Accepting upstream RAs
-
Question: is it possible to configure a pfSense box with a static IPv6 address, but get it to pick up its default route from Router Advertisements from upstream router(s)?
I can see pfSense will do this when it picks up its WAN address via DHCP6 or SLAAC, but I want to configure a static WAN address whilst still accepting RAs [for redundancy/failover].
Googling for this, I've only been able to find information about how to set up pfSense to send RAs.
I also note there is a mode whereby pfSense can send RAs to clients which already have static IPs. I just can't work out how to configure pfSense to act in the opposite role.
Thanks!
-
I don't know about your ISP, but mine uses DHCPv6-PD to provide an address for pfSense. However, even that address is not used for routing, as the link local address is. Find out what your ISP provides and work with that. You can't just create an address and use that.
-
ISPs are not involved here.
Upstream of the Netgate XG1537 pair are two Mikrotik CCR1036-8G-2S+ routers which are part of our network and act as the BGP gateways to external networks. The address space on the network which connects Netgate to Mikrotik is our own RIPE space, so we statically assign all the IPs ourselves.
I don't really want to bring pfSense into OSPF/OSPF-v3 on the WAN side, at least not without a large amount of testing. And the intervening Netgear switches are mangling IPv6 CARP, which is a separate issue.
So the question I posed remains. Can I configure pfSense to accept Router Advertisements from upstream routers, or not?
-
@candlerb said in Accepting upstream RAs:
So the question I posed remains. Can I configure pfSense to accept Router Advertisements from upstream routers, or not?
Since it's behind another router, there's no need for RAs. Just manually configure the route, just as you would with IPv4. Configure IPv6 Upstream gateway to point the router it's behind.
-
As I said, there are two routers upstream.
-
@candlerb said in Accepting upstream RAs:
As I said, there are two routers upstream.
Just a thought - but what's different? Even if there are two upstreams - you only have one RIPE v6 delegation, don't you? So what's the problem in defining a static route to the pfSense WAN interface from both of them? Don't see the problem with that?
-
@candlerb said in Accepting upstream RAs:
As I said, there are two routers upstream.
Do you have to use two for redundancy? If so, you'll need a first hop redundancy protocol, such as Virtual Router Redundancy Protocol. Otherwise, just pick one router and use it.
-
The network looks like this:
ISP1 .-- ISP2 |bgp /bgp |bgp rtr1--' rtr2 | | -+-+----------+-+- | | fw1 -------- fw2 | sync |Our own address space is used on everything from rtr1/2 downwards.
fw1 and fw2 need an IPv6 default gateway. If rtr1 or rtr2 fails, I want traffic to continue flowing.
Therefore I repeat the original question: is it possible to configure fw1 and fw2 to accept Router Advertisements from rtr1 and rtr2? A simple "yes" or "no" will suffice.
However if the answer is "yes" I'd like to know where the config setting is, as I haven't been able to find it.
If the answer is "no", then I'll look at other options - such as configuring a gateway group and relying on gateway monitoring or somesuch.
-
While pfSense may be able to provide RAs on the WAN interface, though you'd have to configure it as a LAN interface, the other routers have to accept them. I suspect you're trying to create a custom solution, instead of using the proper method. This is what a first hop redundancy protocol is used for.
-
@JKnott: you've got my requirement upside-down.
I want the pfSense firewalls, on their WAN interface, to accept RAs from the upstream routers.
This is the normal behaviour for RAs. In fact, pfSense supports it if the WAN interface is configured dynamically using DHCP6 or SLAAC. I want to know if it's possible when the WAN interface is configured with a static IPv6 address.
Downstream, everything is fine:
fw1 fw2 | | -+---+----+- | server- I can configure pfSense to send RAs only (without offering SLAAC prefix or DHCP6)
- I can configure the server with a static IPv6 address
- I can configure the server to pick up its default route via RA (e.g. Linux:
accept_ra=1)
That all works fine. Now I need to do the same upstream, where the pfSense WAN is the "client" and the upstream routers send RAs.
You are right that I could instead use VRRP or CARP. The reasons not to do this are partly philosophical (IPv6 already provides this facility, in the form of Router Advertisements), and partly practical: the Netgear M4300-24X24F I'm using has a bug where it drops more than 90% of IPv6 CARP packets, which results in devices switching into MASTER-MASTER mode. (Aside: it also doubles IPv4 CARP packets. Go figure). I do have a case open with Netgear for this.
I know how networks work, so I'm trying to ask a specific question about pfSense from pfSense experts. The question is: if I configure pfSense WAN interface with a static IPv6 address, can it also be configured to accept Router Advertisements? "Yes" or "no" from someone who knows the answer, please.
