Multi WAN and ipv6

[marjohn56]

Can you just turn on dhcp6c debug in interfaces->settings, then filter the logs on dhcp6c and post them/.

[wget]

Can you just turn on dhcp6c debug in interfaces->settings, then filter the logs on dhcp6c and post them/.

Answered in DM as the logs were containing sensible pieces of info. I will make sure to expel the ones that are not needed afterwards, that way, this could be useful to others finding this topic in the future =)

[fryfrog]

Do you still need testers? I happen to have 3 ISPs and an extra APU2, I could test w/o killing my own internet via an extra cable and dsl, both that do dhcpv6 pd.

[wget]

Do you still need testers? I happen to have 3 ISPs and an extra APU2, I could test w/o killing my own internet via an extra cable and dsl, both that do dhcpv6 pd.

Hi there.

An additional test would be wise to have.

From my side, my xDSL and DOCIS based are both receiving an IPv6 address now.

But it appears the xDSL has issues and I need to reload the interface manually afterwards in order to be sure to have an IPv6 on it. Could you test this out? (confirming or disconfirm my issue)

[fryfrog]

Is it weird that I've always been able to get an ipv6 ip and ipv6-pd delegated from all of my interfaces? My "problem" is that all my hosts then end up with 2-3 public ipv6 addresses and I've never figured out how to control it better. I *think* I need to use a private ipv6 range on my LAN and then ... ?nat64? them 1:1? I *suck* at ipv6, so I know I'm at least a little wrong, probably a lot.

[marjohn56]

you'll usually see multiple ipv6 addresses on clients as that is a feature of ipv6, if you want to disable that then look at this.. https://www.ispcolohost.com/2013/07/06/how-to-disable-ipv6-stateless-autoconfig-on-windows-7/.


you can als change your radvd settings to managed, however if you do that then any android clients you have will not get an address.

[wget]

I have reinstalled my system under a fresh 20.7 in order to avoid issues caused from the previous development tests I performed.

Now, I'm unable to get an IPv6 address on igb1 (modem cable based).

While radvdump reports RA paquets asking me to send an IPv6 sollicit DHCP client request (cf. M flag set to on):

Code: [Select]

interface igb1
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag on;
        AdvOtherConfigFlag on;
        AdvReachableTime 3600000;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 9000;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;
        AdvLinkMTU 1500;
}; # End of interface definition

The DHCP request is not getting an offer:

Code: [Select]

2020-08-11T15:07:19 dhcp6c[36699]: reset a timer on igb1, state=SOLICIT, timeo=5, retrans=35350
2020-08-11T15:07:19 dhcp6c[36699]: send solicit to ff02::1:2%igb1
2020-08-11T15:07:19 dhcp6c[36699]: set IA_PD
2020-08-11T15:07:19 dhcp6c[36699]: set IA_PD prefix
2020-08-11T15:07:19 dhcp6c[36699]: set option request (len 4)
2020-08-11T15:07:19 dhcp6c[36699]: set elapsed time (len 2)
2020-08-11T15:07:19 dhcp6c[36699]: set identity association
2020-08-11T15:07:19 dhcp6c[36699]: set client ID (len 14)
2020-08-11T15:07:19 dhcp6c[36699]: Sending Solicit
2020-08-11T15:07:01 dhcp6c[36699]: reset a timer on igb1, state=SOLICIT, timeo=4, retrans=17047
2020-08-11T15:07:01 dhcp6c[36699]: send solicit to ff02::1:2%igb1
2020-08-11T15:07:01 dhcp6c[36699]: set IA_PD
2020-08-11T15:07:01 dhcp6c[36699]: set IA_PD prefix
2020-08-11T15:07:01 dhcp6c[36699]: set option request (len 4)
2020-08-11T15:07:01 dhcp6c[36699]: set elapsed time (len 2)
2020-08-11T15:07:01 dhcp6c[36699]: set identity association
2020-08-11T15:07:01 dhcp6c[36699]: set client ID (len 14)
2020-08-11T15:07:01 dhcp6c[36699]: Sending Solicit
2020-08-11T15:06:53 dhcp6c[36699]: reset a timer on igb1, state=SOLICIT, timeo=3, retrans=8494

The stripped down version of dhcp6c.conf:

Code: [Select]

root@portal:/home/wget # cat /var/etc/dhcp6c.conf
interface igb1 {
  send ia-na 2; # request stateful address
  send ia-pd 2; # request prefix delegation
  request domain-name-servers;
  request domain-name;
  script "/var/etc/dhcp6c_opt1_script.sh"; # we'd like some nameservers please
};
id-assoc na 2 { };
id-assoc pd 2 {
  prefix ::/64 infinity;
};

This time I ensured the MTU + MSS were correct, so I don't think this comes from this side. Any direction would be great to have.

[franco]

May this be a problem with the previous lease still active or a MAC address mismatch?


Cheers,
Franco

[wget]

Well, it's true that up to now I have been spoofing the MACs from my WANs, but it has always worked like this before since I have this APU2 (end of 2017).

I have just unset the spoofing, rebooted. Even if the NIC is now using the real HW MAC address, I still don't get any IPv6 DHCP answer.

Also, for the record, previously in the 20.7.x dev config I had, the "prevent release" DHCPv6 setting was set. I unset it as well without much results :/

How can I see if this could come from a pending existing DHCPv6 lease that hasn't expired?

[wget]

Back. I have retested my APU2 board on OpenWRT and the problem was similar.

I then debugged the issue directly on my laptop. I contacted the core network team of my ISP. It appeared this was indeed a problem on their side. Problem fixed =)

I confirm that with the 20.7 release (not in dev mode any more) that dhcp6c is working for both of my connections (DOCSIS and xDSL PPPoE).

Retested again with my trick:

Code: [Select]

$ curl -6 --interface 2a02:[IPv6 address of the PPPoE] -k -L google.com
[...]
$ curl -6 --interface 2a02:[IPv6 address of the DOCIS modem bridge] -k -L google.com
[...]

and both replied correctly.

Enforcing the MTU override for the DOCSIS based connection at VOO (Belgium) is still required though otherwise OPNsense was still setting the MTU to 516 that breaks the IPv6 minimum requirements.

[franco]

Happy to hear

MTU should be advertised as 1280, not sure where 516 is coming from. Or is the OPNsense itself violating the MTU constraint?


Cheers,
Franco

[wget]

Happy to hear

MTU should be advertised as 1280, not sure where 516 is coming from. Or is the OPNsense itself violating the MTU constraint?


Cheers,
Franco

I think this is indeed OPNsense (or at least the FreeBSD driver) violating this MTU constraint because the issue doesn't happen with OpenWRT on that same device.

How do you know this should be 1280? It was indeed the value that was sometimes displayed as ifconfig output when 516 wasn't.

Is 1280 the default value for Ethernet reported by DOSCIS cable modems? On my Ethernet link from my xDSL modem, the MTU was 1500.

[wget]

[...]

I then debugged the issue directly on my laptop. I contacted the core network team of my ISP. It appeared this was indeed a problem on their side. Problem fixed =)

[...]

Actually nothing is 100 % correct when I said this was 100% working. After a reboot, I have a race condition and the IPv6 doesn't immediately show up on the xDSL link. I need to manually go in Interfaces > Overview and Reload the xDSL link in order to have an IPv6 address. Any idea to avoid this manual step at each reboot?

[Zlapped24]

Btw, since I'm still figuring out how the fallback method is working
I wonder how LAN devices tracking the IPv6 PD address range prefix from WAN1
(Global Unicast IPv6 address i.e. 2a02::/8) ข่าวกีฬาออนไลน์
will fallback to WAN2 (the backup WAN) when WAN1 is down.

[wget]

Btw, since I'm still figuring out how the fallback method is working
I wonder how LAN devices tracking the IPv6 PD address range prefix from WAN1
(Global Unicast IPv6 address i.e. 2a02::/8) ข่าวกีฬาออนไลน์
will fallback to WAN2 (the backup WAN) when WAN1 is down.

@Zlapped24 They won't. The gateway won't be magically changing and devices won't be getting the new IPv6 address.

The current patch described in this thread was only the first step: supporting a merged dhcpv6 client config with different interfaces. That's only what the fixes (implemented in 20.7) are doing for now.

Gateway changing and IPv6 address changing will still need to be implemented.