Windows Device gets multiple IPv6 gateways from RA

lufu83 · Jan 30, 2021, 1:15 AM

Hello everyone,

my Windows 10 clients are getting IPv6 addresses from LAN and DMZ when Router Advertisement is set to unmanaged in pfsense, even tough they are only connected to LAN and do not have an Interface in DMZ. When RA is set to managed on Interface LAN and DMZ, the Windows client only gets one IPv6 Address from DHCPv6 but once again multiple default Gateways.
No matter what RA Mode i use, on the Client i always end up getting a IPv6 configuration with multiple default Gateways and in certain cases also multiple IP Addresses.

ipconfig (with RA Mode set to managed and DHCPv6 enabled on LAN and DMZ)
🔒 Log in to view
ipconfig (with RA Mode set to unmanaged and DHCPv6 disabled on LAN and DMZ)
🔒 Log in to view
The first IPv6 you see with containing :15c2:5d30: belongs to the DMZ and shouldn't be assigned to the NIC since it only has a connection to my LAN Network.
The second IPv6 is the right one.

DHCPv6 Server for LAN (DMZ has the same Settings except for the range which is ::30:1000 to ::30:2000)
🔒 Log in to view

route print (with RA Mode set to managed and DHCPv6 enabled on LAN and DMZ)
🔒 Log in to view

route print (with RA Mode set to unmanaged and DHCPv6 disabled on LAN and DMZ)
🔒 Log in to view

WAN Configuration:
🔒 Log in to view
🔒 Log in to view

LAN Configuration:
🔒 Log in to view

DMZ Configuration:
🔒 Log in to view

RA Configuration:
🔒 Log in to view
🔒 Log in to view

The fun part is that this problem only affects Windows clients.
I don't have any Problems with Linux clients in the same LAN.

route -A inet6
🔒 Log in to view

Does anyone know what is going wrong with my setup?

Thank you.

JKnott · Jan 30, 2021, 2:23 AM

Fire up Wireshark and watch icmp6. See what's in the RAs. It sounds like something is leaking somewhere.

lufu83 · Jan 30, 2021, 11:08 AM

@jknott
i can see Router Advertisement pakets from both pfsense Nics.
🔒 Log in to view
I will check my Switch config to see if there is something bridging both networks

JKnott · Jan 30, 2021, 11:29 AM

@lufu83

Any chance you're running VLANs through a TP-Link switch or AP?

lufu83 · Jan 30, 2021, 4:46 PM

@lufu83
for some strange reason i can see Router Advertisement pakets from all vlans in my Wireshark trace if the Port configuration on my Ubiquiti Switch is set to "All".
Changing the port profile to a specific value like "LAN" or "DMZ" does the trick.

lufu83 · Jan 30, 2021, 12:05 PM

There is also a related Topic on the the Ubiquiti Forum for all those struggleing with the same Problem:
https://community.ui.com/questions/5-7-23-still-a-problem-with-VLANs-and-IPv6-RAs/6618f213-8b51-478a-832b-8e32463978bd

JKnott · Jan 30, 2021, 4:46 PM

@lufu83

I don't have a Ubiquiti switch, but when I configured my Cisco switch, I configured the pfsense and AP ports to pass the needed VLANs and the other ports just got the main LAN.

lufu83 · Jan 31, 2021, 4:14 PM

@jknott
A Unifi Switch has its Ports set to the profile "All" by default.
In Cisco terms this would mean that every Port is set to Trunk Mode with native VLAN 1 and every other VLAN tagged

What helped was to set a specific Profile where only one VLAN is selected.
In other words, the port now is in Access Mode and has no tagged VLANs