Unique Local Addresses?

JKnott

I don't know why it's happening, but it happened twice.  Also, as mentioned in other posts, there apparently is a problem.  And I created the alias by clicking on Firewall > Virtual IPs.

johnpoz

And what did you pick for the type of VIP?

JKnott

@johnpoz:

And what did you pick for the type of VIP?

IP Alias

JKnott

With pfSense 2.4.0, I can now add a ULA alias on my LAN interface, without losing Internet access.  It appears there was a problem with the previous version.

JKnott

^^^^
Looks like I spoke too soon.  As before, after a reboot, the problem returns.  However, one thing I noticed is the default route on my computer changes, from the main LAN to a VLAN interface on my pfSense router.  I'm not sure what causes this, as the VLAN has a different prefix from the ULA on the main LAN.

Why would the default route change?  I checked the router.priority for each RA and the VLAN is set to low and main LAN set to normal.

JKnott

It's currently working, with the ULA alias.  I have no idea why it's working now and not before.

I set the mail RA priority to high, but IP -6 route show shows both the main LAN and VLAN to have medium preference:

default via fe80::1:1 dev eth0  proto ra  metric 1024  expires 58sec hoplimit 64 pref medium
default via fe80::216:17ff:fea7:f2d3 dev vlan3  proto ra  metric 1024  expires 51sec hoplimit 64 pref medium

Shouldn't that reflect the router priority setting, which is high for main LAN and low for VLAN3?

My computer is running OpenSUSE Linux.

Napsterbater

@awebster:

Once it is added in, you can then setup the prefix in the RA config to advertise each prefix defined on the interface.  Note that clients on that L2 will get an address for EACH advertised prefix (if listening to RAs).  Keep in mind they will also get more than 1 gateway this way.

Just one correction, It will still be only one Gateway no matter how many prefixes are advertised. You would only get a 2nd Gateway if you had a 2nd box broadcasting RAs. 1 box broadcasting many prefixes = 1 Gateway.

And that gateway is a Link Local address, not a ULA or GUA.

JKnott

^^^^
It shows both gateways, but whatever happens, I lose Internet access.  I can ping local addresses, including ULA, so routing still appears to be functioning at least that far, but I cannot get out to the Internet.  Also, sometimes it works OK after rebooting,  Sometimes it doesn't.  I have no idea why it's failing.  I agree it shouldn't matter which is default route, as both are to a link local address on the same interface.

Napsterbater

Do you have more then 1 router? If not there should not be more then 1 gateway.

If you only have 1 pfSense router, then you need to find what is advertising itself as a router.

Again 1 router advertising more then 1 prefix will still only advertise 1 gateway.

Edit: i just noticed someing in a prev post. Do you have 2 pfsense interfaces plugged into the same layer2/vlan?

JKnott

There is only 1 router, pfSense.  The router has to advertise itself on all interfaces, including VLANs.  Regardless, it shouldn't matter, because all RAs point to the same router.  I have a main LAN and a VLAN on 1 interface.  The main LAN has both global and ULA addresses.  The curious thing is that when I configure the pfSense alias for the ULA on the main LAN, everything works fine.  But if I then reboot pfSense, it usually, but not always fails.

Napsterbater

I was and am confused becuase you said that hey you have two gateways which sounded like it was on the same client like your client was seen two different Gateway from pfSense if that's the case that makes no sense and it would lead me to believe that two different vlans are mixed together on the same layer 2/brodcast domain. Unless I'm just misunderstanding what you're saying.

JKnott

I get 2 router advertisements, one on the main LAN and 1 on the VLAN.  I don't think I ever said I had 2 gateways.  The RAs have to be on every interface, including VLANs, so that every device will receive them.  However, that doesn't hurt, as it's still the same gateway, no matter which RA is used.  Regardless, just adding ULA alias on the main LAN is what causes the problem  I really don't understand why it should.  A I mentioned, the problem usally happens after a reboot.  Prior to the reboot, everything works fine.

Derelict

Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?

Napsterbater

I get 2 router advertisements, one on the main LAN and 1 on the VLAN.  I don't think I ever said I had 2 gateways.

Same thing really, you shouldn't be getting 2 different RA's. It should be 1 RA from 1 pfSense interface per VLAN.

Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?

It does indeed sound like there is 2 pfSense interface on 1 VLAN/Broadcast domain.

JKnott

Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?

I have never said anything like that.  I said unmanaged switches can pass VLAN tagged frames.

Derelict

Are you using an unmanaged switch for the untagged and tagged networks in this case?

JKnott

@Napsterbater:

I get 2 router advertisements, one on the main LAN and 1 on the VLAN.  I don't think I ever said I had 2 gateways.

Same thing really, you shouldn't be getting 2 different RA's. It should be 1 RA from 1 pfSense interface per VLAN.

Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?

It does indeed sound like there is 2 pfSense interface on 1 VLAN/Broadcast domain.

I'm not sure where who is misunderstanding here.  There is only one, 1, count 'em one physical interface on the LAN.  On that interface is the main LAN with global addresses and ULA.  There is also VLAN 3 on that NIC with only ULA.  Also, there is another Interface connected to a Cisco router or used for testing.  It has only ULA.  All interfaces, including VLAN, have NAT IPv4 addresses, which continue to work fine.

When I put an IPv6 alias for the ULA on the main LAN, things work fine.  I can route between ULA and global addresses.  But when I reboot, then the router stops working with IPv6 to the Internet.  When I get some time, I'll investigate further where the failure is. i.e. routing to the WAN, DNS etc..

JKnott

@Derelict:

Are you using an unmanaged switch for the untagged and tagged networks in this case?

Yes, and I see both, using Wireshark.  This is on my main desktop computer, running Linux.  As I mentioned above, the problem occurs after applying the alias and rebooting.  Having the VLAN, without the alias continues to work properly. Please note, there is no change made to the computer when I see the problem.  It has the main LAN and VLAN configured, as it has had for months.  It also gets the appropriate addresses for the global addresses, ULA and VLAN ULA.  As I said, that's been that way for months.  The alias is on the pfSense router.

Derelict

So are the frames tagged properly or not?

How about you post a pcap.

You post cockamamie layer 2 recommendations then post about strange layer 2 issues. Onus is on you.

JKnott

You post cockamamie layer 2 recommendations then post about strange layer 2 issues. Onus is on you.

I'll do some more testing when I get time.  Meanwhile, I have a question for you.  You have a computer, as I do here, that you want to participate in the native LAN and also 1 or more VLANs.  Now with a managed switch, that would mean a trunk port (I'm ignoring the special situation on Cisco switches for VoIP phones) which provides native LAN and whatever VLANs are allowed on the switch.  Please explain what the difference would be, between that trunk port and an unmanaged switch.  What difference would the computer see?