OPNsense Forum
Archive => 15.7 Legacy Series => Topic started by: bringha on December 06, 2015, 10:50:35 pm
-
Hello all,
Recently I noticed that my DMZ clients get advertised TWO IPv6 addresses by Router Advertisement.
My /var/etc/radvd.conf contains:
# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface xn0 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 0;
AdvOtherConfigFlag on;
prefix 2003:xx:yyyy:7bf0::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2001:470:20::2 { };
DNSSL zuhause.xx { };
};
# Generated config for dhcp6 delegation from wan on opt1
interface xn2 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 0;
AdvOtherConfigFlag on;
prefix 2003:xx:yyyy:7bf2::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2001:470:20::2 { };
DNSSL zuhause.xx { };
};
# Generated config for dhcp6 delegation from wan on opt2
interface xn3 {
AdvSendAdvert on;
MinRtrAdvInterval 3;
MaxRtrAdvInterval 10;
AdvLinkMTU 0;
AdvOtherConfigFlag on;
prefix 2003:xx:yyyy:7bf1::/64 {
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
};
RDNSS 2001:470:20::2 { };
DNSSL zuhause.xx { };
};
xn0 is my LAN interface, xn3 my DMZ. But what happens on interface xn3, as documented by radvdump, is:
[Dec 06 20:29:41] radvdump: recvmsg len=104
[Dec 06 20:29:41] radvdump: receiver if_index: 8
#
# radvd configuration generated by radvdump 1.15
# based on Router Advertisement from fe80::1:1
# received by interface xn3
#
interface xn3
{
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag off;
AdvOtherConfigFlag on;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 30;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvSourceLLAddress on;
prefix 2003:xx:yyyy:7bf1::/64
{
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
}; # End of prefix definition
RDNSS 2001:470:20::2
{
AdvRDNSSLifetime 10;
}; # End of RDNSS definition
DNSSL zuhause.xx
{
AdvDNSSLLifetime 10;
}; # End of DNSSL definition
}; # End of interface definition
(...)
[Dec 06 20:29:46] radvdump: recvmsg len=104
[Dec 06 20:29:46] radvdump: receiver if_index: 8
#
# radvd configuration generated by radvdump 1.15
# based on Router Advertisement from fe80::1:1
# received by interface xn3
#
interface xn3
{
AdvSendAdvert on;
# Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
AdvManagedFlag off;
AdvOtherConfigFlag on;
AdvReachableTime 0;
AdvRetransTimer 0;
AdvCurHopLimit 64;
AdvDefaultLifetime 30;
AdvHomeAgentFlag off;
AdvDefaultPreference medium;
AdvSourceLLAddress on;
prefix 2003:xx:yyyy:7bf1::/64
{
AdvValidLifetime 86400;
AdvPreferredLifetime 14400;
AdvOnLink on;
AdvAutonomous on;
AdvRouterAddr on;
}; # End of prefix definition
RDNSS 2001:470:20::2
{
AdvRDNSSLifetime 10;
}; # End of RDNSS definition
DNSSL zuhause.xx
{
AdvDNSSLLifetime 10;
}; # End of DNSSL definition
This results in my DMZ now having TWO global IPv6 addresses: one from the LAN and one from the DMZ, which is not desired.
What could trigger/cause radvd to do 'more' than configured? There is no DHCPv6 server running; the prefix is obtained from my FritzBox with a DHCPv6 client, as suggested.
Br br
-
Dear all
... still have not solved the issue: after tracing the DMZ network I can see that OPNsense sends router advertisement ICMPv6 packets:
16:16:55.715445 00:17:3e:be:a2:1b > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
prefix info option (3), length 32 (4): xxxx:yy:zzz:7bf1::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
0x0000: 40e0 0001 5180 0000 3840 0000 0000 xxxx
0x0010: 00yy zzzz 7bf1 0000 0000 0000 0000
rdnss option (25), length 24 (3): lifetime 10s, addr: 2001:470:20::2
0x0000: 0000 0000 000a 2001 0470 0020 0000 0000
0x0010: 0000 0000 0002
dnssl option (31), length 24 (3): lifetime 10s, domain(s): zuhause.xx.
0x0000: 0000 0000 000a 077a 7568 6175 7365 0278
0x0010: 7800 0000 0000
source link-address option (1), length 8 (1): 00:17:3e:be:a2:1b
0x0000: 0017 3ebe a21b
16:16:58.753703 00:17:3e:be:a2:1a > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
prefix info option (3), length 32 (4): xxxx:yy:zzzz:7bf0::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
0x0000: 40e0 0001 5180 0000 3840 0000 0000 xxxx
0x0010: 00yy zzzz 7bf0 0000 0000 0000 0000
rdnss option (25), length 24 (3): lifetime 10s, addr: 2001:470:20::2
0x0000: 0000 0000 000a 2001 0470 0020 0000 0000
0x0010: 0000 0000 0002
dnssl option (31), length 24 (3): lifetime 10s, domain(s): zuhause.xx.
0x0000: 0000 0000 000a 077a 7568 6175 7365 0278
0x0010: 7800 0000 0000
source link-address option (1), length 8 (1): 00:17:3e:be:a2:1a
0x0000: 0017 3ebe a21a
According to my understanding, the second packet is also sent by OPNsense, although it SHOULD NOT send the prefix of the LAN to the DMZ. Or do I have a misunderstanding here?
Who else except radvd may send RA ICMPv6 packets?
Looking forward to your reply
Br br
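The check the poster performs by hand above (compare the prefixes radvd is configured to announce on an interface against the prefixes actually seen in RAs on that segment) can be automated. The following is an added example, not code from the thread or from OPNsense; it uses constructed samples with documentation prefixes (2001:db8::/32) in place of the poster's real ones, and parses the same radvd.conf stanza layout and tcpdump -v line format shown in the posts.

```python
import re

# Constructed sample (not the poster's data): radvd.conf stanzas in the layout
# OPNsense generates, with documentation prefixes instead of the real ones.
RADVD_CONF = """\
interface xn0 {
    prefix 2001:db8:0:7bf0::/64 {
    };
};
interface xn3 {
    prefix 2001:db8:0:7bf1::/64 {
    };
};
"""

# Constructed sample of tcpdump -v output on the DMZ segment: two RAs from the
# same link-local source but different source MACs, one carrying the LAN prefix.
CAPTURE = """\
16:16:55.715445 00:17:3e:be:a2:1b > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: fe80::1:1 > ff02::1: ICMP6, router advertisement, length 104
    prefix info option (3), length 32 (4): 2001:db8:0:7bf1::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
16:16:58.753703 00:17:3e:be:a2:1a > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: fe80::1:1 > ff02::1: ICMP6, router advertisement, length 104
    prefix info option (3), length 32 (4): 2001:db8:0:7bf0::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
"""

def expected_prefixes(conf):
    """Map each radvd interface stanza to the set of prefixes it announces."""
    table, iface = {}, None
    for line in conf.splitlines():
        if m := re.match(r"\s*interface\s+(\S+)\s*\{", line):
            iface = m.group(1)
        elif (m := re.match(r"\s*prefix\s+(\S+)\s*\{", line)) and iface:
            table.setdefault(iface, set()).add(m.group(1))
    return table

def parse_ras(capture):
    """Return (source MAC, prefix) for each prefix option in a tcpdump -v RA dump."""
    mac, out = None, []
    for line in capture.splitlines():
        if m := re.match(r"\S+\s+([0-9a-f:]{17}) > .*router advertisement", line):
            mac = m.group(1)          # remember which frame the options belong to
        elif (m := re.search(r"prefix info option.*?:\s*(\S+/\d+),", line)) and mac:
            out.append((mac, m.group(1)))
    return out

def rogue_ras(capture, conf, iface):
    """RAs seen on iface whose prefix radvd was not configured to send there."""
    allowed = expected_prefixes(conf).get(iface, set())
    return [ra for ra in parse_ras(capture) if ra[1] not in allowed]
```

Running rogue_ras(CAPTURE, RADVD_CONF, "xn3") flags the second RA (source MAC ...a2:1a, LAN prefix) as not belonging on the DMZ, which is exactly the condition the thread describes.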
-
Hi Br br,
I've filed a bug report here: https://github.com/opnsense/core/issues/636
Can't say much more at this point, we'll look into this for sure. :)
Cheers,
Franco