IPv4 & IPv6 VLAN tagging
-
I've configured pfSense to be dual stacked as follows:
WAN
IPv4 - PPPOE as per ISP
IPv6 - DHCP6 as per ISPThe ISP provides a /56 IPV6 prefix 2001:2000:3000:0400::
LAN
IPV4 - Static - 192.168.0.1 / 24
IPv6 - Track Interface -> WAN & Prefix ID 0I then create 3 VLANs off the LAN interface.
V10
IPv4 - Static - 192.168.10.1 / 24
IPv6 - Track Interface -> WAN & Prefix ID 10V20
IPV4 - Static - 192.168.20.1 / 24
IPv6 - Track Interface -> WAN & Prefix ID 20V30
IPV4 - Static - 192.168.30.1 / 24
IPv6 - Track Interface -> WAN & Prefix ID 30A DHCPv4 scope is defined for each IPV4 subnet
RADV is set Assisted with router priority normalA client machine connected to an switch not supporting VLANs acquires ONLY an 192.168.0.x lease. Yet acquires IPv6 addresses for each (v)LAN:
2001:2000:3000:0400::x
2001:2000:3000:0410::x
2001:2000:3000:0420::x
2001:2000:3000:0430::xWith VLANs being a Layer 2 contruct and IPV4 and IPv6 being Layer 3, why is the client machine acquiring IPV6 prefixes (addresses) for every (v)lan ?
-
@Peek said in IPv4 & IPv6 VLAN tagging:
With VLANs being a Layer 2 contruct and IPV4 and IPv6 being Layer 3, why is the client machine acquiring IPV6 prefixes (addresses) for every (v)lan ?
When in doubt, fire up Wireshark (or Packet Capture if you must) to see what's actually on the wire. Do the VLAN tags appear on the IPv6 RAs? Unless configured to accept VLANs, the client should not be getting those addresses.
-
@JKnott , all righty then. Will do. Any advise on how to analyse the data once captured ? ...
-
@Peek said in IPv4 & IPv6 VLAN tagging:
@JKnott , all righty then. Will do. Any advise on how to analyse the data once captured ? ...
Filter on ICMP6 to capture the RAs. Then, when examining the captures, you should see the VLAN tags. You can compare with the IPv4 DHCP packets to see any relevant difference.
-
@JKnott said in IPv4 & IPv6 VLAN tagging:
When in doubt, fire up Wireshark (or Packet Capture if you must) to see what's actually on the wire. Do the VLAN tags appear on the IPv6 RAs? Unless configured to accept VLANs, the client should not be getting those addresses.
Create a column in Wireshark and filter on vlan.id
-
@NogBadTheBad said in IPv4 & IPv6 VLAN tagging:
Create a column in Wireshark and filter on vlan.id
That may be a bit premature, until he's sure there are VLAN tags on IPv6.
One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere, although he said there was only an unmanaged switch. With some TP-Link gear, the multicasts leak from VLANs to the native LAN. If that happens, then the client will receive multiple RAs from the VLANs and have an address in those prefixes. This is exactly what I saw with my TP-Link access point.
PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access pointI haven't lost my mind. It's around here...somewhere...
-
@JKnott said in IPv4 & IPv6 VLAN tagging:
@NogBadTheBad said in IPv4 & IPv6 VLAN tagging:
Create a column in Wireshark and filter on vlan.id
That may be a bit premature, until he's sure there are VLAN tags on IPv6.
One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere, although he said there was only an unmanaged switch. With some TP-Link gear, the multicasts leak from VLANs to the native LAN. If that happens, then the client will receive multiple RAs from the VLANs and have an address in those prefixes. This is exactly what I saw with my TP-Link access point.
Yup
Just makes it easier trawling through the packet.
-
@JKnott said in IPv4 & IPv6 VLAN tagging:
One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere
To be specific, it's an Intel NUC8i5BEH with Realtek 8153 USB3 connected to an Netgear GS208 unmanaged switch. Very basic virtualization home lab setup. Worked flawlessly with esxi, yet without ever attempting vlans. Only once on XCP-ng did vlans come into play.
However ... XCP-ng started to loose connectivity every so often. "Reconfiguring the Management Interface" on the console would resolve the issue instantly. (Better than having to restart every time) Disabling "TX Checksum Offloading" on pfSense as well as the virtual interfaces made no difference.
The disconnections became so irritating, that it was all burned and restarted from scratch. Yet even before reimplementing vlans again as to capture traffic, the disconnections came about in less than a minute.
I've thrown in the towel on XCP-ng and is contemplating KVM-Qemu ... Until that is running, I'll be back
-
@Peek said in IPv4 & IPv6 VLAN tagging:
I've thrown in the towel on XCP-ng and is contemplating KVM-Qemu ...
Why didn't you mention you were running a virtual machine? That adds in another layer that might cause problems.
-
Apologies @JKnott , got redacted during the numerous drafts before posting. Yet I can say that I'm pondering the source off all drama to be the Realtek 8153 driver.
The setup worked flawlessly for a number of months on esxi. Only with XCP-ng has it became so messy.
Yet now I'm looking into compiling the lastest RTL8153 driver. I'll be back to advise once that's completed.
