
Author Topic: IPv6 DHCPv6 Lease Giving Bad Route to Gateway  (Read 211 times)

Offline davidg1982

IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« on: January 15, 2018, 10:18:16 am »
Sorry if this is a repost.

Problem: pfSense router is giving out bad routing information via DHCPv6 to LAN clients.

Description: When I reboot my router, IPv6 works. Client, router, etc. All works.
But as soon as I refresh my connection on a LAN client, it gives a bad default router and IPv6 stops working. I am not having any issues with IPv4.

I have no issues getting a global IPv6 and local-link address on the router or LAN clients. Ping/traceroute/etc. all work on the router.
With WAN and LAN, I get the right prefix delegation local-link and global, but for some reason, my clients on the LAN side get a bad default gateway when it is issued from the router. On a LAN client, when I try to ping ipv6.google.com or any other global address, it does not work; local-link works.

If I do static on a LAN client and route it properly via ipv6-link to the router address, it works fine, but anything coming from the router via DHCPv6 gives me a bad default gateway.

Why? I do not understand. What am I doing wrong? What am I missing? Been at this for hours. Thanks in advance.

I am running pfSense 2.4.2-RELEASE-p1.

Online JKnott

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #1 on: January 15, 2018, 10:25:49 am »
What router address are you getting, vs what you expect?

On IPv6, the router link local address is generally used for the default route and is passed to the devices via router advertisements.

Offline davidg1982

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #2 on: January 15, 2018, 10:44:41 am »
The 'right' gateway address is fe80::1:1, however, I get fe80::285e:6cff:fe74:4f18. I have no idea what that is. I am having trouble finding what piece of hardware is that address; granted my networking skills are limited.

Online JKnott

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #3 on: January 15, 2018, 11:17:57 am »
> The 'right' gateway address is fe80::1:1, however, I get fe80::285e:6cff:fe74:4f18. I have no idea what that is. I am having trouble finding what piece of hardware is that address; granted my networking skills are limited.

The least significant 64 bits are determined by the MAC address, with the 7th bit inverted, with fffe inserted in the middle. Do you have anything with a matching MAC address? You can click on Status > DHCP Leases to see what IPv4 address has that MAC. You can also often check hardware labels for a MAC address.

That link local address is fe80::285e:6cff:fe74:4f18, so
Least significant 64 bits - 285e:6cff:fe74:4f18
Invert bit 7 and remove fffe - 2a5e:6c74:4f18, which is the MAC address of the device.  However, there appears to be something strange.  That bit that was toggled was originally the one to indicate a locally assigned MAC address and with or without it toggled, that MAC does not appear to be assigned to a manufacturer.  Does something on your network have a locally assigned MAC address?
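
The conversion described in the reply above, as an added Python example that is not part of the original thread. It recovers the MAC from a modified EUI-64 interface ID and reports whether the locally administered bit is set; the function name and the third test address are constructed for illustration.

```python
import ipaddress


def eui64_to_mac(addr: str):
    """Recover the MAC behind a modified EUI-64 IPv6 address.

    Returns (mac, locally_administered), or None when the interface ID
    has no ff:fe filler, i.e. it was not derived from a MAC (privacy
    addresses, or manually set ones such as fe80::1:1).
    """
    addr = addr.split("%")[0]                      # drop a zone index like %em0
    iid = ipaddress.IPv6Address(addr).packed[8:]   # least significant 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])             # remove the ff:fe filler
    mac[0] ^= 0x02                                 # invert the universal/local bit
    locally_administered = bool(mac[0] & 0x02)
    return ":".join(f"{b:02x}" for b in mac), locally_administered


if __name__ == "__main__":
    for a in ("fe80::285e:6cff:fe74:4f18",   # address reported in the thread
              "fe80::1:1",                   # expected gateway in the thread
              "fe80::211:22ff:fe33:4455"):   # constructed sample
        print(a, "->", eui64_to_mac(a))
```

A locally administered result means an OUI lookup will not identify the vendor, which matches the observation in the reply that the MAC is not assigned to a manufacturer.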

Offline davidg1982

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #4 on: January 15, 2018, 11:20:49 am »
Let's see what happens when I do different router advertisements.

Managed: Local-Link only, but the right default gateway.

Assisted: Local-link and Global, but not the right default gateway.

Unmanaged:  Local-link and Global, but not the right default gateway.

Stateless: Local-link and Global, but not the right default gateway.

Router Only: Local-Link Only, but the wrong default gateway.

Disabled: Local-Link Only, but the wrong default gateway.

Offline davidg1982

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #5 on: January 15, 2018, 11:35:03 am »
> That link local address is fe80::285e:6cff:fe74:4f18, so
> Least significant 64 bits - 285e:6cff:fe74:4f18
> Invert bit 7 and remove fffe - 2a5e:6c74:4f18, which is the MAC address of the device.  However, there appears to be something strange.  That bit that was toggled was originally the one to indicate a locally assigned MAC address and with or without it toggled, that MAC does not appear to be assigned to a manufacturer.  Does something on your network have a locally assigned MAC address?

I've checked the ARP and NDP tables, nothing even remotely close with that MAC address. Checked nmap, and nothing.

Online JKnott

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #6 on: January 15, 2018, 11:44:34 am »
You could also use Packet Capture or Wireshark to see if pfSense is actually sending out RAs with the wrong gateway, or if they're coming from elsewhere.  You have to filter on ICMP6 to capture them.  If you use Packet Capture, you may want to download the capture file and use Wireshark to examine it, as Wireshark provides more info than the list shown in Packet Capture.


Offline davidg1982

Re: IPv6 DHCPv6 Lease Giving Bad Route to Gateway
« Reply #7 on: January 15, 2018, 12:51:07 pm »
> You could also use Packet Capture or Wireshark to see if pfSense is actually sending out RAs with the wrong gateway, or if they're coming from elsewhere.  You have to filter on ICMP6 to capture them.  If you use Packet Capture, you may want to download the capture file and use Wireshark to examine it, as Wireshark provides more info than the list shown in Packet Capture.

You were right. I wiresharked it and found out that my old EdgeMax router was sending out router advertisements. Factory reset the darn thing and all is right on the network. At least, it wasn't DNS. Thank you for your help.
« Last Edit: January 15, 2018, 12:56:43 pm by davidg1982 »
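
The check that resolved this thread, finding which device is sending router advertisements, as an added Python example that is not part of the original posts. It parses Ethernet frames for ICMPv6 type 134 and reports any sender outside an expected-router list; the frames, both MAC addresses and all function names are constructed, and only the two link-local addresses come from the thread.

```python
import ipaddress
import struct

EXPECTED_ROUTERS = {"fe80::1:1"}   # assumption: the pfSense LAN link-local address


def parse_ra(frame: bytes):
    """Return RA details from an Ethernet frame, or None if it is not an RA."""
    if len(frame) < 14 + 40 + 16 or frame[12:14] != b"\x86\xdd":
        return None                        # too short, or EtherType is not IPv6
    ip6 = frame[14:54]
    if ip6[6] != 58:                       # next header must be ICMPv6
        return None                        # (extension headers are not handled)
    icmp = frame[54:]
    if icmp[0] != 134:                     # ICMPv6 type 134 = Router Advertisement
        return None
    return {"src_mac": frame[6:12].hex(":"),
            "src": str(ipaddress.IPv6Address(ip6[8:24])),
            "lifetime": struct.unpack("!H", icmp[6:8])[0]}


def rogue_routers(frames, expected=EXPECTED_ROUTERS):
    """Map unexpected default-router announcers (lifetime > 0) to their source MAC."""
    rogue = {}
    for frame in frames:
        ra = parse_ra(frame)
        if ra and ra["lifetime"] > 0 and ra["src"] not in expected:
            rogue[ra["src"]] = ra["src_mac"]
    return rogue


def build_ra(src_mac: str, src_ip: str, lifetime: int) -> bytes:
    """Build a constructed sample RA frame (checksum zero, no options)."""
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed
    ip6 += ipaddress.IPv6Address("ff02::1").packed        # all-nodes multicast
    eth = bytes.fromhex("333300000001" + src_mac.replace(":", "")) + b"\x86\xdd"
    return eth + ip6 + icmp


SAMPLE = [   # constructed frames, not a real capture
    build_ra("00:11:22:33:44:55", "fe80::1:1", 1800),
    build_ra("02:00:00:00:00:01", "fe80::285e:6cff:fe74:4f18", 1800),
    build_ra("02:00:00:00:00:02", "fe80::2", 0),   # lifetime 0: not a default router
]

if __name__ == "__main__":
    print(rogue_routers(SAMPLE))
```

In Wireshark the equivalent display filter is `icmpv6.type == 134`; the source MAC of each match is what to trace back to a physical device.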