Messages

Hi,

sorry for bothering again ... today I wanted to rule out that IPS has something to do with my issue (no connection to https://heise.de via IPv6) and disabled IPS ... when I changed that setting the IPv6 IPs were lost and since that time (>1h) it did not accept a new PD ...

I did a trace on the WAN interface (and sent sighup to dhcp6c) and I can see the both solicit and advertise in the trace on WAN ... but somehow dhcp6c does not pick these up ...

Best regards,

    Jochen

I noted the following today:

Code Select Expand

May 23 05:28:19 OPNvirt dhcp6c[27959]: Sending Renew
May 23 05:28:19 OPNvirt dhcp6c[27959]: dhcp6c Received INFO
May 23 05:28:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 05:46:19 OPNvirt dhcp6c[27959]: Sending Rebind
May 23 05:46:19 OPNvirt dhcp6c[27959]: dhcp6c Received REBIND
May 23 05:46:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 06:58:19 OPNvirt dhcp6c[27959]: remove an address 2a03:f580:c882:9bfe:21f:29ff:fe59:d8b5/64 on em0
May 23 06:58:20 OPNvirt dhcp6c[27959]: Sending Solicit
May 23 06:58:20 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: Sending Request
May 23 06:58:21 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: dhcp6c Received REQUEST
May 23 06:58:21 OPNvirt dhcp6c[27959]: add an address 2a03:f580:c882:abfe:21f:29ff:fe59:d8b5/64 on em0


It seems that OPNsense does not request a new address if the rebind fails (because the FritzBox got a new IP) ... it took  >1h this morning until the new prefix got requested ...

Best regards,

    Jochen

Hi Franco,

I get a 10/10 at that site as well but strangely enough heise is not working over https and some other sites as well. But so far I have not found out which FW blocks the traffic. Because ping and access over http work towards that site.

Best regards,

    Jochen

Reboot did not help but renewal on FritzBox did work.

Best regards,

    Jochen

Hi,

I have not done any tracing ... but I wanted to test and did click save on the WAN interface before applying the patch ... took about a minute and it got a new IPv6 IP ...

Then I applied the patch, did click on save again on the WAN interface .... and it runs for several minutes already without getting an IPv6 IP address ...

I will reboot now and see if it is better after reboot.

Best regards,

    Jochen

Hi Franco,

I am not sure if it's the FritzBox not sending the REPLY. Since I had strange issues (Some ipv6 sites work, like test-ipv6, other's did not, like heise.de) I did further tests and at some point OPNsense did not setup the IPv6 anymore. I then did a trace and while the dhcp.log showed

Code Select Expand

Sending Solicit

The trace itself did not include the solicit messages from OPNsense but only the responses from the FritzBox which includes the prefix delegation:

Code Select Expand

    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        Value: 000000000000070800000b40001a001900000e1000001c20...
        IAID: 00000000
        T1: 1800
        T2: 2880
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Value: 00000e1000001c203c2a03f230c1825ab000000000000000...
            Preferred lifetime: 3600
            Valid lifetime: 7200
            Prefix length: 60
            Prefix address: 2a03:f230:c182:5ab0::

But this did not trigger any address configuration on OPNsense. Right now I am at work and can not check the logs.

Currently I have it running with Native IPv6 enabled on FritzBox and PD works fine. Even when the FritzBox renewed it's connection this morning the IPv6 was setup again correctly.

The connection issue towards https://www.heise.de remains though ... http connection is possible (I see the redirect to https), https connection is not possible ... the last thing I see in a trace is the "CLIENT HELLO" of ssl. If I test via curl https from OPNsense it works, from LAN only http works.

Best regards,

    Jochen

With the dual stack setting in FritzBox I am now able to request a /60 prefix ... I will monitor for some time and hope that I now have a stable configuration.

Thanks for all the support and this wonderful solution.

    Jochen

Hi,

not sure if we are talking about the same ... my FritzBox does get a /56 delegation. But it seems the FritzBox itself only delegates a /62 by default.

But thanks for the hint ... I had not seen that tab in Fritzbox configuration and so far I was using IPv6 tunnel and not Dual stack ... I have changed that and it looks better now. Ping times for IPv6 addresses have improved significantly :)

Best regards,

    Jochen

Hi,

I still had some trouble with IPv6 after updating to 17.1.7 ... OPNsense was sending solicits but did not get an address. So I changed the options that only the following is set:

Code Select Expand

Request only a IPv6 prefix

Then I noticed the following line in the logfile:

Code Select Expand

May 20 09:44:14 OPNvirt dhcp6c[44695]: invalid prefix length 62 + 4 + 64

and remembered the following document:

https://avm.de/service/fritzbox/fritzbox-3270/wissensdatenbank/publication/show/1239_IPv6-Subnetz-im-FRITZ-Box-Heimnetz-einrichten/

So I set my prefix length to 62. Then I let the FritzBox reconnect (so it get's a new IP) and voila, IPv6 is running again.

I will monitor this if it really solves the issue for me again. Could it be that the FritzBox sometimes was not able to provide a /60 delegation?

Best regards,

    Jochen

Sure:

WAN-interface:

Code Select Expand

IPv6 Configuration Type: DHCPv6
Configuration Mode: Basic
Use IPv4 connectivity: yes
Request only a IPv6 prefix: yes
Directly send SOLICIT: yes
DHCPv6 Prefix Delegation size: 60
Send IPv6 prefix hint: yes

LAN-Interface:

Code Select Expand

IPv6 Configuration Type: Track Interface
IPv6 Interface: WAN
IPv6 Prefix ID: 1 or 2

Hope this helps ... But it takes some time to pick up the IPv6 IP when I press save on the LAN interface.

Best regards,

    Jochen

Hm, what puzzles me:

Apr 27 12:19:19 bart dhcp6c[82469]: Sending Solicit
Apr 27 12:19:19 bart dhcp6c[27159]: unexpected interface (11)

There are two different PIDs for dhcp6c ... did you try a reboot? Maybe this thread helps ...

https://forum.pfsense.org/index.php?topic=110797.0

Hope it's ok to post these links here :)

Best regards,

   Jochen

I am out ... of ideas ... But I am a newbie with OPNsense myself :)

Log onto the system via ssh and run as root:

Code Select Expand

clog -f /var/log/dhcpd.log

And then press the Save button on the WAN interface again and report what lines got added to that file.

I don't have an IP on the WAN  either ... that IP moves to the LAN and then the DHCPd is able to send IPs to the systems in your LAN ... but you should be able to connect to IPv6 systems from the Firewall still ...

Correction: I have an IP on the WAN but only in the output of ifconfig ... the GUI only shows the fe80 address.

Please enable

- Request only a IPv6 prefix
- Directly send SOLICIT

Do you get a /56 from your provider?