NetDog Premium Member join:2002-03-04 Hollywood, FL 1 edit |
to acosgrove
Re: [IPv6] pfSense - Anybody else having issues?
said by acosgrove: I think I may have a Comcast issue at this point. I opened an HE tunnel account and am now happily connecting to v6 sites. Is there someone in particular I should ask to review on the Comcast end?

I would be that person on the Comcast side, what would you like me to check out? |
|
|
to graysonf
That worked! I upgraded m0n0 to:
1.8.1b538 built on Thu Mar 21 14:35:03 CET 2013
test-ipv6.com and test-ipv6.comcast.net both are in the green. Traceroutes from mebsd.com are good too.
Now just need to be patient and wait for pfSense to catch up. |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
So, is your System Log being flooded? |
|
|
Looks to be that way
Apr 2 20:23:42 last message repeated 180 times
Apr 2 20:33:42 last message repeated 178 times |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
Winner, winner, chicken dinner.
I reported that more than four months ago, but still no answer. |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT 1 edit
2 recommendations |
camper
Premium Member
2013-Apr-2 11:12 pm
said by graysonf: Winner, winner, chicken dinner.
I reported that more than four months ago, but still no answer.

imho, I don't think you will get a quick response to this issue. This IPv6 stuff is so new out in the world of us unwashed masses of IPv6 ignoranti, that the powers that be are still trying to figure out how to handle it.
For those who know me here, it may seem odd that I praise Comcast [understatement], but on this narrow, specific topic of IPv6 and how Comcast have been trying to figure out what to do, I have to commend Comcast for trying and for being out in the forefront. The people in the front are the ones who get the arrows in their backs.
And I have to give major props to Comcast for offering up Netdog as a sacrificial lamb for the benefit of getting this IPv6 stuff right and correct. |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL 1 edit |
said by camper: imho, I don't think you will get a quick response to this issue.

For now, I would settle for one of the developers acknowledging the problem and saying it will be looked into.
Edit: Below is the response I received. I have replied to it and requested a patch.
-------------------------------------------
It sounds like Comcast are sending an RA to you, and as you are a router running rtadvd, it's sending this message out to notify you that it's getting a message on an interface it's not advertising on.
The whole use case of dhcp-pd is a bit strange anyway, rfc6204 section w-3 for example indicates that a router should take its route from an RA, but freebsd nd6.c specifically prevents this (we had to patch this behaviour to get it to work right).
So this message can be ignored, and we would have to patch rtadvd to silence this message if using dhcp-pd etc, by adding some flags etc. |
|
plencnerb Premium Member join:2000-09-25 53403-1242 |
to voiptalk
voiptalk, I read your thread over at the pfSense forum, and wanted to ask a question. You mention a lot about "radvd" which appears to be a service that runs on pfSense. Now, I will fully admit I don't know much about Linux, or pfSense for that matter. So, it makes me wonder if I'm missing something in regards to this.
The screen shot above shows what services I have running. As you can see, there is not one called "radvd" listed. The 2nd picture lists all of the services that show up under the "Services" menu item. Again, nothing jumps out that would imply that it's the "radvd" service, but I could just be missing it.
I don't know if I ever had one or not with past beta builds, but I do know that in the past IPv6 was working on a build from January and I also believe the 02-13-2013 build as well. The version that I'm currently running is below
2.1-BETA1 (i386)
built on Fri Mar 22 22:56:56 EDT 2013
FreeBSD 8.3-RELEASE-p6
Again, just wondering if I'm missing something.
Thanks,
--Brian |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
radvd is probably part of the DHCPv6 Server/RA, the RA part.
As an aside pfsense is based on FreeBSD, not Linux. |
|
MikroTik RB750G Cisco DPC3941
1 edit |
to plencnerb
radvd needs to be running and should require no action on your part to enable or start it. On some of the March builds, radvd tends to die and disappear completely from the services menu. There is a mention about that on the pfsense forum thread; that problem was thought to have been fixed.
--
On a side note: I've reconfigured back to a HE tunnel until I see some activity on the bug I filed. I don't see this as being a Comcast issue. However, I have sent the packet capture taken during the failed renewal to Netdog for his thoughts. |
|
plencnerb Premium Member join:2000-09-25 53403-1242
1 recommendation |
said by voiptalk: radvd needs to be running and should require no action on your part to enable or start it. On some of the March builds, radvd tends to die and disappear completely from the services menu. There is a mention about that on the pfsense forum thread; that problem was thought to have been fixed.

I did see you mention that in the thread over at the pfSense forums. I also agree with you that this does not appear to be a Comcast issue, but an issue with pfSense.
What I will probably do is give it a week or so, and then download a Beta at that point, and see if that service is running, or if that problem has been fixed.
IPv6 for me is not that critical, so not having it working is not that big of a deal. However, I do enjoy pfSense, and if there is a way for me to help test/debug/validate things along the way, I'm more than welcome to help do so.
Thanks,
--Brian |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT |
to graysonf
said by graysonf: ... we would have to patch rtadvd to silence this message if using dhcp-pd etc, by adding some flags etc.

From that it sounds like using DHCP-PD negates the need to listen for and process RA on the WAN interface. If that is correct, then just patching out the line in the source code that logs the RA packet should suffice.
If that is not correct, then there's a problem in OpenBSD (and, from the reply you received, it sounds like FreeBSD as well). The sysctl.conf file of OpenBSD allows for packet forwarding (i.e., acting as a router) or accepting RA packets, but not both.
net.inet6.ip6.forwarding=1 # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.accept_rtadv=0 # 1=Permit IPv6 autoconf (forwarding must be 0)
|
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
I'm not sure which case is applicable. But if there is a sysctl.conf file on m0n0wall I am unable to find it. |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2013-Apr-3 1:11 pm
It would be in /etc if it existed. My FreeBSD servers do not have a /etc/sysctl.conf since most of the boot-time configuration is done via /etc/rc.conf |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
Not in /etc and there is no /etc/rc.conf
m0n0wall is unusual as it is configured with php scripts as opposed to shell code. |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT |
to graysonf
Try running this command at the command line:
sysctl net.inet6.ip6
That prints out all the IPv6 sysctl variables. Among them you'll see:
net.inet6.ip6.forwarding: 0
net.inet6.ip6.accept_rtadv: 0
Those values from my server indicate that the box does not do any routing and that it does not accept RA messages (its IPv6 address and route are statically configured in rc.conf). |
|
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
$ sysctl net.inet6.ip6
net.inet6.ip6.forwarding: 1
net.inet6.ip6.redirect: 1
net.inet6.ip6.hlim: 64
net.inet6.ip6.maxfragpackets: 1872
net.inet6.ip6.accept_rtadv: 1
net.inet6.ip6.keepfaith: 0
net.inet6.ip6.log_interval: 5
net.inet6.ip6.hdrnestlimit: 15
net.inet6.ip6.dad_count: 1
net.inet6.ip6.auto_flowlabel: 1
net.inet6.ip6.defmcasthlim: 1
net.inet6.ip6.gifhlim: 30
net.inet6.ip6.kame_version: FreeBSD
net.inet6.ip6.use_deprecated: 1
net.inet6.ip6.rr_prune: 5
net.inet6.ip6.v6only: 1
net.inet6.ip6.rtexpire: 3600
net.inet6.ip6.rtminexpire: 10
net.inet6.ip6.rtmaxcache: 128
net.inet6.ip6.use_tempaddr: 0
net.inet6.ip6.temppltime: 86400
net.inet6.ip6.tempvltime: 604800
net.inet6.ip6.auto_linklocal: 1
net.inet6.ip6.prefer_tempaddr: 0
net.inet6.ip6.use_defaultzone: 0
net.inet6.ip6.maxfrags: 1872
net.inet6.ip6.mcast_pmtu: 0
net.inet6.ip6.stealth: 0
net.inet6.ip6.no_radr: 0
net.inet6.ip6.norbit_raif: 0
net.inet6.ip6.rfc6204w3: 1
net.inet6.ip6.mcast.loop: 1
net.inet6.ip6.mcast.maxsocksrc: 128
net.inet6.ip6.mcast.maxgrpsrc: 512 |
|
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2013-Apr-3 2:22 pm
said by graysonf:
$ sysctl net.inet6.ip6
net.inet6.ip6.forwarding: 1
net.inet6.ip6.accept_rtadv: 1

So it looks like the FreeBSD in your firewall can be a router (forwarding) and also accept RA packets. |
|
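The check camper walks through above (reading forwarding and accept_rtadv out of `sysctl net.inet6.ip6`), as an added example that is not part of the original posts. The function name `ipv6_role`, the labels it prints and the two sample functions are assumptions made for illustration; the sample values are constructed from the figures quoted in the thread.

```shell
#!/bin/sh
# Added example: classify a box's IPv6 role from `sysctl net.inet6.ip6` output.
# Reads stdin; accepts "name: value" (sysctl output) and "name=value"
# (sysctl.conf) lines. The labels it prints are this example's own.
ipv6_role() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)               # strip sysctl.conf-style comments
        sep = match(line, /[:=]/)          # first ":" or "=" splits key/value
        if (sep == 0) next
        key = substr(line, 1, sep - 1)
        val = substr(line, sep + 1)
        gsub(/[ \t]/, "", key)
        gsub(/[ \t]/, "", val)
        if (key == "net.inet6.ip6.forwarding")   fwd = val
        if (key == "net.inet6.ip6.accept_rtadv") ra  = val
    }
    END {
        # Either variable missing: refuse to guess, signal it in the exit code.
        if (fwd == "" || ra == "") { print "unknown"; exit 2 }
        if (fwd == "1" && ra == "1") print "router+accept_ra"
        else if (fwd == "1")         print "router"
        else if (ra == "1")          print "host+accept_ra"
        else                         print "static-host"
    }'
}

# Constructed sample: values graysonf's m0n0wall reported in the thread.
sample_m0n0wall() {
    printf '%s\n' \
        'net.inet6.ip6.forwarding: 1' \
        'net.inet6.ip6.redirect: 1' \
        'net.inet6.ip6.accept_rtadv: 1'
}

# Constructed sample: the OpenBSD-style sysctl.conf lines camper quoted.
sample_sysctl_conf() {
    printf '%s\n' \
        'net.inet6.ip6.forwarding=1   # 1=Permit forwarding (routing) of IPv6 packets' \
        'net.inet6.ip6.accept_rtadv=0 # 1=Permit IPv6 autoconf (forwarding must be 0)'
}

# On the firewall itself: sysctl net.inet6.ip6 | ipv6_role
printf 'm0n0wall sample:    %s\n' "$(sample_m0n0wall | ipv6_role)"
printf 'sysctl.conf sample: %s\n' "$(sample_sysctl_conf | ipv6_role)"
```

The "router+accept_ra" result is the combination discussed in the thread: a box that forwards IPv6 and also accepts RAs, which is why rtadvd's log message about RAs arriving on the WAN interface shows up there.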
graysonf MVM join:1999-07-16 Fort Lauderdale, FL |
Yes it's pretty flexible. |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT |
camper
Premium Member
2013-Apr-3 3:44 pm
If OpenBSD continues to have issues with concurrent rtadvd and routing, I'll switch over to FreeBSD for the firewall / router here. |
|
plencnerb Premium Member join:2000-09-25 53403-1242 |
to voiptalk
voiptalk, I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.
In looking at your post at the pfSense forum » forum.pfsense.org/index. ··· 6.0.html it has been at least 12 days since the last update to the thread. So, just looking to see if there are any updates.
I'm still running the following version
2.1-BETA1 (i386)
built on Fri Mar 22 22:56:56 EDT 2013
FreeBSD 8.3-RELEASE-p6
With the issues that you had reported, I did not see a need to update to a newer beta, unless the problems have been resolved.
Thanks in advance,
--Brian |
|
MikroTik RB750G Cisco DPC3941
1 edit |
said by plencnerb: voiptalk,
I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.

No. I watch the changes checked in daily and there hasn't been a single one related to this. As you can see in the bug, others have confirmed that this is an issue.
For myself, I have reverted back to a Hurricane Electric tunnel. Not only is it rock-solid with lower latency than native IPv6 from Comcast (the HE tunnel end point is right there with Akamai and Google in Ashburn, VA), but it comes with static IPv6 addressing. With Comcast I get a new LAN prefix each time I reboot.
So, taking a break until the pfSense devs check in something worthwhile. |
|
plencnerb Premium Member join:2000-09-25 53403-1242 |
plencnerb
Premium Member
2013-Apr-24 10:16 pm
Thanks for the update. I'll just continue to run what I have until an update comes from pfSense as well.
I like the product, and it has a ton of features in it. So, I'm not ready to switch it out for something else at this point yet.
--Brian |
|
camper just visiting this planet Premium Member join:2010-03-21 Bethel, CT |
to voiptalk
said by voiptalk: ...With Comcast I get a new LAN prefix each time I reboot. ...

Oh well... looks like I'll need to write an IPv6 dynamic DNS script..... |
|
MikroTik RB750G Cisco DPC3941
|
to plencnerb
said by plencnerb: voiptalk,
I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.

Development has requested that we test with tomorrow's (May 9) snapshot. I won't be able to upgrade to that for a while, so hopefully Brian or somebody can and report back. |
|
plencnerb Premium Member join:2000-09-25 53403-1242 |
said by voiptalk: said by plencnerb: voiptalk,
I wanted to update this thread to see if you had any more information from the pfSense team about the issue and bug that you reported to them.
Development has requested that we test with tomorrow's (May 9) snapshot. I won't be able to upgrade to that for a while, so hopefully Brian or somebody can and report back.

I should be able to upgrade to that snapshot tomorrow night. My question is, which May 9th snapshot do I want? When I look at the list, there is one that comes out early (5 AM), and one that comes out later (5 PM).
If you look at the above picture, the red arrows show the two ISO Live installer Images for today. Just asking, as I want to make sure I grab the right build.
Thanks,
--Brian |
|
|
Based on the commit time of the changes, they should be in the May 9th AM build.
|
|
plencnerb Premium Member join:2000-09-25 53403-1242 |
Sounds good. I'll download it tomorrow, and install that and then report how things go.
If there are any special things I should look for, let me know. I'll see what I can do and post screen shots if there is something special that you (or anyone else) would be interested in seeing.
--Brian |
|
plencnerb |
Just wanted to give a quick update. I have downloaded and burned to CD the following file
pfSense-LiveCD-2.1-BETA1-i386-20130509-0705.iso.gz
Date/time stamp: 09-May-2013 07:34
File Size: 85M
At some point today, I'll be doing a fresh install of that version of pfSense and pass along any information that I can.
Again, if there is something specific that you would like to see, let me know.
Thanks,
--Brian |
|
MikroTik RB750G Cisco DPC3941
|
said by plencnerb: Again, if there is something specific that you would like to see, let me know.

Thanks. Main things to watch for:
1) Does radvd start by itself. There had been an issue where it had to be started manually, after initial boot.
2) More important ... Is the LAN IPv6 address still there at the 2-day and 4-day uptime mark. pfSense had not been renewing properly (DHCP-PD) and the LAN IPv6 address was removed. |
|