Deutsche Telekom VDSL IPv6 having issues after upgrade to 24.7

Started by beisser, July 27, 2024, 09:29:24 AM

i'm using slaac on the lan. the router advertisement service is set to unmanaged.

my proxmox host (PVE) doesn't use ipv6, the proxmox backup server (PBS) does and that one is a separate physical machine from the PVE host.

the proxmox firewall is globally off on all levels (datacenter, host and vm).

this setup worked for 2 years without any issues and only started acting up with the upgrade to 24.7.

so you would recommend setting the router advertisement to stateless instead of unmanaged?
what about the intervals?
does it make sense to lower the values there?

The difference between "stateless" and "unmanaged" is simply that "unmanaged" only sets the IPv6 address, but nothing else - thus, the default gateway is not distributed via RA, neither are the DNS domains nor the DNS servers.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

so additional testing with the win10 laptop revealed nothing new. it has the same issue as the other physical devices with the exception of the PBS, which is completely unbothered.

i set the router advertisement to stateless which made no visible difference.

does it make sense to lower the intervals?

i have set the min interval to 3 now and the max interval to 4.

on first glance it seems to be better now.
the laptop occasionally loses a ping (which might be wifi related).
the wired windows clients seem to be stable now as well, even though i have only implemented this like 5 min ago, so it's too early to tell if it really improves things.

do such low values have any negative effect that i should be aware of?




I doubt that RA intervals of 3 seconds should be necessary. It sounds more like you have another source of RAs sent to your network which interfere with your OpnSense RAs. It would explain why sending RAs at a smaller interval helps...

Are you sure that there is no other instance running? You already wrote that your OpnSense is a VM.

Quote from: meyergru on July 28, 2024, 01:02:02 PM
The difference between "stateless" and "unmanaged" is simply that "unmanaged" only sets the IPv6 address, but nothing else - thus, the default gateway is not distributed via RA, neither are the DNS domains nor the DNS servers.
The default gateway definitely is in my installations - I do have "Advertise Default Gateway" checked, though.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: meyergru on July 28, 2024, 02:20:41 PM
I doubt that RA intervals of 3 seconds should be necessary. It sounds more like you have another source of RAs sent to your network which interfere with your OpnSense RAs. It would explain why sending RAs at a smaller interval helps...

Are you sure that there is no other instance running? You already wrote that your OpnSense is a VM.

there is only one device which i have added to the network lately and that's a netgear orbi wifi mesh system in AP mode (other option would be router mode, which i don't want).
the ipv6 functionality is turned off in ap-mode and can't be turned on (greyed out).

i have no virtual machines or devices on my network that would act as a router otherwise.
but i will run a wireshark trace to see if there are any weird router advertisements coming in.

I use unmanaged RA on all my VLANs for different devices (Linux, Android, MS Windows) and advertise the default gateway too. Works for me before and after the upgrade without problems.

there does not seem to be any router advertisement besides the ones coming from my opnsense.

i filtered wireshark with icmpv6.type == 134 and see only opnsense advertisements.

I just noticed, that my IPv6 DHCP service crashes on a regular basis. I get a dynamic IPv6 via 6to4 tunnel from my Versatel provider. Up until the update from 24.1 to 24.7 it worked with "prevent release". How can I apply the patch?

different provider but the patch gets applied in the shell (ssh for example) with the command provided by franco in his post further up.

edit: the command is "opnsense-patch 287c13beb"

after 20 minutes of running wireshark i haven't seen any RA from anything other than opnsense.

so no idea what's wrong.

edit: i have set the intervals back to 200 and 600 to check if i can reproduce/fix this issue at will by changing the values. will report with findings later

setting the values back to defaults did not bring back the issue.
rebooting the firewall also did not bring back the issue.
ipv6 keeps working for now.
wireshark still doesn't show any RA from anything other than opnsense.

i am at a loss here.
if anyone has any additional ideas what might be the cause of this i would be quite happy to hear them.

i will continue to monitor and we will see if the issue returns tomorrow, just like it returned today after working all afternoon/evening yesterday.

this morning the same issue is present again.
clients get ipv6 addresses, but no forwarding.
wireshark sees the RA only from opnsense again.
i had to manually restart router advertisement to get the forwarding to start.
are there any specific logs i can look at to see if/how this part is misbehaving?
the general log in the gui doesn't give me anything useful.

You can look at the radvd config file (/var/etc/radvd.conf) and at its creation date and at the start times of radvd.

If a radvd restart fixes the problem and you see RAs at all, it does not seem to be that it stops sending RAs, but its content. If the ISP changes the prefix (which I doubt they should within a running connection), radvd should get restarted automatically and thus the clients get the new prefix. All of this should be in the general log file.

Also, if you continually dump RAs on a client, you should see if/what differs in the RAs before/after a restart.

BTW: Telekom once did a "Zwangstrennung", which is now obsolete. Could it be the problem that it is still configured for your (old) account or that you somewhere have a mechanism that forces it in order to have that at a given time (when I still was with Telekom, I sure had that).
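The comparison suggested above (dump RAs on a client and check what differs before and after a radvd restart), as an added example that is not part of the original thread: a parser for the ICMPv6 Router Advertisement (type 134, RFC 4861) that extracts the fields a client acts on and diffs two captures. The function names are illustrative, the input is assumed to be the raw ICMPv6 message starting at the type byte, and both sample RAs are constructed with the 2001:db8::/32 documentation prefix, not values observed on this network.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134, RFC 4861)."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    _hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime,  # 0 = sender is not a default router
          "prefixes": {}, "rdnss": []}
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1] * 8  # length in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmp):
            raise ValueError("malformed option")
        body = icmp[off:off + opt_len]
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", body, 2)
            prefix = f"{ipaddress.IPv6Address(body[16:32])}/{plen}"
            ra["prefixes"][prefix] = {"autonomous": bool(pflags & 0x40),
                                      "valid": valid, "preferred": preferred}
        elif opt_type == 25:                  # RDNSS option (RFC 8106)
            ra["rdnss"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(8, opt_len, 16)]
        off += opt_len
    return ra

def diff_ra(before: dict, after: dict) -> dict:
    """Return {field: (before, after)} for every field that changed."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

def build_ra(lifetime: int, prefix: str, valid: int, preferred: int) -> bytes:
    """Build a constructed sample RA (checksum left at zero, A and L flags set)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, valid, preferred, 0)
    return hdr + pio + net.network_address.packed

# Constructed samples: same prefix, different router and preferred lifetimes.
BEFORE = build_ra(1800, "2001:db8:1:10::/64", 86400, 14400)
AFTER = build_ra(0, "2001:db8:1:10::/64", 86400, 0)

if __name__ == "__main__":
    for field, change in diff_ra(parse_ra(BEFORE), parse_ra(AFTER)).items():
        print(field, change)
```
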