CARP with IPv6 > Link local default gateway

[tomstephens89]

Hi all,

I have IPv6 deployed and working in a few VLAN's. RA managed mode + DHCPv6.

All works great except for the failover test I just performed to my second OpnSense box.

I am aware that when using dynamic addressing via RA/DHCP, clients typically get a link local gateway advertised to them, rather than the routable address. However on failover, anything using link local as its GW lost IP6 connectivity. Whereas static clients using my CARP v6 VIP for the respective VLAN GW worked fine.

What's the solution for this? I see no way to pass a gateway via DHCPv6 as this isn't how v6 works. But in that case, whats my option?

[Patrick M. Hausen]

Please vote for this issue to be implemented and shipped:
https://github.com/opnsense/core/pull/5185


Patrick

[tomstephens89]

Please vote for this issue to be implemented and shipped:
https://github.com/opnsense/core/pull/5185


Patrick

So what are we saying here? I have noticed setting my CARP VIP in the RA options does nothing. I'd sort of expect RADVD to be started on the master and stopped on slave. However it is started on both.

Should I select the static interface instead, and run both master and slave with different priorities? Which is not CARP at all?

What is the expected behaviour of RADVD currently, when the RA is set to a CARP VIP?

[Patrick M. Hausen]

When you set the RA interface to the VIP, that changes nothing. Both HA nodes announce their own link local address.

This github issue is about fixing the broken behavior and configuring radvd to announce the CARP address.

Unless the measures discussed in this issue are implemented there is simply no way to make it work in OPNsense at the moment. I disabled RA on the backup node. I hope this gets fixed soon.

[tomstephens89]

When you set the RA interface to the VIP, that changes nothing. Both HA nodes announce their own link local address.

This github issue is about fixing the broken behavior and configuring radvd to announce the CARP address.

Unless the measures discussed in this issue are implemented there is simply no way to make it work in OPNsense at the moment. I disabled RA on the backup node. I hope this gets fixed soon.

Thanks for confirming. So, to facilitate auto failover in the event of a master crash. The best way to do this would be disable the sync of RA/DHCPv6 settings under HA. Then run the radvd daemon on both master & slave, with master set as a higher priority?

Clients should discover two default routes, one with a better metric this way? However it won't 'statefully' fail with CARP maintenance mode. The RADVD daemon must be stopped as well on the node in maintenance to force all clients to learn only the surviving route?

How to a vote for your git request?

[Patrick M. Hausen]

Thanks for confirming. So, to facilitate auto failover in the event of a master crash. The best way to do this would be disable the sync of RA/DHCPv6 settings under HA. Then run the radvd daemon on both master & slave, with master set as a higher priority?

At least in my experiments that did not work. The Linux systems we run in that DMZ install both gateways with the same metric. This leads to out of state packets arriving at the "wrong" node and TCP connections being killed.
I thought pfsync should take care of that but at least in our tests it wasn't sufficient.

So I disabled radvd completely on the backup and documented that an operator needs to restore IPv6 in case of a failure of the primary.

See https://forum.opnsense.org/index.php?topic=25158 for my initial discussion of the topic. We really need to get that fixed.

[tomstephens89]

Thanks for confirming. So, to facilitate auto failover in the event of a master crash. The best way to do this would be disable the sync of RA/DHCPv6 settings under HA. Then run the radvd daemon on both master & slave, with master set as a higher priority?

At least in my experiments that did not work. The Linux systems we run in that DMZ install both gateways with the same metric. This leads to out of state packets arriving at the "wrong" node and TCP connections being killed.
I thought pfsync should take care of that but at least in our tests it wasn't sufficient.

So I disabled radvd completely on the backup and documented that an operator needs to restore IPv6 in case of a failure of the primary.

See https://forum.opnsense.org/index.php?topic=25158 for my initial discussion of the topic. We really need to get that fixed.

I have tested and confirmed that I see the same.

The only way this works right now is to keep radvd STOPPED on the BACKUP. A manual note to IT/Network engineers that when failing over, the router advertisement daemon must ONLY be running on the CARP MASTER. Config sync for it can still be left enabled to keep config changes in check, but you just need to ensure radvd is stopped on the backup.

Would be real good if we can specify the source address in radvd.