CARP IPv6 again



  • As this thread seems to be closed, I need to ask you something.
    https://forum.pfsense.org/index.php?topic=45553.msg237843#msg237843

    I have 2 boxes running pfsense 2.2 with CARP IPv6 only.
    The first thing I encountered when my setup was finished based upon this howto…
    https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
    ... I was not able to communicate via IPv6, because both routers advertised their link-local IP as default gateway, which led to a client having two default gateways.
    The problem was that the router used for outgoing packets was not the same one where the answer packets were received, so since it's a stateful packet filter, packets were dropped.

    I experimented with quite a few settings, but the only way I can get it to work is disabling the radvd on the SLAVE router manually.
    Only then I get online flawlessly. BUT, I don't want to be forced to intervene manually in case of a router failure.

    This is my config; as I understand it, this should be working (but isn't).
    Router1 (Master):
    dhcpv6: disabled
    radvd: unmanaged
    priority: normal
    ra:interface: selected the VIP interface

    Router2 (Slave):
    dhcpv6: disabled
    radvd: unmanaged
    priority: normal
    ra:interface: selected the VIP interface

    Thank you!  ;)



  • What's also really strange is that when I disable Router Advertisement on the slave router, it actually won't stop.

    When I look into /var/etc/radvd.conf on that slave router it's still set to:
    AdvSendAdvert on

    Shall I file a bug report?



  • Maybe one can answer my question simply:

    Can I provide clients with gateway information via radvd, giving them a link local gateway?
    This link local address should of course be a virtual IP, so failover is also working for SLAAC clients.

    If so, how?



  • You have to bind the RAs to a CARP IP, so radvd stops/starts with CARP status.



  • Thank you. Do I have to create a link local virtual IP address first, or can I use the global address?



  • OK, I got it running. I did NOT setup a virtual link local address.

    Edit:
    BUT:
    this is what a client's routing table looks like when it's all fine:

    fe80::/64 dev eth0  proto kernel  metric 256
    default via fe80::960c:6dff:fe80:bb91 dev eth0  proto ra  metric 1024  expires 56sec
    default via fe80::960c:6dff:fe80:b87d dev eth0  proto ra  metric 1024  expires 28sec

    sometimes I get this kind of routing table:

    default via fe80::960c:6dff:fe80:bb91 dev eth0  proto static  metric 1
    default via fe80::960c:6dff:fe80:bb91 dev eth0  proto ra  metric 1024  expires 48sec
    default via fe80::960c:6dff:fe80:b87d dev eth0  proto ra  metric 1024  expires 24sec

    Then it's not working ???
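The two routing tables pasted above differ in one line: a permanent `proto static` default route with metric 1. The Linux kernel picks the lowest-metric default route, so that entry shadows both RA-learned defaults (metric 1024) and, having no expiry, keeps pointing at the same router regardless of which CARP node is currently advertising. The following script is an added example, not code from the thread or from pfSense: it parses `ip -6 route` output (the two tables above are embedded as constructed sample input), reports which default route the kernel will actually use, and flags a permanent non-RA default that would not follow a failover. The field layout assumed by the regex is the one visible in the pasted output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches one line of `ip -6 route` output in the layout pasted above.
# Everything after the destination is optional so kernel/link routes parse too.
ROUTE_RE = re.compile(
    r"^(?P<dest>\S+)"
    r"(?:\s+via\s+(?P<via>\S+))?"
    r"\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+metric\s+(?P<metric>\d+))?"
    r"(?:\s+expires\s+(?P<expires>\d+)sec)?"
)


@dataclass
class Route:
    dest: str
    via: Optional[str]
    dev: str
    proto: Optional[str]
    metric: Optional[int]
    expires: Optional[int]  # seconds left for RA-learned routes, None if permanent


def parse_routes(text: str) -> List[Route]:
    """Parse pasted `ip -6 route` output into Route records."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROUTE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised route line: {line!r}")
        routes.append(Route(
            dest=m["dest"], via=m["via"], dev=m["dev"], proto=m["proto"],
            metric=int(m["metric"]) if m["metric"] else None,
            expires=int(m["expires"]) if m["expires"] else None,
        ))
    return routes


def default_gateway_report(routes: List[Route]) -> dict:
    """Summarise the IPv6 default routes the way the kernel will use them.

    The kernel prefers the lowest metric, so a permanent 'static' default with
    metric 1 wins over every RA-learned default (metric 1024) and, having no
    expiry, never gets replaced when the advertising router changes.
    """
    defaults = [r for r in routes if r.dest == "default"]
    if not defaults:
        return {"effective_via": None, "effective_proto": None,
                "ra_gateways": [], "permanent_non_ra_default": False}
    effective = min(defaults, key=lambda r: r.metric if r.metric is not None else 0)
    ra_gateways = sorted({r.via for r in defaults if r.proto == "ra"})
    return {
        "effective_via": effective.via,
        "effective_proto": effective.proto,
        "ra_gateways": ra_gateways,
        # True when the route the kernel will use is not RA-learned and has no
        # expiry: it will not follow a CARP failover of the RA source.
        "permanent_non_ra_default": effective.proto != "ra" and effective.expires is None,
    }


# Constructed sample input: the two tables pasted in the post above.
GOOD_TABLE = """
fe80::/64 dev eth0  proto kernel  metric 256
default via fe80::960c:6dff:fe80:bb91 dev eth0  proto ra  metric 1024  expires 56sec
default via fe80::960c:6dff:fe80:b87d dev eth0  proto ra  metric 1024  expires 28sec
"""

BAD_TABLE = """
default via fe80::960c:6dff:fe80:bb91 dev eth0  proto static  metric 1
default via fe80::960c:6dff:fe80:bb91 dev eth0  proto ra  metric 1024  expires 48sec
default via fe80::960c:6dff:fe80:b87d dev eth0  proto ra  metric 1024  expires 24sec
"""

if __name__ == "__main__":
    for name, table in (("good", GOOD_TABLE), ("bad", BAD_TABLE)):
        print(name, default_gateway_report(parse_routes(table)))
```

Run against live output with `ip -6 route | python3 check_defaults.py`-style piping, or paste a table into the constants as done here; `permanent_non_ra_default` being True is the condition that matches the "not working" table.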



  • Were you able to figure this out?

    I'm trying to figure out the best way to handle this case.



  • Same problem and setup here.

    1. If I bind radvd (unmanaged mode) to the interface, both gateways advertise themselves.

    2. If I bind it to the CARP (on LAN) interface, only one of them advertises at the time. That's good, but…

    If that gateway's WAN connection dies, the CARP IPs switch over quickly and the other radvd starts advertising. The Linux hosts get those new advertisements, but don't start using this gateway for, like, 80 seconds or so. I understand that THAT's not a pfSense problem, but — if I could only just advertise the CARP LAN IP as gateway for the hosts, then this issue would be solved - they'd just continue using the same gateway for all they're concerned...

    So why is it not possible to tell radvd to just advertise the CARP IP??



  • Ok, little follow-up.

    1. It looks like it's not possible (at all) to actually specify which address is advertised in an RA. I assume the host directly uses the source address of the RA.

    2. To speed up failover, one can hack the pfSense code which generates the actual radvd config and set MinRtrAdvInterval 3, MaxRtrAdvInterval 5 and, for the ::/0 route add AdvRouteLifetime 5. This reduces failover time to around 10 seconds - but I'm not sure if it is generally a good idea to mess with these values.

    3. The fastest option (in terms of failover) seems to be actually not to use SLAAC in the first place, but to manually configure IPv6 on each host - to be able to specify the desired CARP IP as default gateway…

    Does this make sense?

    PS: Oh, just found this read: https://www.isc.org/blogs/routing-configuration-over-dhcpv6-2/
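The timer values in point 2 above (MinRtrAdvInterval 3, MaxRtrAdvInterval 5, AdvRouteLifetime 5 on the ::/0 route) only shorten failover if they also stay inside the ranges RFC 4861 and radvd enforce: MaxRtrAdvInterval between 4 and 1800 s, MinRtrAdvInterval between 3 s and 0.75 × MaxRtrAdvInterval, and AdvDefaultLifetime either 0 or between MaxRtrAdvInterval and 9000 s. The following is an added example, not pfSense's generator code and not from the thread: it checks a set of timers against those ranges and renders a minimal radvd.conf interface block bound to a single interface. The interface name `lan0` and prefix `2001:db8::/64` are placeholders, and the default AdvDefaultLifetime of 3 × MaxRtrAdvInterval follows radvd's documented default.

```python
from typing import List, Optional


def validate_ra_timers(min_interval: int, max_interval: int,
                       default_lifetime: int, route_lifetime: int) -> List[str]:
    """Return the RFC 4861 / radvd range violations for a set of RA timers.

    An empty list means the combination is acceptable to radvd.
    """
    problems = []
    if not 4 <= max_interval <= 1800:
        problems.append("MaxRtrAdvInterval must be between 4 and 1800 seconds")
    if not 3 <= min_interval <= 0.75 * max_interval:
        problems.append("MinRtrAdvInterval must be between 3 and 0.75 * MaxRtrAdvInterval")
    if default_lifetime != 0 and not max_interval <= default_lifetime <= 9000:
        problems.append("AdvDefaultLifetime must be 0 or between MaxRtrAdvInterval and 9000")
    if route_lifetime < 0:
        problems.append("AdvRouteLifetime must not be negative")
    return problems


def render_radvd_conf(interface: str, prefix: str, min_interval: int = 3,
                      max_interval: int = 5, default_lifetime: Optional[int] = None,
                      route_lifetime: int = 5) -> str:
    """Render one radvd.conf interface block with the given RA timers.

    Defaults are the values from the post above; AdvDefaultLifetime falls back
    to radvd's own default of 3 * MaxRtrAdvInterval. Raises ValueError rather
    than emitting a config radvd would refuse to load.
    """
    if default_lifetime is None:
        default_lifetime = 3 * max_interval
    problems = validate_ra_timers(min_interval, max_interval, default_lifetime, route_lifetime)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"interface {interface}",
        "{",
        "    AdvSendAdvert on;",
        f"    MinRtrAdvInterval {min_interval};",
        f"    MaxRtrAdvInterval {max_interval};",
        f"    AdvDefaultLifetime {default_lifetime};",
        f"    prefix {prefix}",
        "    {",
        "        AdvOnLink on;",
        "        AdvAutonomous on;",
        "    };",
        "    route ::/0",
        "    {",
        f"        AdvRouteLifetime {route_lifetime};",
        "    };",
        "};",
        "",
    ])


if __name__ == "__main__":
    # Placeholder interface and documentation prefix; substitute your own.
    print(render_radvd_conf("lan0", "2001:db8::/64"))
```

Hosts keep the old router as a default gateway until the lifetime carried in its last RA runs out, so with these values the stale window is bounded by AdvDefaultLifetime (15 s here) rather than the 80 s or so observed with the stock timers; the cost is a router sending RAs every 3 to 5 seconds.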