Syslog Error

[phantomsfbw]

Any idea what this is about?  Constantly shows up in my syslog as an error:

/usr/local/opnsense/scripts/dhcp/prefixes.php: The command '/sbin/route add -inet6 '2600:4040:b001:c1e4::/62' '2600:4040:b001:c100::1bf6'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add net 2600:4040:b001:c1e4::/62: gateway 2600:4040:b001:c100::1bf6 fib 0: Network is unreachable'

Thanks

[Maurice]

Some host in your LAN (probably another router) requested an IPv6 prefix delegation from OPNsense (2600:4040:b001:c1e4::/62). OPNsense attempts to add a route for this prefix, pointing to the address of the host (2600:4040:b001:c100::1bf6). But this seems to fail. "Network is unreachable" might indicate that your LAN interface doesn't actually have an address in 2600:4040:b001:c100::/64.

Could you elaborate on your LAN IPv6 configuration? Probably "Track Interface"? Did you enable "Manual configuration" in the track interface settings?

Cheers
Maurice

[phantomsfbw]

Maurice,

  Thanks for responding. I do have IPV6 set to Track Interface as system is using Verizon FIOS. No manual settings under LAN.  Under WAN the usual Verizon setup of Request Only an IPV6 Prefix, Prefix Delegation Size is 56, Send IPV6 Prefix Hint and that is it.

I did a Powershell search for the IPV6 addresses as previously posted and they do not show up.  I am still getting the same error message though, and a few others that are similar but with different IPV6 addresses in the unreachable section of the message.  None of which are on my system:

"/usr/local/opnsense/scripts/dhcp/prefixes.php: The command '/sbin/route add -inet6 '2600:4040:b001:c1f0::/62' '2600:4040:b001:c100::1a1b'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add net 2600:4040:b001:c1f0::/62: gateway 2600:4040:b001:c100::1a1b fib 0: Network is unreachable'"

  I do have some IPV6 Firewall rules for the WAN:  All five are ICMP related e.g. Allow ICMP, Time Exceeded, Parameter Problem, Echo Request and Echo Response.

  On the LAN side there is the auto IPV6 default Allow LAN IPV6 to any rule.

[phantomsfbw]

Maurice,

  I found an errant MTU setting that went from default to 9000.  Changed back to default, but not yet sure this is/was source of issue.

[Maurice]

The error message indicates that these DHCPv6 address leases are not in the same subnet as the current LAN interface address, for whatever reason. Does the prefix you get from Verizon frequently change? Is it currently 2600:4040:b001:c100::/56? If it isn't, maybe there are some stale DHCPv6 leases with this prefix (Services: DHCPv6: Leases)?

[phantomsfbw]

Looks like they were stale.  I have seen the FIOS IPV4 IP address change from time to time.  Will have to keep an eye out on the IPV6 side now. 

[phantomsfbw]

Maurice,

 I got around to deleting old IPV6 leases and that did not help.  My router address is different from the one previously listed as b001. They are interestingly very close though.  The new "fake" one is b009 and my actual as of last night was b00b. I know, not making that up... I did deduce that this is a two hour cycle when the debug error messages occur.  Short of a complete reinstall, not sure what else to do now.

[Maurice]

Well, it seems the prefix you get from Verizon frequently changes. Not sure how well OPNsense's downstream prefix delegation can handle this. I wouldn't be surprised if this causes some issues.

Did you enable "Prevent release" in 'Interfaces: Settings'?

Cheers
Maurice

[phantomsfbw]

Well, it seems there is no "Prevent Release" in the interface settings that I can find...  Wonder it if was deleted when they enabled the lease release capability under Interfaces?

 

[Maurice]

Prevent release is now a global setting in 'Interfaces: Settings' (/system_advanced_network.php). But this change was made a long time ago, not in 23.7.

[phantomsfbw]

Thank you! Found it and set so now will see what happens.  Will report back tomorrow.

[phantomsfbw]

No Joy  

Keep getting these:

2023-09-30T08:10:15-04:00
[Error]
opnsense   /usr/local/opnsense/scripts/dhcp/prefixes.php: The command '/sbin/route add -inet6 '2600:4040:b009:f3ec::/62' '2600:4040:b009:f300::1a1b'' returned exit code '1', the output was 'route: writing to routing socket: Network is unreachable add net 2600:4040:b009:f3ec::/62: gateway 2600:4040:b009:f300::1a1b fib 0: Network is unreachable'

None of the IPs shows up in the ARP Table. If I try to convert the IPV6 to IPV4 addresses I get an invalid IP address as well.

[Maurice]

If your ISP is enforcing frequent prefix changes, there is not a lot you can do about it. OPNsense support for dynamic prefixes has improved over the years, but issues with certain features are still expected.

IPv6 doesn't use ARP. You'll have to check the NDP table. Not sure what you mean by "convert the IPv6 to IPv4 addresses". That's not a thing (except for some transition technologies like NAT64).

Do you actually need downstream prefix delegation? If not, you can disable it by manually configuring the DHCPv6 service and not specifying a PD range. Or reduce the lease time to avoid stale leases.

[phantomsfbw]

I just changed the prefix delegation as you stated and will see what happens from there.

[phantomsfbw]

So using Wireshark, I isolated the debug errors to two Apple TVs.  I went and changed their DNS from automatic to the IP address of the router.  However, these keep showing for the two devices.

4659   109.719105   10.0.0.199   224.0.0.251   MDNS   180   Standard query response 0x0000 AAAA, cache flush fe80::89f:8d31:8766:26ae AAAA, cache flush 2600:4040:b00b:2900:1c39:dadd:666a:a53f AAAA, cache flush 2600:4040:b009:f300::1a1b NSEC, cache flush Master-Bedroom-2.local