Multi WAN and duplicate DUID issues
-
Hi there!
I've been using pfSense for over ten years, but I don't have extensive knowledge or education in networking - so please excuse weird terminology or lack of understanding. It's been a great experience, and never needed help through the forums - until now.
My pfSense box is configured with two WAN connections, that I tap from my media converter. I divide the two WANs between heavy-use clients using VLANs (for "double" bandwidth). IPv4 works perfectly, but I've dabbled for two weeks with IPv6 - and I just couldn't get both WAN1 and WAN2 to receive an IPv6 adress at the same time.
I think I've read every post on the subject, and learning some about DUID and IAID, etc.
It seems like the problem is that pfSense uses a DUID based on the first physical interface's MAC, and uses this for the following interfaces, leading to duplicate DUIDs.
So to experiment, I downloaded the free demo of MikroTiks RouterOS, which has a switchbox called "Use Interface DUID". Works perfectly, two IPv6 addresses allocated to WAN1 and WAN2 at the same time, as one might also expect pfSense to work.
This feature has been asked for for now and again over the past few years - why is this not viewed as an important enough to implement? To my understanding, it is not even doable by CLI.
Thanks, and sorry for the long read.
-
@atomcurt Typically the LAN would get an IP via "track interface" and thus be linked to the WAN IPv6. It can't get an IP from both ISPs, thus devices on LAN can't get an IP from both. And if they did which would they use to connect out? The routing back to the PC on LAN would only work the IP from the same ISP/WAN connection. So using two IPv6 addresses is basically useful only to pfSense itself AFAIK. Unless maybe another subnet was used on LAN and routing changed for which ISP to use...similar to SD-WAN.
-
Thanks for your reply :-)
My observation is really applicable even without any LAN interfaces - the second WAN cannot get an IPv6-PD address in the first place because pfSense skips the fact that all interfaces should have a DUID generated for them. But it generates one, and calls it a day.
But yes, you have to choose which LAN/VLAN corresponding to which WAN. LAN1 interface could track WAN1, LAN2 interface could track WAN2. And two corresponding gateways.
My VLAN10 goes through WAN1. VLAN20 goes through WAN2, and it works great for IPv4 with pfSense. And it works great with MikroTik RouterOS for both IPv4 and IPv6. A guy I talked to use VyOS for the same use case - but that CLI setup is beyond my brain capacity.
Oh and it goes to say, I don't really know what I am doing. I could be entirely wrong here.
-
@atomcurt That's true, wasn't thinking about multiple internal networks for some reason.
Are your two WANs going to the same ISP hardware?
You could file a report at redmine.pfsense.org if it isn't there already.
https://docs.netgate.com/pfsense/en/latest/recipes/multiwan-ipv6.html suggests using NPt for two IPv6 WANs and one LAN.
https://docs.netgate.com/pfsense/en/latest/recipes/multiwan-ipv6.html#requirements does say "IPv6 connectivity with static addresses on two or more WANs" though. So it may be "by design" or maybe a limitation of FreeBSD? (wild speculation there)
-
Yes, same ISP hardware. That is probably a worsening factor. Had it been two separate connection types or ISPs, I don't think it would mind identical DUID (but not entirely sure there)
I tried the NPt and two "fake" interfaces that just monitored the prefix; but that did not work as again the other WAN is never going to be assigned anything by the ISP (again, not sure but it's my theory).
I have too considered it to be a limitation way down deep, as OPNsense has the exact same problem.
The static IPv6 stuff in the manual I did read, and it would work as no DUID is being used to negotiate a static IPv6. I don't believe many people have static IPv6 addresses though. But that makes me think Netgate knows of this issue already, and either it will never work, or just not a priority feature.
Thanks for your input and thoughts, I really appreciate it. At least people who run into the same behavior will hopefully find this thread, and not spend 40-60 hours troubleshooting with different router software and what not, as I have :)