[solved] RA Subnets
-
You wouldn't track the interface for ULA, as you manually assign it on the Router Advertisement page. When you track an interface, the prefix is provided by the ISP and they'd have nothing to do with your ULA, though they might have them on the WAN interface.
You have to ensure you actually have a ULA address on the interface. If you have that, then try pinging another ULA on the same subnet. Once you have that, then you can try routing between subnets.
-
@jknott I have none, I have a GUA.
So it is a bug.
-
Have you specified a ULA prefix (starts with fc or fd), with a /64 subnet size on the Router Advertisements page? If so, the prefix should be included in the RAs. This is why I asked you to do a packet capture, to ensure the RA includes the ULA prefix. If that's there, then any IPv6 capable device on the network should get a ULA address, in addition to GUA. And no, it's not a bug. I have no problem getting ULA addresses on my networks.
Just run Packet Capture for a few minutes, filtering on ICMP6 and post here, so I can read it.
-
@jknott Please, you obviously not reading my posts and not looking at the screenshots provided. Sure, I resist doing something I don't know much about, but I also already gave a good reason for not doing it, because it is already wrong in pfSense, I don't need to capture traffic for that in the first place.
-
2.5.1 didn't fixed it.
-
@bob-dig I only see that you entered it in the RA settings. What about pfSense itself? Where is the ULA for that interface set up? Screens please. Seems more that you are simply doing it wrong :)
-
@jegr Hey Jens, that is why I am asking.
But to be honest, where else to put it? Like I said, interface is on track for the GUA, so... -
@bob-dig said in [Bug] RA Subnets:
But to be honest, where else to put it? Like I said, interface is on track for the GUA, so...
You are throwing things together that have nothing to do with each other. Yes, putting it in RA seems fine. So you're handing out ULAs to clients. Yay. But without you handing one to pfsense itself, how are you thinking that it should receive packets from those IP6s? Magically? ;)
How about simply giving pfSense an appropriate ULA IP6 via an IP ALIAS as you want it to serve two different prefixes? How else do you think the interface will get an IP6 from that ULA if you don't configure it there yourself? ;)
Also your firewall rules will not work in "normal" ways anymore as "<lan> network" alias won't magically include the second prefix on that interface, only the one configured via Interface setup. So watch your rules, too!
Don't forget to upvote ๐ those who kindly offered their time and brainpower to help you!
If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
-
@jegr I am trying this right now, never used an IP alias before. lets see if I succeed.
-
@jegr Instantly works, thanks Jens!
-
@jegr said in [Bug] RA Subnets:
How about simply giving pfSense an appropriate ULA IP6 via an IP ALIAS as you want it to serve two different prefixes?
My complaint is the alias doesn't show up anywhere other than with the ifconfig command.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@jknott said in [solved] RA Subnets:
My complaint is the alias doesn't show up anywhere other than with the ifconfig command.
That is true, now I can see this myself.
-
@jknott said in [solved] RA Subnets:
My complaint is the alias doesn't show up anywhere other than with the ifconfig command.
Perhaps I'm tired but I can't follow :) Care to elaborate?
Don't forget to upvote ๐ those who kindly offered their time and brainpower to help you!
If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.
-
@jegr said in [solved] RA Subnets:
Also your firewall rules will not work in "normal" ways anymore as "<lan> network" alias won't magically include the second prefix on that interface, only the one configured via Interface setup. So watch your rules, too!
Interestingly it worked anyway. I pinged the "lan" interface from the "voip" interface without a problem.
PS C:\Windows\system32> ping fd28:faaf:f468:1:192:168:1:1 Pinging fd28:faaf:f468:1:192:168:1:1 with 32 bytes of data: Reply from fd28:faaf:f468:1:192:168:1:1: time<1ms Reply from fd28:faaf:f468:1:192:168:1:1: time<1ms Reply from fd28:faaf:f468:1:192:168:1:1: time<1ms Reply from fd28:faaf:f468:1:192:168:1:1: time<1ms Ping statistics for fd28:faaf:f468:1:192:168:1:1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
"voip" was the interface in question all the time. Will have to try from another interface to "voip".
-
@bob-dig said in [solved] RA Subnets:
Will have to try from another interface to "voip".
Even this is working without any modifications @JeGr
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), -
So I think pfSense knows what "lan_voip net" is because of ifconfig:
hn4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 description: lan_voip options=48071b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,TSO4,TSO6,LRO,LINKSTATE,TXCSUM_IPV6> ether 00:15:5d:82:4e:3c inet6 fe80::215:5dff:fe82:4e3c%hn4 prefixlen 64 scopeid 0xa inet6 fe80::1:1%hn4 prefixlen 64 scopeid 0xa inet6 fd28:faaf:f468:98:192:168:98:1 prefixlen 64 inet6 2003:da:a711:44f0:215:5dff:fe82:4e3c prefixlen 64 inet 192.168.98.1 netmask 0xffffff00 broadcast 192.168.98.255 media: Ethernet autoselect (10Gbase-T <full-duplex>) status: active nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL> -
@jegr said in [solved] RA Subnets:
@jknott said in [solved] RA Subnets:
My complaint is the alias doesn't show up anywhere other than with the ifconfig command.
Perhaps I'm tired but I can't follow :) Care to elaborate?
Create an IP alias and see where it's listed. You won't see it in the web config. You have to go to a command prompt and run ifconfig to see that it's actually configured.
-
Some closing thoughts, I think with IPv6 it is normal to have more than one address per interface, so it would be better to have this option right in the interface-tab. Lets say I am giving input in IPv6 Configuration Type it should instantly allow for another IPv6 and so on.
Also what makes IPs virtual in the first place, some trickery? Again, shouldn't be needed for more IPv6-addresses. -
I agree it should be easier to find. As for the name alias, that was even the case with IPv4, before there was IPv6. I assume it's because you have more than one address an interface can use, which is not typical. Also, with IPv6, you have not just mulitple addresses, you have multiple prefixes. Even if you don't have an alias, with SLAAC you can have up to 8 addresses, then there's link local too. By the time you've added a 2nd prefix, you're up to 17 addresses on a single interface.
