Bug #6507
closedGRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot
100%
Description
Setup
The WAN Interface of my pfsense firewall is connected to our homenetwork. The "real" wan connection (dsl router) advertises a prefix to the local network. The pfSense is configured to use IPv6+DHCP6 to autoconfigure the interface. A GRE Tunnel is configured to a remote IPv6 endpoint in a datacenter (no ipsec, no vpn, just plain gre). This works quite fine up to the point where the pfSense firewall gets rebooted.
Problem
During bootup pfsense tries to online and configure the gre interface. The script rc.bootup / interfaces.inc tries to lookup local IPv6 address to correctly configure the local site. I guess that at this point the IPv6 address isn't yet assigned and therefore the lookup will fail.
System Log
Jun 21 00:09:41 wanpf1 php-cgi: rc.bootup: Accept router advertisements on interface vtnet0_vlan41 Jun 21 00:09:41 wanpf1 php-cgi: rc.bootup: Accept router advertisements on interface vtnet0_vlan42 Jun 21 00:09:42 wanpf1 php-cgi: rc.bootup: The command '/sbin/ifconfig gre0 inet6 tunnel 'fc00::21'' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' Jun 21 00:09:42 wanpf1 php-cgi: rc.bootup: The command '/sbin/ifconfig gre1 inet6 tunnel 'fc00::22'' returned exit code '1', the output was 'ifconfig: 'tunnel' requires 2 arguments' [...] Jun 21 00:09:43 wanpf1 rtsold: Recieved RA specifying route fe80::5054:ff:fe88:c1d8 for interface opt1(vtnet0_vlan42) Jun 21 00:09:43 wanpf1 rtsold: Recieved RA specifying route fe80::5054:ff:fe88:c1d8 for interface opt1(vtnet0_vlan42) Jun 21 00:09:43 wanpf1 rtsold: Starting dhcp6 client for interface opt1(vtnet0_vlan42) Jun 21 00:09:43 wanpf1 rtsold: Starting dhcp6 client for interface opt1(vtnet0_vlan42) [...] Jun 21 00:09:44 wanpf1 rtsold: Recieved RA specifying route fe80::5054:ff:fee0:a429 for interface wan(vtnet0_vlan41) Jun 21 00:09:44 wanpf1 rtsold: Recieved RA specifying route fe80::5054:ff:fee0:a429 for interface wan(vtnet0_vlan41) Jun 21 00:09:44 wanpf1 rtsold: Starting dhcp6 client for interface wan(vtnet0_vlan41) Jun 21 00:09:44 wanpf1 rtsold: Starting dhcp6 client for interface wan(vtnet0_vlan41)
Workaround
After manually adding the tunnel configuration post-boot or just edit+save the gre interface correctly configures the interface. So basically it works, but it's not reboot-save.
Additional
What I haven't tested yet but will do would be- What happens to gre interfaces if you receivce a new RA from your upstream neighbour
- Can you use a hostname as remote endpoint? This would enable dynamic endpoints (similar to the IPSEC configuration where the ipsec configuration gets updated to the new endpoint on dyndns change). btw. the combination of ipsec+gre is a great one. You can have use the GRE Tunnel to setup dynamic routing updates or complex routing scenarios without the need to update fixed ipsec network lists ... but that's a different story.
Versions tested
2.3.1_5
Related issues
Updated by Daniel Hoffend over 8 years ago
My test setup contains 2 gre tunnels, but to reproduce the issue 1 gre tunnel is sufficient.
Tunnel1
- Local IPv6 address on vtnet0_vlan41 (fc01::xxxx)
- Remote IPv6 address (fc00::21 reachable via fc01::1 / link-local ipv6 address)
- Static Route to fc00::21 to next-hop on vtnet0_vlan41
Tunnel2
- Local IPv6 address on vtnet0_vlan42 (fc02::xxxx)
- Remote IPv6 address (fc00::22 reachable via fc02::1 / link-local ipv6 address)
- Static Route to fc00::22 to next-hop on vtnet0_vlan42
Updated by Chris Buechler over 8 years ago
- Subject changed from GRE Tunnel over IPv6 doesn't receive the complete tunnel configuration during rc.bootp to GRE tunnel on dynamic IPv6 interface not brought up during boot
- Status changed from New to Confirmed
- Affected Version changed from 2.3.x to All
Updated by Daniel Hoffend over 8 years ago
Any idea? Is there any hook we can bind to? Like change of interface ip addresses? Which could get our tunnels reconfigured?
Updated by Daniel Hoffend over 8 years ago
IMO this function should be combined with the ipsec tunnel reload. This way you can combine point2point ipsec connections and gre tunnels for dynamic routing.
Once the local ip address or the remote tunnel endpoint changes ipsec and gre can be reconfigured to point into the same direction.
Updated by Daniel Hoffend over 8 years ago
I've tried to dig into this again. There some things I've noticed.
1) it looks like the binary "check_reload_status" is triggering ipsec, openvpn or dyndns reloads. It also should trigger rc.newwanip and rc.newwanipv6
2) The rc.newwanip script triggers the function interface_gre_configure()
3) The rc.newwanipv6 script doesn't include this function call. Also looking into the system logs the script itself never gets executed. I see the rc.newwanip gets triggered to change ipv6 routes but apparently the v6 script is never called when the interface received its dhcpv6 address.
I'm looking to the right place to trigger the gre interface reconfiguration after the interface got it's first ipv6 address or when the v6 address has changed (like ra from the upstream gateway).
Updated by Viktor Gurov about 4 years ago
- Affected Version changed from All to 2.5.0
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/63
TODO:
correctly restart tunnels on track interface
Updated by Renato Botelho about 4 years ago
- Status changed from Confirmed to Pull Request Review
- Assignee set to Viktor Gurov
- Target version set to 2.5.0
- Affected Version changed from 2.5.0 to All
Updated by Renato Botelho about 4 years ago
- Target version changed from 2.5.0 to CE-Next
Updated by Jim Pingle over 3 years ago
- Has duplicate Bug #11860: GIF interfaces should be reconfigured when IPv6 address of a WAN-Interface changes added
Updated by Jim Pingle over 3 years ago
- Subject changed from GRE tunnel on dynamic IPv6 interface not brought up during boot to GRE and GIF tunnels on dynamic IPv6 interface are not brought up during boot
Updating subject to reflect that the PR corrects both GRE and GIF.
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Target version changed from CE-Next to 2.6.0
- Plus Target Version set to 21.09
PR has been merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- % Done changed from 0 to 100
Applied in changeset 474b0fed67a9e2682526a230d410a4339ec7972d.
Updated by Viktor Gurov over 3 years ago
Updated by Jim Pingle over 3 years ago
- Status changed from Feedback to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
PR has been merged. Thanks!
Updated by Viktor Gurov about 3 years ago
- Related to Regression #12288: GRE and GIF tunnel inside addresses are missing at the OS level after applying changes on assigned interfaces added
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
Updated by Jim Pingle almost 3 years ago
- Status changed from Feedback to Closed