Bug #15906
closed
IPv6 delegated prefix changes upstream do not immediately update track6 interfaces
0%
Description
After an IPv6 prefix and IP change on the WAN interface the LAN interface IPs and delegated IPv6 prefixes don’t get updated.
This mens the client devices on the LAN networks are not getting an updated IPv6 IP via SLAAC and communication stops.
This situation resolves only after 1.5 to 2 hours. Then the LAN IPs get updated. This is taking too long.
Log:
/rc.newwanipv6: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - 2003:e2:8700:ae00:2e0:edff:febe:dacf -> 2003:e2:8701:3a00:2e0:edff:febe:dacf - Restarting packages.
Scenario:
IPv6 with dynamic IPv6 prefix advertised by upstream router via DCHPv6 to WAN Interface.
WAN IPv6 Configuration Type: DHCP6
DHCPv6 Prefix Delegation size: 61
Send IPv6 prefix hint: yes
Request only an IPv6 prefix: no
LAN Interfaces: Track Interface
Clients are configured "unmanaged" (Stateless Address Auto-Configuration (SLAAC)).
Steps to reproduce:
Initiate a IPv6 prefix change on the upstream router.
Related issues
Updated by Manuel Gayer 3 months ago
Same here, as already said in #12947#note-24.
For the moment I use this shell script in a cron-job every minute:
#!/bin/sh
IFACE="$1"
IFS="
"
if DEP_V6_ADDRESSES=$(/sbin/ifconfig "$IFACE" | grep 'deprecated'); then
for line in $DEP_V6_ADDRESSES; do
dep_v6_addr=$(echo "$line" | sed -E 's/.*inet6 ([0-9a-fA-F\.:]+) prefixlen ([0-9]+).*/\1\/\2/')
/usr/bin/logger -t clean_ipv6_addr.sh "Found deprecated IPv6 address ${dep_v6_addr} on ${IFACE} - deleting"
/sbin/ifconfig "$IFACE" inet6 "$dep_v6_addr" delete
done
/etc/rc.newwanipv6 "$IFACE"
fi
But this just a workaround, and should not be the "solution".
Updated by Jan-Jonas Sämann 3 months ago
Although this does restore basic connectivity, it defeats downstream prefix invalidation.
Deprecated prefixes in the kernel serve the purpose of holding the knowledge about shortly expired prefixes, so for instance radvd can continue revoking them downstream by advertising them with a valid lifetime of 0. A prperly behaving upstream router will also do that, which will fight against the script for about 2 hours by continously adding the deprecated prefix back-in and worst case cause some route flapping and/or ddns ddos as long as pfsense (everything above the kernel) doesn't handle prefix selection properly.
This script also doesn't force the renewal of delegated prefixes (tracked interface) doesn't it? As I understand, this just restores internet connectivity to the firewall itself.
Updated by Marcos M 3 months ago
- Is duplicate of Bug #12947: Old IPv6 addresses may continue to be used after DHCP or RA changes added
Updated by Marcos M 11 days ago
- Is duplicate of deleted (Bug #12947: Old IPv6 addresses may continue to be used after DHCP or RA changes)
Updated by Marcos M 11 days ago
- Related to Bug #12947: Old IPv6 addresses may continue to be used after DHCP or RA changes added
Updated by Marcos M 10 days ago
- Status changed from New to Not a Bug
Tracked interfaces are handled by the renew script with link_interface_to_track6(). However the reported issue here seems to be expected behavior. For now discussion can continue on the forum:
https://forum.netgate.com/post/1211736