Messages

This is the created /var/etc/radvd.conf config:

Code Select Expand

# Automatically generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface igb0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 1500;
        AdvOtherConfigFlag on;
        prefix ::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2a03:....60 2a03:.....:160 { };
        DNSSL spacenet { };
};


Hi,

I see the same issue ... I checked with tcpdump on the clients and it looks like radvd does not hand out the prefix ...

Code Select Expand

00:55:47.112912 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 96) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 96
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
  rdnss option (25), length 40 (5):  lifetime 10s, addr: 2a03:..... addr: 2a03:.....
  dnssl option (31), length 24 (3):  lifetime 10s, domain(s): spacenet.
  mtu option (5), length 8 (1):  1500
  source link-address option (1), length 8 (1): f4:ce:....:f4

Best regards,

    Jochen

But I had it running on 17.7.x without issues (after some fights and several releases) :)

Hi Franco,

I have upgraded to the dev version and rebooted. Directly after the reboot IPv6 was available on all interfaces (because suricata service was not yet started). As soon as suricata was running IPv6 became unavailable on the internal interfaces and only the WAN interface still has an IPv6 IP.

FYI: I have suricata enabled only on the WAN interface. Home networks are only the ones from the internal interfaces but not the network from the WAN interface. But even when I added that as home network as well it did not make any difference.

Since it did work with 17.7.x ... what was upgraded when moving to 18.1? Do we have a new suricata version?

Cheers, Space

Hi Franco,

great ... if there is any patch to test, just let me know :)

In the meantime I create some debug logs (which works with 18.1 :) )

- with IPS enabled:

Code Select Expand

Apr 10 20:20:45 OPNvirt dhcp6c[35283]: a new XID (601c8d) is generated
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set client ID (len 14)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set elapsed time (len 2)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set option request (len 4)
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set IA_PD prefix
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: set IA_PD
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:45 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: Sending Solicit
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set client ID (len 14)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set elapsed time (len 2)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set option request (len 4)
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set IA_PD prefix
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: set IA_PD
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: send solicit to ff02::1:2%igb1
Apr 10 20:20:46 OPNvirt dhcp6c[35283]: reset a timer on igb1, state=SOLICIT, timeo=1, retrans=2083
Apr 10 20:20:49 OPNvirt dhcp6c[35283]: Sending Solicit


- with IPS disabled:

Code Select Expand

Apr 10 20:22:32 OPNvirt dhcp6c[53019]: a new XID (31012e) is generated
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set client ID (len 14)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set elapsed time (len 2)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set option request (len 4)
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD prefix
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: set IA_PD
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: send solicit to ff02::1:2%igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: reset a timer on igb1, state=SOLICIT, timeo=0, retrans=1091
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: receive advertise from fe80::2656:11ff:fe6c:3174%igb1 on igb1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option client ID, len 14
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   DUID: 00:01:00:01:22:0f:8a:61:f4:ce:46:a8:9b:f4
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option server ID, len 10
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   DUID: 00:03:00:01:24:65:11:6c:37:14
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option preference, len 1
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   preference: 0
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option DNS, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option opt_86, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: unknown or unexpected DHCP6 option opt_86, len 16
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD, len 41
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD: ID=0, T1=1800, T2=2880
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: get DHCP option IA_PD prefix, len 25
Apr 10 20:22:32 OPNvirt dhcp6c[53019]:   IA_PD prefix: 2a03:f590:c803:f1f0::/60 pltime=3600 vltime=335467976956320800
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: server ID: 00:03:00:01:24:65:11:6c:37:14, pref=0
Apr 10 20:22:32 OPNvirt dhcp6c[53019]: reset timer for igb1 to 0.996209


So with IPS enabled the advertise is not received ... I will install Wireshark so I can trace on the Fritzbox if the advertise is sent in both cases. Is there anything else I can test?

Thanks,

    Space

And after renewing the lease of the FritzBox it does not work anymore ... at all ... even with IPS off ...

EDIT: there are multiple dhcp6c running:

Code Select Expand

root@OPNvirt:~ # ps aux | grep dhcp6c
root    2294   0.0  0.1 1074180   2812  -  Ss   18:04    0:00.02 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   13561   0.0  0.1 1074180   2812  -  Ss   18:10    0:00.00 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   24167   0.0  0.1 1074180   2820  -  Is   18:05    0:00.00 /usr/local/sbin/dhcp6c -dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_
root   72817   0.0  0.1 1074180   2816  -  Is   18:11    0:00.00 /usr/local/sbin/dhcp6c -Dn -c /var/etc/dhcp6c_wan.conf -p /var/run/dhcp6c_


EDIT2: after a reboot it at least get's the IPv6 address again if IPS is disabled ... need to do some other work now :(

Ok, I need to continue research ... at first I thought it was because I added ff02::1 to home networks ... but then I noticed that the IPS button was not active ... so I activated it and again it did not work ... so I removed ff02::1 again and now it works by restarting suricata ... go figure.

I just can't find anything in the logs that gives me a direction to continue analysis. Where can I find details on console if suricata IPS drops something?

Huh, now it's gone again :( I need to double check ...

[add ff02::1 to home networks in suricata settings]

check the logs - maybe a rule blocks it (false positive?).

I found it ... I had to add ff02::1 to home networks in suricata settings. This is probably the case because following option was disabled for dhcpv6 client configuration:

Code Select Expand

Use IPv4 connectivity

But with 17.x it must have worked because I know that I had it running like that at some point in time ... But maybe it would make sense to add ff02::1 to home networks by default.

Hi,

can anyone give me a hint how to analyse the problem? With 17.7.x it was working fine but with 18.1.6 it still does not work. As soon as I enable IPS mode there is no IPv6 prefix configured on any of the internal interfaces. Only the WAN interface does have an IPv6 IP.

And as soon as I disable IPS the internal interfaces aquire an IPv6 IP as well.

Best regards,

    Space

For testing I have disabled all Rulesets for Suricata --> still no success. But in IDS alerts I only see alerts, no drops ...

I see the following in IDS alerts:

Code Select Expand

Timestamp 2018-03-21T08:40:56.980402+0100
Alert SURICATA UDPv6 invalid checksum

But it's configured to alert only ... In dhcp.log I see the following:

Code Select Expand

Mar 21 08:30:50 OPNvirt dhcp6c[46361]: Sending Solicit
Mar 21 08:32:38 OPNvirt dhcp6c[46361]: Sending Solicit


Is there some rule that needs to be deactivated?

Hi,

once I activate the IPS button in the Intrusion Detection there is no IPv6 announced on the internal networks anymore. WAN is set to DHCPv6 and does get it's IPv6 address but the internal interfaces (LAN/OPT1) do not get any IPv6 address / prefix anymore. DHCPv6 Server does not start anymore.

I will check tomorrow if I find anything in the logs. Or is this issue already known?

Thanks and best regards,

    Space

Hi,

are you using the most current OPNsense version (17.1.11) which fixed the issue for me ... show us your configuration on OPNsense on the WAN interface please ...

Best regards,

    Space

Interfaces -> Diagnostics -> Packet Capture --> Select WAN Interface, Protocol should be ICMPv6 (I think) ... then press start and wait for a couple of minutes. Then download the trace and check it with Wireshark.

Best regards,

   Space