Clients use wrong IPv6 Gateway MAC in multi-instance OPNsense setup

Started by simonmicro, January 01, 2026, 11:23:52 PM

Quote from: Patrick M. Hausen on January 02, 2026, 01:32:52 AM
Quote from: Maurice on January 02, 2026, 01:27:15 AM
This is simply unsupported in the real world. You can't have multiple default routers which advertise different SLAAC prefixes in the same LAN.

I noticed that "in the real world" but still this comes as quite the surprise to me. Because all the IPng/IPv6 fundamentals textbooks I read more than a decade ago said that is how it's supposed to work. Multihoming - solved. An arbitrary number of addresses/prefixes on every host interface plus router advertisements will just do the right thing.

So like the OP I took it as a given that this setup should "just work".

But then again at some point in time host to host IPsec was mandatory for any compliant IPv6 implementation, too ...

Yes, I trod that path, but there's a slight problem in the RFCs.

IIRC routing works like this:

- client has destination IP
- client selects gateway for that IP
  - there is more than one gateway with default route
  - those gateways are identified by link-local addresses
  - selection is pretty much random, since all are default and same metric and so on
- client selects a source address for that gateway
  - this source address selection is not guaranteed to be the right one, since routing information is not bound to addresses
- client sends packet to the gateway with the selected source IP
- gateway forwards packet, if rules allow it
- if the source address was the right one for the gateway, the same gateway receives the return packet and everything is fine
- if the source address was the one for the other gateway's network, then the other gateway receives the return packet and drops it

Worse, even if that scheme worked (which it does if the gateways in question are stateless, which firewalls are not), the routing decision is left to the client, which cannot always know if the chosen gateway is right now capable of forwarding packets to the destination. This decision should be left to the gateways themselves, which necessitates the CARP solution.
But even then, you need a static IPv6 network you can configure on both firewalls, which is probably not possible using the Fritzbox.

There is no good solution for this, I'm afraid. The Google keyword is "ipv6 small site multihoming". There is also a candidate RFC for all the ways in which it doesn't work.
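A small Python model of the failure sequence described in the post above, added here as an example and not code from OPNsense or the thread participants; the two routers, their documentation-range prefixes and the client's interface identifier are constructed. It shows that random default-gateway selection combined with a source address picked independently of the next hop gets roughly half the return packets dropped by stateful firewalls, while binding the source address to the prefix the chosen router advertised (the RFC 8028 rule) or making the gateways stateless avoids the drops.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    prefix: ipaddress.IPv6Network   # SLAAC prefix this router advertises in its RAs
    stateful: bool = True           # firewall keeps per-flow state (drops unknown return traffic)


# Constructed LAN: two default routers, each handing out its own prefix (RFC 3849 doc space).
ROUTERS = (
    Router("fw-a", ipaddress.IPv6Network("2001:db8:a::/64")),
    Router("fw-b", ipaddress.IPv6Network("2001:db8:b::/64")),
)
# Same topology with plain stateless routers instead of firewalls.
STATELESS_ROUTERS = tuple(Router(r.name, r.prefix, stateful=False) for r in ROUTERS)


def client_addresses(routers, iid=0x02001122FFFE3344):
    """One SLAAC address per advertised prefix, all on the same host interface (constructed IID)."""
    return {r.name: ipaddress.IPv6Address(int(r.prefix.network_address) + iid) for r in routers}


def return_path_router(routers, source):
    """The return packet is delivered to whichever router owns the source prefix."""
    return next(r for r in routers if source in r.prefix)


def simulate(routers, flows=1000, bind_source_to_nexthop=False, seed=1):
    """Fraction of flows whose return packet is dropped by a router without state for them."""
    rng = random.Random(seed)
    addrs = client_addresses(routers)
    dropped = 0
    for _ in range(flows):
        egress = rng.choice(routers)                    # default-route tie: effectively random
        if bind_source_to_nexthop:
            source = addrs[egress.name]                 # RFC 8028: source from the next hop's prefix
        else:
            source = rng.choice(list(addrs.values()))   # source chosen without regard to next hop
        ingress = return_path_router(routers, source)
        if ingress is not egress and ingress.stateful:
            dropped += 1                                # asymmetric flow, no state -> dropped
    return dropped / flows


if __name__ == "__main__":
    print("unbound source, stateful firewalls:", simulate(ROUTERS))
    print("bound source, stateful firewalls:  ", simulate(ROUTERS, bind_source_to_nexthop=True))
    print("unbound source, stateless routers: ", simulate(STATELESS_ROUTERS))
```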