Feature #1829
closed
CARP with IPv6 support
Description
Need to be able to bind router advertisements to CARP IPs.
Updated by Seth Mos over 13 years ago
The specific issue is that you cannot select a CARP IPv6 vip interface for router advertisements. Ideally we need to generate an IPv6 link-local for this and broadcast that.
We will need to fix our rtadvd for this too since it hates interfaces without multicast. What we currently do is broadcast both systems. But because they both have the same priority this becomes an issue.
I would suggest bumping the priority of the master regardless so that the network doesn't break as easily when someone plugs in a cheap yumcha router.
There are comments in the services_rtadvd_configure() function when I first attempted this 6 months ago.
Updated by Chris Buechler over 13 years ago
Need some additional consideration on how this should work from the GUI perspective. Maybe just make the underlying bits handle things correctly if there's a gateway in the DHCPv6 configuration, and allow configuring a gateway in the DHCPv6 config even if you don't have DHCPv6 enabled (since that's where RAs are managed at this time and that seems the most sensible option I can think of).
Updated by Seth Mos over 13 years ago
Ah, yes, well, the gateway field needs to go from the dhcpv6 config in the UI since it doesn't exist.
Complain to the IETF to get that supported, at all.
I'll strip the gateway field since I can't use it all, it is a remnant from an early development and I forgot to pull.
Added a link-local to the vip, still no go.
vip1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet6 2001:470:d72c::2 prefixlen 64
inet6 fe80::1%vip1 prefixlen 64 scopeid 0xd
nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
carp: MASTER vhid 1 advbase 1 advskew 0
[2.1-DEVELOPMENT][root@host]/root(52): /usr/sbin/rtadvd -f -D -c /var/etc/rtadvd.conf vip1
rtadvd20569: <make_packet> link-layer address option has null length on vip1. Treat as not included.
rtadvd20569: <ra_timer_update> RA timer on vip1 is set to 16:0
rtadvd20569: <sock_open> IPV6_JOIN_GROUP(link) on vip1: Can't assign requested address
Updated by Chris Buechler over 13 years ago
My thought was actually keeping it in the DHCPv6 screen even though it has nothing to do with it, since we already have the autoconfigure setting there. That should probably move to interfaces.php though.
Updated by Seth Mos over 13 years ago
Ah, you mean the rtadvd settings? That would make sense, I tied them into the dhcp6 config as that seems the most straightforward since dhcp6 would only be enabled on the lans.
The code in rtadvd already checks if the gateway address is a vip and then it really should tie into that.
Now that I think about it some more it would be a lot more awkward having an unrelated setting on the interfaces page.
Otherwise we'd need a dropdown plus a user input field on the interfaces page to get a complete picture. Dhcp6 page just seemed straightforward. Since rtadvd also controls the managed flag to even get clients to send query dhcp6 servers that seems appropriate.
Updated by Ermal Luçi about 13 years ago
- Status changed from New to Feedback
Patch is active for 9; for FreeBSD 8 base it needs to be included by hand on builds to not create issues with 2.0 builds.
Updated by Seth Mos almost 13 years ago
- Assignee set to Ermal Luçi
If feasible, add support for manually configuring the link-local address to send by way of a patch to rtadvd.
We could possibly use the same method of configuring as the patch from ticket #1836 that adds DNS support.
That way we can set up rtadvd to send the CARP vip link-local address which would possibly be set via the dhcp6 gateway field. This would need to be hidden behind an advanced field though, it allows for excellent foot shooting.
By approaching it this way you can have both the master and backup simultaneously run rtadvd and they would both advertise the same CARP link-local.
Ermal, can you add support for a manually configured link-local address in the config for rtadvd so we can integrate it into the backend? This would always work regardless which version of FreeBSD we would use.
Updated by Seth Mos almost 13 years ago
- Assignee changed from Ermal Luçi to Seth Mos
- Estimated time set to 4.00 h
Looks like we may be able to circumvent this by switching to radvd. The config syntax is far more readable too.
Need to make sure the rdns still works though, should also allow us to advertise a global address or another link-local.
The gateway field in the dhcpv6 settings needs to move away from dhcpv6 and into the router advertisement section.
make this more obvious.
Updated by Seth Mos almost 13 years ago
- Status changed from Feedback to Assigned
Updated by Seth Mos over 12 years ago
- Status changed from Assigned to New
Running radvd in debug mode
/usr/local/sbin/radvd -C /var/etc/radvd.conf -mstderr -n -d 5
According to the authors of radvd one can modify the following function in radvd-1.8.5/send.c
int
send_ra(struct Interface *iface, struct in6_addr *dest)
{
    uint8_t all_hosts_addr[] = {0xff,0x02,0,0,0,0,0,0,0,0,0,0,0,0,0,1};
    struct sockaddr_in6 addr;
    struct in6_pktinfo *pkt_info;
    struct msghdr mhdr;
    struct cmsghdr *cmsg;
    struct iovec iov;
    char __attribute__((aligned(8))) chdr[CMSG_SPACE(sizeof(struct in6_pktinfo))];
    struct nd_router_advert *radvert;
    struct AdvPrefix *prefix;
    struct AdvRoute *route;
    struct AdvRDNSS *rdnss;
    struct AdvDNSSL *dnssl;
    struct timeval time_now;
    time_t secs_since_last_ra;
    unsigned char buff[MSG_SIZE_SEND];
    size_t buff_dest = 0;
    size_t len = 0;
    ssize_t err;
When attempting to use radvd in multicast mode.
[Apr 10 13:57:12] radvd: version 1.8.5 started
[Apr 10 13:57:12] radvd: interface lan_vip1 does not support multicast
[Apr 10 13:57:12] radvd: do you need to add the UnicastOnly flag?
[Apr 10 13:57:12] radvd: interface lan_vip1 does not support broadcast
[Apr 10 13:57:12] radvd: do you need to add the UnicastOnly flag?
[Apr 10 13:57:12] radvd: mtu for lan_vip1 is 1500
[Apr 10 13:57:12] radvd: link layer token length for lan_vip1 is 0
[Apr 10 13:57:12] radvd: prefix length for lan_vip1 is -1
[Apr 10 13:57:12] radvd: can't join ipv6-allrouters on lan_vip1
[Apr 10 13:57:12] radvd: interface definition for lan_vip1 is ok
[Apr 10 13:57:12] radvd: mtu for vr2 is 1500
[Apr 10 13:57:12] radvd: link layer token length for vr2 is 48
[Apr 10 13:57:12] radvd: prefix length for vr2 is 64
[Apr 10 13:57:12] radvd: interface definition for vr2 is ok
[Apr 10 13:57:12] radvd: setting LinkMTU (1280) for vr2 is not supported
[Apr 10 13:57:12] radvd: setting CurHopLimit (64) for vr2 is not supported
[Apr 10 13:57:12] radvd: setting LinkMTU (1280) for lan_vip1 is not supported
[Apr 10 13:57:12] radvd: setting CurHopLimit (64) for lan_vip1 is not supported
[Apr 10 13:57:12] radvd: sending RA on vr2
[Apr 10 13:57:12] radvd: sendmsg: No buffer space available
[Apr 10 13:57:12] radvd: interface lan_vip1 does not support multicast
[Apr 10 13:57:12] radvd: do you need to add the UnicastOnly flag?
[Apr 10 13:57:12] radvd: interface lan_vip1 does not support broadcast
[Apr 10 13:57:12] radvd: do you need to add the UnicastOnly flag?
[Apr 10 13:57:12] radvd: sending RA on lan_vip1
[Apr 10 13:57:12] radvd: sendmsg: Network is unreachable
[Apr 10 13:57:12] radvd: polling for 10 seconds.
When attempting to use radvd in unicast only mode (UnicastOnly on;)
[Apr 10 13:56:40] radvd: version 1.8.5 started
[Apr 10 13:56:40] radvd: mtu for lan_vip1 is 1500
[Apr 10 13:56:40] radvd: link layer token length for lan_vip1 is 0
[Apr 10 13:56:40] radvd: prefix length for lan_vip1 is -1
[Apr 10 13:56:40] radvd: can't join ipv6-allrouters on lan_vip1
[Apr 10 13:56:40] radvd: interface definition for lan_vip1 is ok
[Apr 10 13:56:40] radvd: mtu for vr2 is 1500
[Apr 10 13:56:40] radvd: link layer token length for vr2 is 48
[Apr 10 13:56:40] radvd: prefix length for vr2 is 64
[Apr 10 13:56:40] radvd: interface definition for vr2 is ok
[Apr 10 13:56:40] radvd: setting LinkMTU (1280) for vr2 is not supported
[Apr 10 13:56:40] radvd: setting CurHopLimit (64) for vr2 is not supported
[Apr 10 13:56:40] radvd: setting LinkMTU (1280) for lan_vip1 is not supported
[Apr 10 13:56:40] radvd: setting CurHopLimit (64) for lan_vip1 is not supported
[Apr 10 13:56:40] radvd: sending RA on vr2
[Apr 10 13:56:40] radvd: sendmsg: No buffer space available
[Apr 10 13:56:40] radvd: polling for 10 seconds.
[Apr 10 13:56:40] radvd: recvmsg len=112
[Apr 10 13:56:40] radvd: if_index 3
[Apr 10 13:56:40] radvd: found Interface: vr2
[Apr 10 13:56:40] radvd: received RA from fe80::200:24ff:fec8:dfa2
[Apr 10 13:56:40] radvd: polling for 10 seconds.
The message "radvd: prefix length for lan_vip1 is -1" points to device-bsd44.c line 102.
We should be able to teach it about CARP interfaces and use the CARP mac address as a basis for the LL address.
The message just above reads "radvd: link layer token length for lan_vip1 is 0" which means it couldn't find the CARP virtual hardware address. I believe this is something we can teach it.
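The idea in the comment above (use the CARP MAC address as the basis for the link-local address), worked through as an added example that is not code from the ticket, from radvd, or from the CARP link-local patch. It assumes the CARP virtual MAC 00:00:5e:00:01:<vhid> and the modified EUI-64 mapping of RFC 4291, which the ticket does not say the patch uses; all function names are hypothetical.

```c
/* Added example: derive an IPv6 link-local address from a CARP vhid. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe in the middle of the
 * MAC, flip the universal/local bit, and place the result under fe80::/64. */
static void mac_to_link_local(const uint8_t mac[6], struct in6_addr *ll)
{
    memset(ll, 0, sizeof(*ll));
    ll->s6_addr[0] = 0xfe;
    ll->s6_addr[1] = 0x80;
    ll->s6_addr[8] = mac[0] ^ 0x02;
    ll->s6_addr[9] = mac[1];
    ll->s6_addr[10] = mac[2];
    ll->s6_addr[11] = 0xff;
    ll->s6_addr[12] = 0xfe;
    memcpy(&ll->s6_addr[13], &mac[3], 3);
}

/* Text form of the link-local for a MAC; returns out, or NULL on error. */
static const char *mac_link_local_str(const uint8_t mac[6], char *out, size_t len)
{
    struct in6_addr ll;
    mac_to_link_local(mac, &ll);
    return inet_ntop(AF_INET6, &ll, out, (socklen_t)len);
}

/* Assumption: the CARP virtual MAC is 00:00:5e:00:01:<vhid>, vhid 1..255. */
static const char *carp_link_local_str(int vhid, char *out, size_t len)
{
    uint8_t mac[6] = {0x00, 0x00, 0x5e, 0x00, 0x01, 0x00};
    if (vhid < 1 || vhid > 255)
        return NULL;            /* reject an out-of-range vhid */
    mac[5] = (uint8_t)vhid;
    return mac_link_local_str(mac, out, len);
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];
    /* vhid 1 matches the "carp: MASTER vhid 1" interface shown in the ticket */
    if (carp_link_local_str(1, buf, sizeof(buf)) != NULL)
        printf("vhid 1 -> %s\n", buf);
    return 0;
}
```

Because the address depends only on the vhid, master and backup derive the same link-local, which is the property the ticket wants for advertising from both nodes.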
Updated by Seth Mos over 12 years ago
- Status changed from New to Feedback
I've activated the CARP link local patch from Andrew on the 8.3 builds. It appears to work as it should.
I've committed changes that allow setting radvd to advertise on the CARP vip.
Needs proper testing.
Updated by Seth Mos over 12 years ago
Testing proved that CARP router advertisements work. Excellent.
Updated by Hannu Teulahti over 12 years ago
If I choose carp int as RA interface, the radvd does not start.
[2.1-BETA0][admin@XX]/root(9): /usr/local/sbin/radvd -C /var/etc/radvd.conf
[Jun 07 10:43:43] radvd: Carp master for opt2_vip1 not found
[Jun 07 10:43:43] radvd: error parsing or activating the config file: /var/etc/radvd.conf
[Jun 07 10:43:43] radvd: Exiting, failed to read config file.
running:
2.1-BETA0 (amd64)
built on Wed Jun 6 11:07:35 EDT 2012
with latest gitsync as of today.
Updated by Seth Mos over 12 years ago
You need a snapshot with a kernel of June 7th or later
Updated by Seth Mos over 12 years ago
Confirmed that the latest available snapshot 07-06-2012 17:00 does not have the carp patch. Probably just sheer bad luck. The patch is indeed activated, later snapshots should have it.
Updated by Hannu Teulahti over 12 years ago
Finally got a snapshot that has working carp+radvd.
2.1-BETA0 (amd64)
built on Mon Jun 11 08:50:59 EDT 2012
FreeBSD 8.3-RELEASE-p2
You are on the latest version.
Is it a bug or a feature that my backup pfsense box generates empty /var/etc/radvd.conf?
Should I open a new feature request for synchronizing dhcpv6 and ra settings, or can this issue be extended for such?
Updated by Seth Mos over 12 years ago
I don't think the dhcpv6 settings are synced up to the backup yet.
You'll need to configure that manually, and select the same vip.
Updated by Jim Pingle over 12 years ago
- Status changed from Feedback to Resolved
No problems with CARP+IPv6 on several clusters, seems to be fine.