
    turn IPv6 off on interfaces or at least disable advertising default routes

      helmlein last edited by helmlein

      First things first: I would like to do IPv6 PD with TNSR, but at this time, it's not implemented.

      I therefore need a second router on the client network for IPv6 (PD and SLAAC advertising), and that's where the problems start.

      I am getting advertised default routes on the clients for IPv6 pointing to the local fe80 IPv6 addresses of the TNSR interfaces, and I can't delete them on the clients; they keep reappearing. I have not yet TCPDUMPed the exact behaviour but would like to turn either IPv6 off on the respective TNSR interfaces (which can't be done using "no ipv6 address"; the local link IPv6 address will be kept) or, failing that, turn off IPv6 completely (if it can't be done right, it shouldn't be done at all). But in the present state, TNSR interfaces are somehow messing up IPv6 in my networks.

      Has anyone got a suggestion or experienced similar behaviour?

      Kind regards

      Martin

        helmlein @helmlein last edited by helmlein

        edit/add:

        Indeed, TNSR sends out IPv6 router advertisements, and while it doesn't advertise a default route technically, the client (in this case OpenBSD) adds a default route for it:

        12:20:35.552319 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
        12:20:35.552321 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
        
        tnsr tnsr#  show inte RADIO 
        Interface: RADIO
            Description: RADIO VLAN 3
            Admin status: up
            Link up, link-speed 10 Gbps, unknown duplex
            Link MTU: 1500 bytes
            MAC address: 3c:ec:ef:38:33:f7
            NAT inside
            IPv4 MTU: 0 bytes
            IPv4 Route Table: ipv4-VRF:0
            IPv4 addresses:
                192.168.3.1/24
            IPv6 MTU: 0 bytes
            IPv6 Route Table: ipv6-VRF:0
            IPv6 addresses:
                fe80::3eec:efff:fe38:33f7/64
            VLAN tag rewrite: disable
            Rx-queues
                queue-id 0 : cpu-id 1
            counters:
              received: 8076506222 bytes, 14028807 packets, 0 errors
              transmitted: 32340497834 bytes, 26720262 packets, 0 errors
              protocols: 12845112 IPv4, 240047 IPv6
              1188334 drops, 22 punts, 0 rx miss, 0 rx no buffer
        

        Can this be turned off? If so, how?

          Derelict LAYER 8 Netgate @helmlein last edited by

          @helmlein Yes, it should not be sending RAs.

          The workaround at the moment is to disable IPv6.

          As root on the host shell:
          echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/50-noipv6.conf
          echo net.ipv6.conf.default.disable_ipv6=1' >> /etc/sysctl.d/50-noipv6.conf
          dp-exec sysctl -p /etc/sysctl.d/50-noipv6.conf

          Then restart the dataplane ((config)# service dataplane restart) or reboot.

            helmlein @Derelict last edited by helmlein

            @derelict Thanks; it's a bit sad TNSR can't do IPv6 PD yet, but at least the workaround (BTW the ' needs to be removed from your echo statement in line 2) stops it from sending RAs.

            It would be nice if the RAs could be turned off per interface without disabling the whole IPv6 stack; that can, e.g., be done in VyOS or in EdgeOS.

            As I'm on the homelab edition I can't really complain; thanks for the quick fix!

            M.

              Derelict LAYER 8 Netgate @helmlein last edited by

              @helmlein It is not intended to be this way and there is an open bug on the RA. DHCP6 features are simply not implemented yet.
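Added example, not part of the thread and not Netgate's code: a shell check that lists which link-local sources send router advertisements in tcpdump text output (the format shown in the thread) and maps each EUI-64 source address back to a MAC, which is how fe80::3eec:efff:fe38:33f7 ties to the RADIO interface's 3c:ec:ef:38:33:f7. The function names, the extra capture lines and the "expected router" MAC are assumptions made for illustration.

```shell
# Added example: find RA senders in tcpdump text and identify them by MAC.

# Map an EUI-64 link-local address to its MAC; status 1 if it is not one.
# Only the fe80::a:b:c:d form (four written groups) is handled.
eui64_to_mac() {
    printf '%s\n' "$1" | awk -F: '
        NF != 6 || $1 != "fe80" || $2 != "" { exit 1 }
        {
            hex = ""
            for (i = 3; i <= 6; i++) {
                g = tolower($i)
                if (g !~ /^[0-9a-f]+$/ || length(g) > 4) exit 1
                hex = hex substr("0000", 1, 4 - length(g)) g  # restore leading zeros
            }
            if (substr(hex, 7, 4) != "fffe") exit 1           # no ff:fe filler
            # Flip the universal/local bit (0x02) in the first byte.
            nib = substr("23016745ab89efcd", index("0123456789abcdef", substr(hex, 2, 1)), 1)
            printf "%s%s:%s:%s:%s:%s:%s\n", substr(hex, 1, 1), nib, substr(hex, 3, 2),
                substr(hex, 5, 2), substr(hex, 11, 2), substr(hex, 13, 2), substr(hex, 15, 2)
        }'
}

# Print "source count" for every RA sender seen in tcpdump text on stdin.
ra_senders() {
    awk '/icmp6: router advertisement/ { n[$2]++ }
         END { for (s in n) print s, n[s] }' | sort
}

# ra_report "MAC [MAC ...]" < capture: flag senders not in the expected list.
ra_report() {
    allowed=" $1 "
    ra_senders | while read -r src count; do
        mac=$(eui64_to_mac "$src") || mac=unknown   # e.g. non-EUI-64 addresses
        case "$allowed" in *" $mac "*) verdict=expected ;; *) verdict=UNEXPECTED ;; esac
        printf '%s %s %s %s\n' "$src" "$count" "$mac" "$verdict"
    done
}

# First two lines are from the thread; the rest are constructed sample data.
sample_capture() {
    cat <<'EOF'
12:20:35.552319 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
12:20:35.552321 fe80::3eec:efff:fe38:33f7 > ff02::1: icmp6: router advertisement
12:20:41.100200 fe80::20c:29ff:fe12:3456 > ff02::1: icmp6: router advertisement
12:20:42.300400 fe80::1234:56ff:fe78:9abc > ff02::2: icmp6: router solicitation
EOF
}

# 00:0c:29:12:34:56 stands in for the intended IPv6 router (constructed value).
sample_capture | ra_report "00:0c:29:12:34:56"
```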
