Unique Local Addresses?
-
"Routing ULAs is completely appropriate, other than onto the Internet. "
Completely agree.. But your posts sounds like your issue with devices on the same layer 2..
""I'm just trying to connect between 2 devices on the same LAN.""
""Wireshark shows the neighbor solicitation going out, but no response.""So your saying your not getting answer from pfsense for its ULA you placed on the interface as a neighbor to your device as its gateway? So it can get to other ULA /64's on your local network.. I can try and fire up ULA addresses on pfsense interfaces and see if I can route between them. If that is the case.. But maybe I just needed more coffee, but sounded like you were talking about devices talking to each other on the same L2 which pfsense would give 2 shits about..
-
I guess I should have clarified. ULA works fine, except for the LAN interface on the pfSense firewall. I have no problem connecting from my desktop computer to notebook, etc. It's just I can't access the firewall. While it won't impact me in my situation, pfSense is also sold for use in corporate environments, where it may be an issue.
BTW, I'm doing a lot of this stuff to learn and it's frustrating to come across problems such as this, where poor design keeps things from working.
-
I just tested this..
So gave pfsense a VIP ipv6 ULA of fd31:8d49:5cc9:5133::1
I then gave my PC a ipv6 ula address of fd31:8d49:5cc9:5133::100
I can ping pfsense just fine
ping fd31:8d49:5cc9:5133::1
Pinging fd31:8d49:5cc9:5133::1 with 32 bytes of data:
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1ms
Reply from fd31:8d49:5cc9:5133::1: time<1msPing statistics for fd31:8d49:5cc9:5133::1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0msNow I had to edit the lan firewall rule on pfsense to not be "lan net" for ipv6 since the ULA is not the actual lan net its a vip sitting on the lan interface..
-
Did you use an alias to create that address on pfSense? When I did that and rebooted, I lost my GUA on the LAN interface. I had no problem setting RA to provide the ULA prefix.
I then gave my PC a ipv6 ula address of fd31:8d49:5cc9:5133::100
I didn't have to do that. With RA configured for the ULA, all my devices got an address automagically.
-
That is fine I did not go that route for a simple test, this is not something I would setup on my network. I just use my global IPs I get from HE that fall under my /48
Its quite possible you have problems with creating an alias if your using tracking for your IPv6 on your lan side interfaces and your prefix changes from your ISP. Wouldn't a simple solution to just be create an alias for your ULA only. Then just create multiple rules 1 for your global that you get from tracking "lan net" "optX net" etc.. and your alias with your ULA network(s) in them.
The scenarios where you want want the same rules for your global and your ula would be rare that you would want them in the same alias isn't it? Why not just use ANY on your lan side for your source if that is the case that you just want to allow IPv6..
Other than play/learning - what exactly are you looking to accomplish?
-
Regardless of rules etc., it shouldn't be difficult/impossible to set up an alias, along with RA for the ULA prefix. Also, setting up an alias shouldn't kill the GUA on the LAN interface. As I mentioned, RA works fine for ULA, but an address is not assigned to the LAN interface and creating an alias kills the router for IPv6. A business user may have reasons for routing ULA between sites via VPN. PfSense won't allow that, as far as I can see.
-
"A business user may have reasons for routing ULA between sites via VPN. PfSense won't allow that, as far as I can see."
Why is that.. I just created a gateway to my ULA box the 5133::100 address, I then created a route saying hey if you want to go to 5134::/64 talk to the gateway… I then did a sniff and pinged from pfsense to a 5134::100 address and it sent the traffic from its vip 5133::1 address to 5134:100 to the mac of my 5133:100 box.. So sure looks like that is routing to me.
If it was via a vpn connection, then would have its own vpn interface, etc. any could for sure create routes that go down that tunnel to get to a ULA range.
So I am still confused as to what is not working, or then trying to create some alias that has both your Global address that you got via a TRACK interface network? And this is changing on you?? Are you saying you can not create a alias with your IPv6 global address and your ULA..
Sorry not seeing what your issue is.
-
So I am still confused as to what is not working
Have a look at https://redmine.pfsense.org/issues/5999, that is just the tip of the iceberg.
But more specifically having a virtual IP set on an interface that is also tracking the WAN. Similarly if an interface is a DHCP client and also needs a VIP we get into the same situation.Basically, as has been discussed before, IPv6 is fundamentally different than IPv4 in some of the basic principles, starting with the fact that an interface can and does have more than one IP address, this is defined in the RFCs. It can have a mixture of any number of ULAs, GUAs and a link-local addresses. Consequently, the software needs to be aware of this and make intelligent choices, or allow the user to dictate, based on this fact.
Many of the functionalities in pfSense, and quite possibly the underlying FreeBSD OS, are just "enhanced" versions of their IPv4 counterpart and haven't necessarily taken this requirement to heart. As the redmine ticket indicates, there is much work to be done to bring the code base up-to full to par so that expected IPv6 behavior works.I'm thinking that a work-around in JKnott's case might be to assign the ULA range to a separate interface and plug it into the same L2 as the LAN interface.
-
So I am still confused as to what is not working, or then trying to create some alias that has both your Global address that you got via a TRACK interface network? And this is changing on you?? Are you saying you can not create a alias with your IPv6 global address and your ULA..
Once again. I can set up ULA with RA, no problem, but the pfSense LAN interface doesn't get an IPv6 address. When I create an alias on the pfSense LAN port, for the ULA, I cannot even ping it. It simply doesn't respond. Worse, when I reboot the firewall, I lose the GUA address on the WAN port. Up the thread, someone else posted some links that showed problems with alias addresses on pfSense.
So, what I'm trying to do is
a) create the ULA with RA - this works
b) get a working ULA address on the LAN interface. This doesn't work.Can you ping from a device on a ULA only to the firewall? And to the VPN?
I spent all yesterday afternoon, trying to just be able to ping a ULA address on the pfSense LAN interface, without success. This is decribed further up the list.
However, I'll try again and see what happens.
-
I just tried it and the same thing happens. I cannot even ping the firewall ULA and after rebooting it, I lose IPv6 to my network. PfSense is busted!!!
-
One thing I just thought of. It may not be necessary for pfSense to have a ULA to route from the ULA prefix. Routing is still done via the link local address. I'll have to see if I can figure out some way to test this. I may have to dust off my Cisco 2600 router.
-
" just tried it and the same thing happens. I cannot even ping the firewall ULA and after rebooting it, I lose IPv6 to my network. PfSense is busted!!!"
Maybe your pfsense is busted.. But this is not the case with mine.. Add ULA address as VIP.. Works as it should - can ping it to that address (if firewall rules allow it) and routes just fine..
What your saying makes ZERO sense - how would adding a vip cause such an issue?? Be it a ula or another global, etc..
-
I don't know why it's happening, but it happened twice. Also, as mentioned in other posts, there apparently is a problem. And I created the alias by clicking on Firewall > Virtual IPs.
-
And what did you pick for the type of VIP?
-
-
With pfSense 2.4.0, I can now add a ULA alias on my LAN interface, without losing Internet access. It appears there was a problem with the previous version.
-
^^^^
Looks like I spoke too soon. As before, after a reboot, the problem returns. However, one thing I noticed is the default route on my computer changes, from the main LAN to a VLAN interface on my pfSense router. I'm not sure what causes this, as the VLAN has a different prefix from the ULA on the main LAN.Why would the default route change? I checked the router.priority for each RA and the VLAN is set to low and main LAN set to normal.
-
It's currently working, with the ULA alias. I have no idea why it's working now and not before.
I set the mail RA priority to high, but IP -6 route show shows both the main LAN and VLAN to have medium preference:
default via fe80::1:1 dev eth0 proto ra metric 1024 expires 58sec hoplimit 64 pref medium
default via fe80::216:17ff:fea7:f2d3 dev vlan3 proto ra metric 1024 expires 51sec hoplimit 64 pref mediumShouldn't that reflect the router priority setting, which is high for main LAN and low for VLAN3?
My computer is running OpenSUSE Linux.
-
Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface. Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs). Keep in mind they will also get more than 1 gateway this way.
Just one correction, It will still be only one Gateway no matter how many prefixes are advertised. You would only get a 2nd Gateway if you had a 2nd box broadcasting RAs. 1 box broadcasting many prefixes = 1 Gateway.
And that gateway is a Link Local address, not a ULA or GUA.
-
^^^^
It shows both gateways, but whatever happens, I lose Internet access. I can ping local addresses, including ULA, so routing still appears to be functioning at least that far, but I cannot get out to the Internet. Also, sometimes it works OK after rebooting, Sometimes it doesn't. I have no idea why it's failing. I agree it shouldn't matter which is default route, as both are to a link local address on the same interface.
