Netgate Discussion Forum
    DHCPv6 on multiple interfaces

    houseonfire

      First time exploring pfsense for home network.

      pfsense is an ESXi VM, with 3 interfaces: WAN, LAN and OPT. WAN and LAN have uplink ports but OPT without.

      Configured WAN to connect with DHCP and DHCPv6, prefix set to 60 and enabled "Send IPv6 prefix hint". LAN configured with static IPv4 and TRACK INTERFACE (v6), IPv6 interface is WAN and prefix ID 0. OPT configured similarly to LAN but with prefix ID 1. Everything works, STATUS > INTERFACES showing LAN obtained IPv4 and IPv6 (e.g. 2001:1111:1111:1111:...), IPv6 also available on OPT (e.g. 2001:1111:1111:1112:...).

      Enabled DHCPv6 server on interface LAN, "Prefix Delegation Size" 64, RA - Assisted, range ::1001 to ::10ff. A client laptop connected to the LAN port received IPv6 address 2001:1111:1111:1111::10xx. Then enabled DHCPv6 server on interface OPT, with settings similar to LAN.

      When I restart my laptop's network interface, the IPv6 address changes to 2001:1111:1111:1112::10xx; somehow the DHCPv6 server on OPT assigned the address to the laptop even though there is no physical uplink to this interface.

      If I only disable DHCPv6 on OPT and reset the laptop's network interface, the IPv6 address reverts back to 2001:1111:1111:1111::10xx. If I only disable DHCPv6 on LAN, the laptop doesn't get any IPv6 address (which is expected). I don't understand why the DHCPv6 server on OPT is able to serve up an address to the laptop, even though the laptop is connected to LAN and there is a DHCPv6 server on the LAN interface.

      My question is how to get DHCPv6 server on LAN interface to serve clients connected to LAN and ones connected to OPT (VMs) served by DHCPv6 server on OPT? I simply want to separate the two networks...

      By the way, DHCPv4 works fine, LAN handing out 10.x.x.x addresses to clients connected to LAN and OPT handing out 192.168.x.x addresses to clients connected to OPT.

      deet

        If I'm understanding your post correctly, I seem to have encountered something similar: devices on two separate, isolated subnets are getting addresses with prefixes from both subnets.

        I seem to have isolated it to radvd. If I disable the DHCPv6 server and set RA to "Unmanaged" on all interfaces, the issue still occurs: a client on my LAN subnet, which is on a separate interface from my GUESTLAN subnet, will wind up with multiple addresses, some with the LAN subnet prefix and some with the GUESTLAN subnet prefix. The result is some clients can connect and use IPv6 while some cannot, depending on how each OS determines which address is primary.

        Turning off RA for the GUESTLAN interface stops the behavior, but this is not a desirable solution.

        JKnott @deet

          @deet said in DHCPv6 on multiple interfaces:

          seem to have isolated it to radvd. If I disable the DHCPv6 server and set RA to "Unmanaged" on all interfaces, the issue still occurs: a client on my LAN subnet, which is on a separate interface from my GUESTLAN subnet, will wind up with multiple addresses, some with the LAN subnet prefix and some with the GUESTLAN subnet prefix.

          Any chance you have VLANs on a TP-Link switch? Some TP-Link gear does not handle VLANs properly and allows multicasts to cross from the VLAN to LAN? I have the same problem with my TP-Link access point.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          deet

            Actually yes, the GUESTLAN is on a VLAN, and I have other VLANs too.

            The switches here are all Ubiquiti. I have VLAN-only networks configured in what I understand to be The UniFi Way, so that all switches keep all tagged traffic tagged until it reaches a port assigned to a tagged network profile, where it will then be untagged as it leaves the port. I don't know of a way with UniFi to untag multiple networks on a single port.

            Everything else involving multicast and VLANs is working as expected with IPv4. The networks can't talk to each other over IPv4. Broadcast/multicast packets don't hop over interfaces. I'm not running Avahi or otherwise proxying mDNS. It doesn't seem like I've cross-connected cables or misconfigured the switches. The VLAN is tagged as it leaves the LAN interface on the pfSense machine and, as far as I can tell, remains tagged across the network. In fact, it should be untagged only in the wifi APs on the GUESTLAN SSID. And, again, everything is working as expected, with all the proper isolation as far as I can tell, except when it comes to RA.

            This thread is not very useful except that it seems to point to something similar:
            https://forum.netgate.com/topic/117118/slacc-bleedthrough-on-vlans

            I know opinions on UniFi vary, but I'm not aware of any issues with VLANs being untagged unexpectedly or other leakage, but I suppose I can pursue that.

            deet

              And here we are:

              https://community.ui.com/questions/IPv6-Router-Advertisement-leaking-to-untagged-VLAN/51ce1739-62cb-40e3-a018-f09cb84e0dd0#answer/1c496683-f66c-4131-b8d0-eb11485017ed

              I think this is what I'm seeing. Indeed, this is affecting only Windows clients. And indeed, the GUESTLAN VLAN is tagged on the LAN segment.

              Hmph. I shall try excluding the GUESTLAN from ports serving the affected systems and see if that helps.

              deet

                Excluding tagged VLANs from the ports serving the affected systems seems to have solved it.

                So, to recap:

                Problem: Certain clients, including Windows 10 devices with Realtek NICs, will see IPv6 router advertisements from tagged VLANs, even if they would not otherwise see the tagged traffic. In other words, they ignore any VLAN tags that might be present on IPv6 router advertisements.

                Symptom: Windows clients will configure IPv6 addresses from unexpected subnets.

                Solution: Ensure that no tagged traffic hits the NIC of the affected client.

                It seems I've inadvertently hijacked this thread, unless this was in fact what OP was seeing. I hope it's helpful.

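As an added example (not from this thread, and not pfSense or UniFi code), the following Python script checks for the condition deet recaps above: it parses raw Ethernet frames captured on the affected client and flags any ICMPv6 Router Advertisement that arrived with an 802.1Q tag on a port that should deliver untagged traffic only. If a host that sits on an access port still sees tagged RAs, the leak is upstream (switch or NIC driver), not in the DHCPv6/RA configuration. The frames, the VLAN ID 20 and the MAC addresses are constructed for the demo; the prefixes reuse the thread's example values.

```python
"""Flag IPv6 Router Advertisements that reach a host with an 802.1Q tag.

Added example, not from the forum thread. Frames below are constructed:
VLAN 20 and the MAC addresses are made up; the prefixes reuse the thread's
LAN (…:1111::/64) and OPT/GUESTLAN (…:1112::/64) examples.
"""
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_RA = 134          # Router Advertisement
OPT_PREFIX_INFO = 3      # RA "Prefix Information" option (RFC 4861)


def parse_frame(frame: bytes):
    """Return (vlan_id or None, [prefix/len, ...]) for an RA frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = tci & 0x0FFF                      # low 12 bits of the TCI are the VID
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV6:
        return None
    ip6 = frame[off:off + 40]
    if len(ip6) < 40 or (ip6[0] >> 4) != 6:
        return None
    payload_len, next_hdr = struct.unpack("!HB", ip6[4:7])
    if next_hdr != IPPROTO_ICMPV6:               # extension headers not handled here
        return None
    icmp = frame[off + 40:off + 40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        return None
    prefixes = []
    pos = 16                                     # RA fixed header is 16 bytes
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1]
        if olen == 0:                            # malformed option: stop, don't loop forever
            break
        if otype == OPT_PREFIX_INFO and olen == 4 and pos + 32 <= len(icmp):
            plen = icmp[pos + 2]
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{plen}")
        pos += olen * 8                          # option length is in units of 8 octets
    return vlan, prefixes


def find_leaked_ras(frames, allowed_vlans=frozenset({None})):
    """Return [(vlan, prefix)] for RAs carrying a VLAN the host should never see.

    The default (only None, i.e. untagged) models a client on an access port.
    """
    leaked = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        vlan, prefixes = parsed
        if vlan not in allowed_vlans:
            leaked.extend((vlan, p) for p in prefixes)
    return leaked


def build_ra(prefix: str, vlan=None) -> bytes:
    """Construct a minimal RA frame for testing (ICMPv6 checksum left as zero)."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address("fe80::1").packed
           + ipaddress.IPv6Address("ff02::1").packed + icmp)
    eth = bytes.fromhex("333300000001") + bytes.fromhex("0011223344aa")  # constructed MACs
    if vlan is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV6) + ip6
    return eth + struct.pack("!HHH", ETHERTYPE_VLAN, vlan, ETHERTYPE_IPV6) + ip6


# Constructed capture: an untagged LAN RA, a tagged GUESTLAN RA (VLAN 20) and an ARP frame.
ARP_FRAME = bytes.fromhex("ffffffffffff" "0011223344bb" "0806") + bytes(28)
SAMPLE_FRAMES = [
    build_ra("2001:1111:1111:1111::/64"),           # expected on the access port
    build_ra("2001:1111:1111:1112::/64", vlan=20),  # should have been stripped upstream
    ARP_FRAME,
]

if __name__ == "__main__":
    for vlan, prefix in find_leaked_ras(SAMPLE_FRAMES):
        print(f"tagged RA reached host: VLAN {vlan} advertises {prefix}")
```

On a real host, feed the function frames read from a pcap taken on the client's NIC (with the capture driver set to keep VLAN tags); an empty result on an access port means the switch is stripping tags as it should, while any hit names the VLAN and prefix that leaked.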
                JKnott @deet

                  @deet said in DHCPv6 on multiple interfaces:

                  Solution: Ensure that no tagged traffic hits the NIC of the affected client.

                  Since you have a managed switch, just put that client on an access port. Trunk ports should only be used when you need VLAN access, as would be the case for the computer running pfSense or the access point.

                  deet

                    Exactly right.

                    johnpoz (Layer 8 Global Moderator) @deet

                      @deet said in DHCPv6 on multiple interfaces:

                      isolated subnets are getting addresses with prefixes from both subnets.

                      Not possible!!! Your vlans are not isolated is your problem..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      JKnott @johnpoz

                        @johnpoz said in DHCPv6 on multiple interfaces:

                        Not possible!!! Your vlans are not isolated is your problem..

                        As anyone with certain TP-Link gear knows. However, I believe he identified the issue as due to the NIC drivers in Windows 10.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.