Bug #15906
closed
IPv6 delegated prefix changes upstream do not immediately update track6 interfaces
Added by Uwe Verwey 4 months ago.
Updated 10 days ago.
Category:
IPv6 Router Advertisements (radvd/rtsold)
Affected Architecture:
All
Description
After an IPv6 prefix and IP change on the WAN interface the LAN interface IPs and delegated IPv6 prefixes don’t get updated.
This means the client devices on the LAN networks are not getting an updated IPv6 IP via SLAAC and communication stops.
This situation resolves only after 1.5 to 2 hours. Then the LAN IPs get updated. This is taking too long.
Log:
/rc.newwanipv6: Netgate pfSense Plus package system has detected an IP change or dynamic WAN reconnection - 2003:e2:8700:ae00:2e0:edff:febe:dacf -> 2003:e2:8701:3a00:2e0:edff:febe:dacf - Restarting packages.
Scenario:
IPv6 with dynamic IPv6 prefix advertised by upstream router via DHCPv6 to WAN Interface.
WAN IPv6 Configuration Type: DHCP6
DHCPv6 Prefix Delegation size: 61
Send IPv6 prefix hint: yes
Request only an IPv6 prefix: no
LAN Interfaces: Track Interface
Clients are configured "unmanaged" (Stateless Address Auto-Configuration (SLAAC)).
Steps to reproduce:
Initiate an IPv6 prefix change on the upstream router.
Same here, as already said in #12947#note-24.
For the moment I use this shell script in a cron-job every minute:
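#!/bin/sh
# Usage: clean_ipv6_addr.sh <interface>
IFACE="$1"
# Split the ifconfig output on newlines only, so each address line is one item.
IFS="
"
if DEP_V6_ADDRESSES=$(/sbin/ifconfig "$IFACE" | grep 'deprecated'); then
    for line in $DEP_V6_ADDRESSES; do
        # Reduce the ifconfig line to address/prefixlen.
        dep_v6_addr=$(echo "$line" | sed -E 's/.*inet6 ([0-9a-fA-F\.:]+) prefixlen ([0-9]+).*/\1\/\2/')
        /usr/bin/logger -t clean_ipv6_addr.sh "Found deprecated IPv6 address ${dep_v6_addr} on ${IFACE} - deleting"
        /sbin/ifconfig "$IFACE" inet6 "$dep_v6_addr" delete
    done
    # Only when a deprecated address was found: run /etc/rc.newwanipv6 for the interface.
    /etc/rc.newwanipv6 "$IFACE"
fi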
But this is just a workaround, and should not be the "solution".
Although this does restore basic connectivity, it defeats downstream prefix invalidation.
Deprecated prefixes in the kernel serve the purpose of holding the knowledge about shortly expired prefixes, so for instance radvd can continue revoking them downstream by advertising them with a valid lifetime of 0. A properly behaving upstream router will also do that, which will fight against the script for about 2 hours by continuously adding the deprecated prefix back in and worst case cause some route flapping and/or DDNS DDoS as long as pfSense (everything above the kernel) doesn't handle prefix selection properly.
This script also doesn't force the renewal of delegated prefixes (tracked interface), does it? As I understand, this just restores internet connectivity to the firewall itself.
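A read-only variant of the cron check from the comments above, added here as an example (not code from the ticket or from pfSense): it lists deprecated addresses and leaves them on the interface, so the kernel keeps the state that the deprecated-prefix comment describes. The sample ifconfig output, the interface name igb1 and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the ticket: report deprecated IPv6 addresses
# instead of deleting them, so the kernel keeps the deprecated state.

# Constructed sample of FreeBSD ifconfig output (documentation prefix
# 2001:db8::/32, hypothetical interface igb1).
sample_ifconfig() {
    cat <<'EOF'
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::1:1%igb1 prefixlen 64 scopeid 0x2
    inet6 2001:db8:8700:ae01::1 prefixlen 64 deprecated
    inet6 2001:db8:8701:3a01::1 prefixlen 64
EOF
}

# list_inet6 STATE: read ifconfig output on stdin and print one
# "address/prefixlen" per non-link-local inet6 address in STATE
# ("deprecated", or "current" for addresses not marked deprecated).
list_inet6() {
    awk -v state="$1" '
    $1 == "inet6" && $2 !~ /^fe80:/ {
        addr = $2; plen = ""; found = "current"
        sub(/%.*/, "", addr)                 # drop a %scope suffix
        for (i = 3; i <= NF; i++) {
            if ($i == "prefixlen")  plen = $(i + 1)
            if ($i == "deprecated") found = "deprecated"
        }
        if (plen != "" && found == state) print addr "/" plen
    }'
}

# report: summarise both states; nothing is removed from the interface.
report() {
    out=$(cat)
    for a in $(printf '%s\n' "$out" | list_inet6 deprecated); do
        echo "deprecated, left in place: $a"
    done
    for a in $(printf '%s\n' "$out" | list_inet6 current); do
        echo "current: $a"
    done
}

# With an interface name, inspect the live system; otherwise use the sample.
if [ -n "${1:-}" ] && [ -x /sbin/ifconfig ]; then
    /sbin/ifconfig "$1" | report
else
    sample_ifconfig | report
fi
```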
- Is duplicate of Bug #12947: Old IPv6 addresses may continue to be used after DHCP or RA changes added
- Status changed from New to Duplicate
- Is duplicate of deleted (Bug #12947: Old IPv6 addresses may continue to be used after DHCP or RA changes)
- Related to Bug #12947: Old IPv6 addresses may continue to be used after DHCP or RA changes added
- Status changed from Duplicate to New
- Subject changed from After an IPv6 prefix and IP change on the WAN interface the LAN interface IPs and delegated IPv6 prefixes don’t get updated to IPv6 prefix changes on WAN do not update track6 interfaces
- Status changed from New to Not a Bug
Tracked interfaces are handled by the renew script with link_interface_to_track6(). However the reported issue here seems to be expected behavior. For now discussion can continue on the forum:
https://forum.netgate.com/post/1211736
- Subject changed from IPv6 prefix changes on WAN do not update track6 interfaces to IPv6 delegated prefix changes upstream do not immediately update track6 interfaces