Netgate Discussion Forum
    Selective RA advertising?

    IPv6
    15 Posts 3 Posters 2.3k Views
    mcfly9

      Yes, the VPN is on pfSense. Routing tables in pfSense and the router are set up to use the shortest routes. My question is how the routes can be influenced on the end-user computers.

      I'll try to draw…

      
      ===================== LAN1 ==================
      computers           pfSense            router --+------ IPv4 Internet
                             I                        +------ tunnelbroker.net ---- IPv6 Internet
                             I                                                            
                             I                                                            
                             I OpenVpn site-to-site (through v4 internet)                                  
                             I                                                            
                             I                                                           
      computers           pfSense            router --+------ tunnelbroker.net ---- IPv6 Internet
                                                      +------ IPv4 Internet
      ===================== LAN2 ==================
      
      

      Option 1) If I turn on RA in pfsense, computers see two default routes:

      • pfsense
      • router

      Option 2) If I turn off RA in pfsense, computers see one default route:

      • router

      In case of option 1, my computers going to the v6 Internet might use the pfSense->router->tunnelbroker->v6 Internet route, which is one more hop than router->tunnelbroker->v6 Internet. Also, when going to LAN2, they might go through router->pfSense->OpenVPN->LAN2, which is again one more hop than pfSense->OpenVPN->LAN2.

      In case of option 1, my computers going to LAN2 will use router->pfSense->OpenVPN->LAN2, which is again one more hop than pfSense->OpenVPN->LAN2 would be.

      I hope it's easier to see my dilemma now. I emphasize, I am able to do what I want using persistent routes on the computers but would want to have the v6 routes deployed to the computers in an automatic fashion if this is possible (I am using DHCP on v4).

      JKnott

        @mcfly9:

        Yes, VPN is on pfSense. Routing tables in pfsense and router are set up to use the shortest routes. My question is how the routes can be influenced on the end-user computers.

        It doesn't matter what you draw.  If the only way off your LAN is through pfSense, then it can only advertise itself.  If it announced another route, local devices would have no way to reach it.  This situation can only be resolved by configuring the routing in pfSense.  Then your LAN clients will send traffic to pfSense.  PfSense will then in turn forward appropriately.

        The only reason for advertising a different route would be if there's another router on the LAN that could be used.  Even then, that router would be expected to advertise itself.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          mcfly9

          @JKnott:

          The only reason for advertising a different route would be if there's another router on the LAN that could be used. Even then, that router would be expected to advertise itself.

          If you read my post carefully and have a short peek at the diagram, you will see that this is exactly my case. pfSense is NOT my default router to the Internet.

            mcfly9

            Here it is in an even clearer picture.

            
            ===================== LAN1 ==================
                I                  I                 I
                I                  I                 I
            computers           pfSense            router --+----------------------------> IPv4 Internet
                                   I                        +------ tunnelbroker.net ----> IPv6 Internet
                                   I                                                            
                                   I OpenVpn site-to-site                                  
                                   I                                                            
                                   I                                                            
            computers           pfSense            router --+------ tunnelbroker.net ----> IPv6 Internet
                I                  I                 I      +----------------------------> IPv4 Internet
                I                  I                 I
            ===================== LAN2 ==================
            
            
              JKnott

              OK, so you have 2 routers on the LAN.  Does the other router not also provide RAs?  If you have that situation, then you should set one to have a higher priority than the other.  In pfSense, that is done on the Router Advertisement page.

              Why do you have 2 routers?  You're making things difficult.  You could manually add routes to the devices on the LAN.  But RAs are not intended to do what you want.  They only advertise themselves.  If you had multiple routers, you could use a routing protocol, such as RIP or OSPF, to advertise routes to other routers, but individual computers generally don't support that.  What is the other router?  Does it support VPNs?  Why not put it in bridge mode?

              From http://www.networksorcery.com/enp/protocol/icmp/msg9.htm

              Each router periodically multicasts a Router Advertisement from each of its multicast interfaces, announcing the IP address(es) of that interface.

              As you can see, an RA can only advertise the router it's from.

              Perhaps you should rethink what you're trying to do.

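Added example, not code from the thread or from pfSense: the "priority" JKnott refers to is the 2-bit Default Router Preference (Prf) that RFC 4191 added to the RA flags byte, and a host with two RA-sending routers on the same link picks its default router from those bits and from the Router Lifetime. The script below builds ICMPv6 Router Advertisements with a correct checksum, parses them back, and applies that selection to the two-router LAN from the thread. The link-local addresses fe80::1 (pfSense) and fe80::2 (ISP router), the prefix 2001:db8:1::/64, and the lifetimes are all constructed for the example; nothing is sent on the wire.

```python
"""Build, checksum and parse ICMPv6 Router Advertisements, then pick a default
router the way an RFC 4191-aware host does.  Constructed example: addresses,
prefix and lifetimes are made up and nothing is transmitted."""
from __future__ import annotations

import ipaddress
import struct

ICMPV6_RA = 134
OPT_PREFIX_INFO = 3
# RFC 4191 Default Router Preference encoding (2-bit signed field in the RA flags byte)
PRF_HIGH, PRF_MEDIUM, PRF_RESERVED, PRF_LOW = 0b01, 0b00, 0b10, 0b11
PRF_NAME = {PRF_HIGH: "high", PRF_MEDIUM: "medium", PRF_LOW: "low"}
ALL_NODES = "ff02::1"   # RAs are multicast to all nodes on the link


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header (src, dst, length, next header 58) + message."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), 58))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def prefix_option(prefix: str, valid: int = 2592000, preferred: int = 604800) -> bytes:
    """RFC 4861 Prefix Information Option: type 3, length 4 (32 octets), L and A flags set."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                       valid, preferred, 0) + net.network_address.packed


def build_ra(src: str, *, prf: int, router_lifetime: int, options: bytes = b"",
             hop_limit: int = 64) -> bytes:
    """RA header: type, code, checksum, hop limit, flags (M|O|H|Prf|reserved), router
    lifetime, reachable time, retrans timer, then options.  Prf sits in bits 4..3."""
    flags = (prf & 0b11) << 3
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags, router_lifetime, 0, 0) + options
    csum = icmpv6_checksum(src, ALL_NODES, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def parse_ra(src: str, data: bytes) -> dict:
    """Validate checksum, decode Prf and lifetime, collect advertised prefixes."""
    typ, code, csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    zeroed = data[:2] + b"\x00\x00" + data[4:]      # recompute with the checksum field cleared
    if icmpv6_checksum(src, ALL_NODES, zeroed) != csum:
        raise ValueError("bad ICMPv6 checksum")
    prf = (flags >> 3) & 0b11
    if prf == PRF_RESERVED or lifetime == 0:
        prf = PRF_MEDIUM   # RFC 4191: reserved value is treated as medium; Prf is ignored when lifetime is 0
    prefixes = []
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: such a packet must be discarded
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = data[off + 2]
            addr = ipaddress.IPv6Address(data[off + 16:off + 32])
            prefixes.append(f"{addr}/{plen}")
        off += olen * 8
    return {"router": src, "prf": PRF_NAME[prf], "lifetime": lifetime, "prefixes": prefixes}


def select_default_router(ras: list[tuple[str, bytes]]) -> str | None:
    """Highest-preference router with a non-zero Router Lifetime; ties keep the first seen.
    Lifetime 0 means 'not a default router', which is also how a spoofed RA evicts one."""
    rank = {"high": 2, "medium": 1, "low": 0}
    best = None
    for src, data in ras:
        ra = parse_ra(src, data)
        if ra["lifetime"] == 0:
            continue
        if best is None or rank[ra["prf"]] > rank[best["prf"]]:
            best = ra
    return best["router"] if best else None


def thread_scenario() -> dict:
    """The two-router LAN from the thread: pfSense (fe80::1, made up) advertising with
    high preference, the ISP router (fe80::2, made up) with the default medium."""
    lan_prefix = prefix_option("2001:db8:1::/64")   # documentation prefix, constructed
    pfsense = build_ra("fe80::1", prf=PRF_HIGH, router_lifetime=1800, options=lan_prefix)
    isp = build_ra("fe80::2", prf=PRF_MEDIUM, router_lifetime=1800, options=lan_prefix)
    pfsense_off = build_ra("fe80::1", prf=PRF_HIGH, router_lifetime=0)  # RA withdrawn / turned off
    return {
        "both": select_default_router([("fe80::2", isp), ("fe80::1", pfsense)]),
        "pfsense_withdrawn": select_default_router([("fe80::2", isp), ("fe80::1", pfsense_off)]),
        "isp_only": select_default_router([("fe80::2", isp)]),
    }


if __name__ == "__main__":
    for name, chosen in thread_scenario().items():
        print(f"{name}: default router = {chosen}")
```

With both routers advertising and pfSense set to high priority, the host's default router is fe80::1; when pfSense stops advertising (or advertises a lifetime of 0, the "RA off" case from the first post), it falls back to the ISP router. The same lifetime-0 rule is what an attacker on the link abuses to evict a legitimate default router with a forged RA, which is why RA Guard on the switch ports is part of any two-router LAN design.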
                mcfly9

                @JKnott:

                Why do you have 2 routers?  You're making things difficult.  You could manually add routes to the devices on the LAN.  But RAs are not intended to do what you want.  They only advertise themselves.  If you had multiple routers, you could use a routing protocol, such as RIP or OSPF to advertise routes to other routers, but individual computers generally don't support that.  What is the other router?  Does it support VPNs?  Why not put it in bridge mode.

                Thanks, this answers my original question.

                The other router is a dumb ISP router. On a longer run I will migrate all routing to pfSense and eliminate the two routers. This will make the current issue obsolete.

                  JKnott

                  Can you put those ISP routers into bridge mode?  That's all you need to do; then let pfSense handle routing etc.

                    mcfly9

                    Yup, that's exactly what I am trying on a third site.

                      Derelict LAYER 8 Netgate

                      Yet another "let's just put another router on the LAN" design.

                      Don't do that.

                      Create a transit network between your edge routers and the pfSense nodes.

                      Then the edge routers will have static routes to pfSense for the addresses on the other side of the VPN and will know what to do with the traffic without hairpinning in and out of the same interface.

                      
                      ===================== LAN1 ==================
                          I                                    I
                          I                                    I
                      computers                            router –+----------------------------> IPv4 Internet
                                               pfSense-----/        +------ tunnelbroker.net ----> IPv6 Internet
                                                  I                                                       
                                                  I OpenVpn s2s                                  
                                                  I                                                       
                                               pfSense-----\                                                       
                      computers                            router --+------ tunnelbroker.net ----> IPv6 Internet
                          I                                    I    +----------------------------> IPv4 Internet
                          I                                    I
                      ===================== LAN2 ==================
                      
                      

                      ETA oh. Dumb ISP routers. OK. I'll leave that there anyway…

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        mcfly9

                        Thanks everyone for your answers!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.