Multiple IPv6 capable connections
-
Are those multiple WAN connections from the same provider? Or do you have your own prefix independent of your ISP? If not, it's difficult to do proper load balancing. About all you could do is have some clients connect to one WAN and others connect to other WANs and that can get messy. As you mentioned, that link local address issue will be a problem. As discussed in another thread, that's a fault with pfSense or perhaps FreeBSD.
-
@JKnott said in Multiple IPv6 capable connections:
Are those multiple WAN connections from the same provider?
Yes, they are.
Or do you have your own prefix independent of your ISP?
No, I am using the prefixes supplied by the ISP as requested by the IPv4 setup.
About all you could do is have...
Well, that's what I am currently doing, but with 4 ISP connections that's a pain in the neck.
Maybe I should check whether a plain FreeBSD box allows setting the link local address manually.
-
I believe this to be an implementation issue in pfSense.
I did a little checking and OPNsense (also based on FreeBSD/HardenedBSD) appears to use SLAAC addresses on the interfaces so they are each unique.
Also according to their forum they are supposed to have multi-WAN IPv6 in their release planned for July.
I haven't tried to actually use OPNsense, so I can't verify for myself that it actually works.
I will go ahead and open a bug on the hard coded link local address. I have resisted before, since I don't have a multiple WAN situation and can't test it.
-
I created Bug #10586. Will see when they have time to address it. It could be that there are "reasons" why they did it this way.
-
There's a reason they'd violate the RFC??? Duplicate Address Detection is mandatory with IPv6.
-
@IsaacFL said in Multiple IPv6 capable connections:
I did a little checking and opnsense ...
My routers are virtualized anyway, so I might test the current OPNsense version over the weekend without too much hassle.
-
I'm running 2.4.5 and don't see DAD with it.
-
@JKnott
I've set up the latest OPNsense 20.1 version, but haven't looked at IPv6 yet. Might take some time. My pfSense boxes are all 2.4.5 and there is obviously no DAD.
-
If you look at /etc/inc/interfaces.inc
You will see the following:
    function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = false) {
        global $config, $g;

        if (!is_array($wancfg)) {
            return;
        }

        if (!isset($wancfg['enable'])) {
            return;
        }

        /* If the interface is not configured via another, exit */
        if (empty($wancfg['track6-interface'])) {
            return;
        }

        /* always configure a link-local of fe80::1:1 on the track6 interfaces */
        $realif = get_real_interface($interface);
        $linklocal = find_interface_ipv6_ll($realif, true);
        if (!empty($linklocal) && $linklocal != "fe80::1:1%{$realif}") {
            mwexec("/sbin/ifconfig {$realif} inet6 {$linklocal} delete");
        }
        /* XXX: This might break for good on a carp installation using link-local as network ips */
        /* XXX: Probably should remove? */
        mwexec("/sbin/ifconfig {$realif} inet6 fe80::1:1%{$realif}");
Maybe you could manually change the address to fe80::1:2 on one box in this file and see if it sticks?
I couldn't find it anywhere else.
-
Still, DAD is mandatory on IPv6. Why is pfSense not doing it?
Here's what RFC 4862 says:
Duplicate Address Detection MUST be performed on all unicast
addresses prior to assigning them to an interface, regardless of
whether they are obtained through stateless autoconfiguration,
DHCPv6, or manual configuration, with the following exceptions:
The update RFC 7527 says there are a couple of exceptions, but those wouldn't apply here.
Perhaps one option for this situation would be to allow another address to be set.
-
@IsaacFL said in Multiple IPv6 capable connections:
/etc/inc/interfaces.inc
It looks as if fe80::1:1 gets statically enforced. So changing the 2nd box might work to see whether there are other problems. The OPNsense code is different here, but I haven't read all relevant interface files so far.
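-
An added example, not part of the thread and not pfSense or OPNsense code: a small audit that takes FreeBSD-style `ifconfig` output collected from each router and reports link-local addresses configured on more than one host, plus any address carrying a `tentative` or `duplicated` DAD flag. It assumes all listed interfaces sit on the same layer-2 segment; the host names, interface names and 2001:db8 addresses in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: ifconfig output from two routers whose LAN ports share
# one segment. Host names, interface names and 2001:db8 prefixes are assumptions.
SAMPLE = {
    "router-a": "em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
                "\tinet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2\n"
                "\tinet6 2001:db8:a:1::1 prefixlen 64\n",
    "router-b": "em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
                "\tinet6 fe80::1:1%em1 prefixlen 64 scopeid 0x2\n"
                "\tinet6 2001:db8:b:1::1 prefixlen 64\n",
}

# Matches link-local lines only, e.g. "inet6 fe80::1:1%em1 prefixlen 64 ..."
INET6_LL = re.compile(r"^\s+inet6 (fe80:[0-9a-f:]*)%(\S+)(.*)$", re.IGNORECASE)


def link_locals(ifconfig_text):
    """Yield (interface, address, dad_state) for each link-local address."""
    for line in ifconfig_text.splitlines():
        match = INET6_LL.match(line)
        if not match:
            continue
        addr, iface, rest = match.groups()
        words = rest.split()
        # ifconfig prints these keywords when DAD is pending or has failed.
        state = next((w for w in ("duplicated", "tentative") if w in words), "ok")
        yield iface, addr.lower(), state


def audit(outputs):
    """Return (collisions, flagged) for a {host: ifconfig_text} mapping."""
    seen = defaultdict(list)
    flagged = []
    for host, text in outputs.items():
        for iface, addr, state in link_locals(text):
            seen[addr].append((host, iface))
            if state != "ok":
                flagged.append((host, iface, addr, state))
    # A collision is the same link-local address configured on different hosts.
    collisions = {a: w for a, w in seen.items() if len({h for h, _ in w}) > 1}
    return collisions, flagged


if __name__ == "__main__":
    collisions, flagged = audit(SAMPLE)
    for addr, where in collisions.items():
        print(f"{addr} is configured on: {where}")
    for host, iface, addr, state in flagged:
        print(f"{host} {iface}: {addr} is {state}")
```

Comparing the configured addresses across hosts catches the collision even when no interface reports a `duplicated` flag.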