IPv6 on PPPoE - experiences requested
Hi all, I'm writing here to understand if anyone has successfully set up an FWG in router mode for a dual stack IPv4/IPv6 PPPoE connection.
My ISP offers a PPPoE connection (small ISP in Italy, 1gb fiber with planned upgrade to 2.5gb). On top of this, my ISP offers a dual stack connection, so IPv4 and IPv6 are on different stacks (if for any reason IPv6 goes off, I can continue using the IPv4, and vice versa).
Now, setting up the FWG in router mode in this scenario was a pain in the a.. since the beginning, mainly due to the fact that FWG keeps waiting for the RA while this would never happen due to the PPPoE itself, resulting in having to manually (via ssh) set the route to the pppoe interface to local ipv6 address, otherwise none of the clients would receive a correct ipv6 address. Downside of this is that if, for any reason, the PPPoE session goes down, I have to re-set the route, entering ssh etc. There should be another thread on this, but anyway, this is something I can afford all in all (even if with a very fast research on the web, made by a complete dummy like me, I found some interesting posts/guides on how to correctly set up an IPv6 PPPoE connection on Ubuntu...).
But yesterday my ISP completely disabled my IPv6 due to the fact that their logs are full (flooded...) by an event named "Can't add dual-stack queue: DUID contains no mac". These events are coming from my FWG, and it seems like there's been a consistent amount of them, so high that my ISP had some trouble in managing their log systems. On top of this, it seems like there's another FWG user using the same ISP, and the 2 of us were responsible for this flooding. The other user ended up disabling IPv6, which for me, sincerely, is not an option in 2022. I did some quick research on the web, trying to understand what can cause that specific message, finding nothing but some generic explanation about DUID etc. This, and the fact that there's at least another user running into this issue, made me think that the problem is on FWG side. I already opened a ticket to support yesterday, enabling them to remote access, but the first answer didn't make me "safe", being told to ask details (meaning and root cause) to my ISP. They of course can't know what that message means and of course they can't know the root cause, so now I'm waiting for some magic to happen. The benefit of having such a "small" ISP (even though their main business is DDoS protection layer for large companies) is that I can talk directly with their technician, but I can't (and don't want to) cause any problems due to a misconfiguration or something else of my network.
Is there anyone in this forum who is using ipv4 AND ipv6, on a dual stack PPPoE connection with their FWG?
I placed the order for the FWG+ 'cause I love Firewalla, but if I have to choose between this and a consistent IPv6 support provided by simply any other CPE manufacturer, I'd choose the latter...
-
It is absolutely not possible for FWG to send logs to your ISP ... Did you configure any Syslog to them? Or did they do something to your FWG? Or is it their own system that's acting up? <= I assume it is this they are talking about
If it is their own system printing out the messages to their own servers, then we need to know exactly why the logs are there. That is the reason that our staff is asking for details; only they or their vendors know why the message is getting printed out.
-
I'm not saying that FWG sends logs of course, but it generates some kind of errors which are printed in their system. The error is about DHCP, and occurs every 30 seconds (I sent the exact message to your support, I can't write it here because it contains my IPv6). So imagine an error printed in a log system every 30 sec... I just asked the ISP to understand if those errors were present since the beginning or started later from a specific date.
-
Guys, I don't want to accuse anyone. All the information I have is available to your support team, which is amazing since they helped me with the previous issue with IPv6. Everything that is known by my ISP is (and will be) shared. If my ISP says that there is something on my config which is causing this, then I ask you what can it be, given the fact that the current implementation of IPv6 with PPPoE is not so smooth and the error seems to be not "common", at least there is no trace of similar issues on the web...
I just want to be sure that someone is looking into this. Even if it's not a problem itself (my connection works well on both the stacks), it's causing problems to the ISP's log system.
Many thanks
-
Some update. While FW support is looking into DHCPv6, I managed to get IPv6 partially working. Given the fact that my ISP provides a static /56, I set static instead of DHCP in the WAN setup, using as IP address the provided class ending in ::2, prefix 56. Gateway has been manually set with a link-local address, as per PPPoE standard. With this setup, the ISP does not log any error: also looking at /var/log/dhcpcd.log there is no error event recorded (while using DHCPv6 instead of static generates errors every 30 sec, visible on said log...).
So, first evidence is that DHCPv6 on WAN is somehow not working so well.
Here comes the tricky part: if I enable IPv6 on my main LAN (eth port #2), I have to set the exact class ending in ::2, prefix 56 and DHCP enabled (on LAN). Doing this, devices in that LAN correctly receive a valid IPv6 address (also a link-local address as it should), all IPv6 tests are passed (test-ipv6.com and similar). Doing the same on a VLAN (I got 3 VLANs, all on eth port #2), keeping the LAN config as above, results in:
1) VLAN devices are not receiving a valid IPv6 address, using ::1, ::3, ::4 etc. No tests are passed (easy to check for me, Xbox connects only in IPv4)
2) The entire connection drops, even the IPv4 (and I have a dual stack...) for every device in the entire network, setting ::2 (same as LAN and WAN)
So, until now, it seems like I'm able to have IPv6 working, without errors or other, only on 1 LAN/VLAN of my choice.
All the above has been already shared with FW support, I'm writing here to mainly ask for some help/advice from anyone in this forum, as long as IPv6 for me is both a blessing and a curse :D
-
Guys, an important update.
First of all, let me say sorry. Sorry to Firewalla team. The above problem wasn't due to FWG or anything else on that side, but my crappy (previous) ISP.
Today I finalized the switch to a new one (2.5gb by the way). Same connection protocol (PPPoE), IPv6 enabled on WAN and LAN. Perfectly working, no workaround needed (like the manual setting of the gateway etc). All my devices obtain a valid IPv6 address, all tests passed, and all without a manual setting or other.
On the "hardware" side, I just put on the Ubuntu 22 image, but I guess it's not the reason for everything working now.
Again, sorry
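
Added example, not part of the thread and not Firewalla's or the ISP's code: the ISP message quoted in the first post says the DUID "contains no mac". A DHCPv6 DUID embeds a link-layer address only in its DUID-LLT and DUID-LL forms (RFC 8415), so this Python decoder reports whether a given DUID carries one. The sample DUIDs are constructed, and that the ISP's system checks the DUID this way is an assumption.

```python
import struct

# DUID type codes: 1-3 from RFC 8415 section 11, 4 from RFC 6355.
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL", 4: "DUID-UUID"}
ETHERNET = 1  # IANA hardware type for Ethernet

# Constructed sample DUIDs (documentation MAC range, made-up identifiers).
SAMPLES = {
    "llt": "00:01:00:01:2a:3b:4c:5d:00:00:5e:00:53:01",
    "ll": "00:03:00:01:00:00:5e:00:53:02",
    "en": "00:02:00:00:7d:00:aa:bb:cc:dd",
    "uuid": "00:04:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00",
}


def parse_duid(text):
    """Decode a DUID written as hex; colons, dashes and spaces are ignored."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", "").replace(" ", ""))
    if len(raw) < 3:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    info = {"type": DUID_TYPES.get(dtype, "unknown(%d)" % dtype),
            "hw_type": None, "link_layer": None}
    if dtype == 1:    # type, hardware type, 32-bit time, link-layer address
        if len(raw) < 9:
            raise ValueError("truncated DUID-LLT")
        info["hw_type"] = struct.unpack("!H", raw[2:4])[0]
        info["link_layer"] = raw[8:].hex(":")
    elif dtype == 3:  # type, hardware type, link-layer address
        if len(raw) < 5:
            raise ValueError("truncated DUID-LL")
        info["hw_type"] = struct.unpack("!H", raw[2:4])[0]
        info["link_layer"] = raw[4:].hex(":")
    return info  # DUID-EN and DUID-UUID carry no link-layer address


def carries_mac(text):
    """True when the DUID embeds a 6-byte Ethernet address."""
    info = parse_duid(text)
    ll = info["link_layer"]
    return info["hw_type"] == ETHERNET and ll is not None and len(ll) == 17


if __name__ == "__main__":
    for name, duid in SAMPLES.items():
        print(name, parse_duid(duid)["type"], "mac" if carries_mac(duid) else "no mac")
```

Feed it the DUID seen in a packet capture of the client's DHCPv6 Solicit to see which form the client is sending.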