Netgate Discussion Forum
    Help: DHCPv6 only works for directly connected clients

    DHCP and DNS
    5 Posts 2 Posters 858 Views
    • ChrisJenk

      I'm at my wits end with this so hoping someone here can suggest something...

      SG-3100 on latest software (21.05.1).

      LAN interface setup for IPv4 and IPv6. DHCPv6 (RA - managed) is configured on the LAN interface. Clients are macOS (11.5.2) and Linux (CentOS 8).

      Main LAN is provided by an L2/L3 managed switch which uplinks to one of the SG-3100 LAN ports. IPv4 and IPv6 functionality is all working fine for statically addressed clients and clients using DHCP.

      For DHCPv6 however, if I connect a client directly to one of the other SG-3100 LAN ports then it correctly gets assigned an IPv6 address (with the right prefix) of 2001:470:1f09:2df::d:e94a/80, DNS servers and router.

      For this case the DHCPv6 server logs show:

      Sep 1 13:14:06 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xE7094200
      Sep 1 13:14:06 dhcpd 94189 Advertise NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:14:06 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546

      Sep 1 13:14:07 dhcpd 94189 Request message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xE3F78800
      Sep 1 13:14:07 dhcpd 94189 Reply NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:14:07 dhcpd 94189 Reusing lease for: 2001:470:1f09:2df::d:e94a, age 290 secs < 25%, sending shortened lifetimes - preferred: 4210, valid 6910
      Sep 1 13:14:07 dhcpd 94189 Sending Reply to fe80::c60:1b78:efbe:89e7 port 546

      However, the same client connected to a port on the managed switch gets the correct router and DNS servers assigned but doesn't get a proper address/prefix assigned. Instead it ends up with just the ULA (fd33:...../64) (macOS) or just a link-local address (Linux).

      The DHCPv6 logs contain these entries for the failing case:

      Sep 1 13:03:44 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
      Sep 1 13:03:44 dhcpd 94189 Picking pool address 2001:470:1f09:2df::d:e94a
      Sep 1 13:03:44 dhcpd 94189 Advertise NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:03:44 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546

      Sep 1 13:03:45 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
      Sep 1 13:03:45 dhcpd 94189 Picking pool address 2001:470:1f09:2df::d:e94a
      Sep 1 13:03:45 dhcpd 94189 Advertise NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:03:45 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546

      Sep 1 13:03:47 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
      Sep 1 13:03:47 dhcpd 94189 Picking pool address 2001:470:1f09:2df::d:e94a
      Sep 1 13:03:47 dhcpd 94189 Advertise NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:03:47 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546

      Sep 1 13:03:51 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
      Sep 1 13:03:51 dhcpd 94189 Picking pool address 2001:470:1f09:2df::d:e94a
      Sep 1 13:03:51 dhcpd 94189 Advertise NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:03:51 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546

      Sep 1 13:03:58 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
      Sep 1 13:03:58 dhcpd 94189 Picking pool address 2001:470:1f09:2df::d:e94a
      Sep 1 13:03:58 dhcpd 94189 Advertise NA: address 2001:470:1f09:2df::d:e94a to client with duid 00:01:00:01:21:eb:81:8d:dc:a9:04:87:08:a5 iaid = 1 valid for 7200 seconds
      Sep 1 13:03:58 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546

      It seems like the 'Advertise' message (Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546) is not reaching the client when it is connected to my switch rather than directly to the SG-3100? I can ping the SG-3100 LAN link-local address (fe80::208:a2ff:fe12:64c4) from the client in both cases (when connected directly to the SG-3100 and when connected to the switch) and also the reverse (I can ping the client's link-local address from the SG-3100) in both cases.

      Do I need some special firewall rule to allow this reply through? I can't see how the firewall would differentiate these two cases to be honest.

      I really need to get this working so any advice appreciated.

      • JKnott @ChrisJenk

        @chrisjenk

        Is that switch configured with any VLANs? Switches are supposed to be transparent.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • ChrisJenk @JKnott

          @jknott Yes, it has one VLAN. But the switch ports being used here are not members of that VLAN. And anyway, surely if that was an issue it would affect the ability to ping to/from the link-local addresses in both directions. Seems strange that the presence of a VLAN could affect just this one very specific thing and nothing else whatsoever...

          • JKnott @ChrisJenk

            @chrisjenk

            Well, time for some packet captures, to see what's happening.


            • ChrisJenk @JKnott

              @jknott So after analysing some packet captures and digging around in the depths of the switch config options, it seems the switch 'screens' DHCP servers unless they have been explicitly configured as 'trusted'. It seems that for DHCPv6 this involves dropping the multicast messages used for 'advertise' (and maybe others). Once I added the SG-3100 LAN link-local IPv6 address as a 'trusted' DHCP server, things started working as expected.

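Added example, not part of the thread and not Netgate or ISC code: a small Python checker that applies the diagnosis reached above to dhcpd log lines of the shape quoted in the first post. It flags a client that keeps retransmitting the same Solicit (same transaction ID) while the server logs 'Sending Advertise' to it and never receives a Request, which is exactly what a switch silently dropping untrusted DHCPv6 server traffic looks like from the server side. The second client address in the sample is made up.

```python
import re
from collections import defaultdict

# Line shapes copied from the ISC dhcpd log excerpts in this thread.
SOLICIT_RE = re.compile(r"Solicit message from (\S+) port \d+, transaction ID (0x[0-9A-Fa-f]+)")
REQUEST_RE = re.compile(r"Request message from (\S+) port \d+")
ADVERTISE_RE = re.compile(r"Sending Advertise to (\S+) port \d+")

def find_unanswered_advertises(lines, retry_threshold=3):
    """Return {client: solicit_count} for clients that keep retransmitting the
    same Solicit (same transaction ID) although dhcpd logged 'Sending Advertise'
    to them and they never progress to a Request. That is the thread's symptom:
    the Advertise is dropped between server and client, here by DHCP screening
    on a switch that did not trust the SG-3100's link-local address."""
    solicits = defaultdict(int)  # (client link-local, transaction ID) -> count
    advertised, requested = set(), set()
    for line in lines:
        if m := SOLICIT_RE.search(line):
            solicits[(m.group(1), m.group(2))] += 1
        elif m := ADVERTISE_RE.search(line):
            advertised.add(m.group(1))
        elif m := REQUEST_RE.search(line):
            requested.add(m.group(1))
    findings = {}
    for (client, _xid), count in solicits.items():
        if count >= retry_threshold and client in advertised and client not in requested:
            findings[client] = max(count, findings.get(client, 0))
    return findings

# Constructed sample: a trimmed copy of the thread's failing run (one transaction
# ID retried three times, Advertise sent each time, no Request), then a working
# run from a second, made-up client address that does reach the Request step.
SAMPLE_LOG = """\
Sep 1 13:03:44 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
Sep 1 13:03:44 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546
Sep 1 13:03:45 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
Sep 1 13:03:45 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546
Sep 1 13:03:47 dhcpd 94189 Solicit message from fe80::c60:1b78:efbe:89e7 port 546, transaction ID 0xF6705200
Sep 1 13:03:47 dhcpd 94189 Sending Advertise to fe80::c60:1b78:efbe:89e7 port 546
Sep 1 13:14:06 dhcpd 94189 Solicit message from fe80::1:2:3:4 port 546, transaction ID 0xE7094200
Sep 1 13:14:06 dhcpd 94189 Sending Advertise to fe80::1:2:3:4 port 546
Sep 1 13:14:07 dhcpd 94189 Request message from fe80::1:2:3:4 port 546, transaction ID 0xE3F78800
Sep 1 13:14:07 dhcpd 94189 Sending Reply to fe80::1:2:3:4 port 546
"""

if __name__ == "__main__":
    for client, n in find_unanswered_advertises(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} Solicits for one transaction ID, Advertise sent, no Request;"
              " check that the switch trusts the DHCPv6 server's port/address")
```

Run it against the DHCPv6 log from Status > System Logs on the firewall; a hit for a client that can ping the firewall's link-local address points at filtering on the path (DHCP snooping/screening) rather than at the firewall rules.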
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.