VLAN members get assigned multiple IPv6 addresses



  • I'm having a bit of a weird problem.
    I'm running pfSense behind my ISP's router, which delegates IPv6 prefixes.

    I have one LAN interface and just created a VLAN.
    The IPv6s work fine for the LAN devices, however it's fairly odd on all the VLAN-devices.

    On the LAN, my devices get one IPv6 (two, if you count the temporary one), which is fine. Everything works.

    On the VLAN, my devices also get one (two) IPs. The ipv6-connection works fine at first. IPv6-test websites confirm that ipv6 is functioning normally.
    However, a few seconds later, the test-sites stop working altogether. All ipv6-tests fail. The addresses time out.
    When I go back to my network-device settings, I notice that instead of the original two, I now have four IPv6 addresses assigned. It remains at 4 from then on. And IPv6 connections fail permanently.
    When I disable/re-enable the network interface on my VLAN-devices, I'm back to two IPv6, but then a few seconds later, same thing happens.

    I'm not sure where those additional addresses come from. My LAN and VLAN settings are identical (except for the prefix ID of course).

    Configuration:
    WAN:
    IPv6 Configuration Type: DHCP6

    LAN:
    IPv6 Configuration Type: Track Interface
    IPv6 Interface: WAN
    IPv6 Prefix ID: 0

    VLAN10:
    IPv6 Configuration Type: Track Interface
    IPv6 Interface: WAN
    IPv6 Prefix ID: 1



  • @W5Ofwur1xtOmtk9ZBO

    Any chance you have a TP-Link managed switch? Some models have a problem where multicast packets leak between VLANs, which means devices will get addresses from the other VLANs. I have the same problem with my TP-Link access point.



  • @JKnott
    Yes, exactly.

    Is there anything I can do about this? It's the only switch that I have. Just bought it for this purpose. Unfortunately it was about a month ago now. So I can't return it.



  • @W5Ofwur1xtOmtk9ZBO said in VLAN members get assigned multiple IPv6 addresses:

    Is there anything I can do about this?

    About the only thing you can do is update the firmware, provided an update is available. Otherwise, you could turn the switch into a data tap, for monitoring networks with Wireshark. Those switches work reasonably well in that role.


  • LAYER 8 Global Moderator

    What is the exact model number and hardware version (v1, v2, v4, etc.)? If it's the TP-Link switch that JKnott and I have discussed quite a bit here, then if you're on v2 or below you're out of luck... But v3 did have some firmware that was supposed to fix the issue.

    Good luck - if not, put it on your shelf and get a better make. The Netgear and D-Link both do what they say, at the same price points.



  • @johnpoz I have the V4, but I'm already on the newest firmware (2018-11-30)



  • @W5Ofwur1xtOmtk9ZBO said in VLAN members get assigned multiple IPv6 addresses:

    @johnpoz I have the V4, but I'm already on the newest firmware (2018-11-30)

    Then I guess you'll have to get another make. As I mentioned, you have the makings of a data tap, which can come in handy if you're really into networking. Which model switch did you get?


  • LAYER 8 Global Moderator

    So it's still broken even in V4... Wow, what CRAP!!

    Go with Netgear or D-Link then - they both work as they should for VLAN isolation.

    You sure it's a problem in the device vs. your config? You removed, say, VLAN 1 from all the ports that you want in other VLANs? That is the problem with the older models and firmwares - you could not remove VLAN 1 from ports that you wanted in other VLANs. So pretty much you just had a dumb switch where all ports are in VLAN 1. And you could think you were doing tagging of VLAN X, etc.



  • Are you guys sure that it's the switch's fault? I'm still somewhat suspicious about the whole thing.

    I'm using a wifi-router as an AP on the VLAN. I don't understand how the IPv6 is leaking through that AP to my phone on that network.

    Then, I disabled IPv6 for the entire VLAN (in pfsense). But I still get an IPv6 and IPv6 DNS on the VLAN-device.

    Then, I disabled the IPv6 on the wifi router (AP), but I'm STILL getting an IPv6. I don't understand how the switch can force these IPs through all the way to my phone.


  • LAYER 8 Global Moderator

    No, not sure. You do understand that IPv6 can be autoconfigured by the device, right? And it could be just a link-local address.

    You're really going to need to show us how you have everything connected, a diagram, and what IPs you're getting that you think you shouldn't be getting.



  • @W5Ofwur1xtOmtk9ZBO said in VLAN members get assigned multiple IPv6 addresses:

    Are you guys sure that it's the switch's fault? I'm still somewhat suspicious about the whole thing.

    This is where Wireshark really comes in handy. You can look at the packets to see the VLAN tags, IP addresses, etc. Wireshark is an excellent tool for resolving network issues. PfSense has a built-in Packet Capture, but it's limited compared to Wireshark. One thing you might try, assuming you have VLANs configured on pfSense and a port on the switch configured for VLAN 10: if a computer running Wireshark is connected to that port, Wireshark should show only traffic intended for VLAN 10. If you see stuff, such as router advertisements, from other than VLAN 10, then you have that TP-Link problem. To do this, filter on ICMP6.


  • Galactic Empire

    Packet capture on the parent interface, download into Wireshark and set up a column for the VLAN ID like I mentioned in this post:

    https://forum.netgate.com/topic/145609/vlan-interface-on-wan-interface-not-tagging-frames/5


  • LAYER 8 Netgate

    Are the addresses being assigned out of the same /64 or /64s from different VLANs?

    Perfectly normal and expected for there to be multiple if not several IPv6 addresses on an interface, but they should all be inside the interface prefix.

    We know pfSense is tagging the traffic properly. The problem is that switch doesn't properly isolate broadcast (multicast) domains or is misconfigured.

    I would never use one of those switches in any network that mattered to me. I would use it for test stuff (like a tap, as mentioned) or throw it away.
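
The two checks suggested in this thread (looking for router advertisements from another VLAN on a VLAN 10 port, and checking whether a host's addresses sit in the same /64) can be scripted. The following is an added example, not code from any poster or from pfSense: the function names are hypothetical, the prefixes are constructed from the 2001:db8::/32 documentation range to stand in for Prefix ID 0 and 1, and the input is assumed to be the raw ICMPv6 message bytes already extracted from a capture.

```python
import ipaddress
import struct

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3  # Prefix Information option

def ra_prefixes(icmp6: bytes) -> list:
    """Return the prefixes advertised in one ICMPv6 Router Advertisement."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        return []
    found, pos = [], 16  # options follow the 16-byte RA header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            break  # malformed or truncated option: stop parsing
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            addr = ipaddress.IPv6Address(icmp6[pos + 16:pos + 32])
            found.append(ipaddress.IPv6Network((addr, icmp6[pos + 2]), strict=False))
        pos += opt_len
    return found

def leaked_prefixes(icmp6: bytes, expected: ipaddress.IPv6Network) -> list:
    """Prefixes in the RA that differ from the /64 expected on this VLAN."""
    return [p for p in ra_prefixes(icmp6) if p != expected]

def classify(addr: str, expected: ipaddress.IPv6Network) -> str:
    """Sort a host address: link-local, inside the interface prefix, or foreign."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_link_local:
        return "link-local"
    return "inside" if ip in expected else "foreign"

def build_ra(prefix: str) -> bytes:
    """Constructed sample: a minimal RA carrying one Prefix Information option."""
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return header + option + net.network_address.packed

if __name__ == "__main__":
    # Constructed prefixes from the documentation range, standing in for Prefix ID 0 and 1.
    lan = ipaddress.IPv6Network("2001:db8:abcd:ab00::/64")
    vlan10 = ipaddress.IPv6Network("2001:db8:abcd:ab01::/64")
    for ra in (build_ra(str(vlan10)), build_ra(str(lan))):
        print("leaked into VLAN 10:", leaked_prefixes(ra, vlan10))
    for a in ("fe80::1c2d:3eff:fe4f:5a6b", "2001:db8:abcd:ab01::25", "2001:db8:abcd:ab00::25"):
        print(a, "->", classify(a, vlan10))
```

A non-empty result from `leaked_prefixes` on a port that should carry only VLAN 10 matches the symptom described in the thread; a "foreign" address on the host is the same leak seen from the client side.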

