Getting IPV6 address and DNS from multiple VLANs?

Started by ajeun, March 04, 2025, 09:54:30 AM

March 04, 2025, 09:54:30 AM Last Edit: March 04, 2025, 10:00:23 AM by ajeun
I am using Comcast and set up my router using VLANs. I am seeing a strange problem with IPv6 connections timing out from my Windows computer. I think the cause is a strange scenario where my computer is getting assigned multiple different IPv6 addresses (6 in my last repro), each one from a different VLAN. Also it gets 3 different DNS servers from different VLANs. If I `ping -6` the DNS server of the VLAN it is on, then it works. But pinging the other VLANs does not work as expected.

Now the question is why it is getting the IPs from all the VLANs? Also note this does not always happen. It usually happens after I restart the router advertisement service, and generally doesn't happen when I disable and re-enable my network connection. Saying generally, because I have seen it happen again in maybe 2 of 30 tries. Also no problems with IPv4 addresses, only IPv6.

Interfaces > [WAN] Config

Generic configuration
IPv6 Configuration Type: DHCPv6

DHCPv6 client configuration
Use VLAN priority: Disabled
Configuration Mode: Basic
Prefix delegation size: 60
Request prefix only: false
Send prefix hint: true
Optional prefix ID: <Blank>
Optional interface ID: <Blank>



There are 8 VLANs using prefixes from 0-7. Config from one of them

Interfaces > [User] Config

Generic configuration
IPv6 Configuration Type: Track Interface

Track IPv6 Interface
Parent Interface: WAN
Assign prefix ID: 5
Optional interface ID: <Blank>
Manual Configuration:
  Allow manual adjustment of DHCPv6 and Router Advertisements: true



Services > ISC DHCPv6 [User] Config

Enable:
  Enable DHCPv6 server on User interface: true
Subnet: 2601:x:x:6a25::
Subnet mask: 64 bits
Available range: 2601:x:x:6a25:: - 2601:x:x:6a25:ffff:ffff:ffff:ffff
Range: ::1:1 to ::1:ffff
Available prefix delegation size: 61 bits
Prefix Delegation Range: <blank>
DNS servers: <blank>
Domain search list: <blank>
Default lease time (seconds): <blank>
Maximum lease time (seconds): <blank>
Response delay (seconds): <blank>
Time format change:
  Change DHCPv6 display lease time from UTC to local time: false



Services > Router Advertisements [User] Config

Router Advertisements: Assisted
Router Priority: Normal
Source Address: Automatic
Advertise Default Gateway: true
Advertise Routes: <blank>
DNS options:
  Use the DNS configuration of the DHCPv6 server: true
  Do not send any DNS configuration to clients: false
Minimum Interval: 200
Maximum Interval: 600



Some variations I have tried, but still encountered the problem after Router Advertisement service restart:
* Disable DHCPv6 for User VLAN and set "Allow manual adjustment of DHCPv6 and Router Advertisements" to false
* Set Router Advertisements to Managed for User VLAN
* Set Router Advertisements "Use the DNS configuration of the DHCPv6 server" to false for User VLAN

It looks as if you are doing everything correctly and you also probably do not have any untagged VLAN on the same parent interface as the VLANs, do you? Generally, OPNsense handles VLANs quite well.

Sometimes, it is the network hardware that does things incorrectly. See this for a current, still unfixed example. In that specific case, all VLANs are visible, when 802.1x is used. Also, when the switch starts up, all ports behave as trunk ports.

In your specific case, it might be that the switch ports are incorrectly set up as trunks (or your switch is not VLAN-capable at all) and your network interface ignores VLAN tags, potentially only for IPv6 traffic. On some NICs, you can configure VLAN handling in the advanced settings in Windows.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

March 05, 2025, 06:55:21 AM #2 Last Edit: March 05, 2025, 07:20:32 AM by ajeun
Thanks for quick reply. I do have an untagged VLAN on a network interface, but I didn't think that should affect things, since I thought only VLAN 1 traffic would be handled and other tagged traffic ignored.

How my router is setup I have two network interfaces:
* vtnet0 (WAN)
* vtnet1 (LAN)

From vtnet1 (LAN) I created a bunch of VLANs and interfaces for different VLAN tags like 10, 20, 30, etc. Then I also assigned vtnet1 to an interface intending it to handle traffic with VLAN tag 1. I could create a separate VLAN for 1 but my understanding is that should act the same. I did try changing it to this setup but am seeing the same result.



My switch is TL-SG1016PE and is configurable with 802.1Q VLAN and 802.1Q PVID settings. I have it configured like
[attachment: switch 802.1Q VLAN / PVID configuration screenshot, not available]

My computer is on port 9, the PVID (default VLAN) is set to 50 and VLAN 50 is set to be tagged on all ports and untagged on the computer's port. From my understanding then, it should tag all the traffic from my computer as VLAN 50.

The connections are configured kind of like trunks in that all other vlans are tagged on port 9. But I didn't think that should cause problems since only the vlan 50 tagged traffic should be sent to my computer right?

March 05, 2025, 08:14:12 AM #3 Last Edit: March 05, 2025, 02:15:52 PM by meyergru
See? Basically, all of your ports are trunked (i.e. they carry all the VLANs), only that one of the VLANs is put through as untagged, like with port 9 for your PC. If the NIC on your PC does not differentiate between VLAN tags or whether they are tagged at all, it sees all of them at once. As I said, some NIC drivers have special settings to configure that.

The better way to do it is to have just one untagged VLAN per port, so port 9 would be a member of VLAN 50 only. Exceptions to this rule are ports where a trunk is actually needed, like an uplink to another switch, the router or APs that can carry multiple VLANs/SSIDs.

Also, it is generally recommended to not mix tagged and untagged VLANs, although it mostly works.
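To make the mechanism described in the reply above concrete, here is an added example in Python; it is not code from the thread, from OPNsense or from TP-Link. It constructs one Router Advertisement per VLAN as it would leave the router's trunk, models a switch port with a given VLAN member set and PVID (the untagged member), and shows which prefixes a host would autoconfigure from depending on whether its NIC drops tagged frames or strips the tag and processes them anyway. The frames, MAC addresses and 2001:db8 prefixes are constructed for the example and stand in for the poster's real Comcast prefix; the ICMPv6 checksum is left at zero because nothing in the model validates it.

```python
"""Added example (not code from the thread or from OPNsense): why a host on a
switch port that carries every VLAN tagged, plus one VLAN untagged, ends up
with an IPv6 address from every VLAN's prefix when its NIC ignores 802.1Q tags.
Frames are constructed inline; prefixes use the documentation range
2001:db8::/32, and the ICMPv6 checksum is left zero (never validated here)."""
import struct
import ipaddress

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
ICMP6_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
PIO_FLAG_AUTONOMOUS = 0x40   # "A" flag: prefix may be used for SLAAC


def build_ra_frame(prefix, vlan_id=None):
    """Ethernet frame carrying a minimal Router Advertisement with one Prefix
    Information option (L and A set). With vlan_id, an 802.1Q tag is inserted
    after the MAC addresses, as the router sends it on a trunk."""
    net = ipaddress.IPv6Network(prefix)
    # PIO: type, length (4 x 8 bytes), prefix length, flags, valid, preferred, reserved, prefix
    pio = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    # RA header: type, code, checksum (0), cur hop limit, flags, router lifetime, reachable, retrans
    icmp6 = struct.pack("!BBHBBHII", ICMP6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + pio
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(icmp6), 58, 255)   # ver/tc/flow, len, ICMPv6, hop 255
            + ipaddress.IPv6Address("fe80::1").packed               # router link-local (constructed)
            + ipaddress.IPv6Address("ff02::1").packed + icmp6)      # all-nodes multicast
    macs = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")  # dst (all-nodes), src
    if vlan_id is None:
        return macs + struct.pack("!H", ETHERTYPE_IPV6) + ipv6
    return macs + struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV6) + ipv6


def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload after the Ethernet/802.1Q header)."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


def ra_prefixes(ipv6_packet):
    """Autonomous (SLAAC) prefixes advertised by an IPv6 packet; [] if it is not an RA."""
    if ipv6_packet[6] != 58:                     # next header must be ICMPv6
        return []
    icmp6 = ipv6_packet[40:]
    if icmp6[0] != ICMP6_ROUTER_ADVERT:
        return []
    prefixes, pos = [], 16                       # options follow the 16-byte RA header
    while pos + 2 <= len(icmp6):
        otype, olen = icmp6[pos], icmp6[pos + 1]
        if olen == 0:                            # malformed option; RFC 4861 says discard the packet
            break
        if otype == ND_OPT_PREFIX_INFO and olen == 4 and icmp6[pos + 3] & PIO_FLAG_AUTONOMOUS:
            prefixes.append(f"{ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])}/{icmp6[pos + 2]}")
        pos += olen * 8
    return prefixes


def port_egress(frames, member_vlans, untagged_vlan):
    """Switch egress on one port: drop VLANs the port is not a member of, strip
    the tag for the untagged member (the PVID), pass other members tagged."""
    out = []
    for frame in frames:
        vlan_id, ethertype, payload = parse_frame(frame)
        if vlan_id not in member_vlans:
            continue
        if vlan_id == untagged_vlan:
            frame = frame[:12] + struct.pack("!H", ethertype) + payload
        out.append(frame)
    return out


def slaac_prefixes_seen(frames, nic_filters_tags):
    """Prefixes the host would autoconfigure from. nic_filters_tags=True models a
    NIC that drops tagged frames on an access port; False models one that strips
    the tag and processes everything, which is the behaviour discussed above."""
    seen = []
    for frame in frames:
        vlan_id, ethertype, payload = parse_frame(frame)
        if (vlan_id is not None and nic_filters_tags) or ethertype != ETHERTYPE_IPV6:
            continue
        for p in ra_prefixes(payload):
            if p not in seen:
                seen.append(p)
    return seen


# Constructed sample: the router's trunk carries one RA per VLAN, all tagged.
ROUTER_RAS = [build_ra_frame(f"2001:db8:0:{v}::/64", v) for v in (10, 20, 30, 50)]


def scenario(member_vlans, pvid, nic_filters_tags):
    return slaac_prefixes_seen(port_egress(ROUTER_RAS, member_vlans, pvid), nic_filters_tags)


if __name__ == "__main__":
    # Port 9 as first configured: every VLAN tagged, 50 untagged, tag-blind NIC
    print(scenario({10, 20, 30, 50}, 50, nic_filters_tags=False))
    # Same port, but a NIC that drops tagged frames
    print(scenario({10, 20, 30, 50}, 50, nic_filters_tags=True))
    # The fix from the thread: port 9 is a member of VLAN 50 only
    print(scenario({50}, 50, nic_filters_tags=False))
```

With the port as originally configured (all VLANs tagged, 50 untagged) and a tag-blind NIC, the host collects four SLAAC prefixes, which is the "one address per VLAN" symptom in the first post; a tag-aware NIC on the same port sees only VLAN 50. Making port 9 a member of VLAN 50 alone removes the other RAs at the switch, so the outcome no longer depends on what the client's driver does with tagged frames.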

Ah thank you! Changing port 9 to be just in VLAN 50 fixed the issue.

I think I naively assumed that for devices that do not support VLANs they would just ignore a packet if it is VLAN tagged.