
graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to darkcrucible

Re: [IPv6] pfSense - Anybody else having issues?

FWIW, m0n0wall, the basis for pfsense, works fine with Comcast IPv6 with the exception of some log flooding.


voiptalk

join:2010-04-10
Gainesville, VA
reply to voiptalk

I took a closer look at the packet capture at the time the lease expired. Comcast appears to be replying properly, but pfSense is not binding.

I have filed bug: redmine.pfsense.org/issues/2919



acosgrove

join:2013-03-30
Woodstock, GA
reply to voiptalk

said by voiptalk:

I'm currently on:

2.1-BETA1 (amd64)
built on Thu Mar 28 00:48:35 EDT 2013

I think I found my issue... the radvd process is not running. I can make the config file by hand (which says it is auto-generated but is not) and start the daemon. I get my prefix handed to my network but the default route seems to be wrong/missing.

I've downloaded the 2g nanobsd image dated Mar 30

2.1-BETA1 (amd64)
built on Sat Mar 30 03:13:18 EDT 2013
FreeBSD 8.3-RELEASE-p6

Going to try a regular hdd install

voiptalk

join:2010-04-10
Gainesville, VA

Ya, that radvd bug was introduced about 2 weeks ago. I always have to start it manually.

I have never seen radvd.conf come up empty, but others have reported it.

pfSense 2.1 Beta is supposed to be close to RC status, but IPv6 is still very much a problem.



plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

I will agree that PFSense 2.1 beta builds back in December and January were stable (as far as beta releases go) in regards to IPv6.

Then, sometime in Feb / March, things took a bit of a dive so to speak, and now we have these issues.

So, now I'm trying to figure out what beta version I should go with...the one that voiptalk is running, which is from 3/28, or the one that acosgrove just downloaded and will be installing, which is from 03/30.

Just trying to get on the same page as everyone else, again to see if this is a PFSense issue, or a Comcast issue. Of course, based on what voiptalk said, it appears to be a pfSense issue, and not a Comcast one.

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail



acosgrove

join:2013-03-30
Woodstock, GA

1 edit
reply to graysonf

I switched over to m0n0wall and everything except v6 routing was working properly.

I think I may have a Comcast issue at this point. I opened an HE tunnel account and am now happily connecting to v6 sites. Is there someone in particular I should ask to review on the Comcast end?

I'll keep an eye out for an RC since I like the additional features and packages pfSense supports. Until then I'm sticking with m0n0.


voiptalk

join:2010-04-10
Gainesville, VA
reply to plencnerb

said by plencnerb:

Then, sometime in Feb / March, things took a bit of a dive so to speak, and now we have these issues.

I've been trying to piece that aspect together. pfSense developers were using the WIDE DHCP client, then changed [back] to ISC. I wasn't using it while WIDE was in use.

said by acosgrove:

I opened an HE tunnel account and am now happily connecting to v6 sites.

I am very, very close to going back to HE. I've invested way too much time on this issue.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2
reply to acosgrove

Are you using m0n0 1.34 or 1.8.1?

I know 1.8.8 works with Comcast native IPv6. If it doesn't for you then it's misconfigured on your end, misconfigured on Comcast's end, or not deployed in your area yet.

There is someone from Comcast here who can help you. I don't recall his name but he will probably see this and add to the thread. He will want your cable modem MAC address first, so have that available.



acosgrove

join:2013-03-30
Woodstock, GA

I'm using 1.3.4 -- I'm pretty sure it's deployed in my area, the CMTS does hand me a /128 and a /64. Configuration-wise I'm willing to bet 90% my fault.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

You could post screenshots of your configuration pages.

But upgrading to 1.8.1 if possible would be a good idea since there are more users of that version.



NetDog
Premium,VIP
join:2002-03-04
Parker, CO
kudos:79

1 edit
reply to acosgrove

said by acosgrove:

I think I may have a Comcast issue at this point. I opened an HE tunnel account and am now happily connecting to v6 sites. Is there someone in particular I should ask to review on the Comcast end?

I would be that person on the Comcast side, what would you like me to check out?
--
Comcaster.. Network Engineer with NETO


acosgrove

join:2013-03-30
Woodstock, GA
reply to graysonf

That worked! I upgraded m0n0 to:

1.8.1b538 built on Thu Mar 21 14:35:03 CET 2013

test-ipv6.com and test-ipv6.comcast.net both are in the green. Traceroutes from mebsd.com are good too.

Now just need to be patient and wait for pfSense to catch up.



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

So, is your System Log being flooded?



acosgrove

join:2013-03-30
Woodstock, GA

Looks to be that way

Apr 2 20:23:42 last message repeated 180 times
Apr 2 20:33:42 last message repeated 178 times



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Winner, winner, chicken dinner.

I reported that more than four months ago, but still no answer.



camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast

1 edit

2 recommendations

said by graysonf:

Winner, winner, chicken dinner.

I reported that more than four months ago, but still no answer.

imho, I don't think you will get a quick response to this issue.

This IPv6 stuff is so new out in the world of us unwashed masses of IPv6 ignoranti, that the powers that be are still trying to figure out how to handle it.

For those who know me here, it may seem odd that I praise Comcast [understatement], but on this narrow, specific topic of IPv6 and how Comcast have been trying to figure out what to do, I have to commend Comcast for trying and for being out in the forefront.

The people in the front are the ones who get the arrows in their backs.

And I have to give major props to Comcast for offering up Netdog as a sacrificial lamb for the benefit of getting this IPv6 stuff right and correct.


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

1 edit

said by camper:

imho, I don't think you will get a quick response to this issue.

For now, I would settle for one of the developers acknowledging the problem and saying it will be looked into.

Edit: Below is the response I received. I have replied to it and requested a patch.

-------------------------------------------

It sounds like Comcast are sending an RA to you, and as you are a router running rtadvd, it's sending this message out to notify you that it's getting a message on an interface it's not advertising on.

The whole use case of dhcp-pd is a bit strange anyway, rfc6204 section w-3 for example indicates that a router should take its route from an RA, but freebsd nd6.c specifically prevents this (we had to patch this behaviour to get it to work right)

So this message can be ignored, and we would have to patch rtadvd to silence this message if using dhcp-pd etc, by adding some flags etc.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3
reply to voiptalk

voiptalk,

I read your thread over at the pfSense forum, and wanted to ask a question.

You mention a lot about "radvd" which appears to be a service that runs on pfSense.

Now, I will fully admit I don't know much about Linux, or pfSense for that matter. So, it makes me wonder if I'm missing something in regards to this.

The screen shot above shows what services I have running. As you can see, there is not one called "radvd" listed. The 2nd picture lists all of the services that show up under the "Services" menu item. Again, nothing jumps out that would imply that it's the "radvd" service, but I could just be missing it.

I don't know if I ever had one or not with past beta builds, but I do know that in the past IPv6 was working on a build from January and I also believe the 02-13-2013 build as well.

The version that I'm currently running is below

2.1-BETA1 (i386)
built on Fri Mar 22 22:56:56 EDT 2013
FreeBSD 8.3-RELEASE-p6

Again, just wondering if I'm missing something.

Thanks,

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

radvd is probably part of the DHCPv6 Server/RA, the RA part.

As an aside pfsense is based on FreeBSD, not Linux.


voiptalk

join:2010-04-10
Gainesville, VA

1 edit
reply to plencnerb

radvd needs to be running and should require no action on your part to enable or start it. On some of the March builds, radvd tends to die and disappear completely from the services menu. There is a mention about that on the pfsense forum thread; that problem was thought to have been fixed.

--

On a side note: I've reconfigured back to a HE tunnel until I see some activity on the bug I filed.

I don't see this as being a Comcast issue. However, I have sent the packet capture taken during the failed renewal to Netdog for his thoughts.


plencnerb
Premium
join:2000-09-25
Carpentersville, IL
kudos:3

1 recommendation

said by voiptalk:

radvd needs to be running and should require no action on your part to enable or start it. On some of the March builds, radvd tends to die and disappear completely from the services menu. There is a mention about that on the pfsense forum thread; that problem was thought to have been fixed.

I did see you mention that in the thread over at the pfSense forums. I also agree with you that this does not appear to be a Comcast issue, but an issue with pfSense.

What I will probably do is give it a week or so, and then download a Beta at that point, and see if that service is running, or if that problem has been fixed. IPv6 for me is not that critical, so not having it working is not that big of a deal. However, I do enjoy pfSense, and if there is a way for me to help test/debug/validate things along the way, I'm more than welcome to help do so.

Thanks,

--Brian
--
============================
--Brian Plencner

E-Mail: CoasterBrian72Cancer@gmail.com
Note: Kill Cancer to Reply via e-mail


camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
reply to graysonf

said by graysonf:

... we would have to patch rtadvd to silence this message if using dhcp-pd etc, by adding some flags etc.

From that it sounds like using DHCP-PD negates the need to listen for and process RA on the WAN interface.

If that is correct, then just patching out the line in the source code that logs the RA packet should suffice.

If that is not correct, then there's a problem in OpenBSD (and, from the reply you received, it sounds like FreeBSD as well). The sysctl.conf file of OpenBSD allows for packet forwarding (i.e., acting as a router) or accepting RA packets, but not both.


net.inet6.ip6.forwarding=1       # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.accept_rtadv=0     # 1=Permit IPv6 autoconf (forwarding must be 0)


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

I'm not sure which case is applicable. But if there is a sysctl.conf file on m0n0wall I am unable to find it.



camper
Premium
join:2010-03-21
Bethel, CT
kudos:1

It would be in /etc if it existed. My FreeBSD servers do not have a /etc/sysctl.conf since most of the boot-time configuration is done via /etc/rc.conf



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Not in /etc and there is no /etc/rc.conf

m0n0wall is unusual as it is configured with php scripts as opposed to shell code.



camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast
reply to graysonf

Try running this command at the command line:

  sysctl net.inet6.ip6

That prints out all the IPv6 sysctl variables. Among them you'll see:

  net.inet6.ip6.forwarding: 0
  net.inet6.ip6.accept_rtadv: 0

Those values from my server indicate that the box does not do any routing and that it does not accept RA messages (its IPv6 address and route are statically configured in rc.conf).



graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

$ sysctl net.inet6.ip6
net.inet6.ip6.forwarding: 1
net.inet6.ip6.redirect: 1
net.inet6.ip6.hlim: 64
net.inet6.ip6.maxfragpackets: 1872
net.inet6.ip6.accept_rtadv: 1
net.inet6.ip6.keepfaith: 0
net.inet6.ip6.log_interval: 5
net.inet6.ip6.hdrnestlimit: 15
net.inet6.ip6.dad_count: 1
net.inet6.ip6.auto_flowlabel: 1
net.inet6.ip6.defmcasthlim: 1
net.inet6.ip6.gifhlim: 30
net.inet6.ip6.kame_version: FreeBSD
net.inet6.ip6.use_deprecated: 1
net.inet6.ip6.rr_prune: 5
net.inet6.ip6.v6only: 1
net.inet6.ip6.rtexpire: 3600
net.inet6.ip6.rtminexpire: 10
net.inet6.ip6.rtmaxcache: 128
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800
net.inet6.ip6.auto_linklocal: 1
net.inet6.ip6.prefer_tempaddr: 0
net.inet6.ip6.use_defaultzone: 0
net.inet6.ip6.maxfrags: 1872
net.inet6.ip6.mcast_pmtu: 0
net.inet6.ip6.stealth: 0
net.inet6.ip6.no_radr: 0
net.inet6.ip6.norbit_raif: 0
net.inet6.ip6.rfc6204w3: 1
net.inet6.ip6.mcast.loop: 1
net.inet6.ip6.mcast.maxsocksrc: 128
net.inet6.ip6.mcast.maxgrpsrc: 512



camper
Premium
join:2010-03-21
Bethel, CT
kudos:1
Reviews:
·Comcast

said by graysonf:

$ sysctl net.inet6.ip6
net.inet6.ip6.forwarding: 1
net.inet6.ip6.accept_rtadv: 1

So it looks like the FreeBSD in your firewall can be a router (forwarding) and also accept RA packets.
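
Added example, not part of any post in this thread: a small sh function that reads `sysctl net.inet6.ip6` output (or sysctl.conf lines) like those posted above and reports whether the box is set to forward IPv6, accept RAs, or both. The role labels it prints are made up for this example; the sample values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report the IPv6 role implied by
# net.inet6.ip6.forwarding and net.inet6.ip6.accept_rtadv.
# Input on stdin: `sysctl net.inet6.ip6` output ("name: value") or
# sysctl.conf lines ("name=value  # comment").
# Labels (hypothetical): router+ra, router, host-autoconf, static-host, unknown
classify_ip6_role() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                  # strip sysctl.conf comments
        if (split(line, kv, /[:=]/) < 2) next # not a name/value line
        key = kv[1]; val = kv[2]
        gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        if (key == "net.inet6.ip6.forwarding")   fwd = val
        if (key == "net.inet6.ip6.accept_rtadv") ra  = val
    }
    END {
        if (fwd == "" || ra == "")        print "unknown"
        else if (fwd == "1" && ra == "1") print "router+ra"
        else if (fwd == "1")              print "router"
        else if (ra == "1")               print "host-autoconf"
        else                              print "static-host"
    }'
}

# Values as posted in the thread: the m0n0wall firewall, the statically
# configured FreeBSD server, and the OpenBSD sysctl.conf lines.
FIREWALL='net.inet6.ip6.forwarding: 1
net.inet6.ip6.accept_rtadv: 1'
SERVER='net.inet6.ip6.forwarding: 0
net.inet6.ip6.accept_rtadv: 0'
OPENBSD_CONF='net.inet6.ip6.forwarding=1       # 1=Permit forwarding
net.inet6.ip6.accept_rtadv=0     # 1=Permit IPv6 autoconf'

for sample in "$FIREWALL" "$SERVER" "$OPENBSD_CONF"; do
    printf '%s\n' "$sample" | classify_ip6_role
done
```

On a live box the same function can be fed directly: `sysctl net.inet6.ip6 | classify_ip6_role`.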


graysonf
Premium,MVM
join:1999-07-16
Fort Lauderdale, FL
kudos:2

Yes it's pretty flexible.



camper
Premium
join:2010-03-21
Bethel, CT
kudos:1

If OpenBSD continues to have issues with concurrent rtadvd and routing, I'll switch over to FreeBSD for the firewall / router here.