

whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

Re: [IPv6] Seeing two different LAN side ranges

said by JoelC707:

I assume you mean Netflix? Funny you mention that though, they had some funky outage last night. Our 4 year old fell asleep at 8-9 or so and woke up at about 11. Couldn't get her to go back to sleep till after 2 (and we didn't want to go to sleep until she did, just in case lol). Netflix on the TV kept failing to connect.

Yeah - bit me as I was trying to watch Arrested Development last night. It was related to the Amazon AWS' elastic load balancer. Netflix uses Amazon for everything but the actual streaming part of their service. Browsing and selecting movies is done via AWS instances.

»gigaom.com/video/netflix-down-xmas-eve/

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

1 recommendation

reply to whfsdude

It scrolls past at a pretty good rate so I'm not sure if I could catch anything in a screen shot. I think what I'll do then is reboot pfSense as soon as I can and see if that solves it now that we have everything else squared away.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

Interesting info. I never knew Netflix used Amazon's services for their infrastructure. Makes sense the actual streaming would still come from Netflix since Amazon has a competing product but there's nothing stopping Netflix or another provider from leveraging Amazon's massive server infrastructure.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

Rebooted pfSense. No change

Here's something. What snapshot are you or anyone else running? I'm on the latest (Dec 19th) snap, but you or someone mentioned in another thread I read that a regression is always possible. Maybe I need to downgrade. It'll mean recreating a bunch of firewall rules but I could just blow away and recreate it from scratch (might have to do that anyway if I downgrade as I don't know what importing config settings would do).

I'm really at a loss here. I don't know if it's pfSense or my network. I've used IPv6 before via a HE tunnel so nothing funky in the switches or anything should be messing with it. They are web managed switches (one D-Link, one Dell) but I haven't seen anything IPv6 related in them.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

2.1-BETA1 (amd64)
built on Wed Dec 19 15:46:29 EST 2012
FreeBSD 8.3-RELEASE-p5

But I'm not running PD anymore as I've got all static ranges

The only other suggestion I can think of is when you allowed any traffic on the "Comcast" firewall rule, was it also set to IPv4+IPv6?



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to JoelC707

There are more recent snapshots here:

»snapshots.pfsense.org/FreeBSD_RE···?C=M;O=D


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

I started with that image you're using, another got released a few hours later (mine has 19:19:47 as the time stamp) and I upgraded to it. For that matter, would an upgrade have broken this?

The Comcast "any any" rule was IPv6 only. I have re-enabled it and it made no difference.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to graysonf

Aha it was set to check against the release server not the snapshots server. I just assumed they took a break from updates for Christmas or something. Before I contemplate blowing this away and starting fresh, I'm gonna try an update and see what I can make it do with a newer snapshot (at least with an update I don't have to recreate a bunch of rules and such lol).



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

You can save your current configuration file at any time and restore it later into your next install. No need to recreate anything from scratch.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Yeah but I'm worried there might be something hidden that is messing this up and restoring the config would restore the fault too. I guess I don't really see what that might be since everything else says it should be working but I'm stumped at this point.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Maybe you should consider a simpler product just to see if it will configure IPv6 correctly for you. If it won't, then the problem lies on Comcast's side and you are spinning your wheels.

I run m0n0wall here, the product that was forked to form pfsense.

It might take you ten minutes to try it. I can paste screenshots of the configuration for you if you want them.

Tell me more about what type of pfsense install you are running and I'll point you to the right m0n0wall image.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Good point. This could all be some bug in pfSense that has come up. The IPv6 forum at pfSense.com is filled with Comcast IPv6 questions. I haven't even connected it direct to my desktop to test it direct (though considering I can ping from the firewall I suspect it will work connected direct to my desktop).

I've considered Untangle as well and have seen m0n0wall though I've never used either. I have two WAN circuits, one being PPPoE DSL, the other Comcast. It's being used for just a basic internet router/firewall. I have used HAVP (inline virus scanner) and played around with snort but do not use either currently. Nothing special really



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

m0n0wall doesn't handle multi-WAN. But it still would be worth trying on your Comcast circuit.

I suggest the Live-CD with a floppy or USB stick to store the configuration. Nothing to install, just try it and see what happens.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to JoelC707

said by JoelC707:

I haven't even connected it direct to my desktop to test it direct (though considering I can ping from the firewall I suspect it will work connected direct to my desktop).

I would highly suggest doing that. It should only take a few minutes to pull your pfsense box out of the mix, and plug a device (desktop or laptop) directly into your modem and verify that IPv6 is fully working in your area.

That will help rule out any issues on Comcast's side.

For me, that was the first thing I did. Once I knew I was getting a real IPv6 IP from Comcast, and could do pings, trace routes, and the IPv6 test sites came back with a 10/10 score, I knew it was time to configure pfsense.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to graysonf

It's certainly worth a try, just with the Comcast circuit but yeah if no support for multi-wan then that's a no-go for me as a permanent solution. That may be why I went with pfSense instead of m0n0 at first because I've been using pfSense since the 1.2.1 days lol.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to plencnerb

I confirmed with NetDog that my CMTS was IPv6 enabled before beginning this adventure but alas what should work and what actually happens are sometimes two entirely different things LOL. Regardless, I should try that and see what happens.

Though I did note in the thread you pointed me to, your IPv6 IP shown was a 2001: address. If the PD provided 2601: address is the source of the issue, I may very well be able to connect the modem direct to my computer and get IPv6 connectivity and then turn around and still not get it to work with pfSense.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

If it were an issue of the PD not being routed properly, we wouldn't be able to ping it (we can ping both WAN and PD addresses).

I'm 99% certain the issue lies with pfsense.

Might also want to grab the active rules pfsense is using.

via CLI
cat /tmp/rules.debug

Edit:
Also post a traceroute6 from both the router and the client computer.

You can use one of my boxes as the target.
v6.znc.0x1a4.com


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Rules.debug is too large for the window in putty, I won't be able to SS all of it. What's an easy way to download a copy of that file and I'll just post it here?

Side note, I discovered my subnet changed again. Now I'm on "19" yet my desktop (which was JUST rebooted thanks to an accidental brush of the power button) still has the "9" subnet. What's up with that?

Whoa. I'll be damned. I can tracert to you from my desktop. This, despite my desktop still having a "9" IPv6 address and thinking "9::1" is its gateway. WTH? Oh and I think traceroute6 is broken in pfSense. Even from the shell it's apparently "stuck" and not going anywhere.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Hmmm.... progress? Somewhat good, somewhat bad.

I appear to have SOME connectivity now but it's still kinda broken (it's more than I've had before).

I can also ping6 you from my desktop but still can't ping6 Google's IPv6 DNS.


whfsdude
Premium
join:2003-04-05
Washington, DC

Can you re-run the IPv6 test page and bring up technical info?

The large packet indicates path mtu problems still.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

I've still got the tab open. Here's the tech info page.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:77

1 edit

1 recommendation

reply to JoelC707

Ping me if you need any help on this thread.. working on some other router vendor issues right now taking up a lot of my time.


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

1 recommendation

Thanks! I've been burning a bunch of DVDs for a friend that's supposed to come over later today so that's been taking up all my time today. I'm going to try upgrading the firewall soon (probably this evening). If that doesn't solve it, I've got existing plans to take my network down for some local server maintenance over the weekend and will lump a rebuild of the firewall from scratch into that


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

OK, pfSense is now at the Dec 26 12:02:01 EST release. I have yet another IPv6 subnet again. The console still shows the old "19" address I had last (though I'm sure if I do something to make it refresh it will update). The dashboard and SSH show 2601:0:ac00:5c::1 for LAN side. My PC on the other hand, even after a reboot and release/renew is hanging on to the old "19" addresses for dear life.

So how do I get it to actually let go of the old addresses and pick up the new ones? Is it supposed to change this often?



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

What OS is your PC?


JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

Windows 7 x64. I see now there's release6 and renew6 but those (like regular release/renew) only appear to work for DHCP and not RA assigned addresses. I also just tried disabling/enabling the adapter with no luck.



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

I'm on a mobile device at the moment so I will keep this short.

Your PD prefix should remain constant unless the DUID changes or you move to a different CMTS (unlikely). The DUID is based off the MAC address of the primary interface unless manually specified. So it's likely pfsense's internals did something and the DUID changed.

Keep in mind the DUID is usually a per OS thing (not per nic).

OT-protip: Windows admins, change DUID if you image as you don't want multiple DUIDs that are the same on the network.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to JoelC707

7x64 here too, among others.

I would reset the Windows 7 IPv6 configuration to see if that helps.

From a command prompt with admin privileges:

netsh interface ipv6 reset

Then run ipconfig /all and post the results.

Windows has what are called Temporary IPv6 addresses which change with every reboot or restart of the network. I find them annoying because they are the source address of your connection. I prefer a more static IPv6 address. See here if you want to disable that:

»blackundertone.wordpress.com/201···dresses/



whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707

said by JoelC707:

Windows 7 x64. I see now there's release6 and renew6 but those (like regular release/renew) only appear to work for DHCP and not RA assigned addresses. I also just tried disabling/enabling the adapter with no luck.

The address should depref. and then deprecate when enough time has passed after not receiving an RA. I don't know much about the Windows stack but I assume that would be once it can no longer reach the router. (Max time would be AdvDefaultLifetime)

If you are still getting RAs for that prefix, you have a problem. I recommend Wireshark.
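
The check suggested above (is the router still sending RAs for the old prefix?), as an added example that is not part of the original post: a Python parser for the Prefix Information options in a captured ICMPv6 Router Advertisement. The 2001:db8 documentation prefixes, the sample RA bytes and the function names are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option, always 32 bytes


def parse_ra_prefixes(icmp6):
    """Return (router_lifetime, prefixes) for one ICMPv6 RA message body."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack_from("!H", icmp6, 6)[0]
    prefixes, off = [], 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, flags, valid, preferred = struct.unpack_from("!BBII", icmp6, off + 2)
            net = ipaddress.IPv6Network((icmp6[off + 16:off + 32], plen), strict=False)
            prefixes.append({"prefix": str(net), "autonomous": bool(flags & 0x40),
                             "valid": valid, "preferred": preferred})
        off += opt_len
    return router_lifetime, prefixes


def leftover_prefixes(icmp6, current_prefix):
    """Prefixes still advertised as preferred that are not the current LAN prefix."""
    _, prefixes = parse_ra_prefixes(icmp6)
    return [p["prefix"] for p in prefixes
            if p["prefix"] != current_prefix and p["preferred"] > 0]


def build_sample_ra(entries):
    """Constructed input: RA bytes with one option per (prefix, valid, preferred)."""
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    for prefix, valid, preferred in entries:
        net = ipaddress.IPv6Network(prefix)
        ra += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                          valid, preferred, 0)
        ra += net.network_address.packed
    return ra


# Constructed sample: the router advertises its new /64 and also an old one.
SAMPLE_RA = build_sample_ra([("2001:db8:0:5c::/64", 86400, 14400),
                             ("2001:db8:0:19::/64", 86400, 14400)])
if __name__ == "__main__":
    print(leftover_prefixes(SAMPLE_RA, "2001:db8:0:5c::/64"))
```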

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

No idea how I would change the DUID (though I can certainly look it up), and even so I can't see why it would change. I am spoofing the WAN MAC to maintain my original IPv4 address after I changed hardware for the firewall a while ago. Maybe somehow the real MAC is coming through but even still, there's only one real and one spoofed MAC so I should theoretically only see two different PD prefixes? This makes the fourth PD prefix I've seen in just two days.