IPv6 Router Advertisement 22.x

Started by skywalker, March 03, 2022, 05:57:19 PM

Pre 22.x release it was possible to use a specific virtual IP address (CARP) as source address for router advertisements. Now the only option is "Automatic".

In an HA setup you could use an IPv6 CARP address for router advertisements so clients would use that CARP address as default gateway and routing is fixed to a single node.
Now OPNsense uses the link-local address for advertisement and as such the clients get multiple IPv6 default gateways assigned (one for each HA node).
This can introduce routing issues when the return path of packets differs. Clients may discard packets when the return packet is received from a different IP than the original packet was sent to.

What is the correct way to set up router advertisement in an HA setup with 22.x?

Use a link local address as CARP address? That's what we run in 21.7.8 and it was just introduced rather late in the 21.7 train, so I'd be rather surprised if it was not carried over to 22.1. The explicit goal was to avoid the dual default gateway advertisements. Most IPv6 stacks seem to ignore router priorities, at least Linux does in my environment, so a different solution was needed - and delivered.

I don't have a 22.1 cluster installation with router advertisements, yet - but you might want to try. Create a CARP address of fe80::1 or fe80::<vlan-id> (what we use) and please tell me how that works out. I will have to upgrade my 21.7.8 cluster sooner or later.

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You probably had an IPv4 CARP address selected there which really did not work at least as far as address use in IPv6 goes. The limitation is as stated: you need a link local IPv6 alias (with VHID or without) or a primary CARP link-local address. The whole modelling of these VIP types is a bit arcane and dates back to simpler times when IPv6 wasn't around in the software to begin with.


Cheers,
Franco

Quote from: pmhausen on March 03, 2022, 06:28:46 PM
Create a CARP address of fe80::1 or fe80::<vlan-id> (what we use) and please tell me how that works out. I will have to upgrade my 21.7.8 cluster sooner or later.

Thanks. After creating fe80::1 as a CARP address you can select it as source address for router advertisement and only this address is then assigned to the clients as gateway.

Quote from: franco on March 03, 2022, 08:14:25 PM
You probably had an IPv4 CARP address selected there which really did not work at least as far as address use in IPv6 goes. The limitation is as stated: you need a link local IPv6 alias (with VHID or without) or a primary CARP link-local address. The whole modelling of these VIP types is a bit arcane and dates back to simpler times when IPv6 wasn't around in the software to begin with.

I am pretty sure that I had a globally unique IPv6 address as CARP address (2001:x:x... ) and had that same address selected as source address for router advertisements before.

Thanks for this. I was wondering why I couldn't set my CARP IP as source address, also had to create another one in the fe80:: range and use it.
I don't see why using a CARP VIP in the 2001:... range shouldn't be possible, but it isn't.

> I don't see why using a carp VIP in the 2001:

Because you are implying it's anywhere in the world but it needs to be link-local to function in the same broadcast domain. By design these addresses are not meant to be immutable either.

Normally you don't do CARP IPv4 over the Internet. ;)


Cheers,
Franco
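Two checks follow from this thread: the address picked as RA source has to be link-local (RFC 4861 requires the source of a Router Advertisement to be the sender's link-local address, which is why a 2001:... CARP VIP cannot be selected), and a client that has received RAs from both HA nodes' own link-local addresses ends up with two default routes on the same interface. The script below is an added example, not code from the forum or from OPNsense; it validates a candidate RA source address and parses constructed Linux `ip -6 route show` output (the format is assumed, the addresses are made up) to flag interfaces with more than one RA-learned default gateway.

```python
import ipaddress
from typing import Dict, List

# RFC 4861 section 4.2: an RA's source address is the sender's link-local address.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_valid_ra_source(addr: str) -> bool:
    """True if addr can serve as an RA source, i.e. it is inside fe80::/10.

    A zone id suffix such as '%vlan10' is tolerated and ignored.
    """
    try:
        ip = ipaddress.IPv6Address(addr.split("%", 1)[0])
    except ValueError:
        return False
    return ip in LINK_LOCAL


def default_gateways_by_iface(route_output: str) -> Dict[str, List[str]]:
    """Collect 'default via <gw> dev <iface>' entries from `ip -6 route show` output."""
    gateways: Dict[str, List[str]] = {}
    for line in route_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "default":
            continue
        gw = iface = None
        for i, tok in enumerate(fields[:-1]):
            if tok == "via":
                gw = fields[i + 1]
            elif tok == "dev":
                iface = fields[i + 1]
        if gw and iface:
            gateways.setdefault(iface, []).append(gw)
    return gateways


def ifaces_with_multiple_gateways(route_output: str) -> List[str]:
    """Interfaces that learned more than one default gateway (the HA symptom)."""
    return sorted(
        iface for iface, gws in default_gateways_by_iface(route_output).items()
        if len(gws) > 1
    )


# Constructed sample: both HA nodes advertise with their own link-local address.
ROUTES_BEFORE = """\
default via fe80::a8aa:aaff:fe00:1 dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
default via fe80::a8aa:aaff:fe00:2 dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
2001:db8:10::/64 dev eth0 proto ra metric 1024 expires 86395sec pref medium
"""

# Constructed sample: RAs now sourced from the shared CARP link-local fe80::1.
ROUTES_AFTER = """\
default via fe80::1 dev eth0 proto ra metric 1024 expires 1795sec hoplimit 64 pref medium
2001:db8:10::/64 dev eth0 proto ra metric 1024 expires 86395sec pref medium
"""

if __name__ == "__main__":
    for candidate in ("fe80::1", "fe80::10%vlan10", "2001:db8::1"):
        print(f"{candidate}: {'ok' if is_valid_ra_source(candidate) else 'not link-local'}")
    print("before:", ifaces_with_multiple_gateways(ROUTES_BEFORE))
    print("after: ", ifaces_with_multiple_gateways(ROUTES_AFTER))
```

On a real client, feed the output of `ip -6 route show` into `ifaces_with_multiple_gateways`; an empty result means the clients see a single gateway, which is the state the thread arrives at after moving the RA source to the fe80::1 CARP address.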