Yet another IPv6 prefix delegation problem

I’ve looked through this forum and also general web searches. Even though there are many reports of similar problems, I’ve tried just about all the suggestions of “what worked” (if shown) without success. I started on the 1.2.9-S1 release, then tried a build based on 1.3.3, and have ended up on vyos-1.4-rolling-202306210317-amd64. The 1.3.3 and 1.4 appear to behave identically.

The behavior as follows. When I pretest the configuration by plugging the VyOS WAN port into a LAN port of my production router (pfSense with dual IPv4/IPv6 stack), the VyOS WAN port gets a routable IPv6 address, a PC plugged into the VyOS router gets a routable IPv6 address (and other information that I configured into the Router Advertisement), and a ping to an IPv6 address on the router works fine. The main failing is that a similar ping on the PC just gets time outs (notably, NOT unreachable). No IPv6 prefixes are shown, but none are expected (as far as I know, since the WAN is connected to my router, not the ISP).

Then, when I connect the VyOS router WAN directly to the ISP (port on the OTN), essentially nothing works. The WAN port shows only a link local IPv6 address, but nothing routable. The PC also shows only the link local, not a routable IPv6 address. No IPv6 prefixes are shown.

One is brought to the conclusion that the ISP’s IPv6 support doesn’t get along with my VyOS IPv6 configuration at all. This ISP always supplies a /56 prefix. The ISP appears robust in that my previous Cisco RV340x router worked fine, a test RouterOS stack worked fine, and the pfSense-based router worked fine - all three working IPv6 with this ISP mostly by leaving their default settings alone.

Here are my interface settings with boilerplate defaults removed:

ethernet eth2 {
address dhcp
address dhcpv6
description OUTSIDE
dhcpv6-options {
pd 0 {
interface eth3 {
address 1
sla-id 0
}
length 56
}
}
ipv6 {
address {
}
}
}
ethernet eth3 {
address 192.168.0.1/24
description INSIDE
ipv6 {
address {
}
}
}

Here is my Router Advertisement setup (extra junk is there from one of the web postings, but probably not relevant for this problem):

router-advert {
interface eth3 {
default-lifetime 3600
default-preference high
hop-limit 64
interval {
max 30
}
link-mtu 1500
name-server 2001:4860:4860::8888
name-server 2001:4860:4860::8844
prefix ::/64 {
preferred-lifetime 3600
valid-lifetime 7200
}
reachable-time 900000
retrans-timer 100
}
}

The IPv6 firewall rules are minimal for safety. For full disclosure, these are the only other IPv6 settings in the configuration file:

ipv6-receive-redirects disable
ipv6-src-route disable

I make this posting because I’ve sort of run out of things to try. I’ve tried many variations on the above config without any effect. I’ve tried three fairly far apart VyOS versions. What else should I be looking at?

In Vyos 1.4 rolling, IPv6 not enable and working.

Below my config, IPv6 working.

image653×824 12.8 KB

image824×140 4.44 KB

image774×677 38.1 KB

Thank you for your rapid response. I adjusted my configuration along the lines of yours (except for pppoe vs. ethernet). Unfortunately, connecting the VyOS router WAN to the ISP produces exactly the same results - no routable IPv6 addresses for anybody. I even temporarily removed the IPv6 firewall rules from the WAN interface and that made no difference. (All testing is on vyos-1.4-rolling-202306210317-amd64)

I have uploaded my entire config commands file for any suggestions. Interface eth2 = WAN and eth3 = LAN (all other interfaces are unused and removed from the posted config).

config24-commands.txt (6.0 KB)

Thanks in advance for any further suggestions.

Yes, Vyos 1.4 rolling, i try ipv6 but it’s not work and revert back Vyos 1.3.3 LTS.

Thanks for this tip about 1.4 rolling. I have reverted to the Vyos 1.3.3 LTS build and tried again with my “cleaned up” configuration.

The results unfortunately are unchanged. With the Vyos router WAN plugged into a LAN port of my pfSense router, the Vyos WAN port gets a routable IPv6 address (two, if fact, since I left in both the 'address dhcpv6" and the ‘ipv6 address autoconf’ on the port, not knowing which would work). Running ping to an IPv6 address on the Vyos router works. A PC plugged into the Vyos router gets a routable IPv6 address but its pings to an IPv6 address just time out.The IPv6 route table looks decent:

WIth the Vyos router WAN port plugged into the ISP, Looking on the router the WAN interface only gets a link local IPv6 address, not a routable one. The PC gets nothing. Its not worth trying any ping operations.

Here is the config commands file that I used for this test (unused interfaces deleted for conciseness):
config25-commands-edit.txt (5.9 KB)

Any other suggestions or pointers to working configs (especially with an ISP giving /56 prefixes)?

Something what’s wrong.

set interfaces ethernet eth2 dhcpv6-options pd 0 interface eth3 address ‘1’
set interfaces ethernet eth2 dhcpv6-options pd 0 length ‘56’

and here

set service router-advert interface eth3 default-lifetime ‘3600’
set service router-advert interface eth3 default-preference ‘high’
set service router-advert interface eth3 hop-limit ‘64’
set service router-advert interface eth3 interval max ‘30’
set service router-advert interface eth3 link-mtu ‘1500’
set service router-advert interface eth3 name-server ‘2001:4860:4860::8888’
set service router-advert interface eth3 name-server ‘2001:4860:4860::8844’
set service router-advert interface eth3 prefix ::/64 preferred-lifetime ‘3600’
set service router-advert interface eth3 prefix ::/64 valid-lifetime ‘7200’
set service router-advert interface eth3 reachable-time ‘900000’
set service router-advert interface eth3 retrans-timer ‘100’

Thank you. I agree, the two sections of the config are the critical sections. The first section gets the prefix from the ISP, and the other tunes the Router Advertisement that passes it along to the LAN.

So the solution will probably involve changes to these. I’ve already tried lots of variations. Any ideas or examples of known working config that I could try next?

Does VyOS have any built-in packet logging function that I can use to examine the interplay between the ISP and VyOS when I connect it up? I would like to avoid an external packet sniffer since it needs to tap onto the raw internet feed.

Tcpdump is included with the install. Be sure to run with sudo in case you need to look at ports below 1025.

The “monitor traffic interface eth2” command appears to do what I need here.
This packet capture is with the VyOS WAN port (eth2) connected directly to the ISP.
I redirected the output to a file. I removed all of the IPv4-only chatter and here is what is left:
mon5 - eth2 to ISP - IPv6 only.txt (1.2 KB)

If I am reading this correctly, the ICMPv6 router solicitation messages appears to be ignored by the VyOS stack. Therefore prefix and address assignment never occurs. Checking the WAN-IN firewall rules, the intention anyway is to allow all ICMPv6.

Anyone recognize any familiar syndromes here? Suggestions for additional troubleshooting steps to narrow it down? Thanks in advance.

i managed something similar