Help me with IPv6 SLAAC on Android

pixielark

just tried on my Linux box, seems the ping is not consistent, I have a feeling that there is something wrong with my pfsense setting. the ping go though sometime only

forgot to mention, all LAN+ vlan has dhcpv6 server disabled and RA set to Unmanaged with priority normal

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

forgot to mention, all LAN+ vlan has dhcpv6 server disabled and RA set to Unmanaged with priority normal

Mine's set to Assisted. I'm on Rogers.

pixielark

@jknott said in Help me with IPv6 SLAAC on Android:

@pixielark said in Help me with IPv6 SLAAC on Android:

forgot to mention, all LAN+ vlan has dhcpv6 server disabled and RA set to Unmanaged with priority normal

Mine's set to Assisted. I'm on Rogers.

Thanks jknott,

Do you have multiple vlan with tracked interface?

I tried your suggestion but it does not work for Android still.
Which is kinda expected since assisted means dhcp6 + slaac
I have dhcp6 disabled on all lan interfaces and android is slaac only anyway, assisted won’t do much

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

Which is kinda expected since assisted means dhcp6 + slaac

Read the help info. It means DHCP & SLAAC, provided the DHCP server is running.

pixielark

@jknott obviously I know the difference between assisted and unmanaged
I tried your setup before obviously and as what I mentioned, android is slaac only so you can turn on as many dhcp6 server as you want android simply won’t care

If you only have 1 tracked lan interface it will work because android slaac will only get ipv6 from one prefix id.
But in my case android will get ip from each prefix Id and it will try to use the last assigned one which is not the right one it’s supposed to use.

Linux box seems to be rotating between the ips so it only works intermediately
So I am curious if there is a way to let pfsense stop assigning ipv6 address not belongs to the current interface

Grimson

Seems more like your VLANS aren't seperated correctly, or you have configured the RAs wrong. We need a lot more details about your setup.

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

But in my case android will get ip from each prefix Id and it will try to use the last assigned one which is not the right one it’s supposed to use.

You're using multiple GUA prefixes on one LAN? You can certainly do that with GUA and ULA, but why multiple GUA? Normally, you'd assign different /64s to each interface. For example, my 00 prefix is my main LAN, 04, a test LAN and ff for OpenVPN.

Derelict

I'd say @grimson is correct and the android device is seeing RAs from all VLANs instead of just one. Is this a managed switch with VLANs properly defined?

pixielark

@grimson I think you might have a point, I am not 100% seperating my vlan and that might explain the reason i will explain in the later post, thanks a lot for pointing this out

pixielark

@jknott
I don't think I have multiple GUA prefix on each LAN interface
If you see my above picture
LAN: 2604:3d08:6b80:ff00:4262:31ff:fe02:ad6f
VLAN10: 2604:3d08:6b80:ff01:4262:31ff:fe02:ad6f
VLAN20: 2604:3d08:6b80:ff02:4262:31ff:fe02:ad6f
VLAN30: 2604:3d08:6b80:ff03:4262:31ff:fe02:ad6f
so obviously my ISP gave me prefix 2604:3d08:6b80::/56 and pfsense were able to give me a 2604:3d08:6b80:ff00-03::/64 on each LAN interface
The reason might be as what others pointed out, flooded RA message on LAN and VLAN
Thanks for your help anyway

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

I am not 100% seperating my vlan and that might explain the reason

Any chance you have a cheap TP-Link switch? That's a known "feature" with them.

pixielark

@derelict said in Help me with IPv6 SLAAC on Android:

I'd say @grimson is correct and the android device is seeing RAs from all VLANs instead of just one. Is this a managed switch with VLANs properly defined?

@jknott said in Help me with IPv6 SLAAC on Android:

Any chance you have a cheap TP-Link switch? That's a known "feature" with them.

I do have a TP-link switch but I won't call it a cheap one, model number T1500G-10MPS (fully L2 managed I believe) and it cost almost same as a ubiquiti managed switch (price wise at least )

I got this switch because I am using some TP-Link EAP access point so just got the switch at the same time

but it might be just me being stupid (looking back to my JIRA board at work)

so here is my WIFI setup, I have 4 SSID and 4 AP at home
8 port TP-Link switch
port 1 connect to my pfsense, port 5-8 to each AP

test-LAN(SSID) without any wirelss VLAN ID
test-vlan10(SSID) with wireless VLAN ID 10
test-vlan20(SSID) with wireless VLAN ID 20
test-vlan30(SSID) with wireless VLAN ID 30

on my TP-Link switch
I have 4 vlan
VLAN ID 1 System-VLAN with port 1-8 untagged
VLAN ID 10 VLAN10 with port 1-8 tagged
VLAN ID 20 VLAN20 with port 1-8 tagged
VLAN ID 30 VLAN30 with port 1-8 tagged

but it seems like the System-VLAN leaks RA message to all VLAN10-30 therefore when device connect to test-vlan10-30 if will receive RA from System-VLAN and get a IPv6 address from ff00 on top of the interface it belongs to

and System-VLAN will receive RA message from all VLAN10-30 so I am getting IPv6 from all prefix ID (ff00-ff03)

is this some "feature" of the TP-Link switch? or I was using my switch wrong with misconfiged VLAN?
Thanks a lot for eveyones help

Derelict

That looks OK. I would say that TP-Link switch leaks IPv6 multicast/ICMP6 across VLANs when it shouldn't.

One more reason to simply discard TP-Link from the list of considered manufacturers.

pixielark

@derelict said in Help me with IPv6 SLAAC on Android:

That looks OK. I would say that TP-Link switch leaks IPv6 multicast/ICMP6 across VLANs when it shouldn't.

One more reason to simply discard TP-Link from the list of considered manufacturers.

I am looking at tp-link official docs about how to setup vlan https://www.tp-link.com/us/faq-788.html
will report back after I do more digging
thanks a lot

Derelict

It could also be the APs doing it.

johnpoz

I know @JKnott had problems with tplink AP that they sucked at vlans just like their cheap switches.

pixielark

@derelict said in Help me with IPv6 SLAAC on Android:

It could also be the APs doing it.

So I have it fixed, as what you mentioned, I cannot figure out what's wrong with my switch config, so I looked at my AP config, remember my default SSID test-LAN does not have vlan tag enabled, but after I read tp-link switch doc my understanding is that the switch always operate under vlan1 (I don't even think it supports untagged operation at all base on their document), so it makes no sense for AP to operate at untagged (or vlan disabled as what they called), and I think their solution to deal with this is to pollute all vlan so you will receive package on your AP regardless of you AP is set to be untagged but switch is operating at vlan1
I put my test-lan SSID onto vlan1 and boom , no more pollution, everything is working as expected now, I only receive the IPv6 address based on the interface(vlan) I am connecting to now

@johnpoz said in Help me with IPv6 SLAAC on Android:

I know @JKnott had problems with tplink AP that they sucked at vlans just like their cheap switches.

I'd recommand him to put his AP onto vlan1 and try it again, but I agree whatever tp-link implemented does not make sense at all
but for the price I won't complain too much, hope they will improve their software or my wifi6 upgrade will be full ubiquiti in the future

pixielark

ok, so after a few tries, it seems my main lan (vlan1) is not getting pollution anymore, but RA still leaks to vlan10-30, so I am still seeing unnecessary IP at all of my vlan, time to file a bug tp tp-link i guess

johnpoz

@pixielark said in Help me with IPv6 SLAAC on Android:

time to file a bug tp tp-link i guess

Good luck with that - if you read the history of the complaints of their sg105e and 108e switches took them forever to even admit they were doing anything wrong.. There is a post on their forums where they say it was like that by design to not remove vlan 1 from all ports.. They just don't get it!

They finally released a fix for v3+ of their hardware but 1 and 2 got left hanging...

I wouldn't recommend buying their switches or AP no matter how cheap they are.. Unless you want is dumb device with no vlan support.

JKnott

@pixielark said in Help me with IPv6 SLAAC on Android:

but it seems like the System-VLAN leaks RA message to all VLAN10-30 therefore when device connect to test-vlan10-30 if will receive RA from System-VLAN and get a IPv6 address from ff00 on top of the interface it belongs to

That sounds just like the problem I had with my TP-Link access point. It made having a guest WiFi impossible.