Virtual IPv6 addresses assigned to WAN seem to take precence over DHCPv6 address assigned to WAN on outbound traffic
-
Hi,
Not sure if this should be in IPv6, Packages -> FRR or here in General.
I am thinking of putting this into redmine as a bug but want to leave it here for a bit first to see if I am doing something weird.
Any assistance sanity checking this will be appreciated. My reputation in redmine is .. poor enough as it is LOL!
Setup is as follows:
WAN Interface receives IPv4 and IPv6 addresses via DHCP.
For example: 203.0.113.23/24 and 2001:db8:3000:6::52/64
We have FRR set up to do a BGP session with a peer over IPv6. The peer expects us to speak from the 2001:db8:3000:6::52/64 address assigned to our WAN interface. This is reflected in our BGP Neighbor configuration's "Local source of BGP Updates"
We announce a /48, for example 2001:db8:2005::/48
Up until this point, things work out OK. BGP session is eastablished, things work as expected.
Now we want to take a single address out of the announced prefix and be able to ping it on WAN (for monitoring). So we create a virtual IP address binding on WAN such as 2001:db8:2005:6::99/64
In 2.4.5x this worked. pfSense would use the address specified under the WAN interface, i.e. 2001:db8:3000:6::52 for outbound communication.
Since upgrading from 2.4.5 to 2.5.1 this fails. We see the BGP session "Active", not established. It seems to want to use the VIP 2001:db8:2005:6::99/64 for outbound communication. Chicken/egg situation, this address is not available until the BGP session is established. The BGP session must come from the primary WAN IP or it wont be accepted by the peer.
I can see this also when going into Diagnostics -> PING and try to ping IPv6 space from "WAN". I see it will come from 2001:db8:2005:6::99/64, not 2001:db8:3000:6::52/64. The WAN interface's IPv6 gateway, fe80::1 is showing as offline in dpinger.
In System -> Routing the default IPv6 GW is pinned as the fe80::1
Removing the VIP and rebooting will resolve it.
It worked in 2.4.5x. I cannot see anything in changelogs that would explain what is going wrong.
What was tried to resolve it:
- Change WAN IPv4 and IPv6 from DHCP to Static
- Upgrade from 2.5.1 Release to 2.5.2-beta
- Tried binding the VIP as 2001:db8:2005:6::99/128 instead of /64
- Checked Diagnostics -> Routes to see what default route pfSense thinks it has. It shows correctly:
IPv6 Routes
default fe80::1%vtnet0 UGS 37639 1500 vtnet0
fe80::1 56:aa:02:eb:78:32 UHS 0 1500 vtnet0
fe80::%vtnet0/64 link#1 U 3500 1500 vtnet0
fe80::1%vtnet0 56:00:02:eb:52:48 UHS 3350 1500 vtnet0
2001:db8:2005:6::99 link#1 UHS 3 16384 lo0Expected behavior:
When a static IPv6 address exists on WAN interface but some virtual IPv6 addresses also exist on WAN interface the primary IPv6 address should be used as default for outgoing communication.
Actual behavior:
It seems to randomly pick the IPv6 Virtual IP instead of the primary WAN IPv6 address from the ISP for outbound communication. This fails because the IP depends on the BGP session being successful. The BGP session cannot succeed because the Neighbor expects us to speak from our primary WAN address.
Edit: I wonder if THIS is what I am seeing.
-
This is targeted for CE-next in redmine but seems to have stalled. Does CE-Next mean 2.5.2 or 2.6.0 ?