OPNsense Forum

English Forums => 24.7, 24.10 Legacy Series => Topic started by: crazyducky on August 25, 2024, 09:11:05 PM

Title: Client in VLAN gets 2 public IPv6 addresses
Post by: crazyducky on August 25, 2024, 09:11:05 PM
Hi,
I am using "Track Interface" (from the WAN interface) on my VLAN interface.

A client in my VLAN gets 2 public IPv6 addresses, one from the VLAN (with "Assign prefix ID") and one from my main LAN. Apart from the prefix, they are equal.

As I am facing IPv6 issues right now, I am curious whether this is correct behavior.

- OPNsense 24.7.1
- IPv6 dual stack (Dt. Telekom FTTH)
Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: Patrick M. Hausen on August 25, 2024, 09:12:39 PM
Are you using the same physical interface for the untagged LAN and the VLAN? Don't. Tagged only or untagged only is the recommended way.
Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: dseven on August 25, 2024, 09:58:21 PM
What is "A client in my VLan"?

You're probably running into an unfortunate situation where Windows [network drivers] blindly strip VLAN tags from all incoming frames, and forward them into the network stack, instead of discarding them (when VLAN support is not enabled).

It doesn't really matter how they leave the OPNsense box, but (unless you have a proper VLAN-aware NIC), you want to avoid sending *any* VLAN-tagged traffic to Windows.....
Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: crazyducky on August 25, 2024, 10:03:47 PM
The configuration I am talking about is an LXC inside a Proxmox host. All Linux, Debian-based.

The switch port connected to the host is tagged to this VLAN.

The client is a Debian 12 LXC running on a Proxmox host. The LXC has no VLAN settings applied; the DHCP IPv4 is from the correct VLAN.

The Proxmox host uses IPv4 only, but the Linux bridge should route everything to the physical port.

No client in this Proxmox host is using the untagged LAN.

Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: dseven on August 25, 2024, 10:11:47 PM
I'm not sure what "The switch port connected to the host is tagged to this VLAN." means either - is the switch configured to send that VLAN, and only that VLAN, *untagged* on that port?

If the LXC shows a SLAAC address from a prefix associated with another network, it must have received a Router Advertisement broadcast from that network, somehow....
Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: dseven on August 25, 2024, 10:20:24 PM
This might be interesting: https://forum.proxmox.com/threads/7-x-vlan-leaking-on-bridge.108296/
Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: dseven on August 25, 2024, 10:25:53 PM
Or this, if you're trying to use VLAN 1... https://forum.proxmox.com/threads/vlan-aware-bridges-and-vlan-1.70315/
Title: Re: Client in VLAN gets 2 public IPv6 addresses
Post by: crazyducky on August 25, 2024, 11:16:10 PM
First of all thank you for your inputs.

I changed the port tagging setting in my UniFi switch.
It was previously set to "Allow all VLANs"; now I reduced the allowed VLANs to the few needed and excluded the untagged LAN from this port.

My LXC now gets 1 public IP only (from the desired VLAN prefix).
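
An added example, not part of the forum thread: a Python check for the symptom discussed above, where a guest holds dynamically learned global addresses from more than one prefix because Router Advertisements from another segment reach it. It parses `ip -o -6 addr show` output; the sample lines, interface names and the 2001:db8::/32 and fd12:... prefixes are constructed, and ignoring ULA prefixes is an assumption of this sketch.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ip -o -6 addr show` from inside a container
# (2001:db8::/32 is the documentation prefix; all values are made up).
SAMPLE = r"""
1: lo    inet6 ::1/128 scope host noprefixroute \       valid_lft forever preferred_lft forever
2: eth0@if21    inet6 2001:db8:aa:1:be24:11ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86399sec preferred_lft 14399sec
2: eth0@if21    inet6 2001:db8:aa:1:5c1d:9e02:77aa:10b4/64 scope global temporary dynamic \       valid_lft 86399sec preferred_lft 14399sec
2: eth0@if21    inet6 2001:db8:aa:0:be24:11ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86399sec preferred_lft 14399sec
2: eth0@if21    inet6 fd12:3456:789a:1:be24:11ff:fe12:3456/64 scope global dynamic mngtmpaddr \       valid_lft 86399sec preferred_lft 14399sec
2: eth0@if21    inet6 fe80::be24:11ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
3: eth1@if23    inet6 2001:db8:aa:2:be24:11ff:fe65:4321/64 scope global dynamic mngtmpaddr \       valid_lft 86399sec preferred_lft 14399sec
"""

ULA = ipaddress.ip_network("fc00::/7")  # a ULA next to a public prefix is normal
LINE_RE = re.compile(
    r"^\d+:\s+(?P<ifname>\S+)\s+inet6\s+(?P<addr>\S+)"
    r"\s+scope\s+(?P<scope>\S+)(?P<flags>[^\\]*)"
)


def learned_prefixes(ip_output):
    """Map interface -> non-ULA prefixes of dynamically learned global addresses."""
    found = defaultdict(set)
    for line in ip_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["scope"] != "global" or "dynamic" not in m["flags"].split():
            continue  # skip loopback, link-local and statically configured addresses
        iface = ipaddress.IPv6Interface(m["addr"])
        if iface.ip not in ULA:
            # "eth0@if21" is how ip(8) names a veth end; keep the local name only
            found[m["ifname"].split("@")[0]].add(iface.network)
    return dict(found)


def multi_prefix_interfaces(ip_output):
    """Interfaces whose learned addresses span more than one prefix."""
    return {name: [str(n) for n in sorted(nets)]
            for name, nets in learned_prefixes(ip_output).items() if len(nets) > 1}


if __name__ == "__main__":
    for name, nets in multi_prefix_interfaces(SAMPLE).items():
        print(f"{name}: addresses from {len(nets)} prefixes: {', '.join(nets)}")
```

A hit is only a hint: a network that deliberately advertises several prefixes on one segment produces the same result, so compare the reported prefixes with the prefix IDs assigned on the firewall.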