
pfSense router - IPv6 client side problems

Started by lonevipr, December 11, 2013, 12:10:03 PM


lonevipr

Hello fellow IPv6ers. This forum seems a bit more active than the actual pfSense IPv6 forum area is. So I'm going to try my problem here hoping for some responses. I've been using pfSense for about 3 years I would say. I'm just going to link to my post to save a bit of time. Answers can be posted here on HE. I will update my pfSense thread to post a solution if you guys help me figure it out.

Detailed post info here, including some screenshots of my setup:

http://forum.pfsense.org/index.php/topic,70047.0.html

Short version: HE ipv6 tunnel is up & connected on pfsense router, pfsense router can ping ipv6.google.com with success, but client, i.e. laptop on WLAN network is not receiving ipv6 address. WLAN network does have an allow all ipv6 firewall rule set.

Thanks for any help you guys could provide.

kasperd

Quote from: lonevipr on December 11, 2013, 12:10:03 PM
pfsense router can ping ipv6.google.com with success, but client, i.e. laptop on WLAN network is not receiving ipv6 address.

Is the router running a router advertisement daemon?

lonevipr

Quote from: kasperd on December 11, 2013, 02:50:12 PM
Quote from: lonevipr on December 11, 2013, 12:10:03 PM
pfsense router can ping ipv6.google.com with success, but client, i.e. laptop on WLAN network is not receiving ipv6 address.
Is the router running a router advertisement daemon?

Yes, pfSense uses the radvd service. I have a WLAN interface. Under WLAN interface I have a static IPv6 set. A subnet of my routed /48.
2001:470:xxxx:1::

When you turn on a static IPv6 you can enable a V6 DHCP server. Then under my DHCPv6 option/tab, for WLAN interface I have DHCPv6 turned on, valid IP range set, & router advertisements set to managed. I even verified router is advertising via packet capture function of pfSense. I can upload a screenshot of that capture showing it is broadcasting.

The more reading I've done, I'm thinking it's tied to this error message in my logs.

It sounds like DHCPv6 isn't writing leases (IPs) like it needs to. I've read that DHCPv6 runs on port 547. This error message says something about an unsupported device type bound to port 547 which is what a DHCPv6 server runs on. It sounds like there may be some error with the DHCPv6 server that pfSense is currently using.

"php: /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf -pf /var/run/dhcpdv6.pid em1 em0 gif0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.2.5-P1 Copyright 2004-2013 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ Wrote 0 leases to leases file. Bound to *:547 Unsupported device type 240 for "gif0" If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please read the section on the README about submitting bug reports and requests for help. Please do not under any circumstances send requests for help directly to the authors of this software - please send"

Edit: Well, I double checked ISC DHCP. 4.2.5-P1 is the newest stable, so not sure why it would be having issues. This error message also exists in my system logs & I'm not sure what it means or if it's a problem.

"php: rc.filter_configure_sync: Could not find IPv6 gateway for interface(wan)."

kasperd

Quote from: lonevipr on December 11, 2013, 05:20:45 PM
Unsupported device type 240 for "gif0"

Ain't that the tunnel interface? You are not supposed to configure any sort of dynamic addressing on the tunnel interface. You should only use dynamic addresses on the physical Ethernet interface.

Additionally, I would stick with just router advertisements and not use DHCPv6, unless there is a very specific need for features provided by DHCPv6.

lonevipr

Quote from: kasperd on December 12, 2013, 01:09:44 AM
Quote from: lonevipr on December 11, 2013, 05:20:45 PM
Unsupported device type 240 for "gif0"
Ain't that the tunnel interface? You are not supposed to configure any sort of dynamic addressing on the tunnel interface. You should only use dynamic addresses on the physical Ethernet interface.

Additionally, I would stick with just router advertisements and not use DHCPv6, unless there is a very specific need for features provided by DHCPv6.

Now let me explain, IPv6 is very new to me, I am not a professional. I simply play around with networking stuff like pfSense & IPv6 for fun. Yes, gif0 is my tunnel interface. Not sure what you mean by "not suppose to configure any sort of dynamic addressing on the tunnel interface."

When you configure the tunnel interface, it only asks you for 3 items. Server IPv4 address, Server IPv6 address, & Client IPv6 address. Then you set the parent interface which is set to WAN. There is no way to set anything to dynamic under the gif interface. Please refer to this guide to see what the gif/tunnel interface setup page looks like. It's the picture with the arrows from one image to another.

http://xtropx.blogspot.cz/2012/07/pfsense.html

See if you can follow through that guide & find any problems? I've used this guide & multiple others which are all very similar in explaining how to set up IPv6. My WLAN interface is set to a static IPv6. For that static IPv6 the guide tells you to use your /64 routed. I'm actually trying to use my /48, because after I figure out my one subnet, I do need to set up IPv6 for 2 others. I did previously have IPv6 working on pfSense 2.1 dev & even wrote a guide, it was working with my /48. I updated a few months ago & it broke everything & I've been trying to fix it.

All the guides say to enable DHCPv6 & set a valid IP range. DHCPv6 did work previously under 2.1 dev when I had IPv6 running successfully. This is where I'm confused. If I was to shut off DHCPv6 how would clients get IPs? DHCP servers assign/hand out/serve IPs, correct? I'm thinking that router advertisements & link local addressing can somehow serve IPs to clients, is what you're trying to tell me? But then wouldn't addressing be random?

I've tried playing with damn near every combination of settings to try & get it to work. I will try turning off DHCPv6 & playing around with that until I hear back. Thanks for the help so far.

ETA: Here is what I see from the packet capture function. I also tried this from another network JUST IN CASE my wireless router may have caused problems, but nothing has changed on that wireless router since it previously worked. I also have a DMZ set up with a wired connection. Started packet capture & ran "ipconfig /renew6" on that pc (Win 08 Server). ipconfig /renew6 fails. Packet cap data looks same even with DHCPv6 running. This cap was done with DHCPv6 disabled.

Of note, the ":d0a8" address is the link local ipv6 on the server trying to request an ipv6. Looks like no reply back maybe? It's talking to the router advertisement link local it appears & port 547. Possible problem with that port? Because that error message seems to hint at that as well. I did check. No programs or port forwarding is set up for that port, so nothing should be using it.

09:59:02.395087 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::2: ICMP6, router solicitation, length 16
09:59:02.395296 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
09:59:02.414326 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:03.413791 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:05.413737 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:09.030341 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
09:59:09.413743 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:14.740678 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
09:59:17.419506 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:23.399642 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
09:59:33.423158 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:35.516024 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
09:59:45.561251 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
10:00:05.152375 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
10:00:05.422338 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
10:00:20.486835 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
10:00:36.010342 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
10:00:48.593356 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
10:01:00.057210 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120


ETA2: Well crap. Double checked a packet cap of my WLAN network. It is doing router advertisements but no responses from my client's link local like I can see on the server packet cap. The server does have an IPv6 default gateway of fe80, which is link local. The WLAN client does not have the link local IPv6 default gateway. Any idea why WLAN client isn't able to get as far? All settings are identical that I can tell other than the physical setup. Server is connected to switch then to pfsense nic. Wireless router is connected to powerline networking adapter. Powerline networking input is connected to pfsense nic.

Going to chalk this part up to equipment. I THINK that both the wireless router & powerline networking were hooked up when I had IPv6 working. But it's possible maybe the powerline networking wasn't. I plugged laptop directly into a switch & could get the link local gateway. So it must have something to do with the router or powerline networking. I will try to use just the router & not the powerline networking adapter & see if that fixes the WLAN but issue still stands with the server machine not being able to pull IPv6 for some reason.

Yup, just pulled up past purchases off of newegg. Started reading reviews & these are a TPlink TL-PA210KIT. These are known not to support IPv6 correctly. TPlink says to upgrade to TP-LINK TL-PA2010KIT. Notice the extra zero. 2010 instead of 210.

So that fixes one issue. Now still need to know why my wired server isn't getting IPv6.

I did read one person state, not about my particular switches, but his switch wouldn't pass any IPv6 traffic. Now I do know for 100% fact the same switches now used were used when IPv6 worked previously. However pfSense could have changed something & for some reason my switches aren't doing IPv6 like they should. I don't have a crossover cable to use to test nic to nic from pfsense router to server right now. Everything looks correct, that's the only thing I could think of, because I haven't tested that. Or would talking of link local address from pfSense to server be proof that IPv6 is working fine on the switches?
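The capture in the post above can be summarised mechanically. This is an added example, not part of the original post: it reads a subset of the posted tcpdump lines, counts router advertisements, and pairs DHCPv6 client traffic (port 546 to ff02::1:2 port 547) with any server replies. tcpdump printed these packets only as UDP, so treating them as DHCPv6 requests is inferred from the ports and the multicast destination; the function and variable names are made up for this sketch.

```python
import re

# Subset of the tcpdump lines posted above.
CAPTURE = """\
09:59:02.395087 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::2: ICMP6, router solicitation, length 16
09:59:02.395296 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
09:59:02.414326 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:03.413791 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:05.413737 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:09.413743 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:17.419506 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
09:59:33.423158 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP6 (\S+) > (\S+): (.*)$")

def seconds(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyse(text):
    """Count RAs and summarise DHCPv6 requests/replies per client address."""
    ra_count = 0
    clients = {}  # client address -> {"sent": [timestamps], "replies": int}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = seconds(*m.group(1, 2, 3))
        src, dst, info = m.group(4, 5, 6)
        if "router advertisement" in info:
            ra_count += 1
        elif src.endswith(".546") and dst.endswith(".547"):   # client -> server
            clients.setdefault(src[:-4], {"sent": [], "replies": 0})["sent"].append(ts)
        elif src.endswith(".547") and dst.endswith(".546"):   # server -> client
            clients.setdefault(dst[:-4], {"sent": [], "replies": 0})["replies"] += 1
    report = {}
    for addr, c in clients.items():
        # Whole-second gaps between retransmissions show the client's backoff.
        gaps = [round(b - a) for a, b in zip(c["sent"], c["sent"][1:])]
        report[addr] = {"requests": len(c["sent"]), "replies": c["replies"],
                        "gaps": gaps, "unanswered": c["replies"] == 0}
    return ra_count, report
```

On these lines the client sends six requests, gets no reply from port 547, and the gaps double (1, 2, 4, 8, 16 seconds), which is a client retransmitting with backoff rather than a one-off lost packet.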

lonevipr

Well, no idea what just happened. My server magically all of a sudden had IPv6. I went to the status of my network adapter (wired) & it said IPv6 Connectivity - Internet. I was like WTF. I've been trying different things & ipconfig /renew6 but the command just errors out.

Went to the ipv6 test website & it was success. I installed Windows Updates earlier today on the server & went to restart it to finish the install of that. IPv6 has died. No IPv6 when box came up but I do have additional packet capture chatter:

15:14:25.745596 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::2: ICMP6, router solicitation, length 16
15:14:25.745789 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120
15:14:25.939987 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
15:14:26.745573 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::1: ICMP6, neighbor advertisement, tgt is fe80::b5e8:eb2c:47d1:d0a8, length 32
15:14:26.836142 IP6 fe80::b5e8:eb2c:47d1:d0a8 > ff02::1:ffb7:6c77: ICMP6, neighbor solicitation, who has fe80::20e:4ff:feb7:6c77, length 32
15:14:26.836219 IP6 fe80::20e:4ff:feb7:6c77 > fe80::b5e8:eb2c:47d1:d0a8: ICMP6, neighbor advertisement, tgt is fe80::20e:4ff:feb7:6c77, length 32
15:14:26.971450 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
15:14:28.974889 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
15:14:31.836946 IP6 fe80::20e:4ff:feb7:6c77 > fe80::b5e8:eb2c:47d1:d0a8: ICMP6, neighbor solicitation, who has fe80::b5e8:eb2c:47d1:d0a8, length 32
15:14:31.837137 IP6 fe80::b5e8:eb2c:47d1:d0a8 > fe80::20e:4ff:feb7:6c77: ICMP6, neighbor advertisement, tgt is fe80::b5e8:eb2c:47d1:d0a8, length 32
15:14:32.978543 IP6 fe80::b5e8:eb2c:47d1:d0a8.546 > ff02::1:2.547: UDP, length 86
15:14:37.844206 IP6 fe80::20e:4ff:feb7:6c77 > ff02::1: ICMP6, router advertisement, length 120

lonevipr

Alright finally got it stable. Works both with & without DHCPv6 enabled. I changed my router advertisements from managed to assisted & that's when I guess it started working originally. Before reboot I did change router advertisements back to managed but it was still connected to ipv6 & that broke it when it rebooted.


kasperd

Quote from: lonevipr on December 12, 2013, 06:44:45 AM
All the guides say to enable DHCPv6 & set a valid IP range.

Clients can use either RA, DHCPv6, or a combination of the two. I think using just RA is the most common behaviour on the clients, which is why I was suggesting to focus on the router advertisement daemon, and not enable DHCPv6.

The error message you mentioned did suggest DHCPv6 was misconfigured. The error message might be harmless, I don't know for sure.

If you do enable both DHCPv6 and router advertisement on a segment, and both are properly configured, then that will support the widest range of clients. So if you are sure your DHCPv6 server is giving correct information to clients, then there is no point in turning it off.

Quote from: lonevipr on December 12, 2013, 06:44:45 AM
This is where I'm confused. If I was to shut off DHCPv6 how would clients get IPs?

Most systems would get their IPv6 address by using router advertisements and SLAAC. That part works without any DHCPv6 server. There is only a problem, if you need additional parameters to be configured. It is mainly DNS configuration, which would be a problem. Clients can get their own address using SLAAC and a DNS server address using DHCPv6. A DNS server address in the router advertisement is also possible, but was not in the first version and might not yet be supported by all clients. If you are running your own DNS cache, there is no problem in using IPv4 for communicating with that over your LAN, the DNS cache can still use both IPv4 and IPv6 for communicating with the rest of the world.
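The choice between RA, DHCPv6 or both that this answer describes is signalled to clients by flag bits inside the router advertisement itself (RFC 4861). The following is an added example, not from the thread or from pfSense: it builds constructed RA bodies using the documentation prefix 2001:db8:0:1::/64 and decodes the M and O flags and the per-prefix A flag. That pfSense's "managed" mode corresponds to M set with A clear, and "assisted" to M and A both set, is an assumption made here; the thread does not state it.

```python
import ipaddress
import struct

def build_ra(managed, other, autonomous, prefix="2001:db8:0:1::", plen=64):
    """Constructed RA body (ICMPv6 type 134) with one Prefix Information option."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)    # M and O bits
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if autonomous else 0)                  # L always set, A optional
    opt = struct.pack("!BBBBIII", 3, 4, plen, pflags, 86400, 14400, 0)
    return hdr + opt + ipaddress.IPv6Address(prefix).packed

def decode_ra(pkt):
    """Return the M/O flags and, for each advertised prefix, its A flag."""
    typ, _code, _ck, _hop, flags, _life, _reach, _retr = struct.unpack("!BBHBBHII", pkt[:16])
    if typ != 134:
        raise ValueError("not a router advertisement")
    out = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "prefixes": []}
    off = 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8     # option length is in 8-byte units
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32:                # Prefix Information option
            plen, pflags = pkt[off + 2], pkt[off + 3]
            prefix = ipaddress.IPv6Address(pkt[off + 16:off + 32])
            out["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))
        off += olen
    return out

def client_addressing(ra):
    """Ways a host can obtain a global address according to this RA."""
    methods = []
    if any(auto for _, auto in ra["prefixes"]):
        methods.append("SLAAC")      # A flag: form an address from the prefix
    if ra["M"]:
        methods.append("DHCPv6")     # M flag: addresses available via DHCPv6
    return methods
```

With M set and A clear, `client_addressing` returns only DHCPv6, so a host on that segment has no global address whenever the DHCPv6 server is not answering; with A also set, SLAAC remains available.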

lonevipr

Thanks for the info. That helps me understand a little better. Now I had it up & decided to add a static address for the ipv6 that was assigned to my server successfully. pfSense let me make a static mapping. After I left everything alone for about 20 minutes all of my ipv4 connections died. According to NDP Tables all my IPv6 stuff was still up. As soon as I disabled IPv6 on my various subnets my IPv4 stuff came back instantly.

This is probably a pfSense related problem, but I'm glad I got it working. Now onto the next problem.