Netgate Discussion Forum
    Unique Local Addresses?

Category: IPv6 | 71 Posts, 6 Posters, 22.5k Views
JKnott:

> @Napsterbater:
>
> > I get 2 router advertisements, one on the main LAN and 1 on the VLAN. I don't think I ever said I had 2 gateways.
>
> Same thing really, you shouldn't be getting 2 different RAs. It should be 1 RA from 1 pfSense interface per VLAN.
>
> Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?
>
> It does indeed sound like there are 2 pfSense interfaces on 1 VLAN/broadcast domain.

I'm not sure who is misunderstanding here. There is only one, 1, count 'em, one physical interface on the LAN. On that interface is the main LAN with global addresses and ULA. There is also VLAN 3 on that NIC with only ULA. Also, there is another interface connected to a Cisco router or used for testing. It has only ULA. All interfaces, including the VLAN, have NAT IPv4 addresses, which continue to work fine.

When I put an IPv6 alias for the ULA on the main LAN, things work fine. I can route between ULA and global addresses. But when I reboot, the router stops working with IPv6 to the Internet. When I get some time, I'll investigate further where the failure is, i.e. routing to the WAN, DNS, etc.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

JKnott:

> @Derelict:
>
> Are you using an unmanaged switch for the untagged and tagged networks in this case?

        Yes, and I see both, using Wireshark.  This is on my main desktop computer, running Linux.  As I mentioned above, the problem occurs after applying the alias and rebooting.  Having the VLAN, without the alias continues to work properly. Please note, there is no change made to the computer when I see the problem.  It has the main LAN and VLAN configured, as it has had for months.  It also gets the appropriate addresses for the global addresses, ULA and VLAN ULA.  As I said, that's been that way for months.  The alias is on the pfSense router.


Derelict (Netgate):

          So are the frames tagged properly or not?

          How about you post a pcap.

          You post cockamamie layer 2 recommendations then post about strange layer 2 issues. Onus is on you.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

JKnott:

> You post cockamamie layer 2 recommendations then post about strange layer 2 issues. Onus is on you.

            I'll do some more testing when I get time.  Meanwhile, I have a question for you.  You have a computer, as I do here, that you want to participate in the native LAN and also 1 or more VLANs.  Now with a managed switch, that would mean a trunk port (I'm ignoring the special situation on Cisco switches for VoIP phones) which provides native LAN and whatever VLANs are allowed on the switch.  Please explain what the difference would be, between that trunk port and an unmanaged switch.  What difference would the computer see?


JKnott:

OK, I've done some testing. I've attached 3 pcap files: before the alias is added, after the alias is added but before reboot, and after reboot. There are 3 local interfaces on the pfSense router:
              Native LAN with global address and ULA fd48:1a37:2160:0::1
              VLAN 3 with ULA fd48:1a37:2160:3::1
              Test network on a separate NIC with ULA fd48:1a37:2160:4::1
              All interfaces have NAT IPv4 addresses.  IPv4 works fine.

              Desktop computer, running Linux has native LAN with global address and ULA and VLAN 3 with ULA
              The ULA is always advertised and addresses appear for both native LAN and VLAN 3
              Prior to enabling the alias fd48:1a37:2160:0::1 on the native LAN, internet access works fine, but I cannot ping a ULA address on a computer connected to the test network
              After enabling the alias, internet still works fine and I can ping the test network computer, using the IPv6 address
              After rebooting, I can still ping the computer connected to the test network, but no longer access the Internet with IPv6.  DNS also fails.
              When I ping ipv6.google.com, using the IPv6 address 2607:f8b0:400b:808::200e I can see the packets going out on VLAN 3, with an appropriate IPv6 address for the VLAN.  Of course, this will not work over the Internet.

              Through all the above, DNS lookup and IPv6 access to the Internet continue to work on the pfSense firewall.

              Bottom line, for some reason, after the alias is enabled, the Linux computer decides it has to use VLAN 3 to reach the Internet.  Deleting the alias and rebooting pfSense restores Internet access to the Linux computer.  I expect DNS fails due to IPv6 being used to access it.

              The files were captured on the Linux computer with Wireshark.

              [RA without alias.pcap](/public/imported_attachments/1/RA without alias.pcap)
              [RA with alias before reboot.pcap](/public/imported_attachments/1/RA with alias before reboot.pcap)
              [RA with alias after reboot.pcap](/public/imported_attachments/1/RA with alias after reboot.pcap)


Derelict (Netgate):

                What network is the linux computer supposed to be on?


JKnott:

                  It's on the native LAN and VLAN 3.  As mentioned above, the native LAN has both global and ULA addresses.  VLAN 3 is ULA only.


kpa:

What's the point of connecting the client to two different segments like that? You could easily have any number of different IPv6 prefixes on the main LAN, some of them globally routable, some of them ULA. IPv6 is designed with that in mind.

JKnott:

> @kpa:
>
> What's the point of connecting the client to two different segments like that? You could easily have any number of different IPv6 prefixes on the main LAN, some of them globally routable, some of them ULA. IPv6 is designed with that in mind.

Experimenting. I like to try different things. But the question remains: why does adding an alias on the native LAN cause the Linux computer to start using the VLAN ULA for its source on traffic for the Internet?

                      BTW, I have a /56 prefix from my ISP and use the 0 /64 on the native LAN, 4 on the other NIC and ff on the OpenVPN VPN, so I know all about lots of prefixes.  I started experimenting with ULAs a while ago, as I read that IoT gear should be using them for security reasons.


johnpoz (Global Moderator):

> "as I read that IoT gear should be using them for security reasons."

In what scenario does your IoT device even need to use IPv6 to talk to local stuff, but not be allowed global? Are you running an IPv6-only network? Why go through all the extra hassle when you could just block the IoT from going outbound at the firewall, no matter what IP it has, v4 or v6, public or RFC 1918, etc.

                        ULA would make sense if you only had a /64 to play with and you have multiple segments.. And you want these segments to talk ipv6 to each other.

Clearly this is not the case, since you state you have a /56 to work with.

> "the native LAN has both global and ULA addresses"

This comes down to running multiple layer 3 on the same layer 2, plain and simple. Never a good idea!! If you're going to dual-stack IPv4 and IPv6, which are completely different protocols, then OK... But running either multiple v4 or v6 layer 3 on the same layer 2 is bad juju! And yeah, it's going to cause you grief and pain.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

JKnott:

                          As I've mentioned a few times, I like to experiment, to learn.  I said quite a while back, there's no IoT here.  I just decided to try ULA after reading an article about IoT.  Regardless, I don't understand why a computer should start sending Internet traffic out a VLAN with only ULA on it, after an alias is placed on the pfSense native LAN interface.  Everything works fine after enabling that alias, until I reboot.  Also, the first time I noticed the problem was the next morning after enabling the alias and I no longer had access to the Internet.  So, it appears it doesn't even need a reboot, if left sitting long enough.

So, the situation is this: at the moment I have Internet access. If I put the alias on that interface, everything will initially work as expected. But if I then reboot pfSense, my Linux computer will then try to access the Internet via VLAN 3, using a ULA. Why is that happening? Nothing has changed on the computer. I have even set the RAs on VLAN 3 to have low priority.


Derelict (Netgate):

                            If you look at the different packet captures you posted earlier, you will notice the RAs in a different order.

                            I have not had time to try to duplicate it, but it seems about equally likely that Linux is doing the wrong thing there as pfSense.

                            Or, as John said earlier, you are just asking for trouble and receiving it.


johnpoz (Global Moderator):

> "I like to experiment, to learn"

So do I. But you're playing with shit that makes no sense... In what real-world scenario would this sort of setup happen? Please give a real-world use case that doesn't have an easier to manage, implement and clearer design, and I will be all over trying to duplicate it and make it work.

But so far it's just nonsense - sorry! I cannot see a valid use case for doing such a thing. Just because you can doesn't mean you should ;)

You have created a multihomed setup. How the OS determines which IP to use has multiple variables... In Windows there is the interface metric. There is a setting for whether a specific IP should be used as source, etc. I am not as familiar with how Linux does it, but I have real-world experience with this sort of borked-up configuration and mess with Windows, and had to fix it. And these were even on different interfaces, different binding orders, etc. But Windows likes to use the wrong IP for itself, etc.

                              Multihoming is asking for grief, multiple layer3 on the same interface - asking for trouble.. Especially when you setup a gateway for that interface so it can get to other networks, etc.


JKnott:

Linux also uses metrics, as does everything that supports routing. IPv6 also has a priority for RAs, which allows for fallback routers, etc. What I have to find out is what is causing the computer to choose the VLAN when sending to the Internet. Routing also uses longest match when selecting the route. There's no way that a route starting with fd can be a longest match for a global address. Again, this initially works, until I reboot pfSense. I'll have to do some more testing when I have time.

                                Also, as for multihomed, every router is, otherwise they wouldn't work.  Linux is often used as a router and, in fact, I used it as my firewall/router for about 15 years or so, before I switched to pfSense, about 1.5 years ago.  Linux is also often used in commercial gear.  In fact, there were some Cisco models that ran Linux, along with many other makes.  It seems the 'net runs largely on Linux or BSD.


JKnott:

I've just been going through the Wireshark captures, with alias, both before and after reboot. I have noticed there are differences in the RAs that may be causing the problem. The differences appear in frames 2 & 4, which are for the native LAN. For example, the first ICMPv6 Option (Prefix information...) has my global address prefix before reboot, but the ULA prefix after reboot. Also, the Recursive DNS Servers change from the global to the ULA prefix. So, the question becomes: why is pfSense sending the wrong info after reboot?

                                  Perhaps someone else can try this.  I have global and ULA addresses on the native network and ULA only on a VLAN.  My computer is running OpenSUSE 42.3 and has both native LAN and VLAN 3 configured.  PfSense is configured the same.  Perhaps someone can try with Windows too.  I don't have a Windows system capable of supporting VLANs.

                                  Here is frame 4, before reboot:

                                  No.    Time              Source                Destination          Protocol Length Info
                                        4 20:59:52.493110    fe80::1:1            ff02::1              ICMPv6  262    Router Advertisement from 00:16:17:a7:f2:d3

                                  Frame 4: 262 bytes on wire (2096 bits), 262 bytes captured (2096 bits)
                                  Ethernet II, Src: Msi_a7:f2:d3 (00:16:17:a7:f2:d3), Dst: IPv6mcast_01 (33:33:00:00:00:01)
                                  Internet Protocol Version 6, Src: fe80::1:1, Dst: ff02::1
                                  Internet Control Message Protocol v6
                                      Type: Router Advertisement (134)
                                      Code: 0
                                      Checksum: 0x950c [correct]
                                      [Checksum Status: Good]
                                      Cur hop limit: 64
                                      Flags: 0xc8
                                      Router lifetime (s): 60
                                      Reachable time (ms): 0
                                      Retrans timer (ms): 0
                                      ICMPv6 Option (Prefix information : 2607:fea8:abcd:ef00::/64)
                                      ICMPv6 Option (Prefix information : 2607:fea8:abcd:ef00::/64)
                                      ICMPv6 Option (Prefix information : fd48:1a37:2160::/64)
                                      ICMPv6 Option (Route Information : Medium ::/0)
                                      ICMPv6 Option (Recursive DNS Server 2607:fea8:abcd:ef00:216:17ff:fea7:f2d3)
                                      ICMPv6 Option (DNS Search List Option jknott.net jknott.net)
                                      ICMPv6 Option (MTU : 1500)
                                      ICMPv6 Option (Source link-layer address : 00:16:17:a7:f2:d3)

                                  And after reboot:

                                  No.    Time              Source                Destination          Protocol Length Info
                                        4 21:09:52.818342    fe80::1:1            ff02::1              ICMPv6  262    Router Advertisement from 00:16:17:a7:f2:d3

                                  Frame 4: 262 bytes on wire (2096 bits), 262 bytes captured (2096 bits)
                                  Ethernet II, Src: Msi_a7:f2:d3 (00:16:17:a7:f2:d3), Dst: IPv6mcast_01 (33:33:00:00:00:01)
                                  Internet Protocol Version 6, Src: fe80::1:1, Dst: ff02::1
                                  Internet Control Message Protocol v6
                                      Type: Router Advertisement (134)
                                      Code: 0
                                      Checksum: 0xeffc [correct]
                                      [Checksum Status: Good]
                                      Cur hop limit: 64
                                      Flags: 0xc8
                                      Router lifetime (s): 60
                                      Reachable time (ms): 0
                                      Retrans timer (ms): 0
                                      ICMPv6 Option (Prefix information : fd48:1a37:2160::/64)
                                      ICMPv6 Option (Prefix information : 2607:fea8:abcd:ef00::/64)
                                      ICMPv6 Option (Prefix information : fd48:1a37:2160::/64)
                                      ICMPv6 Option (Route Information : Medium ::/0)
                                      ICMPv6 Option (Recursive DNS Server fd48:1a37:2160::1)
                                      ICMPv6 Option (DNS Search List Option jknott.net jknott.net)
                                      ICMPv6 Option (MTU : 1500)
                                      ICMPv6 Option (Source link-layer address : 00:16:17:a7:f2:d3)

                                  Differences are in bold.


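Editor's added example, not code from the thread, from pfSense or from radvd: a small Router Advertisement option parser (RFC 4861 header, Prefix Information, RFC 4191 Route Information, RFC 8106 RDNSS, MTU, source link-layer address) plus a diff helper, so two captured RAs can be compared option by option instead of by eye. The two sample RAs are constructed in the block to mirror the frame 4 dumps above (flags 0xc8, router lifetime 60, the same prefix order and RDNSS change); the lifetimes inside the options are assumed values since the dumps do not show them. The parser takes the ICMPv6 payload only (Ethernet and IPv6 headers already stripped) and does not verify the checksum.

```python
"""Minimal ICMPv6 Router Advertisement parser (RFC 4861, 4191, 8106).
Added example for this thread, not pfSense or radvd code. Works on the
ICMPv6 payload only and does not verify the checksum; the two sample RAs
at the bottom are constructed to mirror the thread's frame 4 dumps."""
import ipaddress
import struct

# ND option type numbers (IANA ICMPv6 "Option Formats" registry)
OPT_SLLA, OPT_PREFIX, OPT_MTU, OPT_ROUTE_INFO, OPT_RDNSS = 1, 3, 5, 24, 25
PREF = {0: "medium", 1: "high", 3: "low"}   # RFC 4191 2-bit preference; 2 is reserved


def parse_ra(payload: bytes) -> dict:
    """Decode the RA header and walk its TLV options in wire order."""
    if len(payload) < 16 or payload[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_pref": PREF.get((flags >> 3) & 3, "reserved"),
          "router_lifetime": lifetime, "options": []}
    off = 16
    while off < len(payload):
        if off + 2 > len(payload):
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1] * 8
        # RFC 4861 4.6: a zero length is invalid and the packet must be discarded
        if olen == 0 or off + olen > len(payload):
            raise ValueError(f"bad option length at offset {off}")
        ra["options"].append(_decode(otype, payload[off + 2:off + olen]))
        off += olen
    return ra


def _decode(otype: int, body: bytes) -> tuple:
    """Return (kind, value, extra) for the option kinds that matter here."""
    if otype == OPT_PREFIX:                        # RFC 4861 4.6.2
        plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
        prefix = ipaddress.IPv6Address(body[14:30])
        return ("prefix", f"{prefix}/{plen}",
                {"L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                 "valid": valid, "preferred": preferred})
    if otype == OPT_ROUTE_INFO:                    # RFC 4191 2.3; prefix field is 0, 8 or 16 bytes
        plen, rflags, lifetime = struct.unpack("!BBI", body[:6])
        prefix = ipaddress.IPv6Address(body[6:] + bytes(16 - len(body[6:])))
        return ("route", f"{prefix}/{plen}",
                {"pref": PREF.get((rflags >> 3) & 3, "reserved"), "lifetime": lifetime})
    if otype == OPT_RDNSS:                         # RFC 8106 5.1
        lifetime = struct.unpack("!I", body[2:6])[0]
        addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
        return ("rdnss", addrs, {"lifetime": lifetime})
    if otype == OPT_MTU:
        return ("mtu", struct.unpack("!I", body[2:6])[0], {})
    if otype == OPT_SLLA:
        return ("slla", body[:6].hex(":"), {})
    return ("unknown", otype, {})


def diff_ra(before: dict, after: dict) -> dict:
    """Option kinds whose values or order differ: {kind: (before_seq, after_seq)}."""
    def seq(ra, kind):
        return [o[1] for o in ra["options"] if o[0] == kind]
    kinds = {o[0] for o in before["options"] + after["options"]}
    return {k: (seq(before, k), seq(after, k)) for k in kinds if seq(before, k) != seq(after, k)}


# --- builders used only to construct the sample RAs --------------------------
def build_ra(flags: int, lifetime: int, options: list) -> bytes:
    return struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, lifetime, 0, 0) + b"".join(options)

def opt_prefix(prefix: str, valid=86400, preferred=14400) -> bytes:
    net = ipaddress.IPv6Network(prefix)
    return (struct.pack("!BBBBIII", OPT_PREFIX, 4, net.prefixlen, 0xC0, valid, preferred, 0)
            + net.network_address.packed)

def opt_rdnss(*addrs: str, lifetime=120) -> bytes:
    return struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(addrs), 0, lifetime) + b"".join(
        ipaddress.IPv6Address(a).packed for a in addrs)

def opt_route_default(pref_bits=0, lifetime=1800) -> bytes:
    return struct.pack("!BBBBI", OPT_ROUTE_INFO, 1, 0, pref_bits << 3, lifetime)  # ::/0: no prefix bytes

# Constructed samples: flags 0xc8 (M, O, Prf=high) and lifetime 60 as in the captures;
# option lifetimes are assumed because the dumps above do not show them.
BEFORE = build_ra(0xC8, 60, [opt_prefix("2607:fea8:abcd:ef00::/64"), opt_prefix("2607:fea8:abcd:ef00::/64"),
                             opt_prefix("fd48:1a37:2160::/64"), opt_route_default(),
                             opt_rdnss("2607:fea8:abcd:ef00:216:17ff:fea7:f2d3")])
AFTER = build_ra(0xC8, 60, [opt_prefix("fd48:1a37:2160::/64"), opt_prefix("2607:fea8:abcd:ef00::/64"),
                            opt_prefix("fd48:1a37:2160::/64"), opt_route_default(),
                            opt_rdnss("fd48:1a37:2160::1")])

if __name__ == "__main__":
    for kind, (b, a) in diff_ra(parse_ra(BEFORE), parse_ra(AFTER)).items():
        print(f"{kind}: before={b} after={a}")
```

Run against the two samples, diff_ra reports only the prefix option order and the RDNSS address as changed, which is exactly the delta named above; the route, MTU and flags are identical. To use it on the real captures, export frame 4 as raw bytes from Wireshark and feed parse_ra the ICMPv6 layer (offset 54 of the Ethernet frame when there are no extension headers).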
JKnott:

                                    One other thing I've noticed is that the default route entries get reversed:

                                    Before reboot:

                                    $ ip -6 route
                                    2607:fea8:abcd:ef00::/64 dev eth0  proto kernel  metric 256  expires 86385sec pref medium
                                    fd48:1a37:2160::/64 dev eth0  proto kernel  metric 256  expires 86385sec pref medium
                                    fd48:1a37:2160:3::/64 dev vlan3  proto kernel  metric 256  expires 86391sec pref medium
                                    fe80::/64 dev eth0  proto kernel  metric 256  pref medium
                                    fe80::/64 dev vlan3  proto kernel  metric 256  pref medium
                                    default via fe80::1:1 dev eth0  proto ra  metric 1024  expires 45sec hoplimit 64 pref medium
                                    default via fe80::216:17ff:fea7:f2d3 dev vlan3  proto ra  metric 1024  expires 51sec hoplimit 64 pref medium

                                    After:

                                    $ ip -6 route
                                    2607:fea8:abcd:ef00::/64 dev eth0  proto kernel  metric 256  expires 86387sec pref medium
                                    fd48:1a37:2160::/64 dev eth0  proto kernel  metric 256  expires 86387sec pref medium
                                    fd48:1a37:2160:3::/64 dev vlan3  proto kernel  metric 256  expires 86387sec pref medium
                                    fe80::/64 dev eth0  proto kernel  metric 256  pref medium
                                    fe80::/64 dev vlan3  proto kernel  metric 256  pref medium
                                    default via fe80::216:17ff:fea7:f2d3 dev vlan3  proto ra  metric 1024  expires 47sec hoplimit 64 pref medium
                                    default via fe80::1:1 dev eth0  proto ra  metric 1024  expires 47sec hoplimit 64 pref medium


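Editor's added example, not kernel code and not anything posted in the thread, for the two questions raised above: how longest match and the source address relate, and why a host can end up sending Internet traffic from the VLAN 3 ULA. Longest-prefix match on the destination picks the route and therefore the outgoing interface; the source address is then chosen separately by RFC 6724, whose rule 5 (prefer the outgoing interface) is evaluated before rule 6 (prefer a matching label, where global addresses carry label 1 and fc00::/7 carries label 13). The block implements rules 1, 2, 3, 5, 6 and 8 with the kernel's keep-the-best-score style, over a constructed host with the thread's prefixes (eth0: global plus ULA, vlan3: ULA only). The outgoing interface is an input; the example deliberately does not model how the kernel chooses between the two equal-metric default routes shown in the `ip -6 route` output.

```python
"""RFC 6724 source address selection, reduced to the rules that decide this
thread's case (1, 2, 3, 5, 6 and 8), scored the way the Linux kernel does it:
each rule keeps the candidates with the best score, the next rule breaks ties.
Added example, not kernel code; the host addresses below are constructed from
the prefixes in the thread, and the outgoing interface is taken as an input."""
import ipaddress
from dataclasses import dataclass

LINK, GLOBAL = 2, 14          # RFC 4007 scope values; ULA (fc00::/7) is global scope

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in (
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4), ("2002::/16", 30, 2),
    ("2001::/32", 5, 5), ("fc00::/7", 3, 13), ("::/96", 1, 3), ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12))]


@dataclass(frozen=True)
class Candidate:
    addr: ipaddress.IPv6Address
    iface: str
    deprecated: bool = False


def label(a) -> int:
    """Label of the longest matching policy-table entry."""
    a = ipaddress.IPv6Address(a)
    return max((n.prefixlen, lab) for n, _, lab in POLICY if a in n)[1]


def scope(a) -> int:
    return LINK if ipaddress.IPv6Address(a).is_link_local else GLOBAL


def common_prefix_len(a, b) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dst, candidates, oif: str):
    """Return (winning Candidate, names of the rules that eliminated someone)."""
    dst = ipaddress.IPv6Address(dst)
    rules = [
        ("1 prefer same address", lambda c: c.addr == dst),
        # scope >= destination scope is acceptable (smaller is better); scope below it is bad
        ("2 prefer appropriate scope",
         lambda c: -scope(c.addr) if scope(c.addr) >= scope(dst) else scope(c.addr) - 128),
        ("3 avoid deprecated", lambda c: not c.deprecated),
        ("5 prefer outgoing interface", lambda c: c.iface == oif),
        ("6 prefer matching label", lambda c: label(c.addr) == label(dst)),
        ("8 longest matching prefix", lambda c: common_prefix_len(c.addr, dst)),
    ]
    remaining, trace = list(candidates), []
    for name, score in rules:
        best = max(score(c) for c in remaining)
        kept = [c for c in remaining if score(c) == best]
        if len(kept) < len(remaining):
            trace.append(name)
        remaining = kept
        if len(remaining) == 1:
            break
    return remaining[0], trace


# Constructed host: native LAN (eth0) with a global address and a ULA, VLAN 3 with a ULA only
HOST = [
    Candidate(ipaddress.IPv6Address("2607:fea8:abcd:ef00::1234"), "eth0"),
    Candidate(ipaddress.IPv6Address("fd48:1a37:2160::1234"), "eth0"),
    Candidate(ipaddress.IPv6Address("fe80::1234"), "eth0"),
    Candidate(ipaddress.IPv6Address("fd48:1a37:2160:3::1234"), "vlan3"),
    Candidate(ipaddress.IPv6Address("fe80::5678"), "vlan3"),
]

if __name__ == "__main__":
    google = "2607:f8b0:400b:808::200e"        # ipv6.google.com address from the thread
    for oif in ("eth0", "vlan3"):
        src, trace = select_source(google, HOST, oif)
        print(f"default route via {oif}: source {src.addr} on {src.iface}, decided by {trace}")
```

With the default route out eth0 the global address wins at rule 6; with the default route out vlan3, rule 5 has already discarded every eth0 address before the label rule runs, so the only survivor is the VLAN 3 ULA, and the packet leaves with a source that is not routable on the Internet. Linux by default considers addresses on every interface as candidates (the net.ipv6.conf.*.use_oif_addrs_only sysctl narrows that), which is why the trace shows eth0's addresses being eliminated rather than never considered. The practical consequence is that address labels (`ip addrlabel`) cannot rescue this case; whichever default route the host selects decides the outcome.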
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.