whfsdude (to graysonf)

Re: [IPv6] Seeing two different LAN side ranges

said by graysonf:
Windows has what are called Temporary IPv6 addresses which change with every reboot or restart of the network. I find them annoying because they are the source address of your connection. I prefer a more static IPv6 address. See here if you want to disable that: RFC 4941.

Enabled by default on OS X as well. Technically you can still use the SLAAC address, but traffic will be sourced via the PE-generated address unless an incoming connection on the SLAAC address is established.
|
JoelC707 (to whfsdude)

I've run the ipv6 reset commands and also disabled the temp address generation, and it wants a reboot. Be right back...
|
whfsdude (to JoelC707)

said by JoelC707:
No idea how I would change the DUID (though I can certainly look it up), and even so I can't see why it would change. I am spoofing the WAN MAC to maintain my original IPv4 address after I changed hardware for the firewall a while ago. Maybe somehow the real MAC is coming through, but even still, there's only one real and one spoofed MAC so I should theoretically only see two different PD prefixes? This makes the fourth PD prefix I've seen in just two days.

Or pfSense lost, gained or changed an interface and is using that interface to base the DUID on. Wish you could specify a static DUID (for dhcp6.conf) in the pfSense interface.
|
JoelC707 (to whfsdude)

Still have a "19" address on my desktop.

Given the Bellsouth circuit is PPPoE, doesn't pfSense "transform" that interface or something? After all, its "name" is "pppoe0" now, not xl0 like the actual adapter is. Maybe it's basing it off that instead?

I've run Wireshark before but it's been a while. I believe pfSense has support for mirroring an interface for packet capture and so should my switches. If you want me to capture anything, let me know what you want captured, from where (what ports mirrored, if any) and what you want me to "do" while it is capturing.
|
whfsdude (to JoelC707)

You only have 'DHCP6' set on the 'Comcast/WAN' int, correct?
You should be getting only one /64 on the LAN.
|
|
JoelC707 (2012-Dec-26 10:59 pm)

Yeah, DHCP6, PD 64. LAN is tracking WAN and ID is 0. I'm only getting one /64 at a time. My desktop is actually the only place I've ever seen two different subnets show up at the same time.
|
whfsdude (to JoelC707)

Probably not that helpful at all on my part, but the screenshot you provided of the interfaces looks good. I really think the next course of action is to grab some pcaps via the web interface when you're trying to browse/access v6. Packet captures from both the WAN and LAN ints would be super helpful. Ideally you can put them on » www.cloudshark.org/ if you don't mind a few prying eyes.
|
JoelC707 (2012-Dec-26 11:30 pm)

Given my desktop still has the "19" address, I can't do anything useful with v6 (and I checked other machines on my network, all still have the 19 addresses). Still, I did try to ping6 google.com while the two captures were running (it of course failed).

WAN side capture: » www.cloudshark.org/captu ··· e0c66cb1
LAN side capture: » www.cloudshark.org/captu ··· 3c9319a1

Also uploaded raw capture files.

Edit: just realized I had it limited to 100 packets. Want me to recapture with no limit?
|
whfsdude (to JoelC707)

I see the problem (oh how pcaps make things easier)! See the RA, notice it has the different prefix "19" on the 48th nibble. It's coming from the LAN int so clearly there is a config not showing in the pfSense GUI that needs to be blown away.
» willscorner.net/t/ra.png
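What whfsdude is pointing at in the LAN capture is an ICMPv6 Router Advertisement whose Prefix Information option still carries the old "19" prefix. The following is an added example, not code from the thread or from pfSense: a parser for the RA fixed header and its options (RFC 4861) that lists the advertised prefixes with their L/A flags and reports any prefix that falls outside the prefix the router was actually delegated. The packet is constructed inside the block from the two prefixes quoted in the thread ("19" advertised, "1d" delegated); the router MAC, lifetimes and the zeroed, unverified checksum are placeholder values.

```python
"""Parse an ICMPv6 Router Advertisement and flag prefixes the router
should not be announcing.

Added example; this is not code from the thread or from pfSense. The RA
bytes are constructed here for illustration (the ICMPv6 checksum is left
as zero and is not verified), using the prefix values quoted in the
thread. Layouts follow RFC 4861 (RA header, Source Link-Layer Address
option type 1, Prefix Information option type 3).
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1
OPT_PREFIX_INFO = 3


def parse_router_advertisement(payload: bytes) -> dict:
    """Decode the ICMPv6 payload (fixed header plus options) of an RA.

    Returns the header flags, the router's source MAC if present and a
    list of Prefix Information options. Raises ValueError on malformed
    input instead of guessing.
    """
    if len(payload) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    typ, code, _csum, hop_limit, flags, router_lt, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement (type={typ}, code={code})")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),  # M: get addresses via DHCPv6
        "other": bool(flags & 0x40),    # O: get other config via DHCPv6
        "router_lifetime": router_lt,
        "source_mac": None,
        "prefixes": [],
    }
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")  # RFC 4861 4.6: discard
        end = off + olen * 8  # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("option runs past end of packet")
        body = payload[off + 2:end]
        if otype == OPT_PREFIX_INFO:
            if olen != 4:
                raise ValueError("Prefix Information option must be 32 bytes")
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix_int = int.from_bytes(body[14:30], "big")  # skip 4 reserved bytes
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((prefix_int, plen), strict=False),
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: hosts may SLAAC from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        elif otype == OPT_SOURCE_LLADDR and olen == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        off = end
    return ra


def wrong_prefixes(ra: dict, delegated: str) -> list:
    """Advertised prefixes that do not fall inside the delegated prefix."""
    want = ipaddress.IPv6Network(delegated)
    return [str(p["prefix"]) for p in ra["prefixes"] if not p["prefix"].subnet_of(want)]


def build_router_advertisement(prefix: str, plen: int = 64,
                               mac: bytes = b"\x00\x11\x22\x33\x44\x55") -> bytes:
    """Construct a minimal RA with one Prefix Information option (sample data)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         64, 0x00, 1800, 0, 0)
    lladdr = struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + mac
    net = ipaddress.IPv6Network(f"{prefix}/{plen}")
    # L and A set (0xC0); valid 30 days, preferred 7 days, 4 reserved bytes.
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    return header + lladdr + pio


# Constructed sample: the LAN is still announcing the old "19" prefix from
# the thread while the delegation has moved to "1d".
SAMPLE_RA = build_router_advertisement("2601:0:ac40:19::")
DELEGATED = "2601:0:ac40:1d::/64"

if __name__ == "__main__":
    ra = parse_router_advertisement(SAMPLE_RA)
    for p in ra["prefixes"]:
        print(p["prefix"], "A" if p["autonomous"] else "-", "L" if p["on_link"] else "-")
    print("stale prefixes:", wrong_prefixes(ra, DELEGATED))
```

On a real capture, a tcpdump filter such as `icmp6 and ip6[40] == 134` selects Router Advertisements (ICMPv6 type 134) when no extension headers sit between the IPv6 header and ICMPv6; the ICMPv6 payload of each matching packet is what `parse_router_advertisement` expects. A prefix with the A flag set is exactly what makes hosts keep forming SLAAC addresses from a stale prefix, which is why the desktop in this thread kept its "19" address after the delegation changed.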
|
whfsdude (to JoelC707)

I would suggest a good way to get rid of this config.
1. Disable v6 on the LAN int, apply.
2. Reboot pfSense.
3. Re-enable v6 on the LAN int (the track int, prefix id 0).
4. Reboot once more.
If that doesn't do it, not sure what will.
|
JoelC707 (2012-Dec-26 11:48 pm)

Will do in a few, thanks!
|
JoelC707 (to whfsdude)

WTF? OK, did as you instructed and upon the second reboot I'm watching the console screen behind me and I see the following address on LAN: 2601:0:ac40:1d::1. I immediately refresh the web GUI page and get to the console (mere seconds after successful boot), and I see a different address. The address displayed on the web GUI is "1e", not "1d".

My desktop still has the old "19" address but now also has a "1d" address too. I've run a reset on it and will reboot in a minute and provide new screenshots and such of what I'm seeing now.
|
JoelC707 (2012-Dec-27 12:22 am)

New screenshots. Desktop now has a "1d" address but that does me no good if the LAN of pfSense has changed to "1e". I even took a pic of the local console just to show I'm not crazy in seeing a "1d" address on LAN lol.
|
JoelC707 (2012-Dec-27 12:29 am)

And packet captures.
LAN: » www.cloudshark.org/captu ··· cc742aa5
WAN: » www.cloudshark.org/captu ··· 764663a7
I tried the same ping6 to google.com while the capture was running on each interface. I also set the packet limit to 0 instead of 100.
|
whfsdude (to JoelC707)

Well that is no good :-/ We did manage to get somewhere tonight. We know pfSense is advertising the wrong prefix but don't know why.
Next thing is to look at the raw config files and see what pfSense is really doing. I will dig up those locations for you tomorrow (need to catch some sleep).
If anyone else wants to jump in - dhcp6 config locations and the rtadvd or radvd config location on pfSense would be awesome.
|
whfsdude (to JoelC707)

You might want to PM NetDog as well to get a second opinion. He'll love the pcaps.
|
JoelC707 (to whfsdude)

I suspect it might have something to do with the changing prefix. It's advertising the first prefix and whatever does that advertising doesn't realize it's changing. This of course wouldn't be an issue if it didn't change lol. Yeah, I'm heading to bed too. Thanks for your help.
|
Extide (to whfsdude)

I think most of the configs in pfSense are in /var/etc
|
JoelC707 (2012-Dec-27 7:19 pm)

Adding DHCP6 WAN side leases per request (at least what I think is the requested file). I found this file in the same /var/etc/ that the radvd.conf file is in. I appear to have also found the DUID in this file too.
default-duid "\000\001\000\001\030n\223\263\000\024\"\020\366\233";
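The `default-duid` line above is an ISC-style octal-escaped byte string, and a DUID of type 1 (DUID-LLT) embeds a generation timestamp and a link-layer address, which is the quickest way to tell whether the DUID survived a reboot or was freshly minted. The following is an added example, not code from the thread or from pfSense: it unescapes the lease-file string and splits the DUID into its RFC 8415 fields (DUID-LLT, DUID-EN, DUID-LL). The sample string is copied verbatim from the post; the escaping rules assumed are the ISC convention (three-digit octal escapes, backslash before quotes and backslashes).

```python
"""Decode an ISC-style octal-escaped DHCPv6 DUID, such as the
`default-duid "..."` line quoted from the pfSense lease file above.

Added example; not code from the thread or from pfSense. It assumes the
ISC lease-file escaping (three-digit octal escapes for non-printable
bytes, a backslash before quotes and backslashes) and the DUID layouts of
RFC 8415: DUID-LLT (type 1), DUID-EN (type 2), DUID-LL (type 3).
"""
import struct
from datetime import datetime, timedelta, timezone

# DUID-LLT time: seconds since 2000-01-01 00:00:00 UTC, modulo 2**32.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

# Copied verbatim from the lease-file line quoted in the thread.
SAMPLE_DUID = r'\000\001\000\001\030n\223\263\000\024\"\020\366\233'


def unescape_isc(s: str) -> bytes:
    """Turn the body of an ISC escaped string literal into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != "\\":
            out.append(ord(s[i]))
            i += 1
            continue
        octal = s[i + 1:i + 4]
        if len(octal) == 3 and all(ch in "01234567" for ch in octal):
            out.append(int(octal, 8))  # bytearray rejects values above \377
            i += 4
        elif i + 1 < len(s):
            out.append(ord(s[i + 1]))  # \" or \\
            i += 2
        else:
            raise ValueError("dangling backslash at end of string")
    return bytes(out)


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_duid(raw: bytes) -> dict:
    """Split a DUID into its fields; unknown types are returned as hex only."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    (dtype,) = struct.unpack("!H", raw[:2])
    info = {"type": dtype, "hex": raw.hex(":")}
    if dtype == 1:  # DUID-LLT: hw type (2), time (4), link-layer address
        if len(raw) < 8:
            raise ValueError("DUID-LLT truncated")
        hwtype, secs = struct.unpack("!HI", raw[2:8])
        generated = DUID_EPOCH + timedelta(seconds=secs)
        info.update(kind="DUID-LLT", hwtype=hwtype,
                    generated=generated.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    lladdr=_mac(raw[8:]))
    elif dtype == 2:  # DUID-EN: enterprise number (4), opaque identifier
        if len(raw) < 6:
            raise ValueError("DUID-EN truncated")
        (enterprise,) = struct.unpack("!I", raw[2:6])
        info.update(kind="DUID-EN", enterprise=enterprise, identifier=raw[6:].hex())
    elif dtype == 3:  # DUID-LL: hw type (2), link-layer address
        if len(raw) < 4:
            raise ValueError("DUID-LL truncated")
        (hwtype,) = struct.unpack("!H", raw[2:4])
        info.update(kind="DUID-LL", hwtype=hwtype, lladdr=_mac(raw[4:]))
    else:
        info["kind"] = "unknown"
    return info


if __name__ == "__main__":
    for k, v in decode_duid(unescape_isc(SAMPLE_DUID)).items():
        print(f"{k:>10}: {v}")
```

For the string quoted in the post this yields a DUID-LLT with hardware type 1 (Ethernet), link-layer address 00:14:22:10:f6:9b and a generation time of 2012-12-27 05:05:55 UTC, which can be set against the reboot times posted in the thread. Running the same decode on the lease file before and after a reboot and comparing the time field is a direct way to confirm or rule out the suspicion that a new DUID is being created on every boot; a DUID that is regenerated is, from the ISP's DHCPv6 server's point of view, a brand-new client, which is consistent with a fresh prefix delegation each time.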
|
JoelC707 (2012-Dec-28 10:43 pm)

Alright, update time. I've spent nearly the entire day renumbering my LAN and getting all of my local servers to cooperate again. I noticed something interesting though during this process. I discovered I only had the "1e" address on several systems, not both "1e" and "1d". Sure enough, a few systems could obtain 10/10 on test-ipv6.com. It's been flaky though; like right now I'm done with everything but my desktop won't pass the test, yet I can ping whfsdude's server just fine.

For clarification, I have done nothing regarding this issue since grabbing the config file screenshots on the 27th. All the renumbering today was IPv4 and was local only. And even then it wasn't technically renumbering because I didn't change the subnet, just reordered everything into a logical order and logged it all in Excel instead of having stuff on random addresses.

I have not talked with NetDog since then either, so I do not know if they uncovered something or maybe the old PD finally expired and I'll be back at square one next time I reboot the firewall. Either way, it looks like I'm making some progress somehow lol. And for now, I am going to head to bed.
|
whfsdude (to JoelC707)

I will be around for most of tomorrow. If you're free we can hammer through this.
|
NetDog (2012-Dec-31 12:23 pm)

Quick update: asked JoelC707 via email for the device and firmware version. I need to recreate this in the lab; we are seeing odd things in the sniffer traces.
|
whfsdude (2012-Dec-31 5:10 pm)

said by NetDog:
Quick update, asked JoelC707 via email for the device and firmware version. I need to recreate this in the LAB we are seeing odd things in the sniffer traces.

I worked with JoelC707 last week. I was able to get it working but not post reboot.
1. Turn off v6 on the track int (LAN int).
2. Turn off dhcp6 on WAN.
3. rm the v6 lease file, touch a new one.
4. Enable dhcp6 on WAN.
5. Enable PD on the track int.
The dhcp6 lease file will now be correct and the RA is announced correctly. However, this does not hold across reboot. I am guessing a new DUID is getting created every reboot, which is odd. I haven't had time to investigate further.
|
JoelC707 (2013-Jan-12 11:58 pm)

Alright, update time. Finally able to update to a newer release (I'm on the Jan 12 00:36:42 release) and see what I get. I'm seeing a /128 on the WAN side now (not that I think that really mattered). I'm seeing a different PD subnet on LAN and, somewhat annoyingly, it didn't assign itself the ::1 address; it assigned one based on the MAC address. whfsdude, if you want to log in to SSH/web and poke around, everything is still up and running as before. One of my VM workstations is seeing the new and old subnet but has the old pfSense address for DNS. I haven't rebooted it yet or anything but it's looking better. Gonna reboot that VM system again and see what happens. If I can get it to go online with an IPv6 address I'll reboot pfSense and see what happens there.
|
JoelC707 (2013-Jan-13 12:43 am)

Rebooted the VM workstation and I see only the new subnet: 2601:0:ac00:3e:: and can get 10/10 on test-ipv6.com. Rebooted pfSense and I maintained the same PD subnet, the LAN address has gone to ::1 (not that big of a deal, it's just easier to remember) and I still am able to surf and get 10/10 using IPv6 on the VM workstation. So far so good. I dare say it might be solved. Anyone want screenshots of anything?
|