ipv6 vlan leak
-
Hoping someone can give me a pointer on troubleshooting: I have 4 vlans on igb0, vlan1 thru vlan4. Vlans 1-4 each get different ipv6 /64 addresses through track interface. Igb0 itself has no ipv6 connectivity (ipv6 is set to none in the interface settings). But, somehow, igb0 clients get ipv6 addresses from vlan1 by slaac.
Does anyone know why this is happening or how to fix?
-
@anyn12 do you actually have vlan1 with an ID of 1?
This is the native vlan on pretty much every switch on the planet, and would normally be untagged.
If interface igb0 has no IPv6 what IP is being handed out? The one you have on vlan 1?
-
@johnpoz igb0 has a static ipv4 address.
Yes vlan1 has id 1.
I know it is an odd choice, really just a workaround so that I can track interfaces for multiwan ipv6 NPt. Igb0 doesn't go to a switch - it goes straight to the IPMI port on my pfsense box. The vlans themselves have no clients.
Is the fix simply changing vlan1 to something else like vlan10?
-
@anyn12 I would never in a million years use the actual ID of 1 set on a vlan. This is default untagged vlan.
Without some more details of exactly how everything is connected, and where the client is exactly that is getting the IPv6 you don't want it to get.
But yeah I would change the actual ID on a vlan you're using to something other than 1.
A common practice is to use a vlan ID that somehow ties in with your IP scheme. If you're using /24 vlans, use the 3rd octet as the ID for example. But I would stay away from setting an actual tag of 1.
-
@johnpoz ok yes sounds like I made a really dumb mistake. Thank you for helping me fix this so quickly!
-
Any chance you have a TP-Link switch? Some models don't handle VLANs properly.
-
@jknott no I don't have TP-Link, but I have a good feeling changing the ID will fix my problem, thank you for the pointer on not using id 1.
-
Yup. Using VLAN1 bad!
https://docs.netgate.com/pfsense/en/latest/vlan/security.html#using-the-default-vlan-1
Steve
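One way to confirm on the wire what the thread concludes (that the RAs reaching igb0 are the vlan1 ones, arriving untagged because tag 1 is the native VLAN) is to capture on the parent interface and check whether each Router Advertisement carries an 802.1Q tag and which VID. The frame parser below is an added example, not code from the thread or from pfSense; the two test frames are constructed in code (no checksums, zeroed RA body), and reading real frames from a pcap is left to whatever capture library you already use.

```python
import struct

ETH_P_8021Q = 0x8100          # 802.1Q tagged frame
ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134    # RA type (what SLAAC clients listen for)

def classify_frame(frame: bytes):
    """Return (vlan_id, is_ra). vlan_id is None when the frame was untagged."""
    if len(frame) < 14:
        return None, False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None, False
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18      # low 12 bits of the TCI are the VID
    if ethertype != ETH_P_IPV6 or len(frame) < offset + 41:
        return vlan_id, False
    if frame[offset + 6] != IPPROTO_ICMPV6:     # IPv6 next-header field
        return vlan_id, False
    return vlan_id, frame[offset + 40] == ICMPV6_ROUTER_ADVERT

def ra_sources(frames):
    """Count RAs per tag so a leak shows up as 'untagged' RAs on the parent interface."""
    seen = {}
    for frame in frames:
        vlan_id, is_ra = classify_frame(frame)
        if is_ra:
            key = "untagged" if vlan_id is None else f"vlan{vlan_id}"
            seen[key] = seen.get(key, 0) + 1
    return seen

def build_ra_frame(vlan_id=None):
    """Construct a minimal RA frame (fe80::1 -> ff02::1) for testing; not a real capture."""
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")
    if vlan_id is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    eth += struct.pack("!H", ETH_P_IPV6)
    icmp = bytes([ICMPV6_ROUTER_ADVERT, 0]) + b"\x00" * 14
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip6 += bytes.fromhex("fe800000000000000000000000000001")
    ip6 += bytes.fromhex("ff020000000000000000000000000001")
    return eth + ip6 + icmp

if __name__ == "__main__":
    print(ra_sources([build_ra_frame(None), build_ra_frame(1), build_ra_frame(4)]))
```

If the parent interface shows untagged RAs while the only RA-capable interface is the tag-1 VLAN, the native/untagged overlap described in the thread is the cause.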