IPv6 RA breaks through VLANs
-
Hi!
We have the following setup:
VLAN 10_CLN is used for Windows client PCs in the domain and pfSense is configured with a static address in a /64 network. Router advertisement is set to unmanaged and clients properly configure IPv6 via SLAAC.
VLAN 90_VOIP is used for VoIP phones and pfSense is also configured with a static address in a different /64 network. Router advertisement is set to unmanaged and clients properly configure IPv6 via SLAAC.
The VLANs are configured in pfSense and are all tagged on a single 10G NIC.
A Windows 10 client computer is directly connected to the switch on a hybrid port having VLAN 10 set as PVID/untagged and VLAN 90 set as tagged. VLAN is however not configured on the Windows 10 PC, hence it takes part only in the VLAN 10 network and receives IPv6 configuration for the 10_CLN network.
After some time or when manually restarting the radvd service, the Windows 10 client computer receives an IPv6 address from the 90_VOIP network which is not the intention. This is also problematic because the firewall is not configured on the VLAN 10 interface to let traffic with a 90_VOIP IPv6 as source pass through.
Since the computer also then uses the 90_VOIP route as the default route, it will not be reachable via IPv6 anymore and timeouts will happen.
The first entry in a Wireshark protocol of the 10_CLN VLAN having the 90_VOIP network in:
68 2.937537 :: ff02::1:ff49:1bc4 ICMPv6 78 Neighbor Solicitation for ...5a:ab6b:ca20:ad49:1bc4
Is this a configuration error on my side or a bug in pfSense/radvd?
Thanks for your help :)
-
Any chance you have a TP-Link access point or switch? Some models didn't handle VLANs & multicasts properly.
-
@JKnott
Thanks for your response. It's a Mikrotik CRS354.
-
I haven't used Mikrotik gear. However, that is the exact problem I had with a TP-Link AP. My guest WiFi is on VLAN 3 and until I replaced my access point with one from Ubiquiti I couldn't use IPv6 on it.
You mention the VLAN is not configured on the PC. Does the port it's connected to have VLAN 10 on it?
BTW, a line or two from Wireshark is pretty much useless. You should post the capture file here.
-
With the Mikrotik, I can use IPv6 without issues. The problem seems to be related when you use a hybrid port setup with a tagged and untagged VLAN.
After some research, I found out it's not a router nor a switch problem: Windows listens to RAs coming in on tagged VLANs and strips VLAN tags, even when it's not configured to do so.
Testing the same port on a Linux box, it will disregard tagged VLANs and the setup works as intended. So it seems to be a Windows problem only.
In our network, some ports have a phone connected and a computer connected to the phone, others have the computer directly connected to the ports.
For generalization, I liked the idea to have only hybrid ports and be able to plug every combination into every port.
It looks like I have to go back to access ports without any VLANs being tagged and have the VLANs stripped on the phones if a computer is connected to it.
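The symptom in the first post (a client on the untagged VLAN suddenly autoconfiguring from the other VLAN's /64) and the explanation above (Windows accepting RAs that arrived tagged) can both be checked from a capture by looking at which prefixes the RAs actually carry. The script below is an added example, not code from this thread, pfSense or radvd: it parses the Prefix Information options of an ICMPv6 Router Advertisement (RFC 4861 layout) and reports any autoconfigurable prefix that is not inside the /64 expected on that VLAN. The prefixes 2001:db8:10::/64 (standing in for 10_CLN) and 2001:db8:90::/64 (standing in for 90_VOIP) and the RA builder are constructed test input; with a real capture you would pass the ICMPv6 payload bytes (everything after the IPv6 header) to `find_leaked_prefixes`.

```python
"""Flag IPv6 RA prefixes that do not belong on the VLAN they were seen on.

Added example; the prefixes and the RA builder are constructed test data.
"""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 ICMPv6 type for RA
ND_OPT_PREFIX_INFORMATION = 3       # Prefix Information option type
PIO_FLAG_AUTONOMOUS = 0x40          # "A" flag: prefix may be used for SLAAC


def build_router_advertisement(prefixes, router_lifetime=1800):
    """Build a minimal RA payload (ICMPv6 header + one PIO per prefix).

    Constructed input only: checksum is left 0 and the M/O flags are clear,
    i.e. the "unmanaged" mode the thread describes.
    """
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,  # type, code, checksum
                         64, 0,                              # cur hop limit, M/O flags
                         router_lifetime, 0, 0)              # lifetime, reachable, retrans
    options = b""
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        # PIO: type, length in 8-byte units (4 = 32 bytes), prefix length,
        # flags (L|A = 0xC0), valid lifetime, preferred lifetime, reserved
        options += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4,
                               net.prefixlen, 0xC0, 2592000, 604800, 0)
        options += net.network_address.packed
    return header + options


def ra_is_unmanaged(payload):
    """True when neither the M (managed) nor the O (other config) flag is set."""
    return payload[0] == ICMPV6_ROUTER_ADVERTISEMENT and (payload[5] & 0xC0) == 0


def parse_ra_prefixes(payload):
    """Return [(IPv6Network, autonomous_flag), ...] from an RA payload."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    prefixes = []
    offset = 16  # options start right after the fixed RA header
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("malformed option with zero length")
        size = opt_len * 8
        if offset + size > len(payload):
            raise ValueError("truncated option")
        if opt_type == ND_OPT_PREFIX_INFORMATION and size == 32:
            plen = payload[offset + 2]
            flags = payload[offset + 3]
            addr = ipaddress.IPv6Address(payload[offset + 16:offset + 32])
            net = ipaddress.IPv6Network((addr, plen), strict=False)
            prefixes.append((net, bool(flags & PIO_FLAG_AUTONOMOUS)))
        offset += size  # skip unknown options (RDNSS, MTU, ...)
    return prefixes


def find_leaked_prefixes(payload, expected_prefix):
    """Prefixes the RA offers for SLAAC that lie outside the VLAN's own /64."""
    expected = ipaddress.IPv6Network(expected_prefix)
    return [net for net, autonomous in parse_ra_prefixes(payload)
            if autonomous and not net.subnet_of(expected)]


if __name__ == "__main__":
    # Constructed stand-ins for the two VLANs in the thread.
    CLN_PREFIX, VOIP_PREFIX = "2001:db8:10::/64", "2001:db8:90::/64"
    # An RA for the VoIP network observed on the client VLAN: this is the leak.
    ra_seen_on_cln = build_router_advertisement([VOIP_PREFIX])
    print("unmanaged:", ra_is_unmanaged(ra_seen_on_cln))
    print("leaked prefixes:",
          [str(n) for n in find_leaked_prefixes(ra_seen_on_cln, CLN_PREFIX)])
```

The check is deliberately per-VLAN: an RA advertising 2001:db8:90::/64 is perfectly normal on the VoIP segment and only becomes a finding when it is seen (and acted on) on the client segment, which is exactly the distinction the firewall rules in the first post depend on.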
-
@mphilippi so I am curious about this - I don't recall ever seeing such an issue in the wild. But should be easy enough to test.
So if what I'm reading is valid, or still valid on current versions of Windows: My IPv4 is untagged native to my Windows port. You're saying if I enable IPv6 on this interface, but don't have IPv6 on the native untagged network, but also have a tagged VLAN on this port with IPv6 on it, pfSense will use this on its untagged interface?
-
What happens if you don't run Wireshark in promiscuous mode?
-
The client receives IPv6 addressing from the tagged VLAN but obviously won't be able to communicate with it through the untagged VLAN. It seems to be an issue with Windows.
Could you re-create the scenario?
-
@NogBadTheBad
It has nothing to do with Wireshark. I used the packet capture feature of pfSense only after I found out about the issue to get more data.
-
@mphilippi said in IPv6 RA breaks through VLANs:
So it seems to be a Windows problem only.
Yeah, another Windows "feature". Normally, with VoIP on a VLAN, you connect the computer through the phone, which will remove the tag, before passing packets on to the computer.
MS has a very long history of breaking things, because they don't follow standards and practices.
-
@mphilippi Both Wireshark and a packet capture from pfSense default to promiscuous mode, that was why I asked.
-
I always do packet capture in promiscuous mode, as these days switches keep most of the other traffic away. Back when I first started using it, then known as Ethereal, hubs were still in use, so you'd see everything on the network, including passwords.