Unique Local Addresses?
-
It shows both gateways, but whatever happens, I lose Internet access. I can ping local addresses, including ULA, so routing still appears to be functioning at least that far, but I cannot get out to the Internet. Also, sometimes it works OK after rebooting, sometimes it doesn't. I have no idea why it's failing. I agree it shouldn't matter which is the default route, as both are to a link-local address on the same interface.
-
Do you have more than 1 router? If not, there should not be more than 1 gateway.
If you only have 1 pfSense router, then you need to find what is advertising itself as a router.
Again, 1 router advertising more than 1 prefix will still only advertise 1 gateway.
Edit: I just noticed something in a previous post. Do you have 2 pfSense interfaces plugged into the same layer 2/VLAN?
-
There is only 1 router, pfSense. The router has to advertise itself on all interfaces, including VLANs. Regardless, it shouldn't matter, because all RAs point to the same router. I have a main LAN and a VLAN on 1 interface. The main LAN has both global and ULA addresses. The curious thing is that when I configure the pfSense alias for the ULA on the main LAN, everything works fine. But if I then reboot pfSense, it usually, but not always, fails.
-
I was and am confused because you said that you have two gateways, which sounded like it was on the same client, like your client was seeing two different gateways from pfSense. If that's the case, that makes no sense, and it would lead me to believe that two different VLANs are mixed together on the same layer 2/broadcast domain. Unless I'm just misunderstanding what you're saying.
-
I get 2 router advertisements, one on the main LAN and 1 on the VLAN. I don't think I ever said I had 2 gateways. The RAs have to be on every interface, including VLANs, so that every device will receive them. However, that doesn't hurt, as it's still the same gateway, no matter which RA is used. Regardless, just adding the ULA alias on the main LAN is what causes the problem. I really don't understand why it should. As I mentioned, the problem usually happens after a reboot. Prior to the reboot, everything works fine.
-
Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?
-
I get 2 router advertisements, one on the main LAN and 1 on the VLAN. I don't think I ever said I had 2 gateways.
Same thing really, you shouldn't be getting 2 different RAs. It should be 1 RA from 1 pfSense interface per VLAN.
Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?
It does indeed sound like there are 2 pfSense interfaces on 1 VLAN/broadcast domain.
-
Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?
I have never said anything like that. I said unmanaged switches can pass VLAN tagged frames.
-
Are you using an unmanaged switch for the untagged and tagged networks in this case?
-
I get 2 router advertisements, one on the main LAN and 1 on the VLAN. I don't think I ever said I had 2 gateways.
Same thing really, you shouldn't be getting 2 different RAs. It should be 1 RA from 1 pfSense interface per VLAN.
Aren't you the one who thinks he can use an unmanaged switch to "isolate" VLANs? Is that the case here?
It does indeed sound like there are 2 pfSense interfaces on 1 VLAN/broadcast domain.
I'm not sure who is misunderstanding here. There is only one, 1, count 'em, one physical interface on the LAN. On that interface is the main LAN with global addresses and ULA. There is also VLAN 3 on that NIC with only ULA. Also, there is another interface connected to a Cisco router or used for testing. It has only ULA. All interfaces, including the VLAN, have NAT IPv4 addresses, which continue to work fine.
When I put an IPv6 alias for the ULA on the main LAN, things work fine. I can route between ULA and global addresses. But when I reboot, the router stops working with IPv6 to the Internet. When I get some time, I'll investigate further where the failure is, i.e. routing to the WAN, DNS, etc.
-
Are you using an unmanaged switch for the untagged and tagged networks in this case?
Yes, and I see both, using Wireshark. This is on my main desktop computer, running Linux. As I mentioned above, the problem occurs after applying the alias and rebooting. Having the VLAN without the alias continues to work properly. Please note, there is no change made to the computer when I see the problem. It has the main LAN and VLAN configured, as it has had for months. It also gets the appropriate addresses for the global addresses, ULA and VLAN ULA. As I said, it's been that way for months. The alias is on the pfSense router.
-
So are the frames tagged properly or not?
How about you post a pcap.
You post cockamamie layer 2 recommendations then post about strange layer 2 issues. Onus is on you.
-
You post cockamamie layer 2 recommendations then post about strange layer 2 issues. Onus is on you.
I'll do some more testing when I get time. Meanwhile, I have a question for you. You have a computer, as I do here, that you want to participate in the native LAN and also 1 or more VLANs. Now, with a managed switch, that would mean a trunk port (I'm ignoring the special situation on Cisco switches for VoIP phones) which provides the native LAN and whatever VLANs are allowed on the switch. Please explain what the difference would be between that trunk port and an unmanaged switch. What difference would the computer see?
-
OK, I've done some testing. I've attached 3 pcap files: before the alias is added, after the alias is added but before reboot, and after reboot. There are 3 local interfaces on the pfSense router:
Native LAN with global address and ULA fd48:1a37:2160:0::1
VLAN 3 with ULA fd48:1a37:2160:3::1
Test network on a separate NIC with ULA fd48:1a37:2160:4::1
All interfaces have NAT IPv4 addresses. IPv4 works fine.
The desktop computer, running Linux, has the native LAN with global address and ULA, and VLAN 3 with ULA.
The ULA is always advertised and addresses appear for both native LAN and VLAN 3
Prior to enabling the alias fd48:1a37:2160:0::1 on the native LAN, Internet access works fine, but I cannot ping a ULA address on a computer connected to the test network.
After enabling the alias, the Internet still works fine and I can ping the test network computer, using the IPv6 address.
After rebooting, I can still ping the computer connected to the test network, but I can no longer access the Internet with IPv6. DNS also fails.
When I ping ipv6.google.com, using the IPv6 address 2607:f8b0:400b:808::200e, I can see the packets going out on VLAN 3, with an appropriate IPv6 address for the VLAN. Of course, this will not work over the Internet.
Through all the above, DNS lookup and IPv6 access to the Internet continue to work on the pfSense firewall.
Bottom line, for some reason, after the alias is enabled, the Linux computer decides it has to use VLAN 3 to reach the Internet. Deleting the alias and rebooting pfSense restores Internet access to the Linux computer. I expect DNS fails due to IPv6 being used to access it.
The files were captured on the Linux computer with Wireshark.
[RA without alias.pcap](/public/imported_attachments/1/RA without alias.pcap)
[RA with alias before reboot.pcap](/public/imported_attachments/1/RA with alias before reboot.pcap)
[RA with alias after reboot.pcap](/public/imported_attachments/1/RA with alias after reboot.pcap)
-
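The three captures above are worth decoding field by field rather than eyeballing them in Wireshark, because the two things that decide whether a client installs a default route through an interface are the RA's router lifetime (0 means "I am not a default router") and its RFC 4191 router-preference bits, while the prefix options only control addressing. The following is an added example, not code from the thread or from pfSense: a minimal ICMPv6 RA decoder that pulls out the router lifetime, preference, M/O flags, Prefix Information options (type 3) and Route Information options (type 24), and ranks interfaces by which RA would be preferred as a default router. The interface names `eth0`/`eth0.3` and the global prefix `2001:db8::/64` are assumptions standing in for the poster's setup; the ULA prefixes are the ones given above. The sample RAs are constructed in the block itself, so it runs offline; to use it on the real captures, feed it the ICMPv6 payload of each RA frame (bytes after the 40-byte IPv6 header).

```python
import ipaddress
import struct

RA_TYPE = 134  # ICMPv6 Router Advertisement (RFC 4861)
# RFC 4191 router-preference bits (Prf): 01 high, 00 medium, 11 low, 10 reserved
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved(medium)"}
PREF_RANK = {"high": 0, "medium": 1, "reserved(medium)": 1, "low": 2}


def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 RA payload (no IPv6 header) into its default-route
    fields plus Prefix Information (type 3) and Route Information (type 24)."""
    if len(icmp) < 16 or icmp[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    _t, _code, _csum, hop, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    ra = {
        "cur_hop_limit": hop,
        "router_lifetime": lifetime,          # 0 means "do not use me as a default router"
        "managed": bool(flags & 0x80),        # M flag: use DHCPv6 for addresses
        "other_config": bool(flags & 0x40),   # O flag: use DHCPv6 for other info (DNS etc.)
        "router_preference": PREF_NAMES[(flags >> 3) & 0b11],
        "prefixes": [],
        "routes": [],
    }
    off = 16
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option (RFC 4861 says discard the packet)")
        end = off + olen * 8
        if end > len(icmp):
            raise ValueError("truncated ND option")
        body = icmp[off + 2:end]
        if otype == 3 and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40),   # A flag: SLAAC may form addresses
                "valid": valid, "preferred": preferred,
            })
        elif otype == 24:
            plen, rflags, rlife = struct.unpack("!BBI", body[:6])
            raw = body[6:6 + 8 * (olen - 1)].ljust(16, b"\x00")
            ra["routes"].append({
                "prefix": f"{ipaddress.IPv6Address(raw)}/{plen}",
                "preference": PREF_NAMES[(rflags >> 3) & 0b11],
                "lifetime": rlife,
            })
        off = end
    return ra


def build_ra(lifetime: int, pref_bits: int, prefixes, routes=()) -> bytes:
    """Assemble an RA for testing. Checksum is left 0 (it needs the IPv6 pseudo-header)."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, (pref_bits & 0b11) << 3, lifetime, 0, 0)
    opts = b""
    for p in prefixes:  # L and A set, valid 86400 s, preferred 14400 s, like a typical RA
        net = ipaddress.IPv6Network(p)
        opts += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
        opts += net.network_address.packed
    for p, rpref, rlife in routes:
        net = ipaddress.IPv6Network(p)
        opts += struct.pack("!BBBBI", 24, 3, net.prefixlen, (rpref & 0b11) << 3, rlife)
        opts += net.network_address.packed
    return hdr + opts


# Constructed sample: native LAN on eth0 (global + ULA, medium preference) and
# VLAN 3 on eth0.3 (ULA only, low preference). 2001:db8::/64 is a placeholder prefix.
SAMPLE = {
    "eth0": build_ra(1800, 0b00, ["2001:db8::/64", "fd48:1a37:2160::/64"],
                     routes=[("fd48:1a37:2160::/48", 0b00, 1800)]),
    "eth0.3": build_ra(1800, 0b11, ["fd48:1a37:2160:3::/64"]),
}


def rank_default_routers(ras: dict) -> list:
    """Interfaces whose RA offers a default route (lifetime > 0), best preference first."""
    live = [(n, parse_ra(b)) for n, b in ras.items()]
    live = [(n, r) for n, r in live if r["router_lifetime"] > 0]
    live.sort(key=lambda nr: PREF_RANK[nr[1]["router_preference"]])
    return [n for n, _ in live]


if __name__ == "__main__":
    for name, raw in SAMPLE.items():
        print(name, parse_ra(raw))
    print("default-router order:", rank_default_routers(SAMPLE))
```

If both RAs carry a non-zero router lifetime, the client has two valid default routers on two interfaces, and only the preference bits (and then implementation-specific tie-breaking) decide which one is used; a "low" preference demotes the VLAN RA but does not stop it from being installed. The clean way to keep a segment off the default-route decision is a router lifetime of 0 on that interface's RA, which still lets the Prefix Information option hand out addresses.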
What network is the linux computer supposed to be on?
-
It's on the native LAN and VLAN 3. As mentioned above, the native LAN has both global and ULA addresses. VLAN 3 is ULA only.
-
What's the point of connecting the client to two different segments like that? You could easily have any number of different IPv6 prefixes on the main LAN, some of them globally routable, some of them ULA. IPv6 is designed with that in mind.
-
@kpa:
What's the point of connecting the client to two different segments like that? You could easily have any number of different IPv6 prefixes on the main LAN, some of them globally routable, some of them ULA. IPv6 is designed with that in mind.
Experimenting. I like to try different things. But the question remains: why does adding an alias on the native LAN cause the Linux computer to start using the VLAN ULA for its source on traffic for the Internet?
BTW, I have a /56 prefix from my ISP and use the 0 /64 on the native LAN, 4 on the other NIC and ff on the OpenVPN VPN, so I know all about lots of prefixes. I started experimenting with ULAs a while ago, as I read that IoT gear should be using them for security reasons.
-
"as I read that IoT gear should be using them for security reasons."
In what scenario does your IoT device even need to use IPv6 to talk to local stuff, but not be allowed global? Are you running an IPv6-only network? Why go through all the extra hassle when you could just block the IoT from going outbound at the firewall, no matter what IP it has, v4 or v6, public or RFC 1918, etc.
ULA would make sense if you only had a /64 to play with and you have multiple segments, and you want these segments to talk IPv6 to each other.
Clearly this is not the case, since you state you have a /56 to work with.
"the native LAN has both global and ULA addresses"
This comes down to running multiple layer 3 on the same layer 2, plain and simple. Never a good idea!! If you're going to dual stack IPv4 and IPv6, which are completely different protocols, then OK… But running either multiple v4 or v6 layer 3 on the same layer 2 is bad juju! And yeah, it's going to cause you grief and pain.
-
As I've mentioned a few times, I like to experiment, to learn. I said quite a while back, there's no IoT here. I just decided to try ULA after reading an article about IoT. Regardless, I don't understand why a computer should start sending Internet traffic out a VLAN with only ULA on it, after an alias is placed on the pfSense native LAN interface. Everything works fine after enabling that alias, until I reboot. Also, the first time I noticed the problem was the next morning after enabling the alias, and I no longer had access to the Internet. So, it appears it doesn't even need a reboot, if left sitting long enough.
So, the situation is this: at the moment I have Internet access. If I put the alias on that interface, everything will initially work as expected. But if I then reboot pfSense, my Linux computer will then try to access the Internet via VLAN 3, using a ULA. Why is that happening? Nothing has changed on the computer. I have even set the RAs on VLAN 3 to have low priority.
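One point in the thread that is easy to miss: the VLAN 3 ULA showing up as the *source* address of the Google ping is a consequence of the route decision, not a separate choice. RFC 6724 source address selection runs after the route lookup, and its rule 5 ("prefer outgoing interface") comes before rule 6 ("prefer matching label", which is what would normally make a global source win over a ULA for a global destination). So once the host has decided its default route goes via the VLAN interface, the only address on that interface is the VLAN ULA, and that is what it will use. The following added example (not code from the thread or from any OS) models RFC 6724 rules 2, 5, 6 and 8 in their specified order and runs them over a candidate set built to mirror the poster's desktop; `eth0`/`eth0.3`, the host suffix `::10` and the placeholder global prefix `2001:db8::/64` are assumptions, while the ULA prefixes and the Google address come from the posts above. Rules 1, 3, 4 and 7 are left out because the model has no deprecated, home or temporary addresses.

```python
import ipaddress

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label)
POLICY = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in (
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12))]
SCOPE_LINK, SCOPE_GLOBAL = 0x2, 0xe


def label(addr: ipaddress.IPv6Address) -> int:
    """Longest-matching policy-table entry; ULAs (fc00::/7) get label 13, not 1."""
    _net, _prec, lab = max((e for e in POLICY if addr in e[0]), key=lambda e: e[0].prefixlen)
    return lab


def scope(addr: ipaddress.IPv6Address) -> int:
    # Link-local and ::1 are link scope; everything else here, ULA included, is global scope.
    return SCOPE_LINK if addr.is_link_local or addr.is_loopback else SCOPE_GLOBAL


def common_prefix_len(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> int:
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dst: str, candidates, out_if: str) -> str:
    """candidates: iterable of (address, ifname). Returns the address a host applying
    RFC 6724 rules 2, 5, 6 and 8 (in that order) picks for dst, given that the route
    lookup has already chosen out_if as the outgoing interface."""
    d = ipaddress.IPv6Address(dst)
    sd, ld = scope(d), label(d)

    def key(c):
        a = ipaddress.IPv6Address(c[0])
        sa = scope(a)
        rule2 = (sa < sd, sa if sa >= sd else -sa)   # smallest scope that still reaches dst
        rule5 = c[1] != out_if                       # prefer an address on the outgoing interface
        rule6 = label(a) != ld                       # prefer a matching policy label
        rule8 = -common_prefix_len(a, d)             # longest matching prefix last
        return (rule2, rule5, rule6, rule8)          # False sorts before True: fewer penalties win

    return str(ipaddress.IPv6Address(min(candidates, key=key)[0]))


# Constructed to mirror the thread's desktop: global + ULA on the native LAN (eth0),
# ULA only on VLAN 3 (eth0.3). 2001:db8::/64 is a placeholder for the poster's real /56.
CANDIDATES = [
    ("2001:db8::10", "eth0"),
    ("fd48:1a37:2160::10", "eth0"),
    ("fd48:1a37:2160:3::10", "eth0.3"),
    ("fe80::1", "eth0"),
]
GOOGLE_V6 = "2607:f8b0:400b:808::200e"  # the address pinged in the thread


if __name__ == "__main__":
    # Default route via the native LAN: the global address wins on the label rule.
    print("via eth0  :", select_source(GOOGLE_V6, CANDIDATES, "eth0"))
    # Default route via VLAN 3: rule 5 leaves only the VLAN ULA, exactly what the capture shows.
    print("via eth0.3:", select_source(GOOGLE_V6, CANDIDATES, "eth0.3"))
    # Destination on the test-network ULA: the native-LAN ULA is chosen over the global address.
    print("to test net:", select_source("fd48:1a37:2160:4::5", CANDIDATES, "eth0"))
```

The practical check this suggests is to look at the routing table rather than the addresses: on a Linux client, `ip -6 route show default` lists every default route learned from RAs together with the interface and the `pref` value it was advertised with. If a default entry via the VLAN interface is present at all, the VLAN RA is being sent with a non-zero router lifetime, and lowering its priority only changes the tie-break, not whether it is installed.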