Netgate Discussion Forum
    Multiple IPv6 capable connections

    • J
      jsphgttgns
      last edited by

      Hi!

      I am trying to do some kind of load balancing for IPv6 traffic in a LAN, where I have several WAN dual stack connections.

      As described here in other posts, the static link local value fe80::1:1 seems to be a current problem for some configurations.

      (1) IPv4 multi WAN on the same pfSense box works out of the box, but there can be only a single IPv6 LAN, i.e. the second NIC cannot hand off its net to local devices and the LAN adapter doesn't even configure itself for IPv6.

      (2) Using two separate pfSense boxes allows the LAN adapters to be configured independently, but the common fe80::1:1 does not select the right physical gates for some connections, such that some packets are routinely sent in the wrong direction.

      (3) Using two separate pfSense boxes, where one box uses SLAAC and the other one a static IPv6 address from the pool of the first box, results in successful pings and reachability, but that doesn't seem to allow any routing. Probably because routers must be advertised, if I understood other comments correctly.

      What can I do?

      As far as I am concerned, I'd like to hear that sooner or later the link local addresses would be unique, such that "poor man's" load balancing would work out of the box, :).

      JKnottJ 1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott @jsphgttgns
        last edited by

        @jsphgttgns

        Are those multiple WAN connections from the same provider? Or do you have your own prefix independent of your ISP? If not, it's difficult to do proper load balancing. About all you could do is have some clients connect to one WAN and others connect to other WANs and that can get messy. As you mentioned, that link local address issue will be a problem. As discussed in another thread, that's a fault with pfSense or perhaps FreeBSD.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        J 1 Reply Last reply Reply Quote 0
        • J
          jsphgttgns @JKnott
          last edited by

          @JKnott said in Multiple IPv6 capable connections:

          Are those multiple WAN connections from the same provider?

          Yes, they are.

          Or do you have your own prefix independent of your ISP?

          No, I am using the prefixes supplied by the ISP as requested by the IPv4 setup.

          About all you could do is have...

          Well, that's what I am currently doing, but with 4 ISP connections that's a pain in the neck.

          Maybe I should check whether a plain FreeBSD box allows setting the link local address manually.

          IsaacFLI 1 Reply Last reply Reply Quote 0
          • IsaacFLI
            IsaacFL @jsphgttgns
            last edited by

            I believe this to be an implementation issue in pfSense.

            I did a little checking and OPNsense (also based on FreeBSD/HardenedBSD) appears to use SLAAC addresses on the interfaces so they are each unique.

            Also, according to their forum, they are supposed to have multi-WAN IPv6 in their release planned for July.

            I haven't tried to actually use OPNsense, so I can't verify for myself that it actually works.

            I will go ahead and open a bug on the hard coded link local address. I have resisted before, since I don't have a multiple WAN situation and can't test it.

            IsaacFLI J 2 Replies Last reply Reply Quote 0
            • IsaacFLI
              IsaacFL @IsaacFL
              last edited by

              I created Bug #10586. Will see when they have time to address it. It could be that there are "reasons" why they did it this way.

              JKnottJ 1 Reply Last reply Reply Quote 0
              • JKnottJ
                JKnott @IsaacFL
                last edited by

                @IsaacFL

                There's a reason they'd violate the RFC??? Duplicate Address Detection is mandatory with IPv6.


                1 Reply Last reply Reply Quote 1
                • J
                  jsphgttgns @IsaacFL
                  last edited by

                  @IsaacFL said in Multiple IPv6 capable connections:

                  I did a little checking and OPNsense ...

                  My routers are virtualized anyway, so I might test the current OPNsense version over the weekend without too much hassle.

                  JKnottJ 1 Reply Last reply Reply Quote 0
                  • JKnottJ
                    JKnott @jsphgttgns
                    last edited by

                    @jsphgttgns

                    I'm running 2.4.5 and don't see DAD with it.


                    J 1 Reply Last reply Reply Quote 0
                    • J
                      jsphgttgns @JKnott
                      last edited by

                      @JKnott
                      I've set up the latest OPNsense 20.1 version, but haven't looked at IPv6 yet. Might take some time. My pfSense boxes are all 2.4.5 and there is obviously no DAD.

                      IsaacFLI 1 Reply Last reply Reply Quote 0
                      • IsaacFLI
                        IsaacFL @jsphgttgns
                        last edited by

                        @jsphgttgns

                        If you look at /etc/inc/interfaces.inc

                        You will see the following:

                        function interface_track6_configure($interface = "lan", $wancfg, $linkupevent = false) {
                        	global $config, $g;
                        
                        	if (!is_array($wancfg)) {
                        		return;
                        	}
                        
                        	if (!isset($wancfg['enable'])) {
                        		return;
                        	}
                        
                        	/* If the interface is not configured via another, exit */
                        	if (empty($wancfg['track6-interface'])) {
                        		return;
                        	}
                        
                        	/* always configure a link-local of fe80::1:1 on the track6 interfaces */
                        	$realif = get_real_interface($interface);
                        	$linklocal = find_interface_ipv6_ll($realif, true);
                        	if (!empty($linklocal) && $linklocal != "fe80::1:1%{$realif}") {
                        		mwexec("/sbin/ifconfig {$realif} inet6 {$linklocal} delete");
                        	}
                        	/* XXX: This might break for good on a carp installation using link-local as network ips */
                        	/* XXX: Probably should remove? */
                        	mwexec("/sbin/ifconfig {$realif} inet6 fe80::1:1%{$realif}");
                        
                        

                        Maybe you could manually change the address to fe80::1:2 on one box in this file and see if it sticks?

                        I couldn't find it anywhere else.

                        JKnottJ J 2 Replies Last reply Reply Quote 0
                        • JKnottJ
                          JKnott @IsaacFL
                          last edited by

                          @IsaacFL

                          Still, DAD is mandatory on IPv6. Why is pfSense not doing it?

                          Here's what RFC 4862 says:
                          Duplicate Address Detection MUST be performed on all unicast
                          addresses prior to assigning them to an interface, regardless of
                          whether they are obtained through stateless autoconfiguration,
                          DHCPv6, or manual configuration, with the following exceptions:

                          The update RFC 7527 says there are a couple of exceptions, but those wouldn't apply here.

                          Perhaps one option for this situation would be to allow another address to be set.


                          1 Reply Last reply Reply Quote 0
                          • J
                            jsphgttgns @IsaacFL
                            last edited by

                            @IsaacFL said in Multiple IPv6 capable connections:

                            /etc/inc/interfaces.inc

                            It looks as if fe80::1:1 gets statically enforced. So changing the 2nd box might work to see whether there are other problems. The OPNsense code is different here, but I haven't read all relevant interface files so far.

                            1 Reply Last reply Reply Quote 0
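A way to confirm the symptom discussed in this thread from a LAN host: group Router Advertisement sources by the MAC that sent them and flag any link-local address announced by more than one router. This is an added example, not code from any poster or from pfSense; the input is a constructed sample in the style of `tcpdump -e -n icmp6` output, the function names are illustrative, and the EUI-64 address it suggests per router is only one possible unique choice, not what OPNsense is confirmed to use.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n icmp6` (not a real capture).
SAMPLE = """\
12:00:01.000001 00:0c:29:aa:bb:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::1:1 > ff02::1: ICMP6, router advertisement, length 56
12:00:04.000002 00:0c:29:cc:dd:02 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::1:1 > ff02::1: ICMP6, router advertisement, length 56
12:00:09.000003 00:0c:29:ee:ff:03 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 110: fe80::20c:29ff:feee:ff03 > ff02::1: ICMP6, router advertisement, length 56
"""

# Source MAC (from -e) and IPv6 source address of each Router Advertisement.
LINE = re.compile(
    r"^\S+ (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+ ethertype IPv6 .*?: "
    r"(?P<src>[0-9a-f:]+) > \S+ ICMP6, router advertisement", re.I)


def ra_sources(text):
    """Map each link-local RA source address to the set of MACs sending from it."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            addr = ipaddress.IPv6Address(m["src"])
            if addr.is_link_local:
                seen[addr].add(m["mac"].lower())
    return seen


def conflicts(seen):
    """Link-local addresses claimed by more than one MAC on the same link."""
    return {str(a): sorted(macs) for a, macs in seen.items() if len(macs) > 1}


def eui64_link_local(mac):
    """Modified EUI-64 link-local address for a MAC (RFC 4291, Appendix A)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def report(text):
    """For each conflicting address, list the routers and a unique alternative."""
    return {addr: {mac: eui64_link_local(mac) for mac in macs}
            for addr, macs in conflicts(ra_sources(text)).items()}


if __name__ == "__main__":
    print(report(SAMPLE))
```
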
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.