IPv6 and CARP

Started by meschmesch, October 01, 2022, 07:21:05 PM

Hello,
I have a problem understanding IPv6 and CARP and hope for a brief explanation or clarification.

For each interface (LAN etc.) there is a CARP fe80::2:1/64 virtual IP.

  • Question 1) For the WAN, is it also possible to have such an fe80 virtual IP, or is it inevitable to have a global IPv6 address for CARP (e.g. 1a02:800b:d12f:fe20::100/64)?
  • Question 2) I know that the local IPv6 address of the interface itself (Interfaces->LAN) can be a global IPv6 address. However, is it also possible for it to be an IP "self-assigned" by the interface via the IPv6 Configuration Type "Track Interface" (WAN)?
  • Question 3) In case the answer to 2) is positive, i.e. track interface is possible, should the IPv6 Prefix ID be different for the same interface on the master node and the backup node?

Thanks for the feedback!

PS: Some time ago we had a discussion about forwarding IPv6 traffic in the case of HA systems. Forwarding to an fe80 address or an fd00 ULA address did not work for me. Instead I had to use the global address of the device (1a02:abcd:...). With the newly introduced alias feature "Dynamic IPv6 Host" that makes life so easy. No need for a ULA or any other dynamic host address any more. Thanks for the great job on that!!

1) It is possible for any interface not to have a GUA. It's not uncommon to have DHCPv6 only assign prefixes on WAN, and not addresses.
2) IIRC if you configure an internal interface IPv6 address as track interface, it will assign itself a prefix, and also an address out of that prefix.
3) Here is where it gets problematic. In an OPNsense CARP cluster, the cluster part is only the floating IP address, so the two firewalls do not in any way talk to each other about what prefix, or whether any prefix, has been allocated to one of the two firewalls.
So usually you would configure both firewalls as DHCPv6 clients, and they both would potentially get their own prefix pool (provided your uplink router assigns one). In that case both would then assign completely different prefixes to their LAN interfaces and also hand those out via SLAAC.
Now if the clients behaved sanely and used the one or the other with the correct source IP addresses, that would be completely fine, but they don't. They tend to sometimes use the prefix of firewall A with the gateway address of firewall B and vice versa. The only solution for me was to disable IPv6 on firewall B.

IMO HA with dynamic prefixes is completely broken, and not even because of some sort of problem with opnsense.
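The mixed-prefix behaviour this reply describes, as an added simulation that is not part of the original post and not OPNsense code: two routers each advertise their own /64 in RAs, and a SLAAC host picks its default router and its source address independently. The router link-local addresses, the 2001:db8:... prefixes and the interface identifier are constructed. "Rule 5.5" refers to the optional RFC 6724 source-selection rule that prefers an address from a prefix advertised by the chosen next-hop; a client that implemented it would avoid the mismatch, and the third run models the poster's workaround of having only one node send RAs.

```python
"""Simulate a dual-router SLAAC segment where the two routers advertise different prefixes.

Constructed example: not OPNsense code. The addresses are documentation prefixes and
the host's source-address tie-break is a deliberate simplification (see Host.select).
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RouterAdvertisement:
    """One ICMPv6 RA reduced to the fields that matter here (constructed)."""
    router_ll: str        # link-local source of the RA, i.e. the default-gateway candidate
    prefix: str           # prefix information option with the autonomous (A) flag set
    router_lifetime: int  # seconds; 0 means "do not use me as a default router"


@dataclass
class Host:
    """Minimal SLAAC host that remembers which router advertised each of its prefixes."""
    iid: str  # 64-bit interface identifier written as an IPv6 suffix (constructed)
    addresses: dict = field(default_factory=dict)        # IPv6Address -> router_ll
    default_routers: list = field(default_factory=list)  # in the order the RAs arrived

    def process_ra(self, ra: RouterAdvertisement) -> None:
        net = ipaddress.IPv6Network(ra.prefix)
        # SLAAC: advertised prefix OR interface identifier
        addr = ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv6Address(self.iid)))
        self.addresses[addr] = ra.router_ll
        if ra.router_lifetime > 0 and ra.router_ll not in self.default_routers:
            self.default_routers.append(ra.router_ll)

    def select(self, prefer_next_hop_prefix: bool):
        """Return (gateway, source) for an off-link destination.

        Gateway: the first default router learned (RFC 4861 lets a host use any
        reachable one). Source: the numerically lowest GUA, a simplified stand-in
        for the implementation-specific tie-break a stack without RFC 6724 rule
        5.5 ends up with. With rule 5.5 the candidates are first narrowed to the
        prefixes advertised by the chosen next-hop.
        """
        gateway = self.default_routers[0]
        candidates = sorted(self.addresses)
        if prefer_next_hop_prefix:
            narrowed = [a for a in candidates if self.addresses[a] == gateway]
            candidates = narrowed or candidates
        return gateway, candidates[0]


def simulate(ras, prefer_next_hop_prefix: bool):
    """Feed the RAs to a fresh host and report (gateway, source, consistent).

    `consistent` is True when the source address comes from the prefix the chosen
    gateway advertised; False is the "prefix of A via gateway of B" case.
    """
    host = Host(iid="::1234:5678:9abc:def0")
    for ra in ras:
        host.process_ra(ra)
    gateway, src = host.select(prefer_next_hop_prefix)
    return str(gateway), str(src), host.addresses[src] == gateway


# Constructed topology: two firewall nodes, each with its own delegated prefix.
RA_FROM_A = RouterAdvertisement("fe80::a", "2001:db8:aaaa::/64", 1800)
RA_FROM_B = RouterAdvertisement("fe80::b", "2001:db8:bbbb::/64", 1800)

if __name__ == "__main__":
    print("B's RA first, no rule 5.5:", simulate([RA_FROM_B, RA_FROM_A], False))
    print("B's RA first, rule 5.5:   ", simulate([RA_FROM_B, RA_FROM_A], True))
    print("IPv6 disabled on B:       ", simulate([RA_FROM_A], False))
```

The first run is the failure the reply describes: gateway fe80::b with a source out of A's prefix, which B's upstream will not accept or route back. The second shows the same RAs on a client that honours rule 5.5, and the third shows why switching off RAs on one node removes the problem, at the price of losing IPv6 when that node fails.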

HA with dynamic addresses and/or prefixes? Who would ever come up with an idea like that?

HA is for enterprise environments. Enterprises have static address space.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote: HA with dynamic addresses and/or prefixes? Who would ever come up with an idea like that?

Good question. I have a spare firewall which sits around doing nothing. By using this spare firewall as the backup in a HA setup it's easy to play around with OPNsense on the backup without messing up the normal provision of services on the main firewall. Another advantage is that I always have a backup system available without doing virtually anything. No manual backups (which nevertheless I do from time to time), nothing. As I said, the firewall just sits around here anyway, so why not give it a purpose?

I might have been a bit snarky - sorry for that. But these protocols and mechanisms were clearly designed with static addressing in mind. For IPv4 CARP HA you need three addresses in the same prefix. And if you want the upstream router to be redundant, too, another three for the router pair. That makes a static /29 as the smallest prefix that makes sense.

BTW: the IPv6 code has been changed some time in the last year to support a link local CARP address. Both nodes need to be in the same /64, but you get perfectly well working failover etc. with link local as the default gateway in that network. Which is the standard setup for most people, anyway - link local as gateway.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
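The sizing argument in this reply (three addresses per CARP group, hence a /29 once the upstream router pair is redundant too) and its note that a link-local CARP address needs both nodes in the same /64, as an added sanity check that is not OPNsense code: the first function computes the smallest IPv4 prefix that holds a given number of CARP groups, the second checks one group's VIP and node addresses against the prefix they are meant to share. The 192.0.2.0/29 and fe80:: addresses used at the bottom are constructed.

```python
"""Address-plan checks for a CARP pair (added example, not OPNsense code)."""
import ipaddress

ADDRS_PER_CARP_GROUP = 3  # one VIP plus a real address on each of the two nodes


def min_ipv4_prefix_len(groups: int) -> int:
    """Smallest IPv4 prefix length whose usable host count (size minus network and
    broadcast) fits `groups` CARP groups of three addresses each.

    One firewall pair already needs a /29: a /30 has only two usable addresses.
    """
    needed = ADDRS_PER_CARP_GROUP * groups
    for plen in range(32, -1, -1):
        if 2 ** (32 - plen) - 2 >= needed:
            return plen
    raise ValueError("does not fit in IPv4")


def check_carp_group(vip: str, node_a: str, node_b: str, prefix: str) -> list:
    """Return the problems found with one CARP group; an empty list means it is sane.

    Checks: three distinct addresses, all inside `prefix` (and not the IPv4
    network/broadcast address), and, when the VIP is link-local IPv6, that the
    node addresses are link-local too and the shared prefix is a /64.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    addrs = [ipaddress.ip_address(a) for a in (vip, node_a, node_b)]
    problems = []
    if len(set(addrs)) != 3:
        problems.append("VIP and node addresses must be distinct")
    if any(a.version != net.version for a in addrs):
        problems.append("address family mismatch with prefix")
        return problems
    for a in addrs:
        if a not in net:
            problems.append(f"{a} not in {net}")
        elif net.version == 4 and a in (net.network_address, net.broadcast_address):
            problems.append(f"{a} is the network or broadcast address")
    if net.version == 6 and addrs[0].is_link_local:
        if not all(a.is_link_local for a in addrs):
            problems.append("link-local VIP but a node address is not link-local")
        if net.prefixlen != 64:
            problems.append("link-local CARP group must live in a /64")
    return problems


if __name__ == "__main__":
    for groups in (1, 2, 3):
        print(f"{groups} CARP group(s): /{min_ipv4_prefix_len(groups)}")
    # Constructed plan: firewall pair in the bottom half of a /29, router pair in the top half.
    print(check_carp_group("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.0/29"))
    print(check_carp_group("192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.0/29"))
    # The same firewall triple squeezed into a /30 collides with the broadcast address.
    print(check_carp_group("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.0/30"))
    # Link-local CARP VIP as the RA default gateway, both nodes in fe80::/64.
    print(check_carp_group("fe80::2:1", "fe80::a", "fe80::b", "fe80::/64"))
```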

...no problem, all fine  :)

Quote: Both nodes need to be in the same /64, but you get perfectly well working failover etc.
Is this to be realized via a virtual ULA (fd00:...) or via a real GUA (2a02:...) for each node?

I have only ever used GUA. While ULAs should theoretically work, the geniuses designing the "happy eyeballs" algorithm decided that ULA only means "no IPv6 connectivity at all". At least for Mac OS that is the case. You need a GUA prefix.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)