Second Lan network same interface

Derelict

No idea what you are showing us there. that is em0 and bge0.

A parent interface of a VLAN will show like that if it is not assigned to an interface and numbered.

igb1 is not assigned in interfaces > assignments:

igb1: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=500bb <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso>ether 00:08:a2:0a:59:42
hwaddr 00:08:a2:0a:59:42
inet6 fe80::208:a2ff:fe0a:5942%igb1 prefixlen 64 scopeid 0x2
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active

VLAN 223 is…

igb1_vlan223: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
options=3 <rxcsum,txcsum>ether 00:08:a2:0a:59:42
inet 192.168.223.1 netmask 0xffffff00 broadcast 192.168.223.255
inet6 2600:dead:beef:cafe:208:a2ff:fe0a:5942 prefixlen 64
inet6 fe80::1:1%igb1_vlan223 prefixlen 64 scopeid 0xb
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 223 vlanpcp: 0 parent interface: igb1</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,promisc,simplex,multicast></full-duplex></performnud,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,jumbo_mtu,vlan_hwcsum,vlan_hwfilter,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast>

JKnott

I was showing the LAN4 interface, which doesn't appear to have a MAC address, though it does in ifconfig.  I also don't know why it shows opvpns1 on it.
Curious.

Derelict

Because it is assigned to an OpenVPN instance. Look in Interfaces > (assign).

JKnott

Openvpn was assigned, but I have absolutely no idea how that wound up on there.  I deleted that assignment and created a new one as em0 and it came up.

JKnott

I just came across something curious.  I've set up the new interface for LAN4 and enabled both IPv4 and IPv6.  The IPv6 prefix is within my /56.  When I ping my desktop computer, on it global IPv6 address, it's successful.  When I try on it's ULA, I get a "Destination unreachable: No route" error.  Traceroute show the path ending at 2607:f798:10:10ac:0:690:6325:5193.  I have no idea where that is, but it's certainly not on my network.  Host lookup doesn't provide a host name.  Why is pfSense trying to route a ULA off my network?  Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.

Derelict

Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?

Neither "Block private networks and loopback addresses" nor "Block bogon networks" are selected for this interface or main LAN, but both are on the WAN interface.

Those block inbound connections, not outbound. You have to specifically block RFC1918 and ULA from egressing outbound using floating rules on WAN out. At least that's how I like to do it.

JKnott

@Derelict:

Does pfSense know that interface has that ULA subnet on it? In other words, is that ULA subnet in the routing table with a destination of that interface?

Does it require a specific route to be added?  In Cisco & Linux routers, the interface networks are added automatically, so it's not necessary to specify the route.  The prefix is correct in RA subnets and the computer gets the correct address.

Netstat -r doesn't show the ULA route for the LAN or LAN4.  However, the first column, showing networks, is truncated, so the full address is not shown for all networks, but I think all interfaces show the global address routes.

johnpoz

You wouldn't need to add a route for anything directly connected via pfsense.  But pfsense has to have a ULA address in that prefix on the interface connected to the network your using the ULA on.

If you just setup the RA to hand out the ula prefix, pfsense wouldn't have to have an actual ULA address that interface.. So yeah it  would try routing it out its default IPv6 gateway..

JKnott

I tried adding a virtual IPv6 address to the LAN interface and it shows in ifconfig.  I can ping it from the pfSense command shell, but not from another computer.  The RAs advertise the ULA network, but not the pfSense interface address.

JKnott

I tried setting up a static route, but the only choices for gateway were the WAN or loopback interfaces.  I couldn't select the actual interface.  When I select the loopback ::1, traceroute shows multiple lines of the firewall address.

Is it not possible to get pfSense to route ULA networks?  If not, that is a serious fault, as ULAs are just like RFC1918 IPv4 addresses, in that they can be routed, but not onto the Internet.  I have no problem routing IPv4 RFC1918 addresses properly.

JKnott

I set up the LAN interface as a gateway for the ULA address.  I can ping the interface ULA from my notebook, but pinging the desktop ULA displays "Time Exceeded: Hop limit" and traceroute6 shows the firewall repeatedly and not going beyond it.

Derelict

Just assign an interface address to the interface. It will be connected and therefore in the routing table. No gateways or static routes necessary. pfSense doesn't care if it is routable or ULA. It's just a subnet.

JKnott

@Derelict:

Just assign an interface address to the interface. It will be connected and therefore in the routing table. No gateways or static routes necessary. pfSense doesn't care if it is routable or ULA. It's just a subnet.

The LAN interface has both global and ULA addresses on it.  Global addresses work fine.  How do I assign a 2nd address?  I created the subnet on the RA page and even created an alias on the Virtual IPs page.  Ifconfig shows the virtual IP and I can ping it from the pfSense computer, but not from the desktop computer, which has both global and ULA addresses.  The virtual address on the pfSense computer is fd48:1a37:2160::1 and the desktop has fd48:1a37:2160:0:61af:b555:ad10:3fd2

When I ping from pfSense to the desktop, this is what I see.
ping6 fd48:1a37:2160:0:61af:b555:ad10:3fd2
PING6(56=40+8+8 bytes) fd48:1a37:2160::1 –> fd48:1a37:2160:0:61af:b555:ad10:3fd2

There is no response from the desktop.  If I have a static route configured, traceroute keeps cycling through the pfSense computer.  If I don't have a static route configured, it tries to go out to the 'net.

Also, Wireshark does not show any pings, in either direction.  However, the RA contains "ICMPv6 Option (Prefix information : fd48:1a37:2160::1/128)" and "ICMPv6 Option (Prefix information : fd48:1a37:2160::/64)" , so the router ULA address is being advertised.

Either I'm missing something, or ULA routing isn't working properly.  As I mentioned, IPv4 RFC1918 addresses route properly.

The desktop system is running openSUSE 42.3.

JKnott

Just to update, I have 3 interfaces as follows
LAN global and ULA
VLAN3 ULA only
LAN4 global only.

From the pfSense computer or a computer on LAN4, I cannot ping the ULA on the desktop on either LAN or VLAN3.  On the pfSense computer, I can ping it's own ULA on both LAN and VLAN3.

JKnott

Assigning a virtual IP on the LAN interface caused it to lose the global address.  There's definitely something wrong with the way pfSense handles ULA.

Derelict

IDK, man. I just did it and it worked fine.

DHCP WAN, Track Interface LAN, ULA IP Alias VIP /64 on LAN, Added ULA /64 as a subnet for RA on LAN, firewall rule passing all traffic from ULA::/64 on LAN, booted test VM:

pfSense LAN:
re0: flags=8843 <up,broadcast,running,simplex,multicast>metric 0 mtu 1500
options=80098 <vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate>ether fe:e0:54:6e:79:49
hwaddr fe:e0:54:6e:79:49
inet 172.25.233.1 netmask 0xffffff00 broadcast 172.25.233.255
inet6 2001:dead:beef:fd01:fce0:54ff:fe6e:7949 prefixlen 64
inet6 fe80::1:1%re0 prefixlen 64 scopeid 0x1
inet6 fd08:1e26:8fea:525b::1 prefixlen 64
nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (100baseTX <full-duplex>)
status: active

Test host interface:
derelict@Host-B1:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 9a:b3:de:87:fa:4b 
          inet addr:172.25.233.100  Bcast:172.25.233.255  Mask:255.255.255.0
          inet6 addr: fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b/64 Scope:Global
          inet6 addr: fe80::98b3:deff:fe87:fa4b/64 Scope:Link
          inet6 addr: 2001:dead:beef:fd01:98b3:deff:fe87:fa4b/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:205 errors:0 dropped:0 overruns:0 frame:0
          TX packets:122 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34081 (34.0 KB)  TX bytes:15844 (15.8 KB)

To pfSense LAN VIP:
derelict@Host-B1:~$ ping6 -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b fd08:1e26:8fea:525b::1
PING fd08:1e26:8fea:525b::1(fd08:1e26:8fea:525b::1) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=1 ttl=64 time=0.518 ms
64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=2 ttl=64 time=0.294 ms
64 bytes from fd08:1e26:8fea:525b::1: icmp_seq=3 ttl=64 time=0.684 ms

–- fd08:1e26:8fea:525b::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.294/0.498/0.684/0.161 ms

To the WAN address of upstream pfSense:
derelict@Host-B1:~$ ping6 -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b 2001:dead:beef:7fff::ed96:eec5
PING 2001:dead:beef:7fff::ed96:eec5(2001:dead:beef:7fff::ed96:eec5) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=1 ttl=64 time=0.524 ms
64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=2 ttl=64 time=0.287 ms
64 bytes from 2001:dead:beef:7fff::ed96:eec5: icmp_seq=3 ttl=64 time=0.320 ms

–- 2001:dead:beef:7fff::ed96:eec5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.287/0.377/0.524/0.104 ms

I don't have routing for that ULA from anything else.

Note this is a recent 2.4-RC since that's what my test environment is currently running.</full-duplex></performnud,auto_linklocal></vlan_mtu,vlan_hwtagging,vlan_hwcsum,linkstate></up,broadcast,running,simplex,multicast>

Derelict

And with NPt to an unused /64 on pfSense WAN:
derelict@Host-B1:~$ ping6 -n -c 3 -I fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b www.google.com
PING www.google.com(2607:f8b0:400e:c05::63) from fd08:1e26:8fea:525b:98b3:deff:fe87:fa4b : 56 data bytes
64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=1 ttl=46 time=59.6 ms
64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=2 ttl=46 time=83.8 ms
64 bytes from 2607:f8b0:400e:c05::63: icmp_seq=3 ttl=46 time=58.7 ms

–- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 58.704/67.398/83.847/11.640 ms

JKnott

I'll have to go through the stuff you provided, howerver I made some changes and did some more testing.  At the moment, the configuration is as follows:

LAN global & ULA
LAN4 ULA only
VLAN3 ULA only

The desktop computer has both LAN and VLAN3 configured and the notebook is on LAN4 only.

If I ping the laptop by forcing ping over VLAN3, it works.  However, when via LAN, no response.  Wireshark on the notebook shows both request and reply, but on the desktop, only the request.  From the pfSense computer, I can ping the notebook and the VLAN3 address of the desktop, but not the LAN address.  Wireshark does not show any ping requests from pfSense to the LAN interface  So, there is still something about the LAN interface that's causing problems.

I see you have a ULA address fd08:1e26:8fea:525b::1 on the LAN interface.  How did you put it there?  I do not have one.  I used a virtual IP last night, but this morning, the virtual IP was there, but the global address was gone.

The network ULA addresses are as follows:
LAN  fd48:1a37:2160:0::
VLAN3  fd48:1a37:2160:3::
LAN4  fd48:1a37:2160:4::

Netstat -r on pfSense shows:

fd48:1a37:2160:3:: link#8            U      bge0_vla
fd48:1a37:2160:3:: link#8            UHS        lo0
fd48:1a37:2160:4:: link#2            U          em0
fd48:1a37:2160:4:: link#2            UHS        lo0

Note there is no line for fd48:1a37:2160:0::.

There is also this on the WAN interface:

fd07:f798:3:16e::  link#3            U          re0
fd07:f798:3:4172:: link#3            U          re0

There are no other ULA addresses listed.  So, pfSense doesn't have a route to fd48:1a37:2160:0::.

JKnott

I think I found it.  I had to set the VIP prefix to /64.  Also, curious that the pfSense graphical admin doesn't show the 2nd address on either the dashboard or interface status.  Netstat -r does though.

johnpoz

"I had to set the VIP prefix to /64"

what else would you have set it too?