
Author Topic: IPv6 dhcpd/slaac  (Read 289 times)


Offline Ofloo

IPv6 dhcpd/slaac
« on: January 24, 2018, 01:46:08 am »
I've got multiple DHCP servers on different VLANs for IPv6, but for some reason the DHCP/router advertisements of other VLANs flow into each other. vlan100 gets an IPv6 assigned from vlan200 and vice versa.

How do I prevent this from happening?

I've tried various router advertisement modes and even tried turning off DHCPv6; either it doesn't give me an IP at all or it gives me multiple. To me this beats the point of separating networks; then I can rather put everything in one network.

Offline Napsterbater

Re: IPv6 dhcpd/slaac
« Reply #1 on: January 24, 2018, 09:34:09 pm »
Simple, you have IPv6 RA packets (multicast) crossing your VLANs/Broadcast domains, you have a switching config/issue somewhere, or a client/nic behaving badly when receiving tagged traffic.


Post some info on your setup.



For example I have seen this when a switch port was set up as a "Trunk"/Tagged (and a "native"/untagged VLAN) and the device on the other end was not "VLAN Aware", or at least configured to be, traffic from the tagged VLANs the tag was stripped and the packet passed along to the OS, yet that client could never talk back to the LAN that packet came from, so DHCP4 or DHCP6 could not assign an IP as there was no working 2 way path to complete the assignment, only 1 way. But the client could SLAAC, since that only needed a 1 way path.

Offline Derelict

Re: IPv6 dhcpd/slaac
« Reply #2 on: January 24, 2018, 09:37:21 pm »
Got TP-Link?

Offline Ofloo

Re: IPv6 dhcpd/slaac
« Reply #3 on: January 25, 2018, 01:16:35 am »
Yes, indeed it was a switch problem. I did find out why, however it doesn't really solve my problem. For MAC VLANs to work I need to set the port configuration to "GENERAL", and for some reason if the port is not configured as "TRUNK" but "GENERAL" as required for MAC VLAN, the VLANs' multicasts flow into each other.

* Yes I've got a T2600G-28TS TP-link

Code:
ACCESS: The ACCESS port can be added in a single VLAN, and the egress rule of the port is UNTAG. The PVID is same as the current VLAN ID. If the current VLAN is deleted, the PVID will be set to 1 by default.

TRUNK: The TRUNK port can be added in multiple VLANs. The egress rule of the port is UNTAG if the arriving packet's VLAN tag is the same as the port's PVID, otherwise the egress rule is TAG. The PVID can be set as the VID number of any valid VLAN.

GENERAL: The GENERAL port can be added in multiple VLANs and set various egress rules according to the different VLANs. The default egress rule is UNTAG. The PVID can be set as the VID
« Last Edit: January 25, 2018, 01:20:07 am by Ofloo »

Online JKnott

Re: IPv6 dhcpd/slaac
« Reply #4 on: January 25, 2018, 05:54:18 am »
Yet another example of why we should stay away from TP-Link.

Offline Napsterbater

Re: IPv6 dhcpd/slaac
« Reply #5 on: January 26, 2018, 12:22:48 am »
Code:
GENERAL: The GENERAL port can be added in multiple VLANs and set various egress rules according to the different VLANs. The default egress rule is UNTAG. The PVID can be set as the VID

Just from reading that it sounds like when in general that YOU (via "rules") have to tell it what vlans to TAG, otherwise ALL VLANs assigned to the port go out untagged.

Offline Ofloo

Re: IPv6 dhcpd/slaac
« Reply #6 on: January 29, 2018, 01:38:08 am »
Never mind, spoke too soon :/

The port has VLAN tags of several VLANs enabled, so not quite sure what you're referring to when you're talking about retagging the traffic, but I think what you're saying I already did.
« Last Edit: January 29, 2018, 02:42:29 am by Ofloo »

Offline Napsterbater

Re: IPv6 dhcpd/slaac
« Reply #7 on: January 31, 2018, 03:11:00 pm »
Never mind, spoke too soon :/

The port has VLAN tags of several VLANs enabled, so not quite sure what you're referring to when you're talking about retagging the traffic, but I think what you're saying I already did.

What is connected to that port? Is the connected device VLAN aware? Is it set up for multiple VLANs? Is this happening on more than one port with more than one device/client?

Best bet is to use Wireshark on a port that has this issue and look at the RA packets, confirm they are tagged at all and correctly for the VLAN for the subnet being advertised; if they are, then set your sights on the client/s.
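
The check suggested in the last reply, written out as an added example that is not part of the original thread: it parses raw Ethernet frames, picks out ICMPv6 Router Advertisements, and compares the 802.1Q VLAN ID on each with the prefix it advertises. The function names, the VLAN-to-prefix map and the 2001:db8: sample prefixes are assumptions for illustration (the VLAN IDs 100 and 200 come from the first post), and the frames are constructed rather than captured.

```python
import ipaddress
import struct
# Added example: names and sample prefixes are illustrative assumptions.
ETH_8021Q, ETH_IPV6, ICMPV6, RA_TYPE, OPT_PREFIX = 0x8100, 0x86DD, 58, 134, 3

def parse_ra(frame):
    """Return (vlan_id or None, [advertised prefixes]) for an RA frame, else None."""
    if len(frame) < 14:
        return None
    vlan, off = None, 14
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_8021Q and len(frame) >= 18:   # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18                  # low 12 bits = VLAN ID
    if ethertype != ETH_IPV6 or len(frame) < off + 56:
        return None
    icmp = frame[off + 40:]                           # extension headers not handled
    if frame[off + 6] != ICMPV6 or icmp[0] != RA_TYPE:
        return None
    prefixes, pos = [], 16                            # options follow the 16-byte RA header
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8
        if olen == 0 or pos + olen > len(icmp):
            break                                     # malformed option, stop parsing
        if otype == OPT_PREFIX and olen == 32:        # Prefix Information option
            prefixes.append(ipaddress.IPv6Network(
                (icmp[pos + 16:pos + 32], icmp[pos + 2]), strict=False))
        pos += olen
    return vlan, prefixes

def check_ra(frame, expected):
    """expected maps VLAN ID -> IPv6Network; returns a list of findings."""
    parsed = parse_ra(frame)
    if parsed is None:
        return []
    vlan, prefixes = parsed
    if vlan is None:
        return [f"untagged RA advertising {p}" for p in prefixes]
    want = expected.get(vlan)
    return [f"VLAN {vlan} RA advertises {p}, expected {want}" for p in prefixes if p != want]

def build_ra(vlan, prefix):
    """Constructed sample frame (checksum left at zero); vlan=None means untagged."""
    net = ipaddress.IPv6Network(prefix)
    opt = struct.pack("!BBBBII4x", OPT_PREFIX, 4, net.prefixlen, 0xC0, 86400, 14400)
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0) + opt + net.network_address.packed
    addrs = ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 255) + addrs
    tag = b"" if vlan is None else struct.pack("!HH", ETH_8021Q, vlan)
    return bytes.fromhex("333300000001020000000001") + tag + struct.pack("!H", ETH_IPV6) + ip6 + icmp
```

Some NIC drivers strip the 802.1Q tag before the capture sees the frame, which this check reports as an untagged RA, so confirm the capture interface preserves tags before trusting that finding.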