Regression #12581
Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD
Status: closed
% Done: 100%
Description
With feature #11103 a fix is made to exclude "AdvRASrcAddress" section in the RADVD.CONF file and use the IPv6 link-local address of an interface.
Now when I have Router Advertisement configured with the CARP as selected address, RA is still and always advertising the link-local address of the configured adapter/interface.
This breaks the IPv6 configuration and connectivity, so I have to configure all endpoints manually to have the right IPv6 address as gateway address.
With all 100% manual configuration everything works great, with RADV configured that advertise the IPv6 link-local address as route breaks the network.
Interface situation:
- IPv4 set and working great with CARP. DHCP server works as designed;
- IPv6 set and working great with CARP, but RA of gateway/router address is only submitting the link-local address to clients being served by RADV;
Updated by Viktor Gurov almost 3 years ago
- Tracker changed from Bug to Regression
Patrick U wrote:
With feature #11103 a fix is made to exclude "AdvRASrcAddress" section in the RADVD.CONF file and use the IPv6 link-local address of an interface.
Now when I have Router Advertisement configured with the CARP as selected address, RA is still and always advertising the link-local address of the configured adapter/interface.
This breaks the IPv6 configuration and connectivity, so I have to configure all endpoints manually to have the right IPv6 address as gateway address.
With all 100% manual configuration everything works great, with RADV configured that advertise the IPv6 link-local address as route breaks the network.
Are you trying to advertise on the non-link-local CARP VIP?
Could you show a working manual configuration?
Did this work in the previous version of pfSense?
Updated by Patrick U almost 3 years ago
Hi Viktor,
It did work with the previous version 2.5.0 as designed.
Just like with 2.5.0 and earlier versions, I have set the RA interface property to IPv6 CARP VIP address.
Last week I have tried the 'AdvRASrcAddress' config within the RADVD.conf, but when restarting the RADV daemon it will remove this added configuration (auto-generate the file again).
Do you wish to see configuration from the PFSense instance or from a linux/windows client?
PFsense adapter settings:
- Interface address FW01 (prio HIGH): 2001:41f0:952a:2::2
- IPv6 local-link address FW01: fe80::2e0:67ff:fe1e:52a7
- Interface address FW02 (prio LOW) : 2001:41f0:952a:2::3
- IPv6 CARP address: 2001:41f0:952a:2::1
- RA interface selected: <interface-name> CARP IPv6 - 2001:41f0:952a:2::1
- Router mode: managed (tried the others too)
This is what is set at a Microsoft client with the help of RADVD:
Interface:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : <domain-name>
Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560 160MHz
Physical Address. . . . . . . . . : 80-32-53-F8-2F-E6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:41f0:952a:2::bd3c(Preferred)
Lease Obtained. . . . . . . . . . : donderdag 9 december 2021 13:25:25
Lease Expires . . . . . . . . . . : zaterdag 11 december 2021 12:03:25
Link-local IPv6 Address . . . . . : fe80::d842:80d2:28f7:45d5%8(Preferred)
IPv4 Address. . . . . . . . . . . : 10.16.18.176(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : donderdag 9 december 2021 20:43:58
Lease Expires . . . . . . . . . . : zaterdag 11 december 2021 10:21:36
Default Gateway . . . . . . . . . : fe80::2e0:67ff:fe1e:52a7%8
10.16.18.254
DHCP Server . . . . . . . . . . . : 10.16.18.253
DHCPv6 IAID . . . . . . . . . . . : 93892453
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-FE-04-7E-04-0E-3C-9A-85-39
DNS Servers . . . . . . . . . . . : 2001:41f0:952a:1::7
2001:41f0:952a:1::8
172.16.18.7
172.16.18.8
This is the IPv6 routing table:
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
8 66 2001:41f0:952a:2::/64 On-link
8 306 2001:41f0:952a:2::bd3c/128
On-link
8 306 fe80::/64 On-link
8 306 fe80::d842:80d2:28f7:45d5/128
On-link
1 331 ff00::/8 On-link
8 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
These are the client to FW ping results (basic test):
Pinging 2001:41f0:952a:2::2 with 32 bytes of data:
Reply from 2001:41f0:952a:2::2: time=2ms
Reply from 2001:41f0:952a:2::2: time=1ms
Pinging 2001:41f0:952a:2::3 with 32 bytes of data:
Reply from 2001:41f0:952a:2::3: time=2ms
Reply from 2001:41f0:952a:2::3: time=1ms
Pinging 2001:41f0:952a:2::1 with 32 bytes of data:
Reply from 2001:41f0:952a:2::1: time=3ms
Reply from 2001:41f0:952a:2::1: time=1ms
Pinging fe80::2e0:67ff:fe1e:52a7 with 32 bytes of data:
Reply from fe80::2e0:67ff:fe1e:52a7: time=2ms
Reply from fe80::2e0:67ff:fe1e:52a7: time=1ms
When performing a ping to my DNS with the link-local address as IPv6 gateway:
Pinging 2001:41f0:952a:1::7 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
Now when I set a manual configuration with RADVD disabled on the PFSense instance:
Microsoft client interface:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . : <domain-name>
Description . . . . . . . . . . . : Intel(R) Wireless-AC 9560 160MHz
Physical Address. . . . . . . . . : 80-32-53-F8-2F-E6
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:41f0:952a:2::bd3c(Preferred)
Link-local IPv6 Address . . . . . : fe80::d842:80d2:28f7:45d5%8(Preferred)
IPv4 Address. . . . . . . . . . . : 10.16.18.176(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : donderdag 9 december 2021 20:43:57
Lease Expires . . . . . . . . . . : zaterdag 11 december 2021 10:32:34
Default Gateway . . . . . . . . . : 2001:41f0:952a:2::1
10.16.18.254
DHCP Server . . . . . . . . . . . : 10.16.18.253
DNS Servers . . . . . . . . . . . : 2001:41f0:952a:1::7
2001:41f0:952a:1::8
172.16.18.7
172.16.18.8
IPv6 Routing table:
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
8 55 ::/0 2001:41f0:952a:2::1
1 331 ::1/128 On-link
8 311 2001:41f0:952a:2::bd3c/128
On-link
8 311 fe80::/64 On-link
8 311 fe80::d842:80d2:28f7:45d5/128
On-link
1 331 ff00::/8 On-link
8 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
Ping tests:
Pinging 2001:41f0:952a:2::2 with 32 bytes of data:
Reply from 2001:41f0:952a:2::2: time=2ms
Reply from 2001:41f0:952a:2::2: time=1ms
Pinging 2001:41f0:952a:2::3 with 32 bytes of data:
Reply from 2001:41f0:952a:2::3: time=1ms
Reply from 2001:41f0:952a:2::3: time=1ms
Pinging 2001:41f0:952a:2::1 with 32 bytes of data:
Reply from 2001:41f0:952a:2::1: time=1ms
Reply from 2001:41f0:952a:2::1: time=1ms
Pinging 2001:41f0:952a:1::7 with 32 bytes of data:
Reply from 2001:41f0:952a:1::7: time=4ms
Reply from 2001:41f0:952a:1::7: time=2ms
Upstream IPv6:
Pinging 2001:41f0:952a::1 with 32 bytes of data:
Reply from 2001:41f0:952a::1: time=4ms
Reply from 2001:41f0:952a::1: time=2ms
Pinging google:
Pinging 2a00:1450:400e:803::2004 with 32 bytes of data:
Reply from 2a00:1450:400e:803::2004: time=10ms
Reply from 2a00:1450:400e:803::2004: time=9ms
Updated by Patrick U almost 3 years ago
Just forgot the traceroute...
Command: tracert -d -6 www.google.com
Tracing route to www.google.com [2a00:1450:400e:803::2004]
over a maximum of 30 hops:
1 2 ms 1 ms 1 ms 2001:41f0:952a:2::3
2 13 ms 9 ms 9 ms 2001:41f0:952a::1
3 10 ms * * 2001:b88::159:101
4 10 ms 9 ms 9 ms 2001:b88:0:408::2
5 13 ms 11 ms * 2001:730:2207:e::d52e:b616
6 * 12 ms * 2a00:1450:8101::1
7 10 ms 9 ms 9 ms 2001:4860:0:1::3006
8 11 ms 11 ms 9 ms 2001:4860:0:f8c::c
9 11 ms 11 ms 10 ms 2001:4860::c:4002:54bb
10 15 ms 21 ms 13 ms 2001:4860::9:4000:d476
11 * * * Request timed out.
12 10 ms 11 ms 10 ms 2001:4860:0:1::5193
13 10 ms 9 ms 9 ms 2a00:1450:400e:803::2004
Trace complete.
Updated by znerol znerol almost 3 years ago
Please note: RFC compliant clients must not accept a router unless it is a link-local address (see RFC4861 section 6.1.2). If a client receives a router-advertisement from a globally routable IP (such as 2001:41f0:952a:2::1) it must ignore it.
Also note, that AdvRASrcAddress currently does not work as intended in FreeBSD. See also #12582 and the github issue linked from there.
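The receiver-side checks from RFC 4861 section 6.1.2 referenced in the comment above, as an added example that is not part of the original thread and is not pfSense or radvd code. It parses a raw IPv6 + ICMPv6 Router Advertisement and lists which validity checks fail; the sample packets are constructed with the hypothetical helper `build_ra` using the addresses from this issue. ICMP checksum verification, which the RFC also requires, is left out here.

```python
import ipaddress
import struct

ICMPV6 = 58          # IPv6 next-header value for ICMPv6
ROUTER_ADVERT = 134  # ICMPv6 type of a Router Advertisement

def build_ra(src, hop_limit=255, code=0, options=b""):
    """Constructed sample: IPv6 header + RA body (checksum left at zero)."""
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ROUTER_ADVERT, code, 0, 64, 0, 1800, 0, 0) + options
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    dst = ipaddress.IPv6Address("ff02::1").packed  # all-nodes multicast
    return header + ipaddress.IPv6Address(src).packed + dst + icmp

def ra_validation_failures(packet):
    """Return the RFC 4861 6.1.2 checks the packet fails; empty list means accepted."""
    if len(packet) < 40:
        return ["truncated IPv6 header"]
    _, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    icmp = packet[40:40 + payload_len]
    if next_header != ICMPV6 or len(icmp) < 1 or icmp[0] != ROUTER_ADVERT:
        return ["not a Router Advertisement"]
    failures = []
    if not src.is_link_local:          # must come from fe80::/10
        failures.append(f"source {src} is not link-local")
    if hop_limit != 255:               # proves the RA was not forwarded by a router
        failures.append(f"hop limit {hop_limit} is not 255")
    if len(icmp) < 16:
        failures.append("ICMP length below 16 octets")
        return failures
    if icmp[1] != 0:
        failures.append("ICMP code is not 0")
    # Options follow the 16-octet RA body: type (1), length (1, in units of 8 octets).
    offset = 16
    while offset + 2 <= len(icmp):
        opt_len = icmp[offset + 1] * 8
        if opt_len == 0:
            failures.append("option with zero length")
            break
        offset += opt_len
    return failures

if __name__ == "__main__":
    for source in ("fe80::2e0:67ff:fe1e:52a7", "2001:41f0:952a:2::1"):
        print(source, ra_validation_failures(build_ra(source)) or "accepted")
```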
Updated by Jim Pingle 4 months ago
- Status changed from New to Resolved
- Assignee set to Christian McDonald
- Target version set to 2.8.0
- % Done changed from 0 to 100
- Plus Target Version set to 24.08
This is working properly on 24.08 snapshots w/Kea DHCP HA.
Updated by Jim Pingle about 2 months ago
- Subject changed from CARP IPv6 assigned address does not get advertised to endpoints with RADV to Non Link-Local IPv6 CARP address does not get advertised to endpoints with RADVD
- Category changed from DHCP (IPv6) to IPv6 Router Advertisements (radvd/rtsold)
To add one thing I didn't see noted above, you can and should be making a Link-Local IPv6 CARP address for these purposes, not a routable/GUA address.
There are pending updates to the docs reflecting this that will be published along with this release.
Updated by Jim Pingle about 2 months ago
- Plus Target Version changed from 24.08 to 24.11