I am trying to (elegantly) enable IPv6 with a 10g fiber connection. I have gotten it working with Prefix Delegation (PD) across a number of my interfaces. I am using a pfSense based firewall+router, which is connected to the AdTran 822v ONT.
I have unfortunately had to hard-code the default IPv6 gateway. My router sends a Router Solicitation (RS), resulting in the firewall's WAN interface receiving 2 Router Advertisements (RAs), see the tcpdumps below. The RAs are appropriately tagged with the preference.
The "low" preference RA is from MAC 00:24:45:fb:53:cf and "medium" preference RA is from MAC 5c:45:27:67:4e:80. The 00:24:45:* OUI is an AdTran MAC and the 5c:45:27:* OUI is a Juniper MAC. I am therefore assuming 00:24:45:fb:53:cf is the ONT and 5c:45:27:67:4e:80 is somewhere upstream on the OLT side.
The RA from 5c:45:27:67:4e:80 is the one that is needed for proper routing, otherwise IPv6 traffic gets dropped. While multiple RAs are valid, pfSense does not seem to handle it well. At least not as a client device on the WAN interface. It always ends up with the gateway from 00:24:45:fb:53:cf, not 5c:45:27:67:4e:80.
I tested this with my Linux+NetworkManager-based PC directly connected to the ONT. It also receives the multiple RAs, but it receives the RA from 5c:45:27:67:4e:80 first. pfSense receives the RA from 00:24:45:fb:53:cf first. This behavior for both devices is consistent. I am not yet sure why it differs.
There might be something I can do on the pfSense side to better account for this. I need to explore this more. But I am wondering if I can just avoid the seemingly useless RA from the ONT (00:24:45:fb:53:cf) altogether?
Router Solicitation (from tcpdump):
03:01:12.833032 xx:xx:xx:xx:xx:xx > 33:33:00:00:00:02, ethertype IPv6 (0x86dd), length 70: (hlim 255, next-header ICMPv6 (58) payload length: 16) fe80::3eec:efff:fe42:760 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 16
source link-address option (1), length 8 (1): xx:xx:xx:xx:xx:xx
0x0000: xxxx xxxx xxxx
Router Advertisements (from tcpdump):
03:01:12.834313 00:24:45:fb:53:cf > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 78: (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::224:45ff:fefb:53cf > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
hop limit 64, Flags [other stateful], pref low, router lifetime 0s, reachable time 0ms, retrans timer 0ms
source link-address option (1), length 8 (1): 00:24:45:fb:53:cf
0x0000: 0024 45fb 53cf
03:01:12.848009 5c:45:27:67:4e:80 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 78: (class 0xc0, hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::5e45:27ff:fe67:4e80 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 24
hop limit 64, Flags [managed], pref medium, router lifetime 1800s, reachable time 0ms, retrans timer 0ms
source link-address option (1), length 8 (1): 5c:45:27:67:4e:80
0x0000: 5c45 2767 4e80
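Added example, not part of the original post and not pfSense's or NetworkManager's code: the two RAs from the dump above, rebuilt as constructed byte strings from the printed fields (checksum zeroed), parsed, and run through the default-router rule of RFC 4861 and RFC 4191, under which an RA with router lifetime 0 is not a default-router candidate regardless of arrival order. The function names are hypothetical.

```python
import struct

RA_HDR = "!BBHBBHII"  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans
# RFC 4191 Prf field (flag bits 0x18): 01 high, 00 medium, 11 low, 10 reserved (treated as medium)
PRF = {0b01: 1, 0b00: 0, 0b11: -1, 0b10: 0}

def build_ra(flags, lifetime, mac):
    """Constructed sample: 16-byte RA header plus a source link-layer address option."""
    hdr = struct.pack(RA_HDR, 134, 0, 0, 64, flags, lifetime, 0, 0)
    return hdr + bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))

def parse_ra(pkt):
    """Extract the fields that matter for default-router selection."""
    if len(pkt) < 16:
        raise ValueError("truncated RA")
    typ, code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack(RA_HDR, pkt[:16])
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    mac, off = None, 16
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8  # option length is in units of 8 bytes
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("bad option length")
        if otype == 1 and olen == 8:  # source link-layer address
            mac = pkt[off + 2:off + 8].hex(":")
        off += olen
    return {"mac": mac, "lifetime": lifetime, "managed": bool(flags & 0x80),
            "other": bool(flags & 0x40), "pref": PRF[(flags >> 3) & 0b11]}

def select_default_router(ras):
    """ras: parsed RAs in arrival order. Lifetime 0 means 'not a default router'
    (RFC 4861); among the rest, the highest preference wins, earliest arrival on a tie."""
    candidates = [r for r in ras if r["lifetime"] > 0]
    return max(candidates, key=lambda r: r["pref"])["mac"] if candidates else None

# Constructed from the tcpdump fields: [other stateful], pref low, lifetime 0s
ONT_RA = build_ra(0x40 | 0x18, 0, "00:24:45:fb:53:cf")
# Constructed from the tcpdump fields: [managed], pref medium, lifetime 1800s
UPSTREAM_RA = build_ra(0x80, 1800, "5c:45:27:67:4e:80")

if __name__ == "__main__":
    # Arrival order as seen on the pfSense WAN: ONT first, upstream second
    print(select_default_router([parse_ra(ONT_RA), parse_ra(UPSTREAM_RA)]))
```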