    VLAN members get assigned multiple IPv6 addresses

    • S
      Sector8899 last edited by

      I'm having a bit of a weird problem.
      I'm running pfSense behind my ISP's router, which delegates IPv6 prefixes.

      I have one LAN interface and just created a VLAN.
      The IPv6s work fine for the LAN devices, however it's fairly odd on all the VLAN-devices.

      On the LAN, my devices get one IPv6 (two, if you count the temporary one), which is fine. Everything works.

      On the VLAN, my devices also get one (two) IPs. The IPv6 connection works fine at first. IPv6 test websites confirm that IPv6 is functioning normally.
      However, a few seconds later, the test sites stop working altogether. All IPv6 tests fail. The addresses time out.
      When I go back to my network-device settings, I notice that instead of the original two, I now have four IPv6 addresses assigned. It remains at 4 from then on. And IPv6 connections fail permanently.
      When I disable/re-enable the network interface on my VLAN-devices, I'm back to two IPv6, but then a few seconds later, same thing happens.

      I'm not sure where those additional addresses come from. My LAN and VLAN settings are identical (except for the prefix ID of course)

      Configuration:
      WAN:
      IPv6 Configuration Type: DHCP6

      LAN:
      IPv6 Configuration Type: Track Interface
      IPv6 Interface: WAN
      IPv6 Prefix ID: 0

      VLAN10:
      IPv6 Configuration Type: Track Interface
      IPv6 Interface: WAN
      IPv6 Prefix ID: 1

      • JKnott
        JKnott @Sector8899 last edited by

        @W5Ofwur1xtOmtk9ZBO

        Any chance you have a TP-Link managed switch? Some models have a problem where multicast packets leak between VLANs, which means devices will get addresses from the other VLANs. I have the same problem with my TP-Link access point.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • S
          Sector8899 @JKnott last edited by

          @JKnott
          yes, exactly.

          Is there anything I can do about this? It's the only switch that I have. Just bought it for this purpose. Unfortunately it was about a month ago now, so I can't return it.

          • JKnott
            JKnott @Sector8899 last edited by

            @W5Ofwur1xtOmtk9ZBO said in VLAN members get assigned multiple IPv6 addresses:

            Is there anything I can do about this?

            About the only thing you can do is update the firmware, provided an update is available. Otherwise, you could turn the switch into a data tap, for monitoring networks with Wireshark. Those switches work reasonably well in that role.

            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              What is the exact model number and hardware version (v1, 2, v4, etc.)? If it's the TP-Link switch me and JKnott had discussed quite a bit here, if you're v2 or below you're out of luck... But v3 did have some firmware that was supposed to fix the issue.

              Good luck - if not, put it on your shelf and get a better make. The Netgear and D-Link both do what they say and are at the same price points.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 22.05 | Lab VMs CE 2.6, 2.7

              • S
                Sector8899 @johnpoz last edited by

                @johnpoz I have the V4, but I'm already on the newest firmware (2018-11-30)

                • JKnott
                  JKnott @Sector8899 last edited by

                  @W5Ofwur1xtOmtk9ZBO said in VLAN members get assigned multiple IPv6 addresses:

                  @johnpoz I have the V4, but I'm already on the newest firmware (2018-11-30)

                  Then I guess you'll have to get another make. As I mentioned, you have the makings of a data tap, which can come in handy if you're really into networking. Which model switch did you get?

                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by

                    So it's still broken even in V4... Wow what CRAP!!

                    Go with Netgear or D-Link then - they both work as they should for VLAN isolation.

                    You sure it's a problem in the device, vs. your config - you removed, say, VLAN 1 from all your ports that you want in other VLANs? That is the problem with the older models and firmwares - you could not remove VLAN 1 from ports that you wanted in other VLANs. So pretty much you just had a dumb switch where all ports are in VLAN 1. And you could think you were doing tagging of VLAN X, etc.

                    • S
                      Sector8899 last edited by

                      Are you guys sure that it's the switch's fault? I'm still somewhat suspicious about the whole thing.

                      I'm using a wifi-router as an AP on the VLAN. I don't understand how the IPv6 is leaking through that AP to my phone on that network.

                      Then, I disabled IPv6 for the entire VLAN (in pfSense). But I still get an IPv6 and IPv6 DNS on the VLAN device.

                      Then, I disabled the IPv6 on the wifi router (AP), but I'm STILL getting an IPv6. I don't understand how the switch can force these IPs through all the way to my phone.

                      • johnpoz
                        johnpoz LAYER 8 Global Moderator last edited by

                        No, not sure... You do understand that IPv6 can be auto-configured by the device, right, and it could be just a link-local address.

                        You're really going to need to show us how you have everything connected, a diagram, and what IPs you're getting that you think you shouldn't be getting.

                        • JKnott
                          JKnott @Sector8899 last edited by

                          @W5Ofwur1xtOmtk9ZBO said in VLAN members get assigned multiple IPv6 addresses:

                          Are you guys sure that it's the switch's fault? I'm still somewhat suspicious about the whole thing.

                          This is where Wireshark really comes in handy. You can look at the packets to see the VLAN tags, IP addresses, etc. Wireshark is an excellent tool for resolving network issues. PfSense has a built-in Packet Capture, but it's limited compared to Wireshark. One thing you might try, assuming you have VLANs configured on pfSense and a port on the switch configured for VLAN 10: if a computer running Wireshark is connected to that port, Wireshark should show only traffic intended for VLAN 10. If you see stuff, such as router advertisements, from other than VLAN 10, then you have that TP-Link problem. To do this, filter on ICMP6.

                          • NogBadTheBad
                            NogBadTheBad last edited by

                            Packet capture on the parent interface, download into wireshark and set up a column for the vlan id like I mentioned in this post:-

                            https://forum.netgate.com/topic/145609/vlan-interface-on-wan-interface-not-tagging-frames/5

                            Andy

                            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                            • Derelict
                              Derelict LAYER 8 Netgate last edited by

                              Are the addresses being assigned out of the same /64 or /64s from different VLANs?

                              Perfectly normal and expected for there to be multiple if not several IPv6 addresses on an interface, but they should all be inside the interface prefix.

                              We know pfSense is tagging the traffic properly. The problem is that switch doesn't properly isolate broadcast (multicast) domains or is misconfigured.

                              I would never use one of those switches in any network that mattered to me. I would use it for test stuff (like a tap, as mentioned) or throw it away.

                              Chattanooga, Tennessee, USA
                              The pfSense Book is free of charge!
                              DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)
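
The check suggested in the replies above (look for router advertisements that do not belong to the VLAN, and confirm host addresses sit inside the interface prefix), as an added example that is not part of the original thread. The function names and the `2001:db8::/32` documentation prefixes are assumptions; the sample frames are constructed, with prefix ID 0 standing for LAN and prefix ID 1 for VLAN10.

```python
import ipaddress
import struct

def ra_prefixes(frame):
    """Return (vlan_id or None, [prefixes]) if frame is an ICMPv6 Router Advertisement, else None."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == 0x8100:                        # 802.1Q tag: TCI, then the real ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    icmp = frame[off + 40:]                        # fixed IPv6 header is 40 bytes
    if ethertype != 0x86DD or len(icmp) < 16 or frame[off + 6] != 58 or icmp[0] != 134:
        return None                                # not IPv6/ICMPv6/RA (extension headers not walked)
    prefixes, opts = [], icmp[16:]                 # options follow the 16-byte RA header
    while len(opts) >= 2 and opts[1] > 0:
        length = opts[1] * 8                       # option length is in units of 8 bytes
        if opts[0] == 3 and length == 32 and len(opts) >= 32:   # Prefix Information option
            prefixes.append(ipaddress.IPv6Network((opts[16:32], opts[2]), strict=False))
        opts = opts[length:]
    return vlan, prefixes

def foreign_prefixes(frames, expected):
    """Prefixes advertised in RAs that fall outside the /64 expected on this port."""
    seen = set()
    for frame in frames:
        parsed = ra_prefixes(frame)
        if parsed:
            seen.update(p for p in parsed[1] if not p.subnet_of(expected))
    return seen

def outside_prefix(addresses, expected):
    """Host addresses that are neither link-local nor inside the interface prefix."""
    addrs = [ipaddress.IPv6Address(a) for a in addresses]
    return [str(a) for a in addrs if not a.is_link_local and a not in expected]

def build_ra(prefix, vlan=None):
    """Constructed sample frame (checksum left at 0): one RA carrying one prefix option."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + opt
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes.fromhex("333300000001" "020000000001") + tag + struct.pack("!H", 0x86DD) + ip6 + icmp

# Constructed capture on a VLAN 10 access port: the LAN's RA (prefix ID 0) shows up as well.
VLAN10 = ipaddress.IPv6Network("2001:db8:0:1::/64")
CAPTURE = [build_ra("2001:db8:0:1::/64"), build_ra("2001:db8:0:0::/64")]
if __name__ == "__main__":
    print(foreign_prefixes(CAPTURE, VLAN10))
    print(outside_prefix(["fe80::1", "2001:db8:0:1::a", "2001:db8::a"], VLAN10))
```

A non-empty result from either function means the port is seeing, or the host has configured itself from, another VLAN's router advertisement.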
