Multiple IPv6 capable connections
-
Hi!
I am trying to do some kind of load balancing for IPv6 traffic in a LAN, where I have several WAN dual stack connections.
As described here in other posts, the static link local value fe80::1:1 seems to be a current problem for some configuations.
(1) IPv4 multi WAN on the same pfSense box works out of the box, but there can be only a single IPv6 LAN, i.e. the second NIC cannot hand off its net to local devices and the LAN adapter doesn't even configure itself for IPv6.
(2) Using two separate pfSense boxes allows to independently configure the LAN adapters, but the common fe80::1:1 does not select the right physical gates for some connections such that some packets are routinely send into the wrong direction.
(3) Using two separate pfSense boxes, where one box uses SLAAC and the other one a static IPv6 address from the pool of the first box, results in successful pings and reachability, but that doesn't seem to allow any routing. Probably because routers must be advertised, if I understood other comments correctly.
What can I do?
As far a I am concerned, I'd like to hear that sooner or later the link local addresses would we unique, such that "poor man's" load balancing would work out of the box, :).
-
Are those multiple WAN connections from the same provider? Or do you have your own prefix independent of your ISP? If not, it's difficult to do proper load balancing. About all you could do is have some clients connect to one WAN and others connect to other WANs and that can get messy. As you mentioned, that link local address issue will be a problem. As discussed in another thread, that's a fault with pfSense or perhaps FreeBSD.
-
@JKnott said in Multiple IPv6 capable connections:
Are those multiple WAN connections from the same provider?
Yes, they are.
Or do you have your own prefix independent of your ISP?
No, I am using the prefixes supplied by the ISP as requested by the IPv4 setup.
About all you could do is have...
Well, that's what I am currently doing, but with 4 ISP connections that's a pain in the neck.
Maybe I should check whether a plain FreeBSD box allows setting the link local address manually.
-
I believe this to be an implementation issue in pfSense.
I did a little checking and opnsense (also based on FreeBSD/HardenedBSD) appears to use SLAAC addresses on the interfaces so they are each unique.
Also according to their forum they are supposed to have MultiWan ipv6 on their release planned for July.
I haven't tried to actually use opnsense, so I can't verify for myself that it actually works.
I will go ahead and open a bug on the hard coded link local address. I have resisted before, since I don't have a multiple WAN situation and can't test it.
-
I created Bug #10586. Will see when they have time to address it. It could be that there are "reasons" why they did it this way.
-
There's a reason they'd violate the RFC??? Duplicate Address Detection is mandatory with IPv6.
-
@IsaacFL said in Multiple IPv6 capable connections:
I did a little checking and opnsense ...
My routers are virtualized anyway, so I might test the current opensense version over the weekend without too much hassle.
-
I'm running 2.4.5 and don't see DAD with it.
-
@JKnott
I've setup the latest OPNsense 20.1 version, but haven't looked at IPv6 yet. Might take some time. My pfSense boxes are all 2.4.5 and there is obviously no DAD. -
If you look at /etc/inc/interfaces.inc
You will see the following:
function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = false) { global $config, $g; if (!is_array($wancfg)) { return; } if (!isset($wancfg['enable'])) { return; } /* If the interface is not configured via another, exit */ if (empty($wancfg['track6-interface'])) { return; } /* always configure a link-local of fe80::1:1 on the track6 interfaces */ $realif = get_real_interface($interface); $linklocal = find_interface_ipv6_ll($realif, true); if (!empty($linklocal) && $linklocal != "fe80::1:1%{$realif}") { mwexec("/sbin/ifconfig {$realif} inet6 {$linklocal} delete"); } /* XXX: This might break for good on a carp installation using link-local as network ips */ /* XXX: Probably should remove? */ mwexec("/sbin/ifconfig {$realif} inet6 fe80::1:1%{$realif}");
Maybe you could manually change the address to fe80::1:2 on one box in this file and see if it sticks?
I couldn't find it anywhere else.
-
Still, DAD is mandatory on IPv6. Why is pfSense not doing it?
Here's what RFC 4862 says:
Duplicate Address Detection MUST be performed on all unicast
addresses prior to assigning them to an interface, regardless of
whether they are obtained through stateless autoconfiguration,
DHCPv6, or manual configuration, with the following exceptions:The update RFC 7527 says there are a couple of exceptions, but those wouldn't apply here.
Perhaps one option for this situation would be to allow another address to be set.
-
@IsaacFL said in Multiple IPv6 capable connections:
/etc/inc/interfaces.inc
It looks as if fe80::1:1 gets statically enforced. So changing the 2nd box might work to see whether there are other problems. The OPNsense code is different here, but I haven't read all relevant interface files so far.