Netgate Discussion Forum

Router Advertisements on interfaces it is not configured

  • P
    pox
    last edited by Sep 11, 2017, 7:32 PM

    I have a lan interface and a vlan.20 interface. I configured IPv6 RA on the lan interface.
    When I connect on vlan.20, where no RA is configured (vlan.20 does not even have an IPv6 address), I get the RA ICMPv6 packets with the RA information.
    Is this correct? Is this as designed? Can I somehow block them? I don't want IPv6 on that vlan (for now).

    • J
      JKnott
      last edited by Sep 11, 2017, 7:39 PM

      Where are you seeing this?  A trunk port?  Access port on VLAN 20?  Are you using Wireshark?

      If looking at a trunk port, Wireshark will show both native and VLAN traffic.  You have to examine the packets to see if there's an 802.1q tag.  If there is, then it's on the VLAN.  If there isn't, it's not.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by Sep 11, 2017, 7:40 PM

        You would not get info from lan on your vlan.20 unless it's not configured correctly in your switching environment… i.e. if connected to a dumb switch that doesn't have your vlan.20 set up on it to isolate the layer 2 networks.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • P
          pox
          last edited by Sep 11, 2017, 8:08 PM

          @JKnott:

          Where are you seeing this?  A trunk port?  Access port on VLAN 20?  Are you using Wireshark?

          If looking at a trunk port, Wireshark will show both native and VLAN traffic.  You have to examine the packets to see if there's an 802.1q tag.  If there is, then it's on the VLAN.  If there isn't, it's not.

          Strange. I am connecting with my laptop to a wireless access point on an SSID configured with VLAN id 20. The AP is connected to pfSense on a trunk port (vlan.30 and lan are also configured on that same ethernet port).
          I see the RA ICMPv6 packets with wireshark on my laptop when connected on vlan.20. I am quite sure I am on vlan.20, because all firewall rules I configured on that vlan work (for example I can't access the router web interface - from lan I can, and from vlan.20 not).
          In wireshark I don't see the 802.1q tag. That's because that is only on the wire between the AP and pfsense, right?

          • P
            pox
            last edited by Sep 11, 2017, 8:11 PM

            @johnpoz:

            You would not get info from lan on your vlan.20

            I do :)

            @johnpoz:

            unless it's not configured correctly in your switching environment… i.e. if connected to a dumb switch that doesn't have your vlan.20 set up on it to isolate the layer 2 networks.

            No, there is no dumb switch involved here. Just a vlan aware wireless access point and pfsense. Any idea on how to debug this?

            • J
              JKnott
              last edited by Sep 11, 2017, 8:54 PM

              In wireshark I don't see the 802.1q tag. That's because that is only on the wire between the AP and pfsense, right?

              That depends.  If it's connected to an access port that's configured for VLAN 20, yes.  I would assume that would also apply to an access point, except I know better.  My own TP-Link access point does not properly separate the VLAN from native LAN and stuff from the LAN leaks onto the SSID for the VLAN.  Any chance you have a TP-Link access point?

              What do you see when you connect to the trunk port?  You should see native LAN traffic, without the VLAN tags and whatever VLANs you have enabled, with appropriate VLAN tags.  Do you see the RAs in the VLAN 20 frames?

              One other thing, does your notebook run Linux?  If so, it's easy to set up a VLAN on it.  Then Wireshark can be used to view only what's on the VLAN.  Not so easy (as in usually impossible) to do with Windows.

              • P
                pox
                last edited by Sep 11, 2017, 9:04 PM

                @JKnott:

                That depends.  If it's connected to an access port that's configured for VLAN 20, yes.  I would assume that would also apply to an access point, except I know better.  My own TP-Link access point does not properly separate the VLAN from native LAN and stuff from the LAN leaks onto the SSID for the VLAN.  Any chance you have a TP-Link access point?

                It is a TP-Link AP! The EAP245.
                You are the best, really.

                @JKnott:

                What do you see when you connect to the trunk port?  You should see native LAN traffic, without the VLAN tags and whatever VLANs you have enabled, with appropriate VLAN tags.  Do you see the RAs in the VLAN 20 frames?

                I will try this. I can not do this now, but I suspect you already know the answer :)

                @JKnott:

                One other thing, does your notebook run Linux?  If so, it's easy to set up a VLAN on it.  Then Wireshark can be used to view only what's on the VLAN.  Not so easy (as in usually impossible) to do with Windows.

                Will try it. But if I connect to the trunk port, and see the correct vlan tags on the ethernet frames, and no RAs with 802.1q tags, I know the AP is the problem.

                • D
                  Derelict LAYER 8 Netgate
                  last edited by Sep 11, 2017, 9:08 PM

                  My own TP-Link access point does not properly separate the VLAN from native LAN and stuff from the LAN leaks onto the SSID for the VLAN.

                  Capital-U Ugly. Another quality product from TP-Link.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • J
                    JKnott
                    last edited by Sep 11, 2017, 9:16 PM

                    @Derelict:

                    My own TP-Link access point does not properly separate the VLAN from native LAN and stuff from the LAN leaks onto the SSID for the VLAN.

                    Capital-U Ugly. Another quality product from TP-Link.

                    And capital -GLY!  ;)

                    I believe it was johnpoz who mentioned a TP-Link managed switch also has problems with VLANs.  I have one of those too, but I just use it for port mirroring with Wireshark.  It works OK for that.  I suspect the TP-Link engineers don't really understand the concept of VLANs.

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Sep 11, 2017, 9:32 PM

                      The problem is you can not remove vlan 1 from any of the interfaces.. At least not in the cheaper tp-link "smart" switches..  Did you change the pvid on the ports in your other vlans?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • P
                        pox
                        last edited by Sep 11, 2017, 9:39 PM

                        @johnpoz:

                        The problem is you can not remove vlan 1 from any of the interfaces.. At least not in the cheaper tp-link "smart" switches..  Did you change the pvid on the ports in your other vlans?

                        I don't have port vlans. The AP has only one ethernet port. And on that port is just tagged and untagged traffic. The vlan ids I use are 20 and 30.

                        • J
                          JKnott
                          last edited by Sep 11, 2017, 9:43 PM

                          @johnpoz:

                          The problem is you can not remove vlan 1 from any of the interfaces.. At least not in the cheaper tp-link "smart" switches..  Did you change the pvid on the ports in your other vlans?

                          I assume you're talking to me.  As I don't use VLANs on that switch, I'm not worried about that problem.  I only use that TP-Link switch for monitoring traffic.  I did this by configuring port 1 to mirror 2 and plugging a computer running Wireshark into port 1.

                          • J
                            JKnott
                            last edited by Sep 11, 2017, 9:46 PM

                            I don't have port vlans. The AP has only one ethernet port. And on that port is just tagged and untagged traffic. The vlan ids I use are 20 and 30.

                            Unplug the cable from the access point and plug it into the notebook where you're running Wireshark.  Look for the frames that include VLAN 20 tags to see if they contain RAs.  Until you look there, we can't be sure of what's happening.

                            • P
                              pox
                              last edited by Sep 12, 2017, 6:40 PM

                              @pox:

                              @JKnott:

                              What do you see when you connect to the trunk port?  You should see native LAN traffic, without the VLAN tags and whatever VLANs you have enabled, with appropriate VLAN tags.  Do you see the RAs in the VLAN 20 frames?

                              I will try this. I can not do this now, but I suspect you already know the answer :)

                              Did it. The ICMPv6 packets don't have the vlan tag.
                              So the problem is not pfSense sending advertisements on the wrong interface, but the TP-Link router passing vlan tagged packets on an untagged lan.

                              Any idea on how I could fix this without buying a new AP?
                              It's not that big of a problem really, those packets do no harm. It's just traffic that should not be there…

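The trunk-port check JKnott describes (look at the frames carrying VLAN 20 tags and see whether any of them are RAs) and the result pox reports, as an added example that is not from this thread: a small Python parser that reads raw Ethernet frames, pulls the 802.1Q VLAN id out of the tag, and counts ICMPv6 Router Advertisements (type 134) per VLAN. The frames below are constructed inline rather than captured; feeding it a real capture would need a pcap reader such as scapy or dpkt, which is not shown.

```python
import struct

ETHERTYPE_VLAN = 0x8100            # 802.1Q tag follows the source MAC
ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134  # RFC 4861 Router Advertisement type


def parse_frame(frame: bytes) -> dict:
    """Return the 802.1Q VLAN id (None when untagged) and whether the frame is an RA."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF           # low 12 bits of the TCI carry the VID
        offset = 18
    is_ra = False
    if ethertype == ETHERTYPE_IPV6 and len(frame) >= offset + 41:
        next_header = frame[offset + 6]   # IPv6 header byte 6
        icmp_type = frame[offset + 40]    # first byte after the 40-byte IPv6 header
        is_ra = (next_header == NEXT_HEADER_ICMPV6
                 and icmp_type == ICMPV6_ROUTER_ADVERTISEMENT)
    return {"vlan_id": vlan_id, "is_ra": is_ra}


def ra_vlans(frames) -> dict:
    """Count Router Advertisements per VLAN id; None is the untagged (native) LAN."""
    counts = {}
    for frame in frames:
        info = parse_frame(frame)
        if info["is_ra"]:
            counts[info["vlan_id"]] = counts.get(info["vlan_id"], 0) + 1
    return counts


def build_frame(vlan_id, icmpv6_type: int) -> bytes:
    """Build a minimal Ethernet/IPv6/ICMPv6 frame for the demo (constructed, checksum left zero)."""
    dst = bytes.fromhex("333300000001")  # ff02::1 all-nodes multicast MAC
    src = bytes.fromhex("0a0000000001")  # constructed router MAC
    icmp = bytes([icmpv6_type, 0]) + b"\x00" * 14  # type, code, checksum, 12-byte RA body
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, 255)
    ip6 += bytes.fromhex("fe80000000000000" "0800000000000001")  # constructed link-local src
    ip6 += bytes.fromhex("ff020000000000000000000000000001")     # dst ff02::1
    tag = b"" if vlan_id is None else struct.pack("!HH", ETHERTYPE_VLAN, vlan_id)
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


# Constructed stand-in for the trunk-port capture: RAs only on the untagged LAN,
# ordinary ICMPv6 (echo request, neighbor solicitation) on vlan.20 and vlan.30.
SAMPLE_CAPTURE = [
    build_frame(None, ICMPV6_ROUTER_ADVERTISEMENT),
    build_frame(20, 128),
    build_frame(30, 135),
    build_frame(None, ICMPV6_ROUTER_ADVERTISEMENT),
]

if __name__ == "__main__":
    for vid, n in ra_vlans(SAMPLE_CAPTURE).items():
        label = "untagged LAN" if vid is None else f"VLAN {vid}"
        print(f"{label}: {n} router advertisement(s)")
```

If RAs show up only under the None (untagged) key, the router is tagging correctly and the leak onto the VLAN SSIDs is happening on the AP side, which is the conclusion the thread reaches.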
                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by Sep 12, 2017, 6:45 PM

                                "but the TP-Link router passing vlan tagged packets on an untagged lan."

                                What specific tp-link device do you have - make and model.. And how do you have it all connected together?  What configs do you have on its ports for vlans and tags?

                                • P
                                  pox
                                  last edited by Sep 12, 2017, 6:53 PM

                                  @johnpoz:

                                  "but the TP-Link router passing vlan tagged packets on an untagged lan."

                                  What specific tp-link device do you have - make and model.. And how do you have it all connected together?  What configs do you have on its ports for vlans and tags?

                                  TP-Link router is wrong: it's a TP-Link EAP245 Access Point.
                                  The AP is connected with ethernet to pfSense. On the pfSense side that ethernet port is configured as an interface for

                                  • lan: untagged traffic

                                  • vlan.20

                                  • vlan.30

                                  lan has IPv6 configured with a static IPv6 address. RA is configured on that interface. All other interfaces are IPv4 only.

                                  On the AP there are 3 configured SSIDs:

                                  • SSID1: no vlan tag specified

                                  • SSID2: vlan id 20

                                  • SSID3: vlan id 30

                                  If I connect to Wireless SSID2, I get the ICMPv6 router advertisements from lan.

                                  • D
                                    Derelict LAYER 8 Netgate
                                    last edited by Sep 12, 2017, 7:04 PM

                                    About the only suggestion I can make on the pfSense side is to also tag the LAN interface, but if the TP-Link AP requires management to be untagged (as so many do) that will probably not be possible.

                                    Or, maybe, make a special management interface that is untagged to the AP with no RA enabled and a separate LAN interface that is tagged with the RA on it.

                                    Just thinking of ways that might possibly work around that broken AP.

                                    Personally, I would discard/return it and get something that works.

                                    • J
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by Sep 12, 2017, 7:17 PM

                                      "If I connect to Wireless SSID2, I get the ICMPv6 router advertisements from lan."

                                      And what happens when you connect to SSID3?  Are you also seeing lan RAs?

                                      According to the main site for that eap245 it states
                                      "Supports management VLAN for an enhanced network management"

                                      Have to look at the manual.. But yeah if the traffic is tagged going into the AP it sure and the F should not send the RAs out a vlan SSID..

                                      Are you doing anything with the captive portal of the AP?  Curious if that might have something to do with it??  Are you running the firmware I show on their site? EAP245(US)_V1_161116  says it has fixed some bugs ;)

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      • P
                                        pox
                                        last edited by Sep 12, 2017, 7:16 PM

                                        @johnpoz:

                                        "If I connect to Wireless SSID2, I get the ICMPv6 router advertisements from lan."

                                        And what happens when you connect to SSID3?  Are you also seeing lan RAs?

                                        Yes, the same.

                                        • J
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by Sep 12, 2017, 7:27 PM

                                          ok check this out from their manual..

                                          http://static.tp-link.com/1910012212_EAP_UG.pdf

                                          Wireless VLAN ID: Set a VLAN ID for the wireless network. It supports maximum 8 VLANs per frequency band.
                                          With this feature, the EAP can work together with the switches supporting 802.1Q VLAN. The EAP adds different VLAN tags to the clients which are connected to the corresponding wireless network. The clients in different VLANs cannot directly communicate with each other. VLAN 0 means that the EAP does not add any VLAN tag to the clients which are connected to this wireless network.

                                          Note: Clients connected to the EAP via Ethernet cable do not belong to any VLAN. Thus wired client can communicate with all the wireless clients despite the VLAN settings.

                                          From that I take this AP is just plain borked!!!  And doesn't care what tags you send into the thing..
