IPv6 link local on a Bridge Network !

Started by karl047, July 27, 2018, 09:43:23 AM

July 27, 2018, 09:43:23 AM Last Edit: September 15, 2018, 09:25:31 PM by karl047
Hi Forum,

I have posted my question in the German section, but I'd like to ask you too for help with solving this problem with IPv6 link local on a Bridge Network :-)

After a successful configuration of a Bridge Interface with static IPv4 & IPv6 addresses, I noticed that this Interface has no IPv6 link local. I could ping IPv6 internet sites from this Interface, but the Clients behind it don't get an IPv6 address (the IPv6 configuration of this Interface goes with unmanaged RADV).

Is it a known BUG or an error with the configuration? Maybe I can solve this problem if I enter the IPv6 link local of this Interface, but how and where?!

Thanks...

Are you allowing icmp6? Does radvdump show the beacon information you are expecting? Have you packet traced the NDP traffic? Any host firewalls getting in the way?

Bart...

ICMPv6 is allowed, and it looks like the Bridge Interface missed the auto-configuration of IPv6 link local, I made some Research & found this issue:

https://github.com/opnsense/core/issues/926

I can tell you that everywhere on my Network is configured the same & works fine except the Bridge Network but only with IPv6, everything else is perfect.

The overview of all my Interfaces shows that "only" the Bridge Interface has no IPv6 link local, and there is no Firewall behind my OPNsense that blocks this way.

I found this mail too... it describes the problem with Bridge Network & IPv6 link-local & how he solved it. It looks like the problem was already known about 10 years ago!!!

https://lists.freebsd.org/pipermail/freebsd-net/2009-April/021675.html

Ok... it could be solved if I manually enter the inet6 fe80::blablabla, depending on the MAC address, but how can I do it? Where is the rc.conf in OPNsense? Or anything else where I can do something about this entry? Or the command line?

I need your help... & please can a developer note this problem as a BUG? Probably somebody can solve it with the new release?! It would be nice! Thanks

When I ran a simple "ifconfig" command over SSH, I noticed that the Bridge Network has no IPv6 link-local like the other Interfaces that I have on OPNsense:


igb1_vlanxx: flags=xxxx<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   options=400000<TXCSUM_IPV6>
   ether xx:xx:xx:xx:xx:xx
   inet6 fe80::xxxx:xxxx:xxxx:xxxx%igbx_vlanxxxx prefixlen 64 scopeid 0x11
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
   media: Ethernet 1000baseT <full-duplex>
   status: active
   vlan: xxxx vlanpcp: 0 parent interface: igbx
   groups: vlan
bridge0: flags=xxxx<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,STATICARP> metric 0 mtu 1500
   ether xx:xx:xx:xx:xx:xz
   inet xx.xx.xx.xx netmask 0xfffffe00 broadcast xx.xx.xx.xx
   nd6 options=1<PERFORMNUD>
   groups: bridge
   id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15

The Bridge Network gets a MAC address but no IPv6 link-local is possible; nd6 options is set to 1 & on the other Interface to 21, & there is no "AUTO_LINKLOCAL". It is exactly what the mail in the last post described.

But how can I enter the missing option manually? Or is there another way?

Thank you all...

August 10, 2018, 02:06:12 PM #5 Last Edit: August 10, 2018, 02:37:51 PM by karl047
After a lot of research in FreeBSD tutorials & commands, I could enter the IPv6 link local manually:

When I add the Bridge Interface, it automatically gets a generated MAC address (like 00:45:d8:a1:cc:67), which converted into IPv6 gives this address (fe80::245:d8ff:fea1:cc67).

Log in over SSH & enter this command:

ifconfig bridge0 inet6 fe80::245:d8ff:fea1:cc67%bridge0 prefixlen 64

Run the ifconfig command again, & the Bridge Interface now has an IPv6 link local :-)  BUT ONLY UNTIL THE REBOOT :-(

The solution for that was in the pfSense forum 5 years ago (pfSense has the problem too, I tried the last version & I got no IPv6 link local there either)! But as I said, the solution was (thanks pendi from the pfSense forum) to edit the file interfaces.inc (in OPNsense it is in /usr/local/etc/inc/).

what he wrote:

To fix this I added (copied) the following lines into /etc/inc/interfaces.inc to the function "interface_bridge_configure" just before the line " if (isset($bridge['enablestp'])) {":

    /* Create link local address for bridges */
    $mac = get_interface_mac($bridge['bridgeif']);
    $v6address = generate_ipv6_from_mac($mac);
    mwexec("/sbin/ifconfig {$bridge['bridgeif']} inet6 {$v6address}");

It works fine under OPNsense without any problem; in pfSense it works too, but after every reboot the Bridge Interface gets a new MAC address.

I hope that it will help somebody, & I hope that a fix comes in the near future for that from OPNsense Developers.
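The MAC-to-link-local conversion and the "no fe80:: address" check from the post above, as an added example that is not part of the original thread and not OPNsense code. The function names and the SAMPLE output are constructed; the conversion follows the modified EUI-64 rule of RFC 4291 (flip the universal/local bit, insert ff:fe).

```shell
#!/bin/sh
# Added example: function names and SAMPLE are constructed for illustration.

# Modified EUI-64 link-local address for a MAC (RFC 4291, Appendix A).
mac_to_linklocal() {
    h='[0-9a-fA-F]'
    case $1 in $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs   # split into six bytes
    b1=$(( 0x$1 ^ 0x02 ))                          # flip the universal/local bit
    # ff:fe goes between the two MAC halves; %x drops leading zeros per hextet.
    printf 'fe80::%x:%x:%x:%x\n' \
        $(( (b1 << 8) | 0x$2 )) $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 ))    $(( (0x$5 << 8) | 0x$6 ))
}

# Read ifconfig output on stdin; print "name mac" for every interface that has
# an ether line but no "inet6 fe80:" line.
ifaces_without_linklocal() {
    awk '
        function report() { if (name != "" && mac != "" && !ll) print name, mac }
        /^[^ \t]/     { report(); name = $1; sub(/:$/, "", name); mac = ""; ll = 0 }
        $1 == "ether" { mac = $2 }
        $1 == "inet6" && $2 ~ /^fe80:/ { ll = 1 }
        END           { report() }
    '
}

# Print (do not run) the ifconfig command from the post for each such interface.
suggest_fix() {
    ifaces_without_linklocal | while read -r ifc mac; do
        echo "ifconfig $ifc inet6 $(mac_to_linklocal "$mac")%$ifc prefixlen 64"
    done
}

# Constructed sample in the shape of the output posted in this thread.
SAMPLE='igb1_vlan10: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:11:22:33:44:55
   inet6 fe80::211:22ff:fe33:4455%igb1_vlan10 prefixlen 64 scopeid 0x11
   nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 00:45:d8:a1:cc:67
   inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
   nd6 options=1<PERFORMNUD>'

printf '%s\n' "$SAMPLE" | suggest_fix
```

On a live system the input would be `ifconfig | suggest_fix`. For a locally administered MAC such as 02:73:82:ed:48:00 the bit flip gives fe80::73:82ff:feed:4800, the same interface ID as the 2a02:… address in the post-reboot output later in this thread.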

August 10, 2018, 05:25:45 PM #6 Last Edit: August 10, 2018, 05:29:07 PM by marjohn56
karl047 - Nice fix, do you want to issue a PR for that or raise an issue on Github and we'll see if it can be added, probably not in time for 18.7.1 though.


I have to tell you,  I just did an ifconfig on my bridge and this is there:


inet6 fe80::277:70ff:fecd:1e00%bridge0 prefixlen 64 scopeid 0xb
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member

Quote from: marjohn56 on August 10, 2018, 05:25:45 PM
do you want to issue a PR for that or raise an issue on Github and we'll see if it can be added, probably not in time for 18.7.1 though.

@marjohn56: can you do that for us? I haven't reported an issue yet, & I don't know how I would :p

August 11, 2018, 06:17:49 PM #8 Last Edit: August 11, 2018, 06:32:29 PM by marjohn56
I can do but as you see from my last message, my bridge IS getting a mac address. How is your bridge interface being used?


Sorry.. wife was talking, I meant a link-local address.

What are the members of your bridge?


As I say, mine works so there's something else going on.

August 11, 2018, 06:44:30 PM #10 Last Edit: August 11, 2018, 06:50:47 PM by marjohn56
I've just created a bridge of my test Qotom, bridging the 2 spare ports onto the LAN so now I have three LAN ports. Here's the ifconfig output.


bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:73:82:ed:48:00
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::1:1%bridge0 prefixlen 64 scopeid 0xa
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 55
        member: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 55
        member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000


As you can see, I have a link-local address...


Edit.. No I don't.. well how come I have one on my live unit... off to investigate.


But, after a reboot. I do


bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:73:82:ed:48:00
        inet 192.168.1.254 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 2a02:8010:6228:dd00:73:82ff:feed:4800 prefixlen 64
        inet6 fe80::1:1%bridge0 prefixlen 64 scopeid 0xa
        inet6 fe80::273:82ff:feed:4800%bridge0 prefixlen 64 scopeid 0xa
        nd6 options=1<PERFORMNUD>
        groups: bridge
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 2000000
        member: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 4 priority 128 path cost 55
        member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 3 priority 128 path cost 2000000

You have to wait a moment please... you have an IPv6 link local on your Bridge Network (fe80::1:1%bridge0) because you have configured the IPv6 address on your Bridge as Track Interface over WAN! Is that right?

Quote from: karl047 on July 27, 2018, 09:43:23 AM
After a successful configuration of a Bridge Interface with static IPv4 & IPv6 addresses, I noticed that this Interface has no IPv6 link local. I could ping IPv6 internet sites from this Interface, but the Clients behind it don't get an IPv6 address (the IPv6 configuration of this Interface goes with unmanaged RADV).

That is what I mean: the configuration that I made was with static IPv4 & IPv6!!! After that you get no IPv6 link local on your Bridge Interface, therefore you should configure it over SSH with ifconfig or copy the lines that I posted (thanks pendi from the pfSense forum) into interfaces.inc

I hope that I clearly explained this point.

There is already a call to put a link local address on the LAN interface, I found it yesterday. It gets done when dhcpdv6 is setting up. So your system SHOULD work without your patch. We need to work out why it isn't.


The code in question is at around line 1417 in interfaces.inc and calls the function generate_ipv6_from_mac($mac)


I hope so...
I will tell you what I did & why I had to do it with this patch:
Firstly, I have static IPv4 & IPv6 addresses from my ISP. OPNsense firmware lets you configure IPv6 on your Interfaces with the option Track Interface over WAN with different IDs (depending on your prefix delegation), but you have 2 problems with it. The first one: the prefix behind my fritzbox is 60 (from the ISP it is 56); that is OK too, you can set up 16 networks with it, but you cannot configure your Interfaces because they aren't configured with a static IPv6 address! And that is the second problem.
Then I had to set up my WAN interface as a static IPv6 address with a customized IPv6 address matching the IPv6 address of my fritzbox (like SLAAC, "the same prefix", but it is configured as a static IPv6 address), & I did the same with the other Interfaces but with a new prefix depending on the prefix delegation (/56). That means I have 256 networks to set up & not only 16! AND I can configure my IPv6 on those Interfaces because they are configured with a static IPv6 address!
The only thing that I had to do: set up an IPv6 static route on my fritzbox for every Interface (except the WAN Interface).
The Bridge Interface (in OPNsense or in pfSense) has no IPv6 link local when it is added, but it gets one when it is configured as Track Interface (like the other Interfaces, fe80::1:1); as a static IPv6 address it won't work (why? I don't know! So I had to set up this patch & everything is fine after that, it works without any problem).

I'm really curious how the problem will be solved.

The point is that the bridge interface, when dhcp6d is being configured, whether it's tracking or static, SHOULD automatically configure the link-local address on the bridge interface.


Actually I misled you, the bit of the code that does this is actually in services.inc and in 18.7 it's at line 1313 >