Help me with IPv6 SLAAC on Android

pixielark

I am having some issue getting my Android device to work with my new pfsense setup over IPv6

I am using Shaw Cable from Canada, I believe Shaw provides a /56 prefix and it seems to be working for me on my Windows10, Apple device, but not Android
I understand Android only support SLAAC + RDNSS but my problem seem to be related to how I setup my pfsense

currrent pfsense setup

System/Advanced/Networking
Do not generate local IPv6 DNS entries for LAN interfaces checked

Interfaces/WAN (re1)
IPv6 Configuration Type: DHCP6
DHCP6 Client Configuration
DHCPv6 Prefix Delegation size 56
Send an IPv6 prefix hint to indicate the desired prefix size for delegation checked
dhcp6c will send a release to the ISP on exit, some ISPs then release the allocated address or prefix. This option prevents that signal ever being sent checked (Shaw seems having trouble to reassign /56 after release, so I enabled this option)

I have 3 vlan that I am just testing now (vlan10, vlan20 and vlan30)

all of lan + 3 vlan are using static ipv4 (192.168.1.1, 192.168.2.1, 192.168.3.1, 192.168.4.1)
all of lan + 3 vlan are using Track Interface for IPv6, with IPv6 Interface all set to Wan and IPv6 Prefix ID set to 0, 1, 2, 3

all of the security are wide open (just testing now)
wan rule

LAN rule (all the same for all vlan as well, basically allow anything)

this is what all my interfaces looks like after everything setup

all looks very good to me, until I start to check IPv6 status on my android phone (windows10, apple device all works without any issue)

basically when I look at my windows 10 (or any device), when I connect to LAN, I get ipv6 address from each prefix ID (is this even expected??)

as far as I understand for IPv4 you are only getting ip from your DHCP range, but IPV6 seems give me one IP and DNS for each prefix ID (ff00, ff01, ff02, ff03)

anyway, windows 10 and apple device have no issue with this, but Android is not happy about this
this is what my Android phone WIFI looks like when connect to VLAN20

you can see I get a IP and DNS from ff00 and ff02 (same behavior on windows10 and Mac)
but when I start to ping -6 google.com, I start to see VLAN20 firewall rule saying android is sending request by using ff00 IP (I decovered this by set firewall to deny anything and looking at the log. All of other device beside Android communicate using ff02 IP, which works and is the expected behavior) and it does not work! (obviously I guess)

I kept degging a bit more and discover that everytime, Android will first get an IP from ff02, and after about 3-5 seconds it will pickup another ip from ff00, before andoird pickup ff00, ipv6 works, after pickup ff00 android seems just use whatever it got last assigned and use that IP instead of the correct one it was assigned initially.

so here are my questions
is getting both ff00 and ff02 expected on my android phone?
if this is expected, why windows 10 and apple device have no issue but android is broken?
if not, what's wrong with my pfsense configuration?

Thanks for helping out a pfsens newbie

pixielark

just tried on my Linux box, seems the ping is not consistent, I have a feeling that there is something wrong with my pfsense setting. the ping go though sometime only

forgot to mention, all LAN+ vlan has dhcpv6 server disabled and RA set to Unmanaged with priority normal

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

forgot to mention, all LAN+ vlan has dhcpv6 server disabled and RA set to Unmanaged with priority normal

Mine's set to Assisted. I'm on Rogers.

pixielark

@jknott said in Help me with IPv6 SLAAC on Android:

@pixielark said in Help me with IPv6 SLAAC on Android:

forgot to mention, all LAN+ vlan has dhcpv6 server disabled and RA set to Unmanaged with priority normal

Mine's set to Assisted. I'm on Rogers.

Thanks jknott,

Do you have multiple vlan with tracked interface?

I tried your suggestion but it does not work for Android still.
Which is kinda expected since assisted means dhcp6 + slaac
I have dhcp6 disabled on all lan interfaces and android is slaac only anyway, assisted won’t do much

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

Which is kinda expected since assisted means dhcp6 + slaac

Read the help info. It means DHCP & SLAAC, provided the DHCP server is running.

pixielark

@jknott obviously I know the difference between assisted and unmanaged
I tried your setup before obviously and as what I mentioned, android is slaac only so you can turn on as many dhcp6 server as you want android simply won’t care

If you only have 1 tracked lan interface it will work because android slaac will only get ipv6 from one prefix id.
But in my case android will get ip from each prefix Id and it will try to use the last assigned one which is not the right one it’s supposed to use.

Linux box seems to be rotating between the ips so it only works intermediately
So I am curious if there is a way to let pfsense stop assigning ipv6 address not belongs to the current interface

Grimson

Seems more like your VLANS aren't seperated correctly, or you have configured the RAs wrong. We need a lot more details about your setup.

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

But in my case android will get ip from each prefix Id and it will try to use the last assigned one which is not the right one it’s supposed to use.

You're using multiple GUA prefixes on one LAN? You can certainly do that with GUA and ULA, but why multiple GUA? Normally, you'd assign different /64s to each interface. For example, my 00 prefix is my main LAN, 04, a test LAN and ff for OpenVPN.

Derelict

I'd say @grimson is correct and the android device is seeing RAs from all VLANs instead of just one. Is this a managed switch with VLANs properly defined?

pixielark

@grimson I think you might have a point, I am not 100% seperating my vlan and that might explain the reason i will explain in the later post, thanks a lot for pointing this out

pixielark

@jknott
I don't think I have multiple GUA prefix on each LAN interface
If you see my above picture
LAN: 2604:3d08:6b80:ff00:4262:31ff:fe02:ad6f
VLAN10: 2604:3d08:6b80:ff01:4262:31ff:fe02:ad6f
VLAN20: 2604:3d08:6b80:ff02:4262:31ff:fe02:ad6f
VLAN30: 2604:3d08:6b80:ff03:4262:31ff:fe02:ad6f
so obviously my ISP gave me prefix 2604:3d08:6b80::/56 and pfsense were able to give me a 2604:3d08:6b80:ff00-03::/64 on each LAN interface
The reason might be as what others pointed out, flooded RA message on LAN and VLAN
Thanks for your help anyway

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

I am not 100% seperating my vlan and that might explain the reason

Any chance you have a cheap TP-Link switch? That's a known "feature" with them.

pixielark

@derelict said in Help me with IPv6 SLAAC on Android:

I'd say @grimson is correct and the android device is seeing RAs from all VLANs instead of just one. Is this a managed switch with VLANs properly defined?

@jknott said in Help me with IPv6 SLAAC on Android:

Any chance you have a cheap TP-Link switch? That's a known "feature" with them.

I do have a TP-link switch but I won't call it a cheap one, model number T1500G-10MPS (fully L2 managed I believe) and it cost almost same as a ubiquiti managed switch (price wise at least )

I got this switch because I am using some TP-Link EAP access point so just got the switch at the same time

but it might be just me being stupid (looking back to my JIRA board at work)

so here is my WIFI setup, I have 4 SSID and 4 AP at home
8 port TP-Link switch
port 1 connect to my pfsense, port 5-8 to each AP

test-LAN(SSID) without any wirelss VLAN ID
test-vlan10(SSID) with wireless VLAN ID 10
test-vlan20(SSID) with wireless VLAN ID 20
test-vlan30(SSID) with wireless VLAN ID 30

on my TP-Link switch
I have 4 vlan
VLAN ID 1 System-VLAN with port 1-8 untagged
VLAN ID 10 VLAN10 with port 1-8 tagged
VLAN ID 20 VLAN20 with port 1-8 tagged
VLAN ID 30 VLAN30 with port 1-8 tagged

but it seems like the System-VLAN leaks RA message to all VLAN10-30 therefore when device connect to test-vlan10-30 if will receive RA from System-VLAN and get a IPv6 address from ff00 on top of the interface it belongs to

and System-VLAN will receive RA message from all VLAN10-30 so I am getting IPv6 from all prefix ID (ff00-ff03)

is this some "feature" of the TP-Link switch? or I was using my switch wrong with misconfiged VLAN?
Thanks a lot for eveyones help

Derelict

That looks OK. I would say that TP-Link switch leaks IPv6 multicast/ICMP6 across VLANs when it shouldn't.

One more reason to simply discard TP-Link from the list of considered manufacturers.

pixielark

@derelict said in Help me with IPv6 SLAAC on Android:

That looks OK. I would say that TP-Link switch leaks IPv6 multicast/ICMP6 across VLANs when it shouldn't.

One more reason to simply discard TP-Link from the list of considered manufacturers.

I am looking at tp-link official docs about how to setup vlan https://www.tp-link.com/us/faq-788.html
will report back after I do more digging
thanks a lot

Derelict

It could also be the APs doing it.

johnpoz

I know @JKnott had problems with tplink AP that they sucked at vlans just like their cheap switches.

pixielark

@derelict said in Help me with IPv6 SLAAC on Android:

It could also be the APs doing it.

So I have it fixed, as what you mentioned, I cannot figure out what's wrong with my switch config, so I looked at my AP config, remember my default SSID test-LAN does not have vlan tag enabled, but after I read tp-link switch doc my understanding is that the switch always operate under vlan1 (I don't even think it supports untagged operation at all base on their document), so it makes no sense for AP to operate at untagged (or vlan disabled as what they called), and I think their solution to deal with this is to pollute all vlan so you will receive package on your AP regardless of you AP is set to be untagged but switch is operating at vlan1
I put my test-lan SSID onto vlan1 and boom , no more pollution, everything is working as expected now, I only receive the IPv6 address based on the interface(vlan) I am connecting to now

@johnpoz said in Help me with IPv6 SLAAC on Android:

I know @JKnott had problems with tplink AP that they sucked at vlans just like their cheap switches.

I'd recommand him to put his AP onto vlan1 and try it again, but I agree whatever tp-link implemented does not make sense at all
but for the price I won't complain too much, hope they will improve their software or my wifi6 upgrade will be full ubiquiti in the future

pixielark

ok, so after a few tries, it seems my main lan (vlan1) is not getting pollution anymore, but RA still leaks to vlan10-30, so I am still seeing unnecessary IP at all of my vlan, time to file a bug tp tp-link i guess

johnpoz

@pixielark said in Help me with IPv6 SLAAC on Android:

time to file a bug tp tp-link i guess

Good luck with that - if you read the history of the complaints of their sg105e and 108e switches took them forever to even admit they were doing anything wrong.. There is a post on their forums where they say it was like that by design to not remove vlan 1 from all ports.. They just don't get it!

They finally released a fix for v3+ of their hardware but 1 and 2 got left hanging...

I wouldn't recommend buying their switches or AP no matter how cheap they are.. Unless you want is dumb device with no vlan support.