News: This forum is now permanently frozen.
Pages: [1]
Topic: Bug in IPv6 RA's "crossing" VLANs  (Read 4262 times)
« on: June 30, 2011, 10:23:08 »
Scrooge *
Posts: 10

System and setup:
m0n0wall 1.33 running on ALIX

Physical Interfaces:

vr1: WAN (IPv6 mode AICCU)

vr0: LAN (IPv6 mode static)
IPv6 Address: 2001:16d8:dd35:1::/64
Enabled: Send IPv6 router advertisements & Other stateful configuration

Virtual Interfaces:

vlan0 (DMZ): vr0 tagged with ID10  (IPv6 mode static)
IPv6 Address: 2001:16d8:dd35:babe::/64
Enabled: Send IPv6 router advertisements & Other stateful configuration

vlan1 (DMZ2): vr0 tagged with ID20  (IPv6 mode disabled)

Problem:
The router advertizements that are received by the clients on LAN contains information about the adresses in DMZ.

A view from the client:
Code:
Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . : local
        IP Address. . . . . . . . . . . . : 10.0.1.192
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2001:16d8:dd35:1:cdd8:f690:35c9:eec1
        IP Address. . . . . . . . . . . . : 2001:16d8:dd35:1:221:5cff:fe5f:d897
        IP Address. . . . . . . . . . . . : 2001:16d8:dd35:babe:cdd8:f690:35c9:eec1
        IP Address. . . . . . . . . . . . : 2001:16d8:dd35:babe:221:5cff:fe5f:d897
        IP Address. . . . . . . . . . . . : fe80::221:5cff:fe5f:d897%10
        Default Gateway . . . . . . . . . : 10.0.1.254
                                            fe80::20d:b9ff:fe15:6450%10

This causes the client to bind to addresses in two different subnets and depending on the priority of the IP's, the client will loose all IPv6 connectivity (trying to send packets with a source IP from a different subnet, and hence not allowed through the FW)..

The same doesn't happen on the DMZ interface. It only receives advertizements for its own interface:

Code:
eth0      Link encap:Ethernet  HWaddr 00:0c:29:20:73:23
          inet addr:10.0.10.50  Bcast:10.0.10.255  Mask:255.255.255.0
          inet6 addr: 2001:16d8:dd35:babe:20c:29ff:fe20:7323/64 Scope:Global
          inet6 addr: fe80::20c:29ff:fe20:7323/64 Scope:Link


If I disable RA's on DMZ, the incorrect advertizement on LAN immidiatly stops..

I haven't tested if this is only VLAN related or if the same will happen if I enable IPv6+RA on physical interface vr2..
« Last Edit: June 30, 2011, 10:38:19 by Scrooge »
« Reply #1 on: June 30, 2011, 19:03:34 »
Scrooge *
Posts: 10

Ignore my previous post for the time being.. Apparently I'm unable to reproduce the problem on cabled ethernet.. Only wireless..  Huh

Need to do some more testing..
« Reply #2 on: June 13, 2012, 11:23:01 »
CSchwadorf *
Posts: 12

I can reproduce the problem with cabled and wireless ethernet.

My Setup is:
m0n0wall 1.8.0b510 on soekris net6501

vr0 - untagged: LAN - IPv6 Static 64 Subnet with RA - xxxx:xxxx:xxxx:0::0/64
vr0 - tag 4: DMZ1 - IPv6 Static 64 Subnet with RA - xxxx:xxxx:xxxx:2000::0/64
vr0 - tag 12: DMZ2 - IPv6 Static 64 Subnet with RA - xxxx:xxxx:xxxx:5000::0/64

When I add all three VLANs to the switch port the client gets IPv6 adresses from all three VLANs resulting in this setup:

Code:
Ethernet-Adapter LAN-Verbindung:

   Verbindungsspezifisches DNS-Suffix: xxxx
   IPv6-Adresse. . . . . . . . . . . : xxxx:xxxx:xxxx:0:e830:7e96:1e35:b5a0
   IPv6-Adresse. . . . . . . . . . . : xxxx:xxxx:xxxx:2000:e830:7e96:1e35:b5a0
   IPv6-Adresse. . . . . . . . . . . : xxxx:xxxx:xxxx:5000:e830:7e96:1e35:b5a0
   Temporäre IPv6-Adresse. . . . . . : xxxx:xxxx:xxxx:0:d541:9657:c62d:eb19
   Temporäre IPv6-Adresse. . . . . . : xxxx:xxxx:xxxx:2000:d541:9657:c62d:eb19
   Temporäre IPv6-Adresse. . . . . . : xxxx:xxxx:xxxx:5000:d541:9657:c62d:eb19
   Verbindungslokale IPv6-Adresse  . : fe80::e830:7e96:1e35:b5a0%10
   IPv4-Adresse  . . . . . . . . . . : 172.16.x.x
   Subnetzmaske  . . . . . . . . . . : 255.255.x.x
   Standardgateway . . . . . . . . . : fe80::200:24ff:fece:97c4%10
                                       172.16.x.x

Removing eg. VLAN 4 from the switch port and renewing all adresses the corrosponding IPv6 setup looks like this:
Code:
Ethernet-Adapter LAN-Verbindung:

   Verbindungsspezifisches DNS-Suffix: xxxx
   IPv6-Adresse. . . . . . . . . . . : xxxx:xxxx:xxxx:0:e830:7e96:1e35:b5a0
   IPv6-Adresse. . . . . . . . . . . : xxxx:xxxx:xxxx:5000:e830:7e96:1e35:b5a0
   Temporäre IPv6-Adresse. . . . . . : xxxx:xxxx:xxxx:0:d541:9657:c62d:eb19
   Temporäre IPv6-Adresse. . . . . . : xxxx:xxxx:xxxx:5000:d541:9657:c62d:eb19
   Verbindungslokale IPv6-Adresse  . : fe80::e830:7e96:1e35:b5a0%10
   IPv4-Adresse  . . . . . . . . . . : 172.16.x.x
   Subnetzmaske  . . . . . . . . . . : 255.255.x.x
   Standardgateway . . . . . . . . . : fe80::200:24ff:fece:97c4%10
                                       172.16.x.x

Removing all other VLAN except one results in the client loosing ipv6 connectivity depending on the adress priority.
 
Pages: [1]
 
 
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines