IPv6 Question

johnnybinator

@stephenw10 ummm sooo….

As I’m writing this, I have a switch connected. What I was think would solve this lovely chat is if I put a host directly on the pfSense trunk.

stephenw10

Yes, that would certainly confirm if there really is something in pfSense allowing IPv6 only to leak from a VLAN to the parent.

I was just confused as to how it was connected when you were testing before. I may have misread it but I thought you had two trunk connections on the switch (presumably to another switch or an AP maybe) and were connecting the host to the other one.

Steve

johnpoz

@stephenw10 said in IPv6 Question:

allowing IPv6 only to leak from a VLAN to the parent.

But that is not what he is saying, he is saying its leaking without a tag to tagged interface..

stephenw10

Well the fact he can actually use that IP on the host implies it's going both ways which is far more unusual.

johnpoz

@stephenw10 if it was some sort of crazy leak then yeah..

But makes complete sense if the pvid on the port is vlan 11.. Other than saying its only ipv6.. But maybe the device is only requesting IPv6 because he turned ipv4 off on it, etc .etc.

What is more likely, a misconfig on the switch port with a pvid, which pretty much every switch on the planet will set, even with a trunk setting.. Normally you set this to a dead vlan in cisco land.

Or pfsense somehow saying oh look at this untagged traffic, here let my vlan 11 interface process that. Oh then let me send it out untagged so the client can get the answer ;)

But again switch is set to not allow untagged.

I have no PIVD set. No Native VLAN. Just straight Trunk

johnnybinator

@johnpoz There is no PIVD set. No native VLAN. That's the whole point of the post for the start.

Switch port that is connected to pfSense:

interface ethernet 3/26
description To PfSense
switchport mtu 9216
switchport ingress-filtering disable
switchport mode trunk
switchport trunk allowed vlan all
ipv6 nd ra suppress

Switch port connected to the host:

interface ethernet 3/20
description NFS Server
switchport mtu 9216
switchport ingress-filtering disable
switchport mode trunk
switchport trunk allowed vlan all
ipv6 nd ra suppress

Switch port configured for a different host, with PVID, that is working as expected:

nterface ethernet 3/24
description To TV Switch
no capabilities 10half
no capabilities 10full
no capabilities 100half
no capabilities 100full
switchport mtu 9216
switchport mode trunk
switchport trunk native vlan 11
switchport trunk allowed vlan all
ipv6 nd ra suppress

This is what is perplexing. In this configuration, the host connected to 3/20, booting from the install media, gets an IPv6 address from the subnet tied to VLAN 11. As of yet, still unexplained. I mentioned in another post, I can temporarily connect the same host to the pfSense port directly, eliminating the switch. That will determine whether it is my switch or not. I can most likely get to it this week, if anyone's really biting their nails over this.

johnpoz

@johnnybinator said in IPv6 Question:

switchport mode trunk
switchport trunk allowed vlan all

How do you think there is no pvid there? Cisco requires a pvid on a trunk port.. If you try and remove vlan 1, it sets 4095P.. In cisco land if you do not want pvid to be default vlan.. Then you set the native to a dead vlan..

There is some other tricks you can try with setting the port to general mode..

But best practice in ciscoland has always been to set a dead vlan as the pvid on the trunk..

johnnybinator

@johnpoz this isn’t Cisco. But I get your point. I hadn’t thought of setting native to a dead VLAN. That would solve the problem. I’m going to give it a try. Thanks.

johnpoz

@johnnybinator what switch is it exactly? I have worked with many a switches over the years. But mostly cisco for sure - but I would be curious to look at the manual for a switch that drops all untagged on trunk..

johnnybinator

@johnpoz it’s an fs.com s390024t. It’s 24port copper with 4 sfp+, fabless. I bought it for the silence.

johnpoz

@johnnybinator said in IPv6 Question:

s390024t

Well quick look over - sure seems like trunk will have a pvid to me..

Switch(config)#show interface brief ethernet 0/0/1

Can we see that for your interface, this would show the pvid and or utvlan

So unless you did something with ingress filtering like
"ingress acceptable-frame tagged" or something that would remove that.. Trunk ports always have a default pvid.. And do something with untagged. This is normally put onto the default vlan of the switch.

johnnybinator

@johnpoz
Looks like native VLAN is one when you don't specify. I did not know that. I used to do:

switchport trunk allowed vlan all and then swithport trunk remove 1 to shut down VLAN 1 as I am not using it at all.

But I stopped doing that in some troubleshooting step I was doing a while back and have not put it back. This problem with a host with a trunk port getting an IPv6 address from VLAN11 persisted through that change. I'm going to create a dead VLAN and set the native VLAN to that and see what happens. I'm pretty confident that will fix this problem.

s3900l.johnnyb.dev-1#show int configuration eth 3/26
Name : To PfSense
Port Admin : Up
Speed-duplex Capabilities : 10Gfull
Nego-Speed-duplex : 10Gfull
Flow Control : Disabled
VLAN Trunking : Disabled
MAC Learning : Enabled
Link-Status Trap : Disabled
Media Type : None
MTU : 9216
Broadcast Threshold : Disabled
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
Broadcast Block : Disabled
Unknown Multicast Block : Disabled
Unknown Unicast Block : Disabled
Ingress Rate Limit : Disabled, 10000000 kbits/second
Egress Rate Limit : Disabled, 10000000 kbits/second
VLAN Mode : Trunk
Vlan Ingress filtering : Disabled
Native VLAN : 1
GVRP Status : Disabled
VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)
30(t), 40(t), 41(t), 50(t), 60(t)
70(t), 80(t), 82(t), 90(t), 100(t)
110(t), 120(t), 121(t), 122(t), 130(t)
140(t), 150(t), 151(t), 152(t), 160(t)
170(t), 180(t), 190(t), 200(t), 210(t)
300(t), 400(t), 500(t), 600(t), 700(t)
800(t), 900(t), 999(t)
Forbidden VLAN :
QinQ Status : Disabled
QinQ Mode : Normal
QinQ TPID : 8100 (Hex)

stephenw10

What does eth 3/20 show, where the host was connected?

johnpoz

@johnnybinator said in IPv6 Question:

Native VLAN : 1
VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)

So that looks like switch default vlan to me..

Could you please just do the command I asked for on the interface connect to your device your saying is getting IPv6 address from your vlan 11.

Or the above output on the port connected to your devicel. But your command above clearly shows there is an untagged vlan on that port, even though you say your trunked.. And that your trunk had no pvid.

stephenw10

I blame Cisco! Using their own terminology for everything....

johnpoz

@stephenw10 not sure if I would say that ;) But what I will say is I like this output from cli?

VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)
30(t), 40(t), 41(t), 50(t), 60(t)
70(t), 80(t), 82(t), 90(t), 100(t)
110(t), 120(t), 121(t), 122(t), 130(t)
140(t), 150(t), 151(t), 152(t), 160(t)
170(t), 180(t), 190(t), 200(t), 210(t)
300(t), 400(t), 500(t), 600(t), 700(t)
800(t), 900(t), 999(t)

Or did copy that from some gui and paste.. That is easy way to show what is allowed, that is tagged what is untagged.. But I am thinking that might be copy paste from a gui?

I keep seeing these fs.com switches mentioned all over the place.. I should try and pick up one to play with..

johnnybinator

@johnpoz s3900l.johnnyb.dev-1#show int config eth 3/20
Name : to NFS Server
Port Admin : Up
Speed-duplex Capabilities : 1000full
Nego-Speed-duplex : Auto
Flow Control : Disabled
VLAN Trunking : Disabled
MAC Learning : Enabled
Link-Status Trap : Disabled
Media Type : None
MTU : 9216
Broadcast Threshold : Disabled
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
Broadcast Block : Disabled
Unknown Multicast Block : Disabled
Unknown Unicast Block : Disabled
Ingress Rate Limit : Disabled, 1000000 kbits/second
Egress Rate Limit : Disabled, 1000000 kbits/second
VLAN Mode : Trunk
Vlan Ingress filtering : Enabled
Native VLAN : 1
GVRP Status : Disabled
VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)
30(t), 40(t), 41(t), 50(t), 60(t)
70(t), 80(t), 82(t), 90(t), 100(t)
110(t), 120(t), 121(t), 122(t), 130(t)
140(t), 150(t), 151(t), 152(t), 160(t)
170(t), 180(t), 190(t), 200(t), 210(t)
300(t), 400(t), 500(t), 600(t), 700(t)
800(t), 900(t), 999(t)
Forbidden VLAN :
QinQ Status : Disabled
QinQ Mode : Normal
QinQ TPID : 8100 (Hex)

stephenw10

Hmm, well I wouldn't expect a client on that port to see anything on VLAN11. Even if the client is stripping the tags it would (should) be unable to reply.
Something odd at play here.

I guess wait for the results of testing the client connected to pfSense directly.

Steve

johnnybinator

@stephenw10 Will be later today or tomorrow, I will report back.

johnpoz

@johnnybinator So from that config, if untagged traffic when into port 3/20 is would come out 3/26 untagged.

I just find it impossible that would be seen by vlan 11 interface in pfsense..

Now it would be seen by an ix0 if that is what is connected to port 3/26.. But how would ix0.11 see it, why wouldn't ix0.6 or .7 or .10 see it?