Netgate Discussion Forum

    Selective RA advertising?

IPv6
    15 Posts 3 Posters 2.3k Views
• mcfly9

      Hi,

      I am not sure RA is the right thing to do this, so bear with me.

      My pfsense is used to link two sites together. Both sites use ipv4 and ipv6.

      When I turn RA on (router only), a default route is pushed to my clients with pfsense's IP. Is it possible to only push selected routes (remote site's subnet) through RA or RA will always push all routes found on pfsense?

• mcfly9

        Anyone?

• JKnott

What pfSense pushes is its own address, as the default route.  If you want it to provide other than the ISP's route, you have to configure routing to do it.  However, I'm not sure what you're trying to do.  Are the 2 sites connected via VPN?  If you only want the traffic to go to the other site and not the rest of the Internet, you could probably configure the firewall rules to do that.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

• mcfly9

I have two sites, each has a tunnelbroker link to the v6 internet with an average delay (~20-30ms). The two sites have the same ISP, so the v4-to-v4 link has much less delay (4ms). I have set up an OpenVPN tunnel between the two sites for v4 and v6 traffic as well and it is working well. pfSense does not act as a default router (yet) for the sites but is a second router on the network in the sites.

            I am trying to "advertise" a route to the other site (available and working through pfsense's openvpn tunnel) to the computers on the network.

            The problem is that if I turn on RA, it will generate a second default route on my clients which I would like to avoid (client -> pfsense -> router -> tunnelbroker -> v6 internet).

            Is this even possible to do with RA?

            I am using static routes on the clients to achieve this but it isn't a very scalable solution.

• JKnott

Is the VPN on pfSense?  If so, pfSense must advertise itself as the default route, as there is no other available to devices on the LAN.  You then have to configure pfSense to route appropriately.  RAs only advertise local routers.  They do not advertise routes beyond the router, as figuring out the path is the router's job.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

• mcfly9

                Yes, VPN is on pfSense. Routing tables in pfsense and router are set up to use the shortest routes. My question is how the routes can be influenced on the end-user computers.

                I'll try to draw…

                
                ===================== LAN1 ==================
                computers           pfSense            router --+------ IPv4 Internet
                                       I                        +------ tunnelbroker.net ---- IPv6 Internet
                                       I                                                            
                                       I                                                            
                                       I OpenVpn site-to-site (through v4 internet)                                  
                                       I                                                            
                                       I                                                           
                computers           pfSense            router --+------ tunnelbroker.net ---- IPv6 Internet
                                                                +------ IPv4 Internet
                ===================== LAN2 ==================
                
                

                Option 1) If I turn on RA in pfsense, computers see two default routes:

                • pfsense
                • router

                Option 2) If I turn off RA in pfsense, computers see one default route:

                • router

                In case of option1, my computers going to the v6 internet might use the pfsense->router->tunnelbroker->v6internet route which is one more hop than router->tunnelbroker->v6internet. Also, when going to LAN2, they might go through router->pfsense->openvpn->lan2 which is again one more hop than pfsense->openvpn->LAN2.

                In case of option1, my computers going to the LAN2 will use the router->pfsense->openvpn->lan2 which is again one more hop than pfsense->openvpn->LAN2 would be.

                I hope it's easier to see my dilemma now. I emphasize, I am able to do what I want using persistent routes on the computers but would want to have the v6 routes deployed to the computers in an automatic fashion if this is possible (I am using DHCP on v4).

• JKnott

                  @mcfly9:

                  Yes, VPN is on pfSense. Routing tables in pfsense and router are set up to use the shortest routes. My question is how the routes can be influenced on the end-user computers.

                  It doesn't matter what you draw.  If the only way off your LAN is through pfSense, then it can only advertise itself.  If it announced another route, local devices would have no way to reach it.  This situation can only be resolved by configuring the routing in pfSense.  Then your LAN clients will send traffic to pfSense.  PfSense will then in turn forward appropriately.

                  The only reason for advertising a different route would be if there's another router on the LAN that could be used.  Even then, that router would be expected to advertise itself.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

• mcfly9

                    @JKnott:

                    The only reason for advertising a different route would be if there's another router on the LAN that could be used. Even then, that router would be expected to advertise itself.

If you read my post carefully and have a short peek at the diagram, you will see that this is exactly my case. pfSense is NOT my default router to the internet.

• mcfly9

Here it is in an even clearer picture.

                      
                      ===================== LAN1 ==================
                          I                  I                 I
                          I                  I                 I
                      computers           pfSense            router --+----------------------------> IPv4 Internet
                                             I                        +------ tunnelbroker.net ----> IPv6 Internet
                                             I                                                            
                                             I OpenVpn site-to-site                                  
                                             I                                                            
                                             I                                                            
                      computers           pfSense            router --+------ tunnelbroker.net ----> IPv6 Internet
                          I                  I                 I      +----------------------------> IPv4 Internet
                          I                  I                 I
                      ===================== LAN2 ==================
                      
                      
• JKnott

                        OK, so you have 2 routers on the LAN.  Does the other router not also provide RAs?  If you have that situation, then you should set one to have a higher priority than the other.  In pfSense, that is done on the Router Advertisement page.

Why do you have 2 routers?  You're making things difficult.  You could manually add routes to the devices on the LAN.  But RAs are not intended to do what you want.  They only advertise themselves.  If you had multiple routers, you could use a routing protocol, such as RIP or OSPF, to advertise routes to other routers, but individual computers generally don't support that.  What is the other router?  Does it support VPNs?  Why not put it in bridge mode?

                        From http://www.networksorcery.com/enp/protocol/icmp/msg9.htm

                        Each router periodically multicasts a Router Advertisement from each of its multicast interfaces, announcing the IP address(es) of that interface.

                        As you can see, an RA can only advertise the router it's from.

                        Perhaps you should rethink what you're trying to do.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...
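The exchange above turns on two fields of the Router Advertisement: the Router Lifetime, which is what makes a sender a default router at all (a lifetime of 0 announces the router's address without offering it as a default, RFC 4861 section 4.2), and the Router Preference bits that JKnott points to on the Router Advertisement page (RFC 4191 section 2.2). RFC 4191 also defines a Route Information option (type 24) with which a router can announce a more-specific prefix reachable through itself, provided the sending daemon emits it and the host honours it; whether the hosts and routers in the poster's network do so is not something the thread establishes. The parser below is an added example, not code from the thread or from pfSense: it decodes these fields from RA packets constructed in-line (the link-local addresses fe80::1 and fe80::2, the prefixes 2001:db8:1::/64 and 2001:db8:2::/48, and every function name are assumptions made here), lists which senders a host would place in its default router list and in what order, and flags RA sources that are not on an allow-list, which is the usual rogue-RA check on a segment like LAN1.

```python
"""Audit IPv6 Router Advertisements seen on a LAN segment.

Added example (not from the thread or from pfSense).  Decodes the RA header
(RFC 4861 4.2), the Prefix Information option (RFC 4861 4.6.2) and the
RFC 4191 Router Preference bits and Route Information option (type 24).
All packets are constructed below; addresses and prefixes are made up.
"""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134          # ICMPv6 type
OPT_PREFIX_INFO = 3             # RFC 4861
OPT_ROUTE_INFO = 24             # RFC 4191
PREF_NAMES = {0b01: "high", 0b00: "medium", 0b11: "low"}   # 0b10 is reserved
PREF_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_ra(icmp: bytes) -> dict:
    """Decode one RA given the ICMPv6 message (header + options), no IPv6 header."""
    if len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, router_lifetime, _, _ = struct.unpack("!BBHBBHII", icmp[:16])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),                     # M flag
        "other": bool(flags & 0x40),                       # O flag
        # RFC 4191 2.2: a reserved (10) preference is treated as medium (00)
        "router_pref": PREF_NAMES.get((flags >> 3) & 0b11, "medium"),
        "router_lifetime": router_lifetime,                # 0 = not a default router
        "prefixes": [],
        "routes": [],
    }
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("truncated option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")         # RFC 4861 4.6: discard packet
        end = off + olen * 8
        if end > len(icmp):
            raise ValueError("option runs past end of packet")
        body = icmp[off + 2:end]
        off = end
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            prefix = ipaddress.IPv6Address(body[14:30])    # 4 reserved bytes precede it
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_ROUTE_INFO and olen in (1, 2, 3):
            plen, rflags, lifetime = struct.unpack("!BBI", body[:6])
            pref_bits = (rflags >> 3) & 0b11
            if pref_bits == 0b10:
                continue                                   # RFC 4191 2.3: reserved, ignore option
            pbytes = body[6:6 + (olen - 1) * 8].ljust(16, b"\x00")
            ra["routes"].append({"prefix": f"{ipaddress.IPv6Address(pbytes)}/{plen}",
                                 "pref": PREF_NAMES[pref_bits], "lifetime": lifetime})
        # other options (source link-layer address, MTU, RDNSS, ...) are skipped
    return ra


def build_ra(lifetime: int, pref_bits: int, prefixes=(), routes=()) -> bytes:
    """Encode an RA for the sample (checksum left 0: the sending stack computes it
    over the IPv6 pseudo-header, which this offline example does not model)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, (pref_bits & 3) << 3, lifetime, 0, 0)
    opts = b""
    for prefix, plen in prefixes:         # L and A set, valid 30 days, preferred 7 days
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
        opts += ipaddress.IPv6Address(prefix).packed
    for prefix, plen, rpref in routes:    # full 16-byte prefix, so option length 3
        opts += struct.pack("!BBBBI", OPT_ROUTE_INFO, 3, plen, (rpref & 3) << 3, 3600)
        opts += ipaddress.IPv6Address(prefix).packed
    return hdr + opts


def is_valid_ra(icmp: bytes) -> bool:
    try:
        parse_ra(icmp)
        return True
    except ValueError:
        return False


def default_router_list(advertisements):
    """(source link-local, parsed RA) pairs -> default routers, best preference first."""
    defaults = [(src, ra["router_pref"]) for src, ra in advertisements if ra["router_lifetime"] > 0]
    return sorted(defaults, key=lambda item: PREF_RANK[item[1]])


def specific_routes(advertisements):
    """RFC 4191 Route Information -> (prefix, next hop, preference)."""
    return [(r["prefix"], src, r["pref"]) for src, ra in advertisements for r in ra["routes"]]


def unexpected_routers(advertisements, allowed):
    """RA sources that are not on the allow-list (rogue-RA check)."""
    return sorted({src for src, _ in advertisements} - set(allowed))


# Constructed sample for a segment like LAN1 in the thread: the ISP router (fe80::1)
# offers itself as default at medium preference with the on-link prefix; pfSense
# (fe80::2) also offers itself as default, at low preference, and adds a Route
# Information option for the other site's prefix.
ISP_RA = build_ra(lifetime=1800, pref_bits=0b00, prefixes=[("2001:db8:1::", 64)])
PFSENSE_RA = build_ra(lifetime=1800, pref_bits=0b11, routes=[("2001:db8:2::", 48, 0b01)])
SAMPLE = [("fe80::1", parse_ra(ISP_RA)), ("fe80::2", parse_ra(PFSENSE_RA))]

if __name__ == "__main__":
    print("default routers:", default_router_list(SAMPLE))
    print("specific routes:", specific_routes(SAMPLE))
    print("unexpected RA sources:", unexpected_routers(SAMPLE, {"fe80::1"}))
```

With both senders at lifetime 1800, the host ends up with the two-entry default router list the poster describes under option 1, ordered by the preference bits; setting pfSense's lifetime to 0 instead removes it from that list while still leaving it reachable on-link, which is the mechanism to test when the goal is "reachable, but not a default". To run this against real traffic, feed `parse_ra` the ICMPv6 payload of captured RAs (for example from a pcap decoded with a library of your choice) together with each packet's source address.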

• mcfly9

                          @JKnott:

Why do you have 2 routers?  You're making things difficult.  You could manually add routes to the devices on the LAN.  But RAs are not intended to do what you want.  They only advertise themselves.  If you had multiple routers, you could use a routing protocol, such as RIP or OSPF, to advertise routes to other routers, but individual computers generally don't support that.  What is the other router?  Does it support VPNs?  Why not put it in bridge mode?

                          Thanks, this answers my original question.

                          The other router is a dumb ISP router. On a longer run I will migrate all routing to pfSense and eliminate the two routers. This will make the current issue obsolete.

• JKnott

Can you put those ISP routers into bridge mode?  That's all you need to do; then let pfSense handle routing etc.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

• mcfly9

                              Yup, that's exactly what I am trying on a third site.

• Derelict (LAYER 8, Netgate)

                                Yet another "let's just put another router on the LAN" design.

                                Don't do that.

                                Create a transit network between your edge routers and the pfSense nodes.

                                Then the edge routers will have the static routes to pfsense for addresses on the other side of the VPN and will know what to do with the traffic without hairpinning in and out the same interface.

                                
                                ===================== LAN1 ==================
                                    I                                    I
                                    I                                    I
                                computers                            router –+----------------------------> IPv4 Internet
                                                         pfSense-----/        +------ tunnelbroker.net ----> IPv6 Internet
                                                            I                                                       
                                                            I OpenVpn s2s                                  
                                                            I                                                       
                                                         pfSense-----\                                                       
                                computers                            router --+------ tunnelbroker.net ----> IPv6 Internet
                                    I                                    I    +----------------------------> IPv4 Internet
                                    I                                    I
                                ===================== LAN2 ==================
                                
                                

                                ETA oh. Dumb ISP routers. OK. I'll leave that there anyway…

                                Chattanooga, Tennessee, USA
                                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

• mcfly9

                                  Thanks everyone for your answers!

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.