Help me with IPv6 SLAAC on Android
-
@jknott
I don't think I have multiple GUA prefix on each LAN interface
If you see my above picture
LAN: 2604:3d08:6b80:ff00:4262:31ff:fe02:ad6f
VLAN10: 2604:3d08:6b80:ff01:4262:31ff:fe02:ad6f
VLAN20: 2604:3d08:6b80:ff02:4262:31ff:fe02:ad6f
VLAN30: 2604:3d08:6b80:ff03:4262:31ff:fe02:ad6f
so obviously my ISP gave me prefix 2604:3d08:6b80::/56 and pfsense were able to give me a 2604:3d08:6b80:ff00-03::/64 on each LAN interface
The reason might be as what others pointed out, flooded RA message on LAN and VLAN
Thanks for your help anyway -
@pixielark said in Help me with IPv6 SLAAC on Android:
I am not 100% seperating my vlan and that might explain the reason
Any chance you have a cheap TP-Link switch? That's a known "feature" with them.
-
@derelict said in Help me with IPv6 SLAAC on Android:
I'd say @grimson is correct and the android device is seeing RAs from all VLANs instead of just one. Is this a managed switch with VLANs properly defined?
@jknott said in Help me with IPv6 SLAAC on Android:
Any chance you have a cheap TP-Link switch? That's a known "feature" with them.
I do have a TP-link switch but I won't call it a cheap one, model number T1500G-10MPS (fully L2 managed I believe) and it cost almost same as a ubiquiti managed switch (price wise at least
)I got this switch because I am using some TP-Link EAP access point so just got the switch at the same time
but it might be just me being stupid
(looking back to my JIRA board at work)so here is my WIFI setup, I have 4 SSID and 4 AP at home
8 port TP-Link switch
port 1 connect to my pfsense, port 5-8 to each APtest-LAN(SSID) without any wirelss VLAN ID
test-vlan10(SSID) with wireless VLAN ID 10
test-vlan20(SSID) with wireless VLAN ID 20
test-vlan30(SSID) with wireless VLAN ID 30on my TP-Link switch
I have 4 vlan
VLAN ID 1 System-VLAN with port 1-8 untagged
VLAN ID 10 VLAN10 with port 1-8 tagged
VLAN ID 20 VLAN20 with port 1-8 tagged
VLAN ID 30 VLAN30 with port 1-8 taggedbut it seems like the System-VLAN leaks RA message to all VLAN10-30 therefore when device connect to test-vlan10-30 if will receive RA from System-VLAN and get a IPv6 address from ff00 on top of the interface it belongs to
and System-VLAN will receive RA message from all VLAN10-30 so I am getting IPv6 from all prefix ID (ff00-ff03)
is this some "feature" of the TP-Link switch? or I was using my switch wrong with misconfiged VLAN?
Thanks a lot for eveyones help
-
That looks OK. I would say that TP-Link switch leaks IPv6 multicast/ICMP6 across VLANs when it shouldn't.
One more reason to simply discard TP-Link from the list of considered manufacturers.
-
@derelict said in Help me with IPv6 SLAAC on Android:
That looks OK. I would say that TP-Link switch leaks IPv6 multicast/ICMP6 across VLANs when it shouldn't.
One more reason to simply discard TP-Link from the list of considered manufacturers.
I am looking at tp-link official docs about how to setup vlan https://www.tp-link.com/us/faq-788.html
will report back after I do more digging
thanks a lot -
It could also be the APs doing it.
-
I know @JKnott had problems with tplink AP that they sucked at vlans just like their cheap switches.
-
@derelict said in Help me with IPv6 SLAAC on Android:
It could also be the APs doing it.
So I have it fixed, as what you mentioned, I cannot figure out what's wrong with my switch config, so I looked at my AP config, remember my default SSID test-LAN does not have vlan tag enabled, but after I read tp-link switch doc my understanding is that the switch always operate under vlan1 (I don't even think it supports untagged operation at all base on their document), so it makes no sense for AP to operate at untagged (or vlan disabled as what they called), and I think their solution to deal with this is to pollute all vlan so you will receive package on your AP regardless of you AP is set to be untagged but switch is operating at vlan1
I put my test-lan SSID onto vlan1 and boom
, no more pollution, everything is working as expected now, I only receive the IPv6 address based on the interface(vlan) I am connecting to now@johnpoz said in Help me with IPv6 SLAAC on Android:
I know @JKnott had problems with tplink AP that they sucked at vlans just like their cheap switches.
I'd recommand him to put his AP onto vlan1 and try it again, but I agree whatever tp-link implemented does not make sense at all
but for the price I won't complain too much, hope they will improve their software or my wifi6 upgrade will be full ubiquiti in the future
-
ok, so after a few tries, it seems my main lan (vlan1) is not getting pollution anymore, but RA still leaks to vlan10-30, so I am still seeing unnecessary IP at all of my vlan, time to file a bug tp tp-link i guess
-
@pixielark said in Help me with IPv6 SLAAC on Android:
time to file a bug tp tp-link i guess
Good luck with that - if you read the history of the complaints of their sg105e and 108e switches took them forever to even admit they were doing anything wrong.. There is a post on their forums where they say it was like that by design to not remove vlan 1 from all ports.. They just don't get it!
They finally released a fix for v3+ of their hardware but 1 and 2 got left hanging...
I wouldn't recommend buying their switches or AP no matter how cheap they are.. Unless you want is dumb device with no vlan support.
-
@pixielark said in Help me with IPv6 SLAAC on Android:
but it seems like the System-VLAN leaks RA message to all VLAN10-30 therefore when device connect to test-vlan10-30 if will receive RA from System-VLAN and get a IPv6 address from ff00 on top of the interface it belongs to
That sounds just like the problem I had with my TP-Link access point. It made having a guest WiFi impossible.
-
This is the first I've heard of Shaw supporting IPv6.
What type of service do you have?
What type of modem do you have?
Is your pfSense connected through a bridged port?
-
@bimmerdriver said in Help me with IPv6 SLAAC on Android:
This is the first I've heard of Shaw supporting IPv6.
What type of service do you have?
What type of modem do you have?
Is your pfSense connected through a bridged port?
Shaw started to offer IPv6 service about a year ago.
You have to be on their current 300M or 600M service (residential, not sure about business)
You have to get their XB6 modem (No, the Hirtron one with 300M service will NOT work, if you request a XB6 Shaw will force you to renew your contract to be on their "new" billing system in order to be qualified, so it is your choise to pay "extra" if you definitely want IPv6)
There are currently 2 XB6 modems Shaw offer, Arris TG3482 and Technicolor CGM4141, I would personally recommand you to get the Technicolor one (using Broadcom processor), the Arris one uses Intel Puma chip which has famous hardware defact, although both will work just for getting IPv6.
You can put your XB6 into bridge mode by going into the settings page and everything should work afterwards, connect your pfsense to your XB6 and request a /56 prefix from Shaw (defalt /64 because of all the garbage modem on the market), and you can workout the others after that -
@jknott said in Help me with IPv6 SLAAC on Android:
@pixielark said in Help me with IPv6 SLAAC on Android:
but it seems like the System-VLAN leaks RA message to all VLAN10-30 therefore when device connect to test-vlan10-30 if will receive RA from System-VLAN and get a IPv6 address from ff00 on top of the interface it belongs to
That sounds just like the problem I had with my TP-Link access point. It made having a guest WiFi impossible.
Yeah, I guess if we only need ipv4 everything would work just fine
-
You only do need IPv4 - name 1 actual resource you need to get to that requires IPv6 ;)
But multicast is multicast - you have other stuff that would be bleeding over.. Just wouldn't be such an obvious problem.
-
@pixielark said in Help me with IPv6 SLAAC on Android:
@bimmerdriver said in Help me with IPv6 SLAAC on Android:
This is the first I've heard of Shaw supporting IPv6.
What type of service do you have?
What type of modem do you have?
Is your pfSense connected through a bridged port?
Shaw started to offer IPv6 service about a year ago.
You have to be on their current 300M or 600M service (residential, not sure about business)
You have to get their XB6 modem (No, the Hirtron one with 300M service will NOT work, if you request a XB6 Shaw will force you to renew your contract to be on their "new" billing system in order to be qualified, so it is your choise to pay "extra" if you definitely want IPv6)
There are currently 2 XB6 modems Shaw offer, Arris TG3482 and Technicolor CGM4141, I would personally recommand you to get the Technicolor one (using Broadcom processor), the Arris one uses Intel Puma chip which has famous hardware defact, although both will work just for getting IPv6.
You can put your XB6 into bridge mode by going into the settings page and everything should work afterwards, connect your pfsense to your XB6 and request a /56 prefix from Shaw (defalt /64 because of all the garbage modem on the market), and you can workout the others after thatThanks for the info. My question was more out of curiosity, because I was not aware that Shaw is offering IPv6. I'm on Telus and I don't have to pay extra for IPv6 or a modem that I can bridge to use my own pfSense router, so I don't plan to switch to Shaw. (I left Shaw years ago because I wasn't happy with their service.)
-
@bimmerdriver If I can get Telus fibre I would ditch Shaw in a heartbeat, our city is very stubborn with some regulations so Telus does not deploy fibre in my city
-
@pixielark said in Help me with IPv6 SLAAC on Android:
You have to get their XB6 modem (No, the Hirtron one with 300M service will NOT work, if you request a XB6 Shaw will force you to renew your contract to be on their "new" billing system in order to be qualified, so it is your choise to pay "extra" if you definitely want IPv6)
I'm on Rogers. I had to get a new modem to use IPv6. When I did that, I wound up with a cheaper package, with pretty much the same bandwidth and cap.
Based on what I've heard of Shaw, that money grab is not surprising.
-
Ok, so the final update, I have everything fixed now (at least till now)
So the final trick is to set my switch to tag port 5-8 which connect to my 4 APs
apparently the tp-link APs will receice packages on it's selected wirelss VLAN + anything that's untagged (without vlan header)
after change my switch to tag vlan1 on port 5-8 it ensures all the vlan1 tag won't be removed when outbound the port, which fixes the RA flood issue.
Thanks everyone for the help
