DHCPv6 not working anymore

[open]

Hello,

I had DHCPv6 running for a while. That also worked well. A few days ago I noticed that no v6 address was being distributed. I don't have the exact cause or time.

Opnsense gets an IPv6 from the provider via Fritzbox on the interface DMZ. IF1 and IF4 track the interface DMZ and distribute a prefix ID 1 and 4 respectively.

When I noticed the problem, interface 1 and interface 4 did not get a v6 address as long as DHCPv6 was active. If I deactivated DHCPv6, the assignment of the v6 address worked. I found the entry no suitable address several times in the log.
I then deactivated DHCPv6, removed the v6 assignment from interface 1 and 4 and rebooted. Then reactivated the v6 addresses, rebooted - reactivated prefix ID for v6, reactivated DHCPv6 manual adjustment - rebooted, reactivated DHCPv6 - rebooted
;D

The current status is that both interfaces 1 and 4 now have a clean Ipv6 address with the correct prefix ID. DHCPv6 is running according to the GUI, range is available, I no longer see any errors in the log.

But - no IPv6 is being distributed. It seems as if the DHCPv6 server simply does nothing.
PID exists and according to ps the DHCPv6 is running

Does anyone have any tips?

[stefan00]

In general, OPNsense IPv6 router chain behind a FritzBox works fine. I run it with the previous  OPNsense release (24.7.9_1-amd64) on 2 different locations.

Although I can not present you simple solution, a few things to check:

Assuming "DMZ" is your uplink / gateway ("WAN") interface at OPNsense.

(1) you get a prefix delegated large enough on DMZ

(2) increase logging level of DHCP to see what actually happens (interfaces->settings->IPv6 DHCP)

(3) did anything change in the FritzBox itself? Firmware / settings? (Have seen this before breaking correct downstream delegation)

(4) Do you have Router Advertisements enabled? Try playing with that. When enabled, there are almost no devices at all using the DCHPv6 anyway and you won't see leases.

Maybe post some screenshots of your config and / or DHCP related log stuff?

best & good luck,
Stefan

[Melroy vd Berg]

I tried to setup IPv6 myself. While everything works on the OPNsense itself, I mean I can ping IPv6 addresses and domains on IPv6 (like ping6 www.google.com) without any issues...

I tried setup DHCPv6 on OPNsense as well, but came to the conclusion DHCPv6 was not working as well.

Since when I assign manually a IPV6 address/prefix + gateway on my devices, I actually do have a working IPv6 setup (https://test-ipv6.com/ then gives me 10/10 score!). So DHCPv6 is just not giving me an address....


OK.. Problem found.. I needed to select/check "Enable link-local address" at  Link-local address on my bridge network at: Interfaces -> Other types -> Bridge -> 'my bridge network'.

See also: https://forum.opnsense.org/index.php?topic=28181.msg136875#msg136875

[franco]

There's a larger document with some trouble shooting steps here:

https://docs.opnsense.org/manual/ipv6.html#basic-setup-and-troubleshooting

A lot can go wrong with IPv6. Most of the time it seems to be at the root: DHCPv6 on WAN not responding for several reasons. One of those was said to be a particular intrusion detection rule. It isually helps to inspect the debug logs and packet captures, but it's also time consuming and differs from ISP to ISP.


Cheers,
Franco

[Melroy vd Berg]

In my case the LAN bridge was the root-cause since by default  Enable link-local address is not checked. Could this information please be added to: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#lan-bridge ?

The same issue was reported back in 2022 as well: https://forum.opnsense.org/index.php?topic=28181.msg136875#msg136875

[open]

(1) you get a prefix delegated large enough on DMZ

Yes, I get a /56 from ISP an delegated a /64 to DMZ Interface

(2) increase logging level of DHCP to see what actually happens (interfaces->settings->IPv6 DHCP)

On which log is that working? System? dhcp?
I don't see more output wich increase log level

(3) did anything change in the FritzBox itself? Firmware / settings? (Have seen this before breaking correct downstream delegation)

Yes, some weeks ago new firmware was coming from AVM
Not sure if this a reason but I get anymore my IPv6 delegation on OPNsense

(4) Do you have Router Advertisements enabled? Try playing with that. When enabled, there are almost no devices at all using the DCHPv6 anyway and you won't see leases.

Yes, it is active as managed
Have tried it to disable but doesn't change the behavior for DHCPv6 so far

Maybe post some screenshots of your config and / or DHCP related log stuff?

I can do that. but what you want to see?
Inside the log, systems and/or dhcp, I don't see any problems.
Last entry after restart dhcpv6 is:
Sending on Socket/8/em0/xxxx:xxxx:xxxx:a8f1::/64
listening on Socket/8/em0/xxxx:xxxx:xxxx:a8f1::/64
Sending on Socket/8/em0/xxxx:xxxx:xxxx:a8f4::/64
listening on Socket/8/em0/xxxx:xxxx:xxxx:a8f4::/64
Bound to *:547

Looks fine for me.

I tried setup DHCPv6 on OPNsense as well, but came to the conclusion DHCPv6 is broken as well!!?

the implemantion of DHPCv6 and OPNsense is tricky. I have need some days for my first setup to. But it was working like a charm for long time. I was able to give each VLAN a separate network inside the IPv6 from ISP. After each change the IPv6 for my network was changed to. That was working very well.

[franco]

In my case the LAN bridge was the root-cause since by default  Enable link-local address is not checked. Could this information please be added to: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#lan-bridge ?

The same issue was reported back in 2022 as well: https://forum.opnsense.org/index.php?topic=28181.msg136875#msg136875

Fair point. The LAN bridge document was written before we even had to add the link-local option it seems. :)

[open]

I think the point for me is the hint for the link local addresses. Or?

All my interfaces have got a fe80: address.
But thanks for your hint.

[stefan00]

Seems like topics get mixed up here. First, congrats to Melroy vd Berg for solving the bridge based issue  :)

@open:

(1)

Yes, I get a /56 from ISP an delegated a /64 to DMZ Interface

I'm having a bit of trouble understanding your setup due to naming stuff. Assuming your interface named "DMZ" is your WAN interface on OPNsense, you say it only gets a /64 prefix delegated from the FritzBox to OPNsense?

(2) error logs

It's very strange that there are no dhcp6c errors / warnings at all in system->Log Files->General. You should check if there are any dhcp related errors right after you reboot OPNsense.

FYI: attached is a current screenshot of one if my FritzBoxes v6 downwards delegation, /57 to OPNsense in this case (screenshot is German though). But since you have no dhcp6c errors at all and say all prefixes are correctly delegated, this should look similar at your side.

[Melroy vd Berg]

In my case the LAN bridge was the root-cause since by default  Enable link-local address is not checked. Could this information please be added to: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#lan-bridge ?

The same issue was reported back in 2022 as well: https://forum.opnsense.org/index.php?topic=28181.msg136875#msg136875

Fair point. The LAN bridge document was written before we even had to add the link-local option it seems. :)

Thanks for documenting this in advance  :) This took me 2 days to figure out this missing setting.

[open]

I'm having a bit of trouble understanding your setup due to naming stuff. Assuming your interface named "DMZ" is your WAN interface on OPNsense,

Right, my Interface DMZ is heading to Fritzbox.

you say it only gets a /64 prefix delegated from the FritzBox to OPNsense?

I have checked this. Now I get a /64 from ISP. Is like the same as you showing in your screenshot.
Two differences -

I have configured the Fritzbox to IA_PD only
Delegated size is /60

That is the size that is configured under Interface DMZ - Prefix Delegation Size
Inside OPNSense under ISC_DHCPv6 - Interface 1 / Interface 4 i see a subnetmask of 64 bit

(2) error logs

It's very strange that there are no dhcp6c errors / warnings at all in system->Log Files->General. You should check if there are any dhcp related errors right after you reboot OPNsense.

After the last reboot I see a lot more messages from dhcp6c. Switching log level need reboot?

I see only two messages that can be a error:
unknown or unexpected DHCP6 option opt_86, len 16
XID mismatch

[open]

The only error, that is as error marked, inside the System - general log ist this:

/services_dhcpv6.php: The command '/usr/sbin/daemon -f -p '/var/run/dhcpleases6.pid' '/usr/local/opnsense/scripts/dhcp/prefixes.sh'' returned exit code '3', the output was 'daemon: process already running, pid: 37530'

This occurs every time I changed the config of the dhcp6 or restart the dhcpv6.
All other ist notice

[stefan00]

/services_dhcpv6.php: The command '/usr/sbin/daemon -f -p '/var/run/dhcpleases6.pid' '/usr/local/opnsense/scripts/dhcp/prefixes.sh'' returned exit code '3', the output was 'daemon: process already running, pid: 37530'

That's OK, I get that too restarting DHCPv6

unknown or unexpected DHCP6 option opt_86, len 16

That's OK, I get that too.

XID mismatch

I do NOT see this error.

---

Since you configured your FritzBox for IA_PD only, what are your v6 related DMZ interface settings (request prefix only etc)?

However, except for the xid error (which I'm unaware of) things look good.

Below is a screenshot of my interfaces->overview->WAN->details listing for comparison.

some more ideas:

(1) did you try restarting radvd?

(2) sure not firewall / vlan related?

[stefan00]

forgot to ask: what is your router advertisement mode setting on your client (LAN) interfaces?

[open]

Since you configured your FritzBox for IA_PD only, what are your v6 related DMZ interface settings (request prefix only etc)?

The DMZ Interface ist configured as DHCP6.
Configuration mode Basic
Prefix only and Prefix hint is active

The interface getting each time the same IP

xxxx:xxxx:xxxx:xxxx:xxxx:5054:ff:febc:b9b6/64

x = ISP IPv6

However, except for the xid error (which I'm unaware of) things look good.

Below is a screenshot of my interfaces->overview->WAN->details listing for comparison.

Thank's - my Details looks different

some more ideas:

(1) did you try restarting radvd?

yes
For now - I got the problem that the radvd crashes. To much reconfigured - I think....
I have had this problem long time ago. I hope I find again the command to rest the damon.

(2) sure not firewall / vlan related?

I think yes, but not sure any more ;)


The detail, that the Fritzbox says delegated prefix xxxx.xxxx.xxxx.xxxx/60 and opnsense says /64 with same address make me crazy