
JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude

Re: [IPv6] Seeing two different LAN side ranges

I've still got the tab open. Here's the tech info page.


NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:79

1 edit

1 recommendation

reply to JoelC707
Ping me if you need any help on this thread.. working on some other router vendor issues right now taking up a lot of my time.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

1 recommendation

Thanks! I've been burning a bunch of DVDs for a friend that's supposed to come over later today so that's been taking up all my time today. I'm going to try upgrading the firewall soon (probably this evening). If that doesn't solve it, I've got existing plans to take my network down for some local server maintenance over the weekend and will lump a rebuild of the firewall from scratch into that.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
OK, pfSense is now at the Dec 26 12:02:01 EST release. I have yet another IPv6 subnet again. The console still shows the old "19" address I had last (though I'm sure if I do something to make it refresh it will update). The dashboard and SSH show 2601:0:ac00:5c::1 for LAN side. My PC on the other hand, even after a reboot and release/renew is hanging on to the old "19" addresses for dear life.

So how do I get it to actually let go of the old addresses and pick up the new ones? Is it supposed to change this often?


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
What OS is your PC?

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Windows 7 x64. I see now there's release6 and renew6 but those (like regular release/renew) only appear to work for DHCP and not RA assigned addresses. I also just tried disabling/enabling the adapter with no luck.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
I'm on a mobile device at the moment so I will keep this short.

Your PD prefix should remain constant unless the DUID changes or you move to a different CMTS (unlikely). The DUID is based off the MAC address of the primary interface unless manually specified. So it's likely pfsense's internals did something and the DUID changed.

Keep in mind the DUID is usually a per OS thing (not per nic).

OT-protip: Windows admins, change DUID if you image as you don't want multiple DUIDs that are the same on the network.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
Reviews:
·Comcast
reply to JoelC707
7x64 here too, among others.

I would reset the Windows 7 IPv6 configuration to see if that helps.

From a command prompt with admin privileges:

netsh interface ipv6 reset

Then run ipconfig /all and post the results.

Windows has what are called Temporary IPv6 addresses which change with every reboot or restart of the network. I find them annoying because they are the source address of your connection. I prefer a more static IPv6 address. See here if you want to disable that:

»blackundertone.wordpress.com/201···dresses/


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
said by JoelC707:

Windows 7 x64. I see now there's release6 and renew6 but those (like regular release/renew) only appear to work for DHCP and not RA assigned addresses. I also just tried disabling/enabling the adapter with no luck.

The address should depref. and then depreciate when enough time has passed after not receiving an RA. I don't know much about the Windows stack but I assume that would be once it can no longer reach the router. (Max time would be AdvDefaultLifetime)

If you are still getting RAs for that prefix, you have a problem. I recommend Wireshark.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude
No idea how I would change the DUID (though I can certainly look it up), and even so I can't see why it would change. I am spoofing the WAN MAC to maintain my original IPv4 address after I changed hardware for the firewall a while ago. Maybe somehow the real MAC is coming through but even still, there's only one real and one spoofed MAC so I should theoretically only see two different PD prefixes? This makes the fourth PD prefix I've seen in just two days.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to graysonf
said by graysonf:

Windows has what are called Temporary IPv6 addresses which change with every reboot or restart of the network. I find them annoying because they are the source address of your connection. I prefer a more static IPv6 address. See here if you want to disable that:


RFC 4941. Enabled by default on OS X as well. Technically you can still use the SLAAC address but traffic will be sourced via PE generated address unless an established incoming connection on SLAAC is made.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude
I've run the ipv6 reset commands and also disabled the temp address generation and it wants a reboot. Be right back...


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
said by JoelC707:

No idea how I would change the DUID (though I can certainly look it up), and even so I can't see why it would change. I am spoofing the WAN MAC to maintain my original IPv4 address after I changed hardware for the firewall a while ago. Maybe somehow the real MAC is coming through but even still, there's only one real and one spoofed MAC so I should theoretically only see two different PD prefixes? This makes the fourth PD prefix I've seen in just two days.

Or pfsense lost, gained, changed an interface and is using that interface to base the DUID. Wish you could specify a static DUID (for dhcp6.conf) in the pfsense interface.


whfsdude
Premium
join:2003-04-05
Washington, DC
reply to JoelC707

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude
Still have a "19" address on my desktop.

Given the Bellsouth circuit is PPPoE, doesn't pfSense "transform" or something that interface or something? After all its "name" is "pppoe0" now, not xl0 like the actual adapter is. Maybe it's basing it off that instead?

I've run Wireshark before but it's been a while. I believe pfSense has support for mirroring an interface for packet capture and so should my switches. If you want me to capture anything let me know what you want captured, from where (what ports mirrored, if any) and what you want me to "do" while it is capturing.


whfsdude
Premium
join:2003-04-05
Washington, DC
reply to JoelC707
You only have 'DHCP6' set on the 'Comcast/WAN' int, correct?

You should be getting only one /64 on the LAN.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

1 recommendation

Yeah, DHCP6, PD 64. LAN is tracking WAN and ID is 0.

I'm only getting one /64 at a time. My desktop is actually the only place I've ever seen two different subnets show up at the same time.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
Probably not that helpful at all on my part but the screenshot you provided of the interfaces looks good.

I really think the next course of action is to grab some pcaps via the web interface when you're trying to browse/access v6. Packet captures from both the WAN and LAN ints would be super helpful.

Ideally you can put them on »www.cloudshark.org/ if you don't mind a few prying eyes.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

1 recommendation

Given my desktop still has the "19" address, I can't do anything useful with v6 (and I checked other machines on my network, all still have the 19 addresses). Still, I did try to ping6 google.com while the two captures were running (it of course failed).

WAN side capture: »www.cloudshark.org/captures/81dbe0c66cb1
LAN side capture: »www.cloudshark.org/captures/da873c9319a1

Also uploaded raw capture files.

Edit: just realized I had it limited to 100 packets. Want me to recapture with no limit?


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
I see the problem (oh how pcaps make things easier)! See the RA, notice it has the different prefix "19" on the 48th nibble. It's coming from the LAN int so clearly there is a config not showing in the pfsense GUI that needs to be blown away.

»willscorner.net/t/ra.png
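
The check made by eye in the capture above, as an added example (not code from the thread or from pfSense): parse the Prefix Information options of a Router Advertisement as laid out in RFC 4861 and flag any prefix that differs from the one the LAN interface currently holds. The 2001:db8 prefixes and the `build_ra` helper are constructed for illustration; in practice the bytes would come from the ICMPv6 payload of a captured RA.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type, RFC 4861 section 4.2
OPT_PREFIX_INFO = 3      # Prefix Information option, RFC 4861 section 4.6.2

def ra_prefixes(icmp6: bytes):
    """Return [(network, valid_lifetime, preferred_lifetime)] from one RA."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    found, pos = [], 16  # options follow the fixed 16-byte RA header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, _flags, valid, pref = struct.unpack_from("!BBII", icmp6, pos + 2)
            prefix = ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])
            net = ipaddress.IPv6Network((prefix, plen), strict=False)
            found.append((net, valid, pref))
        pos += opt_len
    return found

def stale_prefixes(icmp6: bytes, expected: str):
    """Prefixes advertised with a non-zero valid lifetime that are not the expected one."""
    want = ipaddress.IPv6Network(expected)
    return [str(net) for net, valid, _ in ra_prefixes(icmp6) if valid > 0 and net != want]

def build_ra(prefix: str, valid=86400, preferred=14400) -> bytes:
    """Constructed sample RA carrying a single Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, valid, preferred, 0)
    return header + option + net.network_address.packed

if __name__ == "__main__":
    # Constructed case: the router's LAN holds ...:1e::/64 but the RA carries ...:1d::/64
    ra = build_ra("2001:db8:0:1d::/64")
    print(stale_prefixes(ra, "2001:db8:0:1e::/64"))
```

A prefix withdrawn properly shows up with a valid lifetime of 0 and is not reported; one that keeps arriving with a non-zero lifetime is what keeps hosts holding the old address.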


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
I would suggest a good way to get rid of this config.

1. Disable v6 on the LAN int, apply.
2. Reboot pfsense.
3. Re-enable v6 on LAN int (the track int, prefix id 0).
4. Reboot once more.

If that doesn't do it, not sure what will.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
Will do in a few, thanks!

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude
WTF? OK, did as you instructed and upon reboot the second time I'm watching the console screen behind me and I see the following address on LAN 2601:0:ac40:1d::1. I immediately refresh the web gui page and get to the console (mere seconds after successful boot), and I see a different address. The address displayed on the webgui is "1e", not "1d".

My desktop still has the old "19" address but now also has a "1d" address too. I've run a reset on it and will reboot in a minute and provide new screenshots and such of what I'm seeing now.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
 
New screenshots. Desktop now has a "1d" address but that does me no good if the LAN of pfSense has changed to "1e". I even took a pic of the local console just to show I'm not crazy in seeing a "1d" address on LAN lol.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
And packet captures.

LAN: »www.cloudshark.org/captures/5f18cc742aa5
WAN: »www.cloudshark.org/captures/b2bf764663a7

I tried the same ping6 to google.com while the capture was running on each interface. I also set the packet limit to 0 instead of 100.


whfsdude
Premium
join:2003-04-05
Washington, DC
Reviews:
·Comcast
reply to JoelC707
Well that is no good :-/ We did manage to get somewhere tonight. We know pfsense is advertising the wrong prefix but don't know why.

Next thing is to look at the raw config files and see what pfsense is really doing. I will dig up those locations for you tomorrow (need to catch some sleep).

If anyone else wants to jump in - dhcp6 config locations and rtadvd or radvd config location on pfsense would be awesome.


whfsdude
Premium
join:2003-04-05
Washington, DC
reply to JoelC707
You might want to pm NetDog as well to get a second opinion. He'll love the pcaps.

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5
reply to whfsdude
I suspect it might have something to do with the changing prefix. It's advertising the first prefix and whatever does that advertising doesn't realize it's changing. This of course wouldn't be an issue if it didn't change lol. Yeah, I'm heading to bed too. Thanks for your help.

Extide

join:2000-06-11
84129
reply to whfsdude
I think most of the configs in pfsense are in /var/etc

JoelC707
Premium
join:2002-07-09
Lanett, AL
kudos:5

1 edit
reply to whfsdude
[Screenshots attached: dhclient6-script 1, dhclient6-script 2, dhclient6-script 3, dhclient6-script 4, radvd-conf, pfSense ifconfig]
OK I found radvd.conf in /var/etc/ and WAN side dhcp6 config files. The dhcp/dhcp6 files basically just define what interface it's on and call a script in /sbin/. I took screen shots of the radvd.conf file and the script file.

Scanning through the script file, I was looking for where it defines things like "old_IPv6" and "new_ipv6" and it references files in /var/db/ so I went and took a look. There are two files of note: bge1_ipv6 and bge1_pd_ipv6. The first file has the 2001: address in it, the second file has the 2601: "1e" address in it.

Edit: adding a SS of ifconfig from SSH. It's showing both the "1d" and "1e" prefixes on bge0 (LAN).