[SOLVED] [17.1.5] Still no working IPv6 on LAN

Started by Space, April 26, 2017, 04:16:51 PM

Hi,

I still had some trouble with IPv6 after updating to 17.1.7 ... OPNsense was sending solicits but did not get an address. So I changed the options so that only the following is set:

Request only a IPv6 prefix

Then I noticed the following line in the logfile:

May 20 09:44:14 OPNvirt dhcp6c[44695]: invalid prefix length 62 + 4 + 64

and remembered the following document:

https://avm.de/service/fritzbox/fritzbox-3270/wissensdatenbank/publication/show/1239_IPv6-Subnetz-im-FRITZ-Box-Heimnetz-einrichten/

So I set my prefix length to 62. Then I let the FritzBox reconnect (so it gets a new IP) and voila, IPv6 is running again.

I will monitor this if it really solves the issue for me again. Could it be that the FritzBox sometimes was not able to provide a /60 delegation?

Best regards,

    Jochen

Well,

there is another ipv6 configuration option on the fritzbox under

Internet->Zugangsdaten->ipv6

There you can configure which prefix length the fritzbox shall request

Default is /62

In my case I changed that to /60 and .... voila

br br

Hi,

not sure if we are talking about the same ... my FritzBox does get a /56 delegation. But it seems the FritzBox itself only delegates a /62 by default.

But thanks for the hint ... I had not seen that tab in Fritzbox configuration and so far I was using IPv6 tunnel and not Dual stack ... I have changed that and it looks better now. Ping times for IPv6 addresses have improved significantly :)

Best regards,

    Jochen

With the dual stack setting in FritzBox I am now able to request a /60 prefix ... I will monitor for some time and hope that I now have a stable configuration.

Thanks for all the support and this wonderful solution.

    Jochen

I have a new connection based on Vodafone Cable and it brought up similar issues with FritzBox IPv6 refusing to delegate a prefix for downstream routers no matter which of the settings was used.

I'll try changing the prefix size and report back. :)


Cheers,
Franco

Hi Franco,

I am not sure if it's the FritzBox not sending the REPLY. Since I had strange issues (some IPv6 sites work, like test-ipv6, others did not, like heise.de) I did further tests and at some point OPNsense did not set up the IPv6 anymore. I then did a trace and while the dhcp.log showed

Sending Solicit

The trace itself did not include the solicit messages from OPNsense but only the responses from the FritzBox, which include the prefix delegation:

    Identity Association for Prefix Delegation
        Option: Identity Association for Prefix Delegation (25)
        Length: 41
        Value: 000000000000070800000b40001a001900000e1000001c20...
        IAID: 00000000
        T1: 1800
        T2: 2880
        IA Prefix
            Option: IA Prefix (26)
            Length: 25
            Value: 00000e1000001c203c2a03f230c1825ab000000000000000...
            Preferred lifetime: 3600
            Valid lifetime: 7200
            Prefix length: 60
            Prefix address: 2a03:f230:c182:5ab0::


But this did not trigger any address configuration on OPNsense. Right now I am at work and cannot check the logs.

Currently I have it running with Native IPv6 enabled on FritzBox and PD works fine. Even when the FritzBox renewed its connection this morning the IPv6 was set up again correctly.

The connection issue towards https://www.heise.de remains though ... http connection is possible (I see the redirect to https), https connection is not possible ... the last thing I see in a trace is the "CLIENT HELLO" of ssl. If I test via curl https from OPNsense it works, from LAN only http works.

Best regards,

    Jochen
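Added example (not code from this thread or from OPNsense/dhcp6c): it decodes an IA_PD option with the byte layout shown in the trace above, with the option body reconstructed from the fields the trace displays, and reproduces the length check behind the earlier "invalid prefix length 62 + 4 + 64" message. It assumes that OPNsense writes sla-len as 64 minus the configured prefix delegation size (a /60 request gives sla-len 4, matching the log line) and that dhcp6c uses a 64-bit interface id.

```python
import ipaddress
import struct

OPTION_IA_PD = 25
OPTION_IA_PREFIX = 26

# Constructed IA_PD option (code 25, length 41) rebuilt from the fields in the
# trace: IAID 0, T1 1800, T2 2880, one IA_PREFIX with preferred 3600,
# valid 7200 and prefix 2a03:f230:c182:5ab0::/60.
SAMPLE_IA_PD = bytes.fromhex(
    "0019" "0029"                      # option code 25, length 41
    "00000000" "00000708" "00000b40"   # IAID, T1, T2
    "001a" "0019"                      # sub-option 26 (IA_PREFIX), length 25
    "00000e10" "00001c20" "3c"         # preferred, valid, prefix length 60
    "2a03f230c1825ab00000000000000000" # 16-byte prefix address
)

def parse_ia_pd(data):
    """Decode one IA_PD option (RFC 3633) into its IAID, timers and prefixes."""
    code, length = struct.unpack_from("!HH", data, 0)
    if code != OPTION_IA_PD or len(data) < 4 + length:
        raise ValueError("not a complete IA_PD option")
    iaid, t1, t2 = struct.unpack_from("!III", data, 4)
    prefixes = []
    pos, end = 16, 4 + length
    while pos + 4 <= end:                       # walk the nested sub-options
        sub, sublen = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + sublen]
        if sub == OPTION_IA_PREFIX and sublen >= 25:
            pref, valid, plen = struct.unpack_from("!IIB", body, 0)
            addr = ipaddress.IPv6Address(body[9:25])
            prefixes.append({"preferred": pref, "valid": valid,
                             "plen": plen, "prefix": str(addr)})
        pos += 4 + sublen
    return {"iaid": iaid, "t1": t1, "t2": t2, "prefixes": prefixes}

def sla_len_for_pd_size(pd_size):
    """Assumed OPNsense mapping: sla-len in dhcp6c.conf = 64 - PD size."""
    return 64 - pd_size

def dhcp6c_accepts(delegated_plen, pd_size, ifid_len=64):
    """dhcp6c rejects a delegation when plen + sla_len + ifid_len exceeds 128
    and logs 'invalid prefix length <plen> + <sla_len> + <ifid_len>'."""
    total = delegated_plen + sla_len_for_pd_size(pd_size) + ifid_len
    return total <= 128, total
```

With a /62 delegation and a configured PD size of 60 the sum is 130, which is the rejected case from the first post; a PD size of 62 (or a real /60 delegation) brings it to 128.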

Hi Jochen,

There is a patch here that improved the situation as you described:

https://github.com/opnsense/core/commit/b0e3ec0

Installs via:

# opnsense-patch b0e3ec0

Although it may take up to a minute for OPNsense to latch on to the reply for whatever reason, this made it reliable in testing.

This is already queued up for 17.1.8, but any feedback on how this changes the picture is highly appreciated.


Cheers,
Franco

Hi,

I have not done any tracing ... but I wanted to test and did click save on the WAN interface before applying the patch ... took about a minute and it got a new IPv6 IP ...

Then I applied the patch, did click on save again on the WAN interface .... and it runs for several minutes already without getting an IPv6 IP address ...

I will reboot now and see if it is better after reboot.

Best regards,

    Jochen

Reboot did not help but renewal on FritzBox did work.

Best regards,

    Jochen

It's still a bit shaky, but getting better. What I could see is that on reconfigure it may end up with more dhcp6c processes, which is less than ideal because of "XID mismatch" in the log.

I couldn't get off the /62 prefix for the Fritzbox (the setting just isn't there), but this is what works on the Vodafone Cable for me:

Check: Auch IPv6-Präfixe zulassen, die andere IPv6-Router im Heimnetzwerk bekanntgeben
Check: DNS-Server und IPv6-Präfix (IA_PD) zuweisen

And on the OPNsense:

Check: Nur einen IPv6-Präfix anfordern
Check: Sende SOLICIT direkt
Set: DHCPv6 Prefix Delegation Größe   63
Check: Sende einen IPv6-Präfixhinweis

It tiptoes around /63 and /64 and I can't make sense of it yet, but the following gives 10/10 score:

http://test-ipv6.com/

So it's a good baseline for further work. :)


Cheers,
Franco

Hi Franco,

I get a 10/10 at that site as well but strangely enough heise is not working over https and some other sites as well. But so far I have not found out which FW blocks the traffic, because ping and access over http work towards that site.

Best regards,

    Jochen

I noted the following today:

May 23 05:28:19 OPNvirt dhcp6c[27959]: Sending Renew
May 23 05:28:19 OPNvirt dhcp6c[27959]: dhcp6c Received INFO
May 23 05:28:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 05:46:19 OPNvirt dhcp6c[27959]: Sending Rebind
May 23 05:46:19 OPNvirt dhcp6c[27959]: dhcp6c Received REBIND
May 23 05:46:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 06:58:19 OPNvirt dhcp6c[27959]: remove an address 2a03:f580:c882:9bfe:21f:29ff:fe59:d8b5/64 on em0
May 23 06:58:20 OPNvirt dhcp6c[27959]: Sending Solicit
May 23 06:58:20 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: Sending Request
May 23 06:58:21 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: dhcp6c Received REQUEST
May 23 06:58:21 OPNvirt dhcp6c[27959]: add an address 2a03:f580:c882:abfe:21f:29ff:fe59:d8b5/64 on em0


It seems that OPNsense does not request a new address if the rebind fails (because the FritzBox got a new IP) ... it took >1h this morning until the new prefix got requested ...

Best regards,

    Jochen
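Added example (not part of the thread): a small parser for the dhcp6c log excerpt above that measures how long the client sat on a "no binding" answer before it re-solicited and installed a new address, so the >1h gap described in the post can be flagged automatically. The log lines are the ones quoted above, embedded as constructed sample input; the syslog year is assumed to be 2017.

```python
import re
from datetime import datetime

# Constructed sample: the dhcp6c log lines quoted in the post above.
SAMPLE_LOG = """\
May 23 05:28:19 OPNvirt dhcp6c[27959]: Sending Renew
May 23 05:28:19 OPNvirt dhcp6c[27959]: dhcp6c Received INFO
May 23 05:28:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 05:46:19 OPNvirt dhcp6c[27959]: Sending Rebind
May 23 05:46:19 OPNvirt dhcp6c[27959]: dhcp6c Received REBIND
May 23 05:46:19 OPNvirt dhcp6c[27959]: status code: no binding
May 23 06:58:19 OPNvirt dhcp6c[27959]: remove an address 2a03:f580:c882:9bfe:21f:29ff:fe59:d8b5/64 on em0
May 23 06:58:20 OPNvirt dhcp6c[27959]: Sending Solicit
May 23 06:58:20 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: Sending Request
May 23 06:58:21 OPNvirt dhcp6c[27959]: unknown or unexpected DHCP6 option opt_86, len 16
May 23 06:58:21 OPNvirt dhcp6c[27959]: dhcp6c Received REQUEST
May 23 06:58:21 OPNvirt dhcp6c[27959]: add an address 2a03:f580:c882:abfe:21f:29ff:fe59:d8b5/64 on em0
"""

# syslog prefix: "Mon DD HH:MM:SS host dhcp6c[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcp6c\[(\d+)\]: (.*)$")

def parse_dhcp6c_log(text, year=2017):
    """Yield (timestamp, pid, message) for every dhcp6c syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def binding_recovery_gaps(text, max_seconds=600):
    """Return (first_no_binding_ts, recovery_ts, seconds) for each stretch in
    which the server answered 'no binding' and the client only got a new
    address after more than max_seconds; a healthy client re-solicits quickly."""
    gaps, pending = [], None
    for ts, _pid, msg in parse_dhcp6c_log(text):
        if msg == "status code: no binding" and pending is None:
            pending = ts                      # start of the lost-binding window
        elif msg.startswith("add an address") and pending is not None:
            gaps.append((pending, ts, int((ts - pending).total_seconds())))
            pending = None
    return [g for g in gaps if g[2] > max_seconds]
```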

Hi,

sorry for bothering again ... today I wanted to rule out that IPS has something to do with my issue (no connection to https://heise.de via IPv6) and disabled IPS ... when I changed that setting the IPv6 IPs were lost and since that time (>1h) it did not accept a new PD ...

I did a trace on the WAN interface (and sent SIGHUP to dhcp6c) and I can see both solicit and advertise in the trace on WAN ... but somehow dhcp6c does not pick these up ...

Best regards,

    Jochen

Should I open an issue for this on github?

Thanks and best regards,

    Jochen

Hi Jochen,

Yes, please open an issue. I saw this too, Suricata drops UDP6 packets because of a bad checksum, even though checksum offloading is off.


Cheers,
Franco