moves to the LAN and then the DHCPd is able to send IPs to the systems in your LAN ... but you should be able to connect to IPv6 systems from the Firewall still ...
Correction: I have an IP on the WAN but only in the output of ifconfig ... the GUI only shows the fe80 address.
-
I don't have an IP on the WAN either ... that IP moves to the LAN and then the DHCPd is able to send IPs to the systems in your LAN ... but you should be able to connect to IPv6 systems from the Firewall still ...
Tried it again, left it a while, still no IPv6 addresses get assigned to either of my LANs - nothing shows on the dashboard nor on the interface overview page.
-
Log onto the system via ssh and run as root:
clog -f /var/log/dhcpd.log
And then press the Save button on the WAN interface again and report what lines got added to that file.
-
Log onto the system via ssh and run as root:
clog -f /var/log/dhcpd.log
And then press the Save button on the WAN interface again and report what lines got added to that file.
Apr 27 12:17:38 bart dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr 27 12:17:38 bart dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr 27 12:17:38 bart dhcpd: All rights reserved.
Apr 27 12:17:38 bart dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr 27 12:17:38 bart dhcpd: Config file: /etc/dhcpd.conf
Apr 27 12:17:38 bart dhcpd: Database file: /var/db/dhcpd.leases
Apr 27 12:17:38 bart dhcpd: PID file: /var/run/dhcpd.pid
Apr 27 12:17:38 bart dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr 27 12:17:38 bart dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr 27 12:17:38 bart dhcpd: All rights reserved.
Apr 27 12:17:38 bart dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr 27 12:17:38 bart dhcpd: Wrote 3 leases to leases file.
Apr 27 12:17:38 bart dhcpd: Listening on BPF/em3/00:30:xx:xx:xx:xx/192.168.100.0/24
Apr 27 12:17:38 bart dhcpd: Sending on BPF/em3/00:30:xx:xx:xx:xx/192.168.100.0/24
Apr 27 12:17:38 bart dhcpd: Sending on Socket/fallback/fallback-net
Apr 27 12:17:38 bart dhcpd: Server starting service.
Apr 27 12:17:40 bart dhcp6c[13806]: Sending Solicit
Apr 27 12:17:40 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:17:44 bart dhcp6c[27159]: Sending Solicit
Apr 27 12:17:45 bart dhcp6c[13806]: exiting
Apr 27 12:17:45 bart dhcp6c[34719]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Apr 27 12:17:45 bart dhcp6c[34719]: failed initialize control message authentication
Apr 27 12:17:45 bart dhcp6c[34719]: skip opening control port
Apr 27 12:17:46 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:17:46 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:17:47 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:17:47 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:17:49 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:17:49 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:17:53 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:17:53 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:18:01 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:18:01 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:18:18 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:18:18 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:18:50 bart dhcp6c[35753]: Sending Solicit
Apr 27 12:18:50 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:19:05 bart dhcp6c[35753]: exiting
Apr 27 12:19:06 bart dhcp6c[59937]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Apr 27 12:19:06 bart dhcp6c[59937]: failed initialize control message authentication
Apr 27 12:19:06 bart dhcp6c[59937]: skip opening control port
Apr 27 12:19:07 bart dhcp6c[60279]: Sending Solicit
Apr 27 12:19:07 bart dhcp6c[60279]: transmit failed: Device not configured
Apr 27 12:19:08 bart dhcp6c[60279]: Sending Solicit
Apr 27 12:19:08 bart dhcp6c[60279]: transmit failed: Can't assign requested address
Apr 27 12:19:10 bart dhcp6c[60279]: Sending Solicit
Apr 27 12:19:10 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:19:12 bart dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr 27 12:19:12 bart dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr 27 12:19:12 bart dhcpd: All rights reserved.
Apr 27 12:19:12 bart dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr 27 12:19:12 bart dhcpd: Config file: /etc/dhcpd.conf
Apr 27 12:19:12 bart dhcpd: Database file: /var/db/dhcpd.leases
Apr 27 12:19:12 bart dhcpd: PID file: /var/run/dhcpd.pid
Apr 27 12:19:12 bart dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Apr 27 12:19:12 bart dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Apr 27 12:19:12 bart dhcpd: All rights reserved.
Apr 27 12:19:12 bart dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Apr 27 12:19:12 bart dhcpd: Wrote 3 leases to leases file.
Apr 27 12:19:12 bart dhcpd: Listening on BPF/em3/00:30:xx:xx:xx:xx/192.168.100.0/24
Apr 27 12:19:12 bart dhcpd: Sending on BPF/em3/00:30:xx:xx:xx:xx/192.168.100.0/24
Apr 27 12:19:12 bart dhcpd: Sending on Socket/fallback/fallback-net
Apr 27 12:19:12 bart dhcpd: Server starting service.
Apr 27 12:19:18 bart dhcp6c[60279]: exiting
Apr 27 12:19:18 bart dhcp6c[81249]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Apr 27 12:19:18 bart dhcp6c[81249]: failed initialize control message authentication
Apr 27 12:19:18 bart dhcp6c[81249]: skip opening control port
Apr 27 12:19:19 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:19 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:19:20 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:20 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:19:22 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:22 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:19:26 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:26 bart dhcp6c[27159]: unexpected interface (11)
Apr 27 12:19:34 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:35 bart dhcp6c[27159]: unexpected interface (11)
-
That's eerie, how did I end up in your logs?!? :D
Bart...
-
That's eerie, how did I end up in your logs?!? :D
Bart...
Ah, so that's the problem then? ;-)
-
I am out ... of ideas ... But I am a newbie with OPNsense myself :)
-
I am out ... of ideas ... But I am a newbie with OPNsense myself :)
No problem, but thanks for the help - it always helps to try things out in case I missed something before.
Hopefully someone else can help soon.
-
Hm, what puzzles me:
Apr 27 12:19:19 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:19 bart dhcp6c[27159]: unexpected interface (11)
There are two different PIDs for dhcp6c ... did you try a reboot? Maybe this thread helps ...
https://forum.pfsense.org/index.php?topic=110797.0 (https://forum.pfsense.org/index.php?topic=110797.0)
Hope it's ok to post these links here :)
Best regards,
Jochen
-
Rebooted it after making the changes again, no difference, same messages. Have set it back again and rebooted.
-
Oh, the reboot also broke the Let's Encrypt plug-in, but reverting back so I get an IP on WAN after rebooting, LE is fine again.
-
I just noticed that the DHCPv6 Server service is present but stopped - it won't start. Should it be even present if I'm not using it?
I go into the service settings and it states I can't add a server because no interfaces exist with a static IP
-
Taomyn,
am somewhat confused. Up to your last mail I thought that:
- you are getting connected to your ISP via PPPoE and get from there
+ an Ipv6 address which is then assigned to your WAN interface
+ an IPv6 /56 prefix which is then used by the Opnsense as a base for your SLACC Ipv6 address assignment for your internal network
+ IPv6 DNS servers (RDNSS) which are obtained via DHCP from your ISP also
According to my understanding
+ You have then only an dhcpv6c (Client) running which is used to obtain the information from your ISP (Address, prefix and DNS) on the WAN interface
+ if this information is available, rtsold triggers the start of radvd which serves your internal networks which ipv6 address and RDNS information (including the internal LAN interfaces of the opnsense; note that DNS server distributed via radvd points only to the internal opnsense DNS server (RDNSS model), which then (internally) points to the other configured servers in general setting for next level requests
If my assumption is right, then an dhcpv6 SERVER is NOT running on the opnsense as all required information is distributed via RA and you have dynamic IPv6 addresses on all your interfaces.
I share Space' view that only BASIC settings of IPv6 WAN config is workable. I obtain from some of your earlier logs that you did obviously use extended settings (with key authorization, there was a keyfile not found message in your dhcp.log)
Br br
-
Hi Bringha,
Ok, now I'm confused.
The closest I have gotten to getting IPv6 working on my OPNsense is:
- WAN obtaining an IPv6 address via IPv4 from my ISP - when this happens any IPv6 test on the firewall to the Internet appears to work so I have the external connectivity.
- LAN and GUEST_LAN are given fixed IPv6 /64 IPs using the /56 prefix based off the WAN IP
- With the above internal devices all start getting IPv6 addresses allocated
- IPv6 traffic works within each LAN
- IPv6 will not travel between LAN and WAN properly (I mention this way back in this thread), and hence to the Internet
It was then suggested I really should use "Track interface", which I had originally tried when I first decided to play with IPv6, but that has never worked because nothing except the WAN gets an IPv6 address.
I actually think it's an issue with OPNsense and the use of a VLAN'd PPPoE connection, because Suricata won't work either for me (nothing is checked/alerted) and no-one seems capable of fixing that issue either. I'm not complaining, just stating the situation.
-
It was then suggested I really should use "Track interface", which I had originally tried when I first decided to play with IPv6, but that has never worked because nothing except the WAN gets an IPv6 address.
Were you by any chance using Advanced mode for the DHCPv6 client options? Because advanced mode will not work properly, because it doesn't actually write out the config sections for tracked interfaces, if you stick to basic mode, it should work properly while using track interface.
-
@djGrrr - same opinion ... according to my understanding finding lines like
(...)
Apr 27 12:17:45 bart dhcp6c[34719]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Apr 27 12:17:45 bart dhcp6c[34719]: failed initialize control message authentication
Apr 27 12:17:45 bart dhcp6c[34719]: skip opening control port
(...)
in the log indicate advanced mode - never have had those in basic mode ... Then the WAN configuration fail ...
@Taomyn How do you get step 2 of your bullet list done if not via rtsold/radvd then? Indeed, the address is build from the prefix obtained on WAN and the derived address part which is usually defined related to the Mac address (SLACC). Or do you config that manually/set up radvd.conf manually
Br br
-
Were you by any chance using Advanced mode for the DHCPv6 client options? Because advanced mode will not work properly, because it doesn't actually write out the config sections for tracked interfaces, if you stick to basic mode, it should work properly while using track interface.
No, I don't use Advanced mode for the reasons you give
-
@Taomyn How do you get step 2 of your bullet list done if not via rtsold/radvd then? Indeed, the address is build from the prefix obtained on WAN and the derived address part which is usually defined related to the Mac address (SLACC). Or do you config that manually/set up radvd.conf manually
Br br
I simply entered an IPv6 address - I found no other way to assign the LAN interfaces any kind of address
-
Can you please check whether your rtsold and radvd agents are running?
-
Can you please check whether your rtsold and radvd agents are running?
These I can see in system activity:
/usr/sbin/rtsold -p /var/run/rtsold_pppoe0.pid -O /var/etc/rtsold_pppoe0_script.sh -R /usr/bin/true -d pppoe0
/usr/local/sbin/radvd -p /var/run/radvd.pid -C /var/etc/radvd.conf -m syslog
-
And how do your /var/etc/dhcp6c_wan.conf and your /var/etc/radvd.conf look like?
-
And how do your /var/etc/dhcp6c_wan.conf and your /var/etc/radvd.conf look like?
interface pppoe0 {
send ia-na 0; # request stateful address
send ia-pd 0; # request prefix delegation
request domain-name-servers;
request domain-name;
script "/var/etc/dhcp6c_wan_script.sh"; # we'd like some nameservers please
};
id-assoc na 0 { };
id-assoc pd 0 {
prefix ::/56 infinity;
prefix-interface em3 {
sla-id 1;
sla-len 8;
};
prefix-interface em0 {
sla-id 0;
sla-len 8;
};
};
# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on opt1
interface em3 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL star-one.co.uk { };
};
# Generated config for dhcp6 delegation from wan on lan
interface em0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL star-one.co.uk { };
};
-
Hello,
sorry for the late reply, was off yesterday.
Your radvd.conf file is incomplete. if you use SLACC /what you obviously have configured on your WAN interface, the individual lines in your radvd.conf must contain
interface em0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix 200X:XXXX:XXXX:XXXX::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL star-one.co.uk { };
};
while yours only contain
interface em0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
DNSSL star-one.co.uk { };
};
i.e. your prefix is empty.
Moreover you seem not to have set a domain name in your general config.
So, either the /56 prefix which your ISP sends is not recognized or it even does not send one but only an address.
Br br
-
Moreover you seem not to have set a domain name in your general config.
If you mean under "System: Settings: General", then yes I do have my domain there, otherwise where do you mean?
-
Yes, this is what I meant - however, for what reasons ever, this setting did not find its way into your ipv6 config (radvd.conf).
Can you somehow check whether your ISP is really sending you a prefix or an IPv6 address only?
And still - your configuration contains values which are only accessible when using extended config options.
The line
id-assoc na 0 { };
indicates that you have used extended config options for your WAN interface (having ticked non temporary address assignment). You should consequently use Basic!
Perhaps it is best to start the entire ipv6 config once again from scratch
Br br
-
Yeah I probably used "Advanced" weeks ago, but since then I've never gone back to it having seen all the negative reports about it.
So how do I reset all the IPv6 settings? I did this through the GUI weeks ago when I first tried this out and found that enabling IPv6 with manual IPs for my LANs caused most of my local devices to stop working (because their IPv6 traffic was blocked). So I removed IPv6 from them and also from my WAN. If that's not clearing my settings then I'm not sure how else to do it.
-
I would simply try to copy your radvd.conf and your dhcp6c_wan.conf to a backup and empty the file and then reconfigure WAN interface and LAN interfaces again.
don't forget to save and then confirm the settings (this are 2 steps), WAN first and then the LANs. Check the config files afterwards again.
Then reboot.
If then again you don't have a prefix, then I would assume that your ISP is not sending one (or your modem config prevents ...)
Br br
-
Ok, well that will have to wait until the weekend now, if I have time as I have to work.
I'll see if I can contact my ISP again and hopefully get someone that understands these things.
Oh, and I don't use a modem - VLAN'd PPPoE connection to my fibre box, via an Ethernet cable.
-
Oh ..yesl - the fibre box needs to connect to your ISP provider - its then indeed a (fibre) cable modem ;)
-
I've made some progress having looked at another thread here about IPv6 but I'm still a little stumped.
If I set the WAN to the following as per the other thread:
IPv6 Configuration Type: DHCPv6
Configuration Mode: Basic
Use IPv4 connectivity: yes
Request only a IPv6 prefix: yes
Directly send SOLICIT: yes
DHCPv6 Prefix Delegation size: 56
Send IPv6 prefix hint: yes
With this both my LAN interfaces get an IPv6 address, although I discovered that an ID of "0" does not work even though that's what the help-hint says, so I set them to "1" and "2".
However, the WAN no longer has an IPv6 address. Tweaking the WAN settings in any way I either end up with no IPv6 addresses, or just the WAN gets an IPv6 and neither LAN gets one. Even after waiting several minutes or rebooting the firewall.
I did see this in the system log when the WAN did not get an address:
May 6 14:38:26 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Informational is starting pppoe0.
May 6 14:38:25 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Failed to detect IPv6 for WAN[wan]
May 6 14:38:24 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Informational is starting pppoe0.
May 6 14:38:23 opnsense: /usr/local/etc/rc.newwanipv6: rc.newwanipv6: Failed to detect IPv6 for WAN[wan]
So in the end, I currently have IPv6 addresses or the LAN interfaces but nothing on the WAN interface. Any idea how I can sort that out?
-
Request only a IPv6 prefix: yes
So in the end, I currently have IPv6 addresses or the LAN interfaces but nothing on the WAN interface. Any idea how I can sort that out?
If you want an IPv6 address on the WAN, then you must disable "Request only a IPv6 prefix" as the purpose of this option is to not request an address, only a prefix.
-
If you want an IPv6 address on the WAN, then you must disable "Request only a IPv6 prefix" as the purpose of this option is to not request an address, only a prefix.
This part:
Tweaking the WAN settings in any way I either end up with no IPv6 addresses, or just the WAN gets an IPv6 and neither LAN gets one.
-
Does the WAN even need an address? The delegated prefixes should be routed by your ISP via the link-local address on your WAN. Are you getting an IPv6 default gateway?
BTW, there are at least 16 different combinations of the basic options (assuming you know the correct prefix size from the ISP), are you sure you tried every combination?
-
Does the WAN even need an address? The delegated prefixes should be routed by your ISP via the link-local address on your WAN. Are you getting an IPv6 default gateway?
BTW, there are at least 16 different combinations of the basic options (assuming you know the correct prefix size from the ISP), are you sure you tried every combination?
How would I connect to VPN (or other service running on the firewall) via IPv6 if my WAN does not have an IP?
Yeah, cycled through all the combinations, for a few even tried different prefixes and none gave me an IP on both WAN and LANs
-
Do you remember which combination(s) gave you an address on the WAN but no delegated prefixes? I think that is where you'd need to start to figure out exactly how to get both address and prefix.
Also, who is your ISP?
-
I will also note that in my own testing, with OPNsense as the DHCPv6 server, and another OPNsense being the client, that the client seems to start completely ignoring the server responses after a few reconfigurations of WAN, even with settings that previously worked perfectly fine. So you may need to reboot after every reconfiguration if you truely want to test which configurations work and which don't.
I have been trying to narrow down why this happens but so far have not had any luck.
-
So you may need to reboot after every reconfiguration if you truely want to test which configurations work and which don't.
It sounds funny but I've seen this too. First boot is perfect, afterwards reconfigure takes a up to a minute or it fails. Next reboot is perfect again.
What I've also seen is that although LAN is tracking, reloading LAN doesn't have any effect other than removing the IPv6, so you always want to reload WAN or better yet use the console option 11 to fully cycle the interface configuration.
Cheers,
Franco
-
This
Even after waiting several minutes or rebooting the firewall.
-
Taomyn,
What's in your Services: DHCP: Log file regarding "dhcp6c" (use the filter)?
Cheers,
Franco
-
At the moment it gives me:
May 8 10:51:27 dhcp6c[21133]: Sending Solicit
May 8 10:51:26 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:26 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:26 dhcp6c[21133]: Sending Request
May 8 10:51:25 dhcp6c[21133]: Sending Solicit
May 8 10:51:25 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:25 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:25 dhcp6c[21133]: Sending Request
May 8 10:51:24 dhcp6c[21133]: Sending Solicit
May 8 10:51:23 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:23 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:23 dhcp6c[21133]: Sending Request
May 8 10:51:22 dhcp6c[21133]: Sending Solicit
May 8 10:51:21 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:21 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:21 dhcp6c[21133]: Sending Request
May 8 10:51:20 dhcp6c[21133]: Sending Solicit
May 8 10:51:19 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:19 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:19 dhcp6c[21133]: Sending Request
May 8 10:51:18 dhcp6c[21133]: Sending Solicit
May 8 10:51:18 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:18 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:18 dhcp6c[21133]: Sending Request
May 8 10:51:17 dhcp6c[21133]: Sending Solicit
May 8 10:51:17 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:17 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:16 dhcp6c[21133]: Sending Request
May 8 10:51:15 dhcp6c[21133]: Sending Solicit
May 8 10:51:15 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:15 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:15 dhcp6c[21133]: Sending Request
May 8 10:51:14 dhcp6c[21133]: Sending Solicit
May 8 10:51:14 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:14 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:14 dhcp6c[21133]: Sending Request
May 8 10:51:13 dhcp6c[21133]: Sending Solicit
May 8 10:51:12 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:12 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:12 dhcp6c[21133]: Sending Request
May 8 10:51:11 dhcp6c[21133]: Sending Solicit
May 8 10:51:11 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:11 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:11 dhcp6c[21133]: Sending Request
May 8 10:51:10 dhcp6c[21133]: Sending Solicit
May 8 10:51:09 dhcp6c[21133]: status code for NA-0: no addresses
May 8 10:51:09 dhcp6c[21133]: dhcp6c Received REQUEST
May 8 10:51:09 dhcp6c[21133]: Sending Request
May 8 10:51:08 dhcp6c[21133]: Sending Solicit
May 8 10:51:08 dhcp6c[21133]: status code for NA-0: no addresses
-
Courtesy of https://redmine.pfsense.org/issues/3097 your ISP seems to refuse giving you a WAN IPv6 so you need to request a prefix only.
For all intents and purposes your LAN IPv6 should be able to act as a "WAN" IPv6 in case you need dynamic DNS services or something else reachable from the outside. Make sure to change your firewall rules accordingly to be able to connect to LAN from the outside on IPv6.
Cheers,
Franco
-
Courtesy of https://redmine.pfsense.org/issues/3097 your ISP seems to refuse giving you a WAN IPv6 so you need to request a prefix only.
But I can get a WAN IP, I have proven this, but when I do, neither LANs get an IP
-
Whether or not the addresses are provided are at the mercy of the server's configuration. Maybe it's either prefix or address? :)
If prefix + LAN works that should give you the connectivityy you need, unless I'm missing something.
Cheers,
Franco
-
Nope, at moment I have:
IPv6 Configuration Type: DHCPv6
Configuration Mode: Basic
Use IPv4 connectivity: yes
Request only a IPv6 prefix: no
Directly send SOLICIT: yes
DHCPv6 Prefix Delegation size: 56
Send IPv6 prefix hint: yes
And I only get LAN IPs, the WAN does not have one.
-
Can you refine your log query? "dhcp6c address"
-
I did a reboot the checked the logs (I'm doing this remotely btw):
May 8 11:37:07 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:37:06 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:37:04 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:37:03 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:37:01 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:59 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:57 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:55 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:54 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:52 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:50 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:49 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:47 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:45 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:44 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:42 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:40 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:39 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:37 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:36 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:34 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:32 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:31 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:29 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:27 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:25 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:23 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:22 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:20 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:18 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:17 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:16 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:14 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:12 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:10 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:08 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:06 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:04 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:03 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:01 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:00 dhcp6c[28012]: status code for NA-0: no addresses
May 8 11:36:00 dhcp6c[28012]: add an address 2a02:678:10:b01:XXX:XXXX:XXXX:XXXX/64 on em0
May 8 11:36:00 dhcp6c[28012]: add an address 2a02:678:10:b02:XXX:XXXX:XXXX:XXXX/64 on em3
May 8 11:35:52 dhcp6c[28012]: transmit failed: Can't assign requested address
May 8 11:34:55 dhcp6c[25303]: status code for NA-0: no addresses
May 8 11:34:54 dhcp6c[25303]: status code for NA-0: no addresses
May 8 11:34:52 dhcp6c[25303]: status code for NA-0: no addresses
May 8 11:34:51 dhcp6c[25303]: status code for NA-0: no addresses
May 8 11:34:49 dhcp6c[25303]: status code for NA-0: no addresses
May 8 11:34:47 dhcp6c[25303]: status code for NA-0: no addresses
-
You get two prefixes and no address. Do you have two interfaces in track mode?
-
Sorry, yes one is my main LAN, and the other a GUEST_LAN - they have IDs of 1 and 2.
-
You could probably get a prefix for WAN with some trickery so it gets an IPv6 address as well, but it's not useful. ;)
You should talk to the ISP why they don't assign an IPv6 address to your WAN in this case. They would be the best bet to getting to the bottom of it at this point.
-
Well I changed the WAN connection and disabled "Directly send SOLICIT", and my WAN has an IP from the ISP, but the LANs do not. Looking at the log for "dhcp6c" I see nothing logged since the reboot, just the exit of the shutdown.
-
rtsold waits for solicitation in this case, and runs dhcp6c when it gets one. but where does the WAN IPv6 come from if not from dhcp6c? :)
-
rtsold waits for solicitation in this case, and runs dhcp6c when it gets one. but where does the WAN IPv6 come from if not from dhcp6c? :)
No idea, but it gets it one assigned as I don't set one - where else can I check to find that out?
-
fe80:... or a real one?
-
A real one
-
This is confusing. I need a break. :/
-
Welcome to my world :-)
-
Taomyn, can you try setting it to request ipv6 prefix only, and disable directly send solicit?
This should allow Router Advertisements to give you the IP, while letting dhcp6c to request the prefixes.
Make sure to reboot after making these changes to verify if they work.
-
WAN ended up with just an FE80, the LANs with no IPv6. I rebooted the firewall as well. The log shows:
May 8 15:41:46 dhcp6c[53628]: exiting
May 8 15:41:45 dhcp6c[53628]: no responses were received
May 8 15:41:27 dhcp6c[53628]: transmit failed: Device not configured
May 8 15:41:27 dhcp6c[53628]: Sending Release
May 8 15:41:18 dhcp6c[53628]: transmit failed: Device not configured
May 8 15:41:18 dhcp6c[53628]: Sending Release
May 8 15:41:14 dhcp6c[53628]: transmit failed: Device not configured
May 8 15:41:14 dhcp6c[53628]: Sending Release
May 8 15:41:12 dhcp6c[53628]: transmit failed: Device not configured
May 8 15:41:12 dhcp6c[53628]: Sending Release
May 8 15:41:10 dhcp6c[53628]: remove an address 2a02:678:10:b01:XXX:XXXX:XXXX:XXXX/64 on em0
May 8 15:41:10 dhcp6c[53628]: remove an address 2a02:678:10:b02:XXX:XXXX:fXXXX:XXXX/64 on em3
May 8 15:41:10 dhcp6c[53628]: transmit failed: Can't assign requested address
May 8 15:41:10 dhcp6c[53628]: Sending Release
May 8 15:41:10 dhcp6c[53628]: Start address release
May 8 15:41:04 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:41:04 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:41:04 dhcp6c[53628]: Sending Request
May 8 15:41:03 dhcp6c[53628]: Sending Solicit
May 8 15:41:03 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:41:03 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:41:03 dhcp6c[53628]: Sending Request
May 8 15:41:02 dhcp6c[53628]: Sending Solicit
May 8 15:41:01 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:41:01 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:41:01 dhcp6c[53628]: Sending Request
May 8 15:41:00 dhcp6c[53628]: Sending Solicit
May 8 15:41:00 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:41:00 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:41:00 dhcp6c[53628]: Sending Request
May 8 15:40:59 dhcp6c[53628]: Sending Solicit
May 8 15:40:58 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:40:58 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:40:58 dhcp6c[53628]: Sending Request
May 8 15:40:57 dhcp6c[53628]: Sending Solicit
May 8 15:40:57 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:40:57 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:40:57 dhcp6c[53628]: Sending Request
May 8 15:40:56 dhcp6c[53628]: Sending Solicit
May 8 15:40:55 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:40:55 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:40:55 dhcp6c[53628]: Sending Request
May 8 15:40:54 dhcp6c[53628]: Sending Solicit
May 8 15:40:54 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:40:54 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:40:54 dhcp6c[53628]: Sending Request
May 8 15:40:53 dhcp6c[53628]: Sending Solicit
May 8 15:40:53 dhcp6c[53628]: status code for NA-0: no addresses
May 8 15:40:53 dhcp6c[53628]: dhcp6c Received REQUEST
May 8 15:40:53 dhcp6c[53628]: Sending Request
-
The log says that it seems to be still asking for an address, did you enable the request prefix only option? Perhaps the logs are from before?
-
It sounds funny but I've seen this too. First boot is perfect, afterwards reconfigure takes a up to a minute or it fails. Next reboot is perfect again.
Taking up to a minute is likely due to having to wait for the next Router Advertisement when "Directly Send Solicit" is disabled. But when it completely fails, even with config that previously worked perfectly, it is some kind of bug.
What I've also seen is that although LAN is tracking, reloading LAN doesn't have any effect other than removing the IPv6, so you always want to reload WAN or better yet use the console option 11 to fully cycle the interface configuration.
All that is required to fix that is to send the HUP signal to the dhcp6c process of the "Parent Interface" when reconfiguring a Track Interface interface. This will cause it to reconfigure.
-
The log says that it seems to be still asking for an address, did you enable the request prefix only option? Perhaps the logs are from before?
-
What happens if you set the WAN IPv6 config to SLAAC? do you get an ip address then?
-
Nope, I even rebooted and waited 10 minutes - no IPv6 addresses anywhere
-
Then honestly, the only thing i can suggest is that your ISP has a misconfiguration somewhere, there is no reason why you shouldn't be able to request both a an address and a prefix at the same time.
Does routing work when you only have a prefix delegation?
-
Yes, routing is working as far as I can tell - I have performed some IPv6 testing internally and it appears to work.
I'll try to contact my ISP again, but they've been next to useless so far. They told me to connect my old FritzBox router and that that would work - which is all they officially support. Just getting them to enable IPv6 took me two months, and then they never told me until after I found out for myself.
-
It sounds funny but I've seen this too. First boot is perfect, afterwards reconfigure takes a up to a minute or it fails. Next reboot is perfect again.
Taking up to a minute is likely due to having to wait for the next Router Advertisement when "Directly Send Solicit" is disabled. But when it completely fails, even with config that previously worked perfectly, it is some kind of bug.
What I've also seen is that although LAN is tracking, reloading LAN doesn't have any effect other than removing the IPv6, so you always want to reload WAN or better yet use the console option 11 to fully cycle the interface configuration.
All that is required to fix that is to send the HUP signal to the dhcp6c process of the "Parent Interface" when reconfiguring a Track Interface interface. This will cause it to reconfigure.
master should be a lot better now. Reloading works reliably although the delay is there sometimes. Releasing WAN lease removes LAN track IPv6. Renewing WAN lease brings back LAN tracking. Reloading LAN brings back tracked IPv6.
I also think I found that HUP bug:
https://github.com/opnsense/core/commit/d0a94a5b
To be honest, there was not a lot of work done on this code area in a few years. ;)
Cheers,
Franco