IPv6 Question

johnnybinator

@johnpoz
Looks like native VLAN is one when you don't specify. I did not know that. I used to do:

switchport trunk allowed vlan all and then swithport trunk remove 1 to shut down VLAN 1 as I am not using it at all.

But I stopped doing that in some troubleshooting step I was doing a while back and have not put it back. This problem with a host with a trunk port getting an IPv6 address from VLAN11 persisted through that change. I'm going to create a dead VLAN and set the native VLAN to that and see what happens. I'm pretty confident that will fix this problem.

s3900l.johnnyb.dev-1#show int configuration eth 3/26
Name : To PfSense
Port Admin : Up
Speed-duplex Capabilities : 10Gfull
Nego-Speed-duplex : 10Gfull
Flow Control : Disabled
VLAN Trunking : Disabled
MAC Learning : Enabled
Link-Status Trap : Disabled
Media Type : None
MTU : 9216
Broadcast Threshold : Disabled
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
Broadcast Block : Disabled
Unknown Multicast Block : Disabled
Unknown Unicast Block : Disabled
Ingress Rate Limit : Disabled, 10000000 kbits/second
Egress Rate Limit : Disabled, 10000000 kbits/second
VLAN Mode : Trunk
Vlan Ingress filtering : Disabled
Native VLAN : 1
GVRP Status : Disabled
VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)
30(t), 40(t), 41(t), 50(t), 60(t)
70(t), 80(t), 82(t), 90(t), 100(t)
110(t), 120(t), 121(t), 122(t), 130(t)
140(t), 150(t), 151(t), 152(t), 160(t)
170(t), 180(t), 190(t), 200(t), 210(t)
300(t), 400(t), 500(t), 600(t), 700(t)
800(t), 900(t), 999(t)
Forbidden VLAN :
QinQ Status : Disabled
QinQ Mode : Normal
QinQ TPID : 8100 (Hex)

stephenw10

What does eth 3/20 show, where the host was connected?

johnpoz

@johnnybinator said in IPv6 Question:

Native VLAN : 1
VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)

So that looks like switch default vlan to me..

Could you please just do the command I asked for on the interface connect to your device your saying is getting IPv6 address from your vlan 11.

Or the above output on the port connected to your devicel. But your command above clearly shows there is an untagged vlan on that port, even though you say your trunked.. And that your trunk had no pvid.

stephenw10

I blame Cisco! Using their own terminology for everything....

johnpoz

@stephenw10 not sure if I would say that ;) But what I will say is I like this output from cli?

VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)
30(t), 40(t), 41(t), 50(t), 60(t)
70(t), 80(t), 82(t), 90(t), 100(t)
110(t), 120(t), 121(t), 122(t), 130(t)
140(t), 150(t), 151(t), 152(t), 160(t)
170(t), 180(t), 190(t), 200(t), 210(t)
300(t), 400(t), 500(t), 600(t), 700(t)
800(t), 900(t), 999(t)

Or did copy that from some gui and paste.. That is easy way to show what is allowed, that is tagged what is untagged.. But I am thinking that might be copy paste from a gui?

I keep seeing these fs.com switches mentioned all over the place.. I should try and pick up one to play with..

johnnybinator

@johnpoz s3900l.johnnyb.dev-1#show int config eth 3/20
Name : to NFS Server
Port Admin : Up
Speed-duplex Capabilities : 1000full
Nego-Speed-duplex : Auto
Flow Control : Disabled
VLAN Trunking : Disabled
MAC Learning : Enabled
Link-Status Trap : Disabled
Media Type : None
MTU : 9216
Broadcast Threshold : Disabled
Multicast Threshold : Disabled
Unknown Unicast Threshold : Disabled
Broadcast Block : Disabled
Unknown Multicast Block : Disabled
Unknown Unicast Block : Disabled
Ingress Rate Limit : Disabled, 1000000 kbits/second
Egress Rate Limit : Disabled, 1000000 kbits/second
VLAN Mode : Trunk
Vlan Ingress filtering : Enabled
Native VLAN : 1
GVRP Status : Disabled
VLAN : 1(u), 6(t), 7(t), 8(t), 10(t)
11(t), 12(t), 13(t), 14(t), 20(t)
30(t), 40(t), 41(t), 50(t), 60(t)
70(t), 80(t), 82(t), 90(t), 100(t)
110(t), 120(t), 121(t), 122(t), 130(t)
140(t), 150(t), 151(t), 152(t), 160(t)
170(t), 180(t), 190(t), 200(t), 210(t)
300(t), 400(t), 500(t), 600(t), 700(t)
800(t), 900(t), 999(t)
Forbidden VLAN :
QinQ Status : Disabled
QinQ Mode : Normal
QinQ TPID : 8100 (Hex)

stephenw10

Hmm, well I wouldn't expect a client on that port to see anything on VLAN11. Even if the client is stripping the tags it would (should) be unable to reply.
Something odd at play here.

I guess wait for the results of testing the client connected to pfSense directly.

Steve

johnnybinator

@stephenw10 Will be later today or tomorrow, I will report back.

johnpoz

@johnnybinator So from that config, if untagged traffic when into port 3/20 is would come out 3/26 untagged.

I just find it impossible that would be seen by vlan 11 interface in pfsense..

Now it would be seen by an ix0 if that is what is connected to port 3/26.. But how would ix0.11 see it, why wouldn't ix0.6 or .7 or .10 see it?

johnnybinator

@johnpoz I agree 100%. A Clue now that you've had me thinking more about the switch than the pfsense appliance: The switch itself is setup to have an IP (v4) on VLAN 11. but the way I added an IPv6 address put it on VLAN 1:

interface vlan 11
ip address 10.200.0.247 255.255.255.0

interface vlan 1
ipv6 address xxxx:xxxx:xxxx:xxxx::247/64

Perhaps I should put the ipv6 address on VLAN11.

stephenw10

Hmm, is that IPv6 address in any of the pfSense interface subnets?

Since pfSense doesn't have an interface on the untagged ix0 NIC I don't expect it to be.

johnnybinator

@stephenw10 yes, that's the LAN /64. (VLAN11). I changed it so that the IPv6 address is on VLAN 11 instead of VLAN 1. I belive that is going to fix all this crap. Cannot verify until later.

johnpoz

@johnnybinator if your switch as an IPv6 on its vlan1 - maybe it handing out address via slaac? Since clearly untagged traffic coming into that port would be on vlan 1.

That seems logical to be honest.. While somehow pfsense seeing untagged traffic on its vlan 11 does not.

johnnybinator

@johnpoz Yeah. I was thinking the same. Odd thing is, the switch is not providing any IPv6 services. Somehow the pfsense box is doing the RA on VLAN11, but the switch is seeing that on VLAN 1, because I had accidentally put an IPv6 address on VLAN 1.

I put the IPv6 address on the switch via the GUI. It mentions nothing about the VLAN it is assigning the address to. I should have just done it via CLI.

stephenw10

I would expect it to be on the switch native VLAN unless you specifically set it otherwise.

I still wouldn't expect it to allow traffic between that and VLAN 11 though.

This is a curious situation you have discovered!

johnpoz

@stephenw10 said in IPv6 Question:

This is a curious situation you have discovered!

For sure... there has to be a piece of the puzzle we are missing. Since it makes zero sense that untagged traffic coming into 3/20 on his switch could somehow make it to pfsense tagged vlan 11. When clearly on his port connected to ix0 on pfsense also shows untagged as 1..

From his 2 switch port configs, the untagged or native vlan is clearly shown as vlan 1

Is there any other ports connected to this server.. That could somehow put untagged traffic on vlan 11 on the switch?

johnnybinator

@johnpoz Not that I'm aware of.

stephenw10

It's the fact you have two way traffic that is most confusing. It's relatively common to see something incorrectly stripping tags. Some misbehaving switch or hardware offloading on a NIC for example. But that would only ever expose an untagged host to traffic that should be on a VLAN. It would not re-tag it the other way.
You could try running packet captures on the interfaces in question to see if that traffic is in fact tagged or untagged as expected.

Steve

johnnybinator

@stephenw10 I will do some testing later. I cannot do it now.

johnnybinator

@johnnybinator Actually I was able to spin up a VM & everything now works as intended. I appreciate you sticking with me and helping to eliminate possibilities.