whfsdude (Premium Member, join:2003-04-05, Washington, DC) to graysonf

Re: [IPv6] Seeing two different LAN side ranges

said by graysonf:

Windows has what are called Temporary IPv6 addresses which change with every reboot or restart of the network. I find them annoying because they are the source address of your connection. I prefer a more static IPv6 address. See here if you want to disable that:
RFC 4941. Enabled by default on OS X as well. Technically you can still use the SLAAC address, but traffic will be sourced via the PE-generated address unless an established incoming connection on SLAAC is made.

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL) to whfsdude

I've run the ipv6 reset commands and also disabled the temp address generation and it wants a reboot. Be right back...

whfsdude (Premium Member, join:2003-04-05, Washington, DC) to JoelC707

said by JoelC707:

No idea how I would change the DUID (though I can certainly look it up), and even so I can't see why it would change. I am spoofing the WAN MAC to maintain my original IPv4 address after I changed hardware for the firewall a while ago. Maybe somehow the real MAC is coming through, but even still, there's only one real and one spoofed MAC so I should theoretically only see two different PD prefixes? This makes the fourth PD prefix I've seen in just two days.

Or pfsense lost, gained, changed an interface and is using that interface to base the DUID. Wish you could specify a static DUID (for dhcp6.conf) in the pfsense interface.

whfsdude to JoelC707

»forum.pfsense.org/index. ··· =54210.0

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL) to whfsdude

Still have a "19" address on my desktop.

Given the Bellsouth circuit is PPPoE, doesn't pfSense "transform" that interface or something? After all, its "name" is "pppoe0" now, not xl0 like the actual adapter is. Maybe it's basing it off that instead?

I've run Wireshark before but it's been a while. I believe pfSense has support for mirroring an interface for packet capture and so should my switches. If you want me to capture anything let me know what you want captured, from where (what ports mirrored, if any) and what you want me to "do" while it is capturing.

whfsdude (Premium Member, join:2003-04-05, Washington, DC) to JoelC707

You only have 'DHCP6' set on the 'Comcast/WAN' int, correct?

You should be getting only one /64 on the LAN.

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL)

[Screenshot attached: pfSense interfaces]

Yeah, DHCP6, PD 64. LAN is tracking WAN and ID is 0.

I'm only getting one /64 at a time. My desktop is actually the only place I've ever seen two different subnets show up at the same time.

whfsdude (Premium Member, join:2003-04-05, Washington, DC) to JoelC707

Probably not that helpful at all on my part but the screenshot you provided of the interfaces looks good.

I really think the next course of action is grab some pcaps via the web interface when you're trying to browse/access v6. Packet captures from both the WAN and LAN ints would be super helpful.

Ideally you can put them on »www.cloudshark.org/ if you don't mind a few prying eyes.

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL)

Given my desktop still has the "19" address, I can't do anything useful with v6 (and I checked other machines on my network, all still have the 19 addresses). Still, I did try to ping6 google.com while the two captures were running (it of course failed).

WAN side capture: »www.cloudshark.org/captu ··· e0c66cb1
LAN side capture: »www.cloudshark.org/captu ··· 3c9319a1

Also uploaded raw capture files.

Edit: just realized I had it limited to 100 packets. Want me to recapture with no limit?

whfsdude (Premium Member, join:2003-04-05, Washington, DC) to JoelC707

I see the problem (oh how pcaps make things easier)! See the RA, notice it has the different prefix "19" on the 48th nibble. It's coming from the LAN int so clearly there is a config not showing in the pfsense GUI that needs to be blown away.

»willscorner.net/t/ra.png

whfsdude to JoelC707

I would suggest a good way to get rid of this config.

1. Disable v6 on the LAN int, apply.
2. Reboot pfsense.
3. Re-enable v6 on LAN int (the track int, prefix id 0).
4. Reboot once more.

If that doesn't do it, not sure what will.

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL)

Will do in a few, thanks!

JoelC707 to whfsdude

WTF? OK, did as you instructed and upon reboot the second time I'm watching the console screen behind me and I see the following address on LAN 2601:0:ac40:1d::1. I immediately refresh the web gui page and get to the console (mere seconds after successful boot), and I see a different address. The address displayed on the webgui is "1e", not "1d".

My desktop still has the old "19" address but now also has a "1d" address too. I've run a reset on it and will reboot in a minute and provide new screenshots and such of what I'm seeing now.

JoelC707

[Screenshots attached]

New screenshots. Desktop now has a "1d" address but that does me no good if the LAN of pfSense has changed to "1e". I even took a pic of the local console just to show I'm not crazy in seeing a "1d" address on LAN lol.

JoelC707

And packet captures.

LAN: »www.cloudshark.org/captu ··· cc742aa5
WAN: »www.cloudshark.org/captu ··· 764663a7

I tried the same ping6 to google.com while the capture was running on each interface. I also set the packet limit to 0 instead of 100.

whfsdude (Premium Member, join:2003-04-05, Washington, DC) to JoelC707

Well that is no good :-/ We did manage to get somewhere tonight. We know pfsense is advertising the wrong prefix but don't know why.

Next thing is to look at the raw config files and see what pfsense is really doing. I will dig up those locations for you tomorrow (need to catch some sleep).

If anyone else wants to jump in - dhcp6 config locations and rtadvd or radvd config location on pfsense would be awesome.

whfsdude to JoelC707

You might want to pm NetDog as well to get a second opinion. He'll love the pcaps.

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL) to whfsdude

I suspect it might have something to do with the changing prefix. It's advertising the first prefix and whatever does that advertising doesn't realize it's changing. This of course wouldn't be an issue if it didn't change lol. Yeah, I'm heading to bed too. Thanks for your help.

Extide (Member, join:2000-06-11, Salt Lake City, UT) to whfsdude

I think most of the configs in pfsense are in /var/etc

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL) to whfsdude

[Screenshots attached: dhclient6-script 1, dhclient6-script 2, dhclient6-script 3, dhclient6-script 4, radvd-conf, pfSense ifconfig]

OK, I found radvd.conf in /var/etc/ and the WAN side dhcp6 config files. The dhcp/dhcp6 files basically just define what interface it's on and call a script in /sbin/. I took screenshots of the radvd.conf file and the script file.

Scanning through the script file, I was looking for where it defines things like "old_IPv6" and "new_ipv6" and it references files in /var/db/ so I went and took a look. There are two files of note: bge1_ipv6 and bge1_pd_ipv6. The first file has the 2001: address in it, the second file has the 2601: "1e" address in it.

Edit: adding a SS of ifconfig from SSH. It's showing both the "1d" and "1e" prefixes on bge0 (LAN).
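
A small checker, added here and not from the thread or from pfSense, that compares the prefix radvd advertises on the LAN against the prefix recorded in the DHCPv6-PD lease file, the two pieces of state JoelC707 found under /var/etc and /var/db. It assumes constructed, simplified copies of radvd.conf and the dhclient6 lease file (the iaprefix line carries the delegated prefix) and reports any advertised prefix that is no longer delegated:

```python
import ipaddress
import re

# Constructed sample (not from the thread): radvd.conf as pfSense writes it for
# LAN interface bge0, still carrying the earlier delegation ("1d" subnet).
RADVD_CONF = """\
interface bge0 {
    AdvSendAdvert on;
    prefix 2601:0:ac40:1d::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
"""

# Constructed sample: the WAN-side dhclient6 lease file (bge1), whose iaprefix
# already records the newer "1e" delegation; the default-duid line is omitted.
DHCP6_LEASES = """\
lease6 {
  interface "bge1";
  ia-pd 00:14:22:10 {
    iaprefix 2601:0:ac40:1e::/64 { }
  }
}
"""

PREFIX = r"([0-9a-fA-F:]+/\d+)"

def advertised_prefixes(conf, iface):
    """Prefixes radvd announces on `iface`, taken from that interface block."""
    block = re.search(r"interface\s+%s\s*\{(.*?)\n\};" % re.escape(iface), conf, re.S)
    if block is None:
        return []
    return [ipaddress.IPv6Network(p) for p in re.findall(r"prefix\s+" + PREFIX, block.group(1))]

def delegated_prefixes(leases):
    """Every iaprefix the DHCPv6-PD client has recorded in its lease file."""
    return [ipaddress.IPv6Network(p) for p in re.findall(r"iaprefix\s+" + PREFIX, leases)]

def pd_subnet_id(prefix):
    """Fourth hextet of a /64 as a bare hex string: the '19', '1d', '1e' of the thread."""
    return format(int(prefix.network_address.exploded.split(":")[3], 16), "x")

def stale_ra_prefixes(conf, iface, leases):
    """Advertised prefixes that fall outside every currently delegated prefix."""
    delegated = delegated_prefixes(leases)
    return [p for p in advertised_prefixes(conf, iface)
            if not any(p.subnet_of(d) for d in delegated)]
```

Run against the firewall's own radvd.conf and lease file, it shows the same "1d" versus "1e" mismatch that the RA in the packet capture revealed.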

JoelC707

[Screenshot attached: DHCP6 WAN leases]

Adding DHCP6 WAN side leases per request (at least what I think is the requested file). I found this file in the same /var/etc/ that the radvd.conf file is in.

I appear to have also found the DUID in this file too. default-duid "\000\001\000\001\030n\223\263\000\024\"\020\366\233";

JoelC707

Alright, update time. I've spent nearly the entire day renumbering my LAN and getting all of my local servers to cooperate again. I noticed something interesting though during this process. I discovered I only had the "1e" address on several systems, not both "1e" and "1d". Sure enough, a few systems could obtain 10/10 on test-ipv6.com. It's been flaky though; like right now I'm done with everything but my desktop won't pass the test, yet I can ping whfsdude's server just fine.

For clarification, I have done nothing regarding this issue since grabbing the config file screenshots on the 27th. All the renumbering today was IPv4 and was local only. And even then it wasn't technically renumbering because I didn't change the subnet, just reordered everything into a logical order and logged it all in Excel instead of having stuff on random addresses.

I have not talked with NetDog since then either, so I do not know if they uncovered something or maybe the old PD finally expired and I'll be back at square one next time I reboot the firewall. Either way, it looks like I'm making some progress somehow lol. And for now, I am going to head to bed.

whfsdude (Premium Member, join:2003-04-05, Washington, DC) to JoelC707

I will be around for most of tomorrow. If you're free we can hammer through this.

NetDog (Premium Member, join:2002-03-04, Hollywood, FL)

Quick update: asked JoelC707 via email for the device and firmware version. I need to recreate this in the LAB; we are seeing odd things in the sniffer traces.

whfsdude (Premium Member, join:2003-04-05, Washington, DC)

said by NetDog:

Quick update: asked JoelC707 via email for the device and firmware version. I need to recreate this in the LAB; we are seeing odd things in the sniffer traces.

I worked with JoelC707 last week. I was able to get it working, but not post reboot.

1. Turn off v6 on track int (lan int).
2. Turn off dhcp6 on wan.
3. rm the v6 lease file, touch a new one.
4. Enable dhcp6 on wan.
5. Enable PD on track int.

The dhcp6 lease file will now be correct and ra is announced correctly. However, this does not hold across reboot. I am guessing a new DUID is getting created every reboot which is odd. I haven't had time to investigate further.

graysonf (MVM, join:1999-07-16, Fort Lauderdale, FL)

See this on the pfsense forum: »forum.pfsense.org/index. ··· sg306484

JoelC707 (Premium Member, join:2002-07-09, Lanett, AL)

Alright, update time. Finally able to update to a newer release (I'm on the Jan 12 00:36:42 release) and see what I get. I'm seeing a /128 on the WAN side now (not that I think that really mattered). I'm seeing a different PD subnet on LAN and, somewhat annoyingly, it didn't assign itself the ::1 address; it assigned one based on the MAC address.

whfsdude, if you want to log in to SSH/web and poke around, everything is still up and running as before.

One of my VM workstations is seeing the new and old subnet but has the old pfsense address for DNS. I haven't rebooted it yet or anything but it's looking better. Gonna reboot that VM system again and see what happens. If I can get it to go online with an IPv6 address I'll reboot pfsense and see what happens there.

JoelC707

Rebooted the VM workstation and I see only the new subnet, 2601:0:ac00:3e::, and can get 10/10 on test-ipv6.com. Rebooted pfSense and I maintained the same PD subnet, the LAN address has gone to ::1 (not that big of a deal, it's just easier to remember) and I am still able to surf and get 10/10 using IPv6 on the VM workstation. So far so good. I dare say it might be solved.

Anyone want screenshots of anything?