Topic: DHCPv6 Solicit not answered  (Read 15243 times)
« on: February 06, 2011, 14:45:08 »
jarlt *
Posts: 8

I am trying to get DHCPv6 running with mOnOwall. In general IPv6 is working nicely when using router advertisements.

When set to Managed Addressing and Other I expect the PC to get an address out of the defined range - but it does not. (IPv4 works) I can see on my Win7 PC that it sends out Solicit messages but no answer. As long as RAs are sent the PC gets addresses derived from the prefixes - but no DHCP. When I skip the RAs then the PC only has a Link Local address.

The Solicit packets go to ff02::1:2 (33:33:00:01:00:02).
I created an IPv6 filter to pass UDP port 546 to 547 with logging but there is no packet seen.

The monowall runs on ESX but I already set the NIC to promiscuous mode - without any success.

I set up a Linux machine with ISC DHCP 4.1.1 - there I get an address.
Does anyone know why the mOnOwall does not answer the Solicit packets?

Thanks
Juergen
« Reply #1 on: February 06, 2011, 15:09:57 »
jarlt *
Posts: 8

Just found that the interface has a default filter already for DHCPv6.

0 @5 pass in quick on em2 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server

Does however not change my problem. Interface is Opt1 = em2.

... and I should add that I tested 1.32 and 1.33b2
Juergen
« Last Edit: February 06, 2011, 15:22:51 by jarlt »
« Reply #2 on: February 06, 2011, 19:33:10 »
brushedmoss ****
Posts: 446

Just set the managed address flag on its own, not 'other' flag
« Reply #3 on: February 06, 2011, 21:09:14 »
jarlt *
Posts: 8

No change leaving the O Option blank.
« Reply #4 on: February 06, 2011, 22:13:54 »
jarlt *
Posts: 8

After hours of testing and searching I tried the same DHCP config on the LAN interface em1 and it worked immediately.
So to me it looks like a bug or something with the filters on the OPT1 interface.

Can someone shed some light on this?
Thanks
Juergen
« Reply #5 on: February 06, 2011, 23:34:28 »
brushedmoss ****
Posts: 446

I'll take a look next week, work permitting !
« Reply #6 on: February 06, 2011, 23:41:04 »
jarlt *
Posts: 8

Let me know if I can help in any way to make your work easier.
Thanks in advance.
Juergen
« Reply #7 on: February 06, 2011, 23:48:09 »
brushedmoss ****
Posts: 446

m0n0wall runs separate instances of dhcp6s for each interface, so you should see it running as a process in /status.php

you should find its config in /var/etc/dhcp6s.{ifname}.conf
go to /exec.php and execute

Code:
ls /var/etc/dhcp6s.*

then

Code:
cat /var/etc/dhcp6s.ifname.conf

etc.

if the config looks correct and the process is running, then it is most likely a firewall problem restricting the packet, you can check this in /status.php and compare to your LAN setting when it works there ?

« Reply #8 on: February 07, 2011, 00:12:20 »
jarlt *
Posts: 8

Looks ok so far. Both processes are running.
Code:
root   71234  0.0  0.4  1428  1056  ??  INs  11:35PM   0:00.00 /usr/local/sbin/dhcp6s -c /var/etc/dhcp6s.em1.conf -k /var/run/dhcp6sctlkey -p 64705 -P /var/run/dhcp6s.em1.pid em1
root   71237  0.0  0.4  1428  1056  ??  INs  11:35PM   0:00.00 /usr/local/sbin/dhcp6s -c /var/etc/dhcp6s.em2.conf -k /var/run/dhcp6sctlkey -p 64706 -P /var/run/dhcp6s.em2.pid em2

Here are the configs:

Code:
$ cat /var/etc/dhcp6s.em1.conf

option domain-name "*****";
option domain-name-servers 2001:4dd0:fc84:0064::1;


interface em1 {
preference 255;
address-pool poolem1 7200 86400;
};

pool poolem1 {
        range 2001:4dd0:fc84:64:0:0:1:0 to 2001:4dd0:fc84:64:0:0:1:ffff ;
};

host m0n0wall {
        duid 00:50:56:01:81:64;
        address 2001:4dd0:fc84:0064::1 infinity;
};
-------------------------------------------------------------

$ cat /var/etc/dhcp6s.em2.conf

option domain-name "*****";
option domain-name-servers 2001:4dd0:fc84:0065::1;


interface em2 {
preference 255;
address-pool poolem2 7200 86400;
};

pool poolem2 {
        range 2001:4dd0:fc84:65:0:0:1:0 to 2001:4dd0:fc84:65:0:0:1:FFFF ;
};

host m0n0wall {
        duid 00:50:56:01:81:65;
        address 2001:4dd0:fc84:0065::1 infinity;
};

One Log entry that looks as if it could have caused the issue.
mOnOwall can see the incoming DHCP Solicit on the em2 interface. When connecting to em1 this particular log message does not appear.

Code:
Feb  7 00:00:10 m0n0wall ipmon[151]: 00:00:09.390966 em2 @0:21 b fe80::4977:257a:e524:500d,546 -> ff02::1:2,547 PR udp len 40 151 IN low-ttl multicast
« Reply #9 on: February 07, 2011, 00:21:24 »
brushedmoss ****
Posts: 446

Ok. The solicit is being blocked. I'll fix it tomorrow.
« Reply #10 on: February 07, 2011, 00:27:33 »
jarlt *
Posts: 8

I see, em1 has a rule for passing it, em2 not so it is dropped @21

@3 pass in quick on em1 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server

@21 block in log quick on em2 from !2001:4dd0:fc84:65::/64 to any

As this is an internal rule, it does not help specifying an own pass rule, correct ?
« Reply #11 on: February 08, 2011, 00:47:51 »
brushedmoss ****
Posts: 446

I think I see the problem, do you have the ipv4 dhcp server not enabled on the opt interface ?

looks like I made some bad logic and instead of checking for dhcpv6 enabled to put in the rule on the opt interface, I checked for dhcpv4 server enablement.

if you enable ipv4 dhcp server it should work around it.
« Reply #12 on: February 08, 2011, 20:14:31 »
jarlt *
Posts: 8

True, after enabling the IPv4 there is a filter pass entry for DHCPv6 for the OPT1 interface em2. Thanks for the workaround. Guess you will fix it sometime.

@2 pass in quick on em1 from fe80::/10 to fe80::/10
@3 pass in quick on em1 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server
@4 pass in quick on em2 from fe80::/10 to fe80::/10
@5 pass in quick on em2 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server

Regards
Juergen
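
Added example, not part of the original thread and not m0n0wall code: a small first-match evaluator for the "quick" ipf rules quoted above, showing which rule the logged Solicit hits on em2 before and after the workaround. It understands only the rule syntax that appears in the posts; the rule sets are constructed from the quoted lines, not a full rule dump.

```python
import ipaddress
import re

# Constructed from the rule lines quoted in the thread (not a complete listing).
RULES_BEFORE = """\
@3 pass in quick on em1 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server
@21 block in log quick on em2 from !2001:4dd0:fc84:65::/64 to any
"""
RULES_AFTER = """\
@5 pass in quick on em2 proto udp from any port = dhcpv6-client to ff02::1:2/128 port = dhcpv6-server
@21 block in log quick on em2 from !2001:4dd0:fc84:65::/64 to any
"""
PORTS = {"dhcpv6-client": "546", "dhcpv6-server": "547"}
RULE_RE = re.compile(
    r"@(?P<num>\d+) (?P<action>pass|block) in (?:log )?quick on (?P<ifc>\S+)"
    r"(?: proto (?P<proto>\S+))? from (?P<src>\S+)(?: port = (?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\S+))?$")

def addr_match(spec, addr):
    """Match an address spec: 'any', a prefix, or a '!'-negated prefix."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate

def port_match(spec, port):
    """A rule without a port clause matches any port; names map via PORTS."""
    return spec is None or PORTS.get(spec, spec) == str(port)

def first_match(rules_text, ifc, src, sport, dst, dport, proto="udp"):
    """Return (rule number, action) of the first quick rule hit, or None."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m or m["ifc"] != ifc or m["proto"] not in (None, proto):
            continue
        if (addr_match(m["src"], src) and addr_match(m["dst"], dst)
                and port_match(m["sport"], sport) and port_match(m["dport"], dport)):
            return int(m["num"]), m["action"]
    return None

def solicit_verdict(rules_text, ifc):
    # Packet as it appears in the ipmon log line: link-local source,
    # UDP 546 -> ff02::1:2 port 547.
    return first_match(rules_text, ifc, "fe80::4977:257a:e524:500d", 546,
                       "ff02::1:2", 547)

if __name__ == "__main__":
    for label, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(label, "em2:", solicit_verdict(rules, "em2"))
```

The link-local source is outside 2001:4dd0:fc84:65::/64, so without the DHCPv6 pass rule the negated-prefix block at @21 is the first match on em2.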
 