General Discussion / Unable to pick client prefix: no IPv6 pools on this shared network
« on: November 07, 2019, 02:26:32 am »
I'll state upfront that IPv6 is not my strong suit. I'm attempting to set up a lab so I can educate myself. That said, I'm a bit stuck and could use some advice. I've searched this forum and online for days and cannot figure out what's going on.
I have two OPNsense hosts. One is on a physical host with 3 ports: WAN, WIFI and LAN. The other is virtual with two ports: WAN is bridged to the physical LAN network, and it has its own LAN on a private network.
On the internet facing host, I am able to successfully request a /60 prefix from my ISP, of which I'm reserving the first half /61 for internal addresses. I am requesting a prefix only and letting the WAN be assigned a random external IP address, which is not in the range of the /60 being delegated to me.
My home network (WIFI) is tracking the WAN (0x1) and has a /64. It doesn't have DHCP enabled, RA is set to "unmanaged" and hosts are using SLAAC. Its prefix is 2001:db8:a:8031::/64. Everything looks fine.
My physical LAN (LAN) is also tracking the WAN (0x2) and has another /64. It does have DHCP enabled and RA is set to "assisted". Its prefix is 2001:db8:a:8032::/64. I can reserve leases for specific hosts as expected and all was well.
From the above, I'm assuming that I'm being delegated the prefix 2001:db8:a:8030::/60.
Here's where things start to go sideways.
The OPNsense DHCPv6 on my LAN indicates an available prefix delegation size of 61. That makes sense to me, given I should only be able to delegate a subset of the block delegated and the next smallest prefix size is 61.
Given I've already used two /64s in the first /61 for my WIFI and LAN networks, I assume this is referring to the latter /61 (from ::8038 to ::8040), however in the Prefix Delegation Size dropdown the available options are 48, 52, 56, 60, 62, 63, and 64. Notice there's no 61. Odd?
Given there's no 61, I've selected 62 and entered the tail-end of my range, let's say ::803c - ::8040. I believe this should give me 4 /64s but I cannot acquire prefixes from it.
Running:
$ sudo tcpdump -i ix0 -vv ip6 and dst port 547 or dst port 546
Results:
Code:
16:12:25.942585 IP6 (hlim 1, next-header UDP (17) payload length: 84) fe80::a00:27ff:fe3e:af77.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 request (xid=b33316 (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (server-ID hwaddr/time type 1 time 620825045 ac1f6bb1f2d4) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (status-code NoPrefixAvail)))
16:12:25.942785 IP6 (hlim 64, next-header UDP (17) payload length: 111) fe80::ae1f:6bff:feb1:f2d4.dhcpv6-server > fe80::a00:27ff:fe3e:af77.dhcpv6-client: [udp sum ok] dhcp6 reply (xid=b33316 (IA_PD IAID:0 T1:0 T2:0 (status-code NoPrefixAvail)) (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (server-ID hwaddr/time type 1 time 620825045 ac1f6bb1f2d4))
16:12:26.627149 IP6 (hlim 1, next-header UDP (17) payload length: 89) fe80::a00:27ff:fe3e:af77.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=33e9bb (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/64 pltime:4294967295 vltime:4294967295)))
16:12:26.627393 IP6 (hlim 64, next-header UDP (17) payload length: 111) fe80::ae1f:6bff:feb1:f2d4.dhcpv6-server > fe80::a00:27ff:fe3e:af77.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=33e9bb (IA_PD IAID:0 T1:0 T2:0 (status-code NoPrefixAvail)) (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (server-ID hwaddr/time type 1 time 620825045 ac1f6bb1f2d4))
Logs under /var/log/dhcpd.log seem to confirm as much:
Code:
Nov 6 16:08:50 core dhcpd: Solicit message from fe80::a00:27ff:fe3e:af77 port 546, transaction ID 0x8D5CE000
Nov 6 16:08:50 core dhcpd: Unable to pick client prefix: no IPv6 pools on this shared network
Nov 6 16:08:50 core dhcpd: Sending Advertise to fe80::a00:27ff:fe3e:af77 port 546
Nov 6 16:08:51 core dhcpd: Request message from fe80::a00:27ff:fe3e:af77 port 546, transaction ID 0x60E31500
Nov 6 16:08:51 core dhcpd: Unable to pick client prefix: no IPv6 pools on this shared network
Nov 6 16:08:51 core dhcpd: Sending Reply to fe80::a00:27ff:fe3e:af77 port 546
On the LAB OPNsense side:
OPNsense is on a host on the physical LAN running VirtualBox. The VM has one bridged interface (WAN) and another private network (LAB). It can acquire an IPv6 address from the DHCPv6 server for the WAN address and I can reserve the lease based on its DUID; however, it cannot acquire a prefix. Running tcpdump on its WAN interface yields the same results:
Code:
16:21:03.282083 IP6 (hlim 1, next-header UDP (17) payload length: 89) fe80::a00:27ff:fe3e:af77.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 solicit (xid=aa1cfd (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (IA_PD-prefix ::/64 pltime:4294967295 vltime:4294967295)))
16:21:03.282581 IP6 (hlim 64, next-header UDP (17) payload length: 111) fe80::ae1f:6bff:feb1:f2d4.dhcpv6-server > fe80::a00:27ff:fe3e:af77.dhcpv6-client: [udp sum ok] dhcp6 advertise (xid=aa1cfd (IA_PD IAID:0 T1:0 T2:0 (status-code NoPrefixAvail)) (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (server-ID hwaddr/time type 1 time 620825045 ac1f6bb1f2d4))
16:21:04.289572 IP6 (hlim 1, next-header UDP (17) payload length: 84) fe80::a00:27ff:fe3e:af77.dhcpv6-client > ff02::1:2.dhcpv6-server: [udp sum ok] dhcp6 request (xid=624ddf (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (server-ID hwaddr/time type 1 time 620825045 ac1f6bb1f2d4) (elapsed-time 0) (option-request DNS-server DNS-search-list) (IA_PD IAID:0 T1:0 T2:0 (status-code NoPrefixAvail)))
16:21:04.290115 IP6 (hlim 64, next-header UDP (17) payload length: 111) fe80::ae1f:6bff:feb1:f2d4.dhcpv6-server > fe80::a00:27ff:fe3e:af77.dhcpv6-client: [udp sum ok] dhcp6 reply (xid=624ddf (IA_PD IAID:0 T1:0 T2:0 (status-code NoPrefixAvail)) (client-ID hwaddr/time type 1 time 626338757 0800274c4d5d) (server-ID hwaddr/time type 1 time 620825045 ac1f6bb1f2d4))
I've also tried manually running dhclient -6 -P from a different VM and get similar results (status-code NoPrefixAvail).
I've tried tweaking a number of different options (soliciting prefix only, adjusting the prefix size and range accordingly, different RA modes) to no avail.
Any words of wisdom of how to tackle this? What should I look at next?
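
An added example, not part of the original post or of OPNsense: a Python check of the prefix arithmetic described above, run against the post's documentation prefixes. It only validates the range against the delegated block and the /64s already in use; `check_pd_range` is a hypothetical helper, and treating the range end as an inclusive, delegable prefix is an assumption.

```python
import ipaddress

def check_pd_range(delegated, low, high, pd_len, in_use=()):
    """Return a list of problems with a prefix-delegation range (empty = OK).

    delegated: prefix received from upstream, e.g. "2001:db8:a:8030::/60"
    low, high: first and last prefix of the range (assumed inclusive)
    pd_len:    length of each prefix handed to a downstream router
    in_use:    /64s already assigned to local interfaces
    """
    parent = ipaddress.ip_network(delegated)
    used = [ipaddress.ip_network(n) for n in in_use]
    if not parent.prefixlen <= pd_len <= 64:
        return [f"/{pd_len} cannot be carved from {parent}"]
    step = 1 << (128 - pd_len)          # address span of one delegated prefix
    lo, hi = (int(ipaddress.ip_address(a)) for a in (low, high))
    if hi < lo:
        return ["range end is below range start"]
    problems = []
    for name, value in (("start", lo), ("end", hi)):
        if value % step:
            problems.append(f"range {name} is not aligned to /{pd_len}")
    # Walk every prefix of length pd_len from the (aligned) start to the end.
    for base in range(lo - lo % step, hi + 1, step):
        pool = ipaddress.IPv6Network((base, pd_len))
        if not pool.subnet_of(parent):
            problems.append(f"{pool} is outside {parent}")
        problems += [f"{pool} overlaps in-use {n}" for n in used
                     if pool.overlaps(n)]
    return problems

# Values taken from the post (documentation prefixes).
DELEGATED = "2001:db8:a:8030::/60"
IN_USE = ("2001:db8:a:8031::/64", "2001:db8:a:8032::/64")

if __name__ == "__main__":
    # Range as entered in the post: /62 from ::803c to ::8040.
    for line in check_pd_range(DELEGATED, "2001:db8:a:803c::",
                               "2001:db8:a:8040::", 62, IN_USE) or ["OK"]:
        print(line)
```
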

