IPv6 instability
Hi,
I just got my new Firewalla Gold and have been working on trying to set it up. One of the first advanced features that I am trying is the IPv6 feature.
I noticed that when enabling it, it would start to pin the CPU a bit. The load average exceeded 4 and the system told me that upon ssh login. As well, the box would become unstable and keep freezing or dropping ssh connections. I noticed that the box only got IPv6 from my ISP once and it hasn't since despite multiple reboots and reconfigurations of IPv6. I am wondering if it is related to this from my ISP about how they assign IPv6:
We (TELUS) are using dhcp6-pd to assign an IPv6 Prefix to the requesting router (usually an Actiontec RG). As you have noticed the prefix is /56 in size and the Actiontec is using two /64 prefixes out of that at this time (In theory those prefixes don't have to be a /64, they could be anything within that /56). The Actiontec "owns" the entire /56 prefix, so you can't just arbitrarily pick say a /64 out of that and start using it. The only way that could work is if the Actiontec in turn delegated a prefix to a requesting router on the LAN side (a feature that currently is not supported on it).
Now if you want to use your own router, you can do what you mentioned by using the port 1 bridge mode on the Actiontec and connecting your device into this. It will work fine, however there are a few issues with a majority of 3rd party devices. In order for it to work your device must:
1. Only request a dhcp6-pd (So only send IA-PD in the dhcp6 solicit message). This is what the Actiontecs actually do.
2. If the device does request both an IA-NA, and an IA-PD in the solicit message, then it must conform to RFC 7550. We are not using IA-NA so in our dhcp Advertise message there will be a NoAddrAvail message for the IA-NA, and a prefix for the IA-PD.
#2 is where most of the 3rd party devices have issues. They don't handle this case and will usually reject the dhcp advertise message that is sent down and just go into an endless solicit loop.
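
The Advertise described in the quoted ISP note (IA-NA carrying a NoAddrsAvail status, IA-PD carrying a prefix) can be checked with a small parser. This is an added example, not code from the original post, from TELUS or from Firewalla: it compares an RFC 7550 style client, which keeps the delegated prefix, with a client that discards any Advertise containing NoAddrsAvail. The function names, the sample message and the documentation prefix 2001:db8:1200::/56 are constructed for illustration, and "usable" is narrowed here to mean that a delegated prefix is present.

```python
import ipaddress
import struct

ADVERTISE = 2                                   # DHCPv6 message type
OPT_IA_NA, OPT_STATUS, OPT_IA_PD, OPT_IAPREFIX = 3, 13, 25, 26
NO_ADDRS_AVAIL = 2                              # status code value

def opt(code, data):
    """Encode one option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(data)) + data

def options(buf):
    """Yield (code, payload) for each option in buf."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4:off + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        yield code, data
        off += 4 + length

def evaluate_advertise(msg):
    """Return (rfc7550_accepts, strict_accepts, delegated_prefixes)."""
    if len(msg) < 4 or msg[0] != ADVERTISE:
        raise ValueError("not a DHCPv6 Advertise")
    prefixes, no_addrs = [], False
    for code, data in options(msg[4:]):          # skip type + transaction id
        if code in (OPT_IA_NA, OPT_IA_PD):
            subs = options(data[12:])            # skip IAID, T1, T2
        else:                                    # message-level status, or ignore
            subs = [(code, data)] if code == OPT_STATUS else []
        for sub, sd in subs:
            if sub == OPT_STATUS and len(sd) >= 2:
                no_addrs |= struct.unpack_from("!H", sd)[0] == NO_ADDRS_AVAIL
            elif sub == OPT_IAPREFIX and len(sd) >= 25:
                prefixes.append(ipaddress.IPv6Network((sd[9:25], sd[8]), strict=False))
    return bool(prefixes), bool(prefixes) and not no_addrs, prefixes

def sample_advertise():
    """Constructed Advertise: IA-NA with NoAddrsAvail plus IA-PD with a /56."""
    status = opt(OPT_STATUS, struct.pack("!H", NO_ADDRS_AVAIL) + b"no addresses")
    ia_na = opt(OPT_IA_NA, struct.pack("!III", 1, 0, 0) + status)
    pfx = ipaddress.IPv6Address("2001:db8:1200::").packed   # documentation prefix
    iaprefix = opt(OPT_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56) + pfx)
    ia_pd = opt(OPT_IA_PD, struct.pack("!III", 1, 1800, 2880) + iaprefix)
    return bytes([ADVERTISE]) + b"\x12\x34\x56" + ia_na + ia_pd
```

For the constructed message, `evaluate_advertise(sample_advertise())` reports that the RFC 7550 style client accepts the /56 while the strict client rejects the whole Advertise, which is the condition that leaves a router re-sending Solicit.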