Netgate Discussion Forum

IPv4 & IPv6 VLAN tagging

L2/Switching/VLANs
  • P
    Peek
    last edited by Peek Jun 17, 2019, 11:41 AM Jun 17, 2019, 11:39 AM

    I've configured pfSense to be dual stacked as follows:

    WAN
    IPv4 - PPPOE as per ISP
    IPv6 - DHCP6 as per ISP

    The ISP provides a /56 IPV6 prefix 2001:2000:3000:0400::

    LAN
    IPV4 - Static - 192.168.0.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 0

    I then create 3 VLANs off the LAN interface.

    V10
    IPv4 - Static - 192.168.10.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 10

    V20
    IPV4 - Static - 192.168.20.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 20

    V30
    IPV4 - Static - 192.168.30.1 / 24
    IPv6 - Track Interface -> WAN & Prefix ID 30

    A DHCPv4 scope is defined for each IPV4 subnet
    RADV is set Assisted with router priority normal

    A client machine connected to a switch not supporting VLANs acquires ONLY a 192.168.0.x lease. Yet acquires IPv6 addresses for each (v)LAN:

    2001:2000:3000:0400::x
    2001:2000:3000:0410::x
    2001:2000:3000:0420::x
    2001:2000:3000:0430::x

    With VLANs being a Layer 2 construct and IPV4 and IPv6 being Layer 3, why is the client machine acquiring IPV6 prefixes (addresses) for every (v)lan?

    • J
      JKnott @Peek
      last edited by Jun 17, 2019, 2:58 PM

      @Peek said in IPv4 & IPv6 VLAN tagging:

      With VLANs being a Layer 2 construct and IPV4 and IPv6 being Layer 3, why is the client machine acquiring IPV6 prefixes (addresses) for every (v)lan?

      When in doubt, fire up Wireshark (or Packet Capture if you must) to see what's actually on the wire. Do the VLAN tags appear on the IPv6 RAs? Unless configured to accept VLANs, the client should not be getting those addresses.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • P
        Peek
        last edited by Jun 17, 2019, 3:02 PM

        @JKnott, all righty then. Will do. Any advice on how to analyse the data once captured? ...

        • J
          JKnott @Peek
          last edited by Jun 17, 2019, 3:15 PM

          @Peek said in IPv4 & IPv6 VLAN tagging:

          @JKnott, all righty then. Will do. Any advice on how to analyse the data once captured? ...

          Filter on ICMP6 to capture the RAs. Then, when examining the captures, you should see the VLAN tags. You can compare with the IPv4 DHCP packets to see any relevant difference.

          • N
            NogBadTheBad
            last edited by Jun 17, 2019, 3:37 PM

            @JKnott said in IPv4 & IPv6 VLAN tagging:

            When in doubt, fire up Wireshark (or Packet Capture if you must) to see what's actually on the wire. Do the VLAN tags appear on the IPv6 RAs? Unless configured to accept VLANs, the client should not be getting those addresses.

            Create a column in Wireshark and filter on vlan.id

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

            • J
              JKnott @NogBadTheBad
              last edited by Jun 17, 2019, 3:44 PM

              @NogBadTheBad said in IPv4 & IPv6 VLAN tagging:

              Create a column in Wireshark and filter on vlan.id

              That may be a bit premature, until he's sure there are VLAN tags on IPv6.

              One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere, although he said there was only an unmanaged switch. With some TP-Link gear, the multicasts leak from VLANs to the native LAN. If that happens, then the client will receive multiple RAs from the VLANs and have an address in those prefixes. This is exactly what I saw with my TP-Link access point.

              • N
                NogBadTheBad @JKnott
                last edited by Jun 17, 2019, 3:48 PM

                @JKnott said in IPv4 & IPv6 VLAN tagging:

                @NogBadTheBad said in IPv4 & IPv6 VLAN tagging:

                Create a column in Wireshark and filter on vlan.id

                That may be a bit premature, until he's sure there are VLAN tags on IPv6.

                One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere, although he said there was only an unmanaged switch. With some TP-Link gear, the multicasts leak from VLANs to the native LAN. If that happens, then the client will receive multiple RAs from the VLANs and have an address in those prefixes. This is exactly what I saw with my TP-Link access point.

                Yup ☺

                Just makes it easier trawling through the packet.

                Andy

                • P
                  Peek @JKnott
                  last edited by Jun 18, 2019, 11:14 PM

                  @JKnott said in IPv4 & IPv6 VLAN tagging:

                  One thing that keeps nagging me is the possibility there's a TP-Link managed switch in there somewhere

                  To be specific, it's an Intel NUC8i5BEH with Realtek 8153 USB3 connected to a Netgear GS208 unmanaged switch. Very basic virtualization home lab setup. Worked flawlessly with esxi, yet without ever attempting vlans. Only once on XCP-ng did vlans come into play.

                  However ... XCP-ng started to lose connectivity every so often. "Reconfiguring the Management Interface" on the console would resolve the issue instantly. (Better than having to restart every time) Disabling "TX Checksum Offloading" on pfSense as well as the virtual interfaces made no difference.

                  The disconnections became so irritating, that it was all burned and restarted from scratch. Yet even before reimplementing vlans again as to capture traffic, the disconnections came about in less than a minute.

                  I've thrown in the towel on XCP-ng and am contemplating KVM-Qemu ... Until that is running, I'll be back 😎

                  • J
                    JKnott @Peek
                    last edited by Jun 19, 2019, 1:13 AM

                    @Peek said in IPv4 & IPv6 VLAN tagging:

                    I've thrown in the towel on XCP-ng and am contemplating KVM-Qemu ...

                    Why didn't you mention you were running a virtual machine? That adds in another layer that might cause problems.

                    • P
                      Peek @JKnott
                      last edited by Jun 19, 2019, 2:37 AM

                      Apologies @JKnott, got redacted during the numerous drafts before posting. Yet I can say that I'm pondering the source of all drama to be the Realtek 8153 driver.

                      The setup worked flawlessly for a number of months on esxi. Only with XCP-ng has it become so messy.

                      Yet now I'm looking into compiling the latest RTL8153 driver. I'll be back to advise once that's completed.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.