IPv6 IP Alias prevents Track Interface from working with DHCPv6 and RA

Derelict

@chewie198 I believe the "quick fix" is to have a checkbox somewhere that says "ignore ULA" and, somewhere in the code (ianap) honor that as the addresses on each interface are looped through.

A more-perfect solution is likely much more complicated.

chewie198

@Derelict I agree, solving this thoroughly is not easy at all. If it were, it likely would have been done already. Right now, these sections of code have been written with the assumption that there will only be one primary IP address per interface, and with IPv6, that is no longer the case. That means we now have to maintain a list of all the addresses on a given interface and modify the UI to reflect a separate list of settings for each one, or at the very least, to allow for choosing a primary. That's not a trivial amount of work.

I like your quick fix idea though because that would almost certainly be less code to write and test and it should cover a basic use case for a large percentage of end-user configurations. Then we could choose whether to allocate DHCP addresses under the GUA or ULA ranges per user preference. Given @JKnott's reply, maybe we're already in the clear regarding RA's. I don't recall seeing this behavior the last time I assigned a VIP, but I can retest if we're getting conflicting reports.

chewie198

I've updated the thread title to better reflect the current discussion.

IsaacFL

@chewie198 Was there ever a bug opened in Redmine for this?

chewie198

@IsaacFL Yes, https://redmine.pfsense.org/issues/5999 was opened several years ago but the development work is still pending. @jimp mentioned that the fix was difficult and that they would be willing to accept a pull request to fix the issue, but i haven't seen much interest from other developers or users in trying to resolve this - at least not on this particular thread or within the issue comments. If you're seriously interested in resolving this then I would suggest either starting a bounty or, if you're a developer, teaming up to tackle this, preferably with some feedback from Netgate as they would be the ones approving the pull requests.

IsaacFL

@chewie198 Thanks, I was just wanting to see what had happened since I do not use ULA myself.

I had through some of my own testing found that what is happening, is that during the boot process the radvd.conf is being incorrectly configured whenever a ipv6 VIP is present.

Looking at the Issue 5999, not sure I would have any additional information since interest doesn't seem to be there.

dg6464

I've got the exact same issue as this, but it's described perfectly in this thread, not mine.

Hoping that this bug gets some priority.

@JKnott and I have been bantering back and fourth on my thread, which was originally about Apple TV's taking too much NDP space, which has evolved into a thrilling tale of IPv6 ULA's and WAN track interfaces.

Anyway... I've got to delete the ULA IPv6 VIP every time I pull the WAN interface, push it up/down, or reboot the box, because the VIP takes over.

I think the answer would be some sort of interface priority on the LAN for which address is primary (GUA or ULA) or something, but I am also not a programmer. It just seems like pfSense doesn't appropriately deal with multiple addresses correctly on IPv6.

I also get some funky activity with some clients not pinging to other clients correctly, which is likely due to the client stacks (Mac, Windows, pihole, DNScrypt, etc). Windows seems to ALWAYS work for pings, regardless what I do (Mac not so much). But it's likely again due to priority in which interface (GUA or ULA) is sending the ICMP packets, or possibly which it get's first or something.

Anyway - if any diagnostics are required from my end or anything let me know... happy to help, but can't really contribute much more not being a programmer. Just wanted to add that it would be great to see the IPv6 multiple-addresses side of things ramped up in pfSense. Once it's adopted more and more I am sure all of the OS stacks will catch up.

Hoping maybe the Netgate folks get to it in a future release... properly getting track interface to work with multiple IP addresses on a LAN interface including GUA and ULA. Definitely some funky routing and "which interface gets priority or sends the traffic and can route" going on... both on the pfSense side (which they can control), as well as the various client OS's (Windows, Mac, Linux, etc). All of them do it differently. Windows machines here always seem to ping everything just fine... Mac's not so much.

If anyone finds a fix / workaround (possibly a script to pull and add the ULA VIP after 5-10 seconds whenever the WAN goes up/down)... let me know and I'd be happy to test it.

Best Regards,

dg6464

JKnott

@dg6464

Take a look at your router advertisements. Mine are further up. Also, I'm using SLAAC, not DHCPv6 on my LAN.

dg6464

@JKnott I'm using both with the drop down being "Assisted".

Not sure what you would like me to show for in my RA's... I have both my ULA and GUA prefix's listed there, what do you mean by yours are further up? Do you mean your ULA is on top of the RA's prefix lists?

DHCPv6 I just have on for devices that support it... as I dole out a domain name on that (I don't have a search list defined in the RA function for SLAAC).

Best Regards,

dg6464

chewie198

I can confirm that the latest pull request committed to the 2.5 development branch seems to resolve the problem that I was experiencing. Really appreciate the fix guys! Any chance we could get a dropdown to specify which prefix to use for the DHCPv6 server? In my network I use DHCPv6 to assign ULA addresses but the servers receive their global address via RA's. Beggars can't be choosers and all that, but I appreciate the feature addition either way

chewie198

It looks like I was premature in drawing my conclusion - the assigned prefix still appears to reset to the VIP range after a reboot of the firewall. @viktor_g and I have been relaying information in the Redmine ticket at https://redmine.pfsense.org/issues/5999, but it would be helpful to know whether anyone else is still experiencing this issue on the latest development snapshot. Anyone with a IPv6 PD subnet, or who has experienced this issue previously, willing to add a VIP and test this? All that is needed to reproduce, if you already have a PD subnet, is to add a ULA VIP to the interface and reboot the firewall.

JKnott

@chewie198

I'll give it a try when 2.5 comes out.

viktor_g

@chewie198 Could you check the PM, please?

dg6464

Apologies guys... I absolutely would, but moved service providers and no longer have native IPv6 capabilities with Bell like I did with Rogers. So I've fully disabled IPv6.

JKnott

@jknott

I just tried it and it's still necessary to specify the GUA prefix, when a ULA prefix is added. However, I'm using SLAAC, not DHCPv6 on my LAN.

chewie198

I've been running 2.5 since it came out and it does indeed seem like this has finally been resolved. @JKnott I had a similar issue occur immediately after upgrading the firewall, but after rebooting I haven't seen it happen again. Both my SLAAC and DHCPv6 devices have retained their GUA and ULA addresses for several weeks now, even after multiple firewall reboots.

JKnott

@chewie198

I just tried it again and it seems to be OK. Time will tell.

tnx

apearson

Works here as well