IPv6 Question
-
@johnnybinator said in IPv6 Question:
LAN is VLAN 11. I'm positive of it. That is why I'm so perplexed.
That might be on your switch; my LAN on my switch is VLAN ID 9, but this is the default VLAN on the switch and untagged.
You're saying your LAN interface is a VLAN, there is no IP set on the native interface?
-
@johnnybinator said in IPv6 Question:
@stephenw10 LAN is VLAN 11. I'm positive of it. That is why I'm so perplexed.
Mmm, sounds like something is leaking then or just misconfigured.
Can the host actually use the address it gets on the trunk port?
-
My LAN interface is on VLAN 11. I promise you. I do not have an interface that is not tied to a VLAN, besides WAN & NORD VPN on ipsec.
Keyboard-interactive authentication prompts from server:
End of keyboard-interactive prompts from server
Netgate 6100 - Serial: 2051210048 - Netgate Device ID: e6b7e9a44cc68a2e2e29
*** Welcome to Netgate pfSense Plus 22.05-RELEASE (amd64) on pfSense ***
WAN (wan) -> igc1 -> v4/DHCP4: xx.xx.xx.xx/23
v6/DHCP6: xxxx:xxx:xxxx:xccx:711b:386f:1bc7:69c6/128
LAN (lan) -> ix0.11 -> v4: 10.200.0.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:0:92ec:77ff:fe21:2eba/64
VLAN6 (opt1) -> ix0.6 -> v4: 10.0.6.254/24
VLAN7 (opt2) -> ix0.7 -> v4: 10.0.7.254/24
VLAN8 (opt3) -> ix0.8 -> v4: 10.0.8.254/24
VLAN10 (opt4) -> ix0.10 -> v4: 10.0.10.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx::92ec:77ff:fe21:2eba/64
VLAN20 (opt5) -> ix0.20 -> v4: 10.0.20.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:2:92ec:77ff:fe21:2eba/64
VLAN30 (opt6) -> ix0.30 -> v4: 10.0.30.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:3:92ec:77ff:fe21:2eba/64
VLAN40 (opt7) -> ix0.40 -> v4: 10.0.40.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:4:92ec:77ff:fe21:2eba/64
VLAN50 (opt8) -> ix0.50 -> v4: 10.0.50.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:5:92ec:77ff:fe21:2eba/64
VLAN60 (opt9) -> ix0.60 -> v4: 10.0.60.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:6:92ec:77ff:fe21:2eba/64
VLAN70 (opt10) -> ix0.70 -> v4: 10.0.70.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:7:92ec:77ff:fe21:2eba/64
VLAN80 (opt11) -> ix0.80 -> v4: 10.0.80.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:8:92ec:77ff:fe21:2eba/64
VLAN90 (opt12) -> ix0.90 -> v4: 10.0.90.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:9:92ec:77ff:fe21:2eba/64
VLAN100 (opt13) -> ix0.100 -> v4: 10.0.100.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:a:92ec:77ff:fe21:2eba/64
VLAN110 (opt14) -> ix0.110 -> v4: 10.0.110.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:b:92ec:77ff:fe21:2eba/64
VLAN120 (opt15) -> ix0.120 -> v4: 10.0.120.254/25
v6/t6: xxxx:xxxx:xxxx:xxxx:c:92ec:77ff:fe21:2eba/64
VLAN130 (opt16) -> ix0.130 -> v4: 10.0.130.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:d:92ec:77ff:fe21:2eba/64
VLAN140 (opt17) -> ix0.140 -> v4: 10.0.140.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:e:92ec:77ff:fe21:2eba/64
VLAN150 (opt18) -> ix0.150 -> v4: 10.0.150.254/24
v6/t6: xxxx:xxxx:xxxx:xxxx:f:92ec:77ff:fe21:2eba/64
VLAN160 (opt19) -> ix0.160 -> v4: 10.0.160.254/24
VLAN170 (opt20) -> ix0.170 -> v4: 10.0.170.254/24
VLAN180 (opt21) -> ix0.180 -> v4: 10.0.180.254/24
VLAN190 (opt22) -> ix0.190 -> v4: 10.0.190.254/24
VLAN200 (opt23) -> ix0.200 -> v4: 10.0.200.254/24
VLAN210 (opt24) -> ix0.210 -> v4: 192.168.250.254/24
DLVLAN (opt25) -> ix0.151 -> v4: 10.0.151.254/24
NORD_VPN (opt26) -> ovpnc1 -> v4: 10.8.3.4/24

0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + Netgate pfSense Plus tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Disable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
-
@stephenw10 Yes. The host can ping6 on that interface to 2600:: but if I give the same interface an IPv4 address without tagging, I cannot ping out on IPv4.
-
@johnnybinator Well, that is odd..
I could see if the PVID on the port connected to your device was your LAN VLAN ID; that could get to pfSense tagged as it leaves the port connected to pfSense.
But if that was what was happening then IPv4 should work as well, unless your rules on the LAN interface didn't allow IPv4?
If the traffic was actually coming to pfSense untagged, and pfSense has nothing set on the native interface, then it shouldn't be able to get anything.
-
@johnpoz Yeah. Exactly.
-
So to be clear, this happens when you connect a host to ix0 directly? Or some other downstream trunk link?
If it's something other than actually on ix0 on the firewall I'd guess there's something else bridging to it. It's all too easy to leak tagged traffic to untagged but much less likely to go the other way. And that would be required for ping6 to work, obviously.
Steve
-
@stephenw10 This is through a switch that has a trunk port set up on the 6100 - 10Gb.
-
So you're connecting to a trunk port on the switch and there is a separate trunk to the 6100?
That sounds like a switch config problem then. That trunk port is untagged on VLAN 11 somehow?
Doesn't explain how v6 works and v4 doesn't, though.
-
@stephenw10 Exactly, common config actually: PVID on a trunk is VLAN X. As traffic enters the port untagged it gets put in VLAN X. Now when it leaves the switch to, say, the router, it is tagged on VLAN X.
But my same question: that could explain what is happening, but doesn't explain why it doesn't work on IPv4.. Unless the firewall rules on LAN on pfSense do not allow IPv4?
-
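The PVID-on-a-trunk behaviour described in the post above, modelled as an added example that is not code from the thread, from the switch vendor or from pfSense: a small Python model of 802.1Q ingress and egress on a switch, plus a pfSense-style router that only owns VLAN sub-interfaces. The port names, allowed-VLAN sets, the PVID values and the ix0.* sub-interface names are assumptions chosen to mirror the thread (LAN = VLAN 11 on ix0.11, nothing on the parent ix0).

```python
"""Constructed 802.1Q model: how a switch classifies untagged/tagged frames on
ingress, how it re-emits them on the uplink, and which frames a router with
only VLAN sub-interfaces will accept.  All names and VLAN IDs are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD


@dataclass(frozen=True)
class Frame:
    ethertype: int
    vlan: Optional[int] = None  # None means no 802.1Q tag on the wire


@dataclass
class Port:
    name: str
    allowed: Set[int]           # VLANs this port carries
    pvid: Optional[int] = None  # native VLAN; None models "no native VLAN at all"

    def ingress(self, frame: Frame) -> Optional[int]:
        """VLAN the switch files an arriving frame under, or None if it is dropped."""
        vid = self.pvid if frame.vlan is None else frame.vlan
        if vid is None or vid not in self.allowed:
            return None
        return vid

    def egress(self, vid: int, frame: Frame) -> Optional[Frame]:
        """Re-emit on this port: untagged for the native VLAN, tagged otherwise."""
        if vid not in self.allowed:
            return None
        return Frame(frame.ethertype, None if vid == self.pvid else vid)


def switch_forward(in_port: Port, frame: Frame, out_port: Port) -> Optional[Frame]:
    """One hop through the switch: classify on in_port, re-emit on out_port."""
    vid = in_port.ingress(frame)
    return None if vid is None else out_port.egress(vid, frame)


@dataclass
class Router:
    """pfSense-style: VLAN sub-interfaces keyed by tag; parent NIC has no address."""
    parent: str
    subifs: Dict[int, str]
    parent_has_ip: bool = False

    def receive(self, frame: Optional[Frame]) -> Optional[str]:
        """Interface that accepts the frame, or None (untagged needs an IP on the parent)."""
        if frame is None:
            return None
        if frame.vlan is None:
            return self.parent if self.parent_has_ip else None
        return self.subifs.get(frame.vlan)


def trace(host_port: Port, uplink: Port, router: Router, frame: Frame) -> Optional[str]:
    """Follow one host frame host_port -> switch -> uplink -> router."""
    return router.receive(switch_forward(host_port, frame, uplink))


def scenarios() -> Dict[str, Optional[str]]:
    """Assumed topology mirroring the thread: LAN is VLAN 11 on ix0.11, nothing on ix0."""
    pf = Router(parent="ix0", subifs={6: "ix0.6", 10: "ix0.10", 11: "ix0.11"})
    uplink = Port("eth1/25", allowed={6, 10, 11})                # trunk to pfSense, no native VLAN
    uplink_native11 = Port("eth1/25", allowed={6, 10, 11}, pvid=11)  # same trunk with VLAN 11 native
    with_pvid = Port("eth1/1", allowed={6, 10, 11}, pvid=11)     # "trunk" whose PVID is the LAN VLAN
    no_pvid = Port("eth1/2", allowed={6, 10, 11})                # trunk with no native VLAN
    access6 = Port("eth1/3", allowed={6}, pvid=6)                # plain access port in VLAN 6
    v4, v6 = Frame(ETH_IPV4), Frame(ETH_IPV6)
    return {
        "untagged v6 via PVID 11": trace(with_pvid, uplink, pf, v6),
        "untagged v4 via PVID 11": trace(with_pvid, uplink, pf, v4),
        "untagged v6 no native": trace(no_pvid, uplink, pf, v6),
        "tagged 11 v6 no native": trace(no_pvid, uplink, pf, Frame(ETH_IPV6, 11)),
        "tagged 99 not allowed": trace(no_pvid, uplink, pf, Frame(ETH_IPV6, 99)),
        "access port vlan 6": trace(access6, uplink, pf, v4),
        "uplink native 11, parent has no IP": trace(with_pvid, uplink_native11, pf, v6),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:38s} -> {result}")
```

The model makes the layer-2 point explicit: classification and tagging never look at the EtherType, so an untagged IPv4 frame and an untagged IPv6 frame from the same host port always land on the same pfSense interface (or are both dropped). A PVID of 11 on the host's port delivers both to ix0.11 tagged; no native VLAN drops both; a native VLAN 11 on the uplink delivers them untagged to ix0, which accepts nothing because the parent has no address. Whatever causes a v4/v6 asymmetry has to be above layer 2 (rules, addressing, or a second path).
-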
@johnpoz I have no PVID set. No native VLAN. Just straight trunk, on the switch or the host. I'm sure of it.
interface ethernet 1/25
description sm3_10G
switchport mtu 9216
switchport mode trunk
switchport trunk allowed vlan all
ipv6 nd ra suppress
-
@johnnybinator said in IPv6 Question:
Just straight trunk
And what switch allows that? If there was no native, then any untagged traffic wouldn't go anywhere, so clearly that is not what is happening.
-
@johnpoz Clearly there's nothing clear about it.
-
@johnnybinator If pfSense is handing you an IPv6 address on VLAN 11
LAN (lan) -> ix0.11 -> v4: 10.200.0.254/24
then the traffic is coming to pfSense on VLAN 11; how it got there would be a switch config thing, or a client config thing.. pfSense isn't going to say "oh, untagged traffic, let me put that on my ix0.11 interface"..
-
Is that the trunk port that connects to pfSense or where you're connecting the client?
Or is that the same port somehow?
-
@stephenw10 That's the switch port that connects to pfSense. I think what I'm going to do next is plug a host directly into the pfSense interface.
-
Um.... so how are you connecting a client to it now?
The problem is almost certainly in the switch config for the port the client is on.
Steve
-
@stephenw10 Ummm, sooo...
As I'm writing this, I have a switch connected. What I was thinking would solve this lovely chat is if I put a host directly on the pfSense trunk.
-
Yes, that would certainly confirm if there really is something in pfSense allowing IPv6 only to leak from a VLAN to the parent.
I was just confused as to how it was connected when you were testing before. I may have misread it but I thought you had two trunk connections on the switch (presumably to another switch or an AP maybe) and were connecting the host to the other one.
Steve
-
@stephenw10 said in IPv6 Question:
allowing IPv6 only to leak from a VLAN to the parent.
But that is not what he is saying; he is saying it's leaking without a tag to a tagged interface..