NetDog
Premium Member
join:2002-03-04
Hollywood, FL

1 edit

NetDog to acosgrove

Premium Member

to acosgrove

Re: [IPv6] pfSense - Anybody else having issues?

said by acosgrove:

I think I may have a Comcast issue at this point. I opened an HE tunnel account and am now happily connecting to v6 sites. Is there someone in particular I should ask to review on the Comcast end?

I would be that person on the Comcast side, what would you like me to check out?

acosgrove
join:2013-03-30
Woodstock, GA

acosgrove to graysonf

Member

to graysonf
That worked! I upgraded m0n0 to:

1.8.1b538 built on Thu Mar 21 14:35:03 CET 2013

test-ipv6.com and test-ipv6.comcast.net both are in the green. Traceroutes from mebsd.com are good too.

Now just need to be patient and wait for pfSense to catch up.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

So, is your System Log being flooded?

acosgrove
join:2013-03-30
Woodstock, GA

acosgrove

Member

Looks to be that way

Apr 2 20:23:42 last message repeated 180 times
Apr 2 20:33:42 last message repeated 178 times

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Winner, winner, chicken dinner.

I reported that more than four months ago, but still no answer.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

1 edit

2 recommendations

camper

Premium Member

said by graysonf:

Winner, winner, chicken dinner.

I reported that more than four months ago, but still no answer.

imho, I don't think you will get a quick response to this issue.

This IPv6 stuff is so new out in the world of us unwashed masses of IPv6 ignoranti, that the powers that be are still trying to figure out how to handle it.

For those who know me here, it may seem odd that I praise Comcast [understatement], but on this narrow, specific topic of IPv6 and how Comcast have been trying to figure out what to do, I have to commend Comcast for trying and for being out in the forefront.

The people in the front are the ones who get the arrows in their backs.

And I have to give major props to Comcast for offering up Netdog as a sacrificial lamb for the benefit of getting this IPv6 stuff right and correct.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

1 edit

graysonf

MVM

said by camper:

imho, I don't think you will get a quick response to this issue.

For now, I would settle for one of the developers acknowledging the problem and saying it will be looked into.

Edit: Below is the response I received. I have replied to it and requested a patch.

-------------------------------------------

It sounds like Comcast are sending an RA to you, and as you are a router running rtadvd, it's sending this message out to notify you that it's getting a message on an interface it's not advertising on.

The whole use case of dhcp-pd is a bit strange anyway, rfc6204 section w-3 for example indicates that a router should take its route from an RA, but freebsd nd6.c specifically prevents this (we had to patch this behaviour to get it to work right).

So this message can be ignored, and we would have to patch rtadvd to silence this message if using dhcp-pd etc, by adding some flags etc.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to voiptalk

Premium Member

to voiptalk
voiptalk,

I read your thread over at the pfSense forum, and wanted to ask a question.

You mention a lot about "radvd" which appears to be a service that runs on pfSense.

Now, I will fully admit I don't know much about Linux, or pfSense for that matter. So, it makes me wonder if I'm missing something in regards to this.

The screen shot above shows what services I have running. As you can see, there is not one called "radvd" listed. The 2nd picture lists all of the services that show up under the "Services" menu item. Again, nothing jumps out that would imply that it's the "radvd" service, but I could just be missing it.

I don't know if I ever had one or not with past beta builds, but I do know that in the past IPv6 was working on a build from January and I also believe the 02-13-2013 build as well.

The version that I'm currently running is below

2.1-BETA1 (i386)
built on Fri Mar 22 22:56:56 EDT 2013
FreeBSD 8.3-RELEASE-p6

Again, just wondering if I'm missing something.

Thanks,

--Brian

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

radvd is probably part of the DHCPv6 Server/RA, the RA part.

As an aside pfsense is based on FreeBSD, not Linux.
voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

1 edit

voiptalk to plencnerb

Member

to plencnerb
radvd needs to be running and should require no action on your part to enable or start it. On some of the March builds, radvd tends to die and disappear completely from the services menu. There is a mention about that on the pfsense forum thread; that problem was thought to have been fixed.

--

On a side note: I've reconfigured back to a HE tunnel until I see some activity on the bug I filed.

I don't see this as being a Comcast issue. However, I have sent the packet capture taken during the failed renewal to Netdog for his thoughts.

plencnerb
Premium Member
join:2000-09-25
53403-1242

1 recommendation

plencnerb

Premium Member

said by voiptalk:

radvd needs to be running and should require no action on your part to enable or start it. On some of the March builds, radvd tends to die and disappear completely from the services menu. There is a mention about that on the pfsense forum thread; that problem was thought to have been fixed.

I did see you mention that in the thread over at the pfSense forums. I also agree with you that this does not appear to be a Comcast issue, but an issue with pfSense.

What I will probably do is give it a week or so, and then download a Beta at that point, and see if that service is running, or if that problem has been fixed. IPv6 for me is not that critical, so not having it working is not that big of a deal. However, I do enjoy pfSense, and if there is a way for me to help test/debug/validate things along the way, I'm more than welcome to help do so.

Thanks,

--Brian

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper to graysonf

Premium Member

to graysonf
said by graysonf:

... we would have to patch rtadvd to silence this message if using dhcp-pd etc, by adding some flags etc.

From that it sounds like using DHCP-PD negates the need to listen for and process RA on the WAN interface.

If that is correct, then just patching out the line in the source code that logs the RA packet should suffice.

If that is not correct, then there's a problem in OpenBSD (and, from the reply you received, it sounds like FreeBSD as well). The sysctl.conf file of OpenBSD allows for packet forwarding (i.e., acting as a router) or accepting RA packets, but not both.


net.inet6.ip6.forwarding=1       # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.accept_rtadv=0     # 1=Permit IPv6 autoconf (forwarding must be 0)

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

I'm not sure which case is applicable. But if there is a sysctl.conf file on m0n0wall I am unable to find it.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

It would be in /etc if it existed. My FreeBSD servers do not have a /etc/sysctl.conf since most of the boot-time configuration is done via /etc/rc.conf

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Not in /etc and there is no /etc/rc.conf

m0n0wall is unusual as it is configured with php scripts as opposed to shell code.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper to graysonf

Premium Member

to graysonf
Try running this command at the command line:

  sysctl net.inet6.ip6

That prints out all the IPv6 sysctl variables. Among them you'll see:

  net.inet6.ip6.forwarding: 0
  net.inet6.ip6.accept_rtadv: 0

Those values from my server indicate that the box does not do any routing and that it does not accept RA messages (its IPv6 address and route are statically configured in rc.conf).

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

$ sysctl net.inet6.ip6
net.inet6.ip6.forwarding: 1
net.inet6.ip6.redirect: 1
net.inet6.ip6.hlim: 64
net.inet6.ip6.maxfragpackets: 1872
net.inet6.ip6.accept_rtadv: 1
net.inet6.ip6.keepfaith: 0
net.inet6.ip6.log_interval: 5
net.inet6.ip6.hdrnestlimit: 15
net.inet6.ip6.dad_count: 1
net.inet6.ip6.auto_flowlabel: 1
net.inet6.ip6.defmcasthlim: 1
net.inet6.ip6.gifhlim: 30
net.inet6.ip6.kame_version: FreeBSD
net.inet6.ip6.use_deprecated: 1
net.inet6.ip6.rr_prune: 5
net.inet6.ip6.v6only: 1
net.inet6.ip6.rtexpire: 3600
net.inet6.ip6.rtminexpire: 10
net.inet6.ip6.rtmaxcache: 128
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800
net.inet6.ip6.auto_linklocal: 1
net.inet6.ip6.prefer_tempaddr: 0
net.inet6.ip6.use_defaultzone: 0
net.inet6.ip6.maxfrags: 1872
net.inet6.ip6.mcast_pmtu: 0
net.inet6.ip6.stealth: 0
net.inet6.ip6.no_radr: 0
net.inet6.ip6.norbit_raif: 0
net.inet6.ip6.rfc6204w3: 1
net.inet6.ip6.mcast.loop: 1
net.inet6.ip6.mcast.maxsocksrc: 128
net.inet6.ip6.mcast.maxgrpsrc: 512

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

said by graysonf:

$ sysctl net.inet6.ip6
net.inet6.ip6.forwarding: 1
net.inet6.ip6.accept_rtadv: 1

So it looks like the FreeBSD in your firewall can be a router (forwarding) and also accept RA packets.
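
The sysctl comparison in the posts above, as an added example that is not part of the thread: a POSIX shell function that reads `sysctl net.inet6.ip6` text and reports whether the box forwards IPv6, accepts RAs, or both. The three samples are trimmed from the values posted above; the function names are invented for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a box's IPv6 role from
# `sysctl net.inet6.ip6` text. Function names are invented for this example.

# Samples trimmed from the values posted in the thread.
FIREWALL='net.inet6.ip6.forwarding: 1
net.inet6.ip6.accept_rtadv: 1
net.inet6.ip6.rfc6204w3: 1'
FREEBSD_SERVER='net.inet6.ip6.forwarding: 0
net.inet6.ip6.accept_rtadv: 0'
OPENBSD_CONF='net.inet6.ip6.forwarding=1       # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.accept_rtadv=0     # 1=Permit IPv6 autoconf (forwarding must be 0)'

# sysctl_value KEY TEXT: print KEY's value, or "unset" if the key is absent.
# Accepts "key: value" (sysctl output) and "key=value # comment" (sysctl.conf).
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        {
            sub(/#.*/, "")                      # drop trailing comments
            n = index($0, ":"); if (n == 0) n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { print (found == "" ? "unset" : found) }'
}

# classify_ra_mode TEXT: combine the two knobs discussed in the thread.
classify_ra_mode() {
    fwd=$(sysctl_value net.inet6.ip6.forwarding "$1")
    ra=$(sysctl_value net.inet6.ip6.accept_rtadv "$1")
    case "$fwd/$ra" in
        1/1) echo "router+accepts-RA" ;;   # forwards and also listens to RAs
        1/0) echo "router" ;;              # forwards, ignores RAs
        0/1) echo "host-autoconf" ;;       # end host configured from RAs
        0/0) echo "host-static" ;;         # end host, static address and route
        *)   echo "unknown" ;;             # a key is missing or non-boolean
    esac
}

# Live use on the box itself: classify_ra_mode "$(sysctl net.inet6.ip6)"
for sample in "$FIREWALL" "$FREEBSD_SERVER" "$OPENBSD_CONF"; do
    classify_ra_mode "$sample"
done
```
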

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

graysonf

MVM

Yes it's pretty flexible.

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper

Premium Member

If OpenBSD continues to have issues with concurrent rtadvd and routing, I'll switch over to FreeBSD for the firewall / router here.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb to voiptalk

Premium Member

to voiptalk
voiptalk,

I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.

In looking at your post at the pfSense forum
»forum.pfsense.org/index. ··· 6.0.html
it has been at least 12 days since the last update to the thread.

So, just looking to see if there are any updates. I'm still running the following version

2.1-BETA1 (i386)
built on Fri Mar 22 22:56:56 EDT 2013
FreeBSD 8.3-RELEASE-p6

With the issues that you had reported, I did not see a need to update to a newer beta, unless the problems have been resolved.

Thanks in advance,

--Brian
voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

1 edit

voiptalk

Member

said by plencnerb:

voiptalk,

I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.

No. I watch the changes checked in daily and there hasn't been a single one related to this. As you can see in the bug, others have confirmed that this is an issue.

For myself, I have reverted back to a Hurricane Electric tunnel. Not only is it rock-solid with lower latency than native IPv6 from Comcast (the HE tunnel end point is right there with Akamai and Google in Ashburn, VA), but it comes with static IPv6 addressing. With Comcast I get a new LAN prefix each time I reboot. So, taking a break until the pfSense devs check in something worthwhile.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

Thanks for the update. I'll just continue to run what I have until an update comes from pfSense as well.

I like the product, and it has a ton of features in it. So, I'm not ready to switch it out for something else at this point yet.

--Brian

camper
just visiting this planet
Premium Member
join:2010-03-21
Bethel, CT

camper to voiptalk

Premium Member

to voiptalk
said by voiptalk:

...With Comcast I get a new LAN prefix each time I reboot. ...

 
Oh well... looks like I'll need to write an IPv6 dynamic DNS script.....
voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

voiptalk to plencnerb

Member

to plencnerb
said by plencnerb:

voiptalk,

I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.

Development has requested that we test with tomorrow's (May 9) snapshot.

I won't be able to upgrade to that for a while, so hopefully Brian or somebody can and report back.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

said by voiptalk:

said by plencnerb:

voiptalk,

I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.

Development has requested that we test with tomorrow's (May 9) snapshot.

I won't be able to upgrade to that for a while, so hopefully Brian or somebody can and report back.

I should be able to upgrade to that snapshot tomorrow night.

My question is, which May 9th snapshot do I want? When I look at the list, there is one that comes out early (5 AM), and one that comes out later (5 PM).

If you look at the above picture, the red arrows show the two ISO Live installer Images for today.

Just asking, as I want to make sure I grab the right build.

Thanks,

--Brian
voiptalk
join:2010-04-10
Gainesville, VA

voiptalk

Member


Based on the commit time of the changes, they should be in the May 9th AM build.

plencnerb
Premium Member
join:2000-09-25
53403-1242

plencnerb

Premium Member

Sounds good. I'll download it tomorrow, and install that and then report how things go.

If there are any special things I should look for, let me know. I'll see what I can do and post screen shots if there is something special that you (or anyone else) would be interested in seeing.

--Brian
plencnerb

plencnerb

Premium Member

Just wanted to give a quick update. I have downloaded and burned to CD the following file

pfSense-LiveCD-2.1-BETA1-i386-20130509-0705.iso.gz

Date/time stamp: 09-May-2013 07:34
File Size: 85M

At some point today, I'll be doing a fresh install of that version of pfSense and pass along any information that I can.

Again, if there is something specific that you would like to see, let me know.

Thanks,

--Brian
voiptalk
join:2010-04-10
Gainesville, VA
MikroTik RB750G
Cisco DPC3941

voiptalk

Member

said by plencnerb:

Again, if there is something specific that you would like to see, let me know.

Thanks. Main things to watch for:

1) Does radvd start by itself? There had been an issue where it had to be started manually, after initial boot.

2) More important ... Is the LAN IPv6 address still there at the 2-day and 4-day uptime mark? pfSense had not been renewing properly (DHCP-PD) and the LAN IPv6 address was removed.
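
The two checks in the post above, as an added shell example that is not part of the thread: it reports whether radvd is in the process list and whether the LAN interface still holds a non-link-local IPv6 address. The interface name `em1`, the sample `ifconfig` and `ps` text, and the function names are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): the radvd and LAN-address checks,
# run against captured text so the script also works offline.

# Constructed samples: trimmed FreeBSD-style ifconfig output for a hypothetical
# LAN interface em1, using the 2001:db8::/32 documentation prefix.
IFCONFIG_OK='em1: flags=8843 metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2
        inet6 2001:db8:1234:1::1 prefixlen 64'
IFCONFIG_LOST='em1: flags=8843 metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2'
# Constructed process lists, one command name per line.
PS_OK='COMMAND
dhcp6c
radvd'
PS_DEAD='COMMAND
dhcp6c'

# global_v6 TEXT: print inet6 addresses that are neither link-local
# (fe80::/10) nor loopback. Empty output means the delegated address is gone.
global_v6() {
    printf '%s\n' "$1" | awk '
        $1 == "inet6" {
            addr = tolower($2); sub(/%.*/, "", addr)   # strip %scope suffix
            if (addr !~ /^fe[89ab][0-9a-f]:/ && addr != "::1") print addr
        }'
}

# lan_status IFCONFIG_TEXT PS_TEXT: one summary line for both checks.
lan_status() {
    if printf '%s\n' "$2" | grep -qx 'radvd'; then ra=running; else ra=missing; fi
    if [ -n "$(global_v6 "$1")" ]; then pd=present; else pd=lost; fi
    echo "radvd=$ra lan_v6=$pd"
}

# Live use on the firewall (interface name is an assumption):
#   lan_status "$(ifconfig em1)" "$(ps -axo comm)"
lan_status "$IFCONFIG_OK" "$PS_OK"
lan_status "$IFCONFIG_LOST" "$PS_DEAD"
```

Run from cron and logged with the uptime, the summary line shows whether the address survives past the 2-day and 4-day marks mentioned above.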