Netgate Discussion Forum

    SLACC Bleedthrough on VLANs

kolpinkb

      I appreciate the personal attack.  But anyways…

There is clearly something wrong with radvd in pfSense.  Even if I were to use a fully managed switch and set up VLAN trunks on it properly, radvd would still be sending all the IPv6 route information to all of the vlans on the trunk port.

awebster

        For the record, I have 9 VLANs configured on pfSense (2.3.4) going into a L2 managed switch, radvd is running, and no SLAAC bleedthrough whatsoever.

        –A.

JKnott

          One thing you can do is fire up Wireshark, to see what's actually on the wire.  Failing that, you can use the pfSense packet capture, though it's not quite as convenient as Wireshark.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

johnpoz LAYER 8 Global Moderator

"Even if I were to use a fully managed switch and set up VLAN trunks on it properly, radvd would still be sending all the IPv6 route information to all of the vlans on the trunk port."

So not only are you trying to do tagging with a switch that doesn't support them, you don't seem to understand how tags even work?

            As Derelict says - good luck with that ;) heheheeh

Here - I turned on managed RA on my dmz interface vlan 600.. Did a simple capture and there you go, you can see it's tagged with vlan 600..  Now if doing the packet capture via the gui, it might not be capturing that - you need the "-e", which we could prob put in as a feature request for the packet capture..  But when you do a packet capture on a specific interface that is a specific vlan it will only show you traffic on that vlan.  But it will not list it in the packet capture you download.

            But you can see the RA, clearly marked with the tag I have on that interface

[Attached screenshots: RApfsensevlan.png, RAvlantag.png]

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

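The check johnpoz describes above (capture with link-layer headers, then look at whether each Router Advertisement carries an 802.1Q tag and which VLAN ID it has) can be done programmatically. The following is an added example in Python, not code from this thread or from pfSense: it parses raw Ethernet frames the way `tcpdump -e` shows them, reads the VLAN ID from the 802.1Q TCI if present, and recognises an RA by IPv6 next header 58 and ICMPv6 type 134. The frames are constructed inline for the example (no checksum, minimal body); a real run would read frames from a pcap file instead, and `build_icmpv6_frame`, `ra_count_by_vlan` and `ras_outside_vlan` are names chosen here.

```python
"""Does a captured Router Advertisement carry an 802.1Q tag, and which VLAN?

Added example (Python), not code from the forum thread or from pfSense.
Frames below are constructed sample data, not a real capture.
"""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_RA = 134          # Router Advertisement
ICMPV6_NS = 135          # Neighbor Solicitation, used here as a non-RA sample
IPV6_HEADER_LEN = 40


def parse_frame(frame: bytes) -> dict:
    """Summarise one Ethernet frame: VLAN ID (None if untagged) and whether it is an RA."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        # 802.1Q: 16-bit TCI (PCP:3, DEI:1, VID:12) followed by the inner EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    is_ra = False
    if ethertype == ETHERTYPE_IPV6 and len(frame) > offset + IPV6_HEADER_LEN:
        next_header = frame[offset + 6]                 # byte 6 of the IPv6 header
        icmp_type = frame[offset + IPV6_HEADER_LEN]     # first byte of the ICMPv6 header
        is_ra = next_header == IPPROTO_ICMPV6 and icmp_type == ICMPV6_RA
    return {"vlan": vlan, "is_ra": is_ra, "src": src.hex(":"), "dst": dst.hex(":")}


def ra_count_by_vlan(frames) -> dict:
    """Count Router Advertisements per VLAN ID; the key None means untagged."""
    counts = {}
    for frame in frames:
        info = parse_frame(frame)
        if info["is_ra"]:
            counts[info["vlan"]] = counts.get(info["vlan"], 0) + 1
    return counts


def ras_outside_vlan(frames, expected_vlan) -> list:
    """Indices of RAs not tagged with expected_vlan (an untagged RA counts as outside)."""
    hits = []
    for i, frame in enumerate(frames):
        info = parse_frame(frame)
        if info["is_ra"] and info["vlan"] != expected_vlan:
            hits.append(i)
    return hits


def build_icmpv6_frame(icmp_type=ICMPV6_RA, vlan=None) -> bytes:
    """Construct a minimal ICMPv6 frame fe80::1 -> ff02::1 (sample data, checksum left zero)."""
    dst_mac = bytes.fromhex("333300000001")          # Ethernet multicast for ff02::1
    src_mac = bytes.fromhex("020000000001")          # locally administered, constructed
    icmp = bytes([icmp_type, 0, 0, 0]) + bytes(12)   # type, code, checksum, 12-byte body
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ipv6 += bytes.fromhex("fe80000000000000" "0000000000000001")   # src fe80::1
    ipv6 += bytes.fromhex("ff02000000000000" "0000000000000001")   # dst ff02::1
    frame = dst_mac + src_mac
    if vlan is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)  # PCP/DEI zero
    return frame + struct.pack("!H", ETHERTYPE_IPV6) + ipv6 + icmp


if __name__ == "__main__":
    sample = [build_icmpv6_frame(vlan=600), build_icmpv6_frame(vlan=600),
              build_icmpv6_frame(), build_icmpv6_frame(ICMPV6_NS, vlan=600)]
    print(ra_count_by_vlan(sample))        # {600: 2, None: 1}
    print(ras_outside_vlan(sample, 600))   # [2]
```

Run against a capture taken on the parent (trunk) interface with link-layer headers kept, `ra_count_by_vlan` tells you on which tags RAs actually appear, and `ras_outside_vlan` picks out any RA that is untagged or on a tag it should not be on. A capture taken on the VLAN sub-interface itself will never show the tag, which is the point johnpoz makes about the GUI capture.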
JKnott

              @johnpoz:

"Even if I were to use a fully managed switch and set up VLAN trunks on it properly, radvd would still be sending all the IPv6 route information to all of the vlans on the trunk port."

So not only are you trying to do tagging with a switch that doesn't support them, you don't seem to understand how tags even work?

              A switch only has to pass the VLAN tags and just about any switch will.  When you configure computer NICs for VLANs, those VLANs should still behave as separate networks, as they would with a managed switch.  That is, if you have a network on VLAN5, only devices also on VLAN5 should receive the traffic.  Devices with VLANs are quite common, such as VoIP.  A phone would be on a VLAN, but still pass other traffic from a computer that passes through the phone.  Many access points (at least other than the one I have) also properly support multiple VLANs.

              Where a managed switch comes in handy is when you want devices to be on a specific VLAN, without having to configure them for it.


awebster

                Where a managed switch comes in handy is when you want devices to be on a specific VLAN, without having to configure them for it.

                And when the underlying OS doesn't support VLANs properly…Windows 10 anyone?!

                –A.

JKnott

                  @awebster:

                  Where a managed switch comes in handy is when you want devices to be on a specific VLAN, without having to configure them for it.

                  And when the underlying OS doesn't support VLANs properly…Windows 10 anyone?!

                  Yeah, well that's from Microsoft.  ;)

                  I haven't tried on Windows, but Linux doesn't have a problem being configured for VLANs.


kolpinkb

                    @johnpoz:

Here - I turned on managed RA on my dmz interface vlan 600.. Did a simple capture and there you go, you can see it's tagged with vlan 600..  Now if doing the packet capture via the gui, it might not be capturing that - you need the "-e", which we could prob put in as a feature request for the packet capture..  But when you do a packet capture on a specific interface that is a specific vlan it will only show you traffic on that vlan.  But it will not list it in the packet capture you download.

                    But you can see the RA, clearly marked with the tag I have on that interface

Try with it set to unmanaged on the vlans and managed on the native interface with DHCPv6 enabled.  Even when I disable VLAN support on the NIC in multiple Windows 10 boxes it still gets IPs via SLAAC.

Derelict LAYER 8 Netgate

                      You have a fundamental misunderstanding about how pfSense/FreeBSD works.

                      There is absolutely nothing - nothing- in radvd that has anything to do with VLANs.

                      Look at /var/etc/radvd.conf

                      It is assigned interfaces. You will see interfaces such as igb0 (untagged) and igb0_vlan100 (tagged 100).

                      radvd has zero responsibility for tagging or untagging traffic. It is all handled by FreeBSD.

                      Your assertions are ludicrous and your design is flawed. You might be getting cross-"vlan" traffic from somewhere but it is not coming from pfSense.

                      Always willing to look at comprehensive bug reports, duplicate it in the lab and verify and even open a redmine bug myself if warranted but this is just stupid.

                      Post packet captures that validate your claims. Please be thorough. State exactly where the captures were taken and exactly what the circumstances and testing methodology was.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

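Derelict's point above is that radvd only knows about the interface names it is handed in /var/etc/radvd.conf, with a name like igb0_vlan100 standing for the tagged sub-interface and igb0 for the untagged parent. A quick way to audit that file is to list, per interface, which prefixes it announces and which VLAN the name implies, and to flag a prefix that appears under two interfaces. The following is an added example in Python, not code from this thread or from pfSense; the configuration text is constructed for the example, the interface-name convention follows Derelict's description, and `parse_radvd_conf`, `announcements` and `duplicated_prefixes` are names chosen here.

```python
"""Which interfaces and prefixes does a radvd.conf actually announce on?

Added example (Python), not code from the forum thread or from pfSense.
SAMPLE_RADVD_CONF is constructed sample data, not a real /var/etc/radvd.conf.
"""
import re

SAMPLE_RADVD_CONF = """\
# constructed sample, not a real /var/etc/radvd.conf
interface igb0 {
    AdvSendAdvert on;
    AdvManagedFlag on;
    prefix 2001:db8:0:1::/64 {
        AdvOnLink on;
        AdvAutonomous off;
    };
};
interface igb0_vlan100 {
    AdvSendAdvert on;
    prefix 2001:db8:0:100::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
interface igb0_vlan200 {
    AdvSendAdvert on;
    prefix 2001:db8:0:100::/64 {   # same prefix as vlan100: the mistake to catch
        AdvOnLink on;
        AdvAutonomous on;
    };
};
"""

# FreeBSD/pfSense style name for a tagged sub-interface: <parent>_vlan<id>
VLAN_IFACE = re.compile(r"^(?P<parent>.+?)_vlan(?P<vid>\d+)$")


def vlan_of(ifname: str):
    """Return the VLAN ID encoded in a <parent>_vlan<id> interface name, else None."""
    m = VLAN_IFACE.match(ifname)
    return int(m.group("vid")) if m else None


def parse_radvd_conf(text: str) -> dict:
    """Map interface name -> {'prefixes': [...], 'flags': {AdvXxx: value}}.

    A small token walker: brace depth is tracked so that options inside a
    prefix { } block are not mistaken for interface-level options.
    """
    text = re.sub(r"#.*", "", text)                  # strip comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    ifaces, current, depth, i = {}, None, 0, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif tok == "interface" and depth == 0:
            current = ifaces.setdefault(tokens[i + 1], {"prefixes": [], "flags": {}})
            i += 1                                   # skip the interface name
        elif current is not None and depth == 1 and tok == "prefix":
            current["prefixes"].append(tokens[i + 1])
            i += 1                                   # skip the prefix value
        elif current is not None and depth == 1 and tok.startswith("Adv"):
            current["flags"][tok] = tokens[i + 1]
            i += 1                                   # skip the option value
        i += 1
    return ifaces


def announcements(text: str) -> list:
    """Flat list of (interface, vlan, prefix) tuples, in file order."""
    return [(name, vlan_of(name), prefix)
            for name, data in parse_radvd_conf(text).items()
            for prefix in data["prefixes"]]


def duplicated_prefixes(text: str) -> dict:
    """Prefixes announced on more than one interface -> list of those interfaces."""
    seen = {}
    for name, _vlan, prefix in announcements(text):
        seen.setdefault(prefix, []).append(name)
    return {p: names for p, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    for row in announcements(SAMPLE_RADVD_CONF):
        print(row)
    print(duplicated_prefixes(SAMPLE_RADVD_CONF))
```

Feed it the real file (`open("/var/etc/radvd.conf").read()`) and the output shows exactly which interface, and therefore which tag, each prefix is advertised on; radvd itself never sees a tag, only the interface name, so this is where a cross-VLAN addressing problem would have to originate if it came from the configuration at all.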
johnpoz LAYER 8 Global Moderator

                        ^ that clearly is not needed derelict, I already posted the RA coming out of pfsense with the vlan tag on it..  See my tcpdump.

"Try with it set to unmanaged on the vlans and managed on the native interface with DHCPv6 enabled."

                        Has ZERO to do with anything!!

                        And as a side note - how do you know I don't have that currently setup that way ;)

Simple enough for you to show that pfsense is not putting tags on traffic.. simple tcpdump is all that is needed, you will either see the tags or you won't..

                        Per what Derelict stated about the conf and the interfaces in it.. You can see clearly that assigned to the vlan interface or not.

[Attached screenshot: conf.png]


                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.