21.7 Legacy Series / 6RD, RDNSS, radvd, and the case(s) of missing ipv6 NS packets
« on: August 24, 2021, 06:08:56 am »
Been chewing on this one for two days now. My google-fu must have missed something, especially because most of these are newer to me (IPv6 "has always just worked", so there was no need for me to figure it out).
For some reason, I cannot get IPv6 NS packets answered by my OPNsense router, specifically at the RDNSS's set address. I can *ping6* the darn IP just fine, but with `ndisc6 -1 xxxx:xxxx:xxxx:d700::1 enp6s0` I get "Timed Out". Other devices that must be reached through the OPNsense (from [LAN] to [LAN_Servers]) answer NS packets fine.
The reason this is a problem is that certain Android devices, if they receive one or more RDNSS over Wi-Fi, *require* at least one RDNSS to reply to NS packets. (Tested Android device: Pixel 3a with RQ3A.21.0805.001.A1.) If it does not get responses, it assumes the Wi-Fi is bad/wrong and disconnects. See IpReachabilityMonitor and related Google searches for "Android ipv6 RDNSS". The log message to look out for via adb logcat is (IPv6 address scrubbed):
[IpReachabilityMonitor] WARN ALERT neighbor went from: null to: NeighborEvent{@983249427,RTM_NEWNEIGH,if=30,xxxx:xxxx:xxxx:d700::1,NUD_FAILED,[null]}
My temporary fix is to enable "Track IPv6 Interface --> Manual Configuration" on the LAN, which then allows "Services --> Router Advertisements --> [LAN]", and set it to "Unmanaged" with "Do not send DNS settings to clients".
Sadly, from what I can read of the config-gen code in dhcpd.inc, there is no way to disable RDNSS for 6RD; while Issue #4537 exists, it did not seem to cover the 6RD style. So this means that I now have to be very, very careful about my 6RD, I think? Or if it ever changes? Or is my "temp fix" above the expected way to disable RDNSS for 6RD? This seems suboptimal D: and/or unclear in the docs.
All that above to say: while this "works" as a temp fix, I would much rather figure out what I am missing regarding the IPv6 Neighbor Solicitation packets not being answered by the OPNsense device. I haven't touched the default firewall settings for them, to the best of my knowledge, and I am not seeing any firewall log entries that stand out to me (DENY) when I trigger an NS request.
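The check the post describes by hand, as an added example that is not part of the original post and not OPNsense or radvd code: decode the Router Advertisement the LAN receives, list every RDNSS address it carries (RFC 8106 option type 25, the option radvd emits when DNS settings are sent to clients), derive the per-address `ndisc6 -1 <addr> <iface>` probe, and cross-check against IpReachabilityMonitor NUD_FAILED lines from adb logcat. The RA bytes, the documentation prefix 2001:db8:0:d700::/64 standing in for the scrubbed one, and the logcat line are constructed sample data in the post's format; the checksum is not verified.

```python
"""Decode an ICMPv6 Router Advertisement, extract RDNSS addresses, and map them
to the ndisc6 probe and the Android NUD_FAILED check described in the post.
Added example, not code from OPNsense, radvd or the original post; all sample
data below is constructed."""
import ipaddress
import re
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3    # RFC 4861 Prefix Information option
OPT_RDNSS = 25         # RFC 8106 Recursive DNS Server option


def parse_ra(icmp6):
    """Decode an ICMPv6 RA payload into M/O flags, advertised prefixes and RDNSS."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    flags = icmp6[5]
    info = {
        "managed": bool(flags & 0x80),   # M flag: addresses via DHCPv6
        "other": bool(flags & 0x40),     # O flag: other config via DHCPv6
        "prefixes": [],
        "rdnss": [],                     # (address, lifetime seconds)
    }
    off = 16                             # fixed RA header is 16 bytes
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        otype, olen = icmp6[off], icmp6[off + 1] * 8
        if olen == 0 or off + olen > len(icmp6):
            raise ValueError("malformed option length")   # RFC 4861 s4.6: drop the RA
        body = icmp6[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            # prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            info["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:
            # reserved(2) lifetime(4) then one or more 16-byte addresses
            lifetime = struct.unpack("!I", body[2:6])[0]
            addrs = body[6:]
            if not addrs or len(addrs) % 16:
                raise ValueError("RDNSS option with bad address count")
            for i in range(0, len(addrs), 16):
                info["rdnss"].append((str(ipaddress.IPv6Address(addrs[i:i + 16])), lifetime))
        off += olen
    return info


def build_ra(rdnss, prefix="2001:db8:0:d700::", plen=64, dns_lifetime=1800, managed=False):
    """Construct an RA with one PIO and one RDNSS option (sample data, not a capture)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64,
                      0x80 if managed else 0, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0,
                      2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    rd = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, dns_lifetime)
    rd += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return hdr + pio + rd


def probe_commands(info, iface):
    """One ndisc6 probe per advertised RDNSS; each should get an NA back."""
    return [f"ndisc6 -1 {addr} {iface}" for addr, _ in info["rdnss"]]


NUD_FAILED_RE = re.compile(
    r"NeighborEvent\{[^,]*,RTM_NEWNEIGH,if=\d+,([0-9a-fA-F:]+),NUD_FAILED")


def nud_failed_addrs(logcat):
    """Neighbours IpReachabilityMonitor reported as NUD_FAILED, normalised."""
    return [str(ipaddress.IPv6Address(a)) for a in NUD_FAILED_RE.findall(logcat)]


def unreachable_rdnss(info, logcat):
    """Advertised RDNSS addresses the phone could not resolve via NS/NA.
    Per the post, if no advertised RDNSS answers, the phone drops the Wi-Fi."""
    failed = set(nud_failed_addrs(logcat))
    return [a for a, _ in info["rdnss"] if a in failed]


# Constructed logcat line in the format quoted in the post.
SAMPLE_LOGCAT = (
    "[IpReachabilityMonitor] WARN ALERT neighbor went from: null to: "
    "NeighborEvent{@983249427,RTM_NEWNEIGH,if=30,2001:db8:0:d700::1,NUD_FAILED,[null]}\n"
)

if __name__ == "__main__":
    info = parse_ra(build_ra(["2001:db8:0:d700::1"]))
    print("M/O flags:", info["managed"], info["other"])
    print("prefixes:", info["prefixes"])
    print("rdnss:", info["rdnss"])
    for cmd in probe_commands(info, "enp6s0"):
        print("run:", cmd)
    print("RDNSS with NUD_FAILED:", unreachable_rdnss(info, SAMPLE_LOGCAT))
```

On a real LAN the RA bytes come from `rdisc6 <iface>` or a `tcpdump -i <iface> -w ra.pcap icmp6 and ip6[40] == 134` capture, and the probe list is what to run while watching for the NUD_FAILED line in `adb logcat`; an RDNSS address that pings but never answers `ndisc6` is exactly the case the post is chasing.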