IPv6 Track Interface problems after PPPoE reconnect

[TheDJ]

Hi there,

following up on several discussions in the German forum (e.g. https://forum.opnsense.org/index.php?topic=21682.msg124693#msg124693 and https://forum.opnsense.org/index.php?topic=19241.msg151600#msg151600), I wanted to enquire if the following is a known behavior:

When using DHCPv6 with a /56 prefix request on the WAN together with v4 PPPoE and a local interface in track interface mode, opnsense sometimes looses the prefix, making it impossible for the other interfaces to generate GUAs. Currently, all the cases that I could find/observe are based on Deutsche Telekom as ISP with full Dual Stack.

The behavior happens as follows:
1. Set the WAN exactly according to https://docs.opnsense.org/manual/how-tos/ipv6_dsl.html with a /56 prefix.

2. Set one (or multiple) interfaces to "Track Interface - WAN", correctly generating GUAs for the interfaces as well as the hosts in there (everything fine so far)

3. Trigger a WAN reconnect (either via Overview or e.g. via a Cron)

4. Sometimes(!): Loose basically all IPv6 connectivity for the hosts
4.1: See that the live view FW log is filling up with default denys from the LAN (probably the old IPv6 addresses with invalid states on that interface)
4.2 See that the line with "prefix" on the WAN interface in the overview is missing (i.e. probable root cause: no prefix is assigned)
4.3 See that the Interface overview on the Dashboard only shows "track6" instead of GUAs
4.4 See that the DHCPv6 service is down and cannot be restarted (probably due to not being able to generate GUAs)

5. Trigger another reconnect with the same settings on the WAN or reboot FW and usually regain connectivity

Unfortunately, this issue seems to be hard to reproduce as in many cases, there are no problems. However, if you have a daily cron for a reconnect, you can probably observe the behavior about 2 times a week (I would estimate). As mentioned, the issue seems to be related to the fact that no prefix on the WAN is obtained after the PPPoE reconnect and therefore basically everything relying on v6 GUAs breaks in the process. Currently, it seems hard to tell if it's an Opnsense issue, but to be honest I have been running a pfsense on the same line up until a few weeks ago with no such behavior.
As a workaround: maybe, it would be possible to implement a check in the newwanip script to see if a prefix has been obtained (when DHCPv6 is active on WAN and prefix request is ticked) and if not, trigger another reconnect until a prefix is assigned? I'm not sure if that is a feasible idea (e.g. I don't know if some ISPs enforce a rate limiting etc.).

What are the options from here?

Thank you and regards,
TheDJ

[TheDJ]

This happend again last night (based on my Cron).

Is there anything else that I can to do troubleshoot?
Logs don't look very promising (also not very different from the stuff that has been posted here: https://forum.opnsense.org/index.php?topic=21682.msg148182#msg148182)

[robgnu]

The last days I was also affected by this behaviour on several DSL/Telekom lines. I have no ideas how to get futher to a solution.
If anyone has any idea, I would love to do some testing.

Robert.

[TheDJ]

Not that I was expecting it (from a changelog perspective) but also the upgrade to 22.7.10_2 did not change the situation.
The VDSL connection (negotiated via a Zyxel Modem on bridge mode in front of it) has also been changed to supervectoring. However, this also did not change anything for the situation described in this thread.

[b0rZ]

Hi Guys,

I'm also experiencing this behavior here in Hungary with a Telekom (subsidiary of DT, also full dual stack) 2/1Gbps GPON line (PPPoE). I tried with pfSense 2.6.0 and the situation is similar, or even worse. Almost never getting ipv6 address for the LAN interface & clients, only for WAN.
I'm no longer sure if the problem is related to the router OS..
Saving this thread if anything comes up.

[b0rZ]

Not that I was expecting it (from a changelog perspective) but also the upgrade to 22.7.10_2 did not change the situation.
The VDSL connection (negotiated via a Zyxel Modem on bridge mode in front of it) has also been changed to supervectoring. However, this also did not change anything for the situation described in this thread.

In pfSense the Do not wait for a RA option in DHCP6 Client Configuration seem to solve the issue. Now the LAN interface and all the clients are getting ipv6 addresses instantaneously after the PPPoE connection established.
If you have this option in OPNsense, could you please try if it makes any difference?

[Cyberturtle]

Hi there,

I'm new to this forum and just setup my OPNsense two weeks ago. So far I'm really satisfied. Sadly there is one point (bug) that's a bit annoying. I'm using Deutsche Telekom as ISP with PPPoE. Sometimes at night when ASSIA optimizes my line or there is maintenance my clients are losing their IPv6 connection. Seems I'm experiencing the same behavior like you. Does the mentioned option ,,Do not wait for RA" work reliable? Working IPv6 could be the only point using pfSense instead.
Or would updating from 23.1.6 to 23.1.7 improve it?

Thanks in advance for your reply.

[b0rZ]

Hi there,

I'm new to this forum and just setup my OPNsense two weeks ago. So far I'm really satisfied. Sadly there is one point (bug) that's a bit annoying. I'm using Deutsche Telekom as ISP with PPPoE. Sometimes at night when ASSIA optimizes my line or there is maintenance my clients are losing their IPv6 connection. Seems I'm experiencing the same behavior like you. Does the mentioned option ,,Do not wait for RA" work reliable? Working IPv6 could be the only point using pfSense instead.
Or would updating from 23.1.6 to 23.1.7 improve it?

Thanks in advance for your reply.

I had no issues with IPv6 connectivity since using this function.

[Cyberturtle]

Thanks for your quick reply. So did I get it right your IPv6 is now working even when a PPPoE reconnect occurs (nightly or any time during the day) without restarting your router or manually release IPv6? One question is left after thinking more about switching to pfsense. Do they support IPv6 dynamic host aliases like OPNsense does?
Yesterday I have had a look in the forum of them and some are still reporting problems with IPv6 and track interfaces. My favorite solution would be a similiar option in OPNsense.

Sorry for that many question, but I want to be sure as setting up OPNsense took some time for me getting all the stuff right and as pfsense interface is a bit different I'll have to spend a lot of time again, I think.

Thanks again in advance  :)

[b0rZ]

Thanks for your quick reply.
1. So did I get it right your IPv6 is now working even when a PPPoE reconnect occurs (nightly or any time during the day) without restarting your router or manually release IPv6?
2. One question is left after thinking more about switching to pfsense. Do they support IPv6 dynamic host aliases like OPNsense does?

Yesterday I have had a look in the forum of them and some are still reporting problems with IPv6 and track interfaces. My favorite solution would be a similiar option in OPNsense.

Sorry for that many question, but I want to be sure as setting up OPNsense took some time for me getting all the stuff right and as pfsense interface is a bit different I'll have to spend a lot of time again, I think.

Thanks again in advance  :)

1. Yes, exactly. It takes a few seconds to get the v6 addresses after reconnecting though.
2. Never used this function, so I'm not sure. Check out the documentation: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html

[franco]

Perhaps https://github.com/opnsense/core/issues/6223#issuecomment-1542005368


Cheers,
Franco