Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPv6 Alias Stacked with CARP Interface.

    IPv6
    2
    4
    592
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      The Sky Heart
      last edited by

      Hi Guys,

      in pfsense document it's mentioned:
      If multiple subnets are required on a single interface with HA, this may be accomplished using IP Aliases. As with the main interface IP addresses, we recommend each firewall have an IP address inside the additional subnet, for a total of at least three IPs per subnet. Separate IP alias entries must be added to each node inside the new subnet, ensuring that their subnet masks match the actual subnet mask for the new subnet. IP alias VIPs that are directly on an interface do not sync, so this is safe.

      this works very well with IPv4, but not with IPv6.

      I have 2 pfsense boxes installed on Dell R430 Server, and I have a /32 IPv6 Subnet assigned by RIPE and we are announcing this subnet from our juniper router, what I'm trying to achieve is assign /48 IPv6 to customers behind the pfsense boxes.

      here is my setup.

      Master:

      WAN IPv6: xxxx:4f20:0:2::41/64
      WAN CARP: xxxx:4f20:0:2::1/64 VHID 201

      V1050 IPv6: xxxx:4f20:10::2/48
      V1050 CARP: xxxx:4f20:10::1/48 VHID 202
      this is a VLAN interface.

      Backup:

      WAN IPv6: xxxx:4f20:0:2::42/64

      V1050 IPv6: xxxx:4f20:10::3/48
      this is a VLAN interface.

      until here everything works fine, I can reach xxxx:4f20:10::1 from outside and I can assign IP's in that subnet to hosts and everything works.

      now I want to add a second /48 subnet on the same CARP VHID 202 let's say xxxx:4f20:11::/48, so I added xxxx:4f20:11::1/48 as an IP Alias stacked to the CARP interface for V1050, but when I do that I can't reach xxxx:4f20:12::1 from outside.

      as I mentioned I have the same setup with IPv4 on the same boxes with nearly 130 /24 subnet's all public IP's, I normally also add a static route for the subnet but when I do that for IPv6 all hosts behind pfsense boxes looses connectivity until I restart the box.

      the only error in logs I see when adding the CARP IP Alias is this
      ifa_maintain_loopback_route: insertion failed for interface ix3.1050: 17

      I'm really not sure what i'm missing, or if i'm doing it correct cause IPv4 works perfectly and i'm not sure if the same applies to IPv6.

      any help or ideas would be much appreciated.

      Thanks

      1 Reply Last reply Reply Quote 0
      • T
        The Sky Heart
        last edited by

        sorry I forgot to mention that I'm using pfsense 2.4.2-RELEASE-p1 (amd64)

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          So you're trying to assign /48 prefixes out of your /32 to inside hosts?

          You don't add a /48 to an interface.  Upstream should route the /32 to the existing CARP VIP. You then use DHCPv6 or some other method (like static routes) to route longer prefixes (like /48) to inside destinations.

          Moving to IPv6 forum.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10000 words and 15 conference calls.
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • T
            The Sky Heart
            last edited by

            Hi Derelict,

            Thanks a lot for your reply,

            as I mentioned we announce this subnet and I have full control over the routes, I also do have a static route to route the whole /32 prefix to the WAN CARP VIP, the idea is that I don't want to use DHCP6, when a customer needs an IPv6 Subnet what I do is just add the first IP of that subnet as an IP Alias Stacked with the V1050 CARP VIP, and that IP will also be the Gateway for the customer who will use this subnet.

            after digging more seems it's not a routing or setup problem, it's actually a firewall rules issue, it seems that pfsense doesn't add the IPv6 IP Aliases to the auto created Aliases, i'm not sure if anyone had this issue but if no one open a bug report about it then I will do it.

            here is what happens, I do have IN and OUT rules configured
            on WAN:
            Protocol: IPv4+6
            Source: any
            Destination: V1050 net    –--> this suppose to include any IP that is assigned to V1050 interface including IP Aliases, and it's an Auto Alias created by pfsense.

            on V1050 I have a firewall rules to allow all traffic.

            so basically what ever IPv6 IP Alias you add to V1050 interface you should reach it, but this doesn't work cause the V1050 net Alias doesn't include that new IP Alias, I added a new firewall rule on WAN to allow traffic to that new IP Alias and I was able to to reach it.

            Best Regards

            1 Reply Last reply Reply Quote 0
            • First post
              Last post