dhcp6c Error "transmit failed: Permission denied" getting WAN IPv6 using DHCPv6

Started by marksluser, February 18, 2025, 08:16:57 PM

I am unable to get an IPv6 address on my WAN interface from my ISP using DHCPv6.
I get the following error in my System>Log Files> Log file.

Error   dhcp6c   transmit failed: Permission denied


I am running
OPNsense 25.1.1-amd64
FreeBSD 14.2-RELEASE-p1
OpenSSL 3.0.16

My WAN interface has
Prefix Delegation Size: 56
Send Prefix Hint: Yes


I am able to get an IPv6 address and prefix and the error goes away when I disable the firewall.

I have gone so far as to open the firewall up with rules to allow all incoming and outgoing IPv6 traffic, but I get the same result.

What do I need to configure to fix this?

Your help is appreciated.

If you ask about this error specifically, this happens when dhcp6c is forced to reload in relation to link events. This can happen during bootup and some forms of IPv6 renewal, especially on PPPoE.


Cheers,
Franco

Hi, if you are using NAT with IPv6, make sure that IPv6 link-local addresses are not included in the list of source addresses for NAT66.

Background – My setup is dual WAN (Uverse fiber and Spectrum), with load balancing and failover, and I use NAT66 (I know the reasons that I shouldn't). About a month ago, I noticed that my WAN2 (Spectrum) interface did not have a global IPv6 address (dhcpv6 client). I checked the logs and saw the "dhcp6c transmit failed: Permission denied" error, but did not know how to interpret it.
 
Over a couple of weeks, I tried everything that I could think of to resolve the issue, but nothing worked. Then, I stumbled across a post about dhcpv6 issues, in which someone suggested that the problem may be related to NAT66. I looked at my NAT66 configuration and realized that included in the source alias list "Internal_All_IPv6" that I use for NAT66 was fe80::/10 (link-local addresses). I suspected that this might be interfering with the DHCPv6 (Solicit, Advertise, Request, Reply) sequence, so I removed the link-local addresses from the NAT66 source alias. As soon as I did this, the WAN2 interface obtained a global address, and I have not had the problem since.

...just a newbie's suggestion of something to try.

Will
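
A way to check a NAT66 source alias for the link-local overlap described in the post above, added here as an example; it is not part of the thread or of OPNsense. The entries in `SAMPLE_ALIAS` are constructed, and `audit_nat66_sources` is a hypothetical helper name. It also catches supernets that silently contain fe80::/10 and splits them so the rest of the range is kept.

```python
import ipaddress

# DHCPv6 clients send from their link-local address, so this range
# must not be matched as a NAT66 source.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Constructed sample contents for an alias such as "Internal_All_IPv6".
SAMPLE_ALIAS = [
    "192.168.1.0/24",        # IPv4 entry, irrelevant to NAT66
    "fd12:3456:789a::/48",   # ULA prefix, fine
    "fe80::/10",             # explicit link-local entry (the case in the post)
    "fc00::/6",              # supernet that contains fe80::/10
    "lan_hosts",             # nested alias or hostname, cannot be parsed
]

def audit_nat66_sources(entries):
    """Return (findings, cleaned): entries overlapping fe80::/10, and a
    replacement list with the link-local range carved out."""
    findings, cleaned = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            cleaned.append(entry)  # not a network literal: keep, review by hand
            continue
        if net.version != 6 or not net.overlaps(LINK_LOCAL):
            cleaned.append(str(net))
            continue
        findings.append(str(net))
        if net.subnet_of(LINK_LOCAL):
            continue  # entirely link-local: drop the entry
        # Supernet: keep everything except fe80::/10.
        cleaned.extend(str(n) for n in sorted(net.address_exclude(LINK_LOCAL)))
    return findings, cleaned

if __name__ == "__main__":
    findings, cleaned = audit_nat66_sources(SAMPLE_ALIAS)
    for f in findings:
        print(f"overlaps link-local: {f}")
    print("suggested alias contents:")
    for c in cleaned:
        print(f"  {c}")
```

Unparseable entries such as nested aliases are passed through unchanged, so their members need the same check.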