[RFC] IPv6 MLD packets erroneously sent out over pppoe0 interface

Started by shadowlaw, May 22, 2025, 10:54:20 AM

I have had this issue for a really long time, and originally created this issue for it. TLDR, IPv6 MLD packets erroneously get sent out on the pppoe interface, whereas they should have been sent out on the local LAN interface. I had kind of given up on it and considered it user error, until another user reported running into the same issue.

So, I took a journey through the FreeBSD kernel, pf, the mpd PPP daemon, and this is what I found:

The kernel correctly sends out the MLD report on the LAN interface. However, OPNsense has a default firewall rule present that forces packets that have a source address of a gateway to also go out over said gateway. By itself this seems totally fine - why would these MLD packets on the LAN have the same source address as the pppoe interface? Well, it turns out that the mpd5 ppp daemon just picks a random interface to determine its own link-local address, and in my case that happened to be the LAN interface. So:

root@opnsense:/tmp # ifconfig vtnet1_vlan100 | grep fe80
        inet6 fe80::9ca3:3dff:fea4:9380%vtnet1_vlan100 prefixlen 64 scopeid 0x12
root@opnsense:/tmp # ifconfig pppoe0 | grep fe80
        inet6 fe80::9ca3:3dff:fea4:9380%pppoe0 prefixlen 64 scopeid 0x18

Both pppoe and vtnet1_vlan100 (the LAN interface) have the same IPv6 link-local address. By itself, that seems fine, too - these are separate links and therefore having the same link-local address doesn't really matter. But, in combination with the firewall rule I mentioned earlier, these MLD packets, which originate from fe80::9ca3:3dff:fea4:9380, now wrongly get sent out over the pppoe0 interface instead.

I found that enabling 'Firewall -> Settings -> Advanced -> Disable automatic rules which force local services to use the assigned interface gateway' removes these rules, and indeed that fixes the issue, both for me and the other user that reported it.

I'm not a network expert so I'm not sure what the real proper fix actually is. My intuition is that it is fine for OPNsense to give out the same LLA to two different interfaces, but if it does, it should not add firewall rules that act on that ambiguity.

Can we reopen the issue I linked to track a solution?
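A quick check for the condition described in the post, added here as an example (not code from the post or from OPNsense): it parses `ifconfig` output and reports any IPv6 link-local address that appears on more than one interface. The sample output and the function names are constructed for the example, using the two addresses quoted above.

```shell
#!/bin/sh
# Added example: find IPv6 link-local addresses shared by several interfaces,
# the situation shown in the post (pppoe0 reusing the LAN interface's LLA).
# SAMPLE_IFCONFIG is constructed from the addresses quoted in the post.

SAMPLE_IFCONFIG='vtnet1_vlan100: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet6 fe80::9ca3:3dff:fea4:9380%vtnet1_vlan100 prefixlen 64 scopeid 0x12
pppoe0: flags=88d1<UP,POINTOPOINT,RUNNING,NOARP,SIMPLEX,MULTICAST> metric 0 mtu 1492
        inet6 fe80::9ca3:3dff:fea4:9380%pppoe0 prefixlen 64 scopeid 0x18
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1'

# find_duplicate_lla: reads ifconfig text on stdin and prints one line per
# link-local address configured on more than one interface:
#   <address> <iface1> <iface2> ...
# Prints nothing when every LLA is unique.
find_duplicate_lla() {
    awk '
        # FreeBSD prints "inet6 fe80::...%iface prefixlen 64 scopeid 0x..";
        # the %zone suffix tells us which interface holds the address.
        $1 == "inet6" && $2 ~ /^fe80:/ {
            split($2, parts, "%")          # parts[1] = address, parts[2] = iface
            ifaces[parts[1]] = ifaces[parts[1]] " " parts[2]
            count[parts[1]]++
        }
        END {
            for (a in count)
                if (count[a] > 1)
                    print a ifaces[a]
        }
    '
}

# check_sample: run the check against the constructed sample output.
# On a live system use:  ifconfig | find_duplicate_lla
check_sample() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | find_duplicate_lla
}

check_sample
```

An empty result means no two interfaces share a link-local address, so the gateway-forcing rule cannot match LAN-originated MLD traffic on that basis.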


Quote from: muchacha_grande on May 22, 2025, 01:47:08 PM
    Hi shadowlaw, could you open an issue on github to report it?

    https://github.com/opnsense/core/issues

I was thinking maybe the admins could reopen the existing one because that already has some context:

https://github.com/opnsense/core/issues/6247

But if that is not possible, I'll happily open a new one.