dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
10270
share rss forum feed


IPv6_NOT

@comcast.net
reply to plencnerb

Re: [IPv6] Issues with IPv6 and pfsense [SOLVED]

This is an update to the post I made ~20 minutes ago. That post is still in limbo, so I hope that both posts either are approved at the same time, or in the proper sequence so that this post makes sense.

The problem with my WNR1000v2-VC just occurred, so I will post some screen shots of what I see so that you can look at the similar status pages in pFsense to see if your problem is similar.


IPv6 status from several days ago



IPv6 status showing dual WAN IP addresses



IPv6 status after reboot


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

That is interesting.

I'm not seeing the dual WAN IPv6 IP's like you posted in your screen shot, but I did notice that the last part is different with my IPv6 IP.

I have no idea what you call each section, but the first 4 items are the same, but the last 4 are different.

Yet, my router, and cable modem have not been rebooted since I noted what my IPv6 IP address was.

Below is what I'm talking about.

My IPv6 IP, on 12/12/2012 around 12:30 PM
2001:558:6033:ad:7d1b:4b65:f6a7:4462

PFSense is now showing this
2001:558:6033:ad:149f:8627:2f1:9d33

The part after the :ad: is what has changed.

Is that what you are talking about?

It only takes a few minutes to reboot my router, so I may go ahead and do that this morning and report back.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail



IPv6_NOT

@comcast.net

said by plencnerb:

That is interesting.

I'm not seeing the dual WAN IPv6 IP's like you posted in your screen shot, but I did notice that the last part is different with my IPv6 IP.

I have no idea what you call each section, but the first 4 items are the same, but the last 4 are different.

Yet, my router, and cable modem have not been rebooted since I noted what my IPv6 IP address was.

Below is what I'm talking about.

My IPv6 IP, on 12/12/2012 around 12:30 PM
2001:558:6033:ad:7d1b:4b65:f6a7:4462

PFSense is now showing this
2001:558:6033:ad:149f:8627:2f1:9d33

The part after the :ad: is what has changed.

Is that what you are talking about?

It only takes a few minutes to reboot my router, so I may go ahead and do that this morning and report back.

--Brian

Yes, that is what I was talking about. I don't always see the dual WAN IPv6 assignments showing in the GUI status page either (but I suspect it is there but just not showing). Sometimes it also manifests itself as two LAN IPv6 addresses with the PD portion changed, but the DUID (the last part of the IPv6 address) not changed.

In either case I think what has happened is that the DHCP6 has assigned a new IP address, but the old IPv6 address is also still assigned. I think that this is happening in my Netgear router because it is getting a /64 WAN assignment when it should be getting a /128, but there is no configuration setting that I can make to change that. I noticed that in one of your pfsense screen shots that you also were getting a /64 WAN assignment, so if you can change that in the pfsense config, you may be able to prevent this from happening again.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Click for full size
#1

#2
  
said by IPv6_NOT :

I think that this is happening in my Netgear router because it is getting a /64 WAN assignment when it should be getting a /128, but there is no configuration setting that I can make to change that. I noticed that in one of your pfsense screen shots that you also were getting a /64 WAN assignment, so if you can change that in the pfsense config, you may be able to prevent this from happening again.

Are you talking about the section that I posted above in pic #1? That section is on the WAN interface configuration.

If so, the values that I can select there are shown in pic #2. Does not look like I have the option to set that to be /128, unless I'm looking in the wrong spot.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


IPv6_NOT

@comcast.net

said by plencnerb:

Are you talking about the section that I posted above in pic #1? That section is on the WAN interface configuration.

If so, the values that I can select there are shown in pic #2. Does not look like I have the option to set that to be /128, unless I'm looking in the wrong spot.

--Brian

I am not very familiar with pfsense, but everything I have seen in this and other forums discussing how Comcast assigns IPv6 addresses has implied that a standalone PC or a router WAN interface should receive a /128 IPv6 address beginning with 2001:558:xxxx:yy.

I don't have access to the hidden OpenWRT configuration in my Comcast supplied Netgear router and the only workable WAN options I have available are "Auto Detect" and "DHCP", and both give me a /64 IP address assignment. I know someone with a D-Link router, and that router does not explicitly have a selection choice for the WAN IP address allocation size either, but his router does get a /128 from Comcast, and his router's WAN IPv6 address is stable.

If you can't manually select a /128 preference for the WAN allocation size in pfsense, perhaps selecting "None" might work?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to plencnerb

Any relation with what is going on here to this thread?

»[IPv6] Seeing two different LAN side ranges



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

I've seen that thread, but I do need to take the time to sit down and read it fully to see if I'm having the same issues.

The one thing I did see so far in that thread appears to be a disagreement on the WAN DHCPv6 Prefix Delegation size. whfsdude See Profile indicates that it should be set as /64 to work correctly. Which, for me that is what I had, and it did work.

However, you ( graysonf See Profile) have a different view, in that the setting should be set to "None", which would imply that it will pull a /128 from Comcast. You have it set that way (I'm guessing) and it also appears to work. I have to step out for a few hours, but when I get home, I'll play with that and see if it makes a difference.

In the meantime, if I look at my dashboard, something has gone south, as the status of the gateway "WAN_DHCP6" is now showing "Unknown". I know when everything was working, it did show "Online", with a proper IPv6 IP in the gateway box.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

I suggested "None" because /128 is not a choice. I don't run pfsense here, I run m0n0wall instead. And I get a /128 on WAN and there is nothing to specify other than DHCP on WAN - there is no list of subnet mask choices.

I may flash a copy of pfsense to a spare CF and try it here to see what happens.

I do recall another thread along these lines and the way it turned out NetDog (I think) got involved and solved it. The cause was some type of misconfiguration by Comcast for that particular customer.



IPv6_NOT

@comcast.net

said by graysonf:

I suggested "None" because /128 is not a choice. I don't run pfsense here, I run m0n0wall instead. And I get a /128 on WAN and there is nothing to specify other than DHCP on WAN - there is no list of subnet mask choices.

I may flash a copy of pfsense to a spare CF and try it here to see what happens.

I do recall another thread along these lines and the way it turned out NetDog (I think) got involved and solved it. The cause was some type of misconfiguration by Comcast for that particular customer.

In NetDog's sticky thread: »[IPv6] Troubleshooting Comcast IPv6 (Start Here) he seems to agree that a router's WAN should get a /128 allocation:




Since NetDog does IPv6 support for Comcast, one would hope that his opinion is based on facts.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

1 edit

said by IPv6_NOT :

»[IPv6] Troubleshooting Comcast IPv6 (Start Here) he seems to agree that a router's WAN should get a /128 allocation

He's talking about allocation, not subnet. If you had a /128 subnet, you wouldn't be able to reach the gateway (it's just a single addressed network).

pfsense very clearly asks for the subnet which is why you give it a "/64."

If you do not believe that it's in a /64, pcap the RA.

fwiw, I ran pfsense on Comcast's network using '64' on-link and '64' for the PD prefix up until I had my new service installed (which is static).

Edit: Clearly failed to read "allocation" IPv6_NOT is correct and we're pretty much saying the same thing.


IPv6_NOT

@comcast.net

said by whfsdude:

said by IPv6_NOT :

»[IPv6] Troubleshooting Comcast IPv6 (Start Here) he seems to agree that a router's WAN should get a /128 allocation

He's talking about allocation, not subnet. If you had a /128 subnet, you wouldn't be able to reach the gateway (it's just a single addressed network).

pfsense very clearly asks for the subnet which is why you give it a "/64."

If you do not believe that it's in a /64, pcap the RA.

fwiw, I ran pfsense on Comcast's network using '64' on-link and '64' for the PD prefix up until I had my new service installed (which is static).

You may want to find your reading glasses and look at my posts in this thread again. I don't think you will find that I have used the phrase "/128 subnet" in any of those posts. In fact the portion of my last post that you quoted clearly says "/128 allocation"

I don't know if the current beta release(s) of pfsense has a configuration option to specify a requested allocation size for the WAN interface, but if it receives a /64 allocation, I think that the problem the OP is seeing will continue (just as it continues to happen on my Netgear router which also receives a /64 allocation on its WAN interface). We are talking about the router's WAN interface, not its LAn interface which indeed should have a /64 allocation and subnet.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

said by IPv6_NOT :

I don't know if the current beta release(s) of pfsense has a configuration option to specify a requested allocation size for the WAN interface, but if it receives a /64 allocation, I think that the problem the OP is seeing will continue (just as it continues to happen on my Netgear router which also receives a /64 allocation on its WAN interface). We are talking about the router's WAN interface, not its LAn interface which indeed should have a /64 allocation and subnet.

When set to DHCP6, pfsenses assumes asking for a /128 allocation. The question in the LAN thread (»[IPv6] Seeing two different LAN side ranges) was addressed that it is showing /64 for the WAN subnet, which is correct.

The PD size was asked again in this thread, but yes that should be set to /64 as well. In pfsense you specify the PD size on the WAN page. LAN interfaces are then set as track interfaces.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

All,

Thanks for the clarification. As I'm still learning about IPv6, I got confused when I saw the note about /128. Seeing in pfsense I could only configure the size to be /64, I thought they were the same thing.

So, is it safe to assume that my configuration, as it was setup back in December, is still valid?

If it is, then how do we go about getting it to work again? I could reboot the modem, and my pfsense box, and that will probably fix things. However, how long will that fix last? Is there something else that is not configured correctly on my end that caused this? Or, is it something on Comcast's end that has broke, and someone who works for Comcast needs to fix something.

I'm willing to post any configuration, screen shot, or test anything I need to try to figure out what has stopped working. Just let me know what someone needs me to do, I'll do it.

Thanks in advance for any help that can be offered.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to plencnerb

I flashed the latest pfsense snapshot (pfSense-2.1-BETA1-512mb-i386-nanobsd-20130103-0639) to CF and tried it.

I left it entirely in the default configuration which aligns with the configuration others have tried here. It would not assign an IPv6 address to my Windows 7 machine which is set for DHCPv6.

The only way I could get IPv6 working was to statically assign an IPv6 address, gateway, and DNS server to my Windows 7 machine.

I'm back on m0n0wall which works fine with Comcast IPv6 DHCP-PD. The only odd thing is that its system log is flooded with RAs on the WAN interface.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

I left it entirely in the default configuration which aligns with the configuration others have tried here. It would not assign an IPv6 address to my Windows 7 machine which is set for DHCPv6.

Huh? The default config won't do PD. You need to set a track int on the LAN.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 recommendation

That's the way it came up here.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast

said by graysonf:

That's the way it came up here.

Oh awesome! Clearly there are some major code changes underway. Last time I tossed on a blank config was August.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Ok, so any thoughts on my issue? Should I reboot and see what happens?

Or, should I download and install the latest build, and see what that does?

Or, is there a setting that I need to modify?

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

See: »forum.pfsense.org/index.php/topi···sg306484



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

1 edit

Thanks!

Looks like I need to get a updated beta build of the 2.1 client.

I'll work on doing that this afternoon.

Once everything has been done, I'll test again and report back.

Edit: The post over there says to get one with a date of Jan 6th or later. Today is only the 5th! So, I have to wait a day I guess. No big deal. Now I have a project for tomorrow.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Yeah that was my thought as well. I'm actually here with my system today (I actually moved on the 1st and haven't really had a chance to mess with this) and thought "great, I'll do an update while I'm here, wait what day is today, damn only the 5th?" I'm heading out of town in the morning so it'll be at least a week before I can get to it now. I'm liking what I'm seeing though, looks promising.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to plencnerb

Click for full size
Well, I went and downloaded the file indicated by the arrow in the above picture.

Later today I'll burn that to CD, and install clean and see how things go.

I do have my notes about what I changed before to get things working. I'll make any new notes if those same changes need to be made, or if they are already configured by default.

Once everything is working (crosses fingers! ), I'll post back here with all the information.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

1 edit
reply to plencnerb

Click for full size
Dashboard Prior to upgrade
Click for full size
Interfaces Prior to upgrade
Click for full size
Dashboard After upgrade
Click for full size
Interfaces After upgrade
I went ahead and did a clean install of pfsense. The version information is below

2.1-BETA1 (i386)
built on Sun Jan 6 05:42:27 EST 2013
FreeBSD 8.3-RELEASE-p5

Good news is that everything is now working!

I also want to point out the difference in the WAN Interface screens. If you look at the one before the upgrade, the WAN Interface showed a Subnet mask IPv6 of "64". After moving to the new version, that value is now showing as "128", as indicated by the red arrows.

At this point, I have made ZERO changes to the configuration of pfSense (outside of changing the default admin password). Both IPv6 test sites now return 10/10, and the Comcast IPv6 Speed test site is working as well. I did some ping tests to known IPv6 sites, and they work. I also did a nslookup to that site, and returned both the IP and the name (depending on how I did the lookup) and that also worked without issue.

For reference, the changes that I made in the last version are below.

Add a WAN Rule for IPv6
Firewall --> Rules --> WAN
Action: Pass
Disabled: unchecked
Interface: WAN
TCP/IP Version: IPv6
Protocol: TCP
Source: No changes
Destination: No changes
Destination port range: No changes
Log: Unchecked
Description: Added to allow IPv6

Modify the IPv6 Configuration Type
Interfaces --> WAN
IPv6 Configuration Type: DHCP6

Again, I did not have to do either change. In regards to the IPv6 configuration type, it was already set as DHCP6. I also did not add the firewall rule on the WAN side as noted above, as things "appear" to be working without it.

If anyone has any questions, or needs to see any additional screens, let me know and I'll be happy to post them.

Interesting I just noticed that I "lost" the following two ISP DNS Servers
2001:558:feed::1
2001:558:feed::2

They were present under the WAN Interface prior to the install, and now they do not show up.

As I said, things "appear" to work without them, so I don't know if they are needed or not. However, I did want to point that out just in case I need to modify something to get them to show up again on the WAN Interface screen.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to plencnerb

There are some GUI issues with quickly back-porting to WIDE from ISC's DHCP6 client.

FWIW, I always shove the v6 DNS servers under System > General Setup.

2001:558:feed::1
2001:558:feed::2

I'd rather push v6 traffic over Comcast's network than v4 (but that's just me being a v6 nerd).



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to plencnerb

This now agrees with what I have here on working m0n0wall 1.8b, including the /128 WAN netmask and having a local link address for the IPv6 gateway.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

Good deal.

I also went ahead and added the two IPv6 DNS's under the General Setup so they now show up as well.

--Brian



PGHammer

join:2003-06-09
Accokeek, MD

1 recommendation

reply to plencnerb

Glad to hear.

Oddly enough, the SAME settings work with some routers *known* to support IPv6 (WNR1000v2 and WNDR37xx v3 and later - this may apply to Netgear's WNDR4xxx as well), because of issues with Auto-Detect/Auto-Config vs. explicit DHCP; I don't know whether it's a bug on Netgear's end or possibly the router is, in fact, doing what it's supposed to.

I have a WNDR3700 v4 (which replaced a Comcast-supplied WNR3500v1) due to router timeouts (on the WIRED side - utterly inexcusable) which I initially setup with Auto-Detect (first for IPv4, then for IPv6) - for IPv6, I got the 6to4 tunnel that is the default for routers that don't support either DHCP6-PD or 6RD (neither of which is listed on the WNDR3700's spec sheet or documentation). However, there IS a setting for DHCP under Advanced Setup->IPv6 - just for grinz/lulz, I used it. *Bang.* I now have the *correct* IPv6 range, and I'm no longer using a tunnel.

Add this router to the explicit support list with the following note: DHCPv6 must be turned on via Advanced Setup->IPv6 - this is disabled by default.