DHCPv6 Server not starting following most recent firmware update

Started by RobLatour, June 26, 2021, 08:41:49 PM

I just applied the latest update as follows:

2021-06-26T14:26:35   pkg-static[7325]   os-ntopng-enterprise upgraded: 4.3.210622 -> 4.3.210626   
2021-06-26T14:26:28   pkg-static[7325]   ntopng upgraded: 4.3.210622 -> 4.3.210626

and now the DHCPv6 Server is not starting (where it was before the update).

When I check for updates the system says there are no more.

I tried rebooting the machine, still no love.

Any ideas on what is required to get this working again?

Awoke to another set of updates this morning, I applied them, but the DHCPv6 Server is still not starting.

Are you using a delegated prefix received from the ISP, or are you running a static DHCPv6 address range for the LAN clients?

My network's external IP address is assigned by the ISP; as far as I can see it doesn't change very often but does change - if that is what you're asking?

If you try to start the service, does it stay running? Is IPv6 currently working on the network?

My network uses a delegated prefix from the ISP and I use a separate monitoring IP for the dhcpv6 "status" due to some weirdness with dhcp6c in BSD.

If I try to start the service, it will not start.

When I visit https://test-ipv6.com/ this is what I get:

Test with IPv4 DNS record -    
ok (0.105s) using ipv4

Test with IPv6 DNS record       
bad (0.007s)

Test with Dual Stack DNS record       
ok (0.107s) using ipv4

Test for Dual Stack DNS and large packet       
ok (0.100s) using ipv4

Test IPv6 large packet       
bad (0.005s)

Test if your ISP's DNS server uses IPv6       
ok (0.101s) using ipv4

Find IPv4 Service Provider       
ok (0.106s) using ipv4 ASN 812

Find IPv6 Service Provider       
bad (0.006s)


When I sign on to my router, the only thing I can see related to ipv4 vs ipv6 is

Router Mode - and it's set to dual (meaning both ipv4 and ipv6).

Also, for testing purposes, I just plugged my pc into my router directly (bypassing my opnsense box).

Here are the differing results when I visit https://test-ipv6.com/ bypassing the opnsense box:

Test with IPv4 DNS record       
ok (0.362s) using ipv4

Test with IPv6 DNS record       
ok (0.399s) using ipv6

Test with Dual Stack DNS record       
ok (0.423s) using ipv6

Test for Dual Stack DNS and large packet       
ok (0.363s) using ipv6

Test IPv6 large packet       
ok (0.594s) using ipv6

Test if your ISP's DNS server uses IPv6       
ok (0.516s) using ipv6

Find IPv4 Service Provider       
ok (0.387s) using ipv4 ASN 812

Find IPv6 Service Provider       
ok (0.412s) using ipv6 ASN 812

Ah, so there's another router upstream from OPNsense? Within the OPNsense UI, if you go to Interfaces/Overview, do you see IPv6 addresses present on the WAN and LAN interfaces?

If you do see IPv6 addresses listed, you can go to Interfaces/Diagnostics/Ping and try to run an ipv6 ping to an external source (youtube.com or some other ipv6 enabled domain). Verify that OPNsense can actually ping out on ipv6. If not, then it probably isn't getting an IPv6 address from that upstream router.

The upstream box, is my ISP's router.  It connects directly to the opnsense box.

As mentioned above, the only reference to an ipv6 on the ISP router's windows is the one that says that is working in dual mode (i.e. supporting both ipv4 and ipv6).

I have now reconnected my computer to the opnsense box.  So ISP router > opnsense box > my computer.

Having done that, as requested I went to http://www.ipv6now.com.au/pingme.php and pinged google.com, here are the results:

The response for 'google.com' using IPv4 is:
PING google.com (172.217.5.110) 56(84) bytes of data.
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=1 ttl=121 time=1.34 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=2 ttl=121 time=1.41 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=3 ttl=121 time=1.44 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=4 ttl=121 time=1.40 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=5 ttl=121 time=1.50 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.342/1.422/1.503/0.062 ms

The response for 'google.com' using IPv6 is:
PING google.com(sfo03s18-in-x0e.1e100.net) 56 data bytes
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=1 ttl=121 time=1.49 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=2 ttl=121 time=1.50 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=3 ttl=121 time=1.58 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=4 ttl=121 time=1.50 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=5 ttl=121 time=1.53 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.495/1.523/1.587/0.060 ms



That's a good sign, it looks like an ipv6 prefix is still being delegated to OPNsense, and that is being handed out to clients on the LAN side.

If you still see a red status for the DHCPv6 server, it's likely due to the gateway monitoring not being able to ping the upstream router that is assigning the prefix. Can you try setting a different ipv6 gateway monitor IP as shown in the screenshot and check if the dhcpv6 service will stay started?

First, thank you for all your help.

Second, I'm not exactly sure how this should be set up; and there is already an entry that exists ...

(I've masked out the actual address in red)

https://ibb.co/vxFGLXy


So right now it seems to be working, so I would suggest just waiting and seeing if the service stays online.

However, if it goes back offline after some time, what I have seen in the past is that some configurations need to use an external IP to ping and keep the gateway status 'online'. If you find that this goes offline after some time, you can click the edit button on the DHCP6 gateway and specify a different ipv6 address as shown in the screenshot. I've found that this helps stabilize the status of the dhcp6 service and it's an easily reversible change if it doesn't end up working for your environment.

I guess I still don't get it. 

If it is working why is the lobby dashboard still showing a red square instead of a green triangle?

Also, as noted above, https://test-ipv6.com/ only works for ipv6 when the opnsense box is taken out of the equation.

Regarding,  ... specify a different ipv6 address as shown in the screenshot ...
a specific address is not entered - it says dynamic on the opnsense window as shown here:
https://ibb.co/cQp6yLQ

If I need to enter a specific address, where would I get that from?

Again, thank you for your help.

Quote from: RobLatour on June 29, 2021, 01:44:45 AM
Also, as noted above, https://test-ipv6.com/ only works for ipv6 when the opnsense box is taken out of the equation.

Quote from: RobLatour on June 29, 2021, 12:22:16 AM
The upstream box, is my ISP's router.  It connects directly to the opnsense box.

As mentioned above, the only reference to an ipv6 on the ISP router's windows is the one that says that is working in dual mode (i.e. supporting both ipv4 and ipv6).

I have now reconnected my computer to the opnsense box.  So ISP router > opnsense box > my computer.

Having done that, as requested I went to http://www.ipv6now.com.au/pingme.php and pinged google.com, here are the results:

The response for 'google.com' using IPv4 is:
PING google.com (172.217.5.110) 56(84) bytes of data.
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=1 ttl=121 time=1.34 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=2 ttl=121 time=1.41 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=3 ttl=121 time=1.44 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=4 ttl=121 time=1.40 ms
64 bytes from sfo03s07-in-f110.1e100.net (172.217.5.110): icmp_seq=5 ttl=121 time=1.50 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.342/1.422/1.503/0.062 ms

The response for 'google.com' using IPv6 is:
PING google.com(sfo03s18-in-x0e.1e100.net) 56 data bytes
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=1 ttl=121 time=1.49 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=2 ttl=121 time=1.50 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=3 ttl=121 time=1.58 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=4 ttl=121 time=1.50 ms
64 bytes from sfo03s18-in-x0e.1e100.net: icmp_seq=5 ttl=121 time=1.53 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.495/1.523/1.587/0.060 ms



I'm confused by these two? I thought you said you plugged OPNsense back in and the PC behind OPNsense was able to ping both IPv4 and IPv6 addresses?

Can you log in to OPNsense and navigate to Interfaces/Overview on the left-hand side of the screen? Then expand the WAN and LAN interfaces. Do you see an IPv6 address listed on those interfaces?