core: interfaces: autoconf IPv6 addresses are not being deprecated on PPPoE interface on link down

Describe the bug

In case your ISP provides Internet via a PPPoE connection and the connection drops due to failures (e.g. DSL resync, PPP connection issues etc.), it can happen that IPv6 is not working anymore when the connection comes up again. Some ISPs dynamically assign IPv6 prefixes only. When the PPPoE connection drops and OPNsense reconnects to the ISP, the latter assigns you a new prefix and the old one becomes outdated.

OPNsense recognizes the newly offered prefix and itself assigns new IPv6 addresses based on this prefix. The problem is that IPv6 addresses based on the outdated prefix are still assigned to the PPPoE interface, and OPNsense still tries to use these addresses as source addresses of IPv6 packets. The ISP correctly blocks packets with an invalid source address.

Before the PPPoE connection comes up again, old addresses must be removed from the PPPoE interface.

To Reproduce

Steps to reproduce the behavior:

  1. Choose an ISP which dynamically assigns IPv6 prefixes via PPPoE
  2. Configure your PPPoE connection to use IPv6 with the following parameters:
     • IPv6 Configuration Type: SLAAC
     • Use IPv4 connectivity: yes
  3. Check whether the ISP assigns you an IPv6 prefix (via SSH and ifconfig)
  4. Force re-establishing a PPPoE connection (e.g. DSL resync, interrupting the connection between DSL modem and OPNsense in such a way that the Ethernet link does not go down).
  5. Re-check whether the ISP assigns you a new IPv6 prefix (via SSH and ifconfig)
     • The PPPoE interface should now contain IPv6 addresses with two different prefixes and IPv6 connections to the internet get stuck.

Expected behavior

All IPv6 addresses with the outdated prefix should be removed from the PPPoE interface after the connection goes down. This should be OK because nobody can guarantee that the prefix will still be valid after the connection comes up again. Even if it's still valid, the ISP will reassign the same prefix again.

Describe alternatives you considered

I have read the documentation of the mpd5 daemon, which is responsible for controlling the PPPoE connection, but I have no clue why the IPv4 address will be removed when the link goes down but the IPv6 addresses will not. I guess the mpd5 daemon only removes addresses from the interface that it has itself assigned to it. But in my configuration the provider assigns the IPv6 prefix to the interface (by sending router advertisement messages) without knowledge of the mpd5 daemon. Presumably, this is the reason the daemon is not able to remove unknown addresses from that interface.

It should be easy to solve this problem. We need to add some code to mpd5's linkdown script (/usr/local/opnsense/scripts/interfaces/ppp-linkdown.sh) to remove all IPv6 addresses from the interface. I have tested it with the following code snippet added to the script, which works well. Maybe somebody can optimize the code because it looks a little bit cobbled.

By the way we should consider that the interface could have multiple valid IPv6 addresses in case IPv6 Privacy Extensions (RFC 4941) are enabled. This scenario is also covered by the code snippet.

/usr/local/opnsense/scripts/interfaces/ppp-linkdown.sh:

[…]
elif [ "${AF}" = "inet6" ]; then
[…]
	# Do not remove gateway used during filter reload.
	rm -f /tmp/${IF}_routerv6 /tmp/${IF}upv6 /tmp/${IF}_ipv6

# <--- new inserted code - start --->
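# Delete every non-link-local IPv6 address left on the interface, one per pass.
# Scoped (link-local) addresses contain '%' and are skipped.
while i="$(ifconfig "${IF}" | grep inet6 | grep -m 1 -v '%' | cut -f2 -d ' ' | tr -d '[:space:]')"; do
    if [ -n "$i" ]; then
        # Stop if the delete fails so the same address is not retried forever.
        ifconfig "${IF}" inet6 "$i" delete || break
    else
        # No IPv6 address left.
        break
    fi
done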
# <--- new inserted code - end --->
fi

Software version used and hardware type if relevant, e.g.: OPNsense 21.1.4-amd64

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 20 (12 by maintainers)
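
An added example (not part of the original report or of OPNsense's scripts): a POSIX sh check for the symptom in the last reproduction step, i.e. more than one /64 prefix among the non-link-local addresses on the interface. The function names and the `ifconfig` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `ifconfig <interface>` output on stdin.

# Print "<address> <expanded /64 prefix>" for each non-scoped inet6 address.
# Scoped link-local addresses (fe80::...%if) are skipped.
global_inet6() {
    awk '
    # Expand "::" so the first four hextets can be compared as text.
    function prefix64(addr,    h, l, r, g, n, nl, nr, i, j) {
        n  = split(addr, h, "::")
        nl = split(h[1], l, ":")
        nr = (n > 1) ? split(h[2], r, ":") : 0
        for (i = 1; i <= nl; i++) g[i] = l[i]
        while (i <= 8 - nr) g[i++] = "0"
        for (j = 1; j <= nr; j++) g[i++] = r[j]
        return g[1] ":" g[2] ":" g[3] ":" g[4] "::/64"
    }
    $1 == "inet6" && $2 !~ /%/ { print $2, prefix64($2) }'
}

# Number of distinct /64 prefixes on the interface. More than one after a
# reconnect means addresses from an outdated prefix are still configured.
prefix_count() {
    global_inet6 | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# Constructed sample (RFC 3849 documentation prefix), shaped like FreeBSD
# ifconfig output after a reconnect: two addresses from the old prefix
# (one a privacy-extension address) and one from the new prefix.
SAMPLE='pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
    inet6 fe80::20d:b9ff:fe00:1%pppoe0 prefixlen 64 scopeid 0x8
    inet6 2001:db8:a1:5:20d:b9ff:fe00:1 prefixlen 64 autoconf
    inet6 2001:db8:a1:5:5c3e:91ff:2b4a:77d0 prefixlen 64 autoconf temporary
    inet6 2001:db8::20d:b9ff:fe00:1 prefixlen 64 autoconf
    inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffffff'

printf '%s\n' "$SAMPLE" | global_inet6
echo "distinct /64 prefixes: $(printf '%s\n' "$SAMPLE" | prefix_count)"
```

On the firewall the same check would be fed live output, for example `ifconfig pppoe0 | prefix_count` (interface name assumed); a result above 1 after a reconnect points to leftover addresses.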

Most upvoted comments

Sorry for my late response. Unfortunately, the email notification does not seem to work. I can perform all the tests this weekend and report it here.