Help Understanding why my ipv6 connection no longer works

Started by kingamajick, February 09, 2025, 05:18:47 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 09, 2025, 05:18:47 PM
Hi, I'm fairly new to using ipv6 which I've been learning about due to my ISP's CG-NATing. I did have a working setup, but since yesterday it's no longer working. The ISP says I have a connection from there end and as I'm using the a custom router it's up to me to debug, so I'm looking for some help debugging my setup.

I "think" the issue is related to DHCPv6, as I see this in the logs repeatedly, which from https://en.wikipedia.org/wiki/DHCPv6 I should get a advertise message back from the server?


2025-02-09T16:17:00   Notice   dhcp6c   reset a timer on vtnet0, state=SOLICIT, timeo=8, retrans=273028   
2025-02-09T16:17:00   Notice   dhcp6c   send solicit to ff02::1:2%vtnet0   
2025-02-09T16:17:00   Notice   dhcp6c   set IA_PD   
2025-02-09T16:17:00   Notice   dhcp6c   set IA_PD prefix   
2025-02-09T16:17:00   Notice   dhcp6c   set option request (len 4)   
2025-02-09T16:17:00   Notice   dhcp6c   set elapsed time (len 2)   
2025-02-09T16:17:00   Notice   dhcp6c   set identity association   
2025-02-09T16:17:00   Notice   dhcp6c   set client ID (len 14)   
2025-02-09T16:17:00   Notice   dhcp6c   Sending Solicit   
2025-02-09T16:14:42   Notice   dhcp6c   reset a timer on vtnet0, state=SOLICIT, timeo=7, retrans=137515   
2025-02-09T16:14:42   Notice   dhcp6c   send solicit to ff02::1:2%vtnet0   
2025-02-09T16:14:42   Notice   dhcp6c   set IA_PD   
2025-02-09T16:14:42   Notice   dhcp6c   set IA_PD prefix   
2025-02-09T16:14:42   Notice   dhcp6c   set option request (len 4)   
2025-02-09T16:14:42   Notice   dhcp6c   set elapsed time (len 2)   
2025-02-09T16:14:42   Notice   dhcp6c   set identity association   
2025-02-09T16:14:42   Notice   dhcp6c   set client ID (len 14)   
2025-02-09T16:14:42   Notice   dhcp6c   Sending Solicit   
2025-02-09T16:13:33   Notice   dhcp6c   reset a timer on vtnet0, state=SOLICIT, timeo=6, retrans=69581   
2025-02-09T16:13:33   Notice   dhcp6c   send solicit to ff02::1:2%vtnet0   
2025-02-09T16:13:33   Notice   dhcp6c   set IA_PD   
2025-02-09T16:13:33   Notice   dhcp6c   set IA_PD prefix   
2025-02-09T16:13:33   Notice   dhcp6c   set option request (len 4)   
2025-02-09T16:13:33   Notice   dhcp6c   set elapsed time (len 2)   
2025-02-09T16:13:33   Notice   dhcp6c   set identity association   
2025-02-09T16:13:33   Notice   dhcp6c   set client ID (len 14)   
2025-02-09T16:13:33   Notice   dhcp6c   Sending Solicit   
2025-02-09T16:12:58   Notice   dhcp6c   reset a timer on vtnet0, state=SOLICIT, timeo=5, retrans=34357   
2025-02-09T16:12:58   Notice   dhcp6c   send solicit to ff02::1:2%vtnet0   
2025-02-09T16:12:58   Notice   dhcp6c   set IA_PD   
2025-02-09T16:12:58   Notice   dhcp6c   set IA_PD prefix   
2025-02-09T16:12:58   Notice   dhcp6c   set option request (len 4)   
2025-02-09T16:12:58   Notice   dhcp6c   set elapsed time (len 2)   
2025-02-09T16:12:58   Notice   dhcp6c   set identity association   
2025-02-09T16:12:58   Notice   dhcp6c   set client ID (len 14)   
2025-02-09T16:12:58   Notice   dhcp6c   Sending Solicit   
2025-02-09T16:12:41   Notice   dhcp6c   reset a timer on vtnet0, state=SOLICIT, timeo=4, retrans=17364   
2025-02-09T16:12:41   Notice   dhcp6c   send solicit to ff02::1:2%vtnet0   
2025-02-09T16:12:41   Notice   dhcp6c   set IA_PD   
2025-02-09T16:12:41   Notice   dhcp6c   set IA_PD prefix   
2025-02-09T16:12:41   Notice   dhcp6c   set option request (len 4)   
2025-02-09T16:12:41   Notice   dhcp6c   set elapsed time (len 2)   
2025-02-09T16:12:41   Notice   dhcp6c   set identity association   
2025-02-09T16:12:41   Notice   dhcp6c   set client ID (len 14)   
2025-02-09T16:12:41   Notice   dhcp6c   Sending Solicit   
2025-02-09T16:12:32   Notice   dhcp6c   reset a timer on vtnet0, state=SOLICIT, timeo=3, retrans=8744   
2025-02-09T16:12:32   Notice   dhcp6c   send solicit to ff02::1:2%vtnet0   
2025-02-09T16:12:32   Notice   dhcp6c   set IA_PD   
2025-02-09T16:12:32   Notice   dhcp6c   set IA_PD prefix   
2025-02-09T16:12:32   Notice   dhcp6c   set option request (len 4)   
2025-02-09T16:12:32   Notice   dhcp6c   set elapsed time (len 2)   
2025-02-09T16:12:32   Notice   dhcp6c   set identity association   
2025-02-09T16:12:32   Notice   dhcp6c   set client ID (len 14)   
2025-02-09T16:12:32   Notice   dhcp6c   Sending Solicit



Also if I understand from reading other posts here I should expect ifctl -6pi vtnet0 to return the prefix delegated, but this return nothing.

Hopefully this the relevant bit of configuration, but if other bits are needed please let me know.

    <ipv6allow>1</ipv6allow>
    <dhcp6_norelease>yes</dhcp6_norelease>
    <dhcp6_debug>2</dhcp6_debug>
  </system>
  <interfaces>
    <wan>
      <if>vtnet0</if>
      <descr/>
      <enable>1</enable>
      <spoofmac/>
      <blockpriv>1</blockpriv>
      <blockbogons>1</blockbogons>
      <ipaddr>dhcp</ipaddr>
      <dhcphostname/>
      <alias-address/>
      <alias-subnet>32</alias-subnet>
      <dhcprejectfrom/>
      <adv_dhcp_pt_timeout/>
      <adv_dhcp_pt_retry/>
      <adv_dhcp_pt_select_timeout/>
      <adv_dhcp_pt_reboot/>
      <adv_dhcp_pt_backoff_cutoff/>
      <adv_dhcp_pt_initial_interval/>
      <adv_dhcp_pt_values>SavedCfg</adv_dhcp_pt_values>
      <adv_dhcp_send_options/>
      <adv_dhcp_request_options/>
      <adv_dhcp_required_options/>
      <adv_dhcp_option_modifiers/>
      <adv_dhcp_config_advanced/>
      <adv_dhcp_config_file_override/>
      <adv_dhcp_config_file_override_path/>
      <ipaddrv6>dhcp6</ipaddrv6>
      <dhcp6-ia-pd-len>16</dhcp6-ia-pd-len>
      <dhcp6-ia-pd-send-hint>1</dhcp6-ia-pd-send-hint>
      <adv_dhcp6_interface_statement_send_options/>
      <adv_dhcp6_interface_statement_request_options/>
      <adv_dhcp6_interface_statement_information_only_enable/>
      <adv_dhcp6_interface_statement_script/>
      <adv_dhcp6_id_assoc_statement_address_enable/>
      <adv_dhcp6_id_assoc_statement_address/>
      <adv_dhcp6_id_assoc_statement_address_id/>
      <adv_dhcp6_id_assoc_statement_address_pltime/>
      <adv_dhcp6_id_assoc_statement_address_vltime/>
      <adv_dhcp6_id_assoc_statement_prefix_enable/>
      <adv_dhcp6_id_assoc_statement_prefix/>
      <adv_dhcp6_id_assoc_statement_prefix_id/>
      <adv_dhcp6_id_assoc_statement_prefix_pltime/>
      <adv_dhcp6_id_assoc_statement_prefix_vltime/>
      <adv_dhcp6_prefix_interface_statement_sla_len/>
      <adv_dhcp6_authentication_statement_authname/>
      <adv_dhcp6_authentication_statement_protocol/>
      <adv_dhcp6_authentication_statement_algorithm/>
      <adv_dhcp6_authentication_statement_rdm/>
      <adv_dhcp6_key_info_statement_keyname/>
      <adv_dhcp6_key_info_statement_realm/>
      <adv_dhcp6_key_info_statement_keyid/>
      <adv_dhcp6_key_info_statement_secret/>
      <adv_dhcp6_key_info_statement_expire/>
      <adv_dhcp6_config_advanced/>
      <adv_dhcp6_config_file_override/>
      <adv_dhcp6_config_file_override_path/>
    </wan>


Thanks

February 10, 2025, 11:21:56 PM #1 Last Edit: February 10, 2025, 11:58:57 PM by kingamajick
I dug my ISP's router out the attic, and after plugging it in I was able to connect to it and get ipv6 working (i.e. test-ipv6.com passed fine) so my i've narrowed the problem down to my OPNsense configuration, however I struggle to understand what that might be (especially given that ipv6 was working fine before hand).

I tried created a new instance of OPNSense from scratch in my Proxmox host. Same problem ipv4 works, ipv6 doesn't.

Here is a selection from the overview of the WAN interface overview (which I think is relevant).

Routesdefault
89.45.xxx.xxx/25
default
2a02:6b60:0:11d::/64
fe80::%vtnet0/64
Dynamic router received        89.45.xxx.xxx
fe80::d666:24ff:fe5b:e4db
IPv6 Addressesfe80::8269:1aff:fe76:529b/64
Gateways89.45.xxx.xxx
fe80::d666:24ff:fe5b:e4db


The address fe80::d666:24ff:fe5b:e4db is not pingable and my WAN_DHCP6 interface is showing as offline.
I've tried requesting different prefixes from my ISP (my understanding and what was working before was 56, however they had previously changed from 48 to 56 without notice), but no luck.

Any suggestions on things I could try to debug would be gratefully received.

Edit: If I connect via the ISP router, the ip address I get start with 2a02:6b67:eef6:2100:..... which seems different from from the prefix `2a02:6b60:0:11d::/64` which from the above I assume it should be?
February 11, 2025, 02:38:05 AM #2
Can you post screenshots of your LAN and WAN interface settings from the GUI? I take it the LAN is already set to "track interface" for the IPv6 Configuration type?

For the LAN side delegation, are you using dhcpv6 or just Router Advertisements?
February 11, 2025, 11:35:10 AM #3
Hey, for the LAN side I'm just using Router Advertisements


Here are screenshots of my configuration on the WAN and LAN. I'm trying to also ping ipv6 address from Interfaces -> Diagnostics -> Ping which doesn't work (100% loss), could this be a fire wall issue?


February 11, 2025, 11:58:40 AM #4
I see one problem: You request an IPv6 "prefix only", but give no prefix ID for your WAN interface. I think this would result in "0", however, that is also used for your LAN prefix. You should use different prefixes on all interfaces.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
February 11, 2025, 12:05:21 PM #5
Hmm, my understanding of "prefix only" was that no IA_NA is requested for the WAN interface. I don't think it implies use of a subnet from the IA_PD on the WAN interface. My expectation would be that the WAN interface would not get any GUA in that case. I'm fairly sure this is how mine was for a while - my ISP provides an IA_PD but no IA_NA.

Do we know what the OP's ISP provides in terms of delegated prefix? OP, in the interfaces overview, if you click on the Magnifier ("Details") next to your WAN interface, do you see any "Dynamic IPv6 prefix received"?
February 11, 2025, 12:08:04 PM #6
> Hmm, my understanding of "prefix only" was that no IA_NA is requested for the WAN interface.

Correct.


Cheers,
Franco
February 11, 2025, 12:50:05 PM #7 Last Edit: February 11, 2025, 12:52:51 PM by kingamajick
@meyergru this was a bit of a hail mary where I was trying some different settings (I found a post for the same ISP Community Fibre which did this), this been selected or not doesn't make any difference.

@dseven I don't see "Dynamic IPv6 prefix received" (I assume I would need a DHCPv6 response for this?)

February 11, 2025, 01:01:48 PM #8
Additional note, when attempting traceroute from OPNSense, it just stops at the Gateway address

February 11, 2025, 01:31:15 PM #9
Googling around a bit, this caught my eye: https://forums.thinkbroadband.com/otherisp/4688999-has-anyone-got-community-fibre-ipv6-set-up-right.html#Post4697615

Maybe try spoofing the MAC address of the router they supplied onto your OPNsense WAN interface?

The other thing I noticed is that several say the delegated prefix size is /48, but requesting a different size probably won't matter.
February 11, 2025, 02:02:14 PM #10 Last Edit: February 11, 2025, 02:12:20 PM by kingamajick
I think I looked at that thread when I initially got it setup and working. I was originally using a /48, but then they seemed to change to a /56 (which I found a few other folks talking about recently). I've tried /48 /56 and /64 (I guess I could iterate though all of them).

I have the MAC address of the router supplied spoofed by OPNsense WAN interface (I wondering if this was the issue, but it did't seem to help).

Btw, the gateway I'm been given fe80::d666:24ff:fe5b:e4db, where would that be assigned from, would that be the ISP, the Modem or something else? (still have a lot of ipv6 learning)
February 11, 2025, 03:00:43 PM #11
That is a link-local EUI-64 address that is derived from the MAC of the gateway. The MAC OUI seems to be D4:66:24, so that mean there is Cisco equipment on the other side. You should be able to ping that address, at least if you suffix it with an interface name: "ping fe80::d666:24ff:fe5b:e4db%vtnet0".

You are on a Proxmox VM, so have you disabled the Proxmox firewall for vtnet0?

What looks strange is that this does not seem to be a default route?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
February 11, 2025, 06:35:24 PM #12 Last Edit: February 11, 2025, 06:39:13 PM by kingamajick
The firewall is disabled for both interfaces in Proxmox. I don't suppose it could be anything with OPNsenses autogenerated rules or something down that path could it?

Yea I can ping the gateway fine

~ $ ping fe80::d666:24ff:fe5b:e4db
PING(56=40+8+8 bytes) fe80::8269:1aff:fe76:529b%vtnet0 --> fe80::d666:24ff:fe5b:e4db
16 bytes from fe80::d666:24ff:fe5b:e4db%vtnet0, icmp_seq=0 hlim=64 time=1.392 ms
16 bytes from fe80::d666:24ff:fe5b:e4db%vtnet0, icmp_seq=1 hlim=64 time=1.296 ms
16 bytes from fe80::d666:24ff:fe5b:e4db%vtnet0, icmp_seq=2 hlim=64 time=1.854 ms
16 bytes from fe80::d666:24ff:fe5b:e4db%vtnet0, icmp_seq=3 hlim=64 time=1.420 ms
16 bytes from fe80::d666:24ff:fe5b:e4db%vtnet0, icmp_seq=4 hlim=64 time=1.427 ms
16 bytes from fe80::d666:24ff:fe5b:e4db%vtnet0, icmp_seq=5 hlim=64 time=1.464 ms

February 11, 2025, 06:48:25 PM #13
Are you still not seeing any DHCPv6 responses from your ISP?  I wonder if it's worth copying the DUID from your working ISP router into OPNsense > Interfaces > Settings in case their DHCP server restricts to 'known' DUIDs only somehow.  That assumes the ISP router lets you find out what the DUID is of course.
February 11, 2025, 10:45:45 PM #14
Yea still no responses :(

I can have a try at getting the DUID but the software on the router is pretty lack luster to say the least.
Print
Go Up Pages1
User actions