Some doubts about 'Router Advertisements' !!
-
In the past I have tried to set up VMs with IPv6, never really successfully. I already wrote about that in the past.
Today I tried setting up a VM using TrueNAS SCALE (TrueNAS-SCALE-22.12.1) as host and with Ubuntu 22.04.2 LTS in the VM.
And again it did not work !!
- The VM is connected to vlan120.
- Each VLAN has a /64 IPv6 net
- pfSense DHCP6 is configured for that vlan
- RA configured as 'Managed'
Having seen that, and given that more is working now than in the past, I decided to do some extensive tests.
What I did was
- restarting the VM after all setting changes
- trying all 'Router Advertisement' settings one by one
- connect to the vm
- 'ip a' to see the config
- ping -6 www.google.com
- watching the result & capturing using pfSense packet capture
Findings are:
- In a lot of cases pfSense does not know how to reach the VM. The answer to the echo request is lost. Neighbor Solicitation does not work!
- RA disabled => does not work, no address at all
- Router Only => only a local address
- Unmanaged => OK!
- Managed => wrong address, /128 should be /64
- Assisted => wrong address, /128 should be /64
- Stateless => OK!
Not 100% sure, but that I have some verdicts about pfSense .... sure.
Attached a file with more detailed info
So hopefully someone does understand the problem, and in case of a bug ... that it will be fixed !
Below the details
-
I run VirtualBox VMs and they work fine. However, there is one important detail. The VM's network interface can be either bridged or NAT. If NAT, IPv6 won't work. It has to be bridged mode. Is this similar to what you have?
-
I am not using NAT here at all !! The VLAN goes straight towards the VM.
I defined a trunk and that trunk is carrying multiple VLANs. I did not define bridges, since I do not need them.
The trunk does not have an IP address. Neither does the VLAN.
So the VLAN is transparently going from pfSense directly into the VM. The VM itself is getting its IP from the IPv4 DHCP server and the IPv6 DHCP / RA server, and that is where the problem is.
It has been there in the past and at this moment in time, I more than ever have the feeling that there is a problem at the pfSense side.
-
@louis2 said in Some doubts about 'Router Advertisements' !!:
wrong address /128 should be /64
Using Windows Server DHCP Server for IPv6 results in that...
On the DHCPv6 Server & RA/(interface)/DHCPv6 Server tab what does it list for Subnet Mask?
-
The pfSense subnet is /64 and, as expected, the DHCPv6 tab also lists 64 bit. The RA tab does not have a subnet field, apart from the RA Subnet fields, which I left empty.
The text over there states (as I would expect):
"If no subnets are specified here, the Router Advertisement (RA) Daemon will advertise to the subnet to which the router's interface is assigned."
I tried what happens if I changed the default /128, without anything in the subnet field, to /64, again without anything in the subnet field .... which did not change the behavior.
What even it is a strange field ...
-
Since I am a bit curious, I decided to check what happens if I filled the subnet field in the RA tab with the subnet's subnet definition including /64, using RA option Managed.
The answer is, it still does not work.
Since I would like the router to control the IP-address, the client should use DHCPv6.
I did also have a look at the netgate doc: (https://docs.netgate.com/pfsense/en/latest/services/dhcp/ipv6-ra.html)
Here the most relevant part:
Router Advertisement Modes
The modes for the RA daemon control the services offered by pfSense software, announce the firewall as an IPv6 router on the network, and direct clients on how to obtain addresses.
Disabled
The RA daemon is disabled and will not run. IPv6 gateways must be entered manually on any client hosts.
=> NO
Router Only
This firewall will send out RA packets that advertise itself as an IPv6 router. DHCPv6 is disabled in this mode.
=> NO
Unmanaged
The firewall will send out RA packets and clients are directed to assign themselves IP addresses within the interface subnet using SLAAC. DHCPv6 is disabled in this mode.
=> NO
Managed
The firewall will send out RA packets and addresses will only be assigned to clients using DHCPv6.
=> YES
Assisted
The firewall will send out RA packets and addresses can be assigned to clients by DHCPv6 or SLAAC.
=> I do not know what this implies; as stated, I prefer the FW to control the addresses (fixing them in the DHCP server, preferably MAC-based)
Stateless DHCP
The firewall will send out RA packets and addresses can be assigned to clients by SLAAC while providing additional information such as DNS and NTP from DHCPv6.
=> I do not know what this implies; as stated, I prefer the FW to control the addresses (fixing them in the DHCP server, preferably MAC-based)
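For reading the packet captures discussed in this thread, an added example (not part of any post here and not pfSense code): a parser for the Router Advertisement fields defined in RFC 4861 that tell a client whether to use DHCPv6, SLAAC or both, and which prefixes are on-link. The sample RA is constructed, and `parse_ra`, `address_sources` and `build_ra` are names chosen for this example.

```python
import ipaddress
import struct

def parse_ra(icmp: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134), starting at the type byte."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(icmp[5] & 0x80),   # M flag: addresses come from DHCPv6
            "other": bool(icmp[5] & 0x40),     # O flag: DNS etc. come from DHCPv6
            "prefixes": []}
    pos = 16                                   # options follow the 16-byte fixed header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-octet units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:    # Prefix Information option
            net = ipaddress.IPv6Network(
                (icmp[pos + 16:pos + 32], icmp[pos + 2]), strict=False)
            info["prefixes"].append({"prefix": str(net),
                                     "on_link": bool(icmp[pos + 3] & 0x80),     # L flag
                                     "autonomous": bool(icmp[pos + 3] & 0x40)}) # A flag
        pos += opt_len
    return info

def address_sources(info: dict) -> list:
    """List the ways a client is told to obtain a global address."""
    sources = []
    if any(p["autonomous"] for p in info["prefixes"]):
        sources.append("SLAAC")
    if info["managed"]:
        sources.append("DHCPv6")
    return sources

def build_ra(ra_flags: int, prefix_flags: int,
             prefix: str = "2001:db8:120::", plen: int = 64) -> bytes:
    """Constructed sample RA (documentation prefix, checksum left at 0)."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, prefix_flags, 86400, 14400, 0)
    return header + pio + ipaddress.IPv6Address(prefix).packed

if __name__ == "__main__":
    ra = parse_ra(build_ra(0xC0, 0x80))        # M=1, O=1, prefix with L=1, A=0
    print(address_sources(ra), ra["prefixes"])
```

A DHCPv6 lease carries no prefix length, so a client learns the on-link /64 only from a Prefix Information option with the L flag set; the `on_link` field is the one to check in a capture.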
-
Did you ever figure out what happened here? I have a similar issue, except the DHCPv6 from my VLAN is issuing IPs to the untagged network. DHCPv6 issuing IPs from VLAN30 to LAN Untagged, Why?
-
@davidg1982 said in Some doubts about 'Router Advertisements' !!:
the DHCPv6 from my VLAN is issuing IPs to the untagged network.
Any chance you have a TP-Link switch or access point? Some models don't do VLANs properly. I had a TP-Link access point that allowed RAs from the main LAN to the VLAN, which made it impossible for me to have IPv6 on my guest WiFi.
-
@JKnott No, I have a basic NETGEAR POE four port switch. Although, my Ruckus APs support VLAN.