4. IPv4 & IPv6 VLAN tagging

IPv4 & IPv6 VLAN tagging


  • I've configured pfSense to be dual stacked as follows:

    WAN
    IPv4 - PPPOE as per ISP
    IPv6 - DHCP6 as per ISP

    The ISP provides a /56 IPV6 prefix 2001:2000:3000:0400::

    LAN
    IPV4 - Static - 192.168.0.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 0

    I then create 3 VLANs off the LAN interface.

    V10
    IPv4 - Static - 192.168.10.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 10

    V20
    IPV4 - Static - 192.168.20.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 20

    V30
    IPV4 - Static - 192.168.30.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 30

    A DHCPv4 scope is defined for each IPV4 subnet
    RADV is set Assisted with router priority normal

    A client machine connected to an switch not supporting VLANs acquires ONLY an 192.168.0.x lease. Yet acquires IPv6 addresses for each (v)LAN:

    2001:2000:3000:0400::x
    2001:2000:3000:0410::x
    2001:2000:3000:0420::x
    2001:2000:3000:0430::x

    With VLANs being a Layer 2 contruct and IPV4 and IPv6 being Layer 3, why is the client machine acquiring IPV6 prefixes (addresses) for every (v)lan ?

    0 1 Reply

  • @Peek said in IPv4 & IPv6 VLAN tagging:

    With VLANs being a Layer 2 contruct and IPV4 and IPv6 being Layer 3, why is the client machine acquiring IPV6 prefixes (addresses) for every (v)lan ?

    When in doubt, fire up Wireshark (or Packet Capture if you must) to see what's actually on the wire. Do the VLAN tags appear on the IPv6 RAs? Unless configured to accept VLANs, the client should not be getting those addresses.

    0

  • @JKnott , all righty then. Will do. Any advise on how to analyse the data once captured ? ...

    0 1 Reply

  • @Peek said in IPv4 & IPv6 VLAN tagging:

    @JKnott , all righty then. Will do. Any advise on how to analyse the data once captured ? ...

    Filter on ICMP6 to capture the RAs. Then, when examining the captures, you should see the VLAN tags. You can compare with the IPv4 DHCP packets to see any relevant difference.

    0
  • N
    Galactic Empire

    @JKnott said in IPv4 & IPv6 VLAN tagging:

    When in doubt, fire up Wireshark (or Packet Capture if you must) to see what's actually on the wire. Do the VLAN tags appear on the IPv6 RAs? Unless configured to accept VLANs, the client should not be getting those addresses.

    Create a column in Wireshark and filter on vlan.id

    0 1 Reply

  • @NogBadTheBad said in IPv4 & IPv6 VLAN tagging:

    Create a column in Wireshark and filter on vlan.id

    That may be a bit premature, until he's sure there are VLAN tags on IPv6.

    One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere, although he said there was only an unmanaged switch. With some TP-Link gear, the multicasts leak from VLANs to the native LAN. If that happens, then the client will receive multiple RAs from the VLANs and have an address in those prefixes. This is exactly what I saw with my TP-Link access point.

    0
    N
     2 Replies
  • N
    Galactic Empire

    @JKnott said in IPv4 & IPv6 VLAN tagging:

    @NogBadTheBad said in IPv4 & IPv6 VLAN tagging:

    Create a column in Wireshark and filter on vlan.id

    That may be a bit premature, until he's sure there are VLAN tags on IPv6.

    One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere, although he said there was only an unmanaged switch. With some TP-Link gear, the multicasts leak from VLANs to the native LAN. If that happens, then the client will receive multiple RAs from the VLANs and have an address in those prefixes. This is exactly what I saw with my TP-Link access point.

    Yup ☺

    Just makes it easier trawling through the packet.

    0

  • @JKnott said in IPv4 & IPv6 VLAN tagging:

    One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere

    To be specific, it's an Intel NUC8i5BEH with Realtek 8153 USB3 connected to an Netgear GS208 unmanaged switch. Very basic virtualization home lab setup. Worked flawlessly with esxi, yet without ever attempting vlans. Only once on XCP-ng did vlans come into play.

    However ... XCP-ng started to loose connectivity every so often. "Reconfiguring the Management Interface" on the console would resolve the issue instantly. (Better than having to restart every time) Disabling "TX Checksum Offloading" on pfSense as well as the virtual interfaces made no difference.

    The disconnections became so irritating, that it was all burned and restarted from scratch. Yet even before reimplementing vlans again as to capture traffic, the disconnections came about in less than a minute.

    I've thrown in the towel on XCP-ng and is contemplating KVM-Qemu ... Until that is running, I'll be back 😎

    0 1 Reply

  • @Peek said in IPv4 & IPv6 VLAN tagging:

    I've thrown in the towel on XCP-ng and is contemplating KVM-Qemu ...

    Why didn't you mention you were running a virtual machine? That adds in another layer that might cause problems.

    0 1 Reply

  • Apologies @JKnott , got redacted during the numerous drafts before posting. Yet I can say that I'm pondering the source off all drama to be the Realtek 8153 driver.

    The setup worked flawlessly for a number of months on esxi. Only with XCP-ng has it became so messy.

    Yet now I'm looking into compiling the lastest RTL8153 driver. I'll be back to advise once that's completed.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy