IPv6, VLANs and Android...
-
My current Config has worked with no issue on my IPv4 ISP for a number of years.
Currently running 23.09.1-RELEASE on a VM (upgraded to plus prior to the non free use change) and have recently moved to an ISP that fully supports IPv6.
I have successfully got the following working:
Got my 3 VLANs setup with a /64 from the ISP supplied /56 via track interface with different prefix IDs.
Setup RA as unmanaged on all VLANs.
Multiple systems get an IPv6 address from the correct subnet and work fine.
My android device, however, starts off fine, then, some time later (within a few minutes), ends up with IPv6 addresses from all VLAN subnets. This doesn't matter which VLAN I put it on, although they work fine as far as the IPv4 addresses are concerned (ie, from the correct DHCP scope).
IPv6 is fully SLAAC (afaik), and I have not configured anything other than the subnets and the DNS servers, which do work fine. Any idea, or is it just another Android IPv6 issue?
Thanks
-
@FillDee said in IPv6, VLANs and Android...:
Any idea, or is it just another Android IPv6 issue?
Are you running a DHCPv6 server? If so, that's your problem. Thanks to some genius at Google, Android doesn't support DHCPv6.
-
@JKnott
No DHCPv6 servers are running (well, there is a Windows service running, but no IPv6 scopes are configured, they are all v4 and work fine). As mentioned, it's all SLAAC. I'm aware that Android doesn't support DHCPv6 (supposedly to stop cell providers giving out a single IPv6 address, but who knows), but not sure how this would cause RA on different VLANs to be picked up by the Android client.
I have, for the moment, switched off the RA and disabled track interface on all except 1 VLAN and the Android client is behaving.
I don't even know how to troubleshoot the issue....
-
UPDATE - Also found a Windows 11 PC doing the same.
So either my layer 2 switch config is wrong, or PFsense is putting the RA info on multiple interfaces.
-
ends up with IPv6 addresses from all VLAN subnets.
Any chance you have a TP-Link switch or access point? Some models don't handle multicasts properly.
-
@JKnott My replies are being queued, so may appear out of order.
I do not have tplink APs. I have 2 Asus AX units that connect directly to a Cisco SG switch with mac group VLANs setup.
I have found that wired seems to work fine, but wireless picks up multiple RA subnets, so I'm looking into that.
Thanks for trying to help.
-
@FillDee said in IPv6, VLANs and Android...:
I have found that wired seems to work fine, but wireless picks up multiple RA subnets, so I'm looking into that.
I mentioned TP-Link because I had one and found multicasts leaked from the main LAN to the VLAN, causing devices on my guest WiFi to get the wrong address. Replacing the AP with one from Unifi fixed the problem.
As always, an important tool for solving this sort of problem is Wireshark. If you could set up a monitor port on the managed switch, you could use it to capture traffic going to the AP. With Wireshark, you can filter on ICMPv6 and the Android device MAC address. If you can do that, post the capture file here. If you can't use that method, you could use Packet Capture on pfSense, as the packets pass through it when passing between LAN & VLAN.
-
OK, did some more investigation and have a theory.
I have multiple VLANs going over my WiFi. The VLANs are based on the MAC of the device (basic security enough for me). Guests get put on a VLAN that only gets internet access.
My way of thinking is that the RA is transmitted, correctly tagged, from the VLAN interface on pfSense. This goes to my layer 2 switch and then the VLAN tag gets removed and the RA goes out to the WiFi clients and all of them get that multicast. Each client then gets one RA from each subnet. This would explain why my wired ports work fine, as the wired ports are access ports tagged with a VLAN and hence do NOT get RAs from other VLANs passed to them.
So, next question, is there any way to stop the PFsense doing explicit RA multicasts and only respond to a client RA solicitation request with a unicast? That way, I assume the other clients would ignore it.
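Following the suggestion above to capture ICMPv6 with Wireshark or the pfSense Packet Capture and filter on the client MAC, and the theory that the periodic RAs from every VLAN reach the untagged SSID: here is an added example (my own, not code from the thread, from pfSense or from Asus) that parses Router Advertisement payloads and reports any segment on which more than one SLAAC prefix is being advertised. The packets, MAC address and segment names are constructed using documentation ranges (2001:db8::/32, 00:00:5e:00:53:xx); in practice the payloads would come from the ICMPv6 bodies of a capture (Wireshark display filter `icmpv6.type == 134`).

```python
"""Parse ICMPv6 Router Advertisements (RFC 4861) and flag a segment that
sees prefixes from more than one /64, the symptom described in the thread.

Added example for illustration; not code from the forum post or from pfSense.
All packets, MACs and segment names below are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3


def build_ra(prefix: str, managed: bool = False, other: bool = False,
             router_lifetime: int = 1800) -> bytes:
    """Build a minimal RA payload: 16-byte ICMPv6 RA header plus one
    Prefix Information option. The checksum is left at zero because the
    parser below does not verify it (a real capture carries the real value)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)   # M and O bits
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,  # type, code, checksum
                         64, flags, router_lifetime,         # hop limit, M/O, lifetime
                         0, 0)                               # reachable, retrans timer
    # Prefix Information: type 3, length 4 (32 bytes), L and A flags set,
    # valid lifetime 30 days, preferred 7 days, reserved, then the prefix.
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                         0xC0, 2592000, 604800, 0) + net.network_address.packed
    return header + option


def parse_ra(payload: bytes) -> dict:
    """Return the M/O flags, router lifetime and advertised prefixes of one RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    prefixes = []
    pos = 16
    while pos + 2 <= len(payload):
        opt_type, opt_len = payload[pos], payload[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")      # forbidden by RFC 4861
        end = pos + opt_len * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags = payload[pos + 2], payload[pos + 3]
            addr = ipaddress.IPv6Address(payload[pos + 16:pos + 32])
            prefixes.append({
                "prefix": str(ipaddress.IPv6Network((addr, plen), strict=False)),
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),    # A flag: client may SLAAC from it
            })
        pos = end
    return {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
            "router_lifetime": lifetime, "prefixes": prefixes}


def find_leaked_segments(observations) -> dict:
    """observations: iterable of (segment_name, router_mac, ra_payload).
    A segment should carry exactly one autonomous /64; return every segment
    that carries more, mapped to {prefix: {router MACs that sent it}}."""
    seen = {}
    for segment, router_mac, payload in observations:
        for p in parse_ra(payload)["prefixes"]:
            if p["autonomous"]:
                seen.setdefault(segment, {}).setdefault(p["prefix"], set()).add(router_mac)
    return {seg: prefixes for seg, prefixes in seen.items() if len(prefixes) > 1}


# Constructed observations: one router MAC advertising a different /64 per VLAN.
# The wired access port on VLAN 10 sees only its own prefix; the Wi-Fi segment
# behind the AP sees all three, which is the leak the thread describes.
ROUTER_MAC = "00:00:5e:00:53:01"
VLAN_PREFIXES = {10: "2001:db8:0:10::/64", 20: "2001:db8:0:20::/64", 30: "2001:db8:0:30::/64"}
SAMPLE_OBSERVATIONS = [("wired-vlan10", ROUTER_MAC, build_ra(VLAN_PREFIXES[10]))] + \
    [("wifi", ROUTER_MAC, build_ra(p)) for p in VLAN_PREFIXES.values()]

if __name__ == "__main__":
    for seg, prefixes in find_leaked_segments(SAMPLE_OBSERVATIONS).items():
        print(f"{seg}: {len(prefixes)} autonomous prefixes advertised")
        for prefix, routers in sorted(prefixes.items()):
            print(f"  {prefix} from {', '.join(sorted(routers))}")
```

Grouping by segment and by sending router MAC separates the two explanations raised in the thread: if the extra prefixes on the Wi-Fi segment all come from the pfSense MAC, they are the router's own per-VLAN RAs arriving untagged through the AP; a second MAC would point at another router on the segment. The parser also exposes the M/O bits, so an RA with M set would confirm the DHCPv6 question raised earlier in the thread.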
-
I let the AP remove the VLAN tags and connect to the 2nd SSID. And no, you generally don't request RAs. They happen automagically. Seems to me you're trying to do things the wrong way.
-
@FillDee could be that android randomizes the MAC, hence the different VLAN if they are based on the MAC?
-
That shouldn't make a difference, if the network is set up properly.
-
@bschapendonk
It gets multiple RA subnets/routes, not just the incorrect one. As I base my VLANs on MAC addresses, a random MAC acts like a guest and gets only internet access, whereas, if I use my phone MAC, it gets access to my internal network. All of that works fine with IPv4, with DHCP.
-
@JKnott said in IPv6, VLANs and Android...:
I let the AP remove the VLAN tags and connect to the 2nd SSID. And no, you generally don't request RAs. They happen automagically. Seems to me you're trying to do things the wrong way.
Router solicitations are done by most clients afaik. I was hoping that I could just stop the RA multicasts. I'm relatively new to IPv6 so I could have misunderstood it. The correct RA subnet is always first to appear (assuming from the solicitation and the unicast reply), followed by the incorrect ones a bit later, from what I am again assuming is the periodic RAs.
If I'm doing things the wrong way, how should I be doing it?
Things work fine for IPv4, as DHCP gives out the GW and IP, so it's nice and neat. Since IPv6 is based on SLAAC and RAs, this seems to break using VLANs the way I am.
I guess I could look at an access point that can fix SSIDs to a specific VLAN. I had that setup with a 2nd access point, but decided to set them as a MESH and use MAC based VLANs instead. I like this setup, as new devices have only internet access until I add the MACs to an internal VLAN. This also works if a laptop gets plugged into one of the AP ethernet ports. It was a nice solution that worked great up until this point... :(
-
@FillDee said in IPv6, VLANs and Android...:
Router solicitations are done by most clients afaik. I was hoping that I could just stop the RA multicasts. I'm relatively new to IPv6 so I could have misunderstood it. The correct RA subnet is always first to appear (assuming from the solicitation and the unicast reply), followed by the incorrect ones a bit later, from what I am again assuming is the periodic RAs.
A client will do a RS when first connecting to a network. That RA will be addressed to the client requesting it. After that, it relies on periodic RAs, which are sent to the entire network, using multicast address ff02::1, which is all IPv6 devices.
Things work fine for IPv4, as DHCP gives out the GW and IP, so it's nice and neat. Since IPv6 is based on SLAAC and RAs, this seems to break using VLANs the way I am.
On IPv4, the client requests the lease and that's the only way it gets one. There is nothing comparable to RAs on IPv4. Also, a DHCP lease can last for several hours, depending on how the DHCP server is configured. RAs occur frequently.
I guess I could look at an access point that can fix SSIDs to a specific VLAN.
That is the way you're supposed to do it. I suspect you're using a router as an access point. I have a proper access point, separate from my router. My router is configured to place my guest WiFi on a VLAN, over the same cable as my main LAN and then the AP separates them and places the VLAN on the 2nd SSID. You really need something that supports VLANs and multiple SSIDs to do this.
-
@JKnott
Thanks for the info.
I'll look into things further and see if I can stop RA multicasts and see what problems that might bring.
As I said, I like the fact I can plug my laptop into the APs (which are Asus AX routers in access point mode), and still get onto the internal network without changing any config.
These routers do support multiple SSIDs and can support VLANs, just not from gui.
I really don't want to go back to that if I can help it.
-
@FillDee said in IPv6, VLANs and Android...:
I'll look into things further and see if I can stop RA multicasts and see what problems that might bring.
You'll break the network. RAs are a key part of IPv6.
-
I can always turn them back on if I break things.