OPNsense Forum

English Forums => High availability => Topic started by: meschmesch on October 01, 2022, 07:21:05 pm

Title: Ipv6 and Carp
Post by: meschmesch on October 01, 2022, 07:21:05 pm
Hello,
I have a problem understanding IPv6 and CARP and hope for a brief explanation or clarification.

For each interface (LAN etc.) there is a CARP fe80::2:1/64 virtual IP.

Thanks for the feedback!

PS: some time ago we had a discussion about forwarding IPv6 traffic in the case of HA systems. Forwarding to an fe80 address or an fd00 ULA address did not work for me. Instead I had to use the global address of the device (1a02:abcd:...). With the newly introduced "Dynamic IPv6 Host" alias, that makes life so easy. No need for a ULA or any other dynamic host address any more. Thanks for the great job on that!!
Title: Re: Ipv6 and Carp
Post by: bimbar on October 03, 2022, 06:01:40 pm
1) It is possible for any interface not to have a GUA. It's not uncommon to have DHCPv6 only assign prefixes on WAN, and not addresses.
2) IIRC if you configure an internal interface IPv6 address as track interface, it will assign itself a prefix, and also an address out of that prefix.
3) Here is where it gets problematic. In an opnsense CARP cluster, the cluster part is only the floating IP address, so the two firewalls do not in any way talk to each other about what prefix or if any prefix has been allocated by one of the two firewalls.
So usually you would configure both firewalls as DHCPv6 clients, and they would both potentially get their own prefix pool (provided your uplink router assigns one). In that case both would then assign completely different prefixes to their LAN interfaces and also hand those out via SLAAC.
Now if the clients behaved sanely and used the one or the other with the correct source ip addresses, that would be completely fine, but they don't. They tend to sometimes use the prefix of firewall A with the gateway address of firewall B and vice versa. The only solution for me was to disable IPv6 on firewall B.

IMO HA with dynamic prefixes is completely broken, and not even because of some sort of problem with opnsense.
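The failure mode bimbar describes (two firewalls on one LAN, each advertising its own delegated prefix from its own link-local address) is visible in the Router Advertisements on that LAN. The following is an added example, not code from the thread or from OPNsense: it parses ICMPv6 RA messages per RFC 4861 (header plus Prefix Information options) and flags a LAN where more than one sender claims to be a default router, where the sender is not the CARP link-local VIP, or where senders disagree on the prefix set. The assumption that a healthy setup has exactly one sender, the VIP `fe80::2:1`, is this example's own; the packets are constructed inline, and the ICMPv6 checksum is not verified because that needs the IPv6 pseudo-header.

```python
"""Added example: parse ICMPv6 Router Advertisements (RFC 4861) and flag the
HA failure mode described above, where two firewalls on one LAN each advertise
their own delegated prefix. Packets below are constructed, not captured."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option


def build_ra(router_lifetime, prefixes):
    """Build an RA body (checksum left 0) with one Prefix Information option
    per prefix, L and A flags set so hosts run SLAAC on it."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen,
                            0xC0, 86400, 14400, 0)
        opts += net.network_address.packed
    return hdr + opts


def parse_ra(data):
    """Return router lifetime, M flag and the (prefix, autonomous-flag) pairs
    of an RA. The checksum is not verified (needs the IPv6 pseudo-header)."""
    if len(data) < 16 or data[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", data[:16])
    prefixes = []
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:                      # RFC 4861 4.6: must be discarded
            raise ValueError("zero-length option")
        end = off + olen * 8
        if end > len(data):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = data[off + 2], data[off + 3]
            addr = ipaddress.IPv6Address(data[off + 16:off + 32])
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            prefixes.append((str(net), bool(pflags & 0x40)))
        off = end
    return {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
            "prefixes": prefixes}


def check_ha_advertisements(observed, carp_vip):
    """observed: list of (source link-local address, RA bytes) seen on a LAN.
    Assumption of this example (not stated in the thread): in a healthy CARP
    setup exactly one sender, the link-local VIP, advertises itself as default
    router, and all senders agree on the prefix set. Returns problems; [] = ok."""
    routers = {}
    for src, raw in observed:
        routers.setdefault(src, []).append(parse_ra(raw))
    problems = []
    default_routers = sorted(src for src, ras in routers.items()
                             if any(r["router_lifetime"] > 0 for r in ras))
    if len(default_routers) > 1:
        problems.append("multiple default routers: " + ", ".join(default_routers))
    vip = ipaddress.IPv6Address(carp_vip)
    for src in default_routers:
        if ipaddress.IPv6Address(src) != vip:
            problems.append(f"default router {src} is not the CARP VIP {carp_vip}")
    prefix_sets = {src: frozenset(p for ra in ras for p, _ in ra["prefixes"])
                   for src, ras in routers.items()}
    if len(set(prefix_sets.values())) > 1:
        problems.append("routers advertise different prefixes: " + "; ".join(
            f"{s}={sorted(v)}" for s, v in sorted(prefix_sets.items())))
    return problems


# Constructed samples. BROKEN is the situation in the post: each node got its
# own delegated prefix and advertises it from its own link-local address.
BROKEN = [
    ("fe80::1", build_ra(1800, ["2001:db8:a::/64"])),
    ("fe80::2", build_ra(1800, ["2001:db8:b::/64"])),
]
# HEALTHY: only the CARP master sends, from the VIP, with one static prefix.
HEALTHY = [("fe80::2:1", build_ra(1800, ["2001:db8:1::/64"]))]

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("healthy", HEALTHY)):
        print(name, check_ha_advertisements(sample, "fe80::2:1") or "OK")
```

To use it on a real LAN, feed it the source address and ICMPv6 payload of each RA you capture (for instance from a packet capture filtered on ICMPv6 type 134); the parser only looks at the RA body, so any capture tool that hands you the ICMPv6 bytes will do.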
Title: Re: Ipv6 and Carp
Post by: Patrick M. Hausen on October 03, 2022, 06:19:12 pm
HA with dynamic addresses and/or prefixes? Who would ever come up with an idea like that?

HA is for enterprise environments. Enterprises have static address space.
Title: Re: Ipv6 and Carp
Post by: meschmesch on October 04, 2022, 01:05:25 pm
Quote
HA with dynamic addresses and/or prefixes? Who would ever come up with an idea like that?

Good question. I have a spare firewall which sits around doing nothing. By using this spare firewall as backup in a HA setup it's easy to play around with opnsense on the backup without messing up the normal provision of services in the operation of the main firewall. Another advantage is that I always have a backup system available without doing virtually anything. No manual backups (which nevertheless I do from time to time), nothing. As I said, the firewall anyhow just sits around here, so why not give it a purpose?
Title: Re: Ipv6 and Carp
Post by: Patrick M. Hausen on October 04, 2022, 03:21:45 pm
I might have been a bit snarky - sorry for that. But these protocols and mechanisms were clearly designed with static addressing in mind. For IPv4 CARP HA you need three addresses in the same prefix. And if you want the upstream router to be redundant, too, another three for the router pair. That makes a static /29 as the smallest prefix that makes sense.

BTW: the IPv6 code has been changed some time in the last year to support a link local CARP address. Both nodes need to be in the same /64, but you get perfectly well working failover etc. with link local as the default gateway in that network. Which is the standard setup for most people, anyway - link local as gateway.
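The address plan implied by the post above, worked out with Python's ipaddress module as an added example (not from the thread or from OPNsense): two CARP pairs, each needing a VIP plus one address per node in the same IPv4 prefix, so a /29 is the smallest that fits; and for IPv6, both nodes inside one /64 with a link-local CARP VIP as the gateway. The documentation prefixes, the split into a "router pair" and a "firewall pair", and the choice of the first /64 address as the GUA VIP are this example's own assumptions.

```python
"""Added example: HA address plan for a CARP firewall pair behind a redundant
upstream router pair. Prefixes are documentation ranges, chosen here."""
import ipaddress


def plan_ipv4(prefix):
    """Two CARP pairs (upstream routers, firewalls) each need a VIP plus one
    address per node in the same prefix: six usable addresses, hence /29."""
    net = ipaddress.IPv4Network(prefix)
    hosts = list(net.hosts())
    if len(hosts) < 6:
        raise ValueError(f"{prefix}: {len(hosts)} usable addresses, need 6")
    names = ["router_vip", "router_a", "router_b", "fw_vip", "fw_a", "fw_b"]
    return {n: str(h) for n, h in zip(names, hosts)}


def plan_ipv6(lan_prefix, node_a, node_b, ll_vip="fe80::2:1"):
    """Both nodes carry a GUA inside one /64; hosts use the link-local CARP
    VIP as default gateway. The GUA VIP (first address of the /64, an
    assumption of this example) is for services that must follow the master."""
    net = ipaddress.IPv6Network(lan_prefix)
    if net.prefixlen != 64:
        raise ValueError(f"{lan_prefix}: SLAAC needs a /64")
    vip = ipaddress.IPv6Address(ll_vip)
    if not vip.is_link_local:
        raise ValueError(f"{ll_vip} is not link-local")
    gua_vip = net[1]
    seen = {gua_vip}
    for name, a in (("node_a", node_a), ("node_b", node_b)):
        addr = ipaddress.IPv6Address(a)
        if addr not in net:
            raise ValueError(f"{name} {a} is outside {lan_prefix}")
        if addr in seen:
            raise ValueError(f"{name} {a} collides with another address")
        seen.add(addr)
    return {"gateway": str(vip), "gua_vip": str(gua_vip),
            "node_a": node_a, "node_b": node_b}


if __name__ == "__main__":
    print(plan_ipv4("192.0.2.0/29"))
    print(plan_ipv6("2001:db8:1::/64", "2001:db8:1::2", "2001:db8:1::3"))
```

Because link-local scope is per interface, the same `fe80::2:1` VIP can be reused on every LAN of the pair, which matches the first post's "for each interface" remark; only the /64 and the two node GUAs change per interface.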
Title: Re: Ipv6 and Carp
Post by: meschmesch on October 04, 2022, 04:29:01 pm
...no problem, all fine  :)

Quote
Both nodes need to be in the same /64, but you get perfectly well working failover etc.
Is this to be realized via a virtual ULA (fd00:...) or via a real GUA (2a02:...) for each node?
Title: Re: Ipv6 and Carp
Post by: Patrick M. Hausen on October 04, 2022, 04:45:16 pm
I have only ever used GUA. While ULAs should theoretically work, the geniuses designing the "happy eyeballs" algorithm decided that ULA only means "no IPv6 connectivity at all". At least for macOS that is the case. You need a GUA prefix.