Log spam: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)

egc · November 20, 2023, 3:53pm

My provider finally is handing out IPv6 addresses when the modem is in bridge mode.
So I have now full dual stack IPv4 and IPv6 with /56 PD.
Everything seems to work very well tested IPV6 etc., so no complaints about that.

However I have burst of user.notice pbr:

Mon Nov 20 11:01:01 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:01:44 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:11:49 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:12:45 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:31:24 2023 daemon.info hostapd: phy1-ap0: STA 98:b8:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
Mon Nov 20 11:31:24 2023 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 98:b8:xx:xx:xx:xx auth_alg=sae
Mon Nov 20 11:31:24 2023 daemon.info hostapd: phy1-ap0: STA 98:b8:xx:xx:xx:xx RADIUS: starting accounting session CE537102AB5FD262
Mon Nov 20 11:31:24 2023 daemon.info hostapd: phy1-ap0: STA 98:b8:xx:xx:xx:xx WPA: pairwise key handshake completed (RSN)
Mon Nov 20 11:31:24 2023 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 98:b8:xx:xx:xx:xx
Mon Nov 20 11:31:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.0.78 98:b8:xx:xx:xx:xx
Mon Nov 20 11:31:25 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.0.78 98:b8:xx:xx:xx:xx Galaxy-S20-FE-van-E
Mon Nov 20 11:36:53 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:37:05 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:52:24 2023 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.0.59  40:b0:xx:xx:xx:xx
Mon Nov 20 11:52:24 2023 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.0.59  40:b0:xx:xx:xx:xx PCGijs
Mon Nov 20 11:59:33 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 11:59:45 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 12:07:32 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 12:08:26 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 12:11:10 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)
Mon Nov 20 12:11:59 2023 user.notice pbr: Reloading pbr wan6 interface routing due to ifupdate of wan6 (eth0.2)

I do have PBR compiled in but PBR is disabled.
But regardless of the log messages what could trigger an ifupdate of wan6?
Is this just normal and can I ignore this or is this an indication of wrong setup?

Of course it is possible it is my ISP, they do not have a stellar track record with IPv6 (ISP is Ziggo Cable)

Details are below, let me know if you need any other settings or information.

Thanks in advance.

My router is an R7800 running 23.0.5.2

root@R7800-2:~# ubus call system board
{
"kernel": "5.15.137",
"hostname": "R7800-2",
"system": "ARMv7 Processor rev 0 (v7l)",
"model": "Netgear Nighthawk X4S R7800",
"board_name": "netgear,r7800",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05-SNAPSHOT",
"revision": "r23633-c7b6cfac40",
"target": "ipq806x/generic",
"description": "OpenWrt 23.05-SNAPSHOT r23633-c7b6cfac40"
}
}

cat /etc/config/network

config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'

config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1.1'

config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.0.1'
option netmask '255.255.255.0'
option ip6assign '60'
list dns_search 'home'

config interface 'wan'
option device 'eth0.2'
option proto 'dhcp'
option peerdns '0'
list dns '1.0.0.1'
list dns '9.9.9.9'

config interface 'wan6'
option device 'eth0.2'
option proto 'dhcpv6'
option reqaddress 'try'
option reqprefix 'auto'
option peerdns '0'
list dns '2606:4700::1111'
list dns '2620:fe::10'
option dns_metric '10'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t'

config switch_vlan
option device 'switch0'
option vlan '2'
option ports '5 0t'

config interface 'iot'
option proto 'static'
option device 'br-iot'
option ipaddr '192.168.111.1'
option netmask '255.255.255.0'

config device
option type 'bridge'
option name 'br-iot'
option bridge_empty '1'

cat /etc/config/firewall

config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Remote SSH'
option src 'wan'
option src_dport '22'
option dest_port '22'
option dest_ip '192.168.0.1'
option enabled '0'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'Remote admin'
option src 'wan'
option src_dport '8080'
option dest_port '80'
option dest_ip '192.168.0.1'
option enabled '0'

config zone
option name 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'

config forwarding
option src 'iot'
option dest 'wan'

config rule
option name 'allow-iot-dns'
option src 'iot'
option dest_port '53'
option target 'ACCEPT'

config rule
option name 'allow-iot-dhcp'
list proto 'udp'
option src 'iot'
option dest_port '67'
option target 'ACCEPT'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'WG-server6'
list proto 'udp'
option src 'wan'
option src_dport '51810'
option dest_ip '192.168.0.6'
option dest_port '51810'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'WG-server2'
list proto 'udp'
option src 'wan'
option src_dport '51811'
option dest_ip '192.168.0.2'
option dest_port '51811'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'OVPN-server6'
option src 'wan'
option src_dport '1194'
option dest_ip '192.168.0.6'
option dest_port '1194'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'OVPN-server2'
option src 'wan'
option src_dport '1195'
option dest_ip '192.168.0.2'
option dest_port '1195'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'QNAP-telnet'
option src 'wan'
option src_dport '13131'
option dest_ip '192.168.0.91'
option dest_port '13131'
option enabled '0'

config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'

config include 'bcp38'
option type 'script'
option path '/usr/lib/bcp38/run.sh'

config redirect
option dest 'lan'
option target 'DNAT'
option name 'OVPN-server3'
option src 'wan'
option src_dport '1196'
option dest_ip '192.168.0.4'
option dest_port '1196'

cat /etc/config/pbr

config pbr 'config'
option enabled '0'
option verbosity '2'
option strict_enforcement '1'
option resolver_set 'none'
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '30'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '0'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'

config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled 0

config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled 0

config policy
option name 'Plex/Emby Local Server'
option interface 'wan'
option src_port '8096 8920 32400'
option enabled '0'

config policy
option name 'Plex/Emby Remote Servers'
option interface 'wan'
option dest_addr 'plex.tv my.plexapp.com emby.media app.emby.media tv.emby.media'
option enabled '0'

vgaetera · November 20, 2023, 9:53pm

Events related to DHCPv6 and RA:
https://github.com/openwrt/odhcp6c/blob/master/README#L54-L61

To stop those messages, you need to actually disable the service:
https://github.com/openwrt/packages/blob/master/net/pbr/files/etc/hotplug.d/iface/70-pbr#L3

Probably yes, since IPv6 can be quite chatty.
You might want to investigate the detailed odhcpd log:
https://openwrt.org/docs/guide-user/network/protocol.dhcp#dhcp_client_scripts1

stangri · November 21, 2023, 1:56am

I've been previously advised by @hnyman that there could be phantom interface renewal events for IPv6 WAN and I've implemented an option to ignore IPv6 events for https-dns-proxy. If you're willing to test it (and its side-effects) in action @egc I can make a build with such an option for pbr.

egc · November 21, 2023, 6:46am

Thanks @stangri I certainly want to test it, I make my own builds so if possible can you send me the patch so that I can incorporate it in my own builds?

Will be later this week though

Edit:
I did add a client script for a short time, boy IPv6 is chatty indeed thanks @vgaetera for the tip

I replaced the first line of https://github.com/openwrt/packages/blob/master/net/pbr/files/etc/hotplug.d/iface/70-pbr#L3 with:
if [ -x /etc/init.d/pbr ] && [ $(uci get pbr.config.enabled) = 1 ] ; then

Now everything seems quiet but need to test further.
If it works it is a quick and dirty fix and probably there is a smarter way.

egc · November 21, 2023, 11:36am

Some further investigations

Although PBR is stopped and disabled under Service > PBR it still shows as Enabled under System > Startup > Initscripts and that is why /etc/init.d/pbr enabled still outputs 0
After Disabling it outputs 1 and there is no more log spamming.

Problem solved, Thanks @stangri and @vgaetera.

Stan let me know if you want me to test anything

stangri · November 21, 2023, 6:10pm

There's a difference between enabling the service and enabling service startup on boot.

PS. Updated the luci apps to properly enable/disable services so that the old iface hotplug and @egc modified iface hotplug both work.

system · December 1, 2023, 6:11pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.