IPv6 VLAN RA bug
-
I have IPv6 using Track Interface with my provider, and today my router rebooted because of a power failure. I found that my PC could not reach IPv6 sites anymore and, to my surprise, my PC received 3 IPv6 addresses, one from each of my VLANs… But my PC is on VLAN 1; it should not have gained an IPv6 address from the other two VLANs...
My PC was up and running well before pfSense had rebooted. Maybe the RA is presented too early, before the VLANs are initialized?
My iPhone only got one IPv6 on the right VLAN though...
pfSense v2.3.1
-
I assume that you get a /56 from the ISP, and it looks like pf has received the prefix and carved it up accordingly. If you are getting multiple addresses from different RAs, then I think your VLANs are leaking!
What is between your PC and pfSense? I assume a switch of some sort - what is it?
Please confirm the following:
pfSense em1 is in a trunk port with a default VLAN 1 and the remaining VLANs tagged
Your PC is in an access port with only one VLAN enabled, untagged, which corresponds to its PVID
Your PC is not using tagging of any sort
Remember VLANs happen at layer 2 and the IPv6 stuff is layer 3. It doesn't matter when pfSense fires up the RA thing; your switch will (should - ahem) filter out the traffic that is not valid for your PC.
Finally, most switches need their config saved as you go along. If you have had a power outage it may have dropped changes since the last save (or reverted to defaults).
Cheers
Jon
-
Almost certainly not a bug in anything to do with the firewall. In one such past case I saw with someone, investigation proved the firewall sent them correctly, and their switch leaked the RAs across all the VLANs. It is also quite possible it's something along the lines of what Jon mentioned, with a switch losing some or all of its config and ending up combining multiple VLANs on the same broadcast domain. You can packet capture on the VLANs, filtering for RAs, and verify each has its own only. That'll confirm the problem is elsewhere.
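The capture check suggested above, worked through as an added example (this is not code from the thread or from pfSense). It assumes a capture taken with tcpdump's `-e -v -n` options on the switch port facing the PC, filtered to ICMPv6 Router Advertisements; the sample capture text, the MAC addresses, the link-local address and the 2001:db8:56::/56-derived prefixes are constructed for the example, and the VLAN numbering (untagged VLAN 1, tagged 20 and 30) mirrors the setup in the thread. On a host-facing access port only the untagged RA should ever appear; a tagged RA for another VLAN, or an untagged RA carrying the wrong prefix, means the VLANs are bleeding into each other.

```python
import re
from collections import defaultdict

# Constructed sample of a capture taken on the switch port that faces the PC,
# in the style of:  tcpdump -e -v -n -i em1 'icmp6 and ip6[40] == 134'
# (ip6[40] == 134 selects ICMPv6 type 134, Router Advertisement).
# Timestamps, MACs, link-local address and prefixes are invented for the example.
SAMPLE_CAPTURE = """\
10:00:01.000100 00:0c:29:aa:bb:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 118: fe80::20c:29ff:feaa:bb01 > ff02::1: ICMP6, router advertisement, length 64
\tprefix info option (3), length 32 (4): 2001:db8:56:1::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
10:00:01.000200 00:0c:29:aa:bb:01 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 122: vlan 20, p 0, ethertype IPv6 (0x86dd), fe80::20c:29ff:feaa:bb01 > ff02::1: ICMP6, router advertisement, length 64
\tprefix info option (3), length 32 (4): 2001:db8:56:20::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
10:00:01.000300 00:0c:29:aa:bb:01 > 33:33:00:00:00:01, ethertype 802.1Q (0x8100), length 122: vlan 30, p 0, ethertype IPv6 (0x86dd), fe80::20c:29ff:feaa:bb01 > ff02::1: ICMP6, router advertisement, length 64
\tprefix info option (3), length 32 (4): 2001:db8:56:30::/64, Flags [onlink, auto], valid time 86400s, pref. time 14400s
"""

# What each port SHOULD carry: VLAN id (None = untagged) -> the one prefix pfSense
# advertises on that VLAN. Values are constructed to match the sample above.
ACCESS_PORT_EXPECTED = {None: "2001:db8:56:1::/64"}
TRUNK_EXPECTED = {None: "2001:db8:56:1::/64", 20: "2001:db8:56:20::/64", 30: "2001:db8:56:30::/64"}

# Frame header line of an RA: either untagged, or an 802.1Q frame with a VLAN id.
RA_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > [0-9a-f:]{17}, ethertype "
    r"(?:802\.1Q \(0x8100\), length \d+: vlan (?P<vlan>\d+), p \d+, ethertype IPv6(?: \(0x86dd\))?, "
    r"|IPv6 \(0x86dd\), length \d+: )"
    r"(?P<src>[0-9a-f:]+) > ff02::1: ICMP6, router advertisement"
)
# Prefix Information option line printed under the RA by tcpdump -v.
PREFIX_RE = re.compile(r"prefix info option \(3\).*?: (?P<prefix>[0-9a-f:]+/\d+)")


def parse_ras(capture):
    """Return a list of (vlan, router_lladdr, prefix); vlan is None for untagged frames."""
    ras = []
    current = None
    for line in capture.splitlines():
        m = RA_RE.match(line)
        if m:
            vlan = int(m["vlan"]) if m["vlan"] else None
            current = (vlan, m["src"])
            continue
        p = PREFIX_RE.search(line)
        if p and current is not None:
            ras.append((current[0], current[1], p["prefix"]))
    return ras


def find_leaks(ras, expected):
    """Compare observed RAs against what the port should carry.

    Returns a list of human-readable findings; an empty list means every RA seen
    on this port belongs to a VLAN the port is meant to carry, with the right prefix,
    and no prefix shows up on more than one VLAN (merged broadcast domains)."""
    findings = []
    vlans_per_prefix = defaultdict(set)
    for vlan, router, prefix in ras:
        vlans_per_prefix[prefix].add(vlan)
        tag = "untagged" if vlan is None else f"tagged vlan {vlan}"
        if vlan not in expected:
            findings.append(f"RA for {prefix} from {router} arrived {tag}: this VLAN should not reach the port")
        elif prefix != expected[vlan]:
            findings.append(f"RA for {prefix} from {router} arrived {tag}, expected {expected[vlan]}")
    for prefix, vlans in vlans_per_prefix.items():
        if len(vlans) > 1:
            findings.append(f"prefix {prefix} seen on several VLANs {sorted(map(str, vlans))}: broadcast domains merged")
    return findings


if __name__ == "__main__":
    observed = parse_ras(SAMPLE_CAPTURE)
    for finding in find_leaks(observed, ACCESS_PORT_EXPECTED) or ["no leak: port sees only its own VLAN's RA"]:
        print(finding)
```

Run it as-is and the access-port check reports the two tagged RAs (VLAN 20 and 30) that should never have reached the PC's port; feed the same capture to `find_leaks` with `TRUNK_EXPECTED` and it is clean, because on the trunk towards ESXi those tags are exactly what belongs there. Capturing on the pfSense VLAN interfaces themselves (em1_vlan20 and so on) is the other half of the test: each of those should show only its own prefix, which is what points the finger at the switch rather than the firewall.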
-
Yes, that's what I think too…
My pfSense runs in an ESXi host and it receives 4 interfaces: WAN, LAN, KIDS and LABO. In the Virtual Switch of ESXi I have 1 switch with the following network (VLAN) setup: LAN, KIDS (20) and LABO (30).
pfSense is unaware of the VLAN ids... Maybe that's my problem?
All the ports in the switch are members of every VLAN and it's untagPvidOnly, which is 1 for all ports. The odd thing is that I have no problem with DHCP on IPv4; only IPv6 creates that problem, and on hard-wired connections only; WiFi is OK...
Meanwhile I have to disable IPv6 on my computer because it slows down browsing a lot, since it tries to send packets to VLANs my computer is not tagging for.
-
So I did what I should have done… I removed every VLAN membership on all the ports that were not supposed to have access to those VLANs and left the membership on my ESXi trunk and access point...
It works now, but why did I have a bleed like that, and only on IPv6? Is it because of the way DHCP works on IPv4 vs IPv6...
Thanks for your insight.
-
This is a known bug in Windows. It is not a pfSense bug - and there is nothing you can do in pfSense to fix it.
The Windows NIC driver will deliver layer-2 broadcast traffic (which includes RAs) from any VLAN, tagged or untagged, to the untagged VLAN. So the IPv6 driver sees the RAs and sets up the routes. Stupid.
MS, foolishly, refuses to recognize that this is a bug. They claim it is working by design, partly because they use it in some configuration for SMB (aka Samba) file sharing.
Best advice: don't ever mix tagged and untagged traffic on a link terminating on an MS Windows or MS Server box. If you don't need the tagged traffic in the Windows box, you may be able to block the tagged VLANs in your switch.
Linux systems used to have this fault too - but the Linux community recognized and fixed the bug in their NIC handling. Your phone (whether Android or iPhone) never suffered from this bug.