Selective RA advertising?



  • Hi,

    I am not sure RA is the right thing to do this, so bear with me.

    My pfsense is used to link two sites together. Both sites use ipv4 and ipv6.

    When I turn RA on (router only), a default route is pushed to my clients with pfsense's IP. Is it possible to only push selected routes (remote site's subnet) through RA or RA will always push all routes found on pfsense?



  • Anyone?



  • What pfSense pushes is it's own address, as the default route.  If you want it to provide other than the ISPs route, you have to configure routing to do it.  However, I'm not sure what you're trying to do.  Are the 2 sites connected via VPN?  If you only want the traffic to go to the other site and not the rest of the Internet, you could probably configure the firewall rules to do that.



  • I have two sites, each have a tunnelbroker link to the v6 internet with an average delay (~20-30ms). The two sites have the same ISP, so the v4-to-v4 link has much less delay (4ms). I have set up an OpenVPN tunnel between the two sites for v4 and v6 traffic as well and it is working well. pfSense does not act as a default router (yet) for the sites but is a second router on the network in the sites.

    I am trying to "advertise" a route to the other site (available and working through pfsense's openvpn tunnel) to the computers on the network.

    The problem is that if I turn on RA, it will generate a second default route on my clients which I would like to avoid (client -> pfsense -> router -> tunnelbroker -> v6 internet).

    Is this even possible to do with RA?

    I am using static routes on the clients to achieve this but it isn't a very scalable solution.



  • Is the VPN on pfSense?  If so, pfSense must advertise itself as the default route, as there is no other available to devices on the LAN.  You then have to configure pfSense to route appropriately.  RAs, only advertise local routers.  They do not advertise routes beyond the router, as figuring out the path is the router's job.



  • Yes, VPN is on pfSense. Routing tables in pfsense and router are set up to use the shortest routes. My question is how the routes can be influenced on the end-user computers.

    I'll try to draw…

    
    ===================== LAN1 ==================
    computers           pfSense            router --+------ IPv4 Internet
                           I                        +------ tunnelbroker.net ---- IPv6 Internet
                           I                                                            
                           I                                                            
                           I OpenVpn site-to-site (through v4 internet)                                  
                           I                                                            
                           I                                                           
    computers           pfSense            router --+------ tunnelbroker.net ---- IPv6 Internet
                                                    +------ IPv4 Internet
    ===================== LAN2 ==================
    
    

    Option 1) If I turn on RA in pfsense, computers see two default routes:

    • pfsense
    • router

    Option 2) If I turn off RA in pfsense, computers see one default route:

    • router

    In case of option1, my computers going to the v6 internet might use the pfsense->router->tunnelbroker->v6internet route which is one more hop than router->tunnelbroker->v6internet. Also, when going to LAN2, they might go through router->pfsense->openvpn->lan2 which is again one more hop than pfsense->openvpn->LAN2.

    In case of option1, my computers going to the LAN2 will use the router->pfsense->openvpn->lan2 which is again one more hop than pfsense->openvpn->LAN2 would be.

    I hope it's easier to see my dilemma now. I emphasize, I am able to do what I want using persistent routes on the computers but would want to have the v6 routes deployed to the computers in an automatic fashion if this is possible (I am using DHCP on v4).



  • @mcfly9:

    Yes, VPN is on pfSense. Routing tables in pfsense and router are set up to use the shortest routes. My question is how the routes can be influenced on the end-user computers.

    It doesn't matter what you draw.  If the only way off your LAN is through pfSense, then it can only advertise itself.  If it announced another route, local devices would have no way to reach it.  This situation can only be resolved by configuring the routing in pfSense.  Then your LAN clients will send traffic to pfSense.  PfSense will then in turn forward appropriately.

    The only reason for advertising a different route would be if there's another router on the LAN that could be used.  Even then, that router would be expected to advertise itself.



  • @JKnott:

    The only reason for advertising a different route would be if there's another router on the LAN that could be used. Even then, that router would be expected to advertise itself.

    If you read my post carefully and have a short peek on the diagram, you will see that this is exactly my case. pfSense is NOT my deafult router to the internet.



  • Here's it in even clearer picture.

    
    ===================== LAN1 ==================
        I                  I                 I
        I                  I                 I
    computers           pfSense            router --+----------------------------> IPv4 Internet
                           I                        +------ tunnelbroker.net ----> IPv6 Internet
                           I                                                            
                           I OpenVpn site-to-site                                  
                           I                                                            
                           I                                                            
    computers           pfSense            router --+------ tunnelbroker.net ----> IPv6 Internet
        I                  I                 I      +----------------------------> IPv4 Internet
        I                  I                 I
    ===================== LAN2 ==================
    
    


  • OK, so you have 2 routers on the LAN.  Does the other router not also provide RAs?  If you have that situation, then you should set one to have a higher priority than the other.  In pfSense, that is done on the Router Advertisement page.

    Why do you have 2 routers?  You're making things difficult.  You could manually add routes to the devices on the LAN.  But RAs are not intended to do what you want.  They only advertise themselves.  If you had multiple routers, you could use a routing protocol, such as RIP or OSPF to advertise routes to other routers, but individual computers generally don't support that.  What is the other router?  Does it support VPNs?  Why not put it in bridge mode.

    From http://www.networksorcery.com/enp/protocol/icmp/msg9.htm

    Each router periodically multicasts a Router Advertisement from each of its multicast interfaces, announcing the IP address(es) of that interface.

    As you can see, an RA can only advertise the router it's from.

    Perhaps you should rethink what you're trying to do.



  • @JKnott:

    Why do you have 2 routers?  You're making things difficult.  You could manually add routes to the devices on the LAN.  But RAs are not intended to do what you want.  They only advertise themselves.  If you had multiple routers, you could use a routing protocol, such as RIP or OSPF to advertise routes to other routers, but individual computers generally don't support that.  What is the other router?  Does it support VPNs?  Why not put it in bridge mode.

    Thanks, this answers my original question.

    The other router is a dumb ISP router. On a longer run I will migrate all routing to pfSense and eliminate the two routers. This will make the current issue obsolete.



  • Can you put those ISP's routers into bridge mode?  That's all you need to do and let pfSense handle routing etc..



  • Yup, that's exactly what I am trying on a third site.


  • LAYER 8 Netgate

    Yet another "let's just put another router on the LAN" design.

    Don't do that.

    Create a transit network between your edge routers and the pfSense nodes.

    Then the edge routers will have the static routes to pfsense for addresses on the other side of the VPN and will know what to do with the traffic without hairpinning in and out the same interface.

    
    ===================== LAN1 ==================
        I                                    I
        I                                    I
    computers                            router –+----------------------------> IPv4 Internet
                             pfSense-----/        +------ tunnelbroker.net ----> IPv6 Internet
                                I                                                       
                                I OpenVpn s2s                                  
                                I                                                       
                             pfSense-----\                                                       
    computers                            router --+------ tunnelbroker.net ----> IPv6 Internet
        I                                    I    +----------------------------> IPv4 Internet
        I                                    I
    ===================== LAN2 ==================
    
    

    ETA oh. Dumb ISP routers. OK. I'll leave that there anyway…



  • Thanks everyone for your answers!


Log in to reply