OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: blusens on April 27, 2021, 10:01:26 am

Title: IPv6 Windows Hosts getting address from other interfaces
Post by: blusens on April 27, 2021, 10:01:26 am
I have a /56 dynamic prefix allocated from my ISP. I've configured 4 VLANs with Track interface and Manual DHCPv6 and Router advertisements. One of those VLANs (i.e. VLAN D) has both DHCPv6 server and RA disabled. RA is set to Managed on the other interfaces.

Windows Hosts on VLAN A are getting an IPv6 address from their own VLAN (Native VLAN, i.e. VLAN A) but they're also getting an IPv6 address and temporary address from VLAN D. These extra IPv6 addresses are not present in DHCPv6 leases and they're not part of the DHCPv6 range set on the interface. Windows Hosts also have the other interfaces as DNS servers.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: Vilhonator on April 27, 2021, 12:03:19 pm
If I understood this right, then that's normal.

If you have set up VLAN, static routes and "allow all" firewall rules on each VLAN interface on your OPNsense, then you need to go to each interface's DHCP settings and manually set DNS and gateway addresses.

Also, if you want to prevent all VLANs from gaining access to each other, then you need to create a reject or block rule in the firewall rules.

https://www.youtube.com/watch?v=kYFNa_zpeII&t=0s <--- that's a great video explaining basic OPNsense firewall rules
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: blusens on April 27, 2021, 02:11:57 pm
DNS is set to auto, so it sets the interface's address.

What I don't understand is, why are devices on VLAN A getting DHCPv6 leases (or SLAAC maybe?) from VLAN D, even though DHCPv6 server and RA are disabled on VLAN D?
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: Greelan on April 27, 2021, 02:24:00 pm
Try setting “Router Only” in the RA config (as per the help text)
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: blusens on April 27, 2021, 02:56:20 pm
Try setting “Router Only” in the RA config (as per the help text)

Thanks, looks like it works. I don't understand why "Router" would be better than "Disabled" in this case. The help text doesn't give details about "Disabled" so I just expected it to be ... disabled.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: Greelan on April 27, 2021, 03:01:52 pm
Fair enough too :)

The official docs also don't explain "Disabled". What I suspect it means and does is that manual RA configuration is disabled, leaving the configuration to whatever the default setting is (which I assume is SLAAC, given your experience).
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: Maurice on April 27, 2021, 07:29:12 pm
Disabled is disabled, meaning it shouldn't send any RAs. Can you post /var/etc/radvd.conf with mode "Disabled" and "Router Only"?

What also doesn't make sense to me is that your clients seem to receive RAs from a VLAN which they are not actually connected to. Did I get this correctly? Or are these clients connected to multiple VLANs simultaneously?

Cheers

Maurice
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: blusens on April 27, 2021, 07:55:00 pm
Disabled is disabled, meaning it shouldn't send any RAs. Can you post /var/etc/radvd.conf with mode "Disabled" and "Router Only"?

What also doesn't make sense to me is that your clients seem to receive RAs from a VLAN which they are not actually connected to. Did I get this correctly? Or are these clients connected to multiple VLANs simultaneously?

Cheers

Maurice

Here's the relevant bit with RA "Disabled":

Code:
# Generated config for dhcp6 delegation from wan on opt2
interface vtnet1_vlan68 {
    AdvSendAdvert on;
    AdvLinkMTU 1492;
    AdvManagedFlag on;
    AdvOtherConfigFlag on;
    prefix [IPv6 Prefix]::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    RDNSS [xxx:xxxx] { };
    DNSSL [domain name] { };
};


This is what it looks like in "Router" mode:

Code:
# Generated for DHCPv6 server opt2
interface vtnet1_vlan68 {
    AdvSendAdvert on;
    MinRtrAdvInterval 200;
    MaxRtrAdvInterval 600;
    AdvLinkMTU 1492;
    AdvDefaultPreference medium;
    AdvDefaultLifetime 0;
    prefix [Ipv6 prefix]::/64 {
        DeprecatePrefix on;
        AdvOnLink off;
        AdvAutonomous off;
    };
    RDNSS [xxx:xxx] {
    };
    DNSSL [DOMAIN NAME] {
    };
};

On this VLAN I have only 1 VyOS VM.

And yes, the Windows Hosts are getting RAs (or IPv6 addressing) from an interface to which they're not connected.

(which I assume is SLAAC, given your experience).

Yeah looks like SLAAC. I don't have much experience with IPv6 though I'm learning just now.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: blusens on April 27, 2021, 08:12:21 pm

And yes, the Windows Hosts are getting RAs (or IPv6 addressing) from an interface to which they're not connected.


I wouldn't rule out network misconfiguration here. Basically I've Proxmox Host A (1 x Opnsense VM) -> Switch -> Proxmox Host B (other VMs). It might be that somehow I've indirectly connected the 2 VLANs.

I've enabled router mode again on VLAN D and now I'm getting an IPv6 address from VLAN B.

Update: I'm attaching a netsh query. So, ::7f02:: is the interface it's currently sitting on (LAN). The other 2 are other VLANs where RAs are enabled and not shown ::7f30:: which is currently in Router mode.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: Maurice on April 27, 2021, 11:03:24 pm
It seems you hit two unrelated issues at once:

1. Disabling RAs indeed only works for static interfaces, but not for 'Track' interfaces. If you set the RA mode to 'Disabled' on a 'Track' interface, it does instead get configured with default RA settings (which is 'Assisted'). That's a bug, you might want to open an issue on GitHub. Should be a simple fix.

2. The VLAN mixup issue is most likely unrelated. As you mentioned, could be any kind of network misconfiguration. Switch, Proxmox, ...

Cheers

Maurice
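
An added example, not part of the thread and not OPNsense's own code: a small audit of a radvd.conf that reports, per interface, whether RAs are sent and which prefixes allow SLAAC, so an interface set to "Disabled" that still advertises (the first issue above) shows up. The sample config, the vtnet1_vlan69 interface and the 2001:db8:: prefixes are constructed; radvd's defaults (AdvSendAdvert off, AdvAutonomous on) are applied.

```python
import re

# Constructed sample modelled on the two radvd.conf excerpts in this thread.
# vtnet1_vlan69 and the 2001:db8:: prefixes are made up for the example.
SAMPLE = """
# Generated config for dhcp6 delegation from wan on opt2
interface vtnet1_vlan68 {
    AdvSendAdvert on;
    AdvManagedFlag on;
    prefix 2001:db8:0:68::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
interface vtnet1_vlan69 {
    AdvSendAdvert on;
    AdvDefaultLifetime 0;
    prefix 2001:db8:0:69::/64 {
        AdvOnLink off;
        AdvAutonomous off;
    };
};
"""

def audit_radvd(conf):
    """Map each interface to what its RAs let hosts on that link do."""
    conf = re.sub(r"#.*", "", conf)  # strip comments
    parts = re.split(r"^\s*interface\s+(\S+)\s*\{", conf, flags=re.M)
    report = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        prefixes = re.findall(r"prefix\s+(\S+)\s*\{([^{}]*)\}", body)
        # Interface-level options are what remains once nested blocks are cut.
        flat = re.sub(r"\{[^{}]*\}", "", body)
        top = dict(re.findall(r"^\s*(\w+)\s+(\S+)\s*;", flat, flags=re.M))
        sends = top.get("AdvSendAdvert", "off") == "on"  # radvd default: off
        # AdvAutonomous defaults to on, so only an explicit "off" stops SLAAC.
        slaac = [p for p, opts in prefixes
                 if sends and not re.search(r"AdvAutonomous\s+off\s*;", opts)]
        report[name] = {"sends_ra": sends, "slaac_prefixes": slaac,
                        "default_router": sends
                        and top.get("AdvDefaultLifetime") != "0"}
    return report

def unexpected_slaac(conf, quiet_interfaces):
    """Interfaces meant to be quiet that still advertise a SLAAC prefix."""
    report = audit_radvd(conf)
    return sorted(i for i in quiet_interfaces
                  if report.get(i, {}).get("slaac_prefixes"))

if __name__ == "__main__":
    print(unexpected_slaac(SAMPLE, {"vtnet1_vlan68", "vtnet1_vlan69"}))
```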
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: Napsterbater on April 28, 2021, 01:31:46 am
I have a /56 dynamic prefix allocated from my ISP. I've configured 4 VLANs with Track interface and Manual DHCPv6 and Router advertisements. One of those VLANs (i.e. VLAN D) has both DHCPv6 server and RA disabled. RA is set to Managed on the other interfaces.

Windows Hosts on VLAN A are getting an IPv6 address from their own VLAN (Native VLAN, i.e. VLAN A) but they're also getting an IPv6 address and temporary address from VLAN D. These extra IPv6 addresses are not present in DHCPv6 leases and they're not part of the DHCPv6 range set on the interface. Windows Hosts also have the other interfaces as DNS servers.

Make sure the Windows host and any non VLAN aware host are not on ports that send tagged VLAN traffic, those ports for end devices should ONLY have untagged packets for a single VLAN.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: blusens on April 28, 2021, 12:55:37 pm
I have a /56 dynamic prefix allocated from my ISP. I've configured 4 VLANs with Track interface and Manual DHCPv6 and Router advertisements. One of those VLANs (i.e. VLAN D) has both DHCPv6 server and RA disabled. RA is set to Managed on the other interfaces.

Windows Hosts on VLAN A are getting an IPv6 address from their own VLAN (Native VLAN, i.e. VLAN A) but they're also getting an IPv6 address and temporary address from VLAN D. These extra IPv6 addresses are not present in DHCPv6 leases and they're not part of the DHCPv6 range set on the interface. Windows Hosts also have the other interfaces as DNS servers.

Make sure the Windows host and any non VLAN aware host are not on ports that send tagged VLAN traffic, those ports for end devices should ONLY have untagged packets for a single VLAN.

Yeah, so you were right. My Windows VM was sitting on the default vmbr0 bridge in Proxmox. When I've set VLAN tag 1 in Proxmox or within the Windows VM, I stopped getting IPv6 addresses from the other interfaces. I've tried researching this a bit to understand and ran a wireshark packet capture, but I'm lacking some fundamental networking knowledge that prevents me from understanding.

Is it because RAs are sent over ICMP to all VLANs? Or is it that the RA is sent via tagged VLAN and Windows simply picks up that packet? I saw that there's something called SLAAC snooping that should prevent this behavior.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: vlorentz on May 16, 2021, 01:56:47 pm
I am experiencing the exact same behavior as described by blusens.

I am using several VLANs on the opnsense LAN interface. Two of them have IPv6 assigned by RA (in assisted mode) and DHCPv6 (WAN interface is getting DHCPv6 address from WAN, WAN interface is tracked by the VLANs). My Windows 10 computer is connected directly to a D-link DSG-1210-08P managed switch, which is connected to the LAN of the opnsense router.

On the switch port on which my computer is connected, I observe the following behavior:
1. If VLAN 81 is untagged and VLAN 89 tagged, I get 2 IPv6 in Windows (even after blocking all IPv6 traffic in the opnsense firewall)
2. If VLAN 81 is untagged and VLAN 89 is configured as "not member" (instead of "tagged") in the D-link switch, then I get the right and only the expected IPv6 address.

Is this behavior really the expected behavior? I thought that only the untagged VLAN should be "Understood" by the Windows PC, ignoring all the tagged VLANs. Apparently, my supposition was wrong...
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: marjohn56 on May 16, 2021, 05:04:40 pm
Windows will indeed pick up an address from both the VLANs and parent LAN if there is an advertisement there. The solution if you do not have a managed switch to correctly separate the VLANs is to set the VLAN on the Windows NIC itself. If you cannot see the option to set the VLAN ID in the NIC advanced options then for Realtek NICs there is the Realtek Ethernet Diagnostic Utility, if it's an Intel NIC then there is the equivalent Intel tool Intel Advanced Network (Intel® ANS) VLAN. Of course, if you have correctly configured switches in place then you don't need to use these tools.
Title: Re: IPv6 Windows Hosts getting address from other interfaces
Post by: vlorentz on May 16, 2021, 05:23:35 pm
Thank you marjohn56, for your detailed explanation. Since it is a business laptop on which I do only have very limited rights (no admin), the solution was to add a managed switch and separate it there, properly. Now it is clean, and only a single (untagged) VLAN is set for the port on which my laptop is connected to (no more tagged VLAN in this port anymore). Problem solved "Properly" :-). Thank you.
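
An added example, not from any poster in this thread: a check over captured Ethernet frames that lists Router Advertisements arriving with an 802.1Q tag, which on a port meant for an end device indicates the tagged-VLAN leak discussed above. The frames are constructed in the code for testing (VLAN 89, the MAC addresses and the 2001:db8:: prefixes are sample values) and are never sent.

```python
import ipaddress
import struct

def build_ra(prefix, vlan=None):
    """Constructed test frame: an RA with one /64 prefix option (L and A set)."""
    opt = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    opt += ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address("fe80::1").packed
    ip6 += ipaddress.IPv6Address("ff02::1").packed
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    eth = bytes.fromhex("333300000001" "020000000001") + tag
    return eth + struct.pack("!H", 0x86DD) + ip6 + icmp

def parse_ra(frame):
    """Return (vlan_id or None, [(prefix, slaac_allowed)]), or None if not an RA."""
    if len(frame) < 18:
        return None
    off, vlan = 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:  # 802.1Q tag: 2 bytes TCI, then the real EtherType
        tci, etype = struct.unpack_from("!HH", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    off += 2  # start of the IPv6 header
    if etype != 0x86DD or len(frame) < off + 56:
        return None
    if frame[off + 6] != 58 or frame[off + 40] != 134:  # ICMPv6, type RA
        return None
    off += 56  # skip IPv6 header (40) and fixed RA fields (16)
    prefixes = []
    while off + 2 <= len(frame) and frame[off + 1]:
        otype, olen = frame[off], frame[off + 1] * 8
        if otype == 3 and olen == 32 and off + 32 <= len(frame):
            net = ipaddress.IPv6Network(
                (frame[off + 16:off + 32], frame[off + 2]), strict=False)
            prefixes.append((str(net), bool(frame[off + 3] & 0x40)))
        off += olen
    return vlan, prefixes

def tagged_ras(frames):
    """RAs that reached the capture point still carrying an 802.1Q tag."""
    parsed = [p for p in map(parse_ra, frames) if p]
    return [(vlan, pfx) for vlan, opts in parsed if vlan is not None
            for pfx, _ in opts]

# Constructed capture: one untagged RA and one tagged with VLAN 89.
FRAMES = [build_ra("2001:db8:0:a::"), build_ra("2001:db8:0:d::", vlan=89)]

if __name__ == "__main__":
    print(tagged_ras(FRAMES))
```

Many NIC drivers strip the 802.1Q tag before a host-side capture sees the frame, so frames for this check are best taken from a switch mirror port or the hypervisor bridge.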