Windows Device gets multiple IPv6 gateways from RA

lufu83

Hello everyone,

my Windows 10 clients are getting IPv6 addresses from LAN and DMZ when Router Advertisement is set to unmanaged in pfsense, even tough they are only connected to LAN and do not have an Interface in DMZ. When RA is set to managed on Interface LAN and DMZ, the Windows client only gets one IPv6 Address from DHCPv6 but once again multiple default Gateways.
No matter what RA Mode i use, on the Client i always end up getting a IPv6 configuration with multiple default Gateways and in certain cases also multiple IP Addresses.

ipconfig (with RA Mode set to managed and DHCPv6 enabled on LAN and DMZ)

ipconfig (with RA Mode set to unmanaged and DHCPv6 disabled on LAN and DMZ)

The first IPv6 you see with containing :15c2:5d30: belongs to the DMZ and shouldn't be assigned to the NIC since it only has a connection to my LAN Network.
The second IPv6 is the right one.

DHCPv6 Server for LAN (DMZ has the same Settings except for the range which is ::30:1000 to ::30:2000)

route print (with RA Mode set to managed and DHCPv6 enabled on LAN and DMZ)

route print (with RA Mode set to unmanaged and DHCPv6 disabled on LAN and DMZ)

WAN Configuration:

LAN Configuration:

DMZ Configuration:

RA Configuration:

The fun part is that this problem only affects Windows clients.
I don't have any Problems with Linux clients in the same LAN.

route -A inet6

Does anyone know what is going wrong with my setup?

Thank you.

JKnott

Fire up Wireshark and watch icmp6. See what's in the RAs. It sounds like something is leaking somewhere.

lufu83

@jknott
i can see Router Advertisement pakets from both pfsense Nics.

I will check my Switch config to see if there is something bridging both networks

JKnott

@lufu83

Any chance you're running VLANs through a TP-Link switch or AP?

lufu83

@lufu83
for some strange reason i can see Router Advertisement pakets from all vlans in my Wireshark trace if the Port configuration on my Ubiquiti Switch is set to "All".
Changing the port profile to a specific value like "LAN" or "DMZ" does the trick.

lufu83

There is also a related Topic on the the Ubiquiti Forum for all those struggleing with the same Problem:
https://community.ui.com/questions/5-7-23-still-a-problem-with-VLANs-and-IPv6-RAs/6618f213-8b51-478a-832b-8e32463978bd

JKnott

@lufu83

I don't have a Ubiquiti switch, but when I configured my Cisco switch, I configured the pfsense and AP ports to pass the needed VLANs and the other ports just got the main LAN.

lufu83

@jknott
A Unifi Switch has its Ports set to the profile "All" by default.
In Cisco terms this would mean that every Port is set to Trunk Mode with native VLAN 1 and every other VLAN tagged

What helped was to set a specific Profile where only one VLAN is selected.
In other words, the port now is in Access Mode and has no tagged VLANs