Regression #12581

open

CARP IPv6 assigned address does not get advertised to endpoints with RADV

Added by Patrick U 5 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee: -
Category: DHCP (IPv6)
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:
Description

With feature #11103 a fix is made to exclude "AdvRASrcAddress" section in the RADVD.CONF file and use the IPv6 link-local address of an interface.

Now when I have Router Advertisement configured with the CARP as selected address, RA is still and always advertising the link-local address of the configured adapter/interface.
This breaks the IPv6 configuration and connectivity, so I have to configure all endpoints manually to have the right IPv6 address as gateway address.
With all 100% manual configuration everything works great, with RADV configured that advertise the IPv6 link-local address as route breaks the network.

Interface situation:
- IPv4 set and working great with CARP. DHCP server works as designed;
- IPv6 set and working great with CARP, but RA of gateway/router address is only submitting the link-local address to clients being served by RADV;

Actions #1

Updated by Viktor Gurov 5 months ago

  • Tracker changed from Bug to Regression

Patrick U wrote:

With feature #11103 a fix is made to exclude "AdvRASrcAddress" section in the RADVD.CONF file and use the IPv6 link-local address of an interface.

Now when I have Router Advertisement configured with the CARP as selected address, RA is still and always advertising the link-local address of the configured adapter/interface.
This breaks the IPv6 configuration and connectivity, so I have to configure all endpoints manually to have the right IPv6 address as gateway address.
With all 100% manual configuration everything works great, with RADV configured that advertise the IPv6 link-local address as route breaks the network.

Are you trying to advertise on the non-link-local CARP VIP?
Could you show a working manual configuration?
Did this work in the previous version of pfSense?

Actions #2

Updated by Patrick U 5 months ago

Hi Viktor,

It did work with the previous version 2.5.0 as designed.

Just like with 2.5.0 and earlier versions, I have set the RA interface property to the IPv6 CARP VIP address.
Last week I have tried the 'AdvRASrcAddress' config within the RADVD.conf, but when restarting the RADV daemon it will remove this added configuration (auto-generate the file again).

Do you wish to see configuration from the PFSense instance or from a linux/windows client?

PFsense adapter settings:
- Interface address FW01 (prio HIGH): 2001:41f0:952a:2::2
- IPv6 local-link address FW01: fe80::2e0:67ff:fe1e:52a7
- Interface address FW02 (prio LOW) : 2001:41f0:952a:2::3
- IPv6 CARP address: 2001:41f0:952a:2::1
- RA interface selected: <interface-name> CARP IPv6 - 2001:41f0:952a:2::1
- Router mode: managed (tried the others too)

This is what is set at a Microsoft client with the help of RADVD:
Interface:
Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix  . : <domain-name>
Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560 160MHz
Physical Address. . . . . . . . . : 80-32-53-F8-2F-E6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:41f0:952a:2::bd3c(Preferred)
Lease Obtained. . . . . . . . . . : donderdag 9 december 2021 13:25:25
Lease Expires . . . . . . . . . . : zaterdag 11 december 2021 12:03:25
Link-local IPv6 Address . . . . . : fe80::d842:80d2:28f7:45d5%8(Preferred)
IPv4 Address. . . . . . . . . . . : 10.16.18.176(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : donderdag 9 december 2021 20:43:58
Lease Expires . . . . . . . . . . : zaterdag 11 december 2021 10:21:36
Default Gateway . . . . . . . . . : fe80::2e0:67ff:fe1e:52a7%8
                                    10.16.18.254
DHCP Server . . . . . . . . . . . : 10.16.18.253
DHCPv6 IAID . . . . . . . . . . . : 93892453
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-FE-04-7E-04-0E-3C-9A-85-39
DNS Servers . . . . . . . . . . . : 2001:41f0:952a:1::7
                                    2001:41f0:952a:1::8
                                    172.16.18.7
                                    172.16.18.8

This is the IPv6 routing table:
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    331 ::1/128                  On-link
  8     66 2001:41f0:952a:2::/64    On-link
  8    306 2001:41f0:952a:2::bd3c/128
                                    On-link
  8    306 fe80::/64                On-link
  8    306 fe80::d842:80d2:28f7:45d5/128
                                    On-link
  1    331 ff00::/8                 On-link
  8    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

These are the client to FW ping results (basic test):
Pinging 2001:41f0:952a:2::2 with 32 bytes of data:
Reply from 2001:41f0:952a:2::2: time=2ms
Reply from 2001:41f0:952a:2::2: time=1ms

Pinging 2001:41f0:952a:2::3 with 32 bytes of data:
Reply from 2001:41f0:952a:2::3: time=2ms
Reply from 2001:41f0:952a:2::3: time=1ms

Pinging 2001:41f0:952a:2::1 with 32 bytes of data:
Reply from 2001:41f0:952a:2::1: time=3ms
Reply from 2001:41f0:952a:2::1: time=1ms

Pinging fe80::2e0:67ff:fe1e:52a7 with 32 bytes of data:
Reply from fe80::2e0:67ff:fe1e:52a7: time=2ms
Reply from fe80::2e0:67ff:fe1e:52a7: time=1ms

When performing a ping to my DNS with the link-local address as IPv6 gateway:
Pinging 2001:41f0:952a:1::7 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Now when I set a manual configuration with RADVD disabled on the PFSense instance:

Microsoft client interface:
Wireless LAN adapter Wi-Fi:

Connection-specific DNS Suffix  . : <domain-name>
Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560 160MHz
Physical Address. . . . . . . . . : 80-32-53-F8-2F-E6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:41f0:952a:2::bd3c(Preferred)
Link-local IPv6 Address . . . . . : fe80::d842:80d2:28f7:45d5%8(Preferred)
IPv4 Address. . . . . . . . . . . : 10.16.18.176(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : donderdag 9 december 2021 20:43:57
Lease Expires . . . . . . . . . . : zaterdag 11 december 2021 10:32:34
Default Gateway . . . . . . . . . : 2001:41f0:952a:2::1
                                    10.16.18.254
DHCP Server . . . . . . . . . . . : 10.16.18.253
DNS Servers . . . . . . . . . . . : 2001:41f0:952a:1::7
                                    2001:41f0:952a:1::8
                                    172.16.18.7
                                    172.16.18.8

IPv6 Routing table:
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  8     55 ::/0                     2001:41f0:952a:2::1
  1    331 ::1/128                  On-link
  8    311 2001:41f0:952a:2::bd3c/128
                                    On-link
  8    311 fe80::/64                On-link
  8    311 fe80::d842:80d2:28f7:45d5/128
                                    On-link
  1    331 ff00::/8                 On-link
  8    311 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Ping tests:
Pinging 2001:41f0:952a:2::2 with 32 bytes of data:
Reply from 2001:41f0:952a:2::2: time=2ms
Reply from 2001:41f0:952a:2::2: time=1ms

Pinging 2001:41f0:952a:2::3 with 32 bytes of data:
Reply from 2001:41f0:952a:2::3: time=1ms
Reply from 2001:41f0:952a:2::3: time=1ms

Pinging 2001:41f0:952a:2::1 with 32 bytes of data:
Reply from 2001:41f0:952a:2::1: time=1ms
Reply from 2001:41f0:952a:2::1: time=1ms

Pinging 2001:41f0:952a:1::7 with 32 bytes of data:
Reply from 2001:41f0:952a:1::7: time=4ms
Reply from 2001:41f0:952a:1::7: time=2ms

Upstream IPv6:
Pinging 2001:41f0:952a::1 with 32 bytes of data:
Reply from 2001:41f0:952a::1: time=4ms
Reply from 2001:41f0:952a::1: time=2ms

Pinging google:
Pinging 2a00:1450:400e:803::2004 with 32 bytes of data:
Reply from 2a00:1450:400e:803::2004: time=10ms
Reply from 2a00:1450:400e:803::2004: time=9ms

Actions #3

Updated by Patrick U 5 months ago

Just forgot the traceroute...

Command: tracert -d -6 www.google.com

Tracing route to www.google.com [2a00:1450:400e:803::2004]
over a maximum of 30 hops:

 1     2 ms     1 ms     1 ms  2001:41f0:952a:2::3
 2    13 ms     9 ms     9 ms  2001:41f0:952a::1
 3    10 ms     *        *     2001:b88::159:101
 4    10 ms     9 ms     9 ms  2001:b88:0:408::2
 5    13 ms    11 ms     *     2001:730:2207:e::d52e:b616
 6     *       12 ms     *     2a00:1450:8101::1
 7    10 ms     9 ms     9 ms  2001:4860:0:1::3006
 8    11 ms    11 ms     9 ms  2001:4860:0:f8c::c
 9    11 ms    11 ms    10 ms  2001:4860::c:4002:54bb
10    15 ms    21 ms    13 ms  2001:4860::9:4000:d476
11     *        *        *     Request timed out.
12    10 ms    11 ms    10 ms  2001:4860:0:1::5193
13    10 ms     9 ms     9 ms  2a00:1450:400e:803::2004

Trace complete.

Actions #4

Updated by znerol znerol 5 months ago

Please note: RFC compliant clients must not accept a router unless it is a link-local address (see RFC4861 section 6.1.2). If a client receives a router-advertisement from a globally routable IP (such as 2001:41f0:952a:2::1) it must ignore it.

Also note that AdvRASrcAddress currently does not work as intended in FreeBSD. See also #12582 and the GitHub issue linked from there.
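The acceptance rule cited in the last comment, as an added example that is not part of the ticket or of pfSense/radvd code: a Python validator that applies the RFC 4861 section 6.1.2 checks to a raw IPv6 packet. The packets are constructed here from the ticket's addresses; the MAC in the link-layer option and all function names are assumptions.

```python
import ipaddress
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, length: int) -> bytes:
    # IPv6 pseudo-header for upper-layer checksums; next header 58 = ICMPv6
    return src + dst + struct.pack("!I3xB", length, 58)

def build_ra(src: str, dst: str = "ff02::1", hop_limit: int = 255) -> bytes:
    """Constructed sample: IPv6 header + RA carrying one source link-layer option."""
    s, d = (ipaddress.IPv6Address(a).packed for a in (src, dst))
    # type 134, code 0, checksum 0, cur hop limit 64, M flag, lifetime 1800 s
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x80, 1800, 0, 0)
    icmp += bytes([1, 1]) + bytes.fromhex("00e0671e52a7")  # constructed MAC
    icmp = icmp[:2] + struct.pack("!H", checksum(pseudo_header(s, d, len(icmp)) + icmp)) + icmp[4:]
    return struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit) + s + d + icmp

def validate_ra(packet: bytes) -> list:
    """Return the RFC 4861 section 6.1.2 checks that fail (empty list = accept)."""
    _, plen, nxt, hlim = struct.unpack("!IHBB", packet[:8])
    src, dst, icmp = packet[8:24], packet[24:40], packet[40:40 + plen]
    if nxt != 58 or len(icmp) < 16 or icmp[0] != 134:
        return ["not a router advertisement of at least 16 octets"]
    errors = []
    if not ipaddress.IPv6Address(src).is_link_local:
        errors.append("source address is not link-local")
    if hlim != 255:
        errors.append("hop limit is not 255")
    if icmp[1] != 0:
        errors.append("ICMP code is not 0")
    if checksum(pseudo_header(src, dst, len(icmp)) + icmp) != 0:
        errors.append("bad ICMP checksum")
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            errors.append("option with zero or truncated length")
            break
        off += icmp[off + 1] * 8
    return errors

LINK_LOCAL = "fe80::2e0:67ff:fe1e:52a7"   # FW01 link-local from the ticket
CARP_VIP = "2001:41f0:952a:2::1"          # CARP VIP from the ticket
```

An advertisement sourced from the CARP VIP fails only the link-local source check, while the same advertisement sourced from FW01's link-local address passes every check.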
