[SOLVED] [17.1.5] Still no working IPv6 on LAN

Started by Space, April 26, 2017, 04:16:51 PM

Hi Franco,

in which logfile can I check this? Because I also have this weird issue that e.g. heise.de does not work via https if I try the connection from LAN ... wondering if the SERVER_HELLO gets dropped by Suricata ...

Best regards,

    Jochen

Services: Intrusion Detection: Alerts tab I think.

Hi Franco,

hm, I asked because I did not see any related entries there ... but I am not sure if everything that is dropped is logged there ...

But even when I had disabled IPS it took a long time to renew the IPv6 address.

Best regards,

    Jochen

Hi Jochen,

Strange, I can see these block messages for checksums, which is funny, because checksumming in hardware is off. Maybe a loophole in the network stack where checksumming is still done in hardware in some cases...

Regarding DHCP6 not working afterwards: I've seen this too, but I think there are multiple issues that span to the fritzbox as well. I can't get a prefix anymore because it says they are depleted, which is not very surprising if there is only a /62 and it does not have a lot of /64 prefixes and refuses to reassign them afterwards.

The command sequence is always the same in the dhcp6c client, so maybe we are seeing half-implemented issues in the server because normally nobody plays with their setup all the time (if it works it works).

So at least we have to assume if it works one time it should work all the time with the same sequence, no?


Cheers,
Franco

June 02, 2017, 10:39:58 AM #34 Last Edit: June 02, 2017, 12:35:03 PM by Space
Hi,

maybe it has something to do with the lease time? Or with network packages being discarded before they reach the dhcp6c ... Trying to do some tests now ... Have noticed that the dhcp6c recovered after some time and got an address.

So I tried to reproduce the issue and clicked SAVE on WAN interface ... after about 1m it got its new address (Network trace is available):

Jun  2 10:12:27 OPNvirt dhcp6c[88237]: Start address release
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: Sending Release
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: remove an address 2a03:f580:c883:bcfc:21f:29ff:fe59:d8b5/64 on em0
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: dhcp6c Received RELEASE
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: status code: success
Jun  2 10:12:27 OPNvirt dhcp6c[88237]: exiting
Jun  2 10:12:27 OPNvirt dhcp6c[31202]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jun  2 10:12:27 OPNvirt dhcp6c[31202]: failed initialize control message authentication
Jun  2 10:12:27 OPNvirt dhcp6c[31202]: skip opening control port
Jun  2 10:12:28 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:29 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:30 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:12:30 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:12:30 OPNvirt dhcpd: All rights reserved.
Jun  2 10:12:30 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:12:30 OPNvirt dhcpd: Config file: /etc/dhcpd.conf
Jun  2 10:12:30 OPNvirt dhcpd: Database file: /var/db/dhcpd.leases
Jun  2 10:12:30 OPNvirt dhcpd: PID file: /var/run/dhcpd.pid
Jun  2 10:12:30 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:12:30 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:12:30 OPNvirt dhcpd: All rights reserved.
Jun  2 10:12:30 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:12:30 OPNvirt dhcpd: Wrote 0 deleted host decls to leases file.
Jun  2 10:12:30 OPNvirt dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun  2 10:12:30 OPNvirt dhcpd: Wrote 4 leases to leases file.
Jun  2 10:12:30 OPNvirt dhcpd: Listening on BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:12:30 OPNvirt dhcpd: Sending on   BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:12:30 OPNvirt dhcpd: Sending on   Socket/fallback/fallback-net
Jun  2 10:12:30 OPNvirt dhcpd: Server starting service.
Jun  2 10:12:31 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:35 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:43 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:00 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:32 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:32 OPNvirt dhcp6c[31503]: unknown or unexpected DHCP6 option opt_86, len 16
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: Sending Request
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: unknown or unexpected DHCP6 option opt_86, len 16
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: dhcp6c Received REQUEST
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: add an address 2a03:f580:c883:bcfd:21f:29ff:fe59:d8b5/64 on em0


Since I could not match the timestamp in the trace to the logfile I wanted to do the same thing again with a specific action done at a specific time (to know the relative time in the trace) ... but now it's running for 15m without new address ...

Jun  2 10:22:46 OPNvirt dhcp6c[31503]: Start address release
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: Sending Release
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: remove an address 2a03:f580:c883:bcfd:21f:29ff:fe59:d8b5/64 on em0
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: dhcp6c Received RELEASE
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: status code: success
Jun  2 10:22:46 OPNvirt dhcp6c[31503]: exiting
Jun  2 10:22:46 OPNvirt dhcp6c[84727]: failed to open /usr/local/etc/dhcp6cctlkey: No such file or directory
Jun  2 10:22:46 OPNvirt dhcp6c[84727]: failed initialize control message authentication
Jun  2 10:22:46 OPNvirt dhcp6c[84727]: skip opening control port
Jun  2 10:22:47 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:48 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:49 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:22:49 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:22:49 OPNvirt dhcpd: All rights reserved.
Jun  2 10:22:49 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:22:49 OPNvirt dhcpd: Config file: /etc/dhcpd.conf
Jun  2 10:22:49 OPNvirt dhcpd: Database file: /var/db/dhcpd.leases
Jun  2 10:22:49 OPNvirt dhcpd: PID file: /var/run/dhcpd.pid
Jun  2 10:22:49 OPNvirt dhcpd: Internet Systems Consortium DHCP Server 4.3.5
Jun  2 10:22:49 OPNvirt dhcpd: Copyright 2004-2016 Internet Systems Consortium.
Jun  2 10:22:49 OPNvirt dhcpd: All rights reserved.
Jun  2 10:22:49 OPNvirt dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Jun  2 10:22:49 OPNvirt dhcpd: Wrote 0 deleted host decls to leases file.
Jun  2 10:22:49 OPNvirt dhcpd: Wrote 0 new dynamic host decls to leases file.
Jun  2 10:22:49 OPNvirt dhcpd: Wrote 4 leases to leases file.
Jun  2 10:22:49 OPNvirt dhcpd: Listening on BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:22:49 OPNvirt dhcpd: Sending on   BPF/em0/00:1f:29:59:d8:b5/192.168.42.0/24
Jun  2 10:22:49 OPNvirt dhcpd: Sending on   Socket/fallback/fallback-net
Jun  2 10:22:49 OPNvirt dhcpd: Server starting service.
Jun  2 10:22:50 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:54 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:23:02 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:23:19 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:23:51 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:24:55 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:26:54 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:28:47 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:30:50 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:32:41 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:34:42 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:36:30 OPNvirt dhcp6c[84913]: Sending Solicit


Can I provide you the traces in some way?

Best regards,

    Jochen
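The two dhcp6c runs above differ only in whether a Solicit is ever followed by a Request. As an added example (not code from this thread or from OPNsense), this script parses dhcp6c syslog lines of the same shape and, per client PID, reports how many Solicits were sent, whether a Request followed, and how long it took to get an address, flagging a client that keeps soliciting without ever acting on an Advertise. The log lines are a constructed sample modelled on the ones quoted above; the year is assumed because syslog stamps carry none.

```python
import re
from datetime import datetime

# Constructed sample modelled on the dhcp6c syslog lines quoted above: PID 31503 converges, PID 84913 keeps soliciting.
SAMPLE_LOG = """\
Jun  2 10:12:28 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:12:29 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:32 OPNvirt dhcp6c[31503]: Sending Solicit
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: Sending Request
Jun  2 10:13:33 OPNvirt dhcp6c[31503]: add an address 2a03:f580:c883:bcfd:21f:29ff:fe59:d8b5/64 on em0
Jun  2 10:22:47 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:22:48 OPNvirt dhcp6c[84913]: Sending Solicit
Jun  2 10:36:30 OPNvirt dhcp6c[84913]: Sending Solicit
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcp6c\[(\d+)\]: (.*)$")

def parse_ts(stamp, year=2017):
    # syslog stamps carry no year; one is assumed so that deltas can be computed
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def analyze(log, stuck_after=300):
    """Per dhcp6c PID: Solicit count, whether a Request followed, seconds from the client's first line to 'add an address' (or its last line), verdict."""
    runs = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        r = runs.setdefault(pid, {"solicits": 0, "first": ts, "last": ts,
                                  "request": False, "address_at": None})
        r["last"] = ts
        if msg == "Sending Solicit":
            r["solicits"] += 1
        elif msg == "Sending Request":
            r["request"] = True
        elif msg.startswith("add an address"):
            r["address_at"] = ts
    report = {}
    for pid, r in runs.items():
        secs = ((r["address_at"] or r["last"]) - r["first"]).total_seconds()
        if r["address_at"]:
            verdict = "ok"
        elif secs >= stuck_after:
            verdict = f"stuck: {r['solicits']} Solicits, no Request"  # no Advertise was acted on
        else:
            verdict = "pending"
        report[pid] = {"solicits": r["solicits"], "request": r["request"],
                       "seconds": secs, "verdict": verdict}
    return report
```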

I have compared the Advertise packages sent by the Fritzbox in the working and non-working case. The only difference (except for timestamps and stream IDs of Wireshark) is the transaction ID ...

So the Fritzbox sends the same response ... sometimes the dhcp6c answers with a REQUEST and sometimes not ...

How can we trace the packages that dhcp6c sees? Is there something like strace available to trace the dhcp6c client?

Best regards,

    Jochen

Ok, you can use something like truss ... so I traced dhcp6c. It opens the following sockets / files:

55890: socket(PF_LOCAL,SOCK_DGRAM|SOCK_CLOEXEC,0) = 3 (0x3)
55890: connect(3,{ AF_UNIX "/var/run/logpriv" },106) = 0 (0x0)

55890: socket(PF_INET6,SOCK_DGRAM,17)            = 4 (0x4)
55890: fcntl(4,F_GETFL,)                         = 2 (0x2)
55890: fcntl(4,F_SETFL,0x3)                      = 0 (0x0)
55890: bind(4,{ AF_INET6 [::]:546 },28)          = 0 (0x0)

55890: open("/var/etc/dhcp6c_wan.conf",O_RDONLY,0666) = 5 (0x5)
55890: ioctl(5,TIOCGETA,0x53dce490)              ERR#25 'Inappropriate ioctl for device'


And then you can see the following repeating all the time:

55959: clock_gettime(13,{ 1496394429.000000000 }) = 0 (0x0)
55959: getpid()                                  = 55959 (0xda97)
55959: sendto(3,"<30>Jun  2 11:07:09 dhcp6c[55959"...,50,0x0,NULL,0x0) = 50 (0x32)
55959: gettimeofday({ 1496394429.744324 },0x0)   = 0 (0x0)
55959: sendto(4,"\^A*a]\0\^A\0\^N\0\^A\0\^A\^_u"...,81,0x0,{ AF_INET6 [ff02::1:2]:547 },0x1c) = 81 (0x51)
55959: __sysctl(0x6a0c53dcdce0,0x6,0x0,0x6a0c53dcdcd8,0x0,0x0) = 0 (0x0)
55959: __sysctl(0x6a0c53dcdce0,0x6,0x46583c3d400,0x6a0c53dcdcd8,0x0,0x0) = 0 (0x0)
55959: gettimeofday({ 1496394429.744816 },0x0)   = 0 (0x0)
55959: select(5,{ 4 },0x0,0x0,{ 123.337096 })    = 0 (0x0)
55959: gettimeofday({ 1496394553.093143 },0x0)   = 0 (0x0)
55959: clock_gettime(13,{ 1496394553.000000000 }) = 0 (0x0)


Shouldn't it read sometimes from 4 as well if it did receive the Advertise packet? Maybe the advertise package really does not reach the dhcp6c.

Best regards,

     Jochen

June 02, 2017, 11:32:41 AM #37 Last Edit: June 02, 2017, 12:25:07 PM by Space
The firewall logs show both packets as PASS:

Jun  2 11:24:28 OPNvirt filterlog: 53,,,0,em1,match,pass,out,6,0x00,0x00000,1,UDP,17,89,fe80::21f:29ff:fe59:d8b4,ff02::1:2,546,547,89
Jun  2 11:24:28 OPNvirt filterlog: 69,,,0,lo0,match,pass,in,6,0x00,0x00000,1,UDP,17,89,fe80::21f:29ff:fe59:d8b4,ff02::1:2,546,547,89
Jun  2 11:24:28 OPNvirt filterlog: 52,,,0,em1,match,pass,in,6,0x00,0x00000,64,UDP,17,134,fe80::2665:11ff:fe6c:3714,fe80::21f:29ff:fe59:d8b4,547,546,134


Best regards,

    Jochen

Hm, could the issue be caused by OpenVPN also listening on 546?

root@OPNvirt:/var/log # sockstat -l | grep :546
root     dhcp6c     33878 5  udp6   *:546                 *:*
root     openvpn    22884 5  udp6   *:546                 *:*


EDIT: yes! I stopped OpenVPN and after next solicit IP address was immediately set!

Best regards,

    Jochen

Funny thing is: after OpenVPN was disabled and the interface got the IP from the Fritzbox ... there are lots more processes listening on port 546:

root@OPNvirt:~ # sockstat -l -6 | grep :546
root     sleep      89181 8  udp6   *:546                 *:*
root     sh         47212 8  udp6   *:546                 *:*
root     radvd      30324 8  udp6   *:546                 *:*
dhcpd    dhcpd      26396 8  udp6   *:546                 *:*
root     dhcp6c     91012 8  udp6   *:546                 *:*


sleep and sh belong to this one:

root   47212   0.0  0.1 1078840   3168  -  Ss   14:01    0:00.06 |-- /bin/sh /var/db/rrd/updaterrd.sh
root   89181   0.0  0.1 1073972   2376  -  S    14:10    0:00.00 | `-- sleep 60


Not sure if all of them should be listening to :546 as well :)

Best regards,

    Jochen
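The finding above, that a second process bound to udp6 port 546 was enough to keep the Advertise from reaching dhcp6c, turns into a simple check. As an added example (not code from this thread or from OPNsense), this parses the output format of `sockstat -l -6` and lists every command other than the expected owner that is bound to the DHCPv6 client port; the listing is a constructed sample modelled on the two quoted above.

```python
# Constructed sockstat -l -6 listing, modelled on the two listings quoted above
# (a real listing starts with a header line, which the parser skips).
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     dhcp6c     33878 5  udp6   *:546                 *:*
root     openvpn    22884 5  udp6   *:546                 *:*
root     sleep      89181 8  udp6   *:546                 *:*
root     sh         47212 8  udp6   *:546                 *:*
root     unbound    4242  6  udp6   *:53                  *:*
"""

def parse_sockstat(text):
    """Split sockstat rows into dicts; the port is the part after the last ':' of the local address."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "USER":
            continue
        user, cmd, pid, fd, proto, local = f[:6]
        rows.append({"user": user, "cmd": cmd, "pid": int(pid), "fd": int(fd),
                     "proto": proto, "port": local.rsplit(":", 1)[1]})
    return rows

def port_sharers(rows, port="546", owner="dhcp6c", proto="udp6"):
    """Commands other than the expected owner bound to proto/port. Any hit means a
    datagram to that port may be delivered to a process that is not the client."""
    return sorted({r["cmd"] for r in rows
                   if r["proto"] == proto and r["port"] == port and r["cmd"] != owner})
```

On a live box the same check is `sockstat -l -6 | grep ':546'` followed by looking for anything other than dhcp6c, which is exactly what the post above did.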

Just a brief update on my potentially related issue (no prefix delegation from cable modem to OPNSense box and LAN does not track WAN IPv6):
- ISP support is poor: helpline told me that prefix delegation may work or may not work.
- That information is consistent with what other clients of the ISP experience according to forum posts across the internet: for some it works and for some it doesn't.
- My neighbor uses a Fritzbox with same ISP but has an IPv4-only line; I have DSlite (dual stack lite), i.e. IPv6-only and IPv4 via CGN (carrier grade NAT); thus no chance to cross-check.
- I will buy a Fritzbox, try it and report back.

Cheers,
Boris

Quote from: Space on May 22, 2017, 08:40:34 AM
The connection issue towards https://www.heise.de remains though ... http connection is possible (I see the redirect to https), https connection is not possible ... the last thing I see in a trace is the "CLIENT HELLO" of ssl. If I test via curl https from OPNsense it works, from LAN only http works.

To follow up on this as well ... I have found out why https connection was not possible to some sites ... once I had reduced the MTU on my Linux system to 1486 even the https connection works without issues. So I guess the PMTU discovery fails at some point ... since it works fine if I run the curl on the OPNsense box, could this be an issue in OPNsense?

Thanks and best regards,

    Space

Quote from: gothbert on June 12, 2017, 07:53:50 PM
- I will buy a Fritzbox, try it and report back.

Got my Fritzbox and got IPv6 on LAN working, finally. Only because of the additional insights and configuration options the Fritzbox provides, together with an Ubuntu box added in parallel to the OPNSense box to make sure that the Fritzbox really can delegate prefixes (dhclient, wireshark, ...).

It still took quite some time to get it done. I ended up with the configuration that I have been trying out for weeks, in accordance with what Jochen proposed. Seemingly, the only difference is that I turned Intrusion Detection off. Please let me know if you would like me to investigate if there is an issue with suricata.

Best regards
Boris

Hey,

does someone have a working configuration with a PPPoE over modem connection? I still have a problem with IPv6 and opnsense:

- ISP Deutsche Telekom
- opnsense 17.1.9
- Vigor 130 modem only (vlan7)
- Unifi AC PRO Access Point
I configured my opnsense in this way: https://moerbst.wordpress.com/2016/07/31/ipv6mit-pfsense-an-dsl-der-telekom/

I got an IPv6 address for my opnsense (working) but my clients are still without IPv6 address :-(

maybe someone can help me!

thank you


Hmm, check if radvd is running (services: diagnostics), from the console see the config has a prefix:

# cat /var/etc/radvd.conf

Without a delegated prefix, your clients won't receive an IPv6.