Netgate Discussion Forum

    External access point ipv6 mystery

    13 Posts 3 Posters 1.0k Views
    • stefj

      I'm trying to put into use the access point features of my ISP router that I switched to bridge mode and am using as a modem for my pfsense installation.

      Using this recipe, I'm connecting the modem back to pfsense via the same cable that I'm using for the pppoe connection, as an extra opt interface in a different subnet than my main lan.

      And using this recipe, I get access to its interface from my lan devices. And -to my utter disbelief- it works perfectly fine. For the most part.

      My main lan is in the 192.168.1.0/24 space. The isp router is at 192.168.0.1/24 and I can access it from lan. I turned off all routing features on it, dhcp servers and what not, and enabled just the wireless ssid. A dhcp server on pfsense is handling any devices connected to the ssid, giving them 192.168.0.0/24 addresses and internet connectivity through firewall rules.

      All this is working perfectly. The problems start when I also enable ipv6 dhcp/ra on this opt interface.

      The devices connecting to the ssid are getting ipv6 addresses. I can ping -6 back and forth no problem. But I can't pass any ipv6 online tests and internet connectivity overall becomes intermittent and slow. I'm assuming this last part is happening because the device is prioritizing ipv6 over ipv4 and ipv6 doesn't work.

      Should say here that

      • The opt interface connecting to the router is getting a valid ipv6 prefix and passes ping/tracert diagnostics from pfsense side no problem.
      • The router could give working ipv6 through wifi prior to the bridge conversion.
      • The devices failing to pass ipv6 tests through this connection, can pass them no problem through any other connection.
      • ipv6 works fine on the other pfsense interfaces

      So, what's going on here? I have no idea what's causing this.
      And while it's not a big deal and I can live just fine without ipv6 on that ssid, it's the why that's driving me crazy.
      Any ideas for science?

      • JKnott @stefj

        @stefj

        No idea, other than it may have something to do with your unusual connection. WiFi works fine here, on both main and guest SSID. I'm using a proper stand alone AP.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • stefj @JKnott

          @jknott

          Can't be that unusual if there's official recipes for doing it. I just followed the guides in the documentation.

          Surely I'm not the first one to try this connection. Hoping somebody who's doing something similar can give me any clues to figure out if it's a bug with pfsense or the cpe. Or maybe I'm just missing something in my configuration, though I can't think of anything.

          • johnpoz LAYER 8 Global Moderator @stefj

            @stefj said in External access point ipv6 mystery:

            I'm trying to put into use the access point features of my ISP router

            That recipe is for using some wifi router that you're no longer using for your actual internet as just an AP.. Sounds like to me you're trying to leverage the isp gateway as your wifi, while still using it for access to the internet as a modem.. That is not really what that recipe is for.

            The recipe of just using any old wifi router you have laying about as just an AP works fine.. But that is not what it sounds like to me you're doing.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • stefj @johnpoz

              @johnpoz said in External access point ipv6 mystery:

              @stefj said in External access point ipv6 mystery:

              I'm trying to put into use the access point features of my ISP router
              

              That recipe is for using some wifi router that you're no longer using for your actual internet as just an AP.. Sounds like to me you're trying to leverage the isp gateway as your wifi, while still using it for access to the internet as a modem.. That is not really what that recipe is for.

              The recipe of just using any old wifi router you have laying about as just an AP works fine.. But that is not what it sounds like to me you're doing.

              Yep, that's what I'm doing pretty much and I see nothing wrong with it, especially since it works. That isp router is placed in a central location and has 8 ssids dualband wifi5. Would be a shame to let it go to waste.

              So the question is why it works with ipv4 but not with ipv6.

              Got plenty of other downstream access points to cover the area and it's no problem running that one in ipv4 only or even not at all. That's not the issue. My question is for science. I can't stand not knowing why something doesn't work.

              • stefj @stefj

                And to clarify further, I'd be totally fine with it not working at all. Wasn't expecting it to be working when I tried. Was actually shocked that it did.

                But now that it does, it seems crazy that it would work in ipv4 but not ipv6. That's illogical, right? What's the catch?

                • JKnott @stefj

                  @stefj

                  I don't know about your modem but, with mine, WiFi is not available in bridge mode.

                  • stefj @JKnott

                    @jknott said in External access point ipv6 mystery:

                    @stefj

                    I don't know about your modem but, with mine, WiFi is not available in bridge mode.

                    I'm using port binding to bind the bridge connection to the lan port where pfsense is connected for pppoe.
                    So the rest of the lan ports and the 8 ssids are free to work as a switch essentially.

                    Anything I connect on the router, be it through the free lan ports or the ssids, is picked up by pfsense's dhcp server and given an appropriate and working ipv4.

                    I imagine the same would be true for any cheap modem/router that has more than 1 port, since they work as an unmanaged switch basically.

                    • johnpoz LAYER 8 Global Moderator @stefj

                      @stefj Again if you're taking your "isp" device that you are currently using to access the internet with - and trying to leverage that in any way shape or form connected to the public internet as some form of AP with bridging setup on it - and bridging through pfsense? That is a horrible horrible idea!

                      The old wifi you're using as AP should be behind pfsense, and completely isolated from your ISP L2 network..

                      If you want to use some old wifi router as just an AP - completely isolated from the public internet since it's behind pfsense.. That is fine and secure - but sure sounds like to me you've taken your isp device, put it into bridge mode, and then also bridging in pfsense.. Which could expose your L2 network to the public internet..

                      • stefj @johnpoz

                        @johnpoz said in External access point ipv6 mystery:

                        @stefj Again if you're taking your "isp" device that you are currently using to access the internet with - and trying to leverage that in any way shape or form connected to the public internet as some form of AP with bridging setup on it - and bridging through pfsense? That is a horrible horrible idea!

                        The old wifi you're using as AP should be behind pfsense, and completely isolated from your ISP L2 network..

                        If you want to use some old wifi router as just an AP - completely isolated from the public internet since it's behind pfsense.. That is fine and secure - but sure sounds like to me you've taken your isp device, put it into bridge mode, and then also bridging in pfsense.. Which could expose your L2 network to the public internet..

                        I'm not doing any interface/port bridging. I simply converted the router to bridge mode for pfsense to do pppoe through it.

                        Soon as I did that and pfsense got connected, pfsense told me that there's no need to use that nic port exclusively for the wan pppoe interface. And it offered me the option to reuse that same nic port as a different opt interface. I added it as interface opt3, gave it a different static ip than the wan interface ip and it worked.

                        Two different interfaces with different static ipv4 and different ipv6 prefixes through the same ethernet cable on the same nic port. I assume the reason this is possible, is because my pppoe connection is using vlan 835 to connect to the isp, so it's essentially a vlan.

                        And then I found the two official guides mentioned above that seemed to describe this scenario and I went with it.

                        If you think this poses a security risk, I'd appreciate some ideas on how to test for it.

                        • johnpoz LAYER 8 Global Moderator @stefj

                          @stefj So that wifi network, now your private network is attached through a bridge on your isp device.. So its connected to the public internet.

                          Do you trust it to be isolated? I wouldn't - so your wifi network that while pfsense might treat it as isolated network.. It still actually has a leg in the isp network through your isp device.

                          I personally would not do that.. To me amounts to just running some different L3 network on the same L2 network as your isp network..

                          Sniff on the interface - are you seeing say arp and other broadcast traffic on pfsense opt interface in promiscuous mode? That is not from your devices?

                          While it's "possible" your isp device keeps the rest of the isp network L2 network isolated from the wifi L2 network - I personally wouldn't trust that.. But sniff for a while and see what you see.. Maybe you're ok.. But if that is the case and it really is an isolated L2 then your ipv6 should work just like your IPv4..

                          • stefj @johnpoz

                            @johnpoz

                            I did some snooping around and couldn't find any leaks. My snooping abilities range from terrible to inexistent though, so my inability to find a hole does not mean it's not there.

                            For now I decided to decommission the AP, as I'm not comfortable not knowing why it behaves this way and it's not worth the security risk. You guys win.

                            But my curiosity won't leave it be. I'll get another modem to stick in front of pfsense and have a go at figuring out what's wrong with this one in a more controlled environment when time permits.

                            • johnpoz LAYER 8 Global Moderator @stefj

                              Using it as just an AP behind pfsense will be fine - and then sure be able to look into sure.

                              As to sniffing - on pfsense, do a packet capture on your opt interface you were using for wireless. In promiscuous mode.. set it for just arp on the protocol

                              Do you see arp traffic from the internet? For example.. This is my actual wan interface - I tried to run some wireless network here it would be directly connected to the internet no matter what "ip" Layer 3 range I ran on it..

                              arp.jpg

                              This interface is connected to the internet.. Running some AP on your isp device that you put into bridge mode and tried to run wireless on - "could" very well just be bridging that wifi to the internet.. Be it you running as some rfc1918 network or not.

                              That sniff ran for 5 seconds - that is just a small portion of what it saw, none of those IPs are my pfsense wan IP.. Those are just other isp clients on the same L2 as my wan.

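The ARP check described in the last reply, as an added example that is not part of the original thread: a script that reads the text output of `tcpdump -n -e arp` taken on the OPT interface and lists ARP senders that fall outside the subnet pfSense serves there. The 192.168.0.0/24 subnet comes from the thread; the function name, MAC addresses and capture lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: the OPT subnet named in the thread; change it for your interface.
OPT_NET = ipaddress.ip_network("192.168.0.0/24")

# ARP portion of a `tcpdump -n -e arp` text line (link-level header included).
ARP_RE = re.compile(
    r"(?P<src_mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > \S+ ethertype ARP .*?: "
    r"(?:Request who-has (?P<target>\S+) tell (?P<asker>[0-9.]+)"
    r"|Reply (?P<owner>[0-9.]+) is-at \S+)",
    re.IGNORECASE,
)

# Constructed sample capture: two local hosts, two foreign senders, one probe.
SAMPLE = """
12:00:01.100000 aa:bb:cc:00:00:23 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.1 tell 192.168.0.23, length 46
12:00:01.100400 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:23, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02.000000 02:00:5e:00:00:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.1 tell 203.0.113.57, length 46
12:00:02.500000 02:00:5e:00:00:11 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 203.0.113.1 tell 203.0.113.88, length 46
12:00:03.000000 aa:bb:cc:00:00:42 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.0.50 tell 0.0.0.0, length 46
"""


def foreign_arp_senders(lines, local_net=OPT_NET):
    """Return {ip: {source MACs}} for ARP senders outside local_net."""
    foreign = {}
    for line in lines:
        m = ARP_RE.search(line)
        if not m:
            continue  # not an ARP line, or a format this parser does not cover
        sender = m["asker"] or m["owner"]
        if sender == "0.0.0.0":
            # Address-conflict probe: sender is unset, the probed address is the target.
            sender = m["target"]
        try:
            ip = ipaddress.ip_address(sender)
        except ValueError:
            continue
        if ip not in local_net:
            foreign.setdefault(str(ip), set()).add(m["src_mac"].lower())
    return foreign


if __name__ == "__main__":
    for ip, macs in sorted(foreign_arp_senders(SAMPLE.splitlines()).items()):
        print(f"foreign ARP sender {ip} from {', '.join(sorted(macs))}")
```

An empty result over a long capture is consistent with an isolated L2 segment; any entry means hosts from another network share the broadcast domain with the wireless clients.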
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.