OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: Space on April 26, 2017, 04:16:51 pm

Title: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 26, 2017, 04:16:51 pm
Hello,

with 17.1.4 and 17.1.5 (at least) I do not have IPv6 working on the LAN interface. IPv6 is set to DHCPv6 on WAN and it gets an IP from my Fritzbox:

Code: [Select]
        inet6 fe80::1111:2222:3333:4444%em1 prefixlen 64 scopeid 0x2
        inet6 2002:aaaa:bbbb:0:1111:2222:3333:4444 prefixlen 64 autoconf

The "Interface List" in the dashboard only shows the fe80-address but not the one assigned by DHCPv6. The LAN interface is set to "Track Interface" but ifconfig still shows

Code: [Select]
        inet6 fe80::1:1%em0 prefixlen 64 scopeid 0x1

and the clients on LAN are not able to access external IPv6 systems because they are not assigned any IPv6 ip.

Is this a known issue? Should I open an issue on github?

Thanks a lot and best regards,

    jochen
Title: Re: [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 26, 2017, 04:37:33 pm
And this is from the logfile after changing the "IPv6 Prefix ID"

Code: [Select]
Apr 26 16:35:27 OPNvirt radvd[12988]: attempting to reread config file
Apr 26 16:35:27 OPNvirt radvd[12988]: no auto-selected prefix on interface em0, disabling advertisements
Apr 26 16:35:27 OPNvirt radvd[12988]: can't join ipv6-allrouters on em0
Apr 26 16:35:27 OPNvirt radvd[12988]: sendmsg: Can't assign requested address
Apr 26 16:35:27 OPNvirt radvd[12988]: resuming normal operation
Apr 26 16:35:30 OPNvirt radvd[12988]: attempting to reread config file
Apr 26 16:35:30 OPNvirt radvd[12988]: no auto-selected prefix on interface em0, disabling advertisements
Apr 26 16:35:30 OPNvirt radvd[12988]: can't join ipv6-allrouters on em0
Apr 26 16:35:30 OPNvirt radvd[12988]: resuming normal operation
Apr 26 16:36:42 OPNvirt radvd[12988]: attempting to reread config file
Apr 26 16:36:42 OPNvirt radvd[12988]: no auto-selected prefix on interface em0, disabling advertisements
Apr 26 16:36:42 OPNvirt radvd[12988]: can't join ipv6-allrouters on em0
Apr 26 16:36:42 OPNvirt radvd[12988]: sendmsg: Can't assign requested address
Apr 26 16:36:42 OPNvirt radvd[12988]: resuming normal operation

Best regards,

    Jochen
Title: Re: [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 26, 2017, 04:52:36 pm
Hi,

I have attached the output of the dhcpd.log (IDs are obfuscated). Do I need to change some settings on the FritzBox maybe?

Code: [Select]
Apr 26 16:36:42 OPNvirt dhcp6c[79517]: get DHCP option opt_86, len 16
Apr 26 16:36:42 OPNvirt dhcp6c[79517]: unknown or unexpected DHCP6 option opt_86, len 16

Thanks for any help and best regards,

   Jochen
Title: Re: [17.1.5] Still no working IPv6 on LAN
Post by: franco on April 26, 2017, 06:40:54 pm
Hi Jochen,

I've been over the code a few times for radvd and nothing changed there that would time with this problem, we also never updated to the bad radvd, luckily caught in time for the initial 17.1 release.

So the real question is some other interface-related code ought to have changed, which would mean we need to look at the OPNsense system log?


Cheers,
Franco
Title: Re: [17.1.5] Still no working IPv6 on LAN
Post by: bringha on April 26, 2017, 07:02:18 pm
Hi Jochen

Please double check your FritzBox and WAN config. I don't see in your logs any entry wrt to prefixes accordingly

When I understand you correctly, you want to assign ipv6 addresses derived from the prefix which your fritzbox is getting from your ISP.

Your fritzbox should then be set in your home net menu->network config->ipv6 addresses to 'Assign DNS Server and ipv6 prefix'.

Then, on the opnsense, WAN interface, click

use ipv4 connection
request only ipv6 prefix
DHCP6 prefix delegation size 60
send prefix hint

on LAN: read from interface WAN
Assign network ID 0; other interfaces get subsequent id 1,2 etc.

Then it should work

Br br
Title: Re: [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 26, 2017, 08:20:13 pm
Hi br,

I have the following settings active in the FritzBox:

Code: [Select]
- Unique Local Addresses (ULA) zuweisen, solange keine IPv6-Internetverbindung besteht (empfohlen)
- Diese FRITZ!Box stellt den Standard-Internetzugang zur Verfügung
- DNSv6-Server auch über Router Advertisement bekanntgeben (RFC 5006)
- DNS-Server und IPv6-Präfix (IA_PD)zuweisen
- FRITZ!Box als DNS-Server via DHCPv6 bekannt geben. Teile des vom Internetanbieter zugewiesenen IPv6-Netzes an nachgelagerte Router weitergeben.

In OPNsense I have the settings you mentioned + debug but it still does not work.

Thanks for your suggestions and support!
Title: Re: [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 26, 2017, 08:26:16 pm
Quote:
So the real question is some other interface-related code ought to have changed, which would mean we need to look at the OPNsense system log?

Hi Franco,

what infos do you need? Can I send you the logfile somehow?

Thanks and best regards,

    Jochen
Title: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 26, 2017, 09:08:29 pm
Now ... I ... am ... puzzled ...

I have an IPv6 on LAN and on my servers ... I am not sure (tried many things). E.g.:

- on Fritzbox I have disabled option "DNSv6-Server auch über Router Advertisement bekanntgeben (RFC 5006)" -- could this have caused the "unknown or unexpected DHCP6 option opt_86"?
- on OPNsense I have enabled shared forwarding:

Code: [Select]
sysctl net.pf.share_forward=1

The only other changes I found were that I disabled "Advanced Mode" and switched the prefix ID back and forth and changed the dhcp6-ia-pd-len.

Could any of these options be related?

Nevertheless: thanks a lot for your support! I really like OPNsense!

Thanks and best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: djGrrr on April 27, 2017, 05:57:15 am
IMO, advanced mode for the DHCPv6 client configuration is completely broken, it prevents the prefix config for tracked interfaces from being written at all, making the entire config quite pointless. Stick to Basic and it should work fine.
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on April 27, 2017, 07:40:38 am
Funny ... I had enabled it because it did not work (for whatever reason) at some point in time and I wanted to enable the debug switch :)

Thanks and best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: gothbert on May 05, 2017, 06:02:49 pm
Jochen, this gives me hope that I can solve the issue as well.

I have a seemingly identical setup with respect to OPNSense which fails to hand out IPv6 addresses to LAN. Would you mind posting the relevant parts of your configuration?

sysctl net.pf.share_forward=1 did not help so far.

Kind regards,
Boris
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on May 05, 2017, 06:49:59 pm
Boris was kind enough to give a peek into his setup. It looks like track behaviour changed and can't pick up the IPv6 anymore, but at this point it's not clear why. WAN IPv6 (prefix) works fine so no problems with ISP, rtsold and dhcp6 configuration.

More on this next week. :)


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 06, 2017, 12:11:27 am
Sure:

WAN-interface:

Code: [Select]
IPv6 Configuration Type: DHCPv6
Configuration Mode: Basic
Use IPv4 connectivity: yes
Request only a IPv6 prefix: yes
Directly send SOLICIT: yes
DHCPv6 Prefix Delegation size: 60
Send IPv6 prefix hint: yes

LAN-Interface:

Code: [Select]
IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN
IPv6 Prefix ID: 1 or 2

Hope this helps ... But it takes some time to pick up the IPv6 IP when I press save on the LAN interface.

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on May 06, 2017, 09:39:35 am
Hi Jochen,

Quote:
Hope this helps ... But it takes some time to pick up the IPv6 IP when I press save on the LAN interface.

That's what I saw yesterday during testing also. This can take a minute for the IPv6 addresses to show up, though it seems this is forced by the server not answering the client request / solicit right away so the client ends up sending multiple solicit messages before that works.

@Boris, I could see in Services: DHCP: Log file for dhcp6c that when the server on the other side doesn't propagate a prefix tracking doesn't work... There must be something like this in the log:

May 6 09:35:58   dhcp6c[26048]: T1(2250) and/or T2(3600) is locally determined
May 6 09:35:58   dhcp6c[26048]: add an address 2001:470:25:233::ffd1/128 on em1
May 6 09:35:58   dhcp6c[26048]: T1(2250) and/or T2(3600) is locally determined
May 6 09:35:58   dhcp6c[26048]: add an address 2001:470:29:0:a00:27ff:febd:79ad/64 on em0
May 6 09:35:58   dhcp6c[26048]: dhcp6c Received REQUEST
May 6 09:35:58   dhcp6c[26048]: Sending Request
May 6 09:35:57   dhcp6c[26048]: Sending Solicit
May 6 09:35:49   dhcp6c[26048]: Sending Solicit
May 6 09:35:45   dhcp6c[26048]: Sending Solicit
May 6 09:35:43   dhcp6c[26048]: Sending Solicit
May 6 09:35:42   dhcp6c[26048]: Sending Solicit


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: gothbert on May 07, 2017, 10:37:11 am
Thanks, Jochen, for citing your configuration. I had no luck with it either.

Franco, I read your note on the prefix and browsed the web for such issues with my ISP and cable modem brand. I start to believe that the root of the problem is the modem and/or ISP. In particular, if I reconfigure the cable modem's DHCPv6 server from Stateless to Stateful, I do not even get an IPv6 address on the WAN interface. In none of the configurations I tried I ever get anything else than "Sending solicit".

I will ask my ISP.

Best regards,
Boris

Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 20, 2017, 09:55:10 am
Hi,

I still had some trouble with IPv6 after updating to 17.1.7 ... OPNsense was sending solicits but did not get an address. So I changed the options that only the following is set:

Code: [Select]
Request only a IPv6 prefix

Then I noticed the following line in the logfile:

Code: [Select]
May 20 09:44:14 OPNvirt dhcp6c[44695]: invalid prefix length 62 + 4 + 64

and remembered the following document:

https://avm.de/service/fritzbox/fritzbox-3270/wissensdatenbank/publication/show/1239_IPv6-Subnetz-im-FRITZ-Box-Heimnetz-einrichten/

So I set my prefix length to 62. Then I let the FritzBox reconnect (so it gets a new IP) and voila, IPv6 is running again.

I will monitor this if it really solves the issue for me again. Could it be that the FritzBox sometimes was not able to provide a /60 delegation?

Best regards,

    Jochen
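
Added example (not part of the original thread): the arithmetic behind the `invalid prefix length 62 + 4 + 64` log line, showing why a /62 delegation fails with a configured size of 60 and which prefix IDs work once the size matches. It assumes OPNsense derives sla-len as 64 minus the configured delegation size and that the client rejects any combination above 128 bits; the function names and the 2001:db8 prefix are constructed for illustration.

```python
import ipaddress

IFID_LEN = 64  # interface-identifier bits on an ordinary /64 LAN


def sla_len_for(delegation_size):
    """sla-len implied by the configured delegation size (assumption: 64 - size)."""
    if not 0 < delegation_size <= 64:
        raise ValueError("delegation size must be between /1 and /64")
    return 64 - delegation_size


def tracked_lan_prefix(delegated, sla_len, prefix_id, ifid_len=IFID_LEN):
    """Return the prefix a tracking interface gets for one prefix ID.

    Raises ValueError carrying the same three numbers as the dhcp6c log line
    when delegated length + sla-len + interface-id length exceed 128 bits.
    """
    pd = ipaddress.IPv6Network(delegated)
    if pd.prefixlen + sla_len + ifid_len > 128:
        raise ValueError("invalid prefix length %d + %d + %d"
                         % (pd.prefixlen, sla_len, ifid_len))
    if not 0 <= prefix_id < (1 << sla_len):
        raise ValueError("prefix ID %d does not fit in %d sla bits"
                         % (prefix_id, sla_len))
    lan_len = pd.prefixlen + sla_len
    base = int(pd.network_address)
    # The prefix ID occupies the sla bits directly below the delegated prefix.
    return ipaddress.IPv6Network((base | (prefix_id << (128 - lan_len)), lan_len))


def check_config(delegated, configured_size, prefix_ids):
    """Map each prefix ID to its LAN prefix, or to the reason it cannot work."""
    sla_len = sla_len_for(configured_size)
    result = {}
    for pid in prefix_ids:
        try:
            result[pid] = str(tracked_lan_prefix(delegated, sla_len, pid))
        except ValueError as exc:
            result[pid] = "ERROR: %s" % exc
    return result


if __name__ == "__main__":
    # Constructed sample: the upstream router only hands out a /62.
    pd = "2001:db8:0:10::/62"
    print(check_config(pd, 60, [0, 1]))        # size 60 configured, /62 delivered
    print(check_config(pd, 62, [0, 1, 3, 4]))  # size 62: IDs 0-3 fit, 4 does not
```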
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: bringha on May 20, 2017, 10:40:27 am
Well,

there is another ipv6 configuration option on the fritzbox under

Internet->Zugangsdaten->ipv6

There you can configure which prefix length the fritzbox shall request

Default is /62

In my case I changed that to /60 and .... voila

br br
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 20, 2017, 11:22:08 am
Hi,

not sure if we are talking about the same ... my FritzBox does get a /56 delegation. But it seems the FritzBox itself only delegates a /62 by default.

But thanks for the hint ... I had not seen that tab in Fritzbox configuration and so far I was using IPv6 tunnel and not Dual stack ... I have changed that and it looks better now. Ping times for IPv6 addresses have improved significantly :)

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 20, 2017, 11:46:01 am
With the dual stack setting in FritzBox I am now able to request a /60 prefix ... I will monitor for some time and hope that I now have a stable configuration.

Thanks for all the support and this wonderful solution.

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on May 22, 2017, 07:57:05 am
I have a new connection based on Vodafone Cable and it brought up similar issues with FritzBox IPv6 refusing to delegate a prefix for downstream routers no matter which of the settings was used.

I'll try changing the prefix size and report back. :)


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 22, 2017, 08:40:34 am
Hi Franco,

I am not sure if it's the FritzBox not sending the REPLY. Since I had strange issues (some IPv6 sites work, like test-ipv6, others did not, like heise.de) I did further tests and at some point OPNsense did not set up the IPv6 anymore. I then did a trace and while the dhcp.log showed

Code: [Select]
Sending Solicit

The trace itself did not include the solicit messages from OPNsense but only the responses from the FritzBox which includes the prefix delegation:

Code: [Select]
    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        Value: 000000000000070800000b40001a001900000e1000001c20...
        IAID: 00000000
        T1: 1800
        T2: 2880
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Value: 00000e1000001c203c2a03f230c1825ab000000000000000...
            Preferred lifetime: 3600
            Valid lifetime: 7200
            Prefix length: 60
            Prefix address: 2a03:f230:c182:5ab0::

But this did not trigger any address configuration on OPNsense. Right now I am at work and can not check the logs.

Currently I have it running with Native IPv6 enabled on FritzBox and PD works fine. Even when the FritzBox renewed its connection this morning the IPv6 was set up again correctly.

The connection issue towards https://www.heise.de remains though ... http connection is possible (I see the redirect to https), https connection is not possible ... the last thing I see in a trace is the "CLIENT HELLO" of ssl. If I test via curl https from OPNsense it works, from LAN only http works.

Best regards,

    Jochen
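
Added example (not part of the original thread): a bounds-checked decoder for the IA_PD option (25) and its IA Prefix sub-option (26) as dissected in the trace above, useful for checking a captured Advertise or Reply without a GUI dissector. The sample bytes are rebuilt from the decoded field values in the post; the function names are hypothetical.

```python
import ipaddress
import struct

OPT_IA_PD = 25      # Identity Association for Prefix Delegation
OPT_IAPREFIX = 26   # IA Prefix, carried inside IA_PD


def iter_options(buf):
    """Yield (code, value) for each DHCPv6 option, rejecting truncated data."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise ValueError("option %d claims %d bytes, only %d left"
                             % (code, length, len(buf) - off))
        yield code, buf[off:off + length]
        off += length


def parse_ia_pd(value):
    """Decode one IA_PD option value into IAID, timers and delegated prefixes."""
    if len(value) < 12:
        raise ValueError("IA_PD shorter than IAID/T1/T2")
    iaid, t1, t2 = struct.unpack_from("!III", value, 0)
    problems = []
    if t1 and t2 and t1 > t2:
        problems.append("T1 > T2")
    prefixes = []
    for code, sub in iter_options(value[12:]):
        if code != OPT_IAPREFIX:
            continue  # other sub-options (for example a status code) are skipped
        if len(sub) < 25:
            raise ValueError("IA Prefix shorter than 25 bytes")
        preferred, valid, plen = struct.unpack_from("!IIB", sub, 0)
        if plen > 128:
            raise ValueError("prefix length %d out of range" % plen)
        if preferred > valid:
            problems.append("preferred lifetime > valid lifetime")
        addr = ipaddress.IPv6Address(bytes(sub[9:25]))
        net = ipaddress.IPv6Network((addr, plen), strict=False)
        prefixes.append({"prefix": net, "preferred": preferred, "valid": valid})
    return {"iaid": iaid, "t1": t1, "t2": t2,
            "prefixes": prefixes, "problems": problems}


def delegated(options_buf):
    """Return every IA_PD found in a DHCPv6 options buffer."""
    return [parse_ia_pd(v) for c, v in iter_options(options_buf) if c == OPT_IA_PD]


def build_sample():
    """Rebuild the option from the field values shown in the trace (constructed)."""
    prefix = ipaddress.IPv6Address("2a03:f230:c182:5ab0::").packed
    ia_prefix = struct.pack("!HHIIB", OPT_IAPREFIX, 25, 3600, 7200, 60) + prefix
    header = struct.pack("!HHIII", OPT_IA_PD, 12 + len(ia_prefix), 0, 1800, 2880)
    return header + ia_prefix


if __name__ == "__main__":
    for ia in delegated(build_sample()):
        for p in ia["prefixes"]:
            print("T1=%d T2=%d %s preferred=%d valid=%d"
                  % (ia["t1"], ia["t2"], p["prefix"], p["preferred"], p["valid"]))
```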
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on May 22, 2017, 08:57:50 am
Hi Jochen,

There is a patch here that improved the situation as you described:

https://github.com/opnsense/core/commit/b0e3ec0

Installs via:

# opnsense-patch b0e3ec0

Although it may take up to a minute for OPNsense to latch on to the reply for whatever reason, this made it reliable in testing.

This is already queued up for 17.1.8, but any feedback on how this changes the picture is highly appreciated.


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 22, 2017, 06:39:46 pm
Hi,

I have not done any tracing ... but I wanted to test and did click save on the WAN interface before applying the patch ... took about a minute and it got a new IPv6 IP ...

Then I applied the patch, did click on save again on the WAN interface .... and it runs for several minutes already without getting an IPv6 IP address ...

I will reboot now and see if it is better after reboot.

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 22, 2017, 07:52:15 pm
Reboot did not help but renewal on FritzBox did work.

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on May 23, 2017, 09:22:03 am
It's still a bit shaky, but getting better. What I could see is that on reconfigure it may end up with more dhcp6c processes, which is less than ideal because of "XID mismatch" in the log.

I couldn't get off the /62 prefix for the Fritzbox (the setting just isn't there), but this is what works on the Vodafone Cable for me:

Check: Auch IPv6-Präfixe zulassen, die andere IPv6-Router im Heimnetzwerk bekanntgeben
Check: DNS-Server und IPv6-Präfix (IA_PD) zuweisen

And on the OPNsense:

Check: Nur einen IPv6-Präfix anfordern   
Check: Sende SOLICIT direkt   
Set: DHCPv6 Prefix Delegation Größe   63 
Check: Sende einen IPv6-Präfixhinweis

It tiptoes around /63 and /64 and I can't make no sense of it yet, but the following gives 10/10 score:

http://test-ipv6.com/

So it's a good baseline for further work. :)


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 23, 2017, 05:21:40 pm
Hi Franco,

I get a 10/10 at that site as well but strangely enough heise is not working over https and some other sites as well. But so far I have not found out which FW blocks the traffic. Because ping and access over http work towards that site.

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 23, 2017, 08:30:04 pm
I noted the following today:

Code: [Select]
May 23 05:28:19 OPNvirt dhcp6c[27959]: Sending Renew
May 23 05:28:19 OPNvirt dhcp6c[27959]: dhcp6c Received INFO
May 23 05:28:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 05:46:19 OPNvirt dhcp6c[27959]: Sending Rebind
May 23 05:46:19 OPNvirt dhcp6c[27959]: dhcp6c Received REBIND
May 23 05:46:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 06:58:19 OPNvirt dhcp6c[27959]: remove an address 2a03:f580:c882:9bfe:21f:29ff:fe59:d8b5/64 on em0
May 23 06:58:20 OPNvirt dhcp6c[27959]: Sending Solicit
May 23 06:58:20 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: Sending Request
May 23 06:58:21 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: dhcp6c Received REQUEST
May 23 06:58:21 OPNvirt dhcp6c[27959]: add an address 2a03:f580:c882:abfe:21f:29ff:fe59:d8b5/64 on em0

It seems that OPNsense does not request a new address if the rebind fails (because the FritzBox got a new IP) ... it took  >1h this morning until the new prefix got requested ...

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 24, 2017, 01:47:56 pm
Hi,

sorry for bothering again ... today I wanted to rule out that IPS has something to do with my issue (no connection to https://heise.de via IPv6) and disabled IPS ... when I changed that setting the IPv6 IPs were lost and since that time (>1h) it did not accept a new PD ...

I did a trace on the WAN interface (and sent sighup to dhcp6c) and I can see both the solicit and advertise in the trace on WAN ... but somehow dhcp6c does not pick these up ...

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on May 24, 2017, 02:05:39 pm
Should I open an issue for this on github?

Thanks and best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on May 31, 2017, 12:04:39 pm
Hi Jochen,

Yes, please open an issue. I saw this too, Suricata drops UDP6 packets because of a bad checksum, even though checksum offloading is off.


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 01, 2017, 10:41:46 am
Hi Franco,

in which logfile can I check this? Because I also have this weird issue that e.g. heise.de does not work via https if I try the connection from LAN ... wondering if the SERVER_HELLO gets dropped by Suricata ...

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on June 01, 2017, 12:01:42 pm
Services: Intrusion Detection: Alerts tab I think.
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 01, 2017, 12:45:38 pm
Hi Franco,

hm, I asked because I did not see any related entries there ... but I am not sure if everything that is dropped is logged there ...

But even when I had disabled IPS it took a long time to renew the IPv6 address.

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on June 01, 2017, 08:28:16 pm
Hi Jochen,

Strange, I can see these block messages for checksums, which is funny, because checksumming in hardware is off. May be a loophole in the network stack where checksumming is still done in hardware in some cases...

Regarding DHCP6 not working after I've seen this too but I think there are multiple issues that span to the fritzbox as well. I can't get a prefix anymore because it says they are depleted, which is not very surprising if there is only a /62 and it does not have a lot of /64 prefixes and refuses to reassign them afterwards.

The command sequence is always the same in the dhcp6c client, so maybe we are seeing half-implemented issues in the server because normally nobody plays with their setup all the time (if it works it works).

So at least we have to assume if it works one time it should work all the time with the same sequence, no?


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 02, 2017, 10:39:58 am
Hi,

maybe it has something to do with the lease time? Or with network packages being discarded before they reach the dhcp6c ... Trying to do some tests now ... Have noticed that the dhcp6c recovered after some time and got an address.

So I tried to reproduce the issue and clicked SAVE on WAN interface ... after about 1m it got its new address (Network trace is available):

Code: [Select]
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: Start address release
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: Sending Release
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: remove an address 2a03:f580:c883:bcfc:21f:29ff:fe59:d8b5/64 on em0
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: dhcp6c Received RELEASE
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: status code: success
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: exiting
Jun  2 10:12:27 OPNvirt dhcp6c[31202]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jun  2 10:12:27 OPNvirt dhcp6c[31202]: failed initialize control message authentication
Jun  2 10:12:27 OPNvirt dhcp6c[31202]: skip opening control port
Jun  2 10:12:28 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:29 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:30 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:12:30 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:12:30 OPNvirt dhcpd: All rights reserved.
Jun  2 10:12:30 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:12:30 OPNvirt dhcpd: Config file: /etc/dhcpd.conf
Jun  2 10:12:30 OPNvirt dhcpd: Database file: /var/db/dhcpd.leases
Jun  2 10:12:30 OPNvirt dhcpd: PID file: /var/run/dhcpd.pid
Jun  2 10:12:30 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:12:30 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:12:30 OPNvirt dhcpd: All rights reserved.
Jun  2 10:12:30 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:12:30 OPNvirt dhcpd: Wrote 0 deleted host decls to leases file.
Jun  2 10:12:30 OPNvirt dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun  2 10:12:30 OPNvirt dhcpd: Wrote 4 leases to leases file.
Jun  2 10:12:30 OPNvirt dhcpd: Listening on BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:12:30 OPNvirt dhcpd: Sending on   BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:12:30 OPNvirt dhcpd: Sending on   Socket/fallback/fallback-net
Jun  2 10:12:30 OPNvirt dhcpd: Server starting service.
Jun  2 10:12:31 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:35 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:43 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:00 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:32 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:32 OPNvirt dhcp6c[31503]: unknown or unexpected DHCP6 option opt_86, len 16
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: Sending Request
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: unknown or unexpected DHCP6 option opt_86, len 16
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: dhcp6c Received REQUEST
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: add an address 2a03:f580:c883:bcfd:21f:29ff:fe59:d8b5/64 on em0

Since I could not match the timestamp in the trace to the logfile I wanted to do the same thing again with a specific action done at a specific time (to know the relative time in the trace) ... but now it's running for 15m without new address ...

Code: [Select]
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: Start address release
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: Sending Release
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: remove an address 2a03:f580:c883:bcfd:21f:29ff:fe59:d8b5/64 on em0
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: dhcp6c Received RELEASE
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: status code: success
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: exiting
Jun  2 10:22:46 OPNvirt dhcp6c[84727]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jun  2 10:22:46 OPNvirt dhcp6c[84727]: failed initialize control message authentication
Jun  2 10:22:46 OPNvirt dhcp6c[84727]: skip opening control port
Jun  2 10:22:47 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:48 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:49 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:22:49 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:22:49 OPNvirt dhcpd: All rights reserved.
Jun  2 10:22:49 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:22:49 OPNvirt dhcpd: Config file: /etc/dhcpd.conf
Jun  2 10:22:49 OPNvirt dhcpd: Database file: /var/db/dhcpd.leases
Jun  2 10:22:49 OPNvirt dhcpd: PID file: /var/run/dhcpd.pid
Jun  2 10:22:49 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:22:49 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:22:49 OPNvirt dhcpd: All rights reserved.
Jun  2 10:22:49 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:22:49 OPNvirt dhcpd: Wrote 0 deleted host decls to leases file.
Jun  2 10:22:49 OPNvirt dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun  2 10:22:49 OPNvirt dhcpd: Wrote 4 leases to leases file.
Jun  2 10:22:49 OPNvirt dhcpd: Listening on BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:22:49 OPNvirt dhcpd: Sending on   BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:22:49 OPNvirt dhcpd: Sending on   Socket/fallback/fallback-net
Jun  2 10:22:49 OPNvirt dhcpd: Server starting service.
Jun  2 10:22:50 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:54 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:23:02 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:23:19 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:23:51 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:24:55 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:26:54 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:28:47 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:30:50 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:32:41 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:34:42 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:36:30 OPNvirt dhcp6c[84913]: Sending Solicit

Can I provide you the traces in some way?

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 02, 2017, 10:55:39 am
I have compared the Advertise packages sent by the Fritzbox in the working and non-working case. The only difference (except of timestamps and stream IDs of Wireshark) is the transaction ID ...

So the Fritzbox sends the same response ... sometimes the dhcp6c answers with a REQUEST and sometimes not ...

How can we trace the packages that dhcp6c sees. Is there something like strace available to trace the dhcp6c client?

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 02, 2017, 11:14:15 am
Ok, you can use something like truss ... so I traced dhcp6c with it. It opens the following sockets / files:

Code: [Select]
Following sockets/files are opened:

55890: socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
55890: connect(3,{ AF_UNIX "/var/run/logpriv" },106) = 0 (0x0)

55890: socket(PF_INET6,SOCK_DGRAM,17)            = 4 (0x4)
55890: fcntl(4,F_GETFL,)                         = 2 (0x2)
55890: fcntl(4,F_SETFL,0x3)                      = 0 (0x0)
55890: bind(4,{ AF_INET6 [::]:546 },28)          = 0 (0x0)

55890: open("/var/etc/dhcp6c_wan.conf",O_RDONLY,0666) = 5 (0x5)
55890: ioctl(5,TIOCGETA,0x53dce490)              ERR#25 'Inappropriate ioctl for device'

And then you can see the following repeating all the time:

Code: [Select]
55959: clock_gettime(13,{ 1496394429.000000000 }) = 0 (0x0)
55959: getpid()                                  = 55959 (0xda97)
55959: sendto(3,"<30>Jun  2 11:07:09 dhcp6c[55959"...,50,0x0,NULL,0x0) = 50 (0x32)
55959: gettimeofday({ 1496394429.744324 },0x0)   = 0 (0x0)
55959: sendto(4,"\^A*a]\0\^A\0\^N\0\^A\0\^A\^_u"...,81,0x0,{ AF_INET6 [ff02::1:2]:547 },0x1c) = 81 (0x51)
55959: __sysctl(0x6a0c53dcdce0,0x6,0x0,0x6a0c53dcdcd8,0x0,0x0) = 0 (0x0)
55959: __sysctl(0x6a0c53dcdce0,0x6,0x46583c3d400,0x6a0c53dcdcd8,0x0,0x0) = 0 (0x0)
55959: gettimeofday({ 1496394429.744816 },0x0)   = 0 (0x0)
55959: select(5,{ 4 },0x0,0x0,{ 123.337096 })    = 0 (0x0)
55959: gettimeofday({ 1496394553.093143 },0x0)   = 0 (0x0)
55959: clock_gettime(13,{ 1496394553.000000000 }) = 0 (0x0)

Shouldn't it read sometimes from 4 as well if it did receive the Advertise packet? Maybe the advertise package really does not reach the dhcp6c.

Best regards,

     Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 02, 2017, 11:32:41 am
The firewall logs show both packets as PASS:

Code: [Select]
Jun  2 11:24:28 OPNvirt filterlog: 53,,,0,em1,match,pass,out,6,0x00,0x00000,1,UDP,17,89,fe80::21f:29ff:fe59:d8b4,ff02::1:2,546,547,89
Jun  2 11:24:28 OPNvirt filterlog: 69,,,0,lo0,match,pass,in,6,0x00,0x00000,1,UDP,17,89,fe80::21f:29ff:fe59:d8b4,ff02::1:2,546,547,89
Jun  2 11:24:28 OPNvirt filterlog: 52,,,0,em1,match,pass,in,6,0x00,0x00000,64,UDP,17,134,fe80::2665:11ff:fe6c:3714,fe80::21f:29ff:fe59:d8b4,547,546,134

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 02, 2017, 12:45:20 pm
Hm, could the issue be caused by OpenVPN also listening on 546?

Code: [Select]
root@OPNvirt:/var/log # sockstat -l | grep :546
root     dhcp6c     33878 5  udp6   *:546                 *:*
root     openvpn    22884 5  udp6   *:546                 *:*

EDIT: yes! I stopped OpenVPN and after next solicit IP address was immediately set!

Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 02, 2017, 02:13:42 pm
Funny thing is: after OpenVPN was disabled and the interface got the IP from the Fritzbox ... there are lots more processes listening on port 546:

Code: [Select]
root@OPNvirt:~ # sockstat -l -6 | grep :546
root     sleep      89181 8  udp6   *:546                 *:*
root     sh         47212 8  udp6   *:546                 *:*
root     radvd      30324 8  udp6   *:546                 *:*
dhcpd    dhcpd      26396 8  udp6   *:546                 *:*
root     dhcp6c     91012 8  udp6   *:546                 *:*

sleep and sh belong to this one:

Code: [Select]
root   47212   0.0  0.1 1078840   3168  -  Ss   14:01    0:00.06 |-- /bin/sh /var/db/rrd/updaterrd.sh
root   89181   0.0  0.1 1073972   2376  -  S    14:10    0:00.00 | `-- sleep 60

Not sure if all of them should be listening to :546 as well :)

Best regards,

    Jochen
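
Added example (not part of the original thread): a check over `sockstat -l` output that lists every process holding a UDPv6 socket on the DHCPv6 client port 546, so that a second holder such as the OpenVPN process found above is spotted before chasing the DHCP server. The two sample inputs are copied from the posts above; the function names are hypothetical.

```python
EXPECTED_OWNER = "dhcp6c"   # the process that should be reading DHCPv6 replies

# sockstat output as posted in the thread (first with OpenVPN running, then after).
SAMPLE_WITH_OPENVPN = """\
root     dhcp6c     33878 5  udp6   *:546                 *:*
root     openvpn    22884 5  udp6   *:546                 *:*
"""
SAMPLE_AFTER = """\
root     sleep      89181 8  udp6   *:546                 *:*
root     sh         47212 8  udp6   *:546                 *:*
root     radvd      30324 8  udp6   *:546                 *:*
dhcpd    dhcpd      26396 8  udp6   *:546                 *:*
root     dhcp6c     91012 8  udp6   *:546                 *:*
"""


def parse_sockstat(text):
    """Return one dict per inet socket line of `sockstat -l` output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # USER COMMAND PID FD PROTO LOCAL FOREIGN; skips header, prompts, blanks
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        user, command, pid, fd, proto, local, _foreign = fields
        _host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # unbound or non-inet socket
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "fd": fd, "proto": proto, "port": int(port)})
    return rows


def port_report(text, port=546, proto="udp6"):
    """Summarise who holds the given port and whether it is shared."""
    holders = [r for r in parse_sockstat(text)
               if r["port"] == port and r["proto"] == proto]
    owner_pids = sorted({r["pid"] for r in holders
                         if r["command"] == EXPECTED_OWNER})
    others = sorted({(r["command"], r["pid"]) for r in holders
                     if r["command"] != EXPECTED_OWNER})
    return {
        "owner_pids": owner_pids,
        "other_holders": others,
        # Shared when anything else holds the port or several clients run at once.
        "shared": bool(others) or len(owner_pids) > 1,
    }


if __name__ == "__main__":
    for name, sample in (("with OpenVPN", SAMPLE_WITH_OPENVPN),
                         ("after stopping OpenVPN", SAMPLE_AFTER)):
        rep = port_report(sample)
        print(name, "-> dhcp6c pids:", rep["owner_pids"],
              "other holders:", rep["other_holders"])
```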
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: gothbert on June 12, 2017, 07:53:50 pm
Just a brief update on my potentially related issue (no prefix delegation from cable modem to OPNSense box and LAN does not track WAN IPv6):
- ISP support is poor: helpline told me that prefix delegation may work or may not work.
- That information is consistent with what other clients of the ISP experience according to forum posts across the internet: for some it works and for some it doesn't.
- My neighbor uses a Fritzbox with the same ISP but has an IPv4-only line; I have DSlite (dual stack lite), i.e. IPv6-only and IPv4 via CGN (carrier grade NAT); thus no chance to cross-check.
- I will buy a Fritzbox, try it and report back.

Cheers,
Boris
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on June 13, 2017, 12:12:34 am
The connection issue towards https://www.heise.de remains though ... http connection is possible (I see the redirect to https), https connection is not possible ... the last thing I see in a trace is the "CLIENT HELLO" of ssl. If I test via curl https from OPNsense it works, from LAN only http works.

To follow up on this as well ... I have found out why https connection was not possible to some sites ... once I had reduced the MTU on my Linux system to 1486 even the https connection works without issues. So I guess the PMTU discovery fails at some point ... since it works fine if I run the curl on the OPNsense box, could this be an issue in OPNsense?

Thanks and best regards,

    Space
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: gothbert on June 24, 2017, 11:37:56 am
- I will buy a Fritzbox, try it and report back.

Got my Fritzbox and got IPv6 on LAN working, finally. Only because of the additional insights and configuration options the Fritzbox provides, together with an Ubuntu box added in parallel to the OPNsense box to make sure that the Fritzbox really can delegate prefixes (dhclient, wireshark, ...).

It still took quite some time to get it done. I ended up with the configuration that I have been trying out for weeks, in accordance with what Jochen proposed. Seemingly, the only difference is that I turned Intrusion Detection off. Please let me know if you would like me to investigate if there is an issue with suricata.

Best regards
Boris



Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 12, 2017, 01:27:19 pm
Hey,

does someone have a working configuration with a PPPoE over modem connection? I still have a problem with IPv6 and OPNsense:

- ISP Deutsche Telekom
- opnsense 17.1.9
- Vigor 130 modem only (vlan7)
- Unifi AC PRO Access Point
I configured my opnsense in this way: https://moerbst.wordpress.com/2016/07/31/ipv6mit-pfsense-an-dsl-der-telekom/

I got an IPv6 address for my OPNsense (working) but my clients are still without an IPv6 address :-(

maybe someone can help me!

thank you

Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on July 12, 2017, 02:55:03 pm
Hmm, check if radvd is running (services: diagnostics), from the console see the config has a prefix:

# cat /var/etc/radvd.conf

Without a delegated prefix, your clients won't receive an IPv6.
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: gothbert on July 12, 2017, 03:42:49 pm
does someone have a working configuration with a PPPoE over modem connection? I still have a problem with IPv6 and OPNsense:

Have you suricata (Intrusion Detection) turned on or off? If it is turned on, could you please turn it off and reboot and see if the prefix and IPv6 at the LAN interface come up?
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 12, 2017, 09:41:18 pm
Hello,

@gothbert: no, suricata is off.
@franco: I will check when I'm back home

thank you all
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 02:16:54 pm
So I made a few screenshots:
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 02:18:48 pm
When I add some ipv6 DNS Servers I get an error:
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 02:20:13 pm
I made two firewall rules:

WAN: IPv4+6 ICMP   Allow all
LAN: IPv4+6 ICMP   Allow all
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 02:58:12 pm
I can ping any host from my opnsense GUI:

PING6(56=40+8+8 bytes) 2003:c2:ebbf:1d64:20d:xxxx:xxxx:xxxx --> 2001:1900:2254:206a::50:0
16 bytes from 2001:1900:2254:206a::50:0, icmp_seq=0 hlim=58 time=171.710 ms
16 bytes from 2001:1900:2254:206a::50:0, icmp_seq=1 hlim=58 time=171.586 ms
16 bytes from 2001:1900:2254:206a::50:0, icmp_seq=2 hlim=58 time=171.838 ms

--- freebsd.org ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 171.586/171.711/171.838/0.103 ms
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 09:50:13 pm
mg@ZOS1337:~ % cat /var/etc/radvd.conf
# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface igb1 {
   AdvSendAdvert on;
   MinRtrAdvInterval 3;
   MaxRtrAdvInterval 10;
   AdvLinkMTU 1500;
   AdvOtherConfigFlag on;
      prefix ::/64 {
      AdvOnLink on;
      AdvAutonomous on;
      AdvRouterAddr on;
   };
   RDNSS 2620:0:ccc::2 2620:0:ccd::2 { };
   DNSSL localdomain { };
};
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on July 13, 2017, 10:57:37 pm
Hi,

if you check the interfaces ... on which interface do you see an IPv6 address? Is it on WAN or LAN?

What messages do you see in the dhcp log?
Best regards,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: franco on July 13, 2017, 10:59:03 pm
Yes, you do not receive a prefix (empty "::/64"). It's likely due to your device in front of OPNsense not giving out one.

Under Interfaces: [WAN], can you try to set "Directly send SOLICIT"?


Cheers,
Franco
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: Space on July 13, 2017, 11:07:18 pm
And if you are using OpenVPN ... please try to disable the OpenVPN service.

Whenever I boot up my OPNsense box or do an action that forces a save of the interfaces I have to stop the OpenVPN service. Then the router advertisements are received by dhcp6c and the IPv6 is then set on the LAN interface and apinger, ntpd and OpenVPN services are started again automatically afterwards.

@Franco: do you think there is an option to stop OpenVPN like ntpd and apinger are stopped until IPv6 is up and running? Or do you have an idea why OpenVPN is listening on port 546 and intercepts the packets that dhcp6c should get? See the issue I opened some time ago: https://github.com/opnsense/core/issues/1668.

Thanks,

    Jochen
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 11:49:58 pm
Hi,

if you check the interfaces ... on which interface do you see an IPv6 address? Is it on WAN or LAN?

What messages do you see in the dhcp log?
Best regards,

    Jochen
only on pppoe0

Code: [Select]
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
inet6 fe80::20d:b9ff:fe47:1a9c%pppoe0 prefixlen 64 scopeid 0xb
inet6 fe80::20d:b9ff:fe47:1a9d%pppoe0 prefixlen 64 scopeid 0xb
inet6 2003:c2:ebbf:2ea9:xxx:xxxx:xxxx:1a9c prefixlen 64 autoconf
inet 46.91.190.79 --> 62.155.241.133  netmask 0xffffffff
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 11:51:42 pm
Code: [Select]

igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4400b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,TXCSUM_IPV6>
ether 00:0d:b9:47:1a:9c
inet6 fe80::20d:b9ff:fe47:1a9c%igb0 prefixlen 64 scopeid 0x1
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=4500b8<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWFILTER,VLAN_HWTSO,TXCSUM_IPV6>
ether 00:0d:b9:47:1a:9d
inet 192.168.91.254 netmask 0xffffff00 broadcast 192.168.91.255
inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
igb2: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=6403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
ether 00:0d:b9:47:1a:9e
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect
status: no carrier
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: enc
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: lo
pflog0: flags=100<PROMISC> metric 0 mtu 33160
groups: pflog
pfsync0: flags=0<> metric 0 mtu 1500
groups: pfsync
syncpeer: 0.0.0.0 maxupd: 128 defer: off
ovpns1: flags=8010<POINTOPOINT,MULTICAST> metric 0 mtu 1500
options=80000<LINKSTATE>
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
groups: tun openvpn
igb1_vlan20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:0d:b9:47:1a:9d
inet6 fe80::20d:b9ff:fe47:1a9d%igb1_vlan20 prefixlen 64 scopeid 0x9
inet 192.168.20.254 netmask 0xffffff00 broadcast 192.168.20.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 20 vlanpcp: 0 parent interface: igb1
groups: vlan
igb1_vlan30: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:0d:b9:47:1a:9d
inet6 fe80::20d:b9ff:fe47:1a9d%igb1_vlan30 prefixlen 64 scopeid 0xa
inet 192.168.30.254 netmask 0xffffff00 broadcast 192.168.30.255
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 30 vlanpcp: 0 parent interface: igb1
groups: vlan
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
inet6 fe80::20d:b9ff:fe47:1a9c%pppoe0 prefixlen 64 scopeid 0xb
inet6 fe80::20d:b9ff:fe47:1a9d%pppoe0 prefixlen 64 scopeid 0xb
inet6 2003:c2:ebbf:2ea9:20d:xxxx:xxxx:xxxx prefixlen 64 autoconf
inet 46.91.xxx.xx --> 62.155.241.xxx  netmask 0xffffffff
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 11:53:58 pm
Yes, you do not receive a prefix (empty "::/64"). It's likely due to your device in front of OPNsense not giving out one.

Under Interfaces: [WAN], can you try to set "Directly send SOLICIT"?


Cheers,
Franco

OK SOLICIT is active

Code: [Select]
cat /var/etc/radvd.conf
# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface igb1 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 1500;
AdvOtherConfigFlag on;
prefix ::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2620:0:ccc::2 2620:0:ccd::2 { };
DNSSL localdomain { };
};
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 13, 2017, 11:57:58 pm
Yes, you do not receive a prefix (empty "::/64"). It's likely due to your device in front of OPNsense not giving out one.

Under Interfaces: [WAN], can you try to set "Directly send SOLICIT"?


Cheers,
Franco

DHCP6 log
Code: [Select]
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:20:f6:7f:5e:00:0d:b9:47:1a:9c
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: failed initialize control message authentication
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: skip opening control port
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>[interface] (9)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <5>[pppoe0] (6)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>begin of closure [{] (1)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>[script] (6)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>end of sentence [;] (1)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>end of closure [}] (1)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: <3>end of sentence [;] (1)
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: called
Jul 11 21:35:37 ZOS1337 dhcp6c[55924]: called
Jul 11 21:35:37 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=INIT, timeo=0, retrans=891
Jul 11 21:35:38 ZOS1337 dhcp6c[56598]: Sending Solicit
Jul 11 21:35:38 ZOS1337 dhcp6c[56598]: a new XID (85ac73) is generated
Jul 11 21:35:38 ZOS1337 dhcp6c[56598]: set client ID (len 14)
Jul 11 21:35:38 ZOS1337 dhcp6c[56598]: set elapsed time (len 2)
Jul 11 21:35:38 ZOS1337 dhcp6c[56598]: send solicit to ff02::1:2%pppoe0
Jul 11 21:35:38 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=0, retrans=1091
Jul 11 21:35:39 ZOS1337 dhcp6c[56598]: Sending Solicit
Jul 11 21:35:39 ZOS1337 dhcp6c[56598]: set client ID (len 14)
Jul 11 21:35:39 ZOS1337 dhcp6c[56598]: set elapsed time (len 2)
Jul 11 21:35:39 ZOS1337 dhcp6c[56598]: send solicit to ff02::1:2%pppoe0
Jul 11 21:35:39 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=1, retrans=2083
Jul 11 21:35:41 ZOS1337 dhcp6c[56598]: Sending Solicit
Jul 11 21:35:41 ZOS1337 dhcp6c[56598]: set client ID (len 14)
Jul 11 21:35:41 ZOS1337 dhcp6c[56598]: set elapsed time (len 2)
Jul 11 21:35:41 ZOS1337 dhcp6c[56598]: send solicit to ff02::1:2%pppoe0
Jul 11 21:35:41 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=2, retrans=3982
Jul 11 21:35:45 ZOS1337 dhcp6c[56598]: Sending Solicit
Jul 11 21:35:45 ZOS1337 dhcp6c[56598]: set client ID (len 14)
Jul 11 21:35:45 ZOS1337 dhcp6c[56598]: set elapsed time (len 2)
Jul 11 21:35:45 ZOS1337 dhcp6c[56598]: send solicit to ff02::1:2%pppoe0
Jul 11 21:35:45 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=3, retrans=8065
Jul 11 21:35:53 ZOS1337 dhcp6c[56598]: Sending Solicit
Jul 11 21:35:53 ZOS1337 dhcp6c[56598]: set client ID (len 14)
Jul 11 21:35:53 ZOS1337 dhcp6c[56598]: set elapsed time (len 2)
Jul 11 21:35:53 ZOS1337 dhcp6c[56598]: send solicit to ff02::1:2%pppoe0
Jul 11 21:35:53 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=4, retrans=16326
Jul 11 21:36:04 ZOS1337 dhcp6c[99764]: Sending Solicit
Jul 11 21:36:09 ZOS1337 dhcp6c[56598]: Sending Solicit
Jul 11 21:36:09 ZOS1337 dhcp6c[56598]: set client ID (len 14)
Jul 11 21:36:09 ZOS1337 dhcp6c[56598]: set elapsed time (len 2)
Jul 11 21:36:09 ZOS1337 dhcp6c[56598]: send solicit to ff02::1:2%pppoe0
Jul 11 21:36:09 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=5, retrans=31928
Jul 11 21:36:26 ZOS1337 dhcp6c[56598]: removing an event on pppoe0, state=SOLICIT
Jul 11 21:36:26 ZOS1337 dhcp6c[56598]: executes /var/etc/dhcp6c_wan_script.sh
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: extracted an existing DUID from /var/db/dhcp6c_duid: 00:01:00:01:20:f6:7f:5e:00:0d:b9:47:1a:9c
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: failed initialize control message authentication
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: skip opening control port
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>[interface] (9)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <5>[pppoe0] (6)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>begin of closure [{] (1)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>[script] (6)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>["/var/etc/dhcp6c_wan_script.sh"] (31)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>end of sentence [;] (1)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>end of closure [}] (1)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: <3>end of sentence [;] (1)
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: called
Jul 11 21:36:27 ZOS1337 dhcp6c[55726]: called
Jul 11 21:36:27 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=INIT, timeo=0, retrans=891
Jul 11 21:36:28 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:36:28 ZOS1337 dhcp6c[55879]: a new XID (7ac87) is generated
Jul 11 21:36:28 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:36:28 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:36:28 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:36:28 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=0, retrans=1091
Jul 11 21:36:29 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:36:29 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:36:29 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:36:29 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:36:29 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=1, retrans=2083
Jul 11 21:36:31 ZOS1337 dhcp6c[56598]: script "/var/etc/dhcp6c_wan_script.sh" terminated
Jul 11 21:36:31 ZOS1337 dhcp6c[56598]: exiting
Jul 11 21:36:31 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:36:31 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:36:31 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:36:31 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:36:31 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=2, retrans=3982
Jul 11 21:36:35 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:36:35 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:36:35 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:36:35 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:36:35 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=3, retrans=8065
Jul 11 21:36:43 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:36:43 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:36:43 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:36:43 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:36:43 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=4, retrans=16326
Jul 11 21:37:00 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:37:00 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:37:00 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:37:00 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:37:00 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=5, retrans=31928
Jul 11 21:37:32 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:37:32 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:37:32 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:37:32 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:37:32 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=6, retrans=64469
Jul 11 21:37:57 ZOS1337 dhcp6c[99764]: Sending Solicit
Jul 11 21:44:31 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:44:31 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:44:31 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:44:31 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:44:31 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=10, retrans=111000
Jul 11 21:45:40 ZOS1337 dhcp6c[99764]: Sending Solicit
Jul 11 21:46:22 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:46:22 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:46:22 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:46:22 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:46:22 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=11, retrans=120720
Jul 11 21:47:31 ZOS1337 dhcp6c[99764]: Sending Solicit
Jul 11 21:48:23 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:48:23 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:48:23 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:48:23 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:48:23 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=12, retrans=108504
Jul 11 21:49:29 ZOS1337 dhcp6c[99764]: Sending Solicit
Jul 11 21:50:11 ZOS1337 dhcp6c[55879]: Sending Solicit
Jul 11 21:50:11 ZOS1337 dhcp6c[55879]: set client ID (len 14)
Jul 11 21:50:11 ZOS1337 dhcp6c[55879]: set elapsed time (len 2)
Jul 11 21:50:11 ZOS1337 dhcp6c[55879]: send solicit to ff02::1:2%pppoe0
Jul 11 21:50:11 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=13, retrans=110940

Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 14, 2017, 12:01:19 am
Sorry for posting in a row.

Thank you for your help!

I deactivated openvpn and restarted opnsense.
Title: Re: [SOLVED] [17.1.5] Still no working IPv6 on LAN
Post by: zitlo on July 14, 2017, 08:34:50 pm
I made it!

I deactivated OpenVPN.

Settings for Deutsche Telekom AG IPv6 with OPNsense:

Interface WAN:
Check firewall option "Allow IPv6" is enabled
IPv6 Configuration Type: DHCP6
Request IPv6 prefix/information through the IPv4 connectivity link
DHCPv6 Prefix Delegation Size: 56 Bit
Send IPv6 prefix hint
Only request an IPv6 prefix

Interface LAN:
IPv4 configuration type: static
IPv6 configuration type: track interface
IPv6 interface: WAN
IPv6 prefix ID: 1

Gateway:
check if gateway for ipv6 is enabled

DNS: DNS for ipv6 enable

then I made some ICMP and ICMP-v6 allow all on LAN and WAN firewall rules, I don't know if they are relevant. I will check this later.

check with sockstat -l | grep ':546' if some services (like openvpn) listen on port 546

so happy for now.
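
The three checks this thread converged on (the unset "::/64" prefix in radvd.conf, the Solicit retries piling up in the dhcp6c log, and other processes holding UDP port 546), collected as an added example that is not from any poster or from OPNsense. The function names are hypothetical and the sample inputs are constructed, shortened from the outputs quoted in the posts.

```shell
#!/bin/sh
# Added example, not part of the thread. Every function reads captured
# command output on stdin, so it works offline or live, for instance:
#   sockstat -l | port546_holders
#   radvd_unset_prefixes < /var/etc/radvd.conf

# Print "command pid" for each process other than dhcp6c that holds a UDP
# socket on the DHCPv6 client port. Matching on the local-address column
# avoids the false hits that a plain "grep :546" gives for ports like 5460.
port546_holders() {
    awk '$5 ~ /^udp/ && $6 ~ /:546$/ && $2 != "dhcp6c" { print $2, $3 }'
}

# Print "interface prefix" for each radvd prefix that is still the
# unspecified ::/len, meaning no delegated prefix reached that interface.
radvd_unset_prefixes() {
    awk '$1 == "interface" { iface = $2 }
         $1 == "prefix" && $2 ~ /^::\/[0-9]+$/ { print iface, $2 }'
}

# Print "pid highest_timeo" per dhcp6c process. The timeo counter in the
# "state=SOLICIT" lines grows with every retransmission that got no answer.
solicit_retries() {
    awk '/state=SOLICIT, timeo=/ {
             pid = $5; sub(/.*\[/, "", pid); sub(/\].*/, "", pid)
             t = $0; sub(/.*timeo=/, "", t); sub(/,.*/, "", t)
             if (!(pid in max) || t + 0 > max[pid]) max[pid] = t + 0
         }
         END { for (p in max) print p, max[p] }' | sort -n
}

# Constructed sample: the first two lines are the sockstat output quoted in
# the thread, the syslogd line is invented to show the 5460 case.
SOCKSTAT_SAMPLE='root     dhcp6c     33878 5  udp6   *:546                 *:*
root     openvpn    22884 5  udp6   *:546                 *:*
root     syslogd    1201  6  udp6   *:5460                *:*'

# Constructed sample: igb1 as posted in the thread, igb2 invented with a
# documentation prefix to show a correctly filled entry.
RADVD_SAMPLE='interface igb1 {
   AdvSendAdvert on;
   prefix ::/64 {
      AdvOnLink on;
   };
};
interface igb2 {
   prefix 2001:db8:0:1::/64 {
   };
};'

# Constructed sample: three lines picked from the dhcp6c log in the thread.
DHCP6C_SAMPLE='Jul 11 21:36:29 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=1, retrans=2083
Jul 11 21:50:11 ZOS1337 dhcp6c[55879]: reset a timer on pppoe0, state=SOLICIT, timeo=13, retrans=110940
Jul 11 21:35:53 ZOS1337 dhcp6c[56598]: reset a timer on pppoe0, state=SOLICIT, timeo=4, retrans=16326'

printf '%s\n' "$SOCKSTAT_SAMPLE" | port546_holders
printf '%s\n' "$RADVD_SAMPLE" | radvd_unset_prefixes
printf '%s\n' "$DHCP6C_SAMPLE" | solicit_retries
```

Run against the second sockstat listing in the thread, port546_holders would also report sleep, sh, radvd and dhcpd, since it lists every non-dhcp6c holder of the port.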