Issue with radvd

Started by bringha, December 06, 2015, 10:50:35 PM

Hello all

Recently I noticed that my DMZ clients get advertised TWO IPv6 addresses by Router Advertisement.

My /var/etc/radvd.conf contains:

# Automatically Generated, do not edit
# Generated config for dhcp6 delegation from wan on lan
interface xn0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 0;
        AdvOtherConfigFlag on;
                prefix 2003:xx:yyyy:7bf0::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2001:470:20::2 { };
        DNSSL zuhause.xx { };
};
# Generated config for dhcp6 delegation from wan on opt1
interface xn2 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 0;
        AdvOtherConfigFlag on;
                prefix 2003:xx:yyyy:7bf2::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2001:470:20::2 { };
        DNSSL zuhause.xx { };
};
# Generated config for dhcp6 delegation from wan on opt2
interface xn3 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        AdvLinkMTU 0;
        AdvOtherConfigFlag on;
                prefix 2003:xx:yyyy:7bf1::/64 {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS 2001:470:20::2 { };
        DNSSL zuhause.xx { };
};


xn0 is my LAN interface, xn3 my DMZ. But what happens on interface xn3, as documented by radvdump, is:


[Dec 06 20:29:41] radvdump: recvmsg len=104
[Dec 06 20:29:41] radvdump: receiver if_index: 8
#
# radvd configuration generated by radvdump 1.15
# based on Router Advertisement from fe80::1:1
# received by interface xn3
#

interface xn3
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 30;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;

        prefix 2003:xx:yyyy:7bf1::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        }; # End of prefix definition


        RDNSS 2001:470:20::2
        {
                AdvRDNSSLifetime 10;
        }; # End of RDNSS definition


        DNSSL zuhause.xx
        {
                AdvDNSSLLifetime 10;
        }; # End of DNSSL definition

}; # End of interface definition

(...)

[Dec 06 20:29:46] radvdump: recvmsg len=104
[Dec 06 20:29:46] radvdump: receiver if_index: 8
#
# radvd configuration generated by radvdump 1.15
# based on Router Advertisement from fe80::1:1
# received by interface xn3
#

interface xn3
{
        AdvSendAdvert on;
        # Note: {Min,Max}RtrAdvInterval cannot be obtained with radvdump
        AdvManagedFlag off;
        AdvOtherConfigFlag on;
        AdvReachableTime 0;
        AdvRetransTimer 0;
        AdvCurHopLimit 64;
        AdvDefaultLifetime 30;
        AdvHomeAgentFlag off;
        AdvDefaultPreference medium;
        AdvSourceLLAddress on;

        prefix 2003:xx:yyyy:7bf1::/64
        {
                AdvValidLifetime 86400;
                AdvPreferredLifetime 14400;
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
        }; # End of prefix definition


        RDNSS 2001:470:20::2
        {
                AdvRDNSSLifetime 10;
        }; # End of RDNSS definition


        DNSSL zuhause.xx
        {
                AdvDNSSLLifetime 10;
        }; # End of DNSSL definition

The result is that my DMZ now has TWO global IPv6 addresses: one of the LAN and one of the DMZ, which is not desired.

What could trigger/cause radvd to do 'more' than configured? There is no DHCPv6 server running; the prefix is obtained from my Fritzbox with a DHCPv6 client as suggested.

Br br

December 12, 2015, 04:48:14 PM #1 Last Edit: December 12, 2015, 04:57:02 PM by bringha
Dear all

... still have not solved the issue: after tracing the DMZ network I can see that OPNsense sends router advertisement ICMP packets:


16:16:55.715445 00:17:3e:be:a2:1b > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
  prefix info option (3), length 32 (4): xxxx:yy:zzz:7bf1::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
    0x0000:  40e0 0001 5180 0000 3840 0000 0000 xxxx
    0x0010:  00yy zzzz 7bf1 0000 0000 0000 0000
  rdnss option (25), length 24 (3):  lifetime 10s, addr: 2001:470:20::2
    0x0000:  0000 0000 000a 2001 0470 0020 0000 0000
    0x0010:  0000 0000 0002
  dnssl option (31), length 24 (3):  lifetime 10s, domain(s): zuhause.xx.
    0x0000:  0000 0000 000a 077a 7568 6175 7365 0278
    0x0010:  7800 0000 0000
  source link-address option (1), length 8 (1): 00:17:3e:be:a2:1b
    0x0000:  0017 3ebe a21b
16:16:58.753703 00:17:3e:be:a2:1a > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
hop limit 64, Flags [other stateful], pref medium, router lifetime 30s, reachable time 0s, retrans time 0s
  prefix info option (3), length 32 (4): xxxx:yy:zzzz:7bf0::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
    0x0000:  40e0 0001 5180 0000 3840 0000 0000 xxxx
    0x0010:  00yy zzzz 7bf0 0000 0000 0000 0000
  rdnss option (25), length 24 (3):  lifetime 10s, addr: 2001:470:20::2
    0x0000:  0000 0000 000a 2001 0470 0020 0000 0000
    0x0010:  0000 0000 0002
  dnssl option (31), length 24 (3):  lifetime 10s, domain(s): zuhause.xx.
    0x0000:  0000 0000 000a 077a 7568 6175 7365 0278
    0x0010:  7800 0000 0000
  source link-address option (1), length 8 (1): 00:17:3e:be:a2:1a
    0x0000:  0017 3ebe a21a

According to my understanding, the second packet is also sent by OPNsense, although it SHOULD NOT send the prefix of the LAN to the DMZ. Or do I have a misunderstanding here?

Who else except radvd may send RA ICMPv6 packets?

Looking forward to your reply

Br br
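
The comparison done by eye on the trace above can be automated. The following is an added example (not part of the original posts and not OPNsense code) that parses router advertisement lines in the tcpdump format shown above and flags prefixes not assigned to the captured segment, plus any link-local source address used by more than one MAC. The capture text, MAC addresses and 2001:db8 prefixes are constructed placeholders, and `parse_ras` and `audit` are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump output above, trimmed to the lines
# the parser uses; MACs and 2001:db8::/32 prefixes are placeholders, not real values.
SAMPLE = """\
16:16:55.715445 02:00:00:00:00:1b > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
  prefix info option (3), length 32 (4): 2001:db8:0:7bf1::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
16:16:58.753703 02:00:00:00:00:1a > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 158: (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::1:1 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
  prefix info option (3), length 32 (4): 2001:db8:0:7bf0::/64, Flags [onlink, auto, router], valid time 86400s, pref. time 14400s
"""

# Header line: timestamp, source MAC, ..., source IPv6 > destination, "router advertisement"
RA_HEADER = re.compile(
    r"^\S+ (?P<mac>[0-9a-f:]{17}) > .* (?P<src>[0-9a-f:]+) > \S+ "
    r".*router advertisement", re.I)
PREFIX_OPT = re.compile(r"prefix info option \(3\).*?: (?P<prefix>[0-9a-f:]+/\d+)", re.I)

def parse_ras(text):
    """Return one (src_mac, src_ip, [prefixes]) tuple per RA found in the capture text."""
    ras = []
    for line in text.splitlines():
        m = RA_HEADER.match(line)
        if m:
            ras.append((m["mac"].lower(), m["src"], []))
            continue
        p = PREFIX_OPT.search(line)
        if p and ras:  # option lines belong to the most recent RA header
            ras[-1][2].append(ipaddress.ip_network(p["prefix"]))
    return ras

def audit(ras, expected_prefixes):
    """Flag prefixes not assigned to this segment and source addresses shared by several MACs."""
    expected = {ipaddress.ip_network(p) for p in expected_prefixes}
    findings, macs_by_src = [], defaultdict(set)
    for mac, src, prefixes in ras:
        macs_by_src[src].add(mac)
        findings += [("unexpected-prefix", mac, str(p)) for p in prefixes if p not in expected]
    for src, macs in macs_by_src.items():
        if len(macs) > 1:
            findings.append(("shared-source", src, ",".join(sorted(macs))))
    return findings

if __name__ == "__main__":
    # Assumption: only the 7bf1 /64 is supposed to be advertised on the captured segment.
    print(audit(parse_ras(SAMPLE), ["2001:db8:0:7bf1::/64"]))
```

The source MAC in an `unexpected-prefix` finding identifies which interface emitted the advertisement, which is the detail that separates a misbehaving radvd from a second sender on the link.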

Hi Br br,

I've filed a bug report here: https://github.com/opnsense/core/issues/636

Can't say much more at this point, we'll look into this for sure. :)


Cheers,
Franco