Messages

1

High availability / Re: [SOLVED] Router advertisements on CARP not advertising IPv6 prefix

« on: April 16, 2024, 05:15:25 pm »

Ok keep in mind to do this on both master and backup and check if your prefix is really static (unless you are sure by contract that it is).

Yeah it's one of those 'you get your prefix and it really should never change, but we cannot promise anything'. So far it has been stable, though.

2

High availability / Re: Router advertisements on CARP not advertising IPv6 prefix

« on: April 16, 2024, 02:36:27 pm »

Thanks a lot, this seems to work!

3

High availability / Re: Router advertisements on CARP not advertising IPv6 prefix

« on: April 16, 2024, 01:00:11 pm »

IMO this only works relatively well with static IPv6 prefix and manual IPv6 assignments on the LAN side.

Thanks! I know how to set static IPv6 assignments on the LAN side, but how can I configure the static IPv6 prefix? Would I need to enable DHCPv6 on the LAN?

4

High availability / [SOLVED] Router advertisements on CARP not advertising IPv6 prefix

« on: April 16, 2024, 12:20:47 pm »

Hi,

I have a CARP setup with a single public IPv4 and a /48 prefix, received over PPPoE. Everything on the v4 side is working well, including failover. On the IPv6 side, I have created a VIP interface using fe80:: as address, and I am advertising that address as the source for router advertisements - as recommend in the CARP IPv6 setup documentation.

My problem however is that only the master will include my IPv6 prefix in the router advertisements; the backup presumably does not announce it, because I only have a single IPv4 address, and so the backup itself does not have an active IPv6 connection (or a prefix), until it takes over as master. This means that IPv6 clients tend to get confused when the last RA is from the backup, since it does not contain any prefix. When the next RA is sent by the master, clients will work correctly again.

Since my prefix is (in theory) static, is there a way to manually configure radvd to just always announce this prefix, regardless of the state of the WAN interface? Or are there better ways of solving this?

5

22.7 Legacy Series / IPv6 MLD listener report sent to wrong interface?

« on: January 15, 2023, 09:08:12 pm »

Hello,

I'm running opnsense virtualized inside proxmox; LAN/WAN are both virtio interfaces, which are each mapped to a bridge in proxmox, and the bridges map to two physical interfaces. My network has several unifi switches, and I have IGMP snooping configured on several VLANs on the internal LAN. This results in one of the switches to send out MLD queries for IPv6, to determine what multicast addresses a host/port is interested in. I confirmed that these multicast queries arrive correctly at the bridge in proxmox, and in turn in the virtio interface in opnsense. This is captured on the vtnet1_vlan100 interface, which corresponds to vlan100 on the LAN:

Code: [Select]

9:47:15.748139 IP6 fe80::f692:bfff:fe81:337c > ff02::1: HBH ICMP6, multicast listener querymax resp delay: 10000 addr: ::, length 24

this interface has IPv6 configured; my ISP gives out a prefix over pppoe, and I use "track interface" with WAN as upstream.

Interestingly, when pppoe is disconnected, everything looks fine, and the mld listener reports are sent back (:9380 is the vtnet1_vlan100 interface) correctly:

Code: [Select]

19:47:18.462474 IP6 fe80::9ca3:3dff:fea4:9380 > ff05::1:3: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff05::1:3, length 24
19:47:19.071261 IP6 fe80::9ca3:3dff:fea4:9380 > ff02::2:ff49:d8be: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::2:ff49:d8be, length 24
19:47:19.271584 IP6 fe80::9ca3:3dff:fea4:9380 > ff02::1:ffa4:9380: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ffa4:9380, length 24
19:47:19.683804 IP6 fe80::9ca3:3dff:fea4:9380 > ff02::2:49d8:bec6: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::2:49d8:bec6, length 24
19:47:22.090143 IP6 fe80::9ca3:3dff:fea4:9380 > ff02::1:2: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:2, length 24

but when I setup a connection to my ISP over pppoe, the queries still arrive on vtnet1_vlan100, but suddenly, the reports go out over the pppoe0 interface, instead of the vtnet1_vlan100 interface.

Code: [Select]

# tcpdump -i pppoe0 | grep -i multi
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pppoe0, link-type NULL (BSD loopback), capture size 262144 bytes
19:54:20.570018 IP6 fe80::9ca3:3dff:fea4:9380 > ff02::2:49d8:bec6: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::2:49d8:bec6, length 24
19:54:21.370026 IP6 fe80::9ca3:3dff:fea4:9380 > ff05::1:3: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff05::1:3, length 24
19:54:21.576229 IP6 fe80::9ca3:3dff:fea4:9380 > ff02::1:ffa4:9380: HBH ICMP6, multicast listener reportmax resp delay: 0 addr: ff02::1:ffa4:9380, length 24
...

I think this probably happens because, as soon as PPPoE is connected, a default route for the pppoe0 interface is added to the routing table, and the MLD report goes over the default route. That seems wrong though - I think the report should at least go back over the interface where it came from (eg, vtnet1_vlan100) in this case.

Anyway, the result of this is that the linux bridge doesn't know that opnsense is interested in the "all routers" multicast address at ff02::2, and so when a client on the LAN sends an IPv6 router solicitation, that doesn't end up at my opnsense box, and things break.

I'm not sure if this is an opnsense problem, a freebsd problem, or user error, but any help would be much appreciated!